HomomorphicEncryption R Package
(3rd Aug 2015)

 Format Download Mac OS X binary HomomorphicEncryption_0.2.tgz Windows binary Not available Source code HomomorphicEncryption_0.2.tar.gz

What’s new recently?
• First public release!
• Fan and Vercauteren (2012) implemented.

< Back to homepage

This package enables use of optimised implementations of homomorphic encryption schemes from the user friendly interactive high-level language R and offers completely transparent use of multi-core CPU architectures during computations. If you are familiar with homomorphic encryption skip to the details below, otherwise read on for a brief introduction.

## What is homomorphic encryption?

Cryptographic methods have been used since the dawn of civilisation in order to keep information secret. Fundamentally, an encryption algorithm is a mathematical transformation of your data in such a way as to make it difficult to recover the original information without knowledge of some secret, commonly called a private key.

Homomorphic encryption schemes are a remarkable subset of encryption schemes which additionally support the homomorphic property. Let all the messages belong to some messages space $$M$$ and let encryption produce cipher texts in a corresponding cipher text space $$C$$. Then a scheme is homomorphic if there is a set of operations $$\circ \in \mathcal{F}_M$$ acting in message space (such as addition) that have corresponding operations $$\diamond \in \mathcal{F}_C$$ acting in cipher text space satisfying the property: $\texttt{Dec}(k_s, \texttt{Enc}(k_p, m_1) \diamond \texttt{Enc}(k_p, m_2)) = m_1 \circ m_2$ For example, the simple scheme in Gentry (2010) describes a method where $$\mathcal{F}_M = \{+, \times\}$$ and $$\mathcal{F}_C = \{+, \times\}$$, though there is no restriction that the operations must correspond in all schemes. For example, Paillier encryption (Paillier, 1999) is homomorphic only for addition, with $$\mathcal{F}_M = \{+\}$$ but where $$\mathcal{F}_C = \{\times\}$$.

For more a more detailed introduction, this package is discussed in context in the review of homomorphic encryption for statisticians (Aslett, Esperança and Holmes, 2015a), or see the excellent and entertaining general introduction to homomorphic encryption concepts by Gentry (2010). This package was developed to enable statistics and machine learning researchers to become involved in developing tailored approaches to encrypted statistical machine learning, such as in Aslett, Esperança and Holmes (2015b), using the R language which is prevalent in the field.

## Package details

This package provides an easy to use interface to begin developing and testing statistical methods in a homomorphic environment. The package has been developed to be highly extensible, so that as new schemes are researched by cryptographers they can be made available for use by statistics researchers with minimal additional effort on the end user’s part. As such, the package has a small number of completely generic functions for which entirely different cryptographic backends can be used. The underlying implementation is mostly in high performance C and C++ (Eddelbuettel et al, 2011), with many of the operations setup to utilise multi-core parallelism via multithreading (Allaire et al, 2014) without requiring any end-user intervention.

### Installation

Installation on the Mac is the easiest as a binary package is provided. Run R and first ensure that the required dependencies are installed:

 install.packages(c("Rcpp", "RcppParallel", "gmp")) 

Then simply run:

 install.packages("http://www.louisaslett.com/HomomorphicEncryption/dl/HomomorphicEncryption_0.2.tgz", repos=NULL) 

This assumes you already have R itself installed. See here for details if you have not done this yet.

First, install the required system libraries (and say yes to all dependencies):

 sudo apt-get install libgmp-dev libflint-dev libmpfr-dev 

Advanced users may wish to install these from source targeting their system CPU for a slight performance boost (see General Linux tab).

Then, ensure that you have r-base-dev (if you have installed previous R packages from source then you have this already)

 sudo apt-get install r-base-dev 

Finally, run R and install the dependencies:

 install.packages(c("Rcpp", "RcppParallel", "gmp")) 

The HomomorphicEncryption package can then be installed within R using:

 install.packages("http://www.louisaslett.com/HomomorphicEncryption/dl/HomomorphicEncryption_0.2.tar.gz", repos = NULL, type="source") 

This assumes you already have R itself installed. See here for details if you have not done this yet.

First, install the required system libraries (and say yes to all dependencies):

 sudo yum install flint-devel gmp-devel mpfr-devel 

Advanced users may wish to install these from source targeting their system CPU for a slight performance boost (see General Linux tab).

Finally, run R and install the dependencies:

 install.packages(c("Rcpp", "RcppParallel", "gmp")) 

The HomomorphicEncryption package can then be installed within R using:

 install.packages("http://www.louisaslett.com/HomomorphicEncryption/dl/HomomorphicEncryption_0.2.tar.gz", repos = NULL, type="source") 

This assumes you already have R itself installed. See here for details if you have not done this yet.

First, install the required system libraries as root (and say yes to all dependencies):

 apt-get install libgmp-dev libflint-dev libmpfr-dev 

Advanced users may wish to install these from source targeting their system CPU for a slight performance boost (see General Linux tab).

Then, ensure that you have r-base-dev (if you have installed previous R packages from source then you have this already)

 apt-get install r-base-dev 

Finally, run R and install the dependencies:

 install.packages(c("Rcpp", "RcppParallel", "gmp")) 

The HomomorphicEncryption package can then be installed within R using:

 install.packages("http://www.louisaslett.com/HomomorphicEncryption/dl/HomomorphicEncryption_0.2.tar.gz", repos = NULL, type="source") 

Installation on Linux requires the following system libraries:

• GMP, v6+ (Granlund et al, 2012)
• FLINT, v2.4+ (Hart, 2010)
• MPFR, v3.1+ (a FLINT dependency)

If your system provides binary packages for these they can be installed. However, advanced users may prefer to compile these from source targeting their specific system CPU for best performance.

The following R packages:

• Rcpp (Eddelbuettel et al, 2011)
• RcppParallel (Allaire et al, 2014)
• gmp (Lucas et al, 2014)

The package can then be installed within R using:

 install.packages("http://www.louisaslett.com/HomomorphicEncryption/dl/HomomorphicEncryption_0.2.tar.gz", repos = NULL, type="source") 

 R CMD INSTALL HomomorphicEncryption_0.2.tar.gz 

The installation locations of GMP, MPFR and FLINT can be provided to the configure script in the usual manner if the default locations are incorrect:

 R CMD INSTALL HomomorphicEncryption_0.2.tar.gz --configure-args="--with-gmp=/path/to/gmp --with-mpfr=/path/to/mpfr --with-flint=/path/to/flint" 

A binary Windows package is not currently provided, though it should follow in the coming months. Advanced users can compile the package by satisfying the dependencies mentioned above for a general Linux installation.

### Package Usage

There are five aspects to using the package:

These are described in the following sections.

### Encryption parameters

The first generic cryptographic function is pars. The first argument to this function designates which cryptographic backend to use and allows the user to override any of the default parameters of that scheme (for example, $$d, q, t$$ and $$\sigma$$ in the scheme of Fan and Vercauteren, 2012). Related to this, there is the alternative method of specifying parameters via the function parsHelp. This allows users to instead specify a desired minimal security level in bits and a minimal depth of multiplications required, and then computes values for $$d, q, t$$ and $$\sigma$$ which will satisfy these requirements with high probability, by automatically optimising established bounds from the literature (Lepoint and Naehrig, 2014; Lindner and Peikert, 2011).

For example, to create a parameter set for the Fan and Vercauteren scheme (FandV) which has at least 80-bit security and supports a multiplicative depth of at least 4, one would run:

p <- pars("FandV", lambda=80, L=4)


### Key generation

The second generic cryptographic function is keygen, whose sole argument is a parameter object as returned by pars or parsHelp. keygen then generates a list containing public ($pk) and private ($sk) keys, along with any scheme dependent keys (such as relinearisation keys in the case of Fan and Vercauteren, 2012), which correspond to the homomorphic scheme designated by the parameter object. At this point, the parameter object is absorbed into the keys so that it doesn’t need to be used for any other functions.

For example, if p contains a parameter set then key generation is simply:

k <- keygen(p)
k$pk # contains public key k$sk # contains private/secret key


### Encryption

The third generic cryptographic function is enc. This requires simply the public key (as returned in the $pk list element from keygen) and the integer message to be encrypted. It then returns a cipher text encrypted under the scheme to which the public key corresponds. Crucially, the ease of use begins to become very apparent here, with enc overloaded to enable encryption of not just individual integers, but also vectors and matrices of integers. The structure of the vectors and matrices are preserved and the encryption process is fully multithreaded across all available CPU cores automatically. For example, to encrypt the value 1 and also the 3-by-3 identity matrix: ct1 <- enc(k$pk, 1)
ct2 <- enc(k$pk, diag(1, 3))  ### Homomorphic operations The real simplicity becomes apparent when manipulating the cipher texts. All the standard arithmetic functions (+, -, *) work as expected, implementing for example the cyclotomic polynomial ring algebra of the FandV scheme transparently. Moreover, vectors can be formed in the usual R manner using c (or extracted from the diagonal of matrix cipher texts with diag), element wise arithmetic can be performed on those vectors (with automatic multithreaded parallelism) and there is support for all the standard vector functions, such as length, sum, prod and %*% for inner products, just as one would conventionally use with unencrypted vectors in R. Indeed, such functionality extends to matrices, with formation of diagonal matrices via diag from cipher text vectors, element wise arithmetic and full matrix multiplication using the usual %*% R operator (again, automatically fully parallelised). Matrices also support the usual matrix functions (dim, length, t, etc). The package automatically dispatches these operations to the correct backend cryptographic routines to perform the corresponding cipher text space operations transparently, returning cipher text result objects which can be used in further operations or decrypted. For example, to add the scalar 1 to every element of the 3-by-3 identity matrix one can simply use the standard R notation on the cipher text objects: ct3 <- ct2 + ct1  ### Decryption The final generic cryptographic function is dec. Similarly, this requires simply the private key, as returned in the $sk list element from keygen, and the (scalar/vector/matrix) cipher text to be decrypted. It then returns the original message. Note that the structure of vector or matrix cipher texts is correctly preserved throughout.

For example, to decrypt the result of adding the scalar 1 to every element of the 3-by-3 identity matrix:

dec(k$sk, ct2+ct1) dec(k$sk, ct3)


### Example

The following is the simplest possible complete example. Examining the contents of k, c1, etc will show the encryption detail:

library("HomomorphicEncryption")
p <- pars("FandV")
k <- keygen(p)
c1 <- enc(k$pk, c(42,34)) c2 <- enc(k$pk, c(7,5))
cres1 <- c1 + c2
cres2 <- c1 * c2
cres3 <- c1 %*% c2
dec(k$sk, cres1) dec(k$sk, cres2)
dec(k\$sk, cres3)


Note that indexing into vectors and matrices as provided by R via the usual [] notation is fully supported, including assignment.

This provides an easy-to-use framework in arguably the most popular high level language in use among statisticians today, including automatic help for encryption scheme parameter selection. Given the computational burden of homomorphic schemes, the transparent multithreaded parallelism automatically across all CPU cores in all available scenarios (encryption, decryption and arithmetic with vectors/matrices) enables focus to be on the subject matter questions.

At present, the scheme of Fan and Vercauteren (2012) has been implemented, making use of FLINT (Hart, 2010) for certain polynomial operations and GMP (Granlund et al, 2012) for high performance arbitrary precision arithmetic. Backends for further schemes are under active development.

## No Warranty

This software has no warranty, it is provided “as is”. It is your responsibility to validate the behavior of the routines and their accuracy using the source code provided. In particular, this is an academic proof-of-concept implementation for research purposes and no warranty is provided as to the security or correctness of any of the encryption algorithms included.

## Citation information

If you use this package, please use the following citation:

Aslett, L. J. M., Esperança, P. M. and Holmes, C. C.(2015), A review of homomorphic encryption and software tools for encrypted statistical machine learning. Technical report, University of Oxford.

@techreport{Aslett2015,
Author = {L. J. M. Aslett and P. M. Esperan{\c c}a and C. C. Holmes},
Institution = {University of Oxford},
Title = {A review of homomorphic encryption and software tools for encrypted statistical machine learning},
Year = {2015}}


## References

Allaire, J. J., François, R., Intel Inc. and Geelnard, M. (2014), RcppParallel: Parallel programming tools for Rcpp. R package version 4.3.3. URL: http://cran.r-project.org/package=RcppParallel

Aslett, L. J. M., Esperança, P. & Holmes, C. C.(2015a), ‘A review of homomorphic encryption and software tools for encrypted statistical machine learning’, arXiv.

Aslett, L. J. M., Esperança, P. & Holmes, C. C.(2015b), ‘Encrypted statistical machine learning: new privacy preserving methods’, arXiv.

Eddelbuettel, D., François, R., Allaire, J. J., Chambers, J., Bates, D. and Ushey, K. (2011), ‘Rcpp: Seamless R and C++ integration’, Journal of Statistical Software 40(8), 1–18. URL: http://cran.r-project.org/package=Rcpp

Fan, J. and Vercauteren, F. (2012), ‘Somewhat practical fully homomorphic encryption’, IACR Cryptology ePrint Archive.

Hart, W. B.(2010), Fast library for number theory: An introduction, in ‘Proceedings of the Third International Congress on Mathematical Software’, ICMS’10, Springer- Verlag, Berlin, Heidelberg, pp. 88–91. URL: http://flintlib.org/.

Gentry, C. (2010), ‘Computing arbitrary functions of encrypted data’, Communications of the ACM 53(3), 97–105.

Granlund, T. and the GMP development team (2012), GNU MP: The GNU Multiple Precision Arithmetic Library. Version 6.0.0a. URL: http://gmplib.org/

Lepoint, T. and Naehrig, M. (2014), A comparison of the homomorphic encryption schemes FV and YASHE, in ‘Progress in Cryptology–AFRICACRYPT 2014’, Springer, pp. 318–335.

Lindner, R. and Peikert, C. (2011), Better key sizes (and attacks) for LWE-based encryption, in ‘Topics in Cryptology–CT-RSA 2011’, Springer, pp. 319–339.

Lucas, A., Scholz, I., Boehme, R., Jasson, S. and Maechler, M. (2014), gmp: Multiple Precision Arithmetic. R package version 0.5-12. URL: http://CRAN.R-project.org/package=gmp

Paillier, P. (1999), Public-key cryptosystems based on composite degree residuosity classes, in ‘Advances in Cryptology - EUROCRYPT’99’, Springer, pp. 223–238.

R Core Team (2015), R: A language and environment for statistical computing. R Foundation for Statistical Computing, Vienna, Austria. URL: http://www.R-project.org/