Paper 2022/1573

Solving Small Exponential ECDLP in EC-based Additively Homomorphic Encryption and Applications

Abstract

Additively Homomorphic Encryption (AHE) has been widely used in various applications, such as federated learning, blockchain, and online auctions. Elliptic Curve (EC) based AHE has the advantages of efficient encryption, homomorphic addition, scalar multiplication algorithms, and short ciphertext length. However, EC-based AHE schemes require solving a small exponential Elliptic Curve Discrete Logarithm Problem (ECDLP) when running the decryption algorithm, i.e., recovering the plaintext $$ from $$. Therefore, the decryption of EC-based AHE schemes is inefficient when the plaintext length $$. This leads to people being more inclined to use RSA-based AHE schemes rather than EC-based ones. This paper proposes an efficient algorithm called $$ for solving the small exponential ECDLP at $$-bit security level. We perform a series of deep optimizations from two points: computation and memory overhead. These optimizations ensure efficient decryption when the plaintext length $$ is as long as possible in practice. Moreover, we also provide a concrete implementation and apply $$ to some specific applications. Experimental results show that $$ is far faster than the previous works. For example, the decryption can be done in $$ ms with a single thread when $$, which is about $$ times faster than that of Paillier. Furthermore, we experiment with $$ from $$ to $$, and the existing works generally only consider $$. The decryption only requires $$ second with $$ threads when $$. In the practical applications, we can speed up model training of existing vertical federated learning frameworks by $$ to $$ times. At the same time, the decryption efficiency is accelerated by about $$ times in a blockchain financial system (ESORICS 2021) with the same memory overhead.

Note: An efficient algorithm called $$ for solving the small exponential ECDLP at $$-bit security level.