Database Secure Manipulation based on Paillier’s Homomorphic Encryption (DSM-PHE)

The objective of this research was to propose a simple solution for increasing the security of database manipulation. Taking advantage of homomorphic encryption, the user's data in the database is always kept encrypted under a homomorphic encryption algorithm such as Paillier's. The user's data is manipulated or processed many times, through addition, subtraction, multiplication and division. Because of the homomorphic property, the data need not be decrypted while it is manipulated, so its secrecy is preserved. Unfortunately, Paillier's homomorphic encryption normally covers only the addition and multiplication operations. This paper suggests a simple technique that extends Paillier's encryption to perform subtraction and division as well. Evaluation of the suggested database manipulation, DSM-PHE, indicates that its number of operation tasks is five times that of ordinary database manipulation without any encryption. Therefore DSM-PHE should be used particularly for more sensitive data.


Introduction
In database manipulation, there are many problems with the secrecy or privacy of the data kept in the database engine. A user's plain data kept in the database may be deliberately attacked by both internal and external intruders.
Some database administrators try to protect data records by encrypting all of the data while it is in the database engine. Unfortunately, data queried for a data manipulation event has to be revealed, especially while the data processing is being performed. The disclosed user data can be observed, or even copied, by the data manipulation officer and by others.
This research suggests a solution that conceals the user's data all the time it is kept in the database engine, and even during data processing by anyone who performs a task using that data.
Paillier's homomorphic encryption algorithm is used to solve this problem. The data stays protected as long as it does not need to be revealed to an authorized actor.
Paillier's encryption is an encryption algorithm that possesses the homomorphic property. That property covers the addition and multiplication operations. Unfortunately, the subtraction and division operations are not covered.
This paper presents a simple technique that extends Paillier's encryption to handle the subtraction and division operations.

Homomorphic encryption scheme[1]
Homomorphic encryption is a form of confidential encryption system based on the homomorphism property of abstract algebra. Encrypted data, or cipher text, can be computed on mathematically, and the result of the operation has the same value as the identical computation on the plain text. Many encryption algorithms have a homomorphic property, such as RSA, Paillier, etc.
Unfortunately, many traditional encryption algorithms do not cover all mathematical computations. For example, RSA encryption has only a multiplicative homomorphic property, while Paillier's encryption algorithm has both multiplicative and additive homomorphic properties.
This paper chose Paillier's encryption algorithm because it can easily be extended to both the subtraction and division operations. Therefore, all basic computations (+, -, * and /) can be performed on encrypted data just as they are performed on plain data.
Homomorphic property of Paillier's encryption algorithm
Addition
The additive homomorphic property of Paillier's encryption is shown in equation (1).
Step 4: a positive integer, called g, is chosen arbitrarily. Its value must lie in the required range and satisfy the property in equation (7).
Step 5: calculate the remaining private value from equation (8), where L(u) is the function applied to the value u.
Step 6: the public key is therefore (n, g) and the private key is the pair of secret values computed in the previous steps.
If "p" and "q" have the same length, the variables can be set as follows.

Data Encryption
Let "m" be the plain text and "c" the cipher text. Encryption of "m" under the public key is shown in equation (9).
The random value r is chosen arbitrarily by whoever performs the plain data encryption. It must be a positive integer that satisfies the stated criteria. Ordinarily, the cipher text value c is an element of the stated range.
Data Decryption
The plain text "m" is revealed by decrypting the cipher text with the private key, as shown in equation (10). (10)
Modular data inversion
To overcome the limitation that Paillier's encryption cannot directly support the subtraction and division operations, a data inversion technique is used to transform an operand into its inverse form. The inverted operand can then be handled by the two supported operations. These strategies therefore extend Paillier's encryption to support subtraction through addition and division through multiplication.
Modular additive inversion [3]
The modular additive inversion technique overcomes the lack of a subtraction operation in Paillier's encryption system. If "y" is the operand in the operation "x - y" with operand "x", then "v", the modular additive inverse of "y", is substituted for "y". Using this additive inverse, the subtraction operation is turned into an addition operation.
Therefore the subtraction operation should be equivalent to the corresponding addition. The value of "v" is calculated from the requirement that y and v add up to "0", the identity value of the addition operation.
For example, let v be the modular additive inverse of 4 mod 7; then v can be calculated from the following equation.
Hence, 3 is the modular additive inverse of 4 mod 7.
Modular Multiplicative Inverse [4]
To perform the division operation, the operand "y" must be changed to its modular multiplicative inverse "v". "v" is the inverse form of "y" and is calculated from the corresponding condition. The division operation is then transformed as shown in equation (11). (11)
Let v be the modular multiplicative inverse of "y mod m". Check whether the gcd is "1". If the "gcd" criterion is met, the modular multiplicative inverse can be calculated. If there exist integers "a" and "b" that satisfy the criterion, then "b" is the modular multiplicative inverse of "y". For example, let v be the modular multiplicative inverse of 4 mod 11. Check the greatest common divisor of "y" and "m": gcd(4, 11) = 1 passes the criterion, and the values are assigned accordingly. There exist two integers, "a = -1" and "b = 3", that satisfy the criterion. Hence "3" is the modular multiplicative inverse of 4 mod 11.
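As an added illustration (this code is not from the paper), the following Python implements the two inversion techniques above with the extended Euclidean algorithm and reproduces the paper's worked values: the additive inverse of 4 mod 7 is 3, and for 4 mod 11 the coefficients a = -1, b = 3 give the multiplicative inverse 3. It also goes one step beyond the text by carrying a subtraction and a division through the inverses and checking when the division result is an ordinary quotient. The function names and the moduli used in the subtraction and division calls are my own choices.

```python
# Added example (not from the paper): modular additive and multiplicative
# inverses, the two building blocks that turn "x - y" into an addition and
# "x / y" into a multiplication. Function names are my own.

def additive_inverse(y, m):
    """Return v with (y + v) mod m == 0, the additive inverse of y modulo m."""
    return (-y) % m


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b) (iterative Euclid)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def has_inverse(y, m):
    """The multiplicative inverse exists only when gcd(y, m) == 1."""
    return extended_gcd(m, y)[0] == 1


def multiplicative_inverse(y, m):
    """Return v with (y * v) mod m == 1; raise if gcd(y, m) != 1.

    extended_gcd(m, y) yields a, b with a*m + b*y == 1, so b is the inverse
    (the paper's a = -1, b = 3 for 4 mod 11 comes out of this call)."""
    g, a, b = extended_gcd(m, y)
    if g != 1:
        raise ValueError(f"{y} has no inverse mod {m}: gcd is {g}")
    return b % m


def subtract_via_addition(x, y, m):
    """x - y (mod m) computed only with an addition."""
    return (x + additive_inverse(y, m)) % m


def divide_via_multiplication(x, y, m):
    """x / y (mod m) computed only with a multiplication.

    This equals the integer quotient only when y divides x exactly; otherwise
    it is the modular quotient, which is not an ordinary division result."""
    return (x * multiplicative_inverse(y, m)) % m


def is_exact_division(x, y, m):
    """Check whether the modular quotient is also the ordinary integer quotient."""
    return y != 0 and x % y == 0 and divide_via_multiplication(x, y, m) == x // y
```

The last two functions carry the practical caveat: 8 / 4 mod 11 gives 2, the ordinary quotient, but 7 / 4 mod 11 gives 10, which is correct modular arithmetic and useless as a database division result. A DSM-PHE operator can only rely on the division extension when the divisor is known to divide the stored value exactly.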
Exclusive .or. (.xor.) Operation [5]
Exclusive or, .xor., is a logical operation whose result is "true" when exactly one operand is "true", and "false" when both operands are "true" or both are "false".

Related research
Paillier's cryptosystem was used in secure electronic voting [6]. The voter's ballot was encrypted with Paillier's encryption under the individual voter's public key, and the vote was digitally signed. The voting officers know nothing about the ballots. At the end, all ballots were decrypted by the voting director using the master private key.
In an application for securing multimedia data in a cloud environment using Paillier's cryptography [7], many multimedia contents were related to events sensitive to their owner, to an organization, or even to a country's survival. Unfortunately, many of these contents need to be stored in untrustworthy cloud storage. Homomorphic encryption was used to conceal the contents in order to increase secrecy. The contents could be computed on many times by many operators, legitimate or not, while remaining invisible. Only someone holding the private key could reveal them.
Nowadays, as Kamal [8] observes, many enterprises choose to perform their data processing on cloud computing. Data were encrypted with traditional encryption algorithms before being sent for processing on the cloud server. Nevertheless, such encrypted data must be revealed before any data processing, so a cloud computing officer could easily obtain the plain data and the user's data was completely disclosed. A homomorphic encryption algorithm can prevent anyone from accessing the plain data: all processing on the cloud is still performed as normal data processing, without decrypting the data.
Seddik [9] presents a method of protecting a text file from a security breach. The data file was separated into many portions, and each portion was encrypted with a defined encryption algorithm, while another data file was encrypted under a different encryption algorithm. This technique increases the confusion faced by cryptanalysis.
Hussain [10] suggested a security protocol to manage the security of customer data held by a cloud storage provider. The designed protocol consists of key generation, key exchange and data encryption. Customers must encrypt their data files with their own invisible public key, generated by a key generation bot. No one else can reveal a data file stored in the cloud storage except the holder of the private key.
There are many security problems, such as cost and time delay, in managing cloud storage security. Basma [11] presented an encryption management protocol based on Paillier's encryption algorithm. An automated master agent (AMA) was added to the multi-agent system architecture (MASA) layer on the cloud client side. These agents were responsible for performing encryption and decryption in order to reduce the time delay of data encryption. Moreover, the data owner is informed of any data manipulation events on their own data by a QR code carrying an encoded key print.

Database Secure Manipulation
The DSM-PHE protocol is explained step by step as follows.
The scenario, in brief, involves the following actors. DA: is the one responsible for public and private key generation and for the encrypt and decrypt operations.
DOP: is the one who undertakes public key (Paillier) encryption and data manipulation. DOi:'s data is first encrypted by DA: with DOi:'s public key and saved in the database engine.
DOP: is a client responsible for data processing without any knowledge of the original plain data.
For some event, DOi:'s data is requested for disclosure. DOi:'s request, containing the plain data record ID, is sent to DA:. The requested encrypted data record is then retrieved from cloud storage or the database engine.
DA: decrypts the latest cipher text with DOi:'s private key (Paillier) so that the plain data is revealed, and this plain data is then sent back to DOi:.
DA: undertakes two encryption responsibilities. First, DOi:'s data record is encrypted with DOi:'s public key (not Paillier). Second, DA: encrypts DOi:'s data record with the Paillier public key before submitting the record to be kept in the database.
Iteratively, this data record is further manipulated under the designed DSM-PHE operations.
When DOi: requests his own plain data from DA:, DA: performs two tasks. First, it decrypts the cipher text, DOi:'s encrypted data record, with DOi:'s Paillier private key. Second, it sends the result to DOi:. After that, DOi: reveals the plain text by decrypting it with his own private key (not Paillier). The second task is included to preserve data secrecy while the data is transferred over the network. Any public key system, such as RSA, can be used for this activity.
Concisely, the DSM-PHE operation described later is explained in terms of DSM-PHE only, so the encryption task details relate mostly to Paillier's encryption algorithm.
Scenario of DSM-PHE. The details of each step are shown in figure 1. There are two database engines. The first, DA:'s lookup table, is used to keep the generated keys of all DOi:. The second database engine is used to keep the encrypted data records of all DOi:. Every data record in the database engine is stored in encrypted form at all times during data manipulation.
First, the initial data is the data record of the data owner, DOi:. This record is encrypted with DOi:'s public key (not Paillier) under DA:'s responsibility. After that, the data is iteratively manipulated by the database operator, DOP:, who is responsible for data operations such as addition, subtraction, multiplication and division. All data manipulation is processed on the encrypted data record. DOP: has to encrypt the operand, applied to the encrypted data record, with DOi:'s public key (Paillier), which is retrieved from DA:'s lookup table. Consequently, DOP: cannot access the plain data at any time during his work.
The initial data is changed many times until the data owner requests that the plain data be revealed. The data owner, DOi:, informs DA: of this request. DA: must retrieve the encrypted data record from the database engine and decrypt it. DA: decrypts the cipher text under Paillier's encryption algorithm with DOi:'s key, not with a DSM-PHE Paillier operation. DA: sends the result to the data owner. DOi: decrypts the received cipher text with DOi:'s private key (not Paillier) to obtain the requested plain data record.
The details of all actor tasks are presented in table 1. There are 14 main tasks, or 23 subtasks in total. The scenario of DSM-PHE in table 1 is only a simple protocol that proceeds through the tasks strictly necessary for homomorphic encryption.
For more secrecy, some tasks must be provided additionally, such as authentication checks and plain data encryption while data is transferred between DA: and DOi:. Customer certification through a CA is a possible technique for handling this task in order to obtain stronger authentication.
Since there are many DOi: (i = 1, n), DA: must create a distinct public key and private key for each one. This pair of keys is used in the particular tasks shown in table 1.
Normally, there will be many transactions that proceed on a specific current data record. The data update operation may be addition, multiplication, division or subtraction. Therefore, DOP: must apply the right encryption operation for the type of operation, as explained above.

Key generation (practical example)
The data operations "addition and subtraction" explained in the next topic cover only the tasks related to Paillier's encryption and exclude every task that is not related to Paillier's encryption.

Subtraction operation
Suppose that DOi:'s data is "3" and DOP: wants to subtract "2" from "3", i.e. "3 - 2".
DA: responsibility. DA:-4 starts as follows: DOi:'s data is encrypted once, the first time, and this encrypted data is saved in the database engine. The "r" value is defined; suppose that r = 4.
- Encrypt DOi:'s plain text ("3").
- The encrypted data record is encrypted according to the type of operation.
- Send this encrypted data record to be kept in the database engine.
Database engines
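The subtraction scenario above (DOi:'s value "3", DOP: subtracts "2", r = 4) carried through on a toy Paillier instance, as an added example that is not the paper's code. The primes p = 11, q = 13, the choice g = n + 1, the decoding of negative results and all function names are my assumptions; the paper's own key generation example is not reproduced here. The block also covers division by a multiplicative inverse, the paper's other extension, and shows what the operator gets back when the division is not exact.

```python
import math
import secrets

# Added example (not the paper's code): textbook Paillier on toy-sized keys,
# with the four DSM-PHE operations performed on cipher text only.
# Constructed parameters: p = 11, q = 13; real deployments need large primes.

def l_function(u, n):
    """Paillier's L(u) = (u - 1) / n, defined for u congruent to 1 mod n."""
    return (u - 1) // n


def keygen(p, q):
    """Return ((n, g), (lambda, mu)). g = n + 1 is a standard valid choice."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1
    n_sq = n * n
    mu = pow(l_function(pow(g, lam, n_sq), n), -1, n)    # mu = L(g^lambda mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """E(m) = g^m * r^n mod n^2 with r in Z_n*; r = 4 reproduces the paper's choice."""
    n, g = pub
    n_sq = n * n
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while math.gcd(r, n) != 1:
            r = secrets.randbelow(n - 1) + 1
    if not (0 < r < n and math.gcd(r, n) == 1):
        raise ValueError("r must be a positive integer below n and coprime to n")
    return (pow(g, m % n, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return (l_function(pow(c, lam, n * n), n) * mu) % n


# Operations DOP: performs on the stored cipher text; k is a plain operand.
def add_const(pub, c, k):
    """E(m) * E(k) decrypts to m + k: the additive homomorphism."""
    n, _ = pub
    return (c * encrypt(pub, k)) % (n * n)


def sub_const(pub, c, k):
    """Subtraction via the modular additive inverse: add E(n - k)."""
    n, _ = pub
    return add_const(pub, c, (-k) % n)


def mul_const(pub, c, k):
    """E(m)^k decrypts to m * k: the multiplicative (by constant) homomorphism."""
    n, _ = pub
    return pow(c, k % n, n * n)


def div_const(pub, c, k):
    """Division via the modular multiplicative inverse: raise to k^-1 mod n.
    The result is the ordinary quotient only when k divides m exactly."""
    n, _ = pub
    return mul_const(pub, c, pow(k, -1, n))


def decode_signed(x, n):
    """Map a residue mod n back to a signed integer (upper half means negative)."""
    return x - n if x > n // 2 else x


def paper_example():
    """The paper's scenario: store E(3) with r = 4, then DOP: computes 3 - 2."""
    pub, priv = keygen(11, 13)
    c = encrypt(pub, 3, r=4)
    c = sub_const(pub, c, 2)
    return decrypt(pub, priv, c)   # DA: recovers 1
```

Note that `sub_const` never sees the stored value: it only multiplies the cipher text by a fresh encryption of the additive inverse, which is exactly the substitution the paper describes. The same holds for `div_const`, and with n = 143 a request to divide 7 by 4 decrypts to 109 (7 times the inverse of 4 modulo 143), so DA: must know the divisor divides the stored value before treating the result as a quotient.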

Performance comparison
Assume that each task consumes one unit of computer time. According to the Database Secure Manipulation (DSM-PHE) explained above, there are more tasks than in ordinary database manipulation without any encryption activity.
Normal database manipulation, without any encryption, has no key preparation overhead, so its scenario for both subtraction and division performs only five tasks.

Key secrecy enhancement
The public and private keys for each DOi:, prepared by DA:, are kept in DA:'s lookup table. These keys are managed and used by DA: and DOP:. If someone gains access to this file, the secrecy and integrity of DOi:'s data would be compromised.
Since DSM-PHE already involves many operations and takes more processing time, any additional task added to protect DOi:'s data security must not consume too much processing time. To address this, DA: undertakes the additional tasks explained below.
DA: defines an arbitrary random number (r) with the same number of bits as the target key; it is kept confidential and no one else can access it.
All public and private keys are processed through the exclusive OR operation with the assigned random number (r) before the keys are stored.
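An added example of the key masking step above, written by the editor rather than taken from the paper. It keeps DA:'s lookup table as a dictionary, masks each key component with its own random r of matching bit length, and includes a self-check that explains why one r must not be shared between a public and a private component: XOR with the same r cancels out, so anyone holding the table and the (public) key would recover the private one without r. The key values are constructed toy integers, and the table layout and function names are assumptions.

```python
import secrets

# Added example (not the paper's code): XOR masking of the per-owner keys in
# DA:'s lookup table, with a fresh mask per key component. Toy integers only.

def xor_mask(value, r):
    """XOR is its own inverse, so the same call masks and unmasks."""
    return value ^ r


def fresh_mask(bit_length):
    """Random r with the same bit length as the key it protects (top bit set)."""
    bits = max(bit_length, 1)
    return secrets.randbits(bits - 1) | (1 << (bits - 1))


def store_keys(table, owner, pub, priv):
    """Mask every component with its own r before it enters the table.
    Returns the masks, which DA: keeps confidential and apart from the table."""
    components = (("n", pub[0]), ("g", pub[1]), ("lam", priv[0]), ("mu", priv[1]))
    masks, entry = {}, {}
    for name, value in components:
        r = fresh_mask(value.bit_length())
        masks[name] = r
        entry[name] = xor_mask(value, r)
    table[owner] = entry
    return masks


def load_keys(table, owner, masks):
    """Reverse the masking to hand the real keys to DA: or DOP:."""
    e = table[owner]
    pub = (xor_mask(e["n"], masks["n"]), xor_mask(e["g"], masks["g"]))
    priv = (xor_mask(e["lam"], masks["lam"]), xor_mask(e["mu"], masks["mu"]))
    return pub, priv


def table_hides_keys(table, owner, pub, priv):
    """Check that no stored component equals its plain value."""
    e = table[owner]
    return (e["n"] != pub[0] and e["g"] != pub[1]
            and e["lam"] != priv[0] and e["mu"] != priv[1])


def shared_mask_is_unsafe(pub_value, priv_value, r):
    """Self-check for the design: with one r on both a public and a private
    component, masked_pub XOR masked_priv XOR pub_value equals priv_value,
    so the mask gives no protection. Returns True when that recovery works."""
    masked_pub = xor_mask(pub_value, r)
    masked_priv = xor_mask(priv_value, r)
    return (masked_pub ^ masked_priv ^ pub_value) == priv_value
```

Because `fresh_mask` sets the top bit of r to match the key's length, the masked value always differs from the stored key, which is what `table_hides_keys` verifies. The paper's scheme, as written, uses one r for all keys; `shared_mask_is_unsafe` is the check a DA: should run to see that per-component masks are required for the public key, which is known to DOP:, not to reveal the private one.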

Summary and Suggestion
In summary, DSM-PHE consumes more computation tasks than normal database manipulation. Therefore, the database administrator should choose the DSM-PHE operation only in situations where sensitive data and secrecy are the more important concerns. This paper presents computation on positive integers and neglects operations on positive and negative floating point numbers. Number theory and numerical methods should be applied to handle a wider variety of operands and to reduce the computational time.
The private and public keys of each DOi:, stored in DA:'s lookup table, could be attacked by an intruder. Therefore, the secrecy of this series of keys can be enhanced by a simple hiding mathematical operation. These operations consume only nine units of computing time. The DSM-PHE model is composed of a key generation and distribution module, an encryption and decryption module and a data inversion module. These components work together to accomplish secure data manipulation on a specific database. Even though there are many tasks that all actors have to carry out, the overall operation achieves data secrecy and integrity.
DSM-PHE should be a good solution for secure database manipulation, especially when applied to commercial cloud storage. It can prevent an anonymous cloud database administrator from deliberately accessing the customer's database. The cloud database administrator cannot disclose the stored data since they have no private key. This private key is not a static value, since it is frequently changed by DA: through key enhancement. DSM-PHE is suitable for numerical data processing. Hence, DSM-PHE is good for numerical data manipulation, especially of sensitive numerical data.
Nevertheless, DSM-PHE is also practically usable in other disciplines such as national security, critical infrastructure control, health care, industrial control systems, inventory control and organizational financial information. Personal behavior information on several social media platforms should be protected from the social media provider, since transactions can be completely manipulated without revealing the user's important data.