
I was reading this paper by Philippe Golle on using the homomorphic properties of ElGamal encryption to play a game of mental poker (i.e. cryptographically secure poker without a trusted third party dealer). I decided that it would be a good project to try to implement some basic version of but I quickly ran into some problems.

It seems that ElGamal (and RSA, for that matter) are considered generally insecure and the prevailing advice seems to be to avoid them. Thus, the two big options for partial homomorphism fall off the table for games with high enough stakes. Furthermore, I couldn't really find any other standardized cryptosystems that have this property and work on discrete values and not approximations (necessary to implement the algorithm outlined in the paper). Am I missing something obvious?

I guess my question is: if Golle was writing this paper in 2022, what would he have proposed instead of ElGamal for games of poker with high enough stakes?

2 Answers


There are two obvious things to mention. First, with the caveat that I only briefly skimmed the paper you linked, I see section 3 states that the encryption scheme used needs 3 properties, namely

  1. additive homomorphism,

  2. "modular plaintext comparison", e.g. checking if $Enc(c)$ is an encryption of 0,

  3. a distributed key generation protocol.

It would be easier to answer this question if you could formalize precisely what operations/properties you need though.

Lattice-based

That all being said, by far the most common type of partially homomorphic encryption scheme currently are R(LWE) variants of encryption. These satisfy a "noisy" variant of additive homomorphism though, meaning that one can only evaluate some a priori bounded number of additive homomorphisms. If you need arbitrary additions, this can be done as well, for example the schemes FHEW/TFHE are perhaps suited well for this (note that these are fully homomorphic encryption schemes, although they are particularly efficient ones). It is plausible/likely this is fine in your case though.

For the other two points, I would need to more carefully read/know the precise requirements of the scheme. It seems plausible to me that RLWE-based encryption schemes could work for your situation though, but I won't bother trying to fill out details because...

El-Gamal based

While you are right that "classical" El-Gamal (say based on finite-field Diffie Hellman) is somewhat dated, you can use El-Gamal based on elliptic curve groups. This is "modern" (although still weak against quantum computers, if this is your concern), and likely easier for your purposes than working out the details of how to use a lattice-based scheme. Note that for general encryption there is little reason to use elliptic curve variants of El Gamal (see here for details), but since you specifically want to use the additive homomorphism, using El Gamal makes sense.

If you are against using Elliptic Curve El Gamal for some reason, your main remaining options are lattice-based schemes. This will require more work to figure out the details of, which will be easier for people on this website to help you with if you can say precisely what requirements you have for the underlying encryption scheme.

Mark Schultz-Wu
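The answer above relies on the additively homomorphic ("exponential") variant of ElGamal, where a plaintext $m$ is encoded as $g^m$ so that multiplying ciphertexts adds plaintexts, and on the paper's property 2 (testing whether a ciphertext encrypts 0). The following is an added example, not code from the answer or from Golle's paper. It works in a prime-order subgroup of $\mathbb{Z}_p^*$ with a constructed toy safe prime (the same construction carries over to an elliptic-curve group, only the group operation changes); every parameter value is constructed and far too small for real use. It also shows why the footnote in the other answer calls this variant restrictive: recovering $m$ from $g^m$ needs a discrete log, so plaintexts must come from a small range, whereas the zero test needs no discrete log at all.

```python
"""Exponential (additively homomorphic) ElGamal in a prime-order subgroup.

Added example with constructed toy parameters: P = 2*Q + 1 is a safe prime and
G = 2^2 mod P is a quadratic residue, hence a generator of the order-Q subgroup.
Plaintexts live modulo Q; m is encoded as G^m so Enc(a) * Enc(b) = Enc(a + b).
"""
import secrets

P = 2039   # constructed toy safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 mod P, a generator of the order-Q subgroup


def keygen():
    """Private key x in [1, Q-1], public key y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """Encrypt m (taken modulo Q) as (G^r, G^m * y^r); negative m is allowed."""
    r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    c2 = pow(G, m % Q, P) * pow(y, r, P) % P
    return c1, c2


def add(ct_a, ct_b):
    """Homomorphic addition: the componentwise product encrypts a + b."""
    return ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P


def scalar_mul(ct, k):
    """Homomorphic multiplication by a public constant k: Enc(m)^k = Enc(k*m)."""
    return pow(ct[0], k, P), pow(ct[1], k, P)


def decrypt_to_group(x, ct):
    """Recover G^m. Cheap: c2 * c1^(-x), and c1^(-x) = c1^(Q-x) since c1 has order Q."""
    c1, c2 = ct
    return c2 * pow(c1, Q - x, P) % P


def is_encryption_of_zero(x, ct):
    """The paper's 'modular plaintext comparison' for 0: Enc(0) opens to G^0 = 1.
    No discrete logarithm is needed, so this works for any plaintext size."""
    return decrypt_to_group(x, ct) == 1


def decrypt(x, ct, max_m):
    """Recover m by brute-forcing the discrete log over the range 0..max_m.

    This is the restriction of the scheme: m must come from a small known range
    (e.g. card values or pot sizes), otherwise decryption is infeasible.
    """
    target = decrypt_to_group(x, ct)
    acc = 1
    for m in range(max_m + 1):
        if acc == target:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside 0..%d (or wrapped modulo Q)" % max_m)


def demo():
    """Constructed sample: sum two encrypted card values and test a zero ciphertext."""
    x, y = keygen()
    total = add(encrypt(y, 12), encrypt(y, 30))
    cancels = add(encrypt(y, 5), encrypt(y, -5))
    return decrypt(x, total, 100), is_encryption_of_zero(x, cancels)


if __name__ == "__main__":
    print(demo())   # (42, True)
```

The zero test is what makes the scheme usable for the comparison step without ever paying for a discrete log; it is also why the plaintext range of anything you actually need to *read back* must stay small.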

ElGamal and RSA «are considered generally insecure» IF one assumes Cryptographically Relevant Quantum Computers. But these remain highly hypothetical. The world (internet, banking, mobile...) currently runs on cryptosystems which, when asymmetric, are theoretically vulnerable to these hypothetical CRQCs: RSA, ECDSA, EdDSA, ECIES…

Paillier's cryptosystem is worth consideration when one disregards the CRQC hypothesis. It's simple¹, provides additively homomorphic encryption of (possibly signed) integers with a small and clear restriction², has efficiency within a small constant factor of RSA decryption (thus bearable in many applications), is patent-free, is provably reducible to a mathematical problem widely believed to be super-polynomial for classical computers, and is regarded as secure as RSA for the same prime size.

The main reason Paillier's cryptosystem is not much used in practice is, I believe, that homomorphic encryption in general is not in high demand.

Addition: Paillier encryption is not vulnerable to padding oracle attacks or poor choice of padding, since (contrary to RSA) it needs no padding. It's vulnerable to attacks on implementation about as much as RSA is, including exploiting poor random number generators at key generation or use, side channels and fault attacks. The similarity to RSA is good news, since effective countermeasures against attacks are known for RSA, and can largely be adapted to Paillier.


¹ Especially with the common restriction of $n$ the product of two primes of equal size, and $g=n+1$.

² Plaintext that exceeds $n$ gets reduced modulo $n$, with $n$ a public parameter huge enough that this is not an issue for anything that can be counted, including any meaningful fraction of currency, even atoms. Contrast with the additively homomorphic variant of ElGamal, which has severe restrictions about the integers it can add.

fgrieu
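The answer above describes Paillier with the common restriction $n = pq$ for two equal-size primes and $g = n + 1$, its additive homomorphism on (possibly signed) integers, and the one restriction that plaintexts are reduced modulo $n$ (footnotes ¹ and ²). The following is an added example, not code from the answer; it implements exactly that restricted form. With $g = n + 1$ one has $g^m \equiv 1 + mn \pmod{n^2}$, so encryption needs no exponentiation of $g$ and decryption is $L(c^{\lambda} \bmod n^2)\cdot \lambda^{-1} \bmod n$ with $L(u) = (u-1)/n$. The Miller-Rabin prime generator is a plain helper written for this example; the default key size is a toy value chosen so the demo runs quickly, and real deployments use RSA-size moduli (2048 bits or more).

```python
"""Paillier with n = p*q (equal-size primes) and g = n + 1. Added example."""
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with small-prime trial division first (helper for this example)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd prime with the top bit set, so two of them have equal size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Public key n; private key (n, lambda, mu) with mu = lambda^-1 mod n (valid for g = n + 1).
    bits=512 is a toy size for a quick demo, not a recommendation."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n = p * q
        if p != q and gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return n, (n, lam, mu)


def encrypt(n, m):
    """c = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n. Plaintext is taken mod n,
    which is footnote ²: negative m is encoded as n + m, and m >= n wraps around."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def decrypt(sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add(n, c1, c2):
    """Homomorphic addition: product of ciphertexts encrypts the sum."""
    return c1 * c2 % (n * n)


def scalar_mul(n, c, k):
    """Homomorphic multiplication by a public integer k."""
    return pow(c, k, n * n)


def decode_signed(n, m):
    """Read a decrypted residue back as a signed integer (values above n/2 are negative)."""
    return m - n if m > n // 2 else m


if __name__ == "__main__":
    n, sk = keygen(512)
    pot = add(n, encrypt(n, 12), encrypt(n, 30))          # 42
    net = add(n, encrypt(n, 3), encrypt(n, -10))          # -7 once decoded as signed
    print(decrypt(sk, pot), decode_signed(n, decrypt(sk, net)))
```

Note that, unlike the exponential-ElGamal variant, decryption here returns the integer directly (no discrete log), which is why values of any size below $n$ work; the only failure mode is the modular wrap of footnote ², visible by encrypting $n + 5$ and decrypting to 5.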