The HEROIC Framework: Encrypted Computation Without Shared Keysby Nektarios Georgios Tsoutsos, Michail Maniatakos

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems



Quantum key distribution without a shared reference frame

C. E. R. Souza, C. V. S. Borges, A. Z. Khoury, J. A. O. Huguenin, L. Aolita, S. P. Walborn

Key-Private Proxy Re-encryption under LWE

Yoshinori Aono, Xavier Boyen, Le Trieu Phong, Lihua Wang

A methodology for methodology choice

Paul Keys


0278-0070 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCAD.2015.2419619, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 1

The HEROIC Framework:

Encrypted Computation without Shared Keys

Nektarios Georgios Tsoutsos, Student Member, IEEE, and Michail Maniatakos, Member, IEEE

Abstract—Outsourcing computation to the cloud has recently become a very attractive option for enterprises and consumers, due mostly to reduced cost and extensive scalability. At the same time, however, concerns about the privacy of the data entrusted to cloud providers keeps rising. To address these concerns and thwart potential attackers, cloud providers today resort to numerous security controls as well as data encryption. Since the actual computation is still unencrypted inside cloud microprocessor chips, it is only a matter of time until new attacks and side channels are devised to leak sensitive information. To address the challenge of securing general-purpose computation inside microprocessor chips, we propose a novel computer architecture, and present a complete framework for general-purpose encrypted computation without shared keys, enabling secure data processing. This new architecture, called Homomophically EncRypted

One Instruction Computation (HEROIC), contrary to previous work in the area does not require a secret key installed inside the microprocessor chip. Instead, it leverages the powerful properties of homomorphic encryption combined with the simplicity of one instruction set computing. The proposed framework introduces i) an RTL implementation for reconfigurable hardware, and ii) a ready-to-deploy virtual machine, which can be readily ported to existing server processor architectures.

Index Terms—Encrypted processor, homomorphic encryption,

Paillier, cloud computing, virtualization, one instruction set computer


AS cloud computing services become even more afford-able today, the option of outsourcing computationally demanding applications is very appealing. The benefits of performing computation in the cloud typically include great scalability, zero maintenance or upgrade cost, as well as all-in-one and pay-as-you-go service options. Unfortunately, these benefits are some times outweighed by concerns about data privacy in the cloud, and security threats are not at all uncommon: On the cloud provider end, there are known attacks to Amazon EC2/S3 and LastPass in 2011, as well as

Dropbox in 2012 [1]. Moreover, on the infrastructure end, the known exploits to popular hypervisor technologies keep increasing [2]. In contrast to privately owned datacenters, where many logical and physical controls ensure the privacy of the data and executed programs, in a cloud setting users are asked to trust a third party with full control on their sensitive information [3], [4]. This is only possible as long as end users

N. G. Tsoutsos is with the Department of Computer Science and Engineering, New York University Polytechnic School of Engineering, New York City,

USA. E-mail:

M. Maniatakos is with the Department of Electrical and Computer Engineering, New York University Abu Dhabi, Abu Dhabi, UAE. E-mail:

Copyright (c) 2015 IEEE. Personal use of this material is permitted.

However, permission to use this material for any other purposes must be obtained from the IEEE by sending an email to trust the reputation of the cloud provider itself and have studied the provider’s safety record. In case the risk of handing over sensitive information to a cloud provider is not acceptable, users need to incur the usually much higher costs of building and maintaining private datacenters. Thus, it is evident that there is currently a need for protecting the confidentiality of the information processed in the cloud, in a more definitive and effective manner.

A promising solution towards addressing these concerns is the use of a cryptographic algorithm (often refered to as an encryption scheme); this approach renders information unreadable to unauthorized entities, and can protect the confidentiality of sensitive data. Cryptography in general is very popular for the storage and transmission of information, but it has not been widely demonstrated to ensure the privacy of instructions and data inside cloud microprocessor chips, without sharing any cryptographic keys with the host. A few secure microprocessor designs have been proposed in the past [5], but they assume a threat model where the processor pipeline is trustworthy. In such approaches, the inputs to the

CPU are decrypted before processing, and the CPU outputs are re-encrypted, and thus the attack surface is limited to the – typically tamper-proof/resistant– microprocessor chip package.

This approach, however, is still theoretically vulnerable to attackers capable of eavesdropping the pipeline or leaking the cryptographic keys from inside the processor, without triggering the tampering protections. Similar attack proposals have already been demonstrated in [6], where a sub-transistor level Trojan is used for extracting sensitive information from the internals of integrated circuits.

Preventing this kind of information leaking from the processor chip would require microprocessors in cloud datacenters to process encrypted information directly, without ever decrypting them. Current computer architectures, however, like RISC or CISC, cannot directly support execution of encrypted instructions, since encryption effectively prevents the instruction decoder from determining the correct operations. Contemporary processors are engineered for performance and efficiency, since privacy and security have only recently surfaced as design considerations, and processing encrypted information natively has never been a design objective.