Intel Paillier Cryptosystem Library is an open-source library which provides accelerated performance of a partial homomorphic encryption (HE), named Paillier cryptosystem, by utilizing Intel® Integrated Performance Primitives Cryptography technologies on Intel CPUs supporting the AVX512IFMA instructions and Intel® Quickassist Technology. The library is written in modern standard C++ and provides the essential API for the Paillier cryptosystem scheme. Intel Paillier Cryptosystem Library is certified for ISO compliance.
Paillier cryptosystem is a probabilistic asymmetric algorithm for public key cryptography and a partial homomorphic encryption scheme which allows two types of computation:
As a public key encryption scheme, Paillier cryptosystem has three stages:
For increased security, typically the key length is at least 1024 bits, but recommendation is 2048 bits or larger. To handle such large size integers, conventional implementations of the Paillier cryptosystem utilizes the GNU Multiple Precision Arithmetic Library (GMP). The essential computation of the scheme relies on the modular exponentiation, and our library takes advantage of two Intel features - the multi-buffer modular exponentiation function (mbx_exp_mb8
) of IPP-Crypto library, which is enabled in AVX512IFMA instruction sets supporting SKUs, such as Intel Icelake/Sapphire Rapid Xeon® scalable processors and the modular exponentiation operation (cpaCyLnModExp
) of Quickassist Technology library for QAT devices.
For best performance, especially due to the multi-buffer modular exponentiation function, the library is to be used on AVX512IFMA enabled systems, as listed below in Intel CPU codenames:
The library can be built and used without AVX512IFMA and/or QAT, if the features are not supported. But for better performance, it is recommended to use the library on Intel Xeon® scalable processors - Ice Lake-SP or Sapphire Rapids-SP Xeon CPUs while fully utilizing the features.
The following operating systems have been tested and deemed to be fully functional.
We will keep working on adding more supported operating systems.
Must have dependencies include:
cmake >= 3.15.1
git
pthread
Intel C++ Compiler Classic 2021.3 for Linux* OS
Intel oneAPI DPC++/C++ Compiler for Linux* OS >= 2021.3
g++ >= 8.0
clang >= 10.0
The following libraries and tools are also required,
nasm >= 2.15
OpenSSL >= 1.1.0
OpenSSL
can be installed with:
# Ubuntu
sudo apt install libssl-dev
# Fedora (RHEL 8, Centos)
sudo dnf install openssl-devel
In order to install nasm
, please refer to the Netwide Assembler webpage for download and installation details.
The library can be built using the following commands:
export IPCL_ROOT=$(pwd)
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build -j
It is possible to pass additional options to enable more features. The following table contains the current CMake options, default values are in bold.
CMake options | Values | Default | Comments |
---|---|---|---|
IPCL_TEST |
ON/OFF | ON | unit-test |
IPCL_BENCHMARK |
ON/OFF | ON | benchmark |
IPCL_ENABLE_QAT |
ON/OFF | OFF | enables QAT functionalities |
IPCL_ENABLE_OMP |
ON/OFF | ON | enables OpenMP functionalities |
IPCL_THREAD_COUNT |
Integer | OFF | explicitly set max number of threads |
IPCL_DOCS |
ON/OFF | OFF | build doxygen documentation |
IPCL_SHARED |
ON/OFF | ON | build shared library |
IPCL_DETECT_CPU_RUNTIME |
ON/OFF | OFF | detects CPU supported instructions (AVX512IFMA, rdseed, rdrand) during runtime |
If IPCL_DETECT_CPU_RUNTIME
flag is ON
, it will determine whether the system supports the AVX512IFMA instructions on runtime. It is still possible to disable IFMA exclusive feature (multi-buffer modular exponentiation) during runtime by setting up the environment variable IPCL_DISABLE_AVX512IFMA=1
.
For installing and using the library externally, see example/README.md.
Install QAT software stack following the Building the HE QAT Library.
export IPCL_DIR=$(pwd)
export ICP_ROOT=$HOME/QAT
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DIPCL_ENABLE_QAT=ON
cmake --build build -j
For more details, please refer to the HEQAT Readme.
To run a set of unit tests via GoogleTest, configure and build library with -DIPCL_TEST=ON
(see Instructions).
Then, run
cmake --build build --target unittest
For running benchmark via Google Benchmark, configure and build library with -DIPCL_BENCHMARK=ON
(see Instructions).
Then, run
cmake --build build --target benchmark
Setting the CMake flag -DIPCL_ENABLE_OMP=ON
during configuration will use OpenMP for acceleration. Setting the value of -DIPCL_THREAD_COUNT
will limit the maximum number of threads used by OpenMP (If set to OFF or 0, its actual value will be determined at run time).
The executables are located at ${IPCL_ROOT}/build/test/unittest_ipcl
and ${IPCL_ROOT}/build/benchmark/bench_ipcl
.
Alongside the Intel Paillier Cryptosystem Library, we provide a Python extension package utilizing this library as a backend. For installation and usage detail, refer to Intel Paillier Cryptosystem Library - Python.
This library is certified for ISO compliance with the homomorphic encryption standards ISO/IEC 18033-6 by Dekra.
Main contributors to this project, sorted by alphabetical order of last name are: