论文信息 - Fully Homomorphic Encryption without Bootstrapping

Fully Homomorphic Encryption without Bootstrapping

We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2 security against known attacks. For RLWE, we have: • A leveled FHE scheme that can evaluate L-level arithmetic circuits with O(λ · L) per-gate computation – i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure. • A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is O(λ), independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes). We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width – e.g., where a constant fraction of levels have width at least λ – we can reduce the per-gate computation of the bootstrapped version to O(λ), independent of L, by batching the bootstrapping operation. Previous FHE schemes all required Ω(λ) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011). ∗Sponsored by the Air Force Research Laboratory (AFRL). Disclaimer: This material is based on research sponsored by DARPA under agreement number FA8750-11-C-0096. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Approved for Public Release, Distribution Unlimited. †This material is based on research sponsored by DARPA under agreement number FA8750-11-2-0225. The same disclaimer as above applies. ISSN 1433-8092 Electronic Colloquium on Computational Complexity, Report No. 111 (2011)

Craig Gentry | Vinod Vaikuntanathan | Zvika Brakerski

[1] Frederik Vercauteren,et al. Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes , 2010, Public Key Cryptography.

[2] David Cash,et al. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[3] Ron Steinfeld,et al. Faster Fully Homomorphic Encryption , 2010, ASIACRYPT.

[4] Dan Boneh,et al. Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[5] Oded Regev,et al. The Learning with Errors Problem (Invited Survey) , 2010, 2010 IEEE 25th Annual Conference on Computational Complexity.

[6] Craig Gentry,et al. Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[7] Craig Gentry,et al. Fully Homomorphic Encryption over the Integers , 2010, EUROCRYPT.

[8] Anat Paskin-Cherniavsky,et al. Evaluating Branching Programs on Encrypted Data , 2007, TCC.

[9] Vinod Vaikuntanathan,et al. Can homomorphic encryption be practical? , 2011, CCSW '11.

[10] Ronald L. Rivest,et al. ON DATA BANKS AND PRIVACY HOMOMORPHISMS , 1978 .

[11] Jean-Sébastien Coron,et al. Fully Homomorphic Encryption over the Integers with Shorter Public Keys , 2011, IACR Cryptol. ePrint Arch..