Fully homomorphic encryption using ideal lattices

We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result: to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable: both the depth that the scheme can correctly evaluate and the depth of its decryption circuit are logarithmic in the lattice dimension, but the decryption circuit is the deeper of the two. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the client in a server-aided cryptosystem.
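The following is an added toy model of the "somewhat homomorphic" step of the abstract, written for this page and not the paper's construction. It assumes a principal ideal J = (v) in R = Z[x]/(x^N + 1) with N = 16, plaintext ideal I = (2), a secret generator v = T + e with T = 1000 and small e (so that the rotation basis of v is a good basis of J), and a "public key" consisting of a few random multiples of v. That public key leaks v and is not the paper's Hermite-normal-form public key; the names ToyScheme, quadratic, noise_fits and first_bad_depth are this example's own. What it shows is the mechanism the abstract describes: ciphertexts are m + 2r + (element of J), addition and multiplication in the ring act on the noise m + 2r, decryption is Babai rounding modulo J followed by reduction modulo 2, and decryption stays correct only while the accumulated noise lies inside the parallelepiped of the secret basis, which is why the evaluable depth is bounded.

```python
"""Toy ideal-lattice scheme (added example; illustrative parameters, not secure).
R = Z[x]/(x^N + 1), I = (2), J = (v).  Ciphertext psi = m + 2*r + a*v.
Decrypt: psi mod J via Babai rounding with v, then mod 2.
The public key below is just random multiples of v: it leaks v (toy only).
"""
from fractions import Fraction
import math
import random

N = 16      # ring dimension (x^N + 1)
T = 1000    # magnitude of the secret generator's constant term


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def sub(a, b):
    return [x - y for x, y in zip(a, b)]


def mul(a, b):
    """Product in R = Z[x]/(x^N + 1): x^N = -1, so wrapped terms flip sign."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    out[i + j] += ai * bj
                else:
                    out[i + j - N] -= ai * bj
    return out


def inverse_over_Q(v):
    """Exact v^-1 in Q[x]/(x^N + 1): solve M w = e_0 with M the rotation matrix of v."""
    cols = [mul([int(t == i) for t in range(N)], v) for i in range(N)]  # x^i * v
    M = [[Fraction(cols[j][i]) for j in range(N)] + [Fraction(int(i == 0))]
         for i in range(N)]
    for c in range(N):                       # Gauss-Jordan elimination over Q
        p = next(r for r in range(c, N) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(N):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][N] for i in range(N)]


class ToyScheme:
    def __init__(self, seed):
        self.rng = random.Random(seed)
        e = [self.rng.randint(-3, 3) for _ in range(N)]
        self.v = [T + e[0]] + e[1:]                  # secret key: generator of J
        self.v_inv = inverse_over_Q(self.v)
        self.pk = [mul([self.rng.randint(-50, 50) for _ in range(N)], self.v)
                   for _ in range(4)]                # "public" elements of J (toy)

    def encrypt(self, m):
        r = [self.rng.randint(-1, 1) for _ in range(N)]
        psi = [m + 2 * r[0]] + [2 * x for x in r[1:]]   # noise m + 2r, coeffs <= 3
        for p in self.pk:                            # plus a random element of J
            if self.rng.random() < 0.5:
                psi = add(psi, p)
        return psi

    def reduce_mod_J(self, psi):
        """Babai rounding: psi - v*round(psi/v), the coset representative inside
        the parallelepiped of v's rotation basis.  Equals the noise iff it fits."""
        q = [math.floor(c + Fraction(1, 2)) for c in mul(psi, self.v_inv)]
        return sub(psi, mul(self.v, q))

    def decrypt(self, psi):
        return self.reduce_mod_J(psi)[0] % 2         # (m + 2r) mod 2 = m

    def noise_fits(self, noise):
        """Decryption-radius check: every coefficient of noise * v^-1 in (-1/2, 1/2)."""
        return all(abs(c) < Fraction(1, 2) for c in mul(noise, self.v_inv))

    def first_bad_depth(self, max_depth=6):
        """Square an encryption of 1 repeatedly; first depth at which decryption fails."""
        c = self.encrypt(1)
        for d in range(1, max_depth + 1):
            c = mul(c, c)                            # noise squares each level
            if self.decrypt(c) != 1:
                return d
        return None


def quadratic(c1, c2, c3, c4):
    """Homomorphic m1*m2 + m3*m4: one multiplicative level, then an addition."""
    return add(mul(c1, c2), mul(c3, c4))


if __name__ == "__main__":
    s = ToyScheme(seed=7)
    cts = [s.encrypt(b) for b in (1, 1, 1, 0)]
    print("1*1 + 1*0 =", s.decrypt(quadratic(*cts)))
    print("first depth where squaring breaks decryption:", s.first_bad_depth())
```

With these parameters a fresh noise vector has coefficients of magnitude at most 3, a product of two fresh ciphertexts at most 16 * 9 = 144, and v^-1 scales by roughly 1/T, so one multiplicative level is always inside the radius 1/2 while repeated squaring soon is not; first_bad_depth makes that visible. What the abstract adds on top of this is bootstrapping: re-encrypting a noisy ciphertext and evaluating the (shallow, squashed) decryption circuit homomorphically to get a fresh one, which this toy does not implement.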
