Advances in Cryptology – CRYPTO 2013

Gentry’s “bootstrapping” technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a “somewhat homomorphic” one that is powerful enough to evaluate its own decryption function. To date, it remains the only knownway of obtaining unboundedFHE. Unfortunately, bootstrapping is computationally very expensive, despite the great deal of effort that has been spent on improving its efficiency. The current state of the art, due to Gentry, Halevi, and Smart (PKC 2012), is able to bootstrap “packed” ciphertexts (which encrypt up to a linear number of bits) in time only quasilinear Õ(λ) = λ · log λ in the security parameter. While this performance is asymptotically optimal up to logarithmic factors, the practical import is less clear: the procedure composes multiple layers of expensive and complex operations, to the point where it appears very difficult to implement, and its concrete runtime appears worse than those of prior methods (all of which have quadratic or larger asymptotic runtimes). In this work we give simple, practical, and entirely algebraic algorithms for bootstrapping in quasilinear time, for both “packed” and “non-packed” ciphertexts. Our methods are easy to implement (especially in the non-packed case), and we believe that they will be substantially more efficient in practice than all prior realizations of bootstrapping. One of our main techniques is a substantial enhancement of the “ring-switching” procedure of Gentry et al. (SCN 2012), which we extend to support switching between two rings where neither is a subring of the other. Using this procedure, we give a natural method for homomorphically evaluating a broad class of structured linear transformations, including one that lets us evaluate the decryption function efficiently.

[1]  Jooyoung Lee,et al.  Collision Resistance of the JH Hash Function , 2012, IEEE Transactions on Information Theory.

[2]  François-Xavier Standaert,et al.  Practical Leakage-Resilient Pseudorandom Objects with Minimum Public Randomness , 2013, CT-RSA.

[3]  Thomas Peyrin,et al.  The LED Block Cipher , 2011, IACR Cryptol. ePrint Arch..

[4]  Eric Miles,et al.  Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs , 2012, J. ACM.

[5]  John P. Steinberger,et al.  Security/Efficiency Tradeoffs for Permutation-Based Hashing , 2008, EUROCRYPT.

[6]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[7]  Alex Biryukov,et al.  Structural Cryptanalysis of SASAS , 2001, Journal of Cryptology.

[8]  Vincent Rijmen,et al.  Known-Key Distinguishers for Some Block Ciphers , 2007, ASIACRYPT.

[9]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[10]  Yannick Seurin,et al.  How to Construct an Ideal Cipher from a Small Set of Public Permutations , 2013, ASIACRYPT.

[11]  E. Biham,et al.  The SHAvite-3 Hash Function , 2008 .

[12]  Alex Biryukov,et al.  Speeding up Collision Search for Byte-Oriented Hash Functions , 2009, CT-RSA.

[13]  Jean-Sébastien Coron,et al.  A Domain Extender for the Ideal Cipher , 2010, TCC.

[14]  John P. Steinberger,et al.  On the Indifferentiability of Key-Alternating Ciphers , 2013, IACR Cryptol. ePrint Arch..

[15]  Thomas Peyrin,et al.  Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations , 2010, FSE.

[16]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[17]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[18]  Nils J. Nilsson,et al.  A Formal Basis for the Heuristic Determination of Minimum Cost Paths , 1968, IEEE Trans. Syst. Sci. Cybern..

[19]  Florian Mendel,et al.  Symmetric Cryptography , 2009 .

[20]  Yevgeniy Dodis,et al.  Salvaging Merkle-Damgard for Practical Applications , 2009, IACR Cryptol. ePrint Arch..

[21]  François-Xavier Standaert,et al.  Security Evaluations beyond Computing Power , 2013, EUROCRYPT.

[22]  Hongjun Wu,et al.  The Hash Function JH , 2009 .

[23]  Alex Biryukov,et al.  Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others , 2010, EUROCRYPT.

[24]  Adi Shamir,et al.  Minimalism in Cryptography: The Even-Mansour Scheme Revisited , 2012, EUROCRYPT.

[25]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[26]  John P. Steinberger,et al.  Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers , 2008, CRYPTO.

[27]  Pierre-Alain Fouque,et al.  Automatic Search of Attacks on round-reduced AES and Applications , 2011, IACR Cryptol. ePrint Arch..

[28]  Mitsuru Matsui,et al.  On Correlation Between the Order of S-boxes and the Strength of DES , 1994, EUROCRYPT.

[29]  Eli Biham,et al.  A Unified Approach to Related-Key Attacks , 2008, FSE.

[30]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[31]  Ronald L. Rivest,et al.  Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 , 2009, FSE.

[32]  Alex Biryukov,et al.  Distinguisher and Related-Key Attack on the Full AES-256 , 2009, CRYPTO.

[33]  David A. Wagner,et al.  The Boomerang Attack , 1999, FSE.

[34]  V. Rijmen,et al.  On the Four-Round AES Characteristics , 2013 .

[35]  Yevgeniy Dodis,et al.  A New Mode of Operation for Block Ciphers and Length-Preserving MACs , 2008, EUROCRYPT.

[36]  Eli Biham,et al.  New types of cryptanalytic attacks using related keys , 1994, Journal of Cryptology.

[37]  Gregor Leander,et al.  Small Scale Variants Of The Block Cipher PRESENT , 2010, IACR Cryptol. ePrint Arch..

[38]  Serge Vaudenay,et al.  Decorrelation: A Theory for Block Cipher Security , 2003, Journal of Cryptology.

[39]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[40]  Vincent Rijmen,et al.  The WHIRLPOOL Hashing Function , 2003 .

[41]  Joos Vandewalle,et al.  Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.