Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

We present a new tensoring technique for LWE-based fully homomorphic encryption. While in all previous works, the ciphertext noise grows quadratically (B \to B^2\cdot\poly(n)) with every multiplication (before ``refreshing\u27\u27), our noise only grows linearly (B \to B\cdot\poly(n)). We use this technique to construct a \emph{scale-invariant} fully homomorphic encryption scheme, whose properties only depend on the ratio between the modulus $q$ and the initial noise level $B$, and not on their absolute values. Our scheme has a number of advantages over previous candidates: It uses the same modulus throughout the evaluation process (no need for ``modulus switching\u27\u27), and this modulus can take arbitrary form, including a power of $2$ which carries obvious advantages for implementation. In addition, security can be \emph{classically} reduced to the worst-case hardness of the GapSVP problem (with quasi-polynomial approximation factor), whereas previous constructions could only exhibit a quantum reduction to GapSVP

On Fully Homomorphic Encryption

Täielikult homomorfne krüpteerimine on krüptosüsteem, mille puhul üks osapool saab enda valdusesse krüpteeritud andmed ning saab nende andmetega tõhusalt sooritada erinevaid operatsioone. Operatsioone saab teha hoolimata sellest, et andmed jäävad krüpteerituks ning seega ei ole ka vajalik teada dekrüpteerimisvõtit. Selline süsteem oleks äärmiselt kasulik, näiteks tagades andmete privaatsuse, mis on saadetud kolmanda osapoole teenusele. Täielikult homomorfne krüpteerimine on vastandiks krüptosüsteemidele nagu Paillier, kus ei ole võimalik teostada krüpteeritud andmete peal korrutamist ilma neid enne dekrüpteerimata, või ElGamal, kus ei saa sooritada krüpteeritud andmete liitmist enne andmete dekrüpteerimist. Täielikult homomorfne krüpteerimine on väga uus uurimisala: esimese taolise süsteemi lõi Gentry aastal 2009. Gentry läbimurdest alates on olnud palju tema tööst inspireeritud edasiminekuid. Kõik viimased täielikult homomorfsed krüptosüsteemid kasutavad avaliku võtmega krüptograafiat ja põhinevad võredel. Võre-põhine krüptograafia äratab üha enam huvi oma turvalisuse püsimisega kvantarvutites ning oma halvima juhu turvagarantiidega. Siiski jääb püsima peamine probleem: süsteemidel ei ole veel tõhusat teostust, mis säilitaks adekvaatsed turvalisuse nõuded. Selles valguses vaadatuna, viimased edasiminekud täielikult homomorfses krüpteerimises kas täiendavad eelnevate süsteemide tõhusust või pakuvad välja uue parema efektiivsusega skeemi. Antud uurimus on ülevaade hiljutistest täielikult homomorfsetest krüptosüsteemidest. Õpime tundma mõningaid viimaseid täielikult homomorfseid krüptosüsteeme, analüüsime ning võrdleme neid. Neil süsteemidel on teatud ühised elemendid: 1. Tõhus võre-põhine krüptosüsteem turvalisusega, mis põhineb üldteada võreprobleemide keerulisusel. 2. Arvutusfunktsioon definitsioonidega homomorfsele liitmisele ja korrutamisele müra kasvu piiramiseks. 3. Meetodid, et muuta süsteem täielikult homomorfseks selle arvutusfunktsiooniga. Niipea kui võimalik, kirjutame nende süsteemide peamised tulemused ümber detailsemas ja loetavamas vormis. Kõik skeemid, mida me arutame, välja arvatud Gentry, on väga uued. Kõige varasem arutletav töö avaldati oktoobris aastal 2011 ning mõningad tööd on veel kättesaadavad ainult elektroonilisel kujul. Loodame, et käesolev töö aitab lugejail olla kursis täielikult homomorfse krüpteerimisega, rajades teed edasistele arengutele selles vallas

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving p within half a day a LWE instance with dimension n = 128, modulus $q = n^2$, Gaussian noise $\alpha = 1/(\sqrt{n/\pi} \log^2 n)$ and binary secret, using $2^{28}$ samples, while the previous best result based on BKW claims a time complexity of $2^{74}$ with $2^{60}$ samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time $2^{(\ln 2/2+o(1))n/\log \log n}$. This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density $o(1)$, which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010.Comment: CRYPTO 201

A Survey on Homomorphic Encryption Schemes: Theory and Implementation

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based

We describe a comparatively simple fully homomorphic encryption (FHE) scheme based on the learning with errors (LWE) problem. In previous LWE-based FHE schemes, multiplication is a complicated and expensive step involving relinearization . In this work, we propose a new technique for building FHE schemes that we call the approximate eigenvector method. In our scheme, for the most part, homomorphic addition and multiplication are just matrix addition and multiplication. This makes our scheme both asymptotically faster and (we believe) easier to understand. In previous schemes, the homomorphic evaluator needs to obtain the user\u27s evaluation key , which consists of a chain of encrypted secret keys. Our scheme has no evaluation key. The evaluator can do homomorphic operations without knowing the user\u27s public key at all, except for some basic parameters. This fact helps us construct the first identity-based FHE scheme. Using similar techniques, we show how to compile a recent attribute-based encryption scheme for circuits by Gorbunov et al. into an attribute-based FHE scheme that permits data encrypted under the same index to be processed homomorphically

Efficient Fully Homomorphic Encryption from (Standard) LWE

A fully homomorphic encryption (FHE) scheme allows anyone to transform an encryption of a message, m, into an encryption of any (efficient) function of that message, f(m), without knowing the secret key. We present a leveled FHE scheme that is based solely on the (standard) learning with errors (LWE) assumption. (Leveled FHE schemes are initialized with a bound on the maximal evaluation depth. However, this restriction can be removed by assuming “weak circular security.”) Applying known results on LWE, the security of our scheme is based on the worst-case hardness of “short vector problems” on arbitrary lattices. Our construction improves on previous works in two aspects: 1. We show that “somewhat homomorphic” encryption can be based on LWE, using a new relinearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings. 2. We deviate from the “squashing paradigm” used in all previous works. We introduce a new dimension-modulus reduction technique, which shortens the ciphertexts and reduces the decryption complexity of our scheme, without introducing additional assumptions. Our scheme has very short ciphertexts, and we therefore use it to construct an asymptotically efficient LWE-based single-server private information retrieval (PIR) protocol. The communication complexity of our protocol (in the public-key model) is k·polylog(k)+log |DB| bits per single-bit query, in order to achieve security against 2k-time adversaries (based on the best known attacks against our underlying assumptions). Key words. cryptology, public-key encryption, fully homomorphic encryption, learning with errors, private information retrieva

Homomorphic Encryption and the Approximate GCD Problem

With the advent of cloud computing, everyone from Fortune 500 businesses to personal consumers to the US government is storing massive amounts of sensitive data in service centers that may not be trustworthy. It is of vital importance to leverage the benefits of storing data in the cloud while simultaneously ensuring the privacy of the data. Homomorphic encryption allows one to securely delegate the processing of private data. As such, it has managed to hit the sweet spot of academic interest and industry demand. Though the concept was proposed in the 1970s, no cryptosystem realizing this goal existed until Craig Gentry published his PhD thesis in 2009. In this thesis, we conduct a study of the two main methods for construction of homomorphic encryption schemes along with functional encryption and the hard problems upon which their security is based. These hard problems include the Approximate GCD problem (A-GCD), the Learning With Errors problem (LWE), and various lattice problems. In addition, we discuss many of the proposed and in some cases implemented practical applications of these cryptosystems. Finally, we focus on the Approximate GCD problem (A-GCD). This problem forms the basis for the security of Gentry\u27s original cryptosystem but has not yet been linked to more standard cryptographic primitives. After presenting several algorithms in the literature that attempt to solve the problem, we introduce some new algorithms to attack the problem