## Efficient Fully Homomorphic Encryption from (Standard) LWE (2011)

Venue: LWE, FOCS 2011, IEEE 52nd Annual Symposium on Foundations of Computer Science, IEEE

Citations: 117 - 6 self

### Citations

981 | Public-key cryptosystems based on composite degree residuosity classes - Paillier - 1999 |

955 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, et al. - 1982 |

854 | Pseudo-random generation from one-way functions - Impagliazzo, Levin, et al. - 1989 |
Citation Context: ... $v^T \cdot u$. Let $v$ be an $n$ dimensional vector. For all $i = 1, \ldots, n$, the $i$th element in $v$ is denoted $v[i]$. We use the convention that $v[0] \triangleq 1$. We use the following variant of the leftover hash lemma [ILL89], stated in terms of distinguishing advantage. Lemma 2.1 (matrix-vector leftover hash lemma). Let $\kappa \in \mathbb{N}$, $n \in \mathbb{N}$, $q \in \mathbb{N}$, and $m \ge n \log q + 2\kappa$. Let $A \xleftarrow{\$} \mathbb{Z}_q^{m \times n}$ be a uniformly random matrix, let $r \xleftarrow{\$} \{0, 1\}$...

744 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |
Citation Context: ... Such a scheme follows immediately given any pseudo-random function (PRF). If we want to base security solely on LWE, we can use the LWE-based PRF that is obtained by applying the GGM transformation [GGM86] to an LWE based pseudorandom generator. Note that using such instantiation, we cannot argue that ComposeDB[·],c ∈ Arith[L, T] for reasonable L, T (since the complexity of evaluating the PRF might be...

635 | Fully homomorphic encryption using ideal lattices - Gentry |

359 | On lattices, learning with errors, random linear codes, and cryptography - Regev - 2009 |
Citation Context: ...nted a different instantiation that considered ideals over the integers. Our somewhat homomorphic scheme is based on the hardness of the “learning with errors” (LWE) problem, first presented by Regev [Reg05]. The LWE assumption states that if $s \in \mathbb{Z}_q^n$ is an $n$ dimensional “secret” vector, any polynomial number of “noisy” random linear combinations of [Footnote 2: All known scheme, including ours, treat evaluated funct...]

257 | Computationally private information retrieval with polylogarithmic communication, Eurocrypt - Cachin, Micali, et al. - 1999 |
Citation Context: ...garithmic in the size of the database $N$ (at least $\log N$ bits are required to specify an entry in the database). The first polylogarithmic candidate protocol was presented by Cachin, Micali and Stadler [CMS99] and additional polylogarithmic protocols were introduced by Lipmaa [Lip05] and by Gentry and Ramzan [GR05]. Of which, the latter achieves the best communication complexity of $O(\log^{3-o(1)}(N))$.$^{13}$ The l...

229 | Evaluating 2-DNF Formulas on Ciphertexts - Boneh, Goh, et al. |

211 | A sieve algorithm for the shortest lattice vector problem - Ajtai, Kumar, et al. - 2001 |

202 | NTRU: a ring-based public key cryptosystem - Hoffstein, Pipher, et al. - 1998 |
Citation Context: ...d public keys. The resulting ciphertext after homomorphic evaluation can be decrypted using the knowledge of all the constituent secret keys. Their construction is based on the NTRU encryption scheme [HPS98], and uses our re-linearization and modulus reduction techniques to turn NTRU into a (multi-key) fully homomorphic encryption scheme. As mentioned above, Gentry, Sahai and Waters [GSW13] recently show...

198 | A fully homomorphic encryption scheme - Gentry |
Citation Context: ...and it can be used for many queries. Therefore it is customary to analyze such schemes in the public key model where sending the public key does not count towards the communication complexity. Gentry [Gen09a] proposes to use his somewhat homomorphic scheme towards this end, which requires $O(\log^3 N)$ bit communication.$^{15}$ We show how, using our somewhat homomorphic scheme, in addition to new ideas, we can bri...

193 | On data banks and privacy homomorphisms - Rivest, Adleman, et al. - 1977 |
Citation Context: ...ell, a fully homomorphic encryption scheme is an encryption scheme that allows evaluation of arbitrarily complex programs on encrypted data. The problem was suggested by Rivest, Adleman and Dertouzos [RAD78] back in 1978, yet the first plausible candidate came thirty years later with Gentry’s breakthrough work in 2009 [Gen09b, Gen10] (although, there has been partial progress in the meanwhile [GM82, Pai9...

187 | Probabilistic encryption and how to play mental poker keeping secret all partial information - Goldwasser, Micali - 1982 |

152 | Public-key cryptosystems from the worst-case shortest vector problem - Peikert - 2009 |
Citation Context: ...es not refer to ideals, and indeed, the LWE problem is at least as hard as finding short vectors in any lattice, as follows from the worst-case to average-case reductions of Regev [Reg05] and Peikert [Pei09]. As mentioned earlier, we have a much better understanding of the complexity of lattice problems (thanks to [LLL82, Ajt98, Mic00] and many others), compared to the corresponding problems on ideal lat...

146 | A hierarchy of polynomial time lattice basis reduction algorithms - Schnorr - 1987 |
Citation Context: ...s for these problems run in time nearly exponential in the dimension $n$ [AKS01, MV10]. More generally, the best algorithms that approximate these problems to within a factor of $2^k$ run in time $2^{\tilde{O}(n/k)}$ [Sch87]. 2.2 Symmetric Encryption A symmetric encryption scheme SYM = (SYM.Keygen, SYM.Enc, SYM.Dec), over message space $M = \{M_\kappa\}_{\kappa \in \mathbb{N}}$, is a triple of ppt algorithms as follows. We always denote the security...

130 | Implementing Gentry’s fully-homomorphic encryption scheme - Gentry, Halevi - 2011 |
Citation Context: ...reduced to the worst-case hardness of problems on ideal lattices. The efficiency of implementing Gentry’s scheme also gained much attention. Smart and Vercauteren [SV10], as well as Gentry and Halevi [GH11b] conduct a study on reducing the complexity of implementing the scheme. Second Generation. This work puts forth a second generation of fully homomorphic schemes that do not require squashing, as descr...

125 | On ideal lattices and learning with errors over rings - Lyubashevsky, Peikert, et al. |
Citation Context: ...]: 1. We introduce the re-linearization technique, and show how to use it to obtain a somewhat homomorphic encryption that does not require hardness assumptions on ideals. [Footnote 1: Roughly speaking, ideal lattices correspond to a geometric embedding of an ideal in a number field. See [LPR10] for a precise definition.] 2. We present a dimension-modulus reduction technique, that turns our somewhat homomorphic sch...

121 | Bonsai trees, or how to delegate a lattice basis - Cash, Hofheinz, et al. - 2010 |

117 | A framework for efficient and composable oblivious transfer - Peikert, Vaikuntanathan, et al. - 2008 |

115 | Fully homomorphic encryption with relatively small key and ciphertext sizes - Smart, Vercauteren - 2010 |
Citation Context: ...e using a variant of our scheme. 1.5 Other Related Work First Generation. The first generation of fully homomorphic encryption includes Gentry’s scheme (and a variant thereof by Smart and Vercauteren [SV10] and an optimization by Stehle and Steinfeld [SS10]), as well as two followup works that followed similar principles [DGHV10, BV11a]. These works followed Gentry’s blueprint and presented a somewhat h...

103 | An oblivious transfer protocol with log-squared communication - Lipmaa - 2005 |
Citation Context: ... specify an entry in the database). The first polylogarithmic candidate protocol was presented by Cachin, Micali and Stadler [CMS99] and additional polylogarithmic protocols were introduced by Lipmaa [Lip05] and by Gentry and Ramzan [GR05]. Of which, the latter achieves the best communication complexity of $O(\log^{3-o(1)}(N))$.$^{13}$ The latter two protocols achieve constant amortized communication complexity whe...

96 | Efficient lattice (h)ibe in the standard model - Agrawal, Boneh, et al. - 2010 |

95 | Trapdoors for hard lattices and new cryptographic constructions - Gentry, Peikert, Vaikuntanathan - 2008 |
Citation Context: ... the size of the public key does count towards the communication complexity, our protocol still has polylogarithmic communication. 1.4 Dual-Regev Encryption and IBE Gentry, Peikert and Vaikuntanathan [GPV08] present a “dual” LWE-based encryption scheme, where the roles of the key generation and the encryption procedure are reversed. Interestingly, their ciphertext takes the same form as in Regev’s scheme...

91 | Fully homomorphic encryption without bootstrapping - Brakerski, Gentry, Vaikuntanathan - 2012 |
Citation Context: ...cations. Followup Work. We now describe some followup work that appeared since the publication of the conference version of this paper [BV11b]. First, the work of Brakerski, Gentry and Vaikuntanathan [BGV12] presented a considerable refinement and simplification of our modulus reduction technique, and used it to construct a leveled fully homomorphic encryption scheme without bootstrapping. Whereas we use...

88 | Non-interactive Cryptocomputing for NC1 - Sander, Young, et al. - 1999 |

77 | Single-database private information retrieval with constant communication rate - Gentry, Ramzan - 2005 |
Citation Context: ...). The first polylogarithmic candidate protocol was presented by Cachin, Micali and Stadler [CMS99] and additional polylogarithmic protocols were introduced by Lipmaa [Lip05] and by Gentry and Ramzan [GR05]. Of which, the latter achieves the best communication complexity of $O(\log^{3-o(1)}(N))$.$^{13}$ The latter two protocols achieve constant amortized communication complexity when retrieving large consecutive b...

70 | Fully homomorphic encryption without modulus switching from classical GapSVP - Brakerski - 2012 |
Citation Context: ...lt of [BGV12] needs bootstrapping and consequently, “circular security” type assumptions. Removing these remains a very important open problem in the design of fully homomorphic encryption. Brakerski [Bra12] simplified this construction and improved the underlying assumptions. Our re-linearization and dimension-modulus reduction techniques are quite general, and they can be applied to number of other som...

67 | Better Key Sizes (and Attacks) for LWE-Based Encryption - Lindner, Peikert - 2011 |

62 | Fully homomorphic encryption with polylog overhead - Gentry, Halevi, et al. - 2012 |

61 | The Shortest Vector in a Lattice is Hard to Approximate to within some Constant - Micciancio - 1998 |

55 | Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems - Applebaum, Cash, Peikert, Sahai - 2009 |

54 | Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based - Gentry, Sahai, et al. - 2013 |
Citation Context: ...E scheme with any fully homomorphic scheme,$^{16}$ the above construction is more natural and can hopefully be a stepping stone towards full-fledged FH-IBE. Indeed, very recently, Gentry, Sahai and Waters [GSW13] realized the aforementioned outline using a variant of our scheme. 1.5 Other Related Work First Generation. The first generation of fully homomorphic encryption includes Gentry’s scheme (and a varian...

49 | A Survey of Parallel Algorithms for Shared-Memory Machines - Karp, Ramachandran - 1990 |
Citation Context: ...ming up $k(1 + \lfloor \log p \rfloor) + 1$ numbers in $\mathbb{Z}_p$, and then taking the result modulo $p$. The summation (over the integers) can be done in depth $O(\log k + \log \log p)$ using the standard “3 to 2” method (see e.g. [KR88]). In order to take modulo $p$, one needs to subtract, in parallel, all possible multiples of $p$ (there are at most $O(k \log p)$ options) and check if the result is in $\mathbb{Z}_p$. This requires depth O(log k + log...

43 | Faster fully homomorphic encryption - Stehlé, Steinfeld - 2010 |
Citation Context: ...Work First Generation. The first generation of fully homomorphic encryption includes Gentry’s scheme (and a variant thereof by Smart and Vercauteren [SV10] and an optimization by Stehle and Steinfeld [SS10]), as well as two followup works that followed similar principles [DGHV10, BV11a]. These works followed Gentry’s blueprint and presented a somewhat homomorphic encryption schemes which were not bootst...

38 | A Simple BGN-Type Cryptosystem from LWE - Gentry, Halevi, et al. - 2010 |
Citation Context: ...y compute $2e + m$ modulo 2.$^{7}$ As we will see below, the scheme is naturally additive homomorphic, yet multiplication presents a thorny problem. In fact, a recent work of Gentry, Halevi and Vaikuntanathan [GHV10b] showed that (a slight variant of) this scheme supports just a single homomorphic multiplication, but at the expense of a huge blowup to the ciphertext which made further advance impossible. To better...

37 | Fully homomorphic encryption over the integers - van Dijk, Gentry, Halevi, Vaikuntanathan - 2010 |
Citation Context: ...as per the first property, a hardness assumption on ideals in certain rings. Gentry’s original work relied on hardness assumptions on ideal lattices, while van Dijk, Gentry, Halevi and Vaikuntanathan [DGHV10] presented a different instantiation that considered ideals over the integers. Our somewhat homomorphic scheme is based on the hardness of the “learning with errors” (LWE) problem, first presented by ...

34 | Toward basing fully homomorphic encryption on worst-case hardness - Gentry - 2010 |

32 | Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits - Gentry, Halevi - 2011 |
Citation Context: ...the scheme. Second Generation. This work puts forth a second generation of fully homomorphic schemes that do not require squashing, as described above. In a recent independent work, Gentry and Halevi [GH11a] showed how the sparse subset sum assumption can be replaced by either the (decisional) Diffie-Hellman assumption or an ideal lattice assumption, by representing the decryption circuit as an arithmeti...

19 | Simultaneous hardcore bits and cryptography against memory attacks - Akavia, Goldwasser, Vaikuntanathan |

19 | Better bootstrapping in fully homomorphic encryption - Gentry, Halevi, et al. - 2012 |

13 | Additively Homomorphic Encryption with d-Operand Multiplications - Melchor, Gaborit, et al. - 2010 |

13 | Estimating the Security of Lattice-based Cryptosystems - Rückert, Schneider - 2010 |

11 | A survey of single-database private information retrieval: Techniques and applications - Ostrovsky, Skeith III - 2007 |
Citation Context: ... the best communication complexity of $O(\log^{3-o(1)}(N))$.$^{13}$ The latter two protocols achieve constant amortized communication complexity when retrieving large consecutive blocks of data. See a survey in [OS07] for more details on these schemes. Fully homomorphic, or even somewhat homomorphic, encryption is known to imply polylogarithmic PIR protocols.$^{14}$ Most trivially, the receiver can encrypt the index it...

10 | Lattice-based cryptography - Micciancio, Regev - 2009 |

7 | i-hop homomorphic encryption and rerandomizable Yao circuits - Gentry, Halevi, Vaikuntanathan - 2010 |
Citation Context: ...makes our schemes easier to describe. Lastly, note that one can always perform a “blank” homomorphic operation and then decrypt, so functionality is not hurt. [Footnote 18: This is termed “1-hop homomorphism” in [GHV10a].] 3.2 Gentry’s Bootstrapping Technique In this section we formally define the notion of a bootstrappable encryption scheme and present Gentry’s bootstrapping theorem [Gen09b, Gen09a] which implies ...

7 | A First Glimpse of Cryptography’s Holy Grail - Micciancio - 2010 |

1 | The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) - Ajtai - 1998 |

1 | Toward basing fully homomorphic encryption on worst-case hardness - Gentry - 2010 |

1 | A simple BGN-type cryptosystem from LWE - Gentry, Halevi, Vaikuntanathan - 2010 |

1 | On-the-fly multiparty computation with a cloud via multi-key fully homomorphic encryption - López-Alt, Tromer, et al. - 2012 |
Citation Context: ...operate on many bits at once (the so-called SIMD mode). Fully homomorphic encryption schemes operate on ciphertexts encrypted under the same key. Quite recently, López-Alt, Tromer and Vaikuntanathan [LTV12] constructed a multi-key fully homomorphic encryption scheme that can operate on encryptions under different, unrelated public keys. The resulting ciphertext after homomorphic evaluation can be decryp...
