research-article

Fully homomorphic encryption using ideal lattices

Author:

Craig GentryAuthors Info & Claims

STOC '09: Proceedings of the forty-first annual ACM symposium on Theory of computing

Pages 169 - 178

https://doi.org/10.1145/1536414.1536440

Published: 31 May 2009 Publication History

Abstract

We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result -- that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable.

Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable.

Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits.

Unfortunately, our initial scheme is not quite bootstrappable -- i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

References

[1]

M. Ajtai.Generating hard instances of lattice problems (extended abstract). STOC '96,pp. 99--108.

Digital Library

[2]

M. Ajtai and C. Dwork.A public key cryptosystem with worst-case / average-case equivalence. STOC '97, pp. 284--293.

Digital Library

[3]

J.H. An, Y. Dodis, and T. Rabin.On the security of joint signature and encryption. Eurocrypt '02, LNCS 2332,pp. 83--107.

Digital Library

[4]

F. Armknecht and A.-R. Sadeghi.A new approach for algebraically homomorphic encryption. Eprint 2008/422.

[5]

L. Babai.On Lovász's lattice reduction and the nearest lattice point problem. Combinatorica 6 (1986), 1--14.

Digital Library

[6]

D. Barrington.Bounded-width polynomial-size branching programs recognize exactly those languages in NC1. STOC '86,pp. 1--5.

Digital Library

[7]

D. Beaver.Minimal-latency secure function evaluation. Eurocrypt '00, pp. 335--350.

Digital Library

[8]

J. Benaloh. Verifiable secret-ballot elections. Ph.D. thesis, Yale Univ., Dept. of Comp. Sci., 1988.

Digital Library

[9]

J. Black, P. Rogaway, and T. Shrimpton. Encryption-scheme security in the presence of key-dependent messages. SAC '02, LNCS 2595,pp. 62--75.

Digital Library

[10]

M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. Eurocrypt '98, LNCS 1403,pp. 127--144.

[11]

D. Boneh, E.-J. Goh, and K. Nissim.Evaluating 2-DNF formulas on ciphertexts. TCC '05, LNCS 3378,pp. 325--341.

Digital Library

[12]

D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky. Circular-Secure Encryption from Decision Diffie-Hellman. Crypto '08, LNCS 5157,pp. 108--125.

Digital Library

[13]

D. Boneh and R. Lipton.Searching for Elements in Black-Box Fields and Applications. Crypto '96, LNCS 1109,pp. 283--297.

Digital Library

[14]

J. Boyar, R. Peralta, and D. Pochuev.On the Multiplicative Complexity of Boolean Functions over the Basis (∧,øplus,1).Theor. Comput. Sci. 235(1), pp. 43--57, 2000.

Digital Library

[15]

R. Canetti. Personal communication, 2008.

[16]

R. Canetti, H. Krawczyk, and J.B. Nielsen.Relaxing chosen-ciphertext security. Crypto '03,pp. 565--582.

[17]

D. Coppersmith and G. Seroussi. On the minimum distance of some quadratic residue codes. IEEE Trans. Inform. Theory 30 (1984), 407--411.

Digital Library

[18]

W. van Dam, S. Hallgren, and L. Ip. Quantum Algorithms for Some Hidden Shift Problems. SIAM J. Comput., v. 36., no. 3, pp. 763--778, 2006.

Digital Library

[19]

I. Damgard and M. Jurik. A Length-Flexible Threshold Cryptosystem with Applications. ACISP '03, LNCS 2727,pp. 350--356.

Digital Library

[20]

T. ElGamal.A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Crypto '84,pp. 469--472.

Digital Library

[21]

M. Fellows and N. Koblitz. Combinatorial cryptosystems galore! Contemporary Mathematics,v. 168 of Finite Fields: Theory, Applications, and Algorithms, FQ2,pp. 51--61, 1993.

[22]

S. Goldwasser and D. Kharchenko. Proof of plaintext knowledge for the Ajtai-Dwork cryptosystem. TCC 2005,pp. 529--555.

Digital Library

[23]

S. Goldwasser and S. Micali.Probabilistic encryption and how to play mental poker keeping secret all partial information. STOC '82,pp. 365--377.

Digital Library

[24]

S. Halevi and H. Krawczyk. Security under key-dependent inputs. ACM CCS '07.

Digital Library

[25]

J. Hoffstein, J. Silverman, and J. Pipher.NTRU: A Ring Based Public Key Cryptosystem. In Proc. of ANTS '98, LNCS 1423,pages 267--288.

Digital Library

[26]

Y. Ishai and A. Paskin. Evaluating Branching Programs on Encrypted Data. TCC '07.

Digital Library

[27]

A. Kawachi, K. Tanaka, K. Xagawa. Multi-bit cryptosystems based on lattice problems. PKC '07, LNCS 4450,pp. 315--329.

Digital Library

[28]

A.K. Lenstra, H.W. Lenstra, L. Lovász. Factoring polynomials with rational coefficients. Math. Ann. 261(4) (1982) 515--534.

[29]

F. Levy-dit-Vehel and L. Perret. A Polly Cracker system based on satisfiability. In Coding, Crypt. and Comb., Prog. in Comp.Sci. and App. Logic, v. 23, pp. 177--192.

[30]

L. Ly. A public-key cryptosystem based on Polly Cracker,Ph.D. thesis, Ruhr-Universitat Bochum, Germany, 2002.

[31]

L. Ly. Polly two -- a new algebraic polynomial-based public-key scheme.AAECC, 17(3-4), 2006.

[32]

V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are collision resistant. ICALP '06.

Digital Library

[33]

V. Lyubashevky and D. Micciancio. Asymptotically efficient lattice-based digital signatures. TCC '08.

Digital Library

[34]

T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. Crypto '88, LNCS 403,pp. 497--506.

Digital Library

[35]

U. Maurer and D. Raub. Black-Box Extension Fields and the Inexistence of Field-Homomorphic One-Way Permutations. Asiacrypt '07,pp. 427--443.

Digital Library

[36]

C.A. Melchor, G. Castagnos, and P. Gaborit. Lattice-based homomorphic encryption of vector spaces. ISIT '08,pp. 1858--1862.

[37]

C.A. Melchor, P. Gaborit, and J. Herranz. Additive Homomorphic Encryption with t-Operand Multiplications. Eprint 2008/378.

[38]

J. Merkle. Multi-round passive attacks on server-aided RSA protocols. ACM CCS '00,pp. 102--107.

Digital Library

[39]

D. Micciancio. Improving Lattice Based Cryptosystems Using the Hermite Normal Form. CaLC '01, LNCS 2146, pp. 126--145.

Digital Library

[40]

D. Micciancio. Improved cryptographic hash functions with worst-case / average-case connection. STOC '02,pp. 609--618.

Digital Library

[41]

D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. FOCS '02,pp. 356--365.

Digital Library

[42]

D. Naccache and J. Stern.A New Public-Key Cryptosystem Based on Higher Residues. ACM CCS '98.

Digital Library

[43]

P.Q. Nguyen and I. Shparlinski. On the Insecurity of Some Server-Aided RSA Protocol. Asiacrypt '01, LNCS 2248, pp. 21--35.

Digital Library

[44]

P.Q. Nguyen and J. Stern. The Beguin-Quisquater server-aided RSA protocol from Crypto '95 is not secure. Asiacrypt '98,pp. 372--379.

Digital Library

[45]

A.M. Odlyzko. The rise and fall of knapsack cryptosystems. In Crypt. and Comp. Num. Th., Proc. Sympos. Appl. Math., vol. 42, AMS, 1990, pp. 75--88.

[46]

T. Okamoto and Uchiyama. A New Public-Key Cryptosystem as Secure as Factoring. Eurocrypt '98, LNCS 1403,pp. 308--318.

[47]

P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. Eurocrypt '99,pp. 223--238.

Digital Library

[48]

C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. TCC '06,pp. 145--166.

Digital Library

[49]

C. Peikert and A. Rosen. Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors. STOC '07,pp. 478--487.

Digital Library

[50]

C. Peikert and B. Waters.Lossy Trapdoor Functions and Their Applications. STOC '08,pp. 187--196.

Digital Library

[51]

B. Pfitzmann and M. Waidner. Attacks on protocols for server-aided RSA computation. Eurocrypt '92, LNCS 658,pp. 153--162.

Digital Library

[52]

M. Prabhakaran and M. Rosulek. Homomorphic Encryption with CCA Security. ICALP '08.

Digital Library

[53]

O. Regev. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. STOC '05,pp. 84--93.

Digital Library

[54]

R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pp. 169--180, 1978.

[55]

R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. In Comm. of the ACM, 21:2,pages 120--126,1978.

Digital Library

[56]

T. Sander, A. Young, and M. Yung. Non-interactive cryptocomputing for NC1. FOCS '99,pp. 554--567,1999.

Digital Library

[57]

C.P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoretical Computer Science, 53(2-3):201--224, 1987.

Digital Library

[58]

D.R. Stinson. Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem. Mathematics of Computation,vol. 71, no. 237, pages 379--391, 2001.

Digital Library

Cited By

Ngoupayou Limbepe ZGai KYu J(2025)Blockchain-Based Privacy-Enhancing Federated Learning in Smart Healthcare: A SurveyBlockchains10.3390/blockchains30100013:1(1)Online publication date: 1-Jan-2025
https://doi.org/10.3390/blockchains3010001
Wang XMa J(2025)Cloud-Network-End Collaborative Security for Wireless Networks: Architecture, Mechanisms, and ApplicationsTsinghua Science and Technology10.26599/TST.2023.901015830:1(18-33)Online publication date: Feb-2025
https://doi.org/10.26599/TST.2023.9010158
Javeed KGregg D(2025)Efficient Number Theoretic Transform Architecture for CRYSTALS-KyberIEEE Transactions on Circuits and Systems II: Express Briefs10.1109/TCSII.2024.346527372:1(263-267)Online publication date: Jan-2025
https://doi.org/10.1109/TCSII.2024.3465273
Show More Cited By

Index Terms

Fully homomorphic encryption using ideal lattices
1. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques
      1. Public key encryption

Recommendations

CCA-Secure Keyed-Fully Homomorphic Encryption
Proceedings, Part I, of the 19th IACR International Conference on Public-Key Cryptography --- PKC 2016 - Volume 9614

To simultaneously achieve CCA security and homomorphic property for encryption, Emura et al. introduced a new cryptographic primitive named keyed-homomorphic encryption, in which homomorphic ciphertext manipulations can only be performed by someone ...
Constant-Size Unbounded Multi-hop Fully Homomorphic Proxy Re-encryption from Lattices
Computer Security – ESORICS 2024
Abstract
Proxy re-encryption is a cryptosystem that achieves efficient encrypted data sharing by allowing a proxy to transform a ciphertext encrypted under one key into another ciphertext under a different key. Homomorphic proxy re-encryption (HPRE) ...
Fully Homomorphic Encryption Beyond IND-CCA1 Security: Integrity Through Verifiability
Advances in Cryptology – EUROCRYPT 2024
Abstract
We focus on the problem of constructing fully homomorphic encryption (FHE) schemes that achieve some meaningful notion of adaptive chosen-ciphertext security beyond $CCA1$ . Towards this, we propose a new notion, called security against verified ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

STOC '09: Proceedings of the forty-first annual ACM symposium on Theory of computing

May 2009

750 pages

ISBN:9781605585062

DOI:10.1145/1536414

Program Chair:
Michael Mitzenmacher
Harvard University

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 May 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tag

fully homomorphic encryption

Qualifiers

Research-article

Conference

STOC '09

Sponsor:

STOC '09: Symposium on Theory of Computing

May 31 - June 2, 2009

MD, Bethesda, USA

Acceptance Rates

Overall Acceptance Rate 1,469 of 4,586 submissions, 32%

Upcoming Conference

STOC '25

Sponsor:
sigact

57th Annual ACM Symposium on Theory of Computing (STOC 2025)

June 23 - 27, 2025

Prague , Czech Republic

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4,081
Total Citations
View Citations
17,493
Total Downloads

Downloads (Last 12 months)1,110
Downloads (Last 6 weeks)145

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ngoupayou Limbepe ZGai KYu J(2025)Blockchain-Based Privacy-Enhancing Federated Learning in Smart Healthcare: A SurveyBlockchains10.3390/blockchains30100013:1(1)Online publication date: 1-Jan-2025
https://doi.org/10.3390/blockchains3010001
Wang XMa J(2025)Cloud-Network-End Collaborative Security for Wireless Networks: Architecture, Mechanisms, and ApplicationsTsinghua Science and Technology10.26599/TST.2023.901015830:1(18-33)Online publication date: Feb-2025
https://doi.org/10.26599/TST.2023.9010158
Javeed KGregg D(2025)Efficient Number Theoretic Transform Architecture for CRYSTALS-KyberIEEE Transactions on Circuits and Systems II: Express Briefs10.1109/TCSII.2024.346527372:1(263-267)Online publication date: Jan-2025
https://doi.org/10.1109/TCSII.2024.3465273
Habler EBitton RAvraham DKlevansky EMimran DBrodt OLehmann HElovici YShabtai A(2025)Adversarial machine learning threat analysis and remediation in Open Radio Access Network (O-RAN)Journal of Network and Computer Applications10.1016/j.jnca.2024.104090236(104090)Online publication date: Apr-2025
https://doi.org/10.1016/j.jnca.2024.104090
Banaeian Far SHosseini Bamakan S(2025)Third layer blockchains are being rapidly developed: Addressing state-of-the-art paradigms and future horizonsJournal of Network and Computer Applications10.1016/j.jnca.2024.104044233(104044)Online publication date: Jan-2025
https://doi.org/10.1016/j.jnca.2024.104044
Tang BZhou YYang YGong BNing Z(2025)A lattice-based multi-authority updatable searchable encryption scheme for serverless architecture with scalable on-demand result processingComputer Standards & Interfaces10.1016/j.csi.2024.10395693(103956)Online publication date: Apr-2025
https://doi.org/10.1016/j.csi.2024.103956
Hosseini Bamakan SBanaeian Far S(2025)Distributed and trustworthy digital twin platform based on blockchain and Web3 technologiesCyber Security and Applications10.1016/j.csa.2024.1000643(100064)Online publication date: Dec-2025
https://doi.org/10.1016/j.csa.2024.100064
Zeng LShen PZhu XTian XChen C(2025)A review of privacy-preserving biometric identification and authentication protocolsComputers & Security10.1016/j.cose.2024.104309(104309)Online publication date: Jan-2025
https://doi.org/10.1016/j.cose.2024.104309
Jia DXue HLi B(2025)Fully selective opening secure IBE from LWEDesigns, Codes and Cryptography10.1007/s10623-024-01560-1Online publication date: 3-Jan-2025
https://doi.org/10.1007/s10623-024-01560-1
Ran JLi D(2025)A Faster Privacy-Preserving Medical Image Diagnosis Scheme with Machine LearningJournal of Imaging Informatics in Medicine10.1007/s10278-024-01384-4Online publication date: 3-Jan-2025
https://doi.org/10.1007/s10278-024-01384-4
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents