TY - JOUR
T1 - Efficient Fully Homomorphic Encryption from (Standard) LWE
AU - Brakerski, Zvika
AU - Vaikuntanathan, V
N1 - NSERC Discovery grant; Alfred P. Sloan Research Fellowship; DARPA [FA8750-11-2-0225] This author's work was partially supported by an NSERC Discovery grant, an Alfred P. Sloan Research Fellowship, a Connaught New Researcher Award, and by DARPA under agreement FA8750-11-2-0225.
PY - 2014
Y1 - 2014
N2 - A fully homomorphic encryption (FHE) scheme allows anyone to transform an encryption of a message, m, into an encryption of any (efficient) function of that message, f(m), without knowing the secret key. We present a leveled FHE scheme that is based solely on the (standard) learning with errors (LWE) assumption. (Leveled FHE schemes are initialized with a bound on the maximal evaluation depth. However, this restriction can be removed by assuming "weak circular security.") Applying known results on LWE, the security of our scheme is based on the worst-case hardness of "short vector problems" on arbitrary lattices. Our construction improves on previous works in two aspects: 1. We show that "somewhat homomorphic" encryption can be based on LWE, using a new relinearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings. 2. We deviate from the "squashing paradigm" used in all previous works. We introduce a new dimension-modulus reduction technique, which shortens the ciphertexts and reduces the decryption complexity of our scheme, without introducing additional assumptions. Our scheme has very short ciphertexts, and we therefore use it to construct an asymptotically efficient LWE-based single-server private information retrieval (PIR) protocol. The communication complexity of our protocol (in the public-key model) is k·polylog(k) + log |DB| bits per single-bit query, in order to achieve security against 2^k-time adversaries (based on the best known attacks against our underlying assumptions). © 2014 the authors.
AB - A fully homomorphic encryption (FHE) scheme allows anyone to transform an encryption of a message, m, into an encryption of any (efficient) function of that message, f(m), without knowing the secret key. We present a leveled FHE scheme that is based solely on the (standard) learning with errors (LWE) assumption. (Leveled FHE schemes are initialized with a bound on the maximal evaluation depth. However, this restriction can be removed by assuming "weak circular security.") Applying known results on LWE, the security of our scheme is based on the worst-case hardness of "short vector problems" on arbitrary lattices. Our construction improves on previous works in two aspects: 1. We show that "somewhat homomorphic" encryption can be based on LWE, using a new relinearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings. 2. We deviate from the "squashing paradigm" used in all previous works. We introduce a new dimension-modulus reduction technique, which shortens the ciphertexts and reduces the decryption complexity of our scheme, without introducing additional assumptions. Our scheme has very short ciphertexts, and we therefore use it to construct an asymptotically efficient LWE-based single-server private information retrieval (PIR) protocol. The communication complexity of our protocol (in the public-key model) is k·polylog(k) + log |DB| bits per single-bit query, in order to achieve security against 2^k-time adversaries (based on the best known attacks against our underlying assumptions). © 2014 the authors.
UR - http://www.scopus.com/inward/record.url?scp=84899651713&partnerID=8YFLogxK
U2 - https://doi.org/10.1137/120868669
DO - 10.1137/120868669
M3 - Article
SN - 0097-5397
VL - 43
SP - 831
EP - 871
JO - SIAM Journal on Computing
JF - SIAM Journal on Computing
IS - 2
ER -