Fully Homomorphic Encryption Using Lattices

Craig Gentry Stanford University and IBM Watson [email protected]

ABSTRACT duced by Rivest, Adleman and Dertouzos [54] shortly af- We propose a fully homomorphic encryption scheme – i.e., ter the invention of RSA by Rivest, Adleman and Shamir a scheme that allows one to evaluate circuits over encrypted [55]. Basic RSA is a multiplicatively homomorphic encryp- tion scheme – i.e., given RSA public key pk = (N, e) and data without being able to decrypt. Our solution comes e in three steps. First, we provide a general result – that, ψi πi mod N , one can efficiently compute ψ = ( { π ←)e mod N, a} that encrypts the to construct an encryption scheme that permits evaluation i i i i of arbitrary circuits, it suffices to construct an encryption productQ ofQ the original plaintexts. Rivest et al. [54] asked scheme that can evaluate (slightly augmented versions of) a natural question: What can one do with an encryption its own decryption circuit; we call a scheme that can evaluate scheme that is fully homomorphic: a scheme with an effi- cient algorithm Evaluate that, for any validE public key pk, its (augmented) decryption circuit bootstrappable. E Next, we describe a public key encryption scheme using any circuit C (not just a circuit consisting of multiplication gates), and any ciphertexts ψi Encrypt (pk, πi), outputs ideal lattices that is almost bootstrappable. -based ← E typically have decryption algorithms with low ψ Evaluate (pk, C, ψ1, . . . , ψt) , circuit complexity, often dominated by an inner product ← E computation that is in NC1. Also, ideal lattices provide a valid encryption of C(π1, . . . , πt) under pk? Their answer: both additive and multiplicative homomorphisms (modulo a one can arbitrarily compute on encrypted data – i.e., one can public-key ideal in a polynomial that is represented as process encrypted data (query it, write into it, do anything a lattice), as needed to evaluate general circuits. to it that can be efficiently expressed as a circuit) without Unfortunately, our initial scheme is not quite bootstrap- the decryption key. As an application, they suggested pri- pable – i.e., the depth that the scheme can correctly evalu- vate data banks: a user can store its data on an untrusted ate can be logarithmic in the lattice dimension, just like the server in encrypted form, yet still allow the server to pro- depth of the decryption circuit, but the latter is greater than cess, and respond to, the user’s data queries (with responses the former. In the final step, we show how to modify the more concise than the trivial solution: the server just sends scheme to reduce the depth of the decryption circuit, and all of the encrypted data back to the user to process). Since thereby obtain a bootstrappable encryption scheme, with- then, cryptographers have accumulated a list of “killer” ap- out reducing the depth that the scheme can evaluate. Ab- plications for fully homomorphic encryption. However, prior stractly, we accomplish this by enabling the encrypter to to this proposal, we did not have a viable construction. start the decryption process, leaving less work for the de- crypter, much like the server leaves less work for the de- 1.1 Homomorphic Encryption crypter in a server-aided . A homomorphic public key encryption scheme has four E Categories and Subject Descriptors: E.3 [Data En- algorithms KeyGen , Encrypt , Decrypt , and an additional algorithm Evaluate E that takesE as inputE the public key pk, a cryption]: Public key cryptosystems E circuit C from a permitted set of circuits, and a tuple of General Terms: Algorithms, Design, Security, Theory CE ciphertexts Ψ = ψ1, . . . , ψt ; it outputs a ciphertext ψ. The computational complexityh i of all of these algorithms must 1. INTRODUCTION be polynomial in security parameter λ and (in the case of We propose a solution to the old open problem of con- Evaluate ) the size of C. is correct for circuits in if, E E structing a fully homomorphic encryption scheme. This no- for any key-pair (sk, pk) outputE by KeyGen (λ), any circuitC E tion, originally called a privacy homomorphism, was intro- C , any plaintexts π1, . . . , πt, and any ciphertexts Ψ = ∈ CE ψ1, . . . , ψt with ψi Encrypt (pk, πi), it is the case that: h i ← E ψ Evaluate (pk,C, Ψ) C(π1, . . . , πt) = Decrypt (sk, ψ) ← E ⇒ E Permission to make digital or hard copies of all or part of this work for 1 personal or classroom use is granted without fee provided that copies are By itself, mere correctness does not exclude trivial schemes. not made or distributed for profit or commercial advantage and that copies So, we require ciphertext size and decryption time to be up- bear this notice and the full citation on the first page. To copy otherwise, to 1In particular, we could define Evaluate (pk,C, Ψ) to just republish, to post on servers or to redistribute to lists, requires prior specific E permission and/or a fee. output (C, Ψ) without “processing” the circuit or ciphertexts STOC’09, May 31–June 2, 2009, Bethesda, Maryland, USA. at all, and Decrypt to decrypt the component ciphertexts E Copyright 2009 ACM 978-1-60558-506-2/09/05 ...$5.00. and apply C to results.

169 per bounded by a function of the security parameter λ, in- decrypt it! This is the idea behind bootstrapping: we do dependently of C (or perhaps, as a relaxation, dependent on decrypt the ciphertext, but homomorphically! the depth of C, but not the size). Specifically, suppose is bootstrappable with plaintext space is 0, 1 , and thatE circuits are boolean. Suppose we Definition 1 (Homomorphic Encryption). is ho- P { } have a ciphertext ψ1 that encrypts π under pk , which we momorphic for circuits in if is correct for E and 1 E E want to refresh. So that we can decrypt it homomorphically, Decrypt can be expressed asC a circuitE D of size poly(C λ). E E suppose we also have sk1, the secret key for pk1, encrypted under a second public key pk : let sk be the encrypted Definition 2 (Fully Homomorphic Encryption). 2 1j secret key bits. Consider the following algorithm. is fully homomorphic if it is homomorphic for all circuits. E Recrypt (pk2,D , sk1j , ψ1). Definition 3 (Leveled Fully Hom. Encryption). E E h i A family of schemes (d) : d Z+ is leveled fully homo- R {E ∈ } Set ψ1j Encrypt (pk2, ψ1j ) morphic if they all use the same decryption circuit, (d) is ← E E Output ψ2 Evaluate (pk2,D , sk1j , ψ1j ) homomorphic for all circuits of depth at most d (that use ← E E hh i h ii some specified set of gates Γ), and the computational com- Above, Evaluate takes in the bits of sk1 and ψ1, each en- plexity of (d)’s algorithms is polynomial in λ, d, and (in crypted under pk . Then, is used to evaluate the de- E 2 E the case of Evaluate (d) ) the size of C. cryption circuit homomorphically. The output ψ2 is thus an E 2 encryption under pk2 of Decrypt (sk1, ψ1) = π. Applying Remark 1. One may desire – e.g., for the two-party com- the decryption circuit D removesE the error vector associ- E putation setting – the additional property that Encrypt and ated to the first ciphertext, but Evaluate simultaneously Evaluate have the same output distribution, or thatE there E E introduces a new error vector. Intuitively, we have made is at least some post-hoc randomization procedure that in- progress as long as the second error vector is shorter. duces the same output distribution. We discuss such circuit Suppose contains not just D but also the augmen- E E privacy in Section 7. tation of DC by NAND (i.e., a NAND gate connecting two E copies of D ). Then, we say is bootstrappable. Here, we focus on constructing a scheme that is semanti- E E cally secure against chosen plaintext attacks (or just “seman- Theorem 1 (Informal). One can construct a (seman- tically secure”). Unfortunately a scheme that has nontriv- tically secure) family (d) of leveled fully homomorphic en- ial homomorphisms cannot be semantically secure against {E } adaptive chosen ciphertext attacks (CCA2), since it is mal- cryption schemes from any (semantically secure) bootstrap- pable encryption scheme . leable. There are relaxed notions of CCA2 security [3, 16, E 52], but they do not apply to a fully homomorphic scheme. (d)’s public key contains d + 1 public keys, basically one However, constructing a CCA1-secure fully homomorphic E E encryption scheme is an interesting open problem. for each level of the circuit, and an acyclic chain of encrypted secret keys. It evaluates a d-depth NAND-circuit as follows:

1.2 Our Results given ciphertexts encrypted under pki associated to wires We construct a fully homomorphic encryption scheme us- at the ith level of the circuit, it Recrypts them so that they ing ideal lattices. The result can roughly be broken down become encrypted under pki 1, applies the NAND gates at that level, and recurses for −i 1. If securely encrypts into three steps: a general “bootstrapping” result, an “initial − E construction”using ideal lattices, and a technique to“squash key-dependent messages (is KDM-secure) [9, 24, 12] – i.e., the decryption circuit” to permit bootstrapping. roughly, if providing a ciphertext that encrypts a function of the secret key does not hurt security – then the public Our research began with the second step: a PKE scheme E 1 described in Section 3 that uses ideal lattices and is homo- keys need not be distinct; we can have a “loop,” even a “self- morphicE for shallow circuits. A ciphertext ψ has the form loop,” of encrypted secret keys, and the derived scheme is v + x where v is in the ideal lattice and x is an “error” fully homomorphic. See Section 2 for formal details. In Section 4, we describe a scheme 2 that “tweaks” 1, or “offset” vector that encodes the plaintext π. Interpret- E E ing ciphertext vectors as coefficient vectors of elements in a analyze the complexity of its decryption circuit, and explain Z[x]/f(x), we add and multiply ciphertexts why we are unable to prove that it is bootstrappable. In Section 5, we describe a transformation of 2, labeled 3, using ring operations – ψ ψ1 + ψ2 or ψ ψ1 ψ2 – and E E ← ← × where the 3 public key contains a set of vectors with a secret induce addition and multiplication of the underlying plain- E sparse subset whose sum is related to 2 secret key. This texts. By itself, this scheme improves upon prior work. It E compares favorably to Boneh-Goh-Nissim [11]; it is homo- allows us to re-express decryption as a sparse subset vector morphic for circuits with greater multiplicative depth while sum rather than a full matrix-vector product, which requires allowing essentially unlimited additions. The security of 1 a circuit of lower depth, permitting bootstrapping. It also is based on a natural decisional version of the closest vectoEr entails an additional assumption: roughly, that it is hard to problem for ideal lattices for ideals in a fixed ring. distinguish a set that has a sparse subset with a known sum 1 is homomorphic only for shallow circuits because the from a set that is uniform. Similar assumptions have been “error”E vector grows with addition and (especially) multi- analyzed in connection with server-aided decryption. plication operations; eventually, it becomes so long that it causes a decryption error. It is natural to ask: can we “re- Theorem 2 (Informal). 3 is bootstrappable and is E fresh” a ciphertext whose error vector is almost too long to semantically secure (under two assumptions). obtain a new ciphertext whose error vector is shorter? Ob- viously, we could refresh a ciphertext if we could completely 2Recrypt implies a one-way proxy re-encryption scheme [10].

170 1.3 Other Related Work algorithm that breaks the semantic security of with prob- B E Homomorphic encryption schemes that are not semanti- ability at least /`(d + 1), for ` as in Definition 4, and time poly(`, d) times that of . cally secure, like basic RSA, may also have stronger attacks A on their one-wayness. Boneh and Lipton [13] proved that Note that Γ is arbitrary in Theorem 3. For example, each any algebraic privacy homomorphism over a ring Zn can be broken in sub-exponential time under a (reasonable) num- gate in Γ could be a circuit of (ANDs, ORs, NOTs) of depth ber theoretic assumption, if the scheme is deterministic or m and fan-in 2; for this value of Γ, Theorem 3 implies the scheme correctly evaluates “normal” circuits of depth d m. otherwise offers an equality oracle. See also [35] and [18]. · Goldwasser and Micali [23] proposed the first semanti- Now we specify the leveled fully homomorphic scheme. cally secure homomorphic encryption scheme (and also in- Let be bootstrappable with respect to a set of gates Γ. For anyE integer d 1, we use to construct a scheme (d) = troduced the notion of semantic security). Their scheme ≥ E E Z (KeyGen (d) , Encrypt (d) , Evaluate (d) , Decrypt (d) ) that can is “additively homomorphic” over 2; in our terminology, E E E E its set of permitted circuits contains circuits with XOR handle all circuits of depth d with gates in Γ. When we refer E gates.C Other additively homomorphic encryption schemes to the level of a wire in C, we mean the level of the gate for which the wire is an input. We use the notation D (Γ, δ) to with proofs of semantic security are Benaloh [8], Naccache- E Stern [42], Okamoto-Uchiyama [46], Paillier [47], and Damgard- refer to the set of circuits that equal a δ-depth circuit with gates in Γ augmented by D (copies of D become inputs Jurik [19]. Some additively homomorphic encryption schemes E E use lattices or linear codes [22, 50, 27, 36, 37, 4]. ElGamal to the δ-depth circuit). [20] is multiplicatively homomorphic. KeyGen (d) (λ, d). Takes as input a security parameter λ and Semantically secure schemes that allow both addition and a positiveE integer d. For ` = `(λ) as in Definition 4, it sets multiplication include Boneh-Goh-Nissim [11] (quadratic for- mulas) and “Polly Cracker” by Fellows and Koblitz [21, 29, R (ski, pki) KeyGen (λ) for i [0, d] ← E ∈ 30, 31] (arbitrary circuits but with exponential ciphertext- R size blow-up). Sanders, Young and Yung [56, 7] (SYY) use skij Encrypt (pki 1, skij ) for i [1, d], j [1, `] ← E − ∈ ∈ circuit-private additively homomorphic encryption to con- where ski1,..., ski` is the representation of ski as elements struct a circuit-private scheme that can handle NC1 circuits. (d) of . It outputs the secret key sk sk0 and the pub- Ishai and Paskin [26] do this for branching programs, which P (d) ← (δ) lic key pk ( pki , skij ). For δ d, let refer to the covers NC1 circuits (by Barrington [6]), and ciphertexts in ← (δh) i h i (δ) ≤ E scheme using sk sk0 and pk ( pki i [0,δ], skij i [1,δ]). their scheme are much shorter – proportional to the length ← ← h i ∈ h i ∈ of the branching program rather than its size, though the (d) (d) Encrypt (d) (pk , π). Takes as input a public key pk and a computation is proportional to the size. E R plaintext π . It outputs a ciphertext ψ Encrypt (pkd, π). ∈ P ← E (d) (d) 2. BOOTSTRAPPABLE ENCRYPTION Decrypt (d) (sk , ψ). Takes as input a secret key sk and E To be bootstrappable, needs to be able to evaluate not a ciphertext ψ (which should be an encryption under pk0). E only its decryption circuit, which merely allows recryptions It outputs Decrypt (sk0, ψ). E of the same plaintext, but also slightly augmented versions of (δ) (δ) Evaluate (δ) (pk ,Cδ, Ψδ). Takes as input a public key pk , it, so that we can perform nontrivial operations on plaintexts E and make progress through a circuit. a circuit Cδ of depth at most δ with gates in Γ, and a tuple of input ciphertexts Ψδ (where each input ciphertext should Definition 4 (Augmented Decryption Circuit). be under pkδ). We assume that each wire in Cδ connects Let Γ be a set of gates with inputs and output in plaintext gates at consecutive levels; if not, add identity gates to make space including the identity gate (input and output are the it so. If δ = 0, it outputs Ψ0 and terminates. Otherwise, it same).P For gate g Γ, the g-augmented decryption circuit does the following: ∈ (δ) consists of a g-gate connecting multiple copies of D (the Sets (C† , Ψ† ) Augment (δ) (pk ,C , Ψ ). E δ 1 δ 1 δ δ number of copies equals the number of inputs to g), where ◦ − − ← E (δ 1) Sets (Cδ 1, Ψδ 1) Reduce (δ−1) (pk − ,C† , Ψ† ). − − δ 1 δ 1 D takes a secret key and ciphertext as input formatted as ◦ ← (δ 1)E − − E `(λ) Runs Evaluate (δ−1) (pk − ,Cδ 1, Ψδ 1). elements of . We denote the set of g-augmented de- ◦ E − − P cryption circuits, g Γ, by D (Γ). (δ) ∈ E Augment (δ) (pk ,Cδ, Ψδ). Takes as input a public key (δ) E Definition 5 (Bootstrappable Encryption). Let pk , a circuit Cδ of depth at most δ with gates in Γ, and a E be a set of circuits with respect to which is homomorphic.C tuple of input ciphertexts Ψδ (where each input ciphertext E should be under pk ). It augments Cδ with D ; call the We say that is bootstrappable with respect to Γ if δ E E resulting circuit Cδ† 1. Let Ψδ† 1 be the tuple of ciphertexts D (Γ) . − − E E formed by replacing each input ciphertext ψ Ψδ by the ⊆ C ∈ (δ 1) tuple skδj , ψj , where ψj Encrypt (δ−1) (pk − , ψj ) (d) hh i h ii ← E For a family of schemes derived from that we will and the ψj ’s form the properly-formatted representation of define momentarily, we have{E the} following theorems.E ψ as elements of . It outputs (Cδ† 1, Ψδ† 1). P − − Theorem 3. Let be bootstrappable with respect to a set (δ) (δ) E (d) Reduce (δ) (pk ,Cδ†, Ψδ†). Takes as input a public key pk , of gates Γ. Then the family is leveled fully homomor- E a tuple of input ciphertexts Ψ† (where each input ciphertext phic (for circuits with gates{E in Γ).} δ should be an output of Encrypt (δ) ), and a circuit Cδ† E ∈ Theorem 4. Let be an algorithm that breaks the se- D (Γ, δ+1). It sets Cδ to be the sub-circuit of Cδ† consisting (Ad) E mantic security of with advantage . Then, there is an of the first δ levels. It sets Ψδ to be the induced input E

171 (w) ciphertexts of Cδ, where the ciphertext ψδ associated to Encrypt(pk, π). Takes as input the public key pk and plain- (w) (w) pk 0 Samp B B wire w at level δ is set to Evaluate (pkδ,Cδ , Ψδ ), where text π . It sets ψ (π, I ,R, J ) and outputs (w) E (w) ∈ P pk ← ψ ψ0 mod B . Cδ is the sub-circuit of Cδ† with output wire w, and Ψδ J (w) ← are the input ciphertexts for Cδ . It outputs (Cδ, Ψδ). Decrypt(sk, ψ). Takes as input the secret key sk and a ci- phertext ψ. It outputs Regarding the computational complexity of Evaluate (d) : E sk π (ψ mod BJ ) mod BI Theorem 5. For a circuit C of depth at most d and size ← s (defined here as the number of wires), the computational Evaluate(pk,C, Ψ). Takes as input the public key pk, a cir- complexity of applying Evaluate (d) to C is dominated by at E cuit C in some permitted set of circuits composed of most s ` d applications of Encrypt and at most s d ap- CE AddB and MultB gates and a set of input ciphertexts Ψ. plications· · of Evaluate to circuits in ED (Γ), where ` is· as in I I E E It invokes Add and Mult, given below, in the proper sequence Definition 4. to compute the output ciphertext ψ. (We will describe CE As mentioned above, if is KDM-secure, we can shorten when we consider correctness below. If desired, one could the public key to includeE pk and and an encryption of sk use different arithmetic gates.) under pk, a “self-loop” rather than an acyclic chain of en- pk Add(pk, ψ1, ψ2). Outputs ψ1 + ψ2 mod B . crypted secret keys.3 This scheme is fully homomorphic, J with security following from KDM-security, and correctness pk Mult(pk, ψ1, ψ2). Outputs ψ1 ψ2 mod BJ . following from correctness of the above scheme. × Now, let us consider correctness, which is a highly non- trivial issue in this paper. The following definitions provide 3. AN INITIAL CONSTRUCTION structure for our analysis. Our goal now is to construct an encryption scheme that To begin, we observe that the scheme is actually using two is bootstrappable with respect to a universal set of gates Γ different circuits. First, Evaluate takes a mod-BI circuit C – e.g., where Γ includes NAND and the trivial gate. Here, as input. This circuit is implicitly applied to plaintexts. we describe an initial attempt. In Section 4, we describe Second, Evaluate applies a circuit related to C, which we some tweaks to this construction and find that the decryp- call the generalized circuit, to the ciphertexts; this circuit tion complexity is still too large to permit bootstrappability. uses the ring operations (not modulo I). We finally achieve bootstrappability in Section 5. Definition 6 (Generalized Circuit). Let C be a mod- 3.1 The Initial Construction, Abstractly BI circuit. We say generalized circuit g(C) of C is the cir- cuit formed by replacing C’s AddBI and MultBI operations We start by describing our initial attempt simply in terms with addition ‘+’ and multiplication ‘ ’ in the ring R. of rings and ideals; we bring in ideal lattices later. In our ini- × tial scheme , we use a fixed ring R that is set appropriately Here are a few more definitions relevant to Theorem 6 E according to a security parameter λ. We also use a fixed below, which concerns correctness. basis BI of a ideal I R, and an algorithm IdealGen(R, BI ) ⊂ pk sk that outputs public and secret bases BJ and BJ of some Definition 7 (XEnc and XDec). Let XEnc be the image (variable) ideal J, such that I + J = R – i.e., I and J are of Samp. Notice that all ciphertexts output by Encrypt are sk sk relatively prime. (Actually, BJ can be a basis of a (frac- in XEnc + J. Let XDec equal R mod BJ , the distinguished sk tional) ideal that contains J, rather than of J.) We assume representatives of cosets of J wrt the secret basis BJ . that if t R and BM is a basis for ideal M R, then the ∈ ⊂ value t mod BM is unique and can be computed efficiently Definition 8 (Permitted Circuits). Let

– i.e., the coset t + M has a unique, efficiently-computable t 0 = C : (x1, . . . , xt) XEnc , g(C)(x1, . . . , xt) XDec “distinguished representative” with respect to the basis BM . CE { ∀ ∈ ∈ } We use the notation R mod BM to denote the set of distin- In other words, 0 is the set of mod-BI circuits that, when guished representatives of r + M over r R, with respect CE ∈ generalized, the output is always in XDec if the inputs are in to the particular basis BM of M. We also use an algorithm XEnc. (The value t will of course depend on C.) If 0, E E Samp(x, BI ,R, BJ ) that samples from the coset x + I. we say that is a set of permitted circuits. C ⊆ C In the scheme, Evaluate takes as input a circuit C whose CE gates perform operations modulo BI . For example, an AddBI Definition 9. ψ is a valid ciphertext wrt public key pk gate in C takes two terms in R mod BI , and outputs a third and permitted circuits if it equals EvaluateE(pk,C, Ψ) for E term in R mod BI , which equals the sum of the first two some C , where eachC ψ Ψ is in the image of Encrypt. terms modulo I. ∈ CE ∈ Theorem 6. Assume is a set of permitted circuits KeyGen(R, B ). Takes as input a ring R and basis B of I. E I I containing the identity circuit.C is correct for – i.e., sk pk R E It sets (B , B ) IdealGen(R, BI ). The plaintext space E C J J ← Decrypt correctly decrypts valid ciphertexts. is (a subset of) R mod BI . The public key pk includes R, P B Bpk Samp Bsk Proof. For Ψ = ψ1, . . . , ψt , ψk = πk + ik + jk, where I , J , and . The secret key sk also includes J . { } πk , ik I, jk J, and πk + ik XEnc, we have 3 ∈ P ∈ ∈ ∈ Initially, we used ∗ (with the self-loop) and tried to prove pk Evaluate(pk,C, Ψ) = g(C)(Ψ) mod B KDM-security. CanettiE [15] proposed the acyclic, leveled J approach to make this unnecessary. g(C)(π1 + i1, . . . , πt + it) + J ∈

172 If C , we have g(C)(XEnc,...,XEnc) XDec; so, modulo J, and consequently ψ is a uniformly random ele- E ∈ C ∈ ment of R mod Bpk that is independent of β. In this case Decrypt(sk, Evaluate(pk,C, Ψ)) J ’s advantage is 0. Overall, ’s advantage is /2. = g(C)(π1 + i1, . . . , πt + it) mod BI A B

= g(C)(π1, . . . , πt) mod BI 3.3 Background on Ideal Lattices Z Z = C(π , . . . , π ) Let R = [x]/f(x), where f(x) [x] is monic and of 1 t degree n. We view an element v R∈both as a ring element as required. and as a vector – specifically, the∈ coefficient vector v Zn. The ideal (v) generated by v directly corresponds to∈ the The bottom line is that we have proven that is correct i E lattice generated by the column vectors v x mod f(x): for permitted circuits, and our goal now is to maximize this i [0, n 1] ; we call this the rotation{ basis× of the ideal set. The permitted circuits are defined somewhat indirectly; lattice∈ (v).− Generally} speaking, an ideal I R need not be they are the circuits for which the “error” g(C)(x1, . . . , xt) ⊂ principal – i.e., have a single generator – and a basis BI of I of the output ciphertext is small (i.e., lies inside XDec) when need not be a rotation basis. R corresponds to the ideal (1) the input ciphertexts are in the image of Encrypt . When n E or (e1), and to Z . The Hermite normal form (HNF) of a we begin to instantiate the abstract scheme with lattices and lattice I is an upper triangular basis that can be efficiently give geometric interpretations of XEnc and XDec, the problem computable from any other basis of I, making it well-suited of maximizing will have a geometric flavor. to be a public key [39]. The index [R : I] equals det(BI ) ; CE | | 3.2 Security of the Abstract Construction since this is invariant, we refer to det(I). As required by our abstract scheme, for any basis BI of For an abstract “instantiation” of Samp that we describe an ideal I R, the term t mod BI is uniquely defined as momentarily, we provide a simple proof of semantic security ⊆ the vector t0 (BI ) such that t t0 I, where (BI ) based on the following abstract problem. ∈ P − ∈ n P is the half-open parallelepiped (B) xibi : xi P ← { i=1 ∈ Definition 10 (Ideal Coset Problem (ICP)). Fix R, [ 1/2, 1/2) . The vector t mod BI is efficientlyP computable − } 1 B , algorithm IdealGen, and an algorithm Samp that ef- as t B B− t , where rounds the coefficients of a I 1 − · b · e b·e R vector to the nearest integer. We define the length BI of ficiently samples R. The challenger sets b 0, 1 and k k ← { } a basis to be max bi : bi BI . sk pk R R {k k ∈ } (BJ , BJ ) IdealGen(R, BI ). If b = 0, it sets r Samp1(R) Cryptographic work on ideal lattices includes NTRU [25] ← pk ← and t r mod B . If b = 1, it samples t uniformly from and more recent work [41, 32, 33, 48, 49]. ← J R mod Bpk. The problem: guess b given (t, Bpk). J J 3.4 The Initial Construction, Concretely Basically the ICP asks one to decide whether t is uniform When we implement the abstract construction using a modulo J, or whether it was chosen according to a known polynomial ring and ideal lattices as described in Section “clumpier” distribution induced by Samp . n 1 3.3, the sets XEnc and XDec become subsets of Z . We re- To get a proof based on the ICP, define Samp as follows. characterize these sets geometrically as follows. Let s I be such that the ideal (s) is relatively prime to J. ∈ (Assume for now that such an s can be efficiently generated.) Definition 11 (rEnc and rDec). Let rEnc be the smallest value such that XEnc (rEnc), where (r) is the ball of pk R ⊆ B B Samp(x, BI ,R, BJ ). Run r Samp1(R). Output x+r s. radius r. Let rDec be the largest such that XDec (rDec). ← × ⊇ B Obviously, the output is in x + I since s I. The value s Now, let us define a set of permitted circuits as follows: ∈ CE could be a fixed parameter wired into the algorithm Samp, t pk = C : (x1, . . . , xt) (rEnc) , g(C)(x1, . . . , xt) (rDec) or generated dynamically from BI and BJ according to a CE { ∀ ∈ B ∈ B } prescribed distribution. is defined like the maximal set 0 of permitted circuits CE CE in Definition 8, but we have replaced XEnc and XDec with Theorem 7. Suppose that there is an algorithm that A (rEnc) and (rDec). Clearly, 0. (At several points breaks the semantic security of with advantage  when it E E Blater in the paper,B we narrowC our⊆ set C of permitted circuits uses Samp. Then, there is an algorithmE , running in about again so as to enable a less complex decryption algorithm.) the same time as , that solves the ICPB with advantage /2. A For fixed values of rEnc and rDec, what is ? This is a E Proof. The challenger sends a ICP instance (t, Bpk). geometric problem, and we can bound the EuclideanC length B J sets s, and sets the other components of pk in the obvious g(C)(x1,..., xt) by bounding the lengths of u + v and wayB using the ICP instance. When requests a challenge ku v in terms ofk u and v . For addition,k this isk easy: A R usingk × thek triangle inequality,k k k wek have u + v u + v ciphertext on one of π0, π1 , sets a bit β 0, 1 and k k ≤ k k k k ∈ P B pk ← { } for u, v R. For multiplication, we can prove that u sends back ψ πβ + t s mod BJ . sends back a guess ∈ k × ← × A v γMult(R) u v , where γMult(R) is some factor that β0, and guesses b0 β β0. k ≤ · k k · k k If b =B 0, we claim that← ⊕’s simulation is perfect; in partic- is dependent only on the ring R. (See [32] for a different ular, the challenge ciphertextB has the correct distribution. definition of the expansion factor for multiplication.) When b = 0, we have that t = r + j, where r was chosen The following theorem characterizes the “error expansion” that a circuit can cause based on the circuit’s depth. according to Samp1 and j J. So, ψ πβ + t s = pk ∈ ← × πβ + r s mod B ; the ciphertext is thus well-formed. In Theorem 8. Suppose rE 1 and that circuit C’s additive × J ≥ this case should have advantage , which translates into fan-in is γMult(R), multiplicative is 2, and depth is at most an advantageA of  for . B log log rD log log(γMult(R) rE) If b = 1, then t is uniformly random modulo J. Since the − · ideal (s) is relatively prime to J, t s is uniformly random Then, C(x1,..., xt) (rD) for all x1,..., xt (rE). × ∈ B ∈ B

173 1 1 Proof. For a d-depth circuit, let ri be an upper-bound on ideal J − . (The fractional ideal J − contains the elements the Euclidean norm of the values at level i, given that rd = in Q[x]/f(x) that, when multiplied by any element in J, the rE. By the triangle inequality, an addition (or subtraction) product is in R.) gate at level i outputs some v R such that v γMult(R) ∈ k k ≤ · 1 T ri. A multiplication gate at level i outputs some v R such Lemma 1. Let B be a lattice basis and B∗ = (B− ) . 2 ∈ 2 that v γMult(R) ri . In either case, ri 1 γMult(R) ri , Let r be the radius of the largest sphere, centered at 0, cir- d − k k ≤ · 2 ≤ · cumscribed by (B) (permitting tangential overlap). Then, and thus r0 (γMult(R) rE) . The result follows. P ≤ · r = 1/(2 B∗ ). In particular, · k k An (oversimplified) bottom line from Theorem 8 is that, to sk 1 T maximize the depth of circuits that can correctly evaluate rDec = 1/(2 ((BJ )− ) ) E · k k (see Theorem 6), we should minimize γMult(R) and rEnc, and 1 Suppose t < r; then each coefficient of B− t has magni- maximize rDec. Most of the remainder of this subsection tude at mostk k 1/2. · consists of proposals toward this goal. 1 First, though, we observe that semantic security places a Proof. Each coefficient of B− t is an inner product of · limit on how large we can take rDec/rEnc. In concrete terms, t with a column vector of B∗, and therefore has magnitude 1 the ICP becomes (roughly): decide whether t is within a at most t B∗ < 1/2. This implies B− t = 0, k k · k k b · e small distance (less than rEnc) of the lattice J (according to and thus t = (t mod B), and thus t (B). Let v be B x ∈ P v a distribution determined by Samp1), or is uniformly ran- the longest vector in ∗, and let be parallel to . Then, 1 dom modulo J. This is a fairly natural decisional version B− x = 0 – i.e., x = (B) – when v, x > 1/2 b · e 6 6 P |h i| ⇔ of the closest vector problem, though we are unaware of x > 1/(2 B∗ ). k k · k k an equivalent problem mentioned in the literature. Cer- tainly rDec < λ1(J), the latter being the length of the short- It is easy to imagine ad hoc ways of instantiating IdealGen est nonzero vector in J. On other hand, we cannot let – e.g., one could generate a random vector v and simply set n sk pk λ1(J)/rEnc be too large (e.g., 2 ); otherwise, lattice reduc- BJ to be the rotation basis of v, and set BJ to be the tion techniques, such as LLL [28, 5, 57], make it feasible HNF of (v). Very roughly speaking, if v is generated as a to recover the J-vector closest to t, which breaks the ICP. vector that is very “nearly parallel” to e1 (i.e., the vector (1, 0,..., 0)), then the rotational basis will have rDec within However,c given known attacks, this problem is infeasible for n a small factor of v /2. This method can be made to ensure a 2 approximation factor when c < 1. Overall, thec ratio n 1 k k rDec/rEnc can also be sub-exponential. When rDec = 2 and that rDec is within a polynomial factor of λ1(J). c n 2 γMult(R) rEnc = 2 , then Theorems 6 and 8 imply that the On the other hand, one may prefer to generate J according · to a “nice” average-case distribution that permits a worst- scheme can correctly evaluate circuits of depth (c1 c2) log n. − Regarding γMult(R), there are many f for which γMult(R) case / average-case reduction [1, 2, 53]. This is a technical is only polynomial in n: issue that we tackle in a separate work. We stress that our analysis below regarding the decryption circuit does not rely Theorem 9. Let R = Z[x]/f(x) and suppose f(x) = on any of the concrete proposals in this subsection – e.g., the n x h(x) where h(x) has degree at most n (n 1)/k for analysis does not require I to be a principal ideal. − − − k k 2. Then, γMult(R) √2n (1 + 2n ( (k 1)n f ) ). ≥ ≤ · · − k k n p As an example, f(x) = x 1 achieves γMult(R) = √n. Aside 4. BOOTSTRAPPABLE YET? ± from Theorem 9, we do not specify how to choose R; let us Here, we describe two “tweaks” to the scheme to lower the assume it is chosen so that γMult(R) is polynomial in n. decryption complexity in preparation for bootstrapping; we Regarding rEnc, recall that XEnc (rEnc) is the image label the tweaked scheme . Next, we analyze the decryp- ⊆ B 2 of Samp, where our security proof (Theorem 7) holds when tion complexity (and findE that it is too large). However, pk Samp(x, BI ,R, B ) runs r Samp (R) and outputs x + some of the analysis applies to the final scheme. J ← 1 r s, where s I and the ideal (s) is relatively prime to J. We separate 2 from 1 because the former already im- For× simplicity,∈ suppose that I is the principal ideal (s). Let proves upon previousE work,E irrespective of bootstrapping. ` be an upper bound on the length of r, drawn according to The Boneh-Goh-Nissim (BGN) pairing-based cryptosystem Samp1. We have [11] was the first to permit efficient evaluation of quadratic formulas that may have an arbitrary number of monomials. rEnc = max x + r s n BI + √n ` BI {k × k} ≤ · k k · · k k However, BGN has a small plaintext space – log λ bits for Toward minimizing rEnc, we can choose s to be short – e.g., security parameter λ. 1 allows both greater multiplicative E use s = 2 e1. The size of ` is a security issue. We need depth in the circuit (while allowing essentially an arbitrary · pk it to be large enough so that the min-entropy of t mod BJ number of additions) and also a larger plaintext space. in the ICP is large; taking ` to be polynomial in n suffices. Overall, we can take rEnc to be polynomial in n. We note 4.1 Some Tweaks to the Initial Construction that, even in this case, the plaintext space may be as large In each of the following tweaks, we slightly narrow our set as [R : I] = det(I), which can be exponential in n. of permitted circuits . Recall from Section 3.4 that 1’s CE E Now, rDec, as the radius of the largest sphere centered at definition of used (rEnc) and (rDec). sk CE B B 0 that is circumscribed by BJ , obviously depends crucially sk Tweak 1: Redefine the set of permitted circuits , replac- on the secret basis. The important property of BJ is its CE sk ing (rDec) with (rDec/2). shape – i.e., we want the parallelepiped (BJ ) to be “fat” B B enough to contain a large sphere. ThisP property is easier Purpose: To ensure that ciphertext vectors are closer to sk 1 to formalize in terms of the inverse matrix (BJ )− , whose the lattice J than they strictly need to be, so that we will transpose is a basis (or independent set) of the fractional need less “precision” to ensure the correctness of decryption.

174 sk Recall that Decrypt computes (ψ mod BJ ) mod BI , where Step 2: From the n vectors x1,..., xn, generate integer sk sk sk 1 ψ mod BJ = ψ BJ (BJ )− ψ . If we permitted the vectors y1,..., yn+1 with sum xi . −sk 1 · b · e sk1b e coefficients of (BJ )− ψ to be very close to half-integers, Step 3: Compute π ψ BJ P( yi) mod BI · ← − · we would need high precision to ensure correct rounding. In Step 1, to obtain the n vectors,P we perform the multi- However, after Tweak 1, we have the following lemma: plications associated to the inner products associated to the Lemma 2. If ψ is a valid ciphertext after Tweak 1, then matrix-vector multiplication; we do not discuss this step in sk 1 detail, since (we will find that) Step 2 is already too expen- each coefficient of (BJ )− ψ is within 1/4 of an integer. · sive to permit bootstrappability. Proof. Observe that ψ (rDec/2)+J. Let ψ = x+j for Regarding Step 2, recall that Evaluate takes as input cir- ∈ B sk 1 sk 1 x Dec j B − B − (r /2) and J. We have ( J ) ψ = ( J ) cuits with mod-BI gates – i.e., arithmetic gates whose in- ∈ B sk 1 ∈ · · x + (B )− j, where the former term has coefficients of J · puts and outputs are in R mod BI . However, in general magnitude at most 1/4 by Lemma 1 and the latter is an “base-BI ,” it is unclear how to handle the carries needed integer vector. for adding the vectors in Step 2 without resorting to high- degree polynomials that require more multiplicative depth Per Theorem 8, the new maximum evaluation depth of the that our initial construction can evaluate. To handle this scheme after Tweak 1 is log log(rDec/2) log log(γMult(R) − · complication, we use the plaintext space = 0, 1 mod BI , rEnc), which is less than the original amount by only a sub- regardless of the underlying ideal I. We emulateP { boolean} op- constant additive factor. erations, where carries are constant-depth. (This plaintext Tweak 2 is more technical and less “essential” than the space restriction is unnecessary if we use the initial construc- first tweak. It replaces matrix-vector multiplications with tion without bootstrapping.) We have the following lemma. ring multiplications. This is nice, but the two computations are essentially equally parallelizable, and their circuits have Lemma 5. For i [1, t], let ai = (. . . , ai,1, ai,0, ai, 1,...) essentially the same depth. So, really, this tweak is primar- − be a real number given∈ in binary representation mod B with ily useful for reducing the public key size and the per-gate I the promise that ai mod 1 [ 1/4, 1/4]. There is a mod- computation during bootstrapping in our ultimate scheme. i ∈ − BI circuit C forP generating t + 1 integers z1, . . . , zt+1 (also sk sk Tweak 2: From BI and BJ , compute a short vector vJ represented in binary) whose sum is i ai , such that if 1 sk 1 ∈ b e J − such that there exists u 1+I with u (vJ )− 1+I. the generalized circuit g(C)’s inputs areP in (rin), then its ∈ × 1.5 ∈ 2 B Also, redefine again, now using (2 rDec/(n γMult(R) outputs are in (rout) for: CE B · · · B BI )). t polylog(t) k k sk sk 1 rout (γMult(R) n BI (1 + γMult(R) rin) t) Purpose: To modify Decrypt from ψ BJ (BJ )− ≤ · · k k · · · − sk · b · ψ mod BI to the simpler expression ψ vJ ψ mod BI , Ω(1) e sk −b × e For BI rin, t n, and γMult(R) = n , we have: where vJ Q[x]/f(x). k k ≤ ≤ ∈ t+polylog(t) rout (γMult(R) rin) To use both tweaks, we need to reduce the radius of the ≤ · sphere in Tweak 2 by an additional factor of 2. Proof (fragment). Let a∗ be the integer part of ai and Tweak 2 requires us to reduce the permitted distance of i let a† = (ai, 1, ai, 2,...) be the fractional part. Let T = ciphertexts from the J-lattice much more than Tweak 1. i − − log t + 2. Let bi = (ai,† 1, . . . , ai,† T ). First, we claim that Still, it does not affect our maximum evaluation depth very d e − − much when γMult(R) and BI are polynomial in n, and ai† = bi . This claim follows from the promise that k k b e b e rDec/rEnc is super-polynomial. Pi ai† is withinP 1/4 of an integer, and that The following two lemmas say that we can perform Tweak P j [T +1, ] 2 efficiently and that it has the expected effect – i.e., the new ∈ ∞ j Decrypt equation works correctly. ai† bi = 2− ai, j < 1/4 − · − Xi Xi Xi sk Lemma 3. From BI and BJ , we can compute in polyno- sk 1 v u Our t + 1 output integers will be a1∗, . . . , at∗, bi . mial time a vector J J − and a vector 1 + I such b e sk 1 ∈ sk ∈ Our strategy for computing bi is first to compute, for that u (vJ )− 1+I. Moreover, vJ (n/2) γMult(R) P sk× 1 T ∈ k k ≤ · · b e B − B each j [1,T ], the binary representationP cj of the Hamming (( J ) ) I . ∈ k k · k k weight of (b1, j , . . . , bt, j ). Then, we finish by computing T− j − Lemma 4. Suppose ψ is a valid ciphertext after Tweak 2 the sum j=1 2− cj ; this latter term is much easier to sk b · e which decrypts to π. Then, π = ψ v ψ mod BI . compute than the original term, since it only consists of T − b J × e P numbers, rather than t. 4.2 Decryption Complexity of Tweaked Scheme This strategy is straightforward when I = (2 e1) and the · To decrypt, we compute plaintext space is 0, 1 mod I. The binary representation { } sk1 sk2 of the Hamming weight of (b1, . . . , bt) is given by (ψ B B ψ ) mod BI − J · b J · e n sk1 n n sk2 n n (e2blog tc (b1, . . . , bt) mod 2, . . . , e20 (b1, . . . , bt) mod 2) where ψ Z , BJ Z × , BJ Q × , and BI is a basis of an ideal∈ I of R =∈Z[x]/f(x). From∈ Tweak 1, we have the sk2 where ei(x1, . . . , xt) is the ith elementary symmetric poly- promise that the coefficients of BJ ψ are all within 1/4 nomial over x , . . . , x . (See Lemma 4 of [14].) These poly- · sk1 1 t of an integer. Optionally, Tweak 2 ensures that BJ is the nomials can be computed in time poly(t), and the fact that identity matrix and Bsk2 is a rotation matrix. We split the J rout is exponential in t comes from the fact that the degree decryption computation into the following sequence of steps: of these polynomials is upper bounded by t. There are minor sk2 Step 1: Generate n vectors with sum B ψ complications when I = (2 e1) (omitted). J · 6 ·

175 Unfortunately, Step 2 uses t = n, implying rDec/rEnc Add (pk, ψ1, ψ2). Extracts (ψ1∗, ψ2∗) from (ψ1, ψ2), computes n ≥ E rout/rin 2 , and therefore the above analysis cannot show ψ∗ Add ∗ (pk∗, ψ1∗, ψ2∗), and outputs ψ which includes ψ∗ ≥ ← E that the initial construction is both bootstrappable and se- and the output of ExpandCT (pk, ψ∗). Mult (pk, ψ1, ψ2) is E cure. However, Lemma 5 will be relevant to our final scheme, analogous. E as will the following lemma regarding Step 3: The security of the transformation relies on the following Lemma 6. Using a constant depth circuit having polyno- problem, which is completely abstract at this point. mial fan-in AddBI gates and constant fan-in MultBI gates, Definition 12 (SplitKey Distinguishing Problem). sk1 we can compute ψ BJ ( yi) mod BI from a binary R R − · The challenger sets (sk∗, pk∗) KeyGen ∗ and b 0, 1 . representation (using the bitsP0, 1 mod BI ) of the terms R ← E ← { } of the expression. { } If b = 0, it sets (sk, τ) SplitKey(sk∗, pk∗). If b = 1, it R ← sets (sk, τ) SplitKey( , pk∗), where is a special symbol. The proof of Lemma 6 involves converting the binary rep- ← ⊥ ⊥ The problem: guess b given (τ, sk∗, pk∗). resentation of the terms to a more “natural” mod-BI repre- sentation, at which point the computation is trivially obvi- Theorem 10. Suppose that there is an algorithm that ously constant depth. As a toy example for intuition, sup- breaks the semantic security of above with advantageA . E pose we have mod-13 gates, where the numbers 0,..., 12 are Then, there exist algorithms 0 and 1, running in about the B B represented by 13 different “frequencies” (not in terms of a same time as , such that either 0’s advantage against the A B binary representation), and Add13 and Mult13 perform ad- SplitKey Distinguishing Problem or 1’s advantage against B dition and multiplication modulo 13 “automatically.” To ob- the semantic security of ∗ is at least /3. E tain the natural representation of r mod 13 as one of the 13 5.2 The Transformation, Concretely frequencies given the binary representation ...b1b0 (each bit j in 0, 1 mod 13), we precompute the aj 2 mod 13 and Let (sk∗, pk∗) be an 2 key pair. Let γset(n) and γsubset(n) { } ← E output Add13(..., Mult13(a1, b1), Mult13(a0, b0)). This takes be functions, where the former is ω(n) and poly(n) and the constant depth even if r has a polynomial number of bits latter is ω(1) and o(n). Here are the concrete instantiations using polynomial-fan-in Add13 gates. Essentially the same SplitKey , ExpandCT , and Decrypt used to construct 3. E E E E considerations apply in the proof of Lemma 6. The simplest SplitKey (sk†, pk∗). Takes as input sk†, which may be either case is where I = (2) and the conversion is unnecessary. E sk∗ sk∗ or . If the former, it extracts the vector vJ from sk∗; ⊥ sk∗ if the latter, it sets vJ 0. It outputs (sk, τ), where: 5. SQUASHING THE DEC. CIRCUIT ← τ is a set of γset(n) vectors t1,..., tγset(n) that are The circuit complexity of decryption in 2 is too high to • 1 uniformly random in J − mod BI , except there exists permit bootstrapping. The culprit is StepE 2 – i.e., adding a subset S 1, . . . , γset(n) of cardinality γsubset(n) n numbers. Here, we describe how transform the scheme ⊆ { sk∗ } such that i S ti vJ + I. so that Decrypt adds only a sub-linear quantity of numbers. ∈ ∈ P Importantly, this transformation does not affect the set of sk is a matrix γsubset(n) γset(n) matrix M of 0’s and • × permitted circuits at all. However, the transformation does 1’s, where Mij = 1 iff j is the ith member of S. induce an additional hardness assumption. By choosing pa- ExpandCT (pk, ψ∗). Outputs ci ti ψ∗ mod BI for i rameters appropriately, the scheme becomes bootstrappable. E ← × ∈ [1, γset(n)]. These terms are represented in binary using 0, 1 mod BI , as in 2. 5.1 The Transformation, Abstractly { } E At a high level, our transformation works by splitting the Decrypt (sk, ψ). Takes as input the secret key sk and a E initial decryption algorithm into two phases – an initial com- ciphertext ψ. It performs the following steps: putationally intensive preprocessing phase performed with- Step 0: Set the vectors wij Mij cj out the secret key (by the encrypter), followed by a com- ← γset·(n) Step 1: Set the vectors xi j=1 wij putationally lightweight phase using the secret key (by the ← Step 2: From γsubset(n) vectorsPx1,..., xn, generate integer decrypter). In short, the encrypter preprocesses its own ini- vectors y1,..., yγ (n)+1 with sum xi . tial ciphertext, leaving less work for the decrypter to do. subset b e Step 3: Compute π ψ ( yi) modPBI Interestingly, this two-phase approach to decryption is pre- sk←∗ − SplitKey splits vJ into τ,P which is a set of vectors with cisely what one finds in server aided . E ∗ a hidden sparse subset whose sum is vsk modulo I, and sk, In detail, let ∗ be an initial encryption scheme (which J E which is a set of incidence matrix encoding the subset. To concretely will become 2). From ∗, we construct a modi- E E SplitKey generate τ, one may, for example, just set t1,..., tγset (n) 1 fied scheme that uses two new algorithms, and 1 − E E to be uniformly random vectors in J − (BI ). Then, one ExpandCT , that will remain abstract for now. ∗ E sk γsubset (n) 1 ∩ P sets tγset(n) vJ − ti mod BI . Then one R R ← − i=1 KeyGen (λ). Runs (pk∗, sk∗) KeyGen ∗ (λ) and (sk, τ) permutes the vectors. P E ← E ← SplitKey (sk∗, pk∗). The secret key is sk. The public key pk In Decrypt , Steps 2 and 3 are as in 2 (Section 4), with E E E is (pk∗, τ). the crucial difference that Step 2 adds only γsubset(n) vec- tors. In Steps 0 and 1, Decrypt sets xi to be the γsubset(n) Encrypt (pk, π). Runs ψ∗ Encrypt ∗ (pk∗, π). It then E E ← E “relevant” vectors in ci – i.e., the ones associated to the sets ψ to include ψ∗ and the output of ExpandCT (pk, ψ∗). subset. Correctness should{ } be clear. (ExpandCT makes heavy use of tag τ.) E E Without Tweak 2, we could have instead used a γset(n)- Decrypt (sk, ψ). Uses sk and the expanded ciphertext to sized set of matrices with a hidden γsubset(n)-sized subset E sk 1 decrypt more efficiently. Decrypt (sk, ψ) should work when- whose sum is related to (BJ )− . This would have resulted E ever Decrypt ∗ (sk∗, ψ∗) works. in a larger public key. E

176 5.3 Bootstrapping Achieved exists a subset S 1, . . . , γset(n) of cardinality γsubset(n) ⊆ { } We analyzed Steps 2 and 3 in Section 4.2. It is obvious such that i S ai = 0 mod q. If b = 1, it sets the elements ∈ that Step 0 requires only constant depth. We claim that without theP constraint. The problem: guess b given τ. Step 1 requires only constant depth, but why? Comput- γset(n) Known attacks on the SSSP[51, 44, 38, 43] are feasible ing wij is very cheap because, in the set wij : j=1 { only for limited choices of parameters. Some of these [51] j P[1, γset(n) , there is only one nonzero vector. There- ∈ } (and previous related results [58, 17]) essentially amount to a fore, when we add the vectors, no expensive carry opera- O(γsubset(n)) tions are required; we simply “XOR” the vectors together time-space tradeoff whose complexity is γset(n) ; these only require us to take γsubset(n) = ω(1). Nguyen and using polynomial-fan-in AddBI operations, using constant depth. At last, we have the following theorem. Shparlinski [43] present a lattice-based cryptanalysis of the SSSP that provably succeeds with advantage at least

Theorem 11. The scheme 3 is bootstrappable when γset(n)+2 E 1 (γsubset(n) α)/q − · log(rDec/m) γsubset(n) where α is a term that is greater than 1. The attack breaks ≤  α 2c log(γMult(R) rEnc)  · · · down when γset(n) exceeds log q. where m arises from the re-definition of in the Tweaks Though we omit details, current attacks against our con- CE (m = 2 when just Tweak 1 is used), α > 1 is chosen so that crete version SplitKey DP begin to break down when γset(n) (α 1) γsubset(n) is greater than the polylog(γsubset(n)) exceeds log det(IJ). The intuition is that, once γset(n) is term− coming· from Lemma 5, and c is a constant represent- sufficiently large, there will be exponentially many subsets ing the depth needed in a circuit having AddBI gates with in τ (not necessarily sparse) whose vector sum is congruent Ω(1) sk∗ γMult(R) = n fan-in and MultBI gates with constant fan- to vJ ; lattice reduction techniques have trouble extracting in to sequentially perform Decrypt Steps 0, 1, 3, and 4, and the sparse subset from among the many subset solutions. a NAND gate. E Proof. As in the proof of Theorem 8, for a c-level circuit, 6. PERFORMANCE if the inputs to the generalized circuit are in (r), the out- c Our scheme relies on two assumptions. The first assump- 2 B puts are in ((γMult(R) r) ). Combining with Lemma 5, we tion underlies the security 1 and its approximation factor is B · E have that if the inputs to our generalized NAND-augmented mildly impacted by the tweaks of 2. The second arises from E decryption circuit are in (rEnc), the output is in the addition of τ to the public key. Interestingly, the two as- B c sumptions counterbalance each other: increasing γsubset(n) 2 (γsubset(n)+polylog(γsubset(n))) (γMult(R) rEnc) · · seems to make the second problem harder, but at the ex- pense of increasing the approximation factor in the first The result follows when this value is at most rDec/m. problem, making the first problem easier. For example, suppose γMult(R) rEnc is polynomial in n, and Using a crude analysis, the breaking time for the second C γsubset (n) n · problem using known attacks is roughly 2 . (We rDec = 2 for C < 1. In this case, γ (n) can be polyno- subset ignore constants and logarithmic factors in the exponent.) mial in n (but sub-linear). The constant c is not very large, The approximation factor for the first problem is also roughly though in practice one would want to optimize it beyond 2γsubset (n). Using the rule of thumb that a lattice prob- what we have done. lem for approximation factor 2k takes time about 2n/k, the n/γ (n) 5.4 On the New Hardness Assumption breaking time for the first problem is roughly 2 subset . Setting γsubset(n) √n maximizes the minimal breaking Concretely, the SplitKey Distinguishing Problem becomes: ← time at about 2√n. To make this breaking time truly expo- 2 Definition 13 (SplitKey DP, concrete version). Let nential in the security parameter λ, we need n λ . ≈ B For each gate, we evaluate the circuit D homomorphi- γset(n) and γsubset(n) be functions as above, and I a basis E R cally. (Actually, there is a tradeoff here, since a “gate” can of an ideal I. The challenger sets (sk∗, pk∗) KeyGen ∗ E R ← sk∗ be taken to be a “normal circuit” of depth greater than 1.) and b 0, 1 , where sk∗ includes the secret vector vJ Though it is a shallow circuit, the computational complex- ← { } sk∗ ∈ R. If b = 1, it sets vJ 0. It sets τ to be a set of ity of D itself in 3 (not evaluated homomorphically in ← E E γset(n) vectors t1,..., tγset(n) that are uniformly random in the encryption scheme) is quite high (but poly(λ)), primar- 1 J − mod BI subject to the constraint that there exists a sub- ily due to the large unary representation of the secret key in set S 1, . . . , γset(n) of cardinality γsubset(n) such that 3. The fact that decryption is performed homomorphically, ⊆ { sk∗ } E Bpk i S ti vJ +I. The problem: guess b given (τ, sk∗, pk∗). with ciphertext elements in R mod J being used instead of ∈ ∈ P plaintext elements in R mod BI , multiplies the complexity This problem is related to the following problem, which has by another factor that is quasi-linear in n γsubset(n), since · been analyzed in connection with server-aided cryptography roughly log det(IJ) n log rDec/rEnc n γsubset(n) bits [34, 51, 44, 38, 43], and which should not be confused with of precision are needed,≈ but· again this≈ is polynomial· in λ. the low-density knapsack problem [45]. Two optimizations are: 1) one can reduce the size of the 3 secret key substantially by allowing a modest increase in thEe Definition 14 (Sparse Subset Sum Problem (SSSP)). depth of the decryption circuit, and 2) the homomorphic de- Let γset(n) and γsubset(n) be functions as above. Let q be cryption circuit can take the ciphertext bits as input directly a positive integer. The challenger sets b R 0, 1 . If b = 0 [15] (rather than the encrypted ciphertext bits). Making the ← { } it generates τ as a set of γset(n) integers a1, . . . , aγset(n) full scheme practical remains an open problem (though 1 in [ q/2, q/2] that are uniformly random,{ except that there} is quite practical for shallow circuits). E −

177 7. CIRCUIT PRIVACY [25] J. Hoffstein, J. Silverman, and J. Pipher. NTRU: A Ring Based Public Key Cryptosystem. In Proc. of ANTS ’98, LNCS We omit full details due to lack of space, but mention 1423, pages 267–288. that one can construct an algorithm RandomizeCT for our [26] Y. Ishai and A. Paskin. Evaluating Branching Programs on EncryptE Encrypted Data. TCC ’07. 2 that can be applied to ciphertexts output by 2 [27] A. Kawachi, K. Tanaka, K. Xagawa. Multi-bit cryptosystems E E and Evaluate 2 , respectively, that induces equivalent output based on lattice problems. PKC ’07, pp. 315–329. E [28] A.K. Lenstra, H.W. Lenstra, L. Lov´asz. Factoring polynomials distributions. The circuit privacy of 2 immediately implies E with rational coefficients. Math. Ann. 261(4) (1982) 515–534. the (leveled) circuit privacy of our (leveled) fully homomor- [29] F. Levy-dit-Vehel and L. Perret. A Polly Cracker system based phic encryption scheme. on satisfiability. In Coding, Crypt. and Comb., Prog. in Comp. Sci. and App. Logic, v. 23, pp. 177–192. The idea is simple: to construct a random encryption ψ0 [30] L. Ly. A public-key cryptosystem based on Polly Cracker, of π from a particular encryption ψ of π, we simply add Ph.D. thesis, Ruhr-Universit¨at Bochum, Germany, 2002. [31] L. Ly. Polly two – a new algebraic polynomial-based public-key an encryption of 0 that has a much larger random “error” scheme. AAECC, 17(3-4), 2006. vector than ψ – super-polynomially larger, so that the new [32] V. Lyubashevsky and D. Micciancio. Generalized compact error vector statistically obliterates all information about knapsacks are collision resistant. ICALP ’06. [33] V. Lyubashevky and D. Micciancio. Asymptotically efficient ψ’s error vector. This entails another re-definition of . TCC ’08 E lattice-based digital signatures. . C [34] T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. Crypto ‘88, pp. 8. ACKNOWLEDGMENTS 497–506. [35] U. Maurer and D. Raub. Black-Box Extension Fields and the We thank Boaz Barak, Dan Boneh, Ran Canetti, Shafi Inexistence of Field-Homomorphic One-Way Permutations. Goldwasser, Iftach Haitner, Yuval Ishai, Tal Rabin, Yael Asiacrypt ’07, pp. 427–443. [36] C.A. Melchor, G. Castagnos, and P. Gaborit. Lattice-based Tauman Kalai, Salil Vadhan, and Brent Waters for very homomorphic encryption of vector spaces. ISIT ’08, pp. helpful discussions. 1858–1862. [37] C.A. Melchor, P. Gaborit, and J. Herranz. Additive Homomorphic Encryption with t-Operand Multiplications. 9. REFERENCES Eprint 2008/378. [38] J. Merkle. Multi-round passive attacks on server-aided RSA [1] M. Ajtai. Generating hard instances of lattice problems protocols. ACM CCS ’00, pp. 102–107. (extended abstract). STOC ’96, pp. 99–108. [39] D. Micciancio. Improving Lattice Based Cryptosystems Using [2] M. Ajtai and C. Dwork. A public key cryptosystem with the Hermite Normal Form. CaLC ’01, pp. 126–145. worst-case / average-case equivalence. STOC ’97, pp. 284–293. [40] D. Micciancio. Improved cryptographic hash functions with [3] J.H. An, Y. Dodis, and T. Rabin. On the security of joint worst-case / average-case connection. STOC ’02, pp. 609–618. signature and encryption. Eurocrypt ’02, pp. 83–107. [41] D. Micciancio. Generalized compact knapsacks, cyclic lattices, [4] F. Armknecht and A.-R. Sadeghi. A new approach for and efficient one-way functions from worst-case complexity algebraically homomorphic encryption. Eprint 2008/422. assumptions. FOCS ’02, pp. 356–365. [5] L. Babai. On Lov´asz’s lattice reduction and the nearest lattice [42] D. Naccache and J. Stern. A New Public-Key Cryptosystem point problem. Combinatorica 6 (1986), 1–14. Based on Higher Residues. ACM CCS ’98. [6] D. Barrington. Bounded-width polynomial-size branching [43] P.Q. Nguyen and I. Shparlinski. On the Insecurity of Some programs recognize exactly those languages in NC1. STOC Server-Aided RSA Protocol. Asiacrypt ’01, pp. 21–35. ’86, pp. 1–5. [44] P.Q. Nguyen and J. Stern. The Beguin-Quisquater server-aided [7] D. Beaver. Minimal-latency secure function evaluation. RSA protocol from Crypto ‘95 is not secure. Asiacrypt ‘98, pp. Eurocrypt ’00, pp. 335–350. 372–379. [8] J. Benaloh. Verifiable secret-ballot elections. Ph.D. thesis, Yale [45] A.M. Odlyzko. The rise and fall of knapsack cryptosystems. In Univ., Dept. of Comp. Sci., 1988. Crypt. and Comp. Num. Th., Proc. Sympos. Appl. Math., vol. [9] J. Black, P. Rogaway, and T. Shrimpton. Encryption-scheme 42, AMS, 1990, pp. 75–88. security in the presence of key-dependent messages. SAC ’02, [46] T. Okamoto and Uchiyama. A New Public-Key Cryptosystem pp. 62–75. as Secure as Factoring. Eurocrypt ’98, pp. 308–318. [10] M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols [47] P. Paillier. Public-Key Cryptosystems Based on Composite and atomic proxy cryptography. Eurocrypt ’98, pp. 127–144. Degree Residuosity Classes. Eurocrypt ’99, pp. 223–238. [11] D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF [48] C. Peikert and A. Rosen. Efficient collision-resistant hashing formulas on ciphertexts. TCC ’05, pp. 325–341. from worst-case assumptions on cyclic lattices. TCC ’06, pp. [12] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky. 145–166. Circular-Secure Encryption from Decision Diffie-Hellman. [49] C. Peikert and A. Rosen. Lattices that Admit Logarithmic Crypto ’08, pp. 108–125. Worst-Case to Average-Case Connection Factors. STOC ’07, [13] D. Boneh and R. Lipton. Searching for Elements in Black-Box pp. 478–487. Fields and Applications. Crypto ’96, pp. 283–297. [50] C. Peikert and B. Waters. Lossy Trapdoor Functions and Their [14] J. Boyar, R. Peralta, and D. Pochuev. On the Multiplicative Applications. STOC ’08, pp. 187–196. ∧ ⊕ Complexity of Boolean Functions over the Basis ( , , 1). [51] B. Pfitzmann and M. Waidner. Attacks on protocols for Theor. Comput. Sci. 235(1), pp. 43–57, 2000. server-aided RSA computation. Eurocrypt ’92, pp. 153–162. [15] R. Canetti. Personal communication, 2008. [52] M. Prabhakaran and M. Rosulek. Homomorphic Encryption [16] R. Canetti, H. Krawczyk, and J.B. Nielsen. Relaxing with CCA Security. ICALP ’08. chosen-ciphertext security. Crypto ’03, pp. 565–582. [53] O. Regev. On Lattices, , Random Linear [17] D. Coppersmith and G. Seroussi. On the minimum distance of Codes, and Cryptography. STOC ’05, pp. 84–93. some quadratic residue codes. IEEE Trans. Inform. Theory 30 [54] R. Rivest, L. Adleman, and M. Dertouzos. On data banks and (1984), 407–411. privacy homomorphisms. In Foundations of Secure [18] W. van Dam, S. Hallgren, and L. Ip. Quantum Algorithms for Computation, pp. 169–180, 1978. Some Hidden Shift Problems. SIAM J. Comput., v. 36., no. 3, [55] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining pp. 763–778, 2006. digital signatures and public-key cryptosystems. In Comm. of [19] I. Damgard and M. Jurik. A Length-Flexible Threshold the ACM, 21:2, pages 120–126, 1978. Cryptosystem with Applications. ACISP ’03, pp. 350–356. [56] T. Sander, A. Young, and M. Yung. Non-interactive [20] T. ElGamal. A Public-Key Cryptosystem and a Signature cryptocomputing for NC1. FOCS ’99, pp. 554–567, 1999. Scheme Based on Discrete Logarithms. Crypto ’84, pp. [57] C.P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis 469–472. Reduction Algorithms. Theoretical Computer Science, [21] M. Fellows and N. Koblitz. Combinatorial cryptosystems 53(2-3):201–224, 1987. galore! Contemporary Mathematics, v. 168 of Finite Fields: [58] D.R. Stinson. Some baby-step giant-step algorithms for the low Theory, Applications, and Algorithms, FQ2, pp. 51–61, 1993. hamming weight discrete logarithm problem. Mathematics of [22] S. Goldwasser and D. Kharchenko. Proof of plaintext Computation, vol. 71, no. 237, pages 379–391, 2001. knowledge for the Ajtai-Dwork cryptosystem. TCC 2005, pp. 529–555. [23] S. Goldwasser and S. Micali. and how to play keeping secret all partial information. STOC ’82, pp. 365–377. [24] S. Halevi and H. Krawczyk. Security under key-dependent inputs. ACM CCS ’07.

178