
Fully Homomorphic Encryption Using Ideal Lattices

Craig Gentry
Stanford University and IBM Watson
[email protected]

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
STOC'09, May 31–June 2, 2009, Bethesda, Maryland, USA.
Copyright 2009 ACM 978-1-60558-506-2/09/05 ...$5.00.

ABSTRACT

We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable.

Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits.

Unfortunately, our initial scheme is not quite bootstrappable – i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems

General Terms: Algorithms, Design, Security, Theory

1. INTRODUCTION

We propose a solution to the old open problem of constructing a fully homomorphic encryption scheme. This notion, originally called a privacy homomorphism, was introduced by Rivest, Adleman and Dertouzos [54] shortly after the invention of RSA by Rivest, Adleman and Shamir [55]. Basic RSA is a multiplicatively homomorphic encryption scheme – i.e., given RSA public key $pk = (N, e)$ and ciphertexts $\{\psi_i \leftarrow \pi_i^e \bmod N\}$, one can efficiently compute $\prod_i \psi_i = (\prod_i \pi_i)^e \bmod N$, a ciphertext that encrypts the product of the original plaintexts. Rivest et al. [54] asked a natural question: What can one do with an encryption scheme $\mathcal{E}$ that is fully homomorphic: a scheme with an efficient algorithm $\mathrm{Evaluate}_{\mathcal{E}}$ that, for any valid public key $pk$, any circuit $C$ (not just a circuit consisting of multiplication gates), and any ciphertexts $\psi_i \leftarrow \mathrm{Encrypt}_{\mathcal{E}}(pk, \pi_i)$, outputs

$$\psi \leftarrow \mathrm{Evaluate}_{\mathcal{E}}(pk, C, \psi_1, \ldots, \psi_t),$$

a valid encryption of $C(\pi_1, \ldots, \pi_t)$ under $pk$? Their answer: one can arbitrarily compute on encrypted data – i.e., one can process encrypted data (query it, write into it, do anything to it that can be efficiently expressed as a circuit) without the decryption key. As an application, they suggested private data banks: a user can store its data on an untrusted server in encrypted form, yet still allow the server to process, and respond to, the user's data queries (with responses more concise than the trivial solution: the server just sends all of the encrypted data back to the user to process). Since then, cryptographers have accumulated a list of "killer" applications for fully homomorphic encryption. However, prior to this proposal, we did not have a viable construction.

1.1 Homomorphic Encryption

A homomorphic public key encryption scheme $\mathcal{E}$ has four algorithms $\mathrm{KeyGen}_{\mathcal{E}}$, $\mathrm{Encrypt}_{\mathcal{E}}$, $\mathrm{Decrypt}_{\mathcal{E}}$, and an additional algorithm $\mathrm{Evaluate}_{\mathcal{E}}$ that takes as input the public key $pk$, a circuit $C$ from a permitted set $\mathcal{C}_{\mathcal{E}}$ of circuits, and a tuple of ciphertexts $\Psi = \langle \psi_1, \ldots, \psi_t \rangle$; it outputs a ciphertext $\psi$. The computational complexity of all of these algorithms must be polynomial in security parameter $\lambda$ and (in the case of $\mathrm{Evaluate}_{\mathcal{E}}$) the size of $C$. $\mathcal{E}$ is correct for circuits in $\mathcal{C}_{\mathcal{E}}$ if, for any key-pair $(sk, pk)$ output by $\mathrm{KeyGen}_{\mathcal{E}}(\lambda)$, any circuit $C \in \mathcal{C}_{\mathcal{E}}$, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\Psi = \langle \psi_1, \ldots, \psi_t \rangle$ with $\psi_i \leftarrow \mathrm{Encrypt}_{\mathcal{E}}(pk, \pi_i)$, it is the case that:

$$\psi \leftarrow \mathrm{Evaluate}_{\mathcal{E}}(pk, C, \Psi) \;\Rightarrow\; C(\pi_1, \ldots, \pi_t) = \mathrm{Decrypt}_{\mathcal{E}}(sk, \psi)$$

By itself, mere correctness does not exclude trivial schemes.¹ So, we require ciphertext size and decryption time to be upper bounded by a function of the security parameter $\lambda$, independently of $C$ (or perhaps, as a relaxation, dependent on the depth of $C$, but not the size).

¹ In particular, we could define $\mathrm{Evaluate}_{\mathcal{E}}(pk, C, \Psi)$ to just output $(C, \Psi)$ without "processing" the circuit or ciphertexts at all, and $\mathrm{Decrypt}_{\mathcal{E}}$ to decrypt the component ciphertexts and apply $C$ to results.

Definition 1 (Homomorphic Encryption). $\mathcal{E}$ is homomorphic for circuits in $\mathcal{C}_{\mathcal{E}}$ if $\mathcal{E}$ is correct for $\mathcal{C}_{\mathcal{E}}$ and $\mathrm{Decrypt}_{\mathcal{E}}$ can be expressed as a circuit $D_{\mathcal{E}}$ of size $\mathrm{poly}(\lambda)$.

Definition 2 (Fully Homomorphic Encryption). $\mathcal{E}$ is fully homomorphic if it is homomorphic for all circuits.

Definition 3 (Leveled Fully Hom. Encryption). A family of schemes $\{\mathcal{E}^{(d)} : d \in \mathbb{Z}^+\}$ is leveled fully homomorphic if they all use the same decryption circuit, $\mathcal{E}^{(d)}$ is homomorphic for all circuits of depth at most $d$ (that use some specified set of gates $\Gamma$), and the computational complexity of $\mathcal{E}^{(d)}$'s algorithms is polynomial in $\lambda$, $d$, and (in the case of $\mathrm{Evaluate}_{\mathcal{E}^{(d)}}$) the size of $C$.

Remark 1. One may desire – e.g., for the two-party computation setting – the additional property that $\mathrm{Encrypt}_{\mathcal{E}}$ and $\mathrm{Evaluate}_{\mathcal{E}}$ have the same output distribution, or that there is at least some post-hoc randomization procedure that induces the same output distribution. We discuss such circuit privacy in Section 7.

Here, we focus on constructing a scheme that is semantically secure against chosen plaintext attacks (or just "semantically secure"). Unfortunately a scheme that has nontrivial homomorphisms cannot be semantically secure against adaptive chosen ciphertext attacks (CCA2), since it is malleable. There are relaxed notions of CCA2 security [3, 16, 52], but they do not apply to a fully homomorphic scheme. However, constructing a CCA1-secure fully homomorphic encryption scheme is an interesting open problem.

1.2 Our Results

We construct a fully homomorphic encryption scheme using ideal lattices. The result can roughly be broken down into three steps: a general "bootstrapping" result, an "initial construction" using ideal lattices, and a technique to "squash the decryption circuit" to permit bootstrapping.

Our research began with the second step: a PKE scheme $\mathcal{E}_1$ described in Section 3 that uses ideal lattices and is homomorphic for shallow circuits.

decrypt it! This is the idea behind bootstrapping: we do decrypt the ciphertext, but homomorphically!

Specifically, suppose $\mathcal{E}$ is bootstrappable with plaintext space $\mathcal{P}$ is $\{0, 1\}$, and that circuits are boolean. Suppose we have a ciphertext $\psi_1$ that encrypts $\pi$ under $pk_1$, which we want to refresh. So that we can decrypt it homomorphically, suppose we also have $sk_1$, the secret key for $pk_1$, encrypted under a second public key $pk_2$: let $\overline{sk_{1j}}$ be the encrypted secret key bits. Consider the following algorithm.

$\mathrm{Recrypt}_{\mathcal{E}}(pk_2, D_{\mathcal{E}}, \langle \overline{sk_{1j}} \rangle, \psi_1)$.

  Set $\overline{\psi_{1j}} \stackrel{R}{\leftarrow} \mathrm{Encrypt}_{\mathcal{E}}(pk_2, \psi_{1j})$
  Output $\psi_2 \leftarrow \mathrm{Evaluate}_{\mathcal{E}}(pk_2, D_{\mathcal{E}}, \langle \langle \overline{sk_{1j}} \rangle, \langle \overline{\psi_{1j}} \rangle \rangle)$

Above, Evaluate takes in the bits of $sk_1$ and $\psi_1$, each encrypted under $pk_2$. Then, $\mathcal{E}$ is used to evaluate the decryption circuit homomorphically. The output $\psi_2$ is thus an encryption under $pk_2$ of $\mathrm{Decrypt}_{\mathcal{E}}(sk_1, \psi_1) = \pi$. Applying the decryption circuit $D_{\mathcal{E}}$ removes the error vector associated to the first ciphertext, but $\mathrm{Evaluate}_{\mathcal{E}}$ simultaneously introduces a new error vector. Intuitively, we have made progress as long as the second error vector is shorter.

Suppose $\mathcal{C}_{\mathcal{E}}$ contains not just $D_{\mathcal{E}}$ but also the augmentation of $D_{\mathcal{E}}$ by NAND (i.e., a NAND gate connecting two copies of $D_{\mathcal{E}}$). Then, we say $\mathcal{E}$ is bootstrappable.

Theorem 1 (Informal). One can construct a (semantically secure) family $\{\mathcal{E}^{(d)}\}$ of leveled fully homomorphic encryption schemes from any (semantically secure) bootstrappable encryption scheme $\mathcal{E}$.

$\mathcal{E}^{(d)}$'s public key contains $d + 1$ public keys, basically one for each level of the circuit, and an acyclic chain of encrypted secret keys. It evaluates a $d$-depth NAND-circuit as follows: given ciphertexts encrypted under $pk_i$ associated to wires at the $i$th level of the circuit, it Recrypts them so that they become encrypted under $pk_{i-1}$, applies the NAND gates at that level, and recurses for $i - 1$. If $\mathcal{E}$ securely encrypts key-dependent messages (is KDM-secure) [9, 24, 12] – i.e., roughly, if providing a ciphertext that encrypts a function of the secret key does not hurt security – then the public keys need not be distinct; we can have a "loop," even a "self-
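The multiplicative homomorphism of basic RSA described in the introduction, and the malleability that rules out CCA2 security, shown as an added example that is not code from the paper. The primes (two Mersenne primes), the exponent and all function names are constructed for illustration; unpadded RSA with parameters this small is a teaching toy only.

```python
# Added illustration: textbook (unpadded) RSA with constructed toy parameters.
from math import gcd, prod

def keygen(p, q, e=65537):
    """Return (pk, sk) = ((N, e), (N, d)) for the given primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)              # psi = pi^e mod N

def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)

def evaluate_product(pk, ciphertexts):
    """The one circuit basic RSA can evaluate: a product gate over all inputs.
    prod(psi_i) = (prod(pi_i))^e mod N, computed without the secret key."""
    return prod(ciphertexts) % pk[0]

def evaluate_sum(pk, ciphertexts):
    """Naive addition gate. RSA has no additive homomorphism, so the result
    does not decrypt to the sum of the plaintexts."""
    return sum(ciphertexts) % pk[0]

def maul(pk, c, factor):
    """Malleability: anyone holding pk can scale the hidden plaintext."""
    return (c * encrypt(pk, factor)) % pk[0]

# Constructed parameters: the Mersenne primes 2^31 - 1 and 2^61 - 1.
PK, SK = keygen(2**31 - 1, 2**61 - 1)

if __name__ == "__main__":
    plaintexts = [3, 5, 7, 11]
    cts = [encrypt(PK, m) for m in plaintexts]
    print("product gate:", decrypt(SK, evaluate_product(PK, cts)))   # 1155
    print("sum gate    :", decrypt(SK, evaluate_sum(PK, cts)))       # not 26
    print("mauled 100*2:", decrypt(SK, maul(PK, encrypt(PK, 100), 2)))
```

The product gate works only while the product of the plaintexts stays below N; beyond that the result is the product reduced modulo N.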
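Why a scheme that is only "homomorphic for shallow circuits" needs its ciphertexts refreshed, shown as an added example that is not code from the paper: the error grows with every NAND level until decryption is no longer tied to the plaintext. It swaps in a toy symmetric scheme over the integers (in the style of the later van Dijk, Gentry, Halevi and Vaikuntanathan construction) for the paper's ideal-lattice scheme. The parameters and names are constructed, and the noise value carried next to each ciphertext is instrumentation only.

```python
# Added illustration, not the paper's ideal-lattice scheme: a toy symmetric
# integer scheme with constructed, insecure parameters.
import secrets

ETA, RHO, GAMMA = 128, 8, 256   # bit sizes: secret key, fresh noise, multiplier

def keygen():
    """Secret key: a random odd ETA-bit integer p."""
    return secrets.randbits(ETA) | (1 << (ETA - 1)) | 1

def encrypt(p, m):
    """c = p*q + (2r + m). Returns (c, noise); the noise is carried only to
    instrument the demo and is never read by decrypt."""
    r = secrets.randbits(RHO) | (1 << (RHO - 1))   # full RHO-bit r
    noise = 2 * r + m
    return p * secrets.randbits(GAMMA) + noise, noise

def decrypt(p, ct):
    """Centered reduction mod p, then mod 2; correct only while |noise| < p/2."""
    centered = ct[0] % p
    if centered > p // 2:
        centered -= p
    return centered % 2

def nand(ct1, ct2):
    """NAND gate 1 - c1*c2: the noise terms multiply, so the noise bit length
    roughly doubles at every level of the circuit."""
    return 1 - ct1[0] * ct2[0], 1 - ct1[1] * ct2[1]

def nand_tree(wires, gate=nand):
    """Balanced NAND circuit over 2^d inputs; returns the root wire."""
    while len(wires) > 1:
        wires = [gate(wires[i], wires[i + 1]) for i in range(0, len(wires), 2)]
    return wires[0]

def run(p, bits):
    """Return (decrypted root, expected root, noise bit length at the root)."""
    root = nand_tree([encrypt(p, b) for b in bits])
    expected = nand_tree(bits, gate=lambda a, b: 1 - a * b)
    return decrypt(p, root), expected, abs(root[1]).bit_length()

if __name__ == "__main__":
    p = keygen()
    for depth in (1, 2, 3, 5):
        got, want, noise_bits = run(p, [1, 0] * 2 ** (depth - 1))
        print(f"depth {depth}: noise {noise_bits} bits, key {ETA} bits, "
              f"decrypts correctly: {got == want}")
```

With these sizes a depth-3 circuit always decrypts correctly (noise below 2^72), while at depth 5 the noise is longer than the key itself, which is the point at which a Recrypt step would have had to intervene.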