Technische Universität Darmstadt, Department of Computer Science, Cryptography and Computeralgebra
Diploma Thesis
July 2011
Fully Homomorphic Encryption:
Overview and Cryptanalysis
Patrick Schmidt
Technische Universität Darmstadt, Department of Mathematics
Supervised by Prof. Dr. Johannes Buchmann and Dr. Richard Lindner
Acknowledgements
First of all, I would like to thank Prof. Johannes Buchmann for giving me the opportunity to write my thesis under this topic and gain knowledge in the field of fully homomorphic schemes and moreover in the area of lattices.
Furthermore, many thanks go to my two supervisors Dr. Richard Lindner and Michael Schneider, who offered and spent much time answering all my investigating questions and guiding me in the right direction.
In addition, I would like to thank all the people who supported my work on this thesis by proofreading it, finding spelling mistakes and logical errors, and helping me to improve the structure of my thesis and its readability, namely: Richard Frankland, Maina Olembo, Denise Demirel, and Dr. Melanie Volkamer.
Lastly, I thank all whom I have forgotten to mention before! Without your contributions this work would not be what it actually is.
Warranty
I hereby declare that the content of this thesis is the direct result of my own work and that any use of published or unpublished material in this thesis is fully and correctly referenced.
Contents
Introduction
I. Progress on Homomorphic Encryption and Signature Schemes
1. Preliminaries
1.1. Lattices
1.2. Computational Problems
1.3. Security Models
2. Homomorphic Encryption Schemes
2.1. Lattice-Based Encryption Schemes
2.2. Integer-Arithmetic Encryption Schemes
3. Homomorphic Signature Schemes
3.1. Additional Work to Homomorphic Signature Schemes
II. Cryptanalysis of the Gentry-Halevi FHE Scheme
4. The Gentry-Halevi Scheme
4.1. Brief Recall of the Construction
4.2. Parameter Selection
5. Attacking the Gentry-Halevi Scheme
5.1. Attack Methodology and Strategies
5.1.1. Strategy I (LLL)
5.1.2. Strategy II (Sublattice Attack)
5.1.3. Strategy III (BKZ)
5.2. Practical Considerations
5.2.1. Preparatory Work
5.2.2. Post-Processing a Strategy
5.3. Results
5.3.1. Strategy I (LLL)
5.3.2. Strategy II (Sublattice Attack)
5.3.3. Strategy III (BKZ)
Conclusion
Introduction
Cryptography has a longstanding history – the Egyptians in the year 3000 BC are believed to have been the first humans to use encryption, albeit a very simple form of it – but in previous centuries it simply was known as the science of encryption. Since its early years, cryptography and humankind's understanding of it have undergone a great development, nowadays consisting of far more areas than just encryption.
Today, cryptography is more often used in daily life than a normal (end)user in the real world is aware of, e.g. in smartcards, USB-tokens, car or door keys, home wifi networks, mobile communication (using a cellular phone) and many more. Perhaps the most prominent example for the usage of cryptography is the internet, with its many applications and transactions. One can think of such transactions as online-banking, electronic/online voting, e-mailing or using social networks. In most – and hopefully all – of these examples cryptography in the sense of encryption plays a huge role in ensuring confidentiality of the user’s data and credentials like passwords, IDs, PINs, TANs, etc.
Contrary to these instances, in some areas one explicitly wants to allow other people to perform some set of (permitted) applications on one's data without having access to the data in plaintext. One example is the delegation of computations according to [19] or [10], in which the delegator wants to outsource the computation of some function on many inputs to a worker and later obtain the correct result. A second example for this is electronic voting (which could be seen as a special case of delegation of computation) like in [15] or [45], where one would like the election authorities to be able to count the votes and present the final results, but dislikes the idea that individual votes are first decrypted and afterwards tallied. Two final examples are multiparty computations and commitment schemes as reported in [41]. In the setting of multiparty computations one wants different parties to jointly compute some function without revealing their inputs to each other, and for commitment schemes one can think of auctions where the auctioneer wants to assure that the offers are not publicly known in the bidding phase while at the same time ensuring that no one is able to repudiate their own offer.
In the above settings, as well as in many others, a way to accomplish the goal of “computing on encrypted data” is needed. With homomorphic encryption one can assure that performing some operations on encrypted data is possible. To achieve the aim in the example of electronic voting, the election authorities add the encrypted votes (thus receiving the final result encrypted) and then only have to decrypt the computed ciphertext to obtain the final result. For delegation of computation, the delegator hands the function $f$ and the encrypted inputs to the worker, and the worker returns the encrypted result. For the other examples similar operations have to be performed.
A number of homomorphic schemes have already been presented in the last decades: unpadded RSA [43] or the cryptosystem of ElGamal [16] and the cryptosystems of Goldwasser-Micali [27], Benaloh [4] or Paillier [40]. These examples contain additive-only or multiplicative-only homomorphic encryption schemes as well as additively homomorphic encryption schemes which support a very limited number of multiplications. This last type of scheme is able to homomorphically evaluate an arbitrary number of additions but only a small number of multiplications, i.e. such schemes can evaluate polynomials up to some small degree $d$ but are unable to evaluate polynomials of a larger degree. For further examples of homomorphic encryption schemes see [20]. Depending on the function which shall be computed, miscellaneous complex operations (consisting of additions, multiplications, etc.) have to be evaluated homomorphically, e.g. encrypted queries to a search engine or searching on encrypted data (in a database). But the small number of homomorphically evaluable multiplications drastically limits the previously mentioned schemes. The question whether it is possible to construct a fully homomorphic encryption scheme, i.e. a scheme which supports the computation of arbitrary functions on encrypted data (with no limit on the number of multiplications), was long believed in the cryptographic community to be a holy grail. Not before 2009 did Gentry theoretically solve this problem, by presenting his fully homomorphic encryption scheme (FHE) based on ideal lattices in [20].
The goal of this thesis is twofold: Firstly we give an overview of the progress and results in the field of fully homomorphic encryption and signatures after the breakthrough of Gentry, and secondly we cryptanalyse an implementation of a FHE scheme to contribute experimental results concerning the security issues of such schemes.
In the first part, we recapitulate Gentry's theoretical achievements in [20] to obtain a FHE scheme and then list a number of improvements to his work as well as further proposals from [47], [24], [39], [49], [48], [14], and [12] for lattice-based schemes and from [50] and [13] for integer-arithmetic schemes. In addition, we highlight the link between all these papers, as they are the most common approaches to achieve a fully homomorphic encryption scheme. Furthermore, we provide an overview of the results in [7] and [6] in the fairly new field of fully homomorphic signature schemes.
For the second part we cryptanalyse what is, to us, the most efficient implementation of a fully homomorphic encryption scheme, presented by Gentry and Halevi in [24]. In detail, we concentrate on one of the two underlying (theoretical) hardness problems, which is also suitable for, and used in, other cryptographic encryption schemes (not fully homomorphic ones). We analyse and estimate the robustness of the security parameters presented by the authors of [24] by applying some strategies to “break” the proposed scheme. We measure the running times and also the success rates of the chosen strategies and compare their effectiveness.
Part I.
Progress on Homomorphic
Encryption and Signature Schemes
1. Preliminaries
We start by giving definitions that will be used throughout this paper and to which we will eventually refer.
The definitions are split into three parts: There is the general part for (ideal) lattices, followed by the part of computational problems and lastly the part containing security models for (fully) homomorphic encryption and signatures.
General Notations. With $\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}$ we denote natural numbers (with zero), integers, rationals and reals, respectively; with $K^+$ we denote $\{x \in K : x > 0\}$ and with $K^n$ we mean the usual $n$-dimensional vector space resp. module over $K \in \{\mathbb{N}, \mathbb{Z}, \mathbb{Q}, \mathbb{R}\}$. $K_p$ denotes $K/(pK)$, and for prime $p$ we write it as $\mathbb{F}_p$, since $\mathbb{F}_p$ is (in this case) a field with $p$ elements. We also consider $\mathbb{F}_2 = \{0, 1\}$.
Vectors are denoted with small letters (a, b, . . .) and we think of vectors as columns. We denote matrices with capital letters (A, B, . . .) and the set of all (m×n)-matrices over K with Km×n. AT stands for the transpose of the matrix A. We think of matrices as ordered sets of column vectors.
$\|v\|_p$ denotes the $\ell_p$-norm of the vector $v$, which for a real $p \geq 1$ is defined as
$$\|v\|_p := \Big(\sum_{i=1}^{n} |v_i|^p\Big)^{1/p}.$$
The frequently used norms will be the maximum norm $\|v\|_\infty := \max_{i=1,\dots,n}\{|v_i|\}$ and the Euclidean norm $\|v\|_2 = \sqrt{\sum_{i=1}^{n} |v_i|^2}$, corresponding to the intuitive notion of the length of the vector $v$ in a Euclidean space. For a matrix $A$ we write $\|A\|_p$ for $\max_{i=1,\dots,n}\{\|a_i\|_p\}$, where $a_i$ denotes the $i$-th column of $A$.
With $\lfloor t \rceil$ we mean the rounding of $t$ to the nearest integer, while $\lceil t \rceil$ and $\lfloor t \rfloor$ denote the rounding up of $t$ to the next integer and rounding down, respectively. (For a (possibly negative) real $t$ this in particular means that $\lfloor t \rceil = \operatorname{sign}(t)\lfloor |t| \rceil$, and similarly for rounding up and down.) If we write $t \bmod p$, we mean the unique number $t'$ in $[-p/2, p/2) \cap \mathbb{Z}$ such that $t = kp + t'$ for some integer $k$. (When $t'$ shall denote the unique number in $\{0, \dots, p-1\}$, we will address this separately.)
With $x := a$ or $x \leftarrow a$ we assign the value $a$ to (the variable) $x$; with $x \leftarrow_R A$ the assignment has some randomness involved (according to $A$ resp. the right-hand side of the assignment); with $x \in_R A$ we uniformly choose $x$ from the set $A$ on the right; and for comparison in algorithms we use $x == a$ if needed, so as not to get mixed up with the assignment $x := a$. The equation sign $=$ is used in its full mathematical meaning (e.g. covering assignments and comparisons, its actual use being clear from the context).
A last notation we want to introduce is the Big O notation: With $f \in O(g)$ or $f = O(g)$ we mean $0 \leq \limsup_{x \to \infty} |f(x)/g(x)| < \infty$; with $f \in o(g)$ or $f = o(g)$ we mean $\lim_{x \to \infty} |f(x)/g(x)| = 0$; $f \in \Omega(g)$ or $f = \Omega(g)$ denotes $g \in O(f)$; $f \in \omega(g)$ or $f = \omega(g)$ is the corresponding $g \in o(f)$; and finally $f \in \Theta(g)$ or $f = \Theta(g)$ means both $f \in O(g)$ and $g \in O(f)$.
Other notations concerning the definitions below will be introduced there.
1.1. Lattices
General lattices. A lattice $L$ is a discrete abelian subgroup of $\mathbb{R}^n$. Since this definition is too vague, we would like to have a better natural “handle” for the lattice $L$. A basis $B := (b_1, \dots, b_d)$ for the lattice $L$ consists of $d \leq n$ linearly independent vectors $b_i$ with $L = L(B) := \{Bx : x \in \mathbb{Z}^d\}$, i.e. $L$ is the set of all integer combinations of vectors in $B$.
The number $d \geq 1$ is independent of the given basis for the lattice $L$, thus being a lattice constant. It is called the dimension of $L$ and denoted $d = \dim(L)$. (The independence of $d$ is due to the fact that for $d \geq 2$ there exist infinitely many bases for $L$, and a particular basis $B$ can be transformed into any other basis $B'$ via $B' = B \cdot T$ for a (unimodular) matrix $T \in GL_d(\mathbb{Z}) := \{A \in \mathbb{Z}^{d \times d} : |\det(A)| = 1\}$.) A lattice is of full rank if $d = n$. The determinant of a lattice $L$ with basis $B$ is given by $\det(L) := \sqrt{\det(B^T B)}$. It also is a lattice constant. For full-rank lattices there is a short version for the determinant, i.e. $\det(L) = |\det(B)|$. A geometric interpretation of the determinant is the volume of the parallelepiped $P(B) := \{Bx : x \in [-1/2, 1/2)^d\}$. Albeit the “shape” of $P(B)$ changes (since $P(B)$ depends on the “shape” of $B$), the volume of $P(B)$ is the same for all bases $B$ of $L$. Although we stated above that there exist infinitely many bases for a lattice with $\dim(L) \geq 2$, there are differences between them. A good basis consists of “short” and nearly orthogonal vectors, whereas a bad basis fulfills neither of these two requirements. We will not go into detail on what “short” means here, but in the literature the Hermite Normal Form (HNF) of a basis is thought of as a bad basis. A matrix $B$ is in Hermite Normal Form if $B$ is an upper triangular matrix, $b_{ii} > 0$ for $i = 1, \dots, n$ and $b_{ii} > b_{ij} \geq 0$ for all $j = i+1, \dots, n$. The HNF of a basis $B$, denoted $\mathrm{HNF}(B)$, can easily be computed from $B$ via $\mathrm{HNF}(B) = B \cdot U$ for a unimodular matrix $U \in GL_d(\mathbb{Z})$ denoting (invertible) column operations.
By $t \bmod B$ for a vector $t$ we denote the unique vector $t' \in P(B)$ with $t - t' \in L$; $t'$ can be computed efficiently via
$$t' = t - B \cdot \lfloor B^{-1} \cdot t \rceil$$
if $L = L(B)$ is a full-rank lattice. The $i$-th successive minimum $\lambda_i(L)$ is defined as the radius of the smallest sphere which contains $i$ linearly independent vectors of $L$. The value $\lambda_1(L)$ is also called the minimal distance of $L$. The dual lattice or reciprocal lattice $L^*$ of a lattice $L$ is defined as $L^* := \{y \in \operatorname{span}(L) : \forall x \in L : \langle x, y \rangle \in \mathbb{Z}\}$, where $\langle \cdot, \cdot \rangle$ denotes the (standard) scalar product and $\operatorname{span}(L) := \{Bx : x \in \mathbb{R}^n\}$ for $L = L(B)$. It holds that $\det(L) \cdot \det(L^*) = 1$, and for full-rank lattices $L = L(B)$ we get a basis $B^*$ for $L^*$ via $B^* = (B^{-1})^T$. Furthermore, let $\Lambda^\perp$
Ideal lattices. For the introduction of ideal lattices, we use another approach than for general lattices. Therefore, consider the (polynomial) ring $\mathbb{Z}[x]$ in one variable. An ideal $I$ of a ring $R$ (with unity) is a subset which is additively closed and also closed under multiplication with elements of $R$, i.e. for elements $i, j \in I$ and $r \in R$ we have $i + rj \in I$. We define $(a_1, \dots, a_n)$ to be the ideal generated by elements $a_1, \dots, a_n \in R$, i.e.
$$(a_1, \dots, a_n) := \Big\{ \sum_{j=1}^{k} r_j a_{i_j} : r_j \in R,\ i_j \in \{1, \dots, n\},\ k \leq n \Big\}.$$
The elements $a_1, \dots, a_n$ are then called generators of $I$, and for $n = 1$ the ideal $I$ is called a principal ideal.
Now, we define the (polynomial factor) ring $R := \mathbb{Z}[x]/(f(x))$ for a polynomial $f(x) \in \mathbb{Z}[x]$ of degree $n$. $R$ bijectively corresponds to $\mathbb{Z}^n$, and each element $v$ in $R$ can be viewed as a polynomial $v(x) = v_0 + v_1 x + \dots + v_{n-2} x^{n-2} + v_{n-1} x^{n-1}$ of degree $n-1$ or as a vector $v = (v_0, v_1, \dots, v_{n-2}, v_{n-1})^T$. By simply writing $v$, we simultaneously mean both. The ideal $I = (v)$ in $R$ then naturally corresponds to a lattice in $\mathbb{Z}^n$. By abuse of notation, we will write $I$ for this lattice, which is called an ideal lattice. The basis for $I$ is $B_I := \{v_i := v \cdot x^i \bmod f(x) : i = 0, \dots, n-1\}$ and is called the rotation basis. For an ideal $I$, we can also define a fractional ideal $I^{-1} := \{y \in K : \forall x \in I : x \cdot y \in R\}$, where $K$ is a field containing $R$, e.g. for $R = \mathbb{Z}[x]/(f(x))$ we have $K = \mathbb{Q}[x]/(f(x))$. So, $I^{-1}$ is not necessarily a subset of $R$, but $I^{-1}$ again is an ideal (hence, the definition of fractional ideal makes sense). (In general, the formal definition of a fractional ideal is much more complex, but the definition above is suitable for our needs.) A (fractional) ideal $I$ is called invertible if there exists another (fractional) ideal $J$ with $IJ = R$, where
$$IJ = \Big\{ \sum_{i=1}^{n} a_i b_i : a_i \in I,\ b_i \in J,\ n \in \mathbb{N}^+ \Big\}$$
is the product of $I$ and $J$. If we have $I = (v)$ then $I^{-1} = (1/v)$, where $1/v$ is computed in $K$; for multiple generators $v_1, \dots, v_n$ of $I$, its inverse ideal is $I^{-1} = \bigcap_{i=1}^{n} (1/v_i)$. Two ideals $I$ and $J$ are called relatively prime or co-prime if $I + J \supseteq R$. We sometimes call the determinant of an ideal lattice $I$ its norm, denoted $\operatorname{nm}(I)$, and for $I = (v)$ we have $\operatorname{nm}(I^{-1}) = \operatorname{nm}(I)^{-1}$.
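As an added example (not code from the thesis), the following Python builds the rotation basis $B_I$ of the ideal lattice $I = (v)$ in $R = \mathbb{Z}[x]/(x^n + 1)$, computes $\det(I) = |\det(B_I)|$ (the norm of $I$), reduces a target vector $t$ modulo $B_I$ via $t' = t - B_I \lfloor B_I^{-1} t \rceil$ and checks that $t' \in P(B_I)$ and $t - t' \in I$; it also evaluates one term of the supremum that defines the expansion factor $\gamma(R)$. The choice $f(x) = x^n + 1$, the generator $v = 2 + x$, the target $t$ and the use of the Euclidean norm for $\gamma$ are assumptions of this example, and ties in the rounding are sent upwards so that $t'$ lands in the half-open box $P(B_I)$.

```python
from fractions import Fraction
from math import floor, sqrt

# Constructed example: the ring is R = Z[x]/(x^n + 1); a ring element is the integer
# coefficient vector (v_0, ..., v_{n-1}) of v(x) = v_0 + v_1 x + ... + v_{n-1} x^{n-1}.

def poly_mulmod(a, b, n):
    """Product a(x)*b(x) in Z[x]/(x^n + 1): a term x^(i+j) with i+j >= n wraps to -x^(i+j-n)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj
    return out

def rotation_basis(v, n):
    """Rotation basis B_I = (v*x^0, v*x^1, ..., v*x^(n-1)) of I = (v), as a list of columns."""
    x = [0, 1] + [0] * (n - 2)
    cols, cur = [], list(v)
    for _ in range(n):
        cols.append(cur)
        cur = poly_mulmod(cur, x, n)
    return cols

def _rows(cols, extra=None):
    """Row-major Fraction matrix built from a column list, optionally augmented by a vector."""
    n = len(cols)
    rows = [[Fraction(cols[j][i]) for j in range(n)] for i in range(n)]
    if extra is not None:
        for i in range(n):
            rows[i].append(Fraction(extra[i]))
    return rows

def det(cols):
    """Exact determinant via Gaussian elimination over Q (Fractions, so no rounding)."""
    m, n, d = _rows(cols), len(cols), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [e - f * g for e, g in zip(m[r], m[c])]
    return d

def solve(cols, t):
    """Coefficient vector x = B^{-1} t (Gauss-Jordan over Q); B must be full rank."""
    a, n = _rows(cols, t), len(cols)
    for c in range(n):
        piv = next(r for r in range(c, n) if a[r][c] != 0)
        a[c], a[piv] = a[piv], a[c]
        a[c] = [e / a[c][c] for e in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0:
                f = a[r][c]
                a[r] = [e - f * g for e, g in zip(a[r], a[c])]
    return [a[i][n] for i in range(n)]

def reduce_mod_basis(cols, t):
    """t mod B = t - B*round(B^{-1} t). Ties are rounded up (floor(c + 1/2)) so that the
    fractional parts c - round(c) lie in [-1/2, 1/2), i.e. the result lies in P(B)."""
    n = len(cols)
    k = [floor(c + Fraction(1, 2)) for c in solve(cols, t)]
    reduced = [t[i] - sum(cols[j][i] * k[j] for j in range(n)) for i in range(n)]
    return reduced, k

def in_parallelepiped(cols, t):
    """True iff every coordinate of B^{-1} t lies in [-1/2, 1/2), i.e. t is in P(B)."""
    half = Fraction(1, 2)
    return all(-half <= c < half for c in solve(cols, t))

def expansion_ratio(a, b, n):
    """||a*b||_2 / (||a||_2 * ||b||_2): one term of the supremum defining gamma(R)."""
    norm = lambda v: sqrt(sum(e * e for e in v))
    return norm(poly_mulmod(a, b, n)) / (norm(a) * norm(b))

if __name__ == "__main__":
    n, v, t = 4, [2, 1, 0, 0], [5, 7, -3, 4]          # v(x) = 2 + x, constructed target t
    B = rotation_basis(v, n)
    print("det(I) =", det(B))                         # |res(2 + x, x^4 + 1)| = 17
    t_red, k = reduce_mod_basis(B, t)
    print("t mod B_I =", t_red, "with t - t' = B_I *", k)
    print("t' in P(B_I):", in_parallelepiped(B, t_red))
    print("expansion term for (1+x)^2:", expansion_ratio([1, 1, 0, 0], [1, 1, 0, 0], n))
```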
We introduce the (discrete) Gaussian distribution and the smoothing parameter, which have become more and more important in past years: For any $s \in \mathbb{R}^+$ the Gaussian distribution (in $\mathbb{R}^n$) centered around $c \in \mathbb{R}^n$ is defined as
$$\rho_{s,c,\|\cdot\|}(x) := \exp(-\pi \|x - c\|^2 / s^2) \quad \text{for all } x \in \mathbb{R}^n.$$
The parameter $s$ is called the standard deviation of the distribution. (When it is clear which norm is used, we will write $\rho_{s,c}$; if $c = 0$, we just write $\rho_s$ for $\rho_{s,c}$.) Besides this continuous version there is also the discrete Gaussian distribution over $L$, defined as
$$D_{L,s,c}(x) := \frac{\rho_{s,c}(x)}{\rho_{s,c}(L)}$$
for all $x \in L$ and $\rho_{s,c}(L) := \sum_{y \in L} \rho_{s,c}(y)$ for a set $L$ (which will be a lattice in this paper). If $c = 0$, we will omit it in $D_{L,s,c}$ and just write $D_{L,s}$.
According to most definitions in the literature, the smoothing parameter $\eta_\varepsilon(L)$ is defined here as follows: For a lattice $L$ and $\varepsilon \in \mathbb{R}^+$ we have
The expansion factor $\gamma$ of a ring $R$ is defined as
$$\gamma := \gamma(R) := \sup_{r_1, r_2 \in R} \frac{\|r_1 \cdot r_2\|}{\|r_1\| \cdot \|r_2\|}.$$
If the ring $R$ is obvious or not necessary to mention, we will omit it and just write $\gamma$. For two polynomials $f(x), g(x)$ the resultant $\operatorname{res}(f, g)$ is defined as
$$\operatorname{res}(f, g) := \prod_{(x, y) : f(x) = 0 = g(y)} (x - y),$$
which for a separable polynomial $f(x)$ is the same as $\operatorname{res}(f, g) = \prod_{y : g(y) = 0} f(y)$.
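As an added example (not from the thesis) of the definitions of $\rho_{s,c}$ and $D_{L,s,c}$ above, the following Python instantiates them for the one-dimensional lattice $L = \mathbb{Z}$, where the normalising sum $\rho_{s,c}(\mathbb{Z})$ can be truncated, and draws from $D_{\mathbb{Z},s,c}$ by rejection sampling. The truncation width (12 standard deviations) and the rejection method are choices of this example, not of the thesis.

```python
from math import exp, pi, floor, ceil
import random

# Constructed example: the lattice is L = Z, so rho_{s,c}(Z) is a sum over the integers
# that can be truncated because rho decays like exp(-pi * y^2 / s^2).

def rho(x, s, c=0.0):
    """Gaussian function rho_{s,c}(x) = exp(-pi * ||x - c||^2 / s^2) on the real line."""
    return exp(-pi * (x - c) ** 2 / s ** 2)

def window(s, c, tail):
    """Integers within tail*s of the centre; each term outside is below exp(-pi*tail^2)."""
    return range(floor(c - tail * s), ceil(c + tail * s) + 1)

def rho_Z(s, c=0.0, tail=12):
    """Truncated normalisation constant rho_{s,c}(Z) = sum_{y in Z} rho_{s,c}(y)."""
    return sum(rho(y, s, c) for y in window(s, c, tail))

def D_Z(x, s, c=0.0, tail=12):
    """Probability mass D_{Z,s,c}(x) = rho_{s,c}(x) / rho_{s,c}(Z) of the integer x."""
    return rho(x, s, c) / rho_Z(s, c, tail)

def sample_D_Z(s, c=0.0, rng=random, tail=12):
    """Draw from D_{Z,s,c} by rejection: propose y uniformly in the window and accept it
    with probability rho_{s,c}(y) <= 1, which is proportional to D_{Z,s,c}(y)."""
    w = window(s, c, tail)
    while True:
        y = rng.choice(w)
        if rng.random() < rho(y, s, c):
            return y

def empirical_mass(s, c, x, draws, seed=1):
    """Fraction of `draws` seeded samples equal to x; approaches D_Z(x, s, c)."""
    rng = random.Random(seed)
    return sum(sample_D_Z(s, c, rng) == x for _ in range(draws)) / draws

if __name__ == "__main__":
    for s in (1.0, 2.0, 4.0):   # a larger s flattens the distribution
        print(f"s={s}: D_Z(0)={D_Z(0, s):.4f}  D_Z(1)={D_Z(1, s):.4f}  rho(Z)={rho_Z(s):.4f}")
    print("empirical vs exact mass at 0 for s=2:", empirical_mass(2.0, 0.0, 0, 4000), D_Z(0, 2.0))
```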
1.2. Computational Problems
Now we define the computational problems used, on which the security of the proposed homomorphic encryption and signature schemes relies. We will write $\operatorname{dist}(L, t)$ for $\min_{y \in L}\{\|t - y\|\}$.
Although there are a lot of different lattice problems, we will only consider the ones most important for this work. The first one is a problem in general lattices, whereas the following problems occur in ideal lattices.
Definition 1.1 (Small Integer Solution Problem (SIS)). Given positive integers $m, n \in \mathbb{Z}^+$, a positive real $\beta \in \mathbb{R}^+$, a prime $q$ and $A \in \mathbb{Z}_q^{n \times m}$, where $A$ is chosen from a distribution negligibly close to uniform over $\mathbb{Z}_q^{n \times m}$, find $v \in \Lambda_q^\perp(A) \setminus \{0\}$ with $\|v\| \leq \beta$.
This definition corresponds to the one of Micciancio and Regev (cf. [37]). Roughly speaking, the SIS problem asks to find a small integral linearly dependent combination of the columns of $A$ (modulo $q$).
For a definition of “negligible” see Definition 1.16.
Definition 1.2 (Ideal Shortest Independent Vector Problem (Ideal SIVP)). Given a ring $R$, an ideal $I$ in $R$ with basis $B_I$ and a positive real $d \geq 1$, find an independent set $B$ in $I$ with $\|B\| \leq d \cdot \lambda_n(I)$.
The ideal SIVP is a “natural translation” of the $d$-SIVP in lattices, which asks to find $n$ linearly independent vectors $v_1, \dots, v_n \in L$ with the condition $\max_{i=1,\dots,n} \|v_i\| \leq d \cdot \lambda_n(L)$. The first definition of the SIVP, to our knowledge, appeared in the work of Ajtai ([1], problem (P3)) in a slightly different manner to both notations before: Ajtai formulated it as finding a basis with the condition above.
Definition 1.3 (Ideal Membership Problem (IMP)). Let $R$ be a ring, $I$ an ideal in $R$ and $\mathrm{Sample}_I$ an algorithm that efficiently samples $I$. The challenger randomly chooses a bit $b \leftarrow_R \{0,1\}$, and sets $x \leftarrow_R \mathrm{Sample}_I(R)$ for $b = 0$ and $x \leftarrow_R R$ otherwise. Given $(x, R, \mathrm{Sample}_I)$, find $b$.
Definition 1.4 (Inner Ideal Membership Problem (IIMP)). Let $R$ be a ring, $I$ an ideal in $R$ with basis $B_I$, $\mathrm{IdealGen}$ an algorithm that samples two bases of an ideal in $R$ and $s \in \mathbb{R}^+$ a positive real. The challenger generates $(B_J^{sk}, B_J^{pk}) \leftarrow_R \mathrm{IdealGen}(R, B_I)$ and randomly chooses a bit $b \in_R \{0,1\}$. For $b = 0$ it sets $x \leftarrow_R D_{I,s}$, otherwise $x \leftarrow_R D_{R,s}$. At last, it sets $t = x \bmod B_J^{pk}$. Given $(B_J^{pk}, t)$, find $b$.
This problem is like the IMP in the sense that one wants to know whether $x$ is an element of the (inner) ideal $I$, but where the $I$-IMP is disturbed by the (outer) ideal $J$.
Definition 1.5 (Ideal Coset Problem (ICP)). Let $R$ be a ring, $I$ an ideal in $R$ with basis $B_I$, $\mathrm{IdealGen}$ an algorithm that samples two bases of an ideal in $R$ and $\mathrm{Sample}$ an algorithm which efficiently samples $R$. The challenger randomly chooses a bit $b \in_R \{0,1\}$ and generates $(B_J^{sk}, B_J^{pk}) \leftarrow \mathrm{IdealGen}(R, B_I)$. For $b = 0$ it sets $r \leftarrow_R \mathrm{Sample}(R)$ and $t = r \bmod B_J^{pk}$, otherwise $t \leftarrow_R R \bmod B_J^{pk}$. Given $(t, B_J^{pk})$, find $b$.
Definition 1.6 (Decisional Bounded Distance Decoding Problem (DBDDP) for Ideal Lattices). When the ICP is instantiated with a polynomial (factor) ring $R = \mathbb{Z}[x]/(f(x))$ and the algorithm $\mathrm{Sample}$ efficiently samples from $\mathbb{Z}^n \cong R$ (for a monic polynomial $f(x)$ of degree $n$), the ICP is called DBDDP (in a version for ideal lattices).
Definition 1.7 (SplitKey Distinguishing Problem (SKDP)). Let $\mathrm{KeyGen}, \mathrm{SplitKey}$ be algorithms and $(sk, pk) \leftarrow_R \mathrm{KeyGen}$. The challenger randomly chooses a bit $b \leftarrow_R \{0,1\}$. For $b = 0$ it sets $(sk, T) \leftarrow_R \mathrm{SplitKey}(sk, pk)$, otherwise $(sk, T) \leftarrow_R \mathrm{SplitKey}(\bot, pk)$ for some special symbol $\bot$. Given $(T, sk, pk)$, find $b$.
The four problems IIMP, ICP, DBDDP and SKDP were introduced by Gentry in [20] and previous works. In concrete terms, the ICP is said to be a “fairly natural decisional version of the closest vector problem” ([21]).
The last type of problems are problems on (integer) numbers, which can be adapted to a one-dimensional lattice: One shall find an “approximate” greatest common divisor (gcd) for some given numbers or a (sparse) subset in a set of numbers that sums up to a given number. The definitions are as follows:
Definition 1.8 (Approximate-GCD Problem (AGCDP)). Given $k$ numbers $y_1, \dots, y_k$ chosen according to the distribution
$$\mathrm{Dist}_{\gamma,\rho}(p) := \{\text{choose } q \in_R \mathbb{Z} \cap [0, 2^\gamma/p),\ r \in_R \mathbb{Z} \cap (-2^\rho, 2^\rho),\ \text{output } x = pq + r\}$$
for an odd positive integer $p \in \mathbb{Z}^+$, find $p$.
The number $p$ is called the (hidden) approximate-gcd of the given numbers $y_1, \dots, y_k$, and the values $\gamma, \rho$ define the maximal (bit)length of $q, r$.
Definition 1.9 (Sparse Subset Sum Problem (SSSP)). Let $s, t, q \in \mathbb{Z}^+$ be positive integers. The challenger randomly chooses a bit $b \leftarrow_R \{0,1\}$. For $b = 0$ it generates $T$ as a set of $t$ integers $a_1, \dots, a_t$ with $a_i \in_R [-q/2, q/2)$ and the existence-constraint of $S \subseteq \{1, \dots, t\}$ with $|S| = s$ and $\sum_{i \in S} a_i = 0 \bmod q$; otherwise it generates $T$ without
This definition is the one for the decisional version of the subset sum problem in the literature, the “sparsity” of the problem occurring when the parameters $t, s$ are set according to those of Gentry in [20], Section 11. If one is asked not just to decide whether a subset $S$ exists, but rather to find and output $S$, the problem is called “search SSSP”.
1.3. Security Models
This subsection is intended to give the definitions for the analysis of the security of the schemes presented later.
Homomorphic Encryption
Definition 1.10 (Homomorphic Encryption Scheme). A homomorphic encryption scheme consists of the following four algorithms:
KeyGen($\lambda$). On input the security parameter $\lambda$, this randomised algorithm outputs a tuple $(sk, pk)$ consisting of the secret key $sk$ and public key $pk$.
Encrypt($pk, \pi$). On input a public key $pk$ and a plaintext $\pi$, this randomised algorithm outputs a ciphertext $\psi$.
Decrypt($sk, \psi$). On input a secret key $sk$ and a ciphertext $\psi$, this algorithm outputs the corresponding plaintext $\pi$.
Evaluate($pk, C, \Psi$). On input a public key $pk$, a circuit $C$ with $t$ inputs (of the set $\mathcal{C}$ of allowed circuits) and a set $\Psi$ of $t$ ciphertexts $\psi_1, \dots, \psi_t$, this (possibly randomised) algorithm outputs a ciphertext $\psi$.
So, a homomorphic encryption scheme consists of all algorithms of a conventional public key encryption scheme and an extra one. The correctness-condition for the conventional part of a homomorphic encryption scheme is identical to the one for a (non-homomorphic) public key encryption scheme.
For the sake of simplicity and size, we will give a rather informal explanation of the Evaluate-algorithm and an informal definition of fully homomorphic encryption (FHE) schemes, and defer the detailed definitions to the references.
The additional algorithm Evaluate – roughly speaking – is supposed to do the following: If $\psi_i$ is a ciphertext corresponding to the plaintext $\pi_i$ for $i = 1, \dots, t$ and $\Psi = (\psi_1, \dots, \psi_t)$, then $\mathrm{Evaluate}(pk, C, \Psi)$ shall return a ciphertext $\psi$ corresponding to the plaintext $C(\pi_1, \dots, \pi_t)$ for a circuit $C$ with $t$ inputs (cf. Figure 1).
A homomorphic encryption scheme is said to “correctly evaluate” $\mathcal{C}$ (a set of circuits), if the correctness-condition on the algorithm Evaluate from above holds for all circuits $C \in \mathcal{C}$.
Definition 1.11 (Fully Homomorphic Encryption). We call a homomorphic encryption scheme fully homomorphic, if it correctly evaluates all circuits and the size of its decryption algorithm (as a circuit) is bounded by some (fixed) polynomial in the security parameter.
Figure 1: An illustrative view on the Evaluate-algorithm (diagram: decrypting $\psi_1, \dots, \psi_t$ with $sk$ and applying $C$ to $\pi_1, \dots, \pi_t$ yields the same plaintext $\pi$ as decrypting $\psi = \mathrm{Evaluate}(pk, C, \Psi)$ with $sk$)
Remark. The size-constraint on the decryption algorithm excludes trivial schemes in which Evaluate simply outputs $(C, \Psi)$ and Decrypt is adapted to first decrypt the single components of $\Psi$ and then apply the circuit $C$ to the decrypted parts.
Now, we come to the definitions concerning the security of the schemes.
Security Definitions for Homomorphic Encryption
We consider games the appropriate means to introduce the notion of security, which is then covered by the definitions. We start by defining the games for CCA2-, CCA1- and CPA-security for a homomorphic encryption scheme $\mathcal{E}$.
Definition 1.12 ($\mathrm{Game}^{\text{Hom-CCA2-IND}}_{\mathcal{E}}$). Let $\mathcal{P}$ denote the plaintext space and $\mathcal{C}$ the ciphertext space, which in the case of a homomorphic encryption scheme $\mathcal{E}$ is supposed to be larger than for a conventional public key encryption scheme – since $\mathcal{C}$ is the support of Evaluate and not just the support of Encrypt.
Setup. The challenger $\mathcal{B}$ generates a tuple $(sk, pk) \leftarrow_R \mathrm{KeyGen}(\lambda)$ and gives the public key $pk$ to the adversary $\mathcal{A}$.
Query-Rounds. $\mathcal{A}$ sends decryption-queries about ciphertexts $\psi_i$ of its choice to $\mathcal{B}$. The challenger answers with the output of $\mathrm{Decrypt}(sk, \psi_i)$. The adversary $\mathcal{A}$ is allowed to request decryption-queries even though it may have received the challenge from $\mathcal{B}$.
Challenge. The adversary $\mathcal{A}$ picks a circuit $C$ with $t$ inputs ($t$ being polynomial in the security parameter), two plaintext tuples $\pi^i := (\pi^i_1, \dots, \pi^i_t)$, $i = 1, 2$, of its choice and sends $\pi^0, \pi^1$ to $\mathcal{B}$. The challenger randomly chooses a bit $b \in_R \{0,1\}$, computes $\Psi := (\psi^b_1, \dots, \psi^b_t)$ with $\psi^b_j \leftarrow_R \mathrm{Encrypt}(pk, \pi^b_j)$ and sends $\psi := \Psi$ to $\mathcal{A}$. (Note that $\mathcal{B}$ does not have to compute $\psi$ as $\mathrm{Evaluate}(pk, C, \Psi)$, since $\mathcal{A}$ can do this step on its own because only public values are involved.)
Guess. $\mathcal{A}$ sends a bit $b' \in \{0,1\}$ to $\mathcal{B}$.
Definition 1.13 ($\mathrm{Game}^{\text{Hom-CCA1-IND}}_{\mathcal{E}}$). The game for CCA1-security is the same as the game for CCA2, except that the adversary is allowed to make queries only before the challenge.
Definition 1.14 ($\mathrm{Game}^{\text{Hom-CPA-IND}}_{\mathcal{E}}$). The game for CPA-security omits the query-rounds of the CCA2/CCA1-games. The rest remains the same.
Except for the challenge phase, the three defined games $\mathrm{Game}^{\text{Hom-CCA2-IND}}_{\mathcal{E}}$, $\mathrm{Game}^{\text{Hom-CCA1-IND}}_{\mathcal{E}}$ and $\mathrm{Game}^{\text{Hom-CPA-IND}}_{\mathcal{E}}$ equal the ordinary games for CCA2-, CCA1- and CPA-security for conventional public key encryption schemes. The difference in the challenge step of the ordinary games is that $\mathcal{A}$ is only allowed to choose two elements $\pi^0, \pi^1 \in \mathcal{P}$ (and not two $t$-tuples for a circuit $C$ with $t$ inputs) and receives an element $\psi$ (and not a $t$-tuple) as the answer.
We say that an adversary wins $\mathrm{Game}^{\text{Hom-X-IND}}_{\mathcal{E}}$ for $X \in \{\mathrm{CCA2}, \mathrm{CCA1}, \mathrm{CPA}\}$ if $b' = b$, and by $\Pr[b' = b]$ we denote the probability for this event.
Definition 1.15 (Advantage in Homomorphic Encryption). We define adversary $\mathcal{A}$'s advantage in $\mathrm{Game}^{\text{Hom-X-IND}}_{\mathcal{E}}$ to be
$$\mathrm{Adv}^{\text{Hom-X-IND}}_{\mathcal{A},\mathcal{E}} := \Pr[b' = b] - \tfrac{1}{2},$$
where $\Pr[b' = b]$ is the probability for $\mathcal{A}$ to win $\mathrm{Game}^{\text{Hom-X-IND}}_{\mathcal{E}}$ (the probability is over the randomness used by the challenger and the adversary).
Roughly speaking, $\mathcal{A}$'s advantage is the difference between $\mathcal{A}$'s method and just “guessing” the correct value of $b$.
Definition 1.16 (Negligible (Function)). A function $f : \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every integer $c > 0$ there exists a positive integer $n_c$ such that for all integers $n > n_c$ we have $|f(n)| < \frac{1}{n^c}$. Otherwise we call $f$ non-negligible.
For negligible $f$ we write $f(x) \approx \varepsilon(x)$, for non-negligible $f(x) \not\approx \varepsilon(x)$. We now can define the security notions:
Definition 1.17 (CCA2-, CCA1- and CPA-IND). A homomorphic encryption scheme $\mathcal{E}$ is $X$-IND for $X \in \{\mathrm{CCA2}, \mathrm{CCA1}, \mathrm{CPA}\}$, if no probabilistic polynomial-time adversary $\mathcal{A}$ wins $\mathrm{Game}^{\text{Hom-X-IND}}_{\mathcal{E}}$ with non-negligible advantage (in the security parameter $\lambda$), i.e. $\mathrm{Adv}^{\text{Hom-X-IND}}_{\mathcal{A},\mathcal{E}} \approx \varepsilon(\lambda)$.
By simply writing semantically secure we mean secure in the CPA-IND sense.
Homomorphic Signatures
Definition 1.18 (Homomorphic Signature Scheme). A homomorphic signature scheme consists of the following four algorithms:
Setup($1^n, t$). On input the security parameter $n$ and a “data set” size $t$, this randomised algorithm generates the secret key $sk$ and public key $pk$ and outputs the tuple $(sk, pk)$. (The public key defines the message space $\mathcal{M}$, the signature space and also the set $\mathcal{F}$ of “allowed” functions $f : \mathcal{M}^t \to \mathcal{M}$ with $t$ inputs.)
Sign($sk, \tau, i, \pi^\tau_i$). On input a secret key $sk$, a tag $\tau \in \{0,1\}^n$, an index $i$ and a message $\pi^\tau_i$, this randomised algorithm outputs a signature $\sigma^\tau_i$.
Verify($pk, \tau, \pi^\tau_i, \sigma^\tau_i, f$). On input a public key $pk$, a tag $\tau$, a message $\pi^\tau_i$, a signature $\sigma^\tau_i$ and a function $f \in \mathcal{F}$, this algorithm either outputs 0 (for rejection) or 1 (for acceptance).
Evaluate($pk, \tau, f, \Sigma^\tau$). On input a public key $pk$, a tag $\tau$, a function $f \in \mathcal{F}$ and a signature tuple $\Sigma^\tau = (\sigma^\tau_1, \dots, \sigma^\tau_t)$, this (possibly randomised) algorithm outputs a signature $\sigma$.
Like for homomorphic encryption, the first three algorithms are (nearly) identical to those of a conventional public key signature scheme. The difference here – the inclusion of a tag $\tau$, an index $i$ and a function $f$ – will become obvious: With the tag $\tau \in \{0,1\}^n$ we distinguish between different “data sets” $\Sigma^\tau$ as input to the function $f$, the signature computed by the Sign-algorithm will require the presence of the index $i$, and the Verify-algorithm will need a representation of $f$ to do its job properly.
The correctness-condition for conventional public key signature schemes must obviously be fulfilled for the converted algorithms Sign and Verify, including the projection maps $p_i(\pi^\tau_1, \dots, \pi^\tau_t) := \pi^\tau_i$. This means that $\mathcal{F}$ at least contains all projection maps $p_i$.
The additional algorithm Evaluate informally does the following: If $\Sigma^\tau$ consists of honestly created signatures $\sigma^\tau_i = \mathrm{Sign}(sk, \tau, i, \pi^\tau_i)$ for messages $\pi^\tau_i$, then $\mathrm{Evaluate}(pk, \tau, f, \Sigma^\tau)$ shall return a signature $\sigma$ corresponding to the message $f(\pi^\tau_1, \dots, \pi^\tau_t)$ for a function $f \in \mathcal{F}$.
In addition to the correctness-condition for Sign and Verify, the one for Evaluate can be formulated as
$$\mathrm{Verify}\big(pk, \tau, f(\pi^\tau_1, \dots, \pi^\tau_t), \mathrm{Evaluate}(pk, \tau, f, \Sigma^\tau), f\big) = 1$$
for $\Sigma^\tau = (\sigma^\tau_1, \dots, \sigma^\tau_t)$, $\sigma^\tau_i = \mathrm{Sign}(sk, \tau, i, \pi^\tau_i)$ and for all $f \in \mathcal{F}$.
Definition 1.19 (Homomorphic with respect to $\mathcal{F}$ / $\mathcal{F}$-Homomorphic). If all these conditions are satisfied for an allowed set $\mathcal{F}$ of functions, then the signature scheme $\mathcal{S}$ “correctly evaluates” $\mathcal{F}$ and is called $\mathcal{F}$-homomorphic (or homomorphic with respect to $\mathcal{F}$).
Remark. There is one risky point in our definitions so far: The Evaluate-algorithm can create a signature $\sigma$ from signatures $\Sigma = (\sigma_1, \dots, \sigma_t)$ which themselves are obtained by Evaluate. Repeating this procedure several times, we could reach the point where the input signatures are valid, but the output signature of Evaluate is not. This is due to the fact that the “noise” in the aggregated signature becomes too large and thus the Evaluate-algorithm is no longer able to do its job properly. To keep it simple, we restrict the correctness-property of Evaluate to hold when the input signatures are “fresh” signatures created by Sign.
Security Definitions for Homomorphic Signatures
Definition 1.20 ($\mathrm{Game}^{\text{Hom-CMA-UNF}}_{\mathcal{S}}$).
Setup. The challenger $\mathcal{B}$ generates a tuple $(sk, pk) \leftarrow_R \mathrm{Setup}(1^n, t)$ and gives the public key $pk$ to the forger $\mathcal{A}$.
Query-Rounds. $\mathcal{A}$ sends adaptively-chosen signature-queries about message tuples $\Pi_i := (\pi^i_1, \dots, \pi^i_t)$ to $\mathcal{B}$. The challenger randomly chooses a tag $\tau_i \in_R \{0,1\}^n$ and sends the tag $\tau_i$ and the signature tuple $\Sigma^{\tau_i}$ including the signatures $\sigma^{\tau_i}_j = \mathrm{Sign}(sk, \tau_i, j, \pi^i_j)$ back to $\mathcal{A}$. (Note that $\mathcal{B}$ does not have to compute $\mathrm{Evaluate}(pk, \tau, f, \Sigma^\tau)$, since $\mathcal{A}$ can do this step on its own after it receives the signature tuple $\Sigma^\tau$.)
Attempt. At the end, the forger $\mathcal{A}$ outputs a tag $\tau \in \{0,1\}^n$, a message $\pi$, a function $f$ and a signature $\sigma$.
We say that the forger $\mathcal{A}$ wins in $\mathrm{Game}^{\text{Hom-CMA-UNF}}_{\mathcal{S}}$, if $\mathrm{Verify}(pk, \tau, \pi, \sigma, f) = 1$ and either
Type-1 forgery. $\tau \neq \tau_i$ for all queried $i$, or
Type-2 forgery. $\tau = \tau_i$ for some $i$ and $\pi \neq f(\Pi_i)$.
Definition 1.21 (Advantage in Homomorphic Signatures). We define forger $\mathcal{A}$'s advantage in $\mathrm{Game}^{\text{Hom-CMA-UNF}}_{\mathcal{S}}$ to be
$$\mathrm{Adv}^{\text{Hom-CMA-UNF}}_{\mathcal{A},\mathcal{S}} := \big|\Pr[\mathrm{Verify}(pk, \tau, \pi, \sigma, f) = 1]\big|,$$
where $\Pr[\mathrm{Verify}(pk, \tau, \pi, \sigma, f) = 1]$ is the probability for $\mathcal{A}$ to win in $\mathrm{Game}^{\text{Hom-CMA-UNF}}_{\mathcal{S}}$ (the probability is over the randomness used by the challenger and the forger).
Definition 1.22 (CMA-UNF). A homomorphic signature scheme $\mathcal{S}$ is CMA-UNF, if no probabilistic polynomial-time forger $\mathcal{A}$ wins $\mathrm{Game}^{\text{Hom-CMA-UNF}}_{\mathcal{S}}$ with non-negligible advantage (in the security parameter $n$), i.e.
2. Homomorphic Encryption Schemes
In this section we want to describe the progress that has been made on (fully) homomorphic encryption schemes. The schemes published so far can be categorised in two parts. We start by introducing the lattice-based schemes.
2.1. Lattice-Based Encryption Schemes
Though there were many (ordinary) lattice-based encryption schemes like the one of Goldreich, Goldwasser and Halevi (cf. [26]), Ajtai and Dwork (cf. [2]), the fast NTRU cryptosystem (cf. [29]), and cryptosystems based on the “learning with errors”-problem introduced by Regev (cf. [42]), the problem of a fully homomorphic encryption scheme was not solved until the breakthrough of Gentry in [20].
We will start by showing Gentry’s techniques for obtaining a fully homomorphic encryption scheme based on ideal lattices, since it is a very important foundation for the work of Gentry and others, and then present further work that improves the proposed scheme or adapts the techniques and uses them in a similar way.
Gentry’s Fully Homomorphic Scheme
Gentry’s most important steps can be described briefly as follows: After constructing an abstract and a somewhat homomorphic encryption scheme, Gentry “squashes” the decryption circuit and by “bootstrappability” obtains a fully homomorphic scheme.
Abstract Scheme. Gentry starts with a definition of an abstract scheme using rings and ideals, omitting instantiation details at first. His scheme is as follows (additional remarks appear after the description):
$\mathrm{KeyGen}(R, B_I)$. On input a ring $R$ and the basis $B_I$ of an ideal $I$, this randomised algorithm generates via $(B_J^{sk}, B_J^{pk}) \leftarrow_R \mathrm{IdealGen}(R, B_I)$ two bases for an ideal $J$ and outputs the public key $pk = (R, B_I, B_J^{pk}, \mathrm{Samp})$ and secret key $sk = (pk, B_J^{sk})$.
$\mathrm{Encrypt}(pk, \pi)$. On input a public key $pk$ and a plaintext $\pi$, this algorithm generates $\psi^* \leftarrow \mathrm{Samp}(B_I, \pi)$ and outputs $\psi := \psi^* \bmod B_J^{pk}$.
$\mathrm{Decrypt}(sk, \psi)$. On input a secret key $sk$ and a ciphertext $\psi$, this algorithm outputs $\pi := \psi \bmod B_J^{sk} \bmod B_I = \psi - B_J^{sk} \cdot \lfloor (B_J^{sk})^{-1} \cdot \psi \rceil \bmod B_I$.
$\mathrm{Evaluate}(pk, C, \Psi)$. On input a public key $pk$, a circuit $C$ with $t$ inputs (of some special set $\mathcal{C}$ of “allowed” circuits) and a set of $t$ ciphertexts $\Psi = (\psi_1, \ldots, \psi_t)$, this algorithm invokes the evaluation of the embedded additions $(\psi_i + \psi_j) \bmod B_J^{pk}$ and multiplications $(\psi_i \cdot \psi_j) \bmod B_J^{pk}$ in the circuit $C$ in the right order to obtain a ciphertext $\psi$ which it outputs.
Remarks. 1. The plaintext space is (a subset of) $R \bmod B_I$.
2. The (randomised) algorithms IdealGen and Samp remain abstract, but, roughly speaking, $\mathrm{IdealGen}(R, B_I)$ constructs a secret and public basis for an ideal $J$
3. Gentry describes how to construct $\mathcal{C}$, the set of “allowed” (or permitted) circuits, and proves that this abstract scheme is correct for $\mathcal{C}$.
Gentry also proves that this abstract scheme $\mathcal{E}$ is semantically secure if the ICP is hard:
Theorem 2.1 ([20], Theorem 5.3.1). Suppose that there is an algorithm $\mathcal{A}$ that breaks the semantic security of (the abstract scheme) $\mathcal{E}$ with advantage $\varepsilon$ when it uses Samp. Then, there is an algorithm $\mathcal{B}$, running in about the same time as $\mathcal{A}$, that solves the ICP with advantage $\varepsilon/2$.
Somewhat Homomorphic Scheme. Gentry’s “somewhat” homomorphic encryption (SHE) scheme is based on the abstract scheme and is instantiated with ideal lattices, thus becoming a semi-concrete scheme (some details remain abstract). His motivation for using ideal lattices is that they not only have an additive, but “also have a multiplicative structure that will enable us to evaluate deep arithmetic circuits (though we will need more tricks before we ultimately obtain a bootstrappable scheme)”. Bootstrappability means the scheme’s ability of homomorphically evaluating augmented decryption circuits.
Therefore, he geometrically interprets the sets of encryptable and decryptable elements as balls with some radii $r_{Enc}$ and $r_{Dec}$, and in Theorem 7.3.2 states the bound $\log\log r_{Dec} - \log\log(\gamma \cdot r_{Enc})$ on the depth of correctly evaluable circuits.
After that, Gentry proposes instantiations for the underlying ring, for the Encrypt- and Decrypt-algorithms (thus, also values for $r_{Dec}$ and $r_{Enc}$), and in Section 7.7 he states that this instantiation of the abstract scheme is semantically secure if the underlying decisional bounded distance decoding problem (DBDDP) is hard. (In his words the ICP becomes the DBDDP if instantiated with ideal lattices.)
Although this scheme is the first “concrete” one, keep in mind that some algorithms still remain abstract.
Tweaks. Before Gentry comes to his squashing technique, he applies two tweaks to the somewhat homomorphic scheme:
1. At first, he redefines the decryption equation to $\pi = \psi - \lfloor v_J^{sk} \cdot \psi \rceil \bmod B_I$ for a short vector $v_J^{sk} \in J^{-1}$. By this Gentry simplifies the equation and reduces the computational complexity (he also lowers the range of decryptable elements).
2. The second tweak is to halve the radius $r_{Dec}$ of the ball $B(r_{Dec})$ of decryptable elements. This is done for the purpose of reducing the circuit complexity of the Decrypt-algorithm, since reducing $r_{Dec}$ by half ensures vectors to be closer to $J$ and the decryption process will need less “precision”.
The second tweak in particular is slightly more complicated, since several different techniques are applied. Therefore, the decryption equation $\pi = \psi - B_J^{sk} \lfloor (B_J^{sk})^{-1} \cdot \psi \rceil \bmod B_I$ is split into and computed in three steps:
I. Generate $n$ vectors $x_1, \ldots, x_n$ with $\sum_{i=1}^{n} x_i = (B_J^{sk})^{-1} \cdot \psi$.
II. From $x_1, \ldots, x_n$ generate integer vectors $y_1, \ldots, y_{n+1}$ with $\sum_{i=1}^{n+1} y_i = \lfloor \sum_{i=1}^{n} x_i \rceil$.
III. Compute $\pi = \psi - B_J^{sk} \cdot (\sum_{i=1}^{n+1} y_i) \bmod B_I$.
It shall only be mentioned here that
• step I will be eliminated by the squashing technique (i.e. transferred to the encrypting party),
• for step II only $O(\log n)$ bits of precision for the rational vectors $x_i$ are required when using Karp’s 3-for-2 trick (cf. [31]),
• the computation of $\sum y_i$ can be “boosted” using elementary symmetric polynomials, and
• in step III the computation can be done in constant depth (using a polynomial fan-in circuit).
For further details see Section 9 in [20].
Squashing the Decrypt-Algorithm. The squashing technique is as follows: The owner of the secret key $sk$ adds a “hint” of $sk$ inside the public key $pk$ after creating the key pair, which the encrypting party then uses in its (extended) computation. Thanks to Tweak 1, the secret key consists of the vector $v_J^{sk}$ and the decryption equation is $\pi = \psi - \lfloor v_J^{sk} \cdot \psi \rceil$. Using the somewhat homomorphic scheme, one adds the following algorithms:
$\mathrm{SplitKey}(sk^*, pk')$. On input $sk^*$, which either is a secret key $sk'$ of the somewhat homomorphic scheme or the special symbol $\bot$, and a public key $pk'$ of the somewhat homomorphic scheme, this algorithm outputs the tuple $(sk, T)$ where:
1. $T$ is a set of $t$ vectors $v_1, \ldots, v_t$ uniformly random in $J^{-1} \bmod B_I$ with the constraint that there exists a subset $S \subset \{1, \ldots, t\}$ with $|S| = s$ such that $\sum_{i \in S} v_i \in v_J^{sk} + I$.
2. $sk$ is a matrix encoding which elements of $T$ are elements of $S$.
$\mathrm{ExpandCT}(pk, \psi')$. On input a public key $pk$ (which includes the set $T = (v_1, \ldots, v_t)$) and a ciphertext $\psi'$ of the somewhat homomorphic scheme, this algorithm outputs $c_i := v_i \cdot \psi' \bmod B_I$ for $i = 1, \ldots, t$.
Making use of these two new methods, the algorithms for the squashed scheme have to be slightly adjusted:
$\mathrm{KeyGen}(\lambda)$. Run the KeyGen-algorithm of the somewhat homomorphic scheme to obtain $(sk', pk')$ and run $(sk, T) \leftarrow \mathrm{SplitKey}(sk', pk')$. The secret key is $sk$, the public key $pk = (pk', T)$.
$\mathrm{Encrypt}(pk, \pi)$. Run the Encrypt-algorithm of the somewhat homomorphic scheme using $pk'$ to obtain $\psi'$, run $\mathrm{ExpandCT}(pk, \psi')$ to receive the expansion $(c_1, \ldots, c_t)$ of $\psi'$ and output $\psi = (\psi', c_1, \ldots, c_t)$.
$\mathrm{Decrypt}(sk, \psi)$. On input a secret key $sk$ and a ciphertext $\psi$ of the form $\psi = (\psi', c_1, \ldots, c_t)$, this algorithm performs the following steps:
i. Generate the vectors $x_i$ using $sk$ and the $c_i$’s.
ii. Proceed with step II, and
iii. Proceed with step III of the decryption equation like on page 14.
the somewhat homomorphic scheme to obtain $\psi'$, run ExpandCT on $\psi'$ and output $(\psi', c'_1, \ldots, c'_t)$. Analogous steps are done for Mult.
Remark. An easy way to generate $T$ would be to generate $t - 1$ uniform vectors $v_i$ in $J^{-1} \cap \mathcal{P}(B_I)$, set $v_t := v_J^{sk} - \sum_{i=1}^{s} v_i$ and permute the resulting $t$ vectors.
The security of the squashed scheme relies on the hardness of the SKDP:
Theorem 2.2 ([20], Theorem 10.1.2). Suppose that there is an algorithm $\mathcal{A}$ that breaks the semantic security of (the squashed scheme) $\mathcal{E}$ above with advantage $\varepsilon$. Then, there exist algorithms $\mathcal{B}_0$ and $\mathcal{B}_1$, running in about the same time as $\mathcal{A}$, such that either $\mathcal{B}_0$’s advantage against the SplitKey Distinguishing Problem or $\mathcal{B}_1$’s advantage against the semantic security of (the somewhat homomorphic scheme) $\mathcal{E}^*$ is at least $\varepsilon/3$.
Gentry proves the security for the abstract version of the squashed scheme, using an abstract version of the SplitKey Distinguishing Problem (as stated in Definition 1.7). The proof easily carries over to a semi-concrete version of the squashed scheme based on the concrete instantiation of the SplitKey-algorithm as defined above. This semi-concrete version can be proven secure if the SSSP is hard:
Theorem 2.3. Let $\mathcal{A}$ be an algorithm that decides the concrete version of the SKDP with advantage $\varepsilon$, and let $B_I$ and IdealGen be such that $\det(I)$ and $\det(J)$ are distinct primes and $q/\det(IJ)$ is super-polynomial (in the security parameter). Then, there is an algorithm $\mathcal{B}$, running in about the same time as $\mathcal{A}$, that decides the SSSP with advantage $\varepsilon/(4t)$ up to negligible factors.
Proof. The proof is just the combination of the proofs of Theorems 11.1.3 and 11.1.5 in [20]. There, an intermediate problem, namely the sparse vector subset sum problem, is introduced, which is needed for the reduction SSSP → SVSSP → SKDP to work. In addition, Gentry proves that the squashed scheme is secure if the search version of the SSSP is hard (Theorem 11.1.7).
Fully Homomorphic Encryption Scheme. The only question which remains unanswered up to now is: For which parameters is the proposed semi-concrete squashed scheme “bootstrappable”, or how can we choose the parameters for the SSSP to be hard while still maintaining “bootstrappability” (the ability of homomorphically evaluating augmented decryption circuits)?
Theorem 2.4 ([20], Theorem 10.3.1). The (semi-concrete) scheme $\mathcal{E}$ is bootstrappable when
$$s \cdot \log^{c_1} s \le \frac{\log(r_{Dec}/m)}{2 c_2 \cdot \log(\gamma \cdot r_{Enc})},$$
where $\log^{c_1} s$ is the polylog-term arising in Lemma 9.0.3, $m$ arises from the redefinition of $C_{\mathcal{E}}$ in the Tweaks ($m = 2$ when just Tweak 2 is used), and $c_2$ is a constant representing the depth needed in a circuit having $\mathrm{Add}_{B_I}$ gates with $\gamma = n^{\Omega(1)}$ fan-in and $\mathrm{Mult}_{B_I}$ gates
Name                   Remaining abstract                                              Instantiated (accumulative)
Abstract               Rings, ideals, ICP, encryption, decryption, key generation, …   —
Somewhat homomorphic   Key generation                                                  Ring, ideals → ideal lattices, encryption, decryption, ICP → BDDP
Squashed               Key generation, SKDP                                            –
Semi-concrete          Key generation                                                  SKDP
Fully homomorphic      —                                                               Key generation (SampleD)
Table 1: Overview of Gentry’s Schemes
After giving some optimizations to the squashed scheme, Gentry describes a concrete scheme, instantiating the remaining abstract methods: For the Sample-algorithm Gentry makes use of the SampleD-algorithm proposed by Gentry, Peikert and Vaikuntanathan in Section 3.2 (especially Theorem 3.3) in [25] which uses discrete Gaussian sampling. We call this instantiation Gentry’s Fully Homomorphic Scheme.
Gentry also proves the security of his fully homomorphic scheme, basing it on the IIMP:
Theorem 2.5 ([20], Theorem 14.3.2). Let $s_{IIMP} = G/\sqrt{2}$ where $G := \|B_I\| \cdot \omega(\sqrt{\log n})$ is the Gaussian deviation parameter in (Gentry’s fully homomorphic) encryption scheme $\mathcal{E}$, and suppose that $s_{IIMP}/\sqrt{2}$ exceeds the smoothing parameter of $I$, i.e. $\rho_{\sqrt{2}/s_{IIMP}}(I^{-1} \setminus \{0\})$ is negligible. Suppose that there is an algorithm $\mathcal{A}$ that breaks the semantic security of $\mathcal{E}$ with advantage $\varepsilon$. Then, there is an algorithm $\mathcal{B}$, running in about the same time as $\mathcal{A}$, that solves the IIMP with advantage $\varepsilon/2$ (up to negligible factors).
Finally, Gentry finishes his investigation of the security of the scheme by proposing a (quantum) reduction from SIVP to IVIP, hopping over four intermediate problems. Summarizing all results, this gives
Theorem 2.6. Suppose that
$d_{ISIVP} = (3 \cdot e)^{1/n} \cdot d_{IVIP}$,
$s_{IVIP} \le s_{HBDDP}/(n^{1.5} \cdot \|f\|)$,
$s_{HBDDP} \le 2 \cdot (s_{MIIMP} - 2n \cdot \|B_I\|)/(\gamma \cdot \sqrt{n})$,
$s_{MIIMP} \le s_{IIMP} \cdot \varepsilon/(n \cdot \max\{\|B_I\|\})$,
$s_{IIMP} \le G/\sqrt{2}$,
where $G$ is the Gaussian deviation parameter in (Gentry’s fully homomorphic) encryption scheme $\mathcal{E}$, $e$ is Euler’s constant and $s_{IVIP} > 8 \cdot \gamma \cdot n^{2.5} \cdot \omega(\sqrt{\log n})$ for all ideals with determinant at least $d_{IVIP}^n$. Also suppose that $s_{IIMP}$ exceeds the smoothing parameter of $I$, that IdealGen always outputs an ideal $J$ with $G \cdot \sqrt{n} < \lambda_1(J)$ and that $[R : I]$ is prime.
Finally, suppose that there is an algorithm $\mathcal{A}$ that breaks the semantic security of $\mathcal{E}$ with advantage $\varepsilon$. Then, there is a quantum algorithm $\mathcal{B}$ that solves $s_{ISIVP}$-SIVP for an $\varepsilon/4$ (up to negligible factors) weight fraction of bases output by IdealGen. The running time of $\mathcal{B}$ is $O([R : I] \cdot 1/\varepsilon \cdot \log d_{IVIP} \cdot \mathrm{time}(\mathcal{A}))$.
Proof. The proof for this theorem consists of using Theorems 14.3.2 (Theorem 2.5), 14.4.2, 14.5.2, 14.6.2, 19.2.4 and 19.2.3 of [20] for building the reduction chain
SIVP → ISIVP → IVIP → HBDDP → MIIMP → IIMP → $\mathcal{E}$ sem. secure
and thereby obtaining the abovementioned results.
Remarks. 1. Gentry applies a random self-reduction to obtain a worst-case/average-case connection for ideal lattices and to base the scheme’s security on the worst-case/average-case hardness of SIVP to get more confidence that the scheme is secure.
2. In Section 18 Gentry describes how to adapt Kalai’s algorithm to generate a random factored ideal and how to instantiate some (sub-)methods of the KeyGen-algorithm properly.
Suggested Parameters for Gentry’s Scheme. To provide resistance for the BDDP against lattice attacks (which run in time approx. $2^{n/s}$ for subset size $s$), the SSSP to be resistant against birthday attacks and lattice attacks (which run in time approx. $2^s$ if $t$ is chosen large enough, e.g. $t \in \Omega(\log q)$), Gentry proposes to make use of the following parameters: $s \approx \lambda$, $n \approx \lambda^2$, $\log q \approx \lambda^3$ and $t \approx \lambda^3$, where $\lambda$ is the security parameter of the scheme.
Improvements and Adaptions
This subsection is intended to give an overview of work that builds on Gentry’s constructions and improves them or adapts them in a similar way.
Specialization of Gentry
Smart and Vercauteren’s construction in [47], presented at PKC’10, adapts Gentry’s technique to build a fully homomorphic scheme from a somewhat homomorphic one. In particular, the scheme is a specialization of Gentry’s scheme.
Their somewhat homomorphic scheme has the plaintext space $\{0,1\}$, the ring $R$ in use is $\mathbb{Z}[x]/(f(x))$ with the monic and irreducible polynomial $f(x) = x^{2^n} + 1$, which minimises the expansion factor $\gamma$, the public key is a tuple $(p, a)$ consisting of the prime $p = \mathrm{res}(f, g)$ and the (unique) root $a \in \mathbb{F}_p$ of $\gcd(f, g)$ for some polynomial $g$ over $\mathbb{F}_p[x]$, and the secret
$f(x)$ and $2p$. For further details we refer the reader to [47], Section 3.1, in which it is compactly described how the polynomials and additional variables are chosen and how the algorithms of the scheme are computed.
In Section 3.2 the proposed algorithms are analysed in detail in the sense of correctness and evaluation depth $d$ of the circuits for the somewhat homomorphic scheme. Therein, Smart and Vercauteren use Gentry’s Theorem 7.3.2 to obtain a bound on $d$, but one has to be careful since Gentry’s analysis uses the 2-norm whereas Smart and Vercauteren make use of the $\infty$-norm.
For the security analysis of their scheme in Section 4 they introduce two new problems: The first problem, called Small Principal Ideal Problem (SPIP), asks to find a “small” generator for a principal ideal when given a two-element or a HNF representation. (This problem arises when one tries to recover the secret key from the public key, so-called key recovery.) They only informally argue that no efficient algorithm finds a reasonably small generator, relying on the Baby-Step/Giant-Step method and Buchmann’s sub-exponential algorithm for units and class groups, even though the SPIP is “an instance of a classical and well studied problem in algorithmic number theory”. The second problem, called Polynomial Coset Problem (PCP), is similar to Gentry’s ICP and asks one to decide whether the value of $r$ is the evaluation of a small polynomial in the root $a$ or a random value (both taken mod $p$).
Theorem 2.7 ([47], Theorem 1). Suppose there is an algorithm $\mathcal{A}$ which breaks the semantic security of our somewhat homomorphic scheme with advantage $\varepsilon$. Then there is an algorithm $\mathcal{B}$, running in about the same time as $\mathcal{A}$, which solves the PCP with advantage $\varepsilon/2$.
They also informally argue that recovering a plaintext from a given ciphertext would be an instance of the CVP. They are unable to apply a worst-case/average-case reduction to their scheme, but state that the underlying lattice problem is well-studied.
The encryption of a single bit with the established somewhat homomorphic scheme is then extended to a larger message space. The authors are able to encrypt and decrypt polynomials up to degree $2^n - 1$. Roughly speaking, they expand the secret key to be a vector of coefficients $b_i$ rather than a single coefficient $b$. For details on this extension see Section 6 of [47].
The paper ends with implementation results, which show that the scheme of Smart and Vercauteren in [47] cannot be made fully homomorphic for practical values of $n$. Furthermore it should be mentioned that their KeyGen-method has a disadvantage concerning time complexity, since the constraint “until $p$ is prime” is very strict and entails a high number of iterations until it is satisfied.
So we see that although Smart and Vercauteren’s scheme is a specialization of Gentry’s scheme and they obtain “relatively” small key and ciphertext sizes, there also are disadvantages in the practicality of this scheme.
Implementing Gentry’s Scheme
Presented at EUROCRYPT’11, Gentry and Halevi describe in [24] a working implementation of (a variant of) Gentry’s fully homomorphic scheme which is similar to that of Smart and Vercauteren [47]. Their main result is an optimised KeyGen-algorithm for the underlying somewhat homomorphic scheme, but they also implemented other optimizations.
The scheme of Gentry and Halevi, in comparison to the one of Smart and Vercauteren, also uses a principal ideal $J = (v)$ in the ring $R = \mathbb{Z}[x]/(f(x))$ with $f(x) = x^{2^k} + 1$ of degree $n = 2^k$. The difference is that the condition “until $p$ is prime” of the Smart-Vercauteren scheme is not required.
The optimizations for the somewhat homomorphic scheme are:
• The KeyGen-algorithm on input $n$ and a precision $P$ computes the following steps:
1. For $i = 0, \ldots, n-1$ randomly choose $v_i$ as (signed) integer of precision $P$ and set $v = (v_0, \ldots, v_{n-1})$.
2. Compute the inverse $w$ of $v$ with $v \cdot w = p \bmod f(x)$.
3. Check that $v$ is a “good” polynomial.
Step 3 requires the HNF of the ideal lattice $J$ to be of the form
$$B^{pk} := \begin{pmatrix} p & -r_1 & -r_2 & -r_3 & \cdots & -r_{n-1} \\ 0 & & & & & \\ \vdots & & & I_{n-1} & & \\ 0 & & & & & \end{pmatrix}, \qquad (1)$$
where $p = \det(J) = \mathrm{res}(v, f)$, $r$ is a root of $f(x)$ modulo $p$, $r_i := r^i \bmod p$ and $I_{n-1}$ denotes the $(n-1)$-dimensional identity matrix. This condition is equivalent to the fact that the lattice spanned by the rotation basis of $v$ contains a vector of the form $(-r, 1, 0, \ldots, 0)^T$ (proven in Lemma 1 of [24]), which in turn is equivalent to the simpler condition $r^n = -1 \bmod p$. Thus, we can use the two integers $p, r$ to represent the public key (Remark 1 in [24]).
• The secret key usually would consist of $(v, w)$ where $w$ is $v$’s inverse polynomial, and for the computation of $w$ one usually applies the extended Euclidean algorithm to $v, f$. In Section 4, the authors present a more efficient way to compute $w$ (they obtain the relation $w_{i+1} = w_i \cdot r \bmod p$ for the coefficients of $w$) and in Section 6 they show that only a single, odd coefficient $w_i$ has to be stored as the secret key (since decryption can be optimised to $\pi = \psi \cdot w_i \bmod p \bmod 2$ with $\psi$ being an integer, see next item).
• For the encryption of a bit $\pi \in \{0,1\}$ they show that the computation of the ciphertext can be simplified from the vector $\psi = (\pi + 2u) \bmod B^{pk}$ to the integer $\psi = (\pi + 2 \sum_{i=0}^{n-1} u_i r^i) \bmod p$, where $u_i = 0$ with probability $q$ (…) for $i = 0, \ldots, n-1$ and $u = (u_0, \ldots, u_{n-1})$. Thus, the expensive part of the computation of $\psi$ is the evaluation of the “noise polynomial” $u(x)$ in $r$. With a recursive evaluation approach, which consists of splitting the polynomial into two halves, evaluating these two halves and combining the results, they obtain a bound of $\sqrt{2n}$ multiplications rather than $n-1$ when using Horner’s rule. (Note that one has to have enough memory to keep intermediate computations when using this “batch technique”.)
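To make the integer form of the Gentry-Halevi keys and ciphertexts concrete, the following is an added toy implementation written for this overview; it is not code from [24] or from the thesis. It assumes a tiny ring dimension $N = 8$, 20-bit key coefficients and a noise distribution with $u_i \in \{0, \pm 1\}$ (the probability of $u_i = 0$ stands in for the parameter $q$); the resultant $p$ and the inverse polynomial $w = p \cdot v^{-1}$ are computed by exact rational elimination over the rotation basis rather than by the optimised methods of [24], and $r$ is recovered from the ratio of two consecutive coefficients of $w$ in the direction that satisfies the two public-key checks under this code’s coefficient ordering (the direction of that recurrence depends on the ordering). The block walks through sampling $v$, computing $p$ and $w$, checking the “good polynomial” condition $r^N \equiv -1$ and $v(r) \equiv 0 \pmod p$, encrypting a bit as $\psi = (\pi + 2u(r)) \bmod p$, decrypting from a single odd coefficient $w_i$, and finally checking that ciphertext addition and multiplication modulo $p$ act as XOR and AND on the encrypted bits.

```python
from fractions import Fraction
from math import gcd
import random

N = 8  # ring Z[x]/(x^N + 1); N = 8 is a toy dimension chosen here (assumption)

def poly_mulmod(a, b):
    """Product of two coefficient lists in Z[x]/(x^N + 1), using x^N = -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return out

def poly_eval(coeffs, r, p):
    """Horner evaluation of a coefficient list at r modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * r + c) % p
    return acc

def rotation_basis(v):
    """Matrix with column j = coefficients of x^j * v, i.e. multiplication by v;
    its determinant is res(v, x^N + 1) up to sign."""
    cols, cur = [], list(v)
    for _ in range(N):
        cols.append(cur)
        cur = poly_mulmod(cur, [0, 1] + [0] * (N - 2))   # multiply by x
    return [[cols[j][i] for j in range(N)] for i in range(N)]

def det_and_solve(M, rhs):
    """Exact Gauss-Jordan elimination over Q: returns (det M, M^-1 * rhs)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(rhs[i])] for i, row in enumerate(M)]
    det = Fraction(1)
    for c in range(n):
        piv = next((k for k in range(c, n) if A[k][c] != 0), None)
        if piv is None:
            return Fraction(0), None
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            det = -det
        pivot = A[c][c]
        det *= pivot
        A[c] = [x / pivot for x in A[c]]
        for k in range(n):
            if k != c and A[k][c] != 0:
                factor = A[k][c]
                A[k] = [x - factor * y for x, y in zip(A[k], A[c])]
    return det, [row[n] for row in A]

def keygen(rng, bits=20):
    """Sample v until it is a "good" polynomial: p odd and an r with v(r) = 0
    and r^N = -1 (mod p). Returns pk = (p, r) and sk = (i, w_i), one odd
    coefficient of w = p * v^-1 together with its index."""
    while True:
        v = [rng.randrange(-2 ** bits, 2 ** bits) for _ in range(N)]
        det, v_inv = det_and_solve(rotation_basis(v), [1] + [0] * (N - 1))
        if det == 0:
            continue
        p = abs(int(det))                 # p = det(J) = |res(v, x^N + 1)|
        w = [int(c * p) for c in v_inv]   # w = p * v^-1 has integer entries
        assert poly_mulmod(v, w) == [p] + [0] * (N - 1)   # v * w = p mod f(x)
        if p % 2 == 0 or gcd(w[1], p) != 1:
            continue
        # r from the ratio of consecutive coefficients of w; assumption: the
        # ratio direction is the one matching the checks below in this ordering
        r = w[0] * pow(w[1], -1, p) % p
        if pow(r, N, p) != p - 1 or poly_eval(v, r, p) != 0:
            continue                      # HNF not of the form (1): reject v
        i = next(k for k, wk in enumerate(w) if wk % 2 == 1)
        return (p, r), (i, w[i] % p)

def encrypt(pk, bit, rng, zero_prob=0.5):
    """psi = (bit + 2 * u(r)) mod p; noise u_i is 0 with probability zero_prob
    (stand-in for the parameter q of the text), otherwise +1 or -1."""
    p, r = pk
    u = [0 if rng.random() < zero_prob else rng.choice((-1, 1)) for _ in range(N)]
    return (bit + 2 * poly_eval(u, r, p)) % p

def decrypt(pk, sk, psi):
    """pi = [psi * w_i]_p mod 2: centre psi * w_i into (-p/2, p/2], take parity."""
    p, w_i = pk[0], sk[1]
    t = psi * w_i % p
    return (t - p if t > p // 2 else t) % 2

def roundtrip(seed=1):
    """Encrypt every bit pair; check the fresh ciphertexts, their sum (XOR) and
    their product (AND) modulo p all decrypt correctly."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    p = pk[0]
    for b1 in (0, 1):
        for b2 in (0, 1):
            c1, c2 = encrypt(pk, b1, rng), encrypt(pk, b2, rng)
            if decrypt(pk, sk, c1) != b1 or decrypt(pk, sk, c2) != b2:
                return False
            if decrypt(pk, sk, (c1 + c2) % p) != b1 ^ b2:   # homomorphic Add
                return False
            if decrypt(pk, sk, c1 * c2 % p) != b1 & b2:     # homomorphic Mult
                return False
    return True
```

Decryption works because $\psi \cdot w \equiv a \cdot w \pmod{p, f}$ for the noise polynomial $a = \pi + 2u$, and the $i$-th coefficient of $a \cdot w$ is $\pi w_i + 2(\cdot)$, whose parity is $\pi$ exactly when $w_i$ is odd; the centring step is what requires the coefficients of $a \cdot w$ to stay below $p/2$, which is the decryption radius that limits the circuit depth. The parameters here are chosen only so that the computation is instant; they are far below anything meaningful for security.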
For obtaining a fully homomorphic scheme, the authors “squash” the somewhat homomorphic scheme by blowing up the public key to contain $s$ sets $T_1, \ldots, T_s$ of $t$ integers, the secret key being $s$ vectors $\sigma_i$, each of Hamming weight 1.
In Section 9 they give optimizations addressing this disadvantage (the large public key): Each set $T_i$ is defined to be a geometric progression in $\mathbb{Z}_p$, namely there exists an element $x_i$ such that the $j$-th element in $T_i$ is $x(i, j) := x_i R^j \bmod p$ for $j = 0, \ldots, t-1$ and $R$ is some parameter (see [24], bottom of Section 10.2). So, we keep only the elements $x_1, \ldots, x_s$ in the public key. The (secret) sparse subset still contains a single element of each $T_i$, i.e. for each $i$ there exists an index $j_i$ such that $\sum_{i=1}^{s} x(i, j_i) = w \bmod p$ for the secret key $w$. Further optimizations are made for the encryption of the secret key.
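The squashed key in its Section 9 form can be modelled with plain modular arithmetic. The following added Python example (not code from [24] or the thesis) assumes a constructed prime modulus $p$, a random stand-in for the secret $w \in \mathbb{Z}_p$, and ciphertexts $\psi$ built so that $[\psi \cdot w]_p$ is a known small integer of the form $\pi + 2 \cdot \text{noise}$. It shows the three steps in the text: SplitKey hiding $w$ as one element of each of $s$ geometric progressions $x_i R^j$, ExpandCT multiplying $\psi$ into every progression element, and a decryption that only selects one element per set (the Hamming-weight-1 vectors $\sigma_i$) and takes the parity of the centred sum. It also illustrates the abstract SplitKey/ExpandCT description of Gentry’s squashed scheme earlier in this section, with the vectors in $J^{-1}$ replaced by integers modulo $p$.

```python
import random

def split_key(w, p, s, t, R, rng):
    """SplitKey in the Section 9 form: hide w as one element of each of s
    geometric progressions T_i = {x_i * R^j mod p : 0 <= j < t}. Returns the
    public part (x_1, ..., x_s) and the secret indices (j_1, ..., j_s) with
    sum_i x_i * R^(j_i) = w (mod p). Construction (assumption): x_1..x_{s-1}
    and all indices are uniform, x_s is solved for; requires gcd(R, p) = 1."""
    js = [rng.randrange(t) for _ in range(s)]
    xs = [rng.randrange(1, p) for _ in range(s - 1)]
    partial = sum(x * pow(R, j, p) for x, j in zip(xs, js)) % p
    # x_s * R^(j_s) = w - partial  =>  x_s = (w - partial) * R^(-j_s) mod p
    x_last = (w - partial) * pow(R, -js[-1], p) % p
    return xs + [x_last], js

def recombine(xs, js, p, R):
    """The sparse subset sum sum_i x(i, j_i) mod p, which must equal w."""
    return sum(x * pow(R, j, p) for x, j in zip(xs, js)) % p

def expand_ct(psi, xs, p, R, t):
    """ExpandCT: c_{i,j} = psi * x(i, j) mod p for every element of every T_i."""
    return [[psi * x * pow(R, j, p) % p for j in range(t)] for x in xs]

def squashed_decrypt(expanded, js, p):
    """Pick one c_{i,j_i} per set (the Hamming-weight-1 vectors sigma_i), sum,
    centre modulo p and take the parity: this is [psi * w]_p mod 2."""
    total = sum(row[j] for row, j in zip(expanded, js)) % p
    return (total - p if total > p // 2 else total) % 2

def demo(seed=0, s=5, t=16, R=3, p=1000003):
    """Constructed instance: p is a small prime, w a random stand-in for the
    secret key, and each psi is chosen so that [psi * w]_p = a is a known
    small integer a = pi + 2 * noise. Returns (sparse subset sums to w,
    decrypted bits for pi = 0 and pi = 1)."""
    rng = random.Random(seed)
    w = rng.randrange(1, p)
    xs, js = split_key(w, p, s, t, R, rng)
    bits = []
    for pi in (0, 1):
        a = pi + 2 * rng.randrange(-50, 51)
        psi = a * pow(w, -1, p) % p
        bits.append(squashed_decrypt(expand_ct(psi, xs, p, R, t), js, p))
    return recombine(xs, js, p, R) == w, bits
```

The public key carries only $x_1, \ldots, x_s$ and $R$, yet the decrypting party still needs just $s$ indices and $s$ additions; everything expensive (the $s \cdot t$ products) has been pushed into ExpandCT on the encrypting side, which is the whole purpose of squashing.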
In Section 10 Gentry and Halevi show how they set the parameters for the (challenges of their implemented) scheme appropriately and they end with an analysis of the performance of their scheme on the proposed challenges.
Improving Gentry’s KeyGen-Algorithm
Ogura et al. in [39] propose a practical variant for the KeyGen-algorithm for Gentry’s fully homomorphic scheme, which appeared at IWSEC’10.
They establish a relationship between the circuit depth $d$ of the scheme and the eigenvalues of the basis of a lattice in Theorem 2 and determine in Theorem 3 how the eigenvalues for a rotation basis can be computed.
In Section 4 they propose two KeyGen-algorithms (in Table 1 and Table 3) that on input $d$ output the secret and public bases $(B^{sk}, B^{pk})$ of a lattice (corresponding to the ideal lattice $J$ in Gentry’s scheme). Since their construction is very technical, we will omit it here and refer the reader to [39].
At last, they show experimental results for their algorithm when using $f(x) = x^n - 1$ and state that their algorithm(s) could be used in the papers/schemes of Smart and Vercauteren [47] or Stehlé and Steinfeld [49].
Future work would be to obtain a KeyGen-algorithm that is more general in the generation of the keys as well as to further investigate the security of this method (for specific lattices).
Improving Hardness Assumption and Decrypt-Algorithm
In their paper [49] of EUROCRYPT’10, Stehlé and Steinfeld describe two improvements to Gentry’s scheme: They more aggressively analyse the hardness assumption (related to the SSSP) and introduce a probabilistic decryption algorithm which needs a less complex decryption circuit than Gentry’s.
The first improvement is about the reduction of the sparse vector subset sum problem (SVSSP), which can be seen as a “vector variant” of the SSSP, to the SplitKey Distinguishing Problem, being one part of the reduction in Theorem 2.3.
Stehlé and Steinfeld choose $I = (2)$ and $B_J^{pk}$ to be the HNF of $J$. Their analysis differs from Gentry’s by utilizing an approximate SVP solver rather than an exact one for attacking the SVSSP using a different lattice reduction method. Setting the parameters correctly to thwart this attack, they obtain a new bound on the size of the subset sum, i.e. $t^2/\lambda = \Omega(\log q)$, which in their words is “less restrictive” than Gentry’s $t = \Omega(\log q)$. For the second improvement they allow the decryption method to make errors with negligible probability, whereas Gentry strictly forbids errors. Therefore, they specify a sufficient precision on the $c_i$’s in the ciphertext $\psi = (\psi', c_1, \ldots, c_t)$ for decryption to work with high probability. Let $\varepsilon_k$ denote the difference between the approximated $c_i$’s and their originals, $c_1, \ldots, c_{s-1}, c_t$ be the (left-shifted) $c_i$’s corresponding to 1’s of the secret key $sk$ (the set $T$ is created as remarked on page 16), $E[\cdot]$ denote the mean and $p = 12s + \omega(\log\log\lambda)$ denote the precision; then we have the following.
Lemma 2.8 ([49], Lemma 5.1). Let $\varepsilon_1, \ldots, \varepsilon_{s-1} \in \mathbb{R}$ be independently identically distributed variables with values in $[-2^{-p}, 2^{-p}]$ and such that $E[\varepsilon_k] = 0$ for all $k$ ($< s$). Then $\sum_{k \le s-1} \varepsilon_k > \sqrt{s-1} \cdot 2^{-p} \cdot \omega(\sqrt{\log\lambda})$ with probability negligibly small with respect to $\lambda$.
In Figure 4 they give the computation of the $p$-approximation of the $c_i$’s and show it to be correct. Like Gentry, the authors use Hamming weights inside the decryption method, but they state that only $\lceil \log_2 s \rceil$ instead of all bits are needed. Overall, their investigation leads to a new bound on the “bootstrappability” of their squashed scheme SqHom (which makes use of both Tweaks and another optimization of Gentry):
Theorem 2.9 ([49], Theorem 5.1). The scheme SqHom is bootstrappable as long as
$$\sqrt{s} \cdot \omega(\sqrt{\log\lambda}) \le \frac{\log(r_{Dec}/m)}{\log(r_{Enc} \cdot \gamma \cdot s)}$$
(where $m = 8 \cdot \sqrt{2} \cdot n^{2.5}$ since both Tweaks are used).
Finally, Stehlé and Steinfeld present their choice of parameters, i.e. $s = \Theta(\lambda)$, $n = \Theta(\lambda^{1.5})$, $\log q = \Theta(\lambda^2)$ and $t = \Theta(\lambda^{1.5})$, which is smaller compared to Gentry’s choice (see page 18). Also, the complexity of the re-encryption (and evaluation) process is lowered from $O(\lambda^6)$ to $O(\lambda^{3.5})$ and the size of the secret key is reduced from $O(\lambda^{3.5})$ to $O(\lambda^{1.5})$.
Fully Homomorphic SIMD Operations
In their first paper [47] on this topic (available on the ePrint), Smart and Vercauteren mentioned that SIMD (single instruction, multiple data) style operations on data could be supported by their scheme. The improvement of their slow KeyGen-algorithm by Gentry and Halevi [24] seems to exclude these operations when using the proposed parameters. In [48], Smart and Vercauteren show how to select parameters for Gentry and Halevi’s implementation that re-enable SIMD operations for the somewhat homomorphic scheme, how to construct a fully homomorphic scheme when performing re-encryptions in parallel and in which way SIMD operations can be useful in practice.
For the KeyGen-algorithm, the authors make use of the one proposed by Gentry and Halevi, but they suggest not to use $R = \mathbb{Z}[x]/(f(x))$ with $f(x) = x^{2^n} + 1$, but to choose the polynomial as $f(x) := \Phi_m(x)$ of degree $N = \varphi(m)$ instead, where $\Phi_m(x)$ denotes the $m$-th cyclotomic polynomial and $\varphi$ denotes Euler’s totient function. (With this particular choice one gets that $R$ is isomorphic to a product of $r$ finite fields of degree $p := N/r$.) After the generator $v$ for $J = (v)$ is chosen, Smart and Vercauteren make heavy use of fast Fourier transform (e.g. the algorithms of Cooley-Tukey, Good-Thomas, Rader) in the computation of $v$’s inverse and hence obtain (nearly) the same complexity for the KeyGen-algorithm as when using $f(x) = x^{2^n} + 1$ (the implied constants are only slightly greater). Having again a closed expression for the coefficients of the secret key, the size of the secret key can be reduced to a single integer like in [24].
In Section 5 (and especially in Algorithm 4), the authors show how to perform the re-encryption operation in parallel. Therein, the above construction ofRbeing isomorphic to a product of finite fields is used.
Experimental results of the scheme using this parallel re-encryption method (Option 3) and the bitwise fully homomorphic encryption scheme (Option 1) can be found in a table at the bottom of Section 6. The main point is that the parallel version is more than 2.4 times faster than the standard FHE scheme and, in addition, the ciphertext size is reduced by a factor 1/72.
As a possible real-life application of their scheme, Smart and Vercauteren mention searching in an encrypted database on a remote server, which is analysed in detail in Section 7.3.
Self-loop-based Specialization I
In [14] (ePrint), Gu uses a small modification of the somewhat homomorphic scheme presented by Smart and Vercauteren in [47] and turns it into a fully homomorphic scheme by using a self-loop-based approach.
The modification consists of the choice of the secret key, which is re-chosen when its binary representation has Hamming weight above some bound $b$. A constraint on this bound is $b \le s$, where $s$ is the size of the subset $S$ of the SSSP.
Encrypting the bits of the binary representation of the secret key (for some fixed precision) using the somewhat homomorphic encryption scheme, these encryptions are then added to the public key and hence a fully homomorphic encryption scheme is obtained. Note that no SSSP-instance is introduced here for the construction of the FHE scheme. In addition, a re-encryption method is depicted and proven to be correct (Theorem 3.1). Besides all this, Gu does not prove his scheme to be secure if the polynomial coset problem is hard, although he states this to be true. One can obviously apply [47], Theorem 1, to Gu’s somewhat homomorphic scheme, but this does not prove his fully homomorphic scheme to be semantically secure. Furthermore, the author does not discuss the evaluative capacity of his scheme.
Self-loop-based Specialization II
Gu also proposes another way to obtain a fully homomorphic encryption scheme. In [12] (ePrint), he bases the security of his scheme on a new problem which is called Decisional Hidden Principal Ideal (lattice polynomial) Problem (DHPIP), being an analogue to the AGCDP in lattices or polynomial rings, respectively.
His somewhat homomorphic construction is based on the ring $R = \mathbb{Z}_p[x]/(x^n - 1)$, uses as secret key a (specially chosen) polynomial $s$ and as public key the tuple $(\lambda, p, (b_1, \ldots, b_\tau))$, where $\lambda$ is the security parameter, $p$ the determinant of the (ideal) lattice $(s)$, $\tau = O(\lambda)$ and $b_i$ is a polynomial chosen from the distribution
$\mathrm{Dist}_\lambda(f) := \{\text{choose } a_i, e_i \in_R R, \|e_i\|_\infty \le \lambda/2, \text{ output } b_i = a_i \cdot f + e_i\}$,
where $f$ fulfills $s \cdot f = 0 \bmod (x^n - 1) \bmod p$ and $\gcd(f, 2) = 1$.
Encryption, Decryption and Evaluation are performed similarly to the scheme of van Dijk et al. below (cf. next subsection, in particular “Fully Homomorphic Encryption over the Integers”).
Gu proves that his KeyGen-algorithm has a polynomial time complexity, that decryption works if the error term is below some bound, and that the proposed somewhat homomorphic scheme is correct for circuits up to depth $\lfloor (1 + \varepsilon_1) \cdot \log_2 \lambda \rfloor$, where $\varepsilon_1 \in (0, \varepsilon)$ is some real depending on the constant $\varepsilon > 0$ of the polynomials.
For the fully homomorphic scheme, Gu uses his technique of a “self-loop”, i.e. he encrypts the coefficients of the secret key (polynomial) using his somewhat homomorphic scheme and puts them into the public key. He also introduces a re-encryption procedure for his FHE scheme, and proves its security:
Theorem 2.10 ([12], Theorem 5.2). Suppose there is an algorithm $\mathcal{A}$ which breaks the semantic security of our SHE with advantage $\varepsilon$. Then there is a distinguishing algorithm $\mathcal{D}$ against DHPIP running in about the same time as $\mathcal{A}$ with advantage at least $\varepsilon/2$.
In addition, Gu shows that there is a probabilistic polynomial time reduction from Ring-LWE (learning with errors) to DHPIP.
Altogether, the size of the public key is $O(n^{3+\varepsilon})$, of the secret key $O(\lambda^{1+\varepsilon})$ and of the re-encryption (and evaluation) process $O(\lambda^{4+\varepsilon} \log^2 \lambda)$. Hence, Gu obtains values for his scheme relatively close to those of Stehlé and Steinfeld, see 2.1 on page 22.
Giving some practical parameters, changing the modulus from $x^n - 1$ to $x^n + 1$, extending the scheme to a larger message space and raising open problems finishes the paper.
2.2. Integer-Arithmetic Encryption Schemes
Besides all these lattice-based schemes, some effort has been made to accomplish fully homomorphic encryption using only integer arithmetic.