Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits

Craig Gentry, S. Halevi
{"title":"Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits","authors":"Craig Gentry, S. Halevi","doi":"10.1109/FOCS.2011.94","DOIUrl":null,"url":null,"abstract":"All previously known fully homomorphic encryption (FHE) schemes use Gentry's blueprint:* SWHE: Construct a somewhat homomorphic encryption (SWHE) scheme -- roughly, an encryption scheme that can homomorphically evaluate polynomials up to some degree.* Squash: ``Squash\" the decryption function of the SWHE scheme, so that the scheme can evaluate functions twice as complex (in terms of polynomial degree) than its own decryption function. Do this by adding a ``hint \" to the SHWE public key -- namely, a large set of vectors that has a secret sparse subset that sums to the original secret key.* Bootstrap: Given a SWHE scheme that can evaluate functions twice as complex as its decryption function, apply Gentry's transformation to get a ``leveled\" FHE scheme. To get ``pure\" (non-leveled) FHE, one assumes circular security. Here, we describe a new blueprint for FHE. We show how to eliminate the squashing step, and thereby eliminate the need to assume that the sparse subset sum problem (SSSP) is hard, as all previous leveled FHE schemes have done. Using our new blueprint, we obtain the following results:* A ``simple\" leveled FHE scheme where we replace SSSP with Decision Diffie-Hellman!* The first leveled FHE scheme based entirely on worst-case hardness}. Specifically, we give a leveled FHE scheme with security based on the shortest independent vector problem over ideal lattices (ideal-SIVP).* Some efficiency improvements for FHE.} While the new blueprint does not yet improve computational efficiency, it reduces cipher text length. As in the previous blueprint, we obtain pure FHE by assuming circular security. Our main technique is to express the decryption function of SWHE schemes as a depth-3 ($\\sum \\prod \\sum$) arithmetic circuit. When we evaluate this decryption function homomorphically, we temporarily switch to a multiplicatively homomorphic encryption (MHE) scheme, such as Elgamal, to handle the $\\prod$ part, after which we translate the result from the MHE scheme back to the SWHE scheme by evaluating the MHE scheme's decryption function within the SWHE scheme. The SWHE scheme only needs to be able to evaluate the MHE scheme's decryption function (plus minor operations), and does not need to have the self-referential property of being able to evaluate its {\\em own} decryption function, a property that necessitated squashing in the original blueprint.","PeriodicalId":326048,"journal":{"name":"2011 IEEE 52nd Annual Symposium on Foundations of Computer Science","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"219","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE 52nd Annual Symposium on Foundations of Computer Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/FOCS.2011.94","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 219

Abstract

All previously known fully homomorphic encryption (FHE) schemes use Gentry's blueprint:* SWHE: Construct a somewhat homomorphic encryption (SWHE) scheme -- roughly, an encryption scheme that can homomorphically evaluate polynomials up to some degree.* Squash: ``Squash" the decryption function of the SWHE scheme, so that the scheme can evaluate functions twice as complex (in terms of polynomial degree) than its own decryption function. Do this by adding a ``hint " to the SHWE public key -- namely, a large set of vectors that has a secret sparse subset that sums to the original secret key.* Bootstrap: Given a SWHE scheme that can evaluate functions twice as complex as its decryption function, apply Gentry's transformation to get a ``leveled" FHE scheme. To get ``pure" (non-leveled) FHE, one assumes circular security. Here, we describe a new blueprint for FHE. We show how to eliminate the squashing step, and thereby eliminate the need to assume that the sparse subset sum problem (SSSP) is hard, as all previous leveled FHE schemes have done. Using our new blueprint, we obtain the following results:* A ``simple" leveled FHE scheme where we replace SSSP with Decision Diffie-Hellman!* The first leveled FHE scheme based entirely on worst-case hardness}. Specifically, we give a leveled FHE scheme with security based on the shortest independent vector problem over ideal lattices (ideal-SIVP).* Some efficiency improvements for FHE.} While the new blueprint does not yet improve computational efficiency, it reduces cipher text length. As in the previous blueprint, we obtain pure FHE by assuming circular security. Our main technique is to express the decryption function of SWHE schemes as a depth-3 ($\sum \prod \sum$) arithmetic circuit. When we evaluate this decryption function homomorphically, we temporarily switch to a multiplicatively homomorphic encryption (MHE) scheme, such as Elgamal, to handle the $\prod$ part, after which we translate the result from the MHE scheme back to the SWHE scheme by evaluating the MHE scheme's decryption function within the SWHE scheme. The SWHE scheme only needs to be able to evaluate the MHE scheme's decryption function (plus minor operations), and does not need to have the self-referential property of being able to evaluate its {\em own} decryption function, a property that necessitated squashing in the original blueprint.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
使用深度-3算术电路的不压缩全同态加密
所有已知的完全同态加密(FHE)方案都使用Gentry的蓝图:* SWHE:构造一个有点同态的加密(SWHE)方案——粗略地说,一个可以在某种程度上同态计算多项式的加密方案。* Squash:将SWHE方案的解密函数“Squash”,使该方案的求值函数的复杂度(就多项式度而言)是其自身解密函数的两倍。为此,可以向SHWE公钥添加一个“提示”——也就是说,一个大的向量集,它具有一个秘密稀疏子集,其和等于原始秘密密钥。* Bootstrap:给定一个SWHE方案,其计算函数的复杂度是其解密函数的两倍,应用Gentry的变换得到一个“水平”的FHE方案。要获得“纯”(非分级)FHE,需要假定循环安全性。在这里,我们描述了FHE的新蓝图。我们展示了如何消除压缩步骤,从而消除了假设稀疏子集和问题(SSSP)很难的需要,就像以前所有级别的FHE方案所做的那样。使用我们的新蓝图,我们得到了以下结果:*一个“简单”的分层FHE方案,我们用Decision Diffie-Hellman取代SSSP !*一级FHE方案完全基于最坏情况硬度}。具体来说,我们给出了一种基于理想格上最短独立向量问题(ideal- sivp)的具有安全性的分层FHE方案。* FHE的一些效率改进。虽然新的蓝图还没有提高计算效率,但它减少了密文的长度。与前面的蓝图一样,我们通过假设循环安全性来获得纯FHE。我们的主要技术是将SWHE方案的解密功能表示为深度3 ($\sum \prod \sum$)算术电路。当我们对这个解密函数进行同态计算时,我们暂时切换到乘法同态加密(MHE)方案,如Elgamal,来处理$\prod$部分,之后我们通过在SWHE方案中计算MHE方案的解密函数,将结果从MHE方案转换回SWHE方案。SWHE方案只需要能够计算MHE方案的解密函数(加上较小的操作),而不需要具有能够计算其{\em自己}的解密函数的自引用属性,这种属性需要在原始蓝图中进行压缩。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
A Randomized Rounding Approach to the Traveling Salesman Problem Welfare and Profit Maximization with Production Costs Which Networks are Least Susceptible to Cascading Failures? Computing Blindfolded: New Developments in Fully Homomorphic Encryption The 1D Area Law and the Complexity of Quantum States: A Combinatorial Approach
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1