## AI helps you reading Science

## AI Insight

AI extracts a summary of this paper

Weibo:

# Implementing Gentry's fully-homomorphic encryption scheme

IACR Cryptology ePrint Archive, (2011): 129-148

EI

Keywords

Abstract

We describe a working implementation of a variant of Gentry's fully homomorphic encryption scheme (STOC 2009), similar to the variant used in an earlier implementation effort by Smart and Vercauteren (PKC 2010). Smart and Vercauteren implemented the underlying "somewhat homomorphic" scheme, but were not able to implement the bootstrapping...More

Code:

Data:

Introduction

- Encryption schemes that support operations on encrypted data have a very wide range of applications in cryptography.
- Smart and Vercauteren estimated that the squashed decryption polynomial will have degree of a few hundreds, and that to support this procedure with their parameters they need to use lattices of dimension at least n = 227(≈ 1.3 × 108), which is well beyond the capabilities of the key-generation procedure.

Highlights

- Encryption schemes that support operations on encrypted data have a very wide range of applications in cryptography. This concept was introduced by Rivest et al shortly after the discovery of public key cryptography [12], and many known public-key cryptosystems support either addition or multiplication of encrypted data
- Smart and Vercauteren estimated that the squashed decryption polynomial will have degree of a few hundreds, and that to support this procedure with their parameters they need to use lattices of dimension at least n = 227(≈ 1.3 × 108), which is well beyond the capabilities of the key-generation procedure
- In Lemma 1 below we prove that the HNF of the lattice L(V ) has the right form if and only if the lattice contains a vector of the form −r, 1, 0, . . . , 0
- As addition is much faster than multiplication, the dominant term in the running time will be the computation of the powers of x, which we only need to do once for all the polynomials
- We show that the encrypted bit b can be recovered by a significantly cheaper procedure: Recall that the ciphertext vector c is decrypted to the bit b when the distance from c to the nearest vector in the lattice L(V ) is of the form a = 2u + be1, and all the entries in a × W are less than d/2 in absolute value

Results

- For an encoded bit m ∈ {0, 1}n the authors set e = 2r+m for a random small vector r, and output the ciphertext c ← e mod Bpk. The secret key in Gentry’s scheme is just a short vector w ∈ J−1.
- Smart and Vercauteren describe a decryption procedure that uses a single integer w as the secret key, setting m ← (c − cw/d ) mod 2.
- The authors adopt the Smart-Vercauteren approach [13], in that the authors use principalideal lattices in the ring of polynomials modulo fn(x) d=ef xn +1 with n a power of two.
- The Hermite normal form of the matrix V from Equation (2) is equal to the identity matrix in all but the leftmost column, if and only if the lattice spanned by the rows of V contains a vector of the form r = −r, 1, 0 .
- As addition is much faster than multiplication, the dominant term in the running time will be the computation of the powers of x, which the authors only need to do once for all the polynomials.
- Let them denote by M (k, n) the number of multiplications that it takes to evaluate k polynomials of degree (n − 1).
- The authors note that increasing the noise will have only moderate effect on the performance numbers of the fully-homomorphic scheme, for example using 30 nonzero entries is likely to increase the size of the key by only about 5-10%.

Conclusion

- The authors show that the encrypted bit b can be recovered by a significantly cheaper procedure: Recall that the ciphertext vector c is decrypted to the bit b when the distance from c to the nearest vector in the lattice L(V ) is of the form a = 2u + be1, and all the entries in a × W are less than d/2 in absolute value.
- In these experiments the authors generated key pairs for parameters n and t, and for each key pair the authors encrypted many bits, evaluated on the ciphertexts many elementary symmetric polynomials of various degrees and number of variables, decrypted the results, and checked whether or not the authors got back the same polynomials in the plaintext bits.

Reference

- Avanzi, R.M.: Fast evaluation of polynomials with small coefficients modulo an integer. Web document (2005), http://caccioppoli.mac.rub.de/website/papers/trick.pdf
- Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
- Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009, pp. 169–178. ACM, New York (2009)
- Gentry, C.: Toward basing fully homomorphic encryption on worst-case hardness. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010)
- Gentry, C., Halevi, S.: Implementing gentry’s fully-homomorphic encryption scheme. Cryptology ePrint Archive, Report 2010/520 (2010), http://eprint.iacr.org/
- Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)
- Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23.
- Micciancio, D.: Improving lattice based cryptosystems using the hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001)
- Ogura, N., Yamamoto, G., Kobayashi, T., Uchiyama, S.: An improvement of key generation algorithm for gentry’s homomorphic encryption scheme. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds.) IWSEC 2010. LNCS, vol. 6434, pp. 70–83.
- Paterson, M.S., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM Journal on Computing 2(1), 60–66 (1973)
- Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: Proceedings of the 39th Annual ACM Symposium on Theory of Computing – STOC 2007, pp. 478–487. ACM, New York (2007)
- Rivest, R., Adleman, L., Dertouzos, M.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation, pp. 169–177. Academic Press, London (1978)
- Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010)
- Stehle, D., Steinfeld, R.: Faster fully homomorphic encryption. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 377–394.

Tags

Comments

数据免责声明

页面数据均来自互联网公开来源、合作出版商和通过AI技术自动分析结果，我们不对页面数据的有效性、准确性、正确性、可靠性、完整性和及时性做出任何承诺和保证。若有疑问，可以通过电子邮件方式联系我们：report@aminer.cn