Computing Arbitrary Functions of Encrypted Data

Craig Gentry
IBM T.J. Watson Research Center
19 Skyline Dr.
Hawthorne, NY
[email protected]

ABSTRACT encryption (FHE) scheme, where “fully” means that there

Suppose that you want to delegate the ability to process your are no limitations on what manipulations can be performed.
data, without giving away access to it. We show that this Given ciphertexts c1 , . . . , ct that encrypt m1 , . . . , mt with
separation is possible: we describe a “fully homomorphic” our scheme under some key, and given any efficiently com-
encryption scheme that keeps data private, but that allows putable function f , anyone can efficiently compute a cipher-
a worker that does not have the secret decryption key to text (or set of ciphertexts) that encrypts f (m1 , . . . , mt ) un-
compute any (still encrypted) result of the data, even when der that key. In short, this permits general computations
the function of the data is very complex. In short, a third on encrypted data. No information about m1 , . . . , mt or the
party can perform complicated processing of data without value of f (m1 , . . . , mt ) is leaked.
being able to see it. Among other things, this helps make This means that cloud computing is consistent with pri-
cloud computing compatible with privacy. vacy. If I want the cloud to compute for me some function f
of my (encrypted) data m1 , . . . , mt – for example, this func-
tion could be “all files containing ‘CACM’ or ‘Communica-
1. INTRODUCTION tions’ within three words of ‘ACM’” – I send a description
Is it possible to delegate processing of your data without of f to the cloud, which uses the scheme’s malleability to
giving away access to it? compute an encryption of f (m1 , . . . , mt ), which I decrypt.
This question, which tests the tension between conve- The cloud never sees any unencrypted data. If I want, I can
nience and privacy, has always been important, but seems even use the scheme to encrypt a description of f , so that
especially so now that we are headed toward widespread the cloud does not even see what I am searching for.
use of cloud computing. To put everything online “in the Rivest, Adleman, and Dertouzos [5] suggested that fully
cloud,” unencrypted, is to risk an Orwellian future. For cer- homomorphic encryption may be possible in 1978, shortly
tain types of data, such as medical records, storing them after the invention of the RSA cryptosystem [6], but were
off-site unencrypted may be illegal. On the other hand, en- unable to find a secure scheme. As an application, they de-
crypting one’s data seems to nullify the benefits of cloud scribed our private cloud computing scenario above, though
computing. Unless I give the cloud my secret decryption of course they used different terminology. There are many
key (sacrificing my privacy), what can I expect the cloud to other applications. Homomorphic encryption is useful when-
do with my encrypted data except send it back to me, so ever it is acceptable if a response (e.g., to a search engine
that I can decrypt it and process it myself? query) is encrypted.
Fortunately, this is a false dilemma, or at least convenience Below, we begin by describing homomorphic encryption in
and privacy can be reconciled to a large extent. For data more detail. Then, we describe a concrete scheme due to van
that is encrypted with an “ordinary” encryption scheme, it is Dijk, Gentry, Halevi, and Vaikuntanathan, [9], which uses
virtually impossible for someone without the secret decryp- only simple integer operations, and is a conceptually simpler
tion key (such as the cloud) to manipulate the underlying version of the first scheme by Gentry [3, 2], which uses lat-
data in any useful way. However, some encryption schemes tices. Toward the end, we discuss the scheme’s (rather slow)
are homomorphic or malleable. They let anyone manipu- performance. Throughout, we try to make the ideas more
late (in a meaningful way) what is encrypted, even without tangible by constantly returning to a physical analogy: a
knowing the secret key! jewelry store owner, Alice, who wants her workers to process
In this paper, we describe the first fully homomorphic raw precious materials into intricately designed rings and
necklaces, but who is afraid to give her workers complete
This paper draws from the STOC 2009 paper “Fully Homo- access to the materials for fear of theft.
morphic Encryption Using Ideal Lattices,” my thesis, and a
recent manuscript co-authored with van Dijk, Halevi, and
Vaikuntanathan. 2. HOMOMORPHIC ENCRYPTION
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are 2.1 Alice’s Jewelry Store
not made or distributed for profit or commercial advantage and that copies At first, the notion of processing data without having ac-
bear this notice and the full citation on the first page. To copy otherwise, to cess to it may seem paradoxical, even logically impossible.
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee. To convince you that there is no fallacy, and to give you
Copyright 2008 ACM 0001-0782/08/0X00 ...$5.00. some intuition about the solution, let us consider an analo-
gous problem in (a fictional version of) the “physical world.” set FE of permitted functions. For any function f in FE and
Alice owns a jewelry store. She has raw precious materials any ciphertexts c1 , . . . , ct with ci ← EncryptE (pk, mi ), the
– gold, diamonds, silver, etc. – that she wants her workers algorithm EvaluateE (pk, f, c1 , . . . , ct ) outputs a ciphertext c
to assemble into intricately designed rings and necklaces. that encrypts f (m1 , . . . , mt ) – i.e., such that DecryptE (sk, c) =
But she distrusts her workers and assumes that they will f (m1 , . . . , mt ). (For convenience, we will assume that f has
steal her jewels if given the opportunity. In other words, one output. If f has k outputs, then EvaluateE outputs
she wants her workers to process the materials into finished k ciphertexts that encrypt f (m1 , . . . , mt ) collectively.) As
pieces, without giving them access to the materials. What shorthand, we say that E can handle functions in FE . For a
does she do? function f not in FE , there is no guarantee that EvaluateE
Here is her plan. She uses a transparent impenetrable will output anything meaningful. Typically EvaluateE is un-
glovebox, secured by a lock for which only she has the key. defined for such a function.
She puts the raw precious materials inside the box, locks As described thus far, it is trivial to construct an en-
it, and gives it to a worker. Using the gloves, the worker cryption scheme that can handle all functions. Just de-
assembles the ring or necklace inside the box. Since the fine EvaluateE as follows: simply output c ← (f, c1 , . . . , ct ),
box is impenetrable, the worker cannot get to the precious without “processing” the ciphertexts at all. Modify DecryptE
materials, and figures he might as well return the box to slightly: to decrypt c, decrypt c1 , . . . , ct to obtain m1 , . . . , mt ,
Alice, with the finished piece inside. Alice unlocks the box and then apply f to these messages.
with her key and extracts the ring or necklace. In short, But this trivial solution obviously does not conform to the
the worker processes the raw materials into a finished piece, spirit of what we are trying to achieve – to delegate the data
without having true access to the materials. processing (while maintaining privacy). The trivial solution
The locked impenetrable box, with raw precious materials is as if, in Alice’s jewelry store, the worker simply sends
inside, represents an encryption of the initial data m1 , . . . , mt , the box (which need not have gloves) back to Alice without
which can be accessed only with the secret decryption key. doing any work on the raw precious materials, and Alice
The gloves represent the homomorphism or malleability of unlocks the box, extracts the materials, and assembles the
the encryption scheme, which allows the raw data to be ring or necklace herself.
manipulated while it is inside the “encryption box.” The So, how do we formalize what it means to delegate? In-
completed ring or necklace inside the box represents the en- tuitively, the purpose of delegation is to reduce one’s work-
cryption of f (m1 , . . . , mt ), the desired function of the initial load. We can formalize this in terms of the running times
data. Note that “lack of access” is represented by lack of (i.e., complexity) of the algorithms. Specifically, we require
physical access, as opposed to lack of visual access, to the that decrypting c (the ciphertext output by EvaluateE ) takes
jewels. (For an analogy that uses lack of visual access, con- the same amount of computation as decrypting c1 (a cipher-
sider a photograph developer’s darkroom.) text output by EncryptE ). Moreover, we require that c is the
Of course, Alice’s jewelry store is only an analogy. It same size as c1 . We refer to these as the compact ciphertexts
does not represent some aspects of homomorphic encryption requirement. Again, the size of c and the time needed to de-
well, and taking it too literally may be more confusing than crypt it do not grow with the complexity of f ; rather, they
helpful. We discuss some flaws in the analogy at the end are completely independent of f (unless f has multiple out-
of this section, after we describe homomorphic encryption puts). Also, of course, the complexity of DecryptE , as well
more formally. Despite its flaws, we return to the analogy as the complexity of KeyGenE and EncryptE , must remain
throughout, since it motivates good questions, and repre- polynomial in λ.
sents some aspects of our solution quite well – most notably, E is fully homomorphic if it can handle all functions, has
“bootstrapping,” which we discuss in Section 4. compact ciphertexts, and EvaluateE is efficient in a way that
we specify below. The trivial solution above certainly is not
2.2 Homomorphic Encryption: Functionality fully homomorphic, since the size of the ciphertext output by
EvaluateE , as well as the time needed to decrypt it, depend
An encryption scheme E has three algorithms: KeyGenE ,
on the function being evaluated. In terms of Alice’s jewelry
EncryptE and DecryptE , all of which must be efficient – that
store, our definition of fully homomorphic captures the best-
is, run in time poly(λ), polynomial in a security parameter λ
case scenario for Alice: her workers can assemble arbitrarily
that specifies the bit-length of the keys. In a symmetric, or
complicated pieces inside the box, but the work needed to
secret-key, encryption scheme, KeyGenE uses λ to generate
assemble has no bearing on the work Alice needs to do to
a single key that is used in both EncryptE and DecryptE ,
unlock the box and extract the piece.
first to map a message to a ciphertext, and then to map
We want our fully homomorphic scheme to be efficient for
the ciphertext back to the message. In an asymmetric, or
the worker, as well. In particular, we want the complexity
public-key, encryption scheme, KeyGenE uses λ to generate
of EvaluateE – like the other algorithms of E – to depend
two keys – a public encryption key pk, which may be made
only polynomially on the security parameter. But clearly
available to everyone, and a secret decryption key sk. As
its complexity must also depend on the function being eval-
a physical analogy for an asymmetric encryption scheme,
uated. How do we measure the complexity of f ? Perhaps
one can think of Alice’s public key as a padlock, which she
the most obvious measure is the running time Tf of a Tur-
constructs and distributes, that can be locked without a key.
ing machine that computes f . We use a related measure,
Anyone can put a message inside a box secured by Alice’s
the size Sf of a boolean circuit (i.e., the number of AND,
padlock (encrypt), and mail it via a public channel to Alice,
OR, and NOT gates) that computes f . Any function that
but only Alice has the key needed to unlock it (decrypt).
can be computed in Tf steps on a Turing machine can be
A homomorphic encryption scheme can be either symmet-
expressed as a circuit with about Tf gates. More precisely,
ric or asymmetric, but we will focus on the asymmetric case.
Sf < k · Tf · log Tf for some small constant k. Overall, we
It has a fourth algorithm EvaluateE , which is associated to a
say that EvaluateE is efficient if there is a polynomial g such any constant k).
that, for any function f that is represented by a circuit of Nowadays, we typically require an encryption scheme to
size Sf , EvaluateE (pk, f, c1 , . . . , ct ) has complexity at most have a stronger security property, called semantic security
Sf · g(λ). against chosen-plaintext attacks (CPA) [4]: given a cipher-
The circuit representation of f is also useful because it text c that encrypts either m0 or m1 , it is hard for an ad-
breaks the computation of f down into simple steps – e.g., versary to decide which, even if it is allowed to choose m0
AND, OR, and NOT gates. Moreover, to evaluate these and m1 . Here, “hard” means that if the adversary A runs
gates, it is enough to be able to add, subtract and mul- in polynomial time and guesses correctly with probability
tiply. (In fact, it is enough if we can add, subtract and 1/2 + , then , called A’s advantage, must be negligible.
multiply modulo 2.) In particular, for x, y ∈ {0, 1}, we If this advantage is non-negligible, then we say (informally)
have AND(x, y) = xy, OR(x, y) = 1 − (1 − x)(1 − y) and that the adversary breaks the semantic security of the en-
NOT(x) = 1 − x. So, to obtain a fully homomorphic en- cryption scheme.
cryption scheme, all we need is a scheme that operates on If an encryption scheme is deterministic – i.e., if there is
ciphertexts so as to add, subtract, and multiply the under- only one ciphertext that encrypts a given message – then it
lying messages, indefinitely. cannot be semantically secure. An attacker can easily tell
But is the circuit representation of f – or some arith- whether c encrypts m0 , by running c0 ← Encrypt(pk, m0 )
metized version of it in terms of addition, subtraction and and seeing if c and c0 are the same. A semantically se-
multiplication – necessarily the most efficient way to evalu- cure encryption scheme must be probabilistic – i.e., there
ate f ? In fact, some functions, like binary search, take much must be many ciphertexts that encrypt a given message,
longer on a Turing machine or circuit than on a random ac- and EncryptE must choose one randomly according to some
cess machine. On a random access machine, a binary search distribution.
algorithm on t ordered items only needs to “touch” O(log t) One can prove the (conditional) one-wayness or semantic
of its inputs. security of an encryption scheme by reducing a hard problem
A moment’s thought shows that random-access speed- to breaking the encryption scheme. For example, suppose
ups cannot work if the data is encrypted. Unless we know one shows that if there is an efficient algorithm that breaks
something a priori about the relationship between f and the encryption scheme, then this algorithm can be used as a
m1 , . . . , mt , the algorithm EvaluateE (pk, f, c1 , . . . , ct ) must subroutine in an efficient algorithm that factors large num-
touch all of the input ciphertexts, and therefore have com- bers. Then, under the assumption that factoring is hard –
plexity at least linear in the number of inputs. To put it an- i.e., that no poly(λ)-time algorithm can factor λ-bit numbers
other way, if EvaluateE (for some reason) did not touch the – the reduction implies that the encryption scheme must be
second half of the ciphertexts, this would leak information hard to break.
about the second half of the underlying messages – namely, Semantic security of a homomorphic encryption scheme
their irrelevance in the computation of f – and this leak- is defined in the same way as for an ordinary encryption
age would contradict the security of the encryption scheme. scheme, without reference to the EvaluateE algorithm. If
While EvaluateE must have running time at least linear in we manage to prove a reduction – i.e., that an attacker that
t as an unavoidable cost of the complete privacy that ho- breaks E can be used to solve a hard problem like factoring –
momorphic encryption provides, a tradeoff is possible. If I then this reduction holds whether or not E has an EvaluateE
am willing to reveal – e.g., in the cloud computing context algorithm that works for a large set of functions.
– that the files that I want are contained in a certain 1% To understand the power of semantic security, let us re-
of my data, then I may help the cloud reduce its work by a consider our cloud computing application. Sometime after
factor of 100. storing her encrypted files in the cloud, Alice wants the cloud
Another artifact of using a fixed circuit representation of to retrieve the files that have a certain combination of key-
f is that the size of the output – i.e., the number of output words. Suppose that in its response, the cloud sends cipher-
wires in the circuit – must be fixed in advance. For example, texts that encrypt the first three files. Can’t the cloud just
when I request all of my files that contain a combination see that the first three encrypted files that it is storing for
of keywords, I should also specify how much data I want Alice happen to encrypt the same content as the three files
retrieved – e.g., one megabyte. From my request, the cloud that it sends to Alice? Not if the scheme is semantically
will generate a circuit for a function that outputs the first secure. Even though some of the stored ciphertexts encrypt
megabyte of the correct files, where that output is truncated the same content as the sent ciphertexts, the cloud cannot
(if too much of my data satisfies my request), or padded with see this, because semantic security guarantees that it is hard
zeros (if too little). A moment’s thought shows that this to tell whether two ciphertexts encrypt the same content.
is also unavoidable. There is no way the cloud can avoid Intuitively, it seems like the EvaluateE algorithm should
truncating or padding unless it knows something a priori make E easier to break, simply because this additional algo-
about the relationship between the function and my data. rithm gives the attacker more power. Or, to put it in terms
of the physical analogy, one would think that the easiest way
2.3 Homomorphic Encryption: Security to get inside the glovebox is to cut through the gloves, and
that, the more flexible the gloves are, the easier the glovebox
In terms of security, the weakest requirement for an en-
is to compromise; this suggests that, the more malleable the
cryption scheme is one-wayness: given the public key pk and
encryption scheme is, the easier it is to break. There is some
a ciphertext c that encrypts unknown message m under pk,
truth to this intuition. Researchers [1, 8] showed that if E
it should be “hard” to output m. “Hard” means that any
is a deterministic fully homomorphic encryption scheme (or,
algorithm or “adversary” A that runs in poly(λ) time has a
more broadly, one for which it is easy to tell whether two
negligible probability of success over the choices of pk and
ciphertexts encrypt the same thing), then E can be broken
m (i.e., the probability it outputs m is less than 1/λk for
in sub-exponential time, and in only polynomial time (i.e., KeyGenE (λ): The key is a random P -bit odd integer p.
efficiently) on a quantum computer. So, malleability seems
to weaken the security of deterministic schemes. But these EncryptE (p, m): To encrypt a bit m ∈ {0, 1}, set m0 to be a
results do not apply to semantically secure schemes, such as random N -bit number such that m0 = m mod 2. Out-
ours. put the ciphertext c ← m0 + pq, where q is a random
Q-bit number.
2.4 Some Flaws in the Physical Analogy
DecryptE (p, c): Output (c mod p) mod 2, where (c mod p) is
The physical analogy represents some aspects of homo- the integer c0 in (−p/2, p/2) such that p divides c − c0 .
morphic encryption poorly. For example, the physical anal-
ogy suggests that messages that are encrypted separately Ciphertexts from E are near-multiples of p. We call (c mod
are in different “encryption boxes” and cannot interact. Of p) the noise associated to the ciphertext c. It is the distance
course, this interaction is precisely the purpose of homomor- to the nearest multiple of p. Decryption works because the
phic encryption. To fix the analogy, one may imagine that noise is m0 , which has the same parity as the message. We
the gloveboxes have a one-way insertion slot like the mail call a ciphertext output by Encrypt a fresh ciphertext, since
bins used by the post office. Then, messages can be added it has small (N -bit) noise.
to the same encryption box as they arrive. (Even this fix is How is the scheme homomorphic? By simply adding, sub-
not entirely satisfactory.) tracting, or multiplying the ciphertexts as integers, we can
Another flaw is that the output f (m1 , . . . , mt ) may have add, subtract or multiply (modulo 2) the underlying mes-
significantly fewer bits than m1 , . . . , mt , whereas in the anal- sages. However, complications arise, because these opera-
ogy (absent significant nuclear activity inside the glovebox) tions increase the noise associated to resulting ciphertexts.
the conservation of mass dictates that the box will have Eventually, the noise become so large that decryption no
at least as much material inside when the worker is done longer reliably returns the correct result.
as when he started. Finally, in Alice’s jewelry store, even
though a worker cannot extract the materials from a locked Homomorphic Operations:
glovebox, he can easily tell whether or not a box contains a
AddE (c1 , c2 ), SubE (c1 , c2 ), MultE (c1 , c2 ): the output cipher-
certain set of materials – i.e., the gloveboxes do not provide
text c is c1 + c2 , c1 − c2 , or c1 · c2 .
“semantic security.”
EvaluateE (f, c1 , . . . , ct ): Express the boolean function f as
3. A SOMEWHAT HOMOMORPHIC a circuit C with XOR and AND gates. Let C † be
the same circuit as C, but with XOR and AND gates
ENCRYPTION SCHEME replaced by addition and multiplication gates over the
On our way to fully homomorphic encryption, we begin by integers. Let f † be the multivariate polynomial that
constructing a somewhat homomorphic encryption scheme E corresponds to C † . Output c ← f † (c1 , . . . , ct ).
that can handle a limited class FE of permitted functions.
EvaluateE (pk, f, c1 , . . . , ct ) does not work for functions f that Let us check that ciphertexts output by EvaluateE decrypt
are too complicated. Later, we will show to use E to obtain correctly. As a warm-up, let us consider MultE . Let c =
fully homomorphic encryption. c1 · c2 , where ci ’s noise is m0i , which has the same parity as
the message mi . We have that
3.1 Meanwhile in Alice’s Jewelry Store
c = m01 · m02 + pq 0
After figuring out how to use locked gloveboxes to get her
workers to process her precious materials into fancy rings for some integer q 0 . As long as the noises are small enough
and necklaces, Alice puts in an order with Acme Glovebox so that |m01 · m02 | < p/2, we have that
Company. Unfortunately, the gloveboxes she receives are
defective. After a worker uses the gloves for one minute, the (c mod p) = m01 · m02
gloves stiffen and become unusable. But some of the fanciest and therefore (c mod p) mod 2 = m1 · m2 , as it should be.
pieces take up to an hour to assemble. Alice sues Acme, but We will consider the evaluation of more complicated func-
meanwhile she wonders: Is there some way I can use these tions momentarily, in Section 3.3.
defective boxes to get the workers to securely assemble even So far we only described a symmetric homomorphic en-
the most complicated pieces? cryption scheme. Turning it into a public-key scheme is
She notices that the boxes, while defective, do have a prop- easy, but adds some complexity. As before, the secret key is
erty that might be useful. As expected, they have a one-way p. The public key consists of a list of integers that are essen-
insertion slot, like post office mail bins. But they are also tially “encryptions of zero.” The list has length polynomial
flexible enough so that it is possible to put one box inside an- in λ. To encrypt a bit m, the ciphertext c is (essentially) m
other through the slot. She wonders whether this property plus a random subset sum of the ciphertexts in the public
might play a role in the solution to her problem... key. If these ciphertexts have very small noise, the result-
ing ciphertext will also have small noise, and decryption will
3.2 Our Somewhat Homomorphic Scheme work properly: (c mod p) mod 2 will equal m, as before.
Our somewhat homomorphic encryption scheme E, de-
scribed below, is remarkably simple [9]. We describe it first 3.3 How Homomorphic Is It?
as a symmetric encryption scheme. As an example param- What is the set of permitted functions that our homomor-
eter setting, for security parameter λ, set N = λ, P = λ2 phic encryption scheme E can handle?
and Q = λ5 . To answer this question, we need to analyze how the noise
An Encryption Scheme: grows as we add and multiply ciphertexts. EncryptE outputs
a fresh ciphertext with a small noise, at most N bits. As additional gloveboxes, where box #2 contains (locked in-
we AddE , SubE , or MultE ciphertexts, the output ciphertext side) the key to box #1, box #3 contains the key to box
becomes more noisy. Multiplication tends to increase the #2, and so on. To assemble an intricate design, the worker
noise faster than addition or subtraction. In particular, for manipulates the materials in box #1 until the gloves stiffen.
ciphertexts c1 and c2 with k1 - and k2 -bit noises, the cipher- Then, he places box #1 inside box #2, where the latter box
text c ← c1 · c2 has (roughly) (k1 + k2 )-bit noise. already contains a the key to box #1. Using the gloves for
What happens when we perform many AddE , SubE , and box #2, he opens box #1 with the key, extracts the par-
MultE operations, as prescribed by the circuit representing tially assembled trinket, and continues the assembly within
a function f ? Similar to what we saw above with multipli- box #2 until its gloves stiffen. He then places box #2 inside
cation, we have box #3, and so on. When the worker finally finishes his
assembly inside box #n, he hands the box to Alice.
f † (c1 , . . . , ct ) = f † (m01 , . . . , m0t ) + pq 0 Of course, Alice observes, this trick does not work unless
for some integer q 0 , where m0i is the noise associated to ci . If the worker can open box #i within box #(i + 1), and still
|f † (m01 , . . . , m0t )| < p/2, then (f † (c1 , . . . , ct ) mod p) equals have time to make a little bit of progress on the assembly,
f † (m01 , . . . , m0t ). And if we reduce this result modulo 2, we all before the gloves of box #(i + 1) stiffen. But as long as
obtain the correct result: f (m1 , . . . , mt ). the unlocking operation (plus a little bit of assembly work)
In short, the functions that E can handle are those for takes less than a minute, and as long as she has enough de-
which |f † (a1 , . . . , at )| is always less than p/2 if all of the ai fective gloveboxes, then it is possible to assemble any piece,
are at most N bits. no matter how complicated!
E is already quite powerful. As an example, it can handle
an elementary symmetric
polynomial of degree d in t vari- 4.2 A Dream Deciphered
ables, as long as 2N d · dt < p/2, which is true (roughly) In the analogy, the defective gloveboxes represent our some-
when d < P/(N · log t). For our suggested parameters, this what homomorphic encryption scheme, which can perform
degree can be quite large: λ/(log t) = Ω(λ/ log λ). That E Add, Sub, and Mult operations on ciphertexts for a little
can evaluate polynomials of such high degree makes it “ho- while – it can handle functions in a limited set FE – until
momorphic enough” for many applications. For example, it the noise becomes too large. What we would like to do is
works well when f is a highly parallelizable function – e.g., a use this somewhat homomorphic scheme to construct a fully
basic keyword search – in which case f has fairly low degree. homomorphic one.
As before, box #1 with the precious materials inside rep-
3.4 Semantic Security and Approximate GCDs resents the ciphertexts that encrypt the initial data. Box
Euclid showed that, given two integers x1 and x2 , it is #(i+1) with the key for box i inside represents an encrypted
easy to compute their greatest common divisor (gcd). But secret decryption key – i.e., ski encrypted under pki+1 .
suppose that x1 = s1 + p · q1 and x2 = s2 + p · q2 are near- In the analogy, Alice discovers that there is only one thing
multiples of p, with s1 and s2 much smaller than p. When p that her workers really need to be able to do in less than one
is only an approximate gcd, is it still possible to compute p minute with the gloves, aside from performing a very small
efficiently – i.e., in time polynomial in the bit-lengths of x1 operation on the piece: unlock box #i within box #(i + 1)
and x2 ? Not in general, as far as we know. and extract the piece. It will turn out that there is only
In fact, if we sample si , p and qi with λ, λ2 , and λ5 bits one function that our scheme E really needs to be able to
(similar to our scheme E), then the approximate gcd problem handle, with a tiny bit of room left over to perform one
seems to remain hard even if we are given arbitrarily many more Add, Sub, or Mult: the decryption function (which is
samples xi = si + p · qi , rather than just two. For these like unlocking the “encryption box”).
parameters, known attacks – including those using contin- If E has this self-referential property of being able to han-
ued fractions and simultaneous diophantine approximation dle its own decryption function (augmented by a single gate),
– take time essentially exponential in λ. we say that it is bootstrappable. As we will show, if E is
Moreover, we can reduce the approximate gcd problem bootstrappable, then one can use E to construct a fully ho-
to the security of our somewhat homomorphic encryption momorphic encryption scheme E † .
scheme. That is, we can prove that an attacker cannot effi-
ciently break the semantic security of our encryption scheme
unless the approximate gcd problem is easy. 4.3 Bootstrappable to Fully Homomorphic
Suppose that E is bootstrappable. In particular, suppose
that E can handle the following four functions: the decryp-
4. BOOTSTRAPPABLE ENCRYPTION tion function, expressed as a circuit DE of size polynomial
in λ, as well as DE augmented by an Add, Sub, or Mult gate
4.1 Alice’s Eureka Moment modulo 2. (DE augmented by Add consists of two copies
One night, Alice dreams of immense riches, caverns piled of DE connected by an Add gate.) We will show that this
high with silver, gold and diamonds. Then, a giant dragon is a complete set of circuits, in the sense that if these four
devours the riches and begins to eat its own tail! She awakes circuits are in FE , then one can construct from E a scheme
with a feeling of peace. As she tries to make sense of her E † that is fully homomorphic.
dream, she realizes that she has the solution to her prob- As a warm-up, suppose that ciphertext c1 encrypts the bit
lem. She knows how to use her defective boxes to securely m under key pk1 . Suppose also that we have an encrypted
delegate the assembly of even the most intricate pieces! secret key: let sk1 be a vector of ciphertexts that encrypt
Like before, she gives a worker a glovebox, box #1, con- the bits of sk1 under pk2 via EncryptE (pk2 , sk1j ). Consider
taining the raw materials. But she also gives him several the following algorithm.
RecryptE (pk2 , DE , sk1 , c1 ). Strictly speaking, E † does not quite meet our definition
of fully homomorphic encryption, since the complexity of
Generate c1 via EncryptE (pk2 , c1j ) over the bits of c1 KeyGenE † grows linearly with the maximum circuit depth
Output c ← EvaluateE (pk2 , DE , sk1 , c1 ) we want to evaluate. (Fortunately, EncryptE † and DecryptE †
do not depend at all on the function f being evaluated.)
The decryption circuit DE has input wires for the bits of a However, suppose that E is not only bootstrappable, but
secret key and the bits of a ciphertext. Above, EvaluateE also circular-secure – that is, it is “safe” to reveal the en-
takes in the bits of sk1 and c1 , each encrypted under pk2 . cryption of a secret key ski under its own associated public
Then, E is used to evaluate the decryption circuit homo- key pki . Then, we can simplify KeyGenE † . We do not need
morphically. As long as E can handle DE , the output c is distinct public keys pki for each circuit level and an acyclic
an encryption under pk2 of DecryptE (sk1 , c1 ) = m. RecryptE chain of encrypted secret keys. Instead, the public key in E †
therefore outputs a new encryption of m, but under pk2 . can consist merely of a single public key pk and a single en-
One fascinating thing about RecryptE is that the message crypted secret key sk (sk under pk), where pk is associated
m is doubly encrypted at one point, first under pk1 and to all levels of the circuit. This approach has the additional
next under pk2 . Ordinarily, the only thing one can do with advantage that we do not need to decide beforehand the
a doubly-encrypted message is to peel off the outer encryp- maximal circuit depth complexity of the functions that we
tion first, and then decrypt the inner layer. However, in want to be able to evaluate.
RecryptE , the EvaluateE algorithm is used to remove the in- For most encryption schemes, including our somewhat ho-
ner encryption, just like Alice unlocks box #i while it is momorphic scheme (as far as we know), revealing an encryp-
inside box #(i + 1). tion of sk under pk does not lead to any attack. However,
It is also useful to imagine that E is our somewhat ho- it is typically difficult to prove that an encryption scheme is
momorphic encryption scheme from Section 3, and consider circular-secure.
what RecryptE does to the noise of the ciphertexts. Evaluat- The issue of circular security also fits within our physical
ing DE removes the noise associated to the first ciphertext analogy. Suppose that a key is locked inside the very same
under pk1 (because, of course, decryption removes noise), box that the key could open from the outside. Is it possible
but EvaluateE simultaneously introduces new noise while to use the gloves and key to open the box from the inside? If
evaluating the ciphertexts under pk2 . As long as the new so, it would be a strange lock. Similarly, encryption schemes
noise added is less than the old noise removed, we have made that are insecure in this setting tend to be contrived.
“progress.” A similar situation holds in Alice’s jewelry store.
When the worker extracts the piece from the used-up glove-
box #i, this process simultaneously uses up the gloves of box 5. SOMEWHAT HOMOMORPHIC TO
#(i + 1). We have made “progress” as long as the process BOOTSTRAPPABLE
does not leave box #(i + 1)’s gloves completely used-up.
Of course, our goal is to perform actual operations on Is our somewhat homomorphic encryption scheme from
underlying messages, not merely to obtain a new encryption Section 3 already bootstrappable? Can it handle its own
of the same message. So, suppose that E can handle DE decryption circuit? Unfortunately, as far as we can tell,
augmented by some gate – e.g., Add; call this augmented E can almost handle DE , but not quite. So, we modify
circuit DAdd . If c1 and c2 are two ciphertexts that encrypt E slightly, constructing a new (but closely related) some-
m1 and m2 , respectively, under pk1 , and we compute c1 what homomorphic scheme E ∗ that can handle essentially
and c2 as before, as ciphertexts encrypting the bits of the the same functions that E can, but whose decryption circuit
ciphertexts under pk2 , then we have that is simple enough to make E ∗ bootstrappable.

c ← EvaluateE (pk2 , DAdd , sk1 , c1 , c2 ) 5.1 Alice Gets Her Hands Dirty
After her dream, Alice rushes to her store to see if her
is an encryption under pk2 of m1 ⊕ m2 .
idea works. She locks box #1 and puts it inside box #2.
By recursing this process, we get a fully homomorphic en-
Working with the gloves of box #2, she tries to unlock box
cryption scheme. The public key in E † consists of a sequence
#1 in less than one minute. The thickness of the gloves and
of public keys (pk1 , . . . , pk`+1 ) and a chain of encrypted se-
the stickiness of the lock combine to make it impossible.
cret keys sk1 , . . . , sk` , where ski is encrypted under pki+1 . She is despondent until she remembers that she has a
To evaluate a function f in E † , we express f as a circuit, special grease that makes her locks less sticky. This time,
topologically arrange its gates into levels, and step through she locks box #3 and puts it inside box #4. She also puts
the levels sequentially. For a gate at level i + 1 (e.g., an Add her bottle of grease inside box #4. Working with the gloves
gate), we take as input the encrypted secret key ski and a of box #4, she squirts some grease on the lock and then tries
couple of ciphertexts associated to output wires at level i to unlock it. But the gloves stiffen before she can finish.
that are under pki , and we homomorphically evaluate DAdd Then, she thinks: why didn’t I grease the box’s lock before
to get a ciphertext under pki+1 associated to a wire at level putting it inside the other box? That way, I wouldn’t waste
i + 1. Finally, we output the ciphertext associated to the my valuable time with the gloves greasing the lock.
output wire of f . She locks box #5, greases its lock, and then puts it inside
Putting the encrypted secret key bits sk1 , . . . , sk` in E † ’s box #6. Working with gloves, she tries the lock again. This
public key is not a problem for security. These encrypted time it works, despite the clumsiness of the gloves!
secret key bits are indistinguishable from encryptions of 0 At last, she has a system that lets her securely delegate
as long as E is semantically secure. the processing of her precious materials into arbitrarily com-
plicated pieces! Her workers just need to apply the grease
4.4 Circular Security to each box before they put it inside the next box. She can
hardly wait to put the system in place the following morning. • EncryptE ∗ (pk∗ , m): Run EncryptE (pk, m) to obtain cipher-
text c. For i ∈ {1, . . . , β}, set zi ← c · yi mod 2 keeping
5.2 Greasing the Decryption Circuit only about log α bits of precision after the binary point for
In our somewhat homomorphic encryption scheme E from each zi . The ciphertext c∗ consists of c and ~z = hz1 , . . . , zβ i.
Section 3, the decryption function is: The important point here is that the hint ~
y is used to post-
m ← (c mod p) mod 2 process a ciphertext c output by EncryptE , with the objective
of leaving less work remaining for DecryptE ∗ to do.
Equivalently, but more simply, the equation is: This sort of two-phase approach to decryption has been
m ← LSB(c) XOR LSB(bc/pe) , used before in server-aided cryptography. (See cites in [2].)
In that setting, a user wants to minimize its cryptographic
where LSB takes the least significant bit and b·e rounds to computation – e.g., because it is using a constrained device,
the nearest integer. This is equivalent, since (c mod p) = such as a smartcard or handheld. So, it outsources expensive
c − p · bc/pe. Since p is odd, we have that (c mod p) mod 2 = computations to a server. To set up this arrangement, the
c−bc/pe mod 2. This is just the XOR of the least significant user (in some schemes) must give the server a hint ~ y that
bits of c and bc/pe. is statistically dependent on its secret key sk, but which is
In the decryption circuit DE , computing the LSB is imme- not sufficient to permit the server to decrypt efficiently on
diate: the circuit simply does not have output wires for the its own. The server uses the hint to process a ciphertext
more significant bits. Computing an XOR also takes only directed to the user, leaving less work for the user to do.
one gate. If the decryption function is complicated, it must In our setting, the encrypter or evaluator plays the role of
be because computing bc/pe is complicated. Is the function the server, post-processing the ciphertext so as to leave less
f (p, c) = bc/pe (with the few steps afterwards) something work for the decryption algorithm to do.
that E can handle? If so, E is bootstrappable, and can be
• DecryptE ∗ (sk∗ , c∗ ): Output LSB(c) XOR LSB(b i si zi e).
P
used to construct a fully homomorphic encryption scheme.
Unfortunately, even a single multiplication of long num- PDecryption P works, since (up to small precision errors)
bers – namely, c with 1/p – seems to be too complex for E i si z i = i c · si yi = c/p mod 2.
to handle. The reason is that c and 1/p each need to be To ensure that the rounding is correct despite the low pre-
expressed with at least P ≈ log p bits of precision to en- cision, we need c to be closer (than the trivial p/2) to a multi-
sure that f (p, c) is computed correctly. When you multiply ple of p (say, within p/16). This makes FE ∗ smaller than FE ,
two P -bit numbers, a bit of the result may be a high-degree since FE ∗ is limited to functions where |f (a1 , . . . , at )| < p/16
polynomial of the input bits; this degree is also roughly P . when the ai are N bits. This makes only a small difference.
We saw that E can handle an elementary symmetric poly- The important point regarding DecryptE ∗ is that we re-
nomial in t variables of degree (roughly) d < P/(N · log t). place the multiplication of c and 1/p with a summation that
However, E cannot handle even a single monomial of degree contains only α nonzero terms. The bits of this summation
P , where the noise of output ciphertext is upper-bounded can be computed by a polynomial of degree α · polylog(α),
by (2N )P ≈ pN  p/2. Consequently, E does not seem to which E ∗ can handle if we set α to be small enough.
be bootstrappable. • AddE ∗ (pk∗ , c∗1 , c∗2 ) : Extract c1 and c2 from c∗1 and c∗2 .
However, if we are willing to get our hands dirty by tin- Run c ← AddE (pk, c1 , c2 ). The output ciphertext c∗ consists
kering with E to make the decryption function simpler, we of c, together with the result of post-processing c with ~ y.
eventually get a scheme E ∗ that is bootstrappable. The main MultE ∗ (pk∗ , c∗1 , c∗2 ) is analogous.
idea of the transformation is to replace E’s decryption func-
tion, which multiplies two long numbers, with a decryption 5.3 How to Add Numbers
function that adds a fairly small set of numbers. In terms To see that E ∗ can handle the decryption function plus
of the bits of the addends, this summation corresponds to a an additional gate when α is set small
polynomial of fairly low degree that E ∗ can handle. P enough, let us con-
sider the computation of the sum i si zi . In this sum,
Let us go through the transformation step by step, begin- we have β numbers a1 , . . . , aβ , each ai expressed in binary
ning with KeyGenE ∗ . The transformation uses a couple of (ai,0 , . . . , ai,−` ) with ` = O(log α), where at most α of the
integer parameters: 0 < α < β. ai ’s are nonzero (since the Hamming weight of s is α). We
• KeyGenE ∗ (λ): Run KeyGenE (λ) to obtain keys (pk, sk), want to express each bit of the output as a polynomial of
where sk is an odd integer p. Generate a set ~ y = hy1 , . . . , yβ i the input bits, while minimizing the degree of the polyno-
of rational numbers in [0, 2) such that there is a sparse subset mial and the number of monomials.
S ⊂ {1, . . . , β} of size α with i∈S yi ≈ 1/p mod 2. Set sk∗
P
Our approach to the problem is to add up the column of
to be the sparse subset S, encoded as a vector s ∈ {0, 1}β LSBs of the numbers – computing the Hamming weight of
with Hamming weight α. Set pk∗ ← (pk, ~ y ). this column – to obtain a number in binary representation.
The important difference between KeyGenE ∗ and KeyGenE Then, we add up the column of penultimate bits, etc. Af-
is that KeyGenE ∗ includes a hint about the secret integer p – terwards, we combine the partial results. More precisely,
namely, a set of numbers ~ y that contains a (hidden) sparse for j ∈ [0, −`], we compute the Hamming weight bj , repre-
subset that sums to 1/p (to within a very small error, and up sented in binary, of (a1,j , . . . , aβ,j ). Then, we add up the
to addition by an even number). This hint is the “grease,” ` + 1 numbers b0 , ..., 2−` b−` to obtain the final correct sum.
which will be used in EncryptE ∗ and DecryptE ∗ . Although it Conveniently, the binary representation of the Hamming
is technically not the decryption key sk∗ , the integer p still weight of any vector ~ x ∈ {0, 1}t is given by
can be used to decrypt a ciphertext output by EncryptE ∗ , (e2blog tc (x1 , . . . , xt ) mod 2, . . . , e20 (x1 , . . . , xt ) mod 2)
so revealing this hint obviously impacts security, a point we
elaborate on in Section 5.4. where ei (x1 , . . . , xt ) is the ith elementary symmetric polyno-
mial over x1 , . . . , xt . These polynomials have degree at most decryption function. The lattice-based scheme with com-
t. Also, we know how to efficiently evaluate the elementary parable security has λ6 · polylog(λ) computation. This is
symmetric polynomials. They are simply coefficients of the high, but not totally unreasonable. Consider: to make RSA
polynomial p(z) = ti=1 (z−xi ). An important point is that, 2λ -secure against known attacks – in particular, against the
Q
in our case, we only need to evaluate the polynomials up to number field sieve factoring algorithm – you need to use
degree α, since we know a priori that each of the Hamming an RSA modulus with approximately λ3 bits. Then, RSA
weights is at most α. We saw in Section 3.3 that we can decryption involves exponentiation by a λ3 -bit exponent –
handle elementary symmetric polynomials in t variables of i.e., about λ3 multiplications. Even if one uses fast Fourier
degree up to about λ/ log t = Ω(λ/ log λ) for our suggested multiplication, this exponentiation requires λ6 · polylog(λ)
parameters. We can set α to be smaller than this. computation. Also, unlike RSA, the decryption function
The final step of computing the sum of the bj ’s does not in our scheme is highly parallelizable, which may make an
require much computation, since there are only ` + 1 = enormous difference in some implementations.
O(log α) of them. We get that a ciphertext encrypting a
bit of the overall sum has noise of at most N · α · g(log α) 7. EPILOGUE
bits for some polynomial g of low degree. If the final sum The morning after her dream, Alice explains her glovebox
modulo 2 is (b00 , b0−1 , . . .) in binary, then the rounding oper- solution to her workers. They are not happy, but they wish
ation modulo 2 is simply b00 XOR b0−1 . With the additional to remain employed. As the day progresses, it becomes clear
XOR operation in decryption, and possibly one more gate, that the gloveboxes are slowing down the pace of jewelry
the noise after evaluating the decryption function plus a gate construction considerably. The main problem seems to be
has at most N · α · h(log α) bits for some polynomial h. the thick gloves, which multiply the time needed for each
The scheme E ∗ becomes bootstrappable when this noise assembly step. After a few days of low output, Alice curtails
has at most log(p/16) = P − 4 bits. For example, this works her use of the gloveboxes to pieces that contain the most
when α = λ/polylog(λ), N = λ, and P = λ2 . valuable diamonds.
5.4 Security of the Transformed Scheme Alice loses her suit against Acme Glovebox Company, be-
cause, as far as anyone knows in Alice’s parallel world, gloves
The encryption key of E ∗ contains a hint about the secret in gloveboxes are always very stiff and stiffen completely af-
p. But we can prove that E ∗ is semantically secure, unless ter moderate use. The old judge explains this to her in a
either it is easy to break the semantic security of E (which patronizing tone.
implies that the approximate gcd problem is easy), or the But Alice refuses to give up. She hires a handsome young
following sparse (or low-weight) subset sum problem (SSSP) glovebox researcher, and tasks him with developing a glove
is easy: given a set of β numbers ~ y and another number s, flexible enough to permit the nimble assembly of jewels and
find the sparse (α-element) subset of ~ y whose sum is s. unlocking of boxes, but sturdy enough to prevent the boxes
The SSSP has been studied before in connection with from being easily compromised. The researcher, amazed at
server-aided cryptosystems. If α and β are set appropri- his good fortune, plunges into the problem.
ately, the SSSP is a hard problem, as far as we know. In
particular, if we set α to be about λ, it is hard
to find the
sparse subset by “brute force,” since there are αβ
≈ β α pos-
8. REFERENCES
[1] D. Boneh and R. J. Lipton. Algorithms for black-box
sibilities. If the sparse subset sum is much closer to 1/p
fields and their application to cryptography (extended
than any other subset sum, the problem yields to a lattice
abstract). In CRYPTO, pages 283–297, 1996.
attack. But these attacks fail when we set β large enough
[2] C. Gentry. A fully homomorphic encryption scheme.
(but still polynomial in λ) so that an exponential (in λ) num-
PhD thesis, Stanford University, 2009.
ber of subset sums are as close to 1/p as the sparse subset.
crypto.stanford.edu/craig.
Concretely, we can set β = λ5 · polylog(λ).
[3] C. Gentry. Fully homomorphic encryption using ideal
lattices. In M. Mitzenmacher, editor, STOC, pages
6. CONCLUSIONS 169–178. ACM, 2009.
We now know that FHE is possible. We already have the [4] S. Goldwasser and S. Micali. Probabilistic encryption.
scheme presented here, the lattice-based scheme by Gentry J. Comput. Syst. Sci., 28(2):270–299, 1984.
[2, 3], and a recent scheme by Smart and Vercauteren [7].
[5] R. L. Rivest, L. M. Adleman, and M. L. Dertouzos. On
There is still work to be done toward making FHE truly
data banks and privacy homomorphisms. In
practical. Currently, all known FHE schemes follow the
Foundations of Sec. Comp., pages 169–180, 1978.
blueprint above: construct a bootstrappable somewhat ho-
[6] R. L. Rivest, A. Shamir, and L. M. Adleman. A
momorphic encryption scheme E, and obtain FHE by run-
method for obtaining digital signatures and public-key
ning EvaluateE on E’s decryption function. But this ap-
cryptosystems. Commun. ACM, 21(2):120–126, 1978.
proach is computationally expensive. Not only is the decryp-
tion function expressed (somewhat inefficiently) as a circuit, [7] N. P. Smart and F. Vercauteren. Fully homomorphic
but then EvaluateE replaces each bit in this circuit with a encryption with relatively small key and ciphertext
large ciphertext that encrypts that bit. Perhaps someone sizes, 2009. http://eprint.iacr.org/2009/571.
will find a more efficient blueprint. [8] W. van Dam, S. Hallgren, and L. Ip. Quantum
The scheme presented here, while conceptually simpler, algorithms for some hidden shift problems. SIAM J.
seems to be less efficient than the lattice-based scheme. To Comput., 36(3):763–778, 2006.
get 2λ security against known attacks – e.g., on the the ap- [9] M. van Dijk, C. Gentry, S. Halevi, and
proximate gcd problem – ciphertexts are λ5 · polylog(λ) bits, V. Vaikuntanathan. Fully homomorphic encryption over
which leads to λ10 · polylog(λ) computation to evaluate the the integers, 2009. http://eprint.iacr.org/2009/616.