Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Transcription

1 Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012 Bar-Ilan University Craig Gentry IBM Watson

2 Optimizations of Somewhat Homomorphic Encryption (SWHE) Constructions of Fully Homomorphic Encryption (FHE) Bar-Ilan University

3 And Better Management of Ciphertext Noise Bar-Ilan University

4 Focusing on the noise problem

5 Noisy Polly Cracker Version: Let χ be an error distribution. Distinguish these distributions: Bar-Ilan University Generate uniform s Z qn. For many i, generate e i χ and a linear polynomial f i (x 1,, x n ) = f 0 f 1 x 1 f n x n (from Z q n1 ) such that [f i (s 1,, s n )] q = e i. For many i, generate and output a uniformly random linear polynomial f i (x 1,, x n ) (from Z q n1 ).

6 Parameters: q such that gcd(q,2)=1. ADD and MULT: Output sum or product of ciphertext polynomials. Relinearize / Key-Switch Bar-Ilan University KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =2e i, e i q. Encrypt: Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = msmeven. Reduce mod 2.

7 ADD: c(x) = c 1 (x)c 2 (x). Noise of c(x) namely, [c(s)] q is sum of noises. MULT: c(x) = c 1 (x) c 2 (x). Noise [c(s)] q is product of noises. Sort of After MULT, there is relinearization step that adds a small amount to the noise. Function F: c(x) F(c 1 (x),,c t (x)). Noise [c(s)] q f(c 1 (s),,c t (s)) i.e., F applied to noises. Rough approximation: If F has degree d and fresh noises are bounded by B, c(x) has noise B d. Noise magnitude increases exponentially with degree.

8 SWHE ciphertexts must be large to let noise room to grow. Noise grows exponentially with degree. To successfully evaluate degree-d poly, noise B Ã B d without wrapping. So, coefficients of lattice vectors have > d bits. For security, we need it to be hard to B d-1 > 2 d -approximate lattice problems in 2 k time. Requires lattice dim > d k. Total ciphertext length > d 2 k bits.

9 Since total ciphertext length d 2 k bits, we have SWHE for bounded degree: Bar-Ilan University SWHE for bounded degree: A family of schemes E (d), d Z, that for security parameter k, E (d) can homomorphically evaluate functions of degree d. KeyGen, Enc, Dec, ADD, MULT are all poly(k,d). Eval has complexity polynomial in k, d, and circuit size. This is the best we can hope for when noise grows exponentially with degree.

10 Bar-Ilan University

11 Leveled FHE [Gen09]: Relaxation of FHE A family of schemes E (L), L Z, is leveled fully homomorphic if, for security parameter k, E (L) can homomorphically evaluate circuits of depth L, The Dec (decrypt) function is the same for all L, KeyGen, Enc, Dec, ADD, MULT are all poly(k,l). Eval has complexity polyomial in k, L, and circuit size. Humbler name for it: SWHE for bounded depth circuits.

12 Our fantasy: Noise doesn t grow exponentially with degree. There is some simple trick to reduce noise after MULTs. We get better noise management, hence shorter ciphertexts and SWHE for bounded depth. Bar-Ilan University

13 Crazy Idea [BV11b, BGV12]: Suppose c encrypts m that is, m = [[c(s)] q ] 2. Let s pick p<q and set c*(x) = (p/q) c(x), rounded. Maybe it is true that: c*(x) encrypts m: m = [[c*(s)] p ] 2 (new inner modulus). [c*(s)] p (p/q) [c(s)] q (noise is smaller). This really shouldn t work

14 Scaling lemma: Let p < q be odd moduli. Given c with m = [[<c,s>] q ] 2. Set c = (p/q)c. Set c to be the integer vector closest to c such that c = c mod 2. If [<c,s>] q < q/2 - (q/p) l 1 (s), then c is a valid encryption of m with possibly much less noise! m = [<c,s>] p ] 2. [<c,s>] p < (p/q) [<c,s>] q l 1 (s), where l 1 (s) is l 1 -norm of s.

15 Annotated Proof 1. For some k, [<c,s>] q =<c,s>-kq. 1. Imagine <c,s> is close to kq. 2. (p/q)[<c,s>] q = <c,s>-kp. 2. Then <c,s> is close to kp. 3. <c -c,s> < l 1 (s). 3. <c,s> close to kp if s is small. 4. Thus, <c,s>-kp < (p/q) [<c,s>] q l 1 (s) < p/2. 5. So, [<c,s>] p = <c,s> kp. 6. Since c = c and p = q mod 2, we have [<c,s>] p ] 2 =[<c,s>] q ] 2. Scaling lemma:let p<q be odd moduli. Given c with m = [[<c,s>] q ] 2. Set c = (p/q)c. Set c to be the integer (ring) vector closest to c such that c = c mod 2. If [<c,s>] q < q/2 - (q/p) l 1 (s), then: c is a valid encryption of m with possibly much less noise! m = [<c,s>] p ] 2, and [<c,s>] p < (p/q) [<c,s>] q l 1 (s).

16 Example: q=127, p=29, c=(175,212), s=(2,3) <c,s> mod q = = -30 c = (p/q) c = (39.9,48.4) To get c, we round down both values (39,48). <c,s> mod p = = -10 k=8 in both cases, and -30=-10 mod 2. The noise magnitude decreases from 30 to 10. But relative magnitude increases: 10/29 > 30/127.

17 Recall [<c,s>] p < (p/q) [<c,s>] q l 1 (s). Luckily [ACPS 2009] proved that LWE is hard even when s is small chosen from the error distribution χ. So we use this distribution for the secret keys.

18 Scaling lemma also holds for LPR10, BV11a. [LPR10]: Ring-LWE encryption scheme can can also have small secret keys, from the error distribution χ.

19 To evaluate a circuit of depth L Start with a large modulus q L and noise η «q L. After first MULT, noise grows to η 2. Switch the modulus to q L-1 q L /η. Noise reduced to η 2 /η η. After next MULT, noise again grows to η 2. Switch to q L-2 q L-1 /η to reduce the noise to η. Keep switching moduli after each layer. Setting q i-1 q i /η. ( Ladder of decreasing moduli.) Until the last modulus just barely satisfies q 1 > η.

20 Example: q 9 n 9 with modulus reduction. Noise Modulus Fresh ciphertexts η q 9 = η 9 Level-1, Degree=2 η q 8 = η 8 Level-2, Degree=4 η q 7 = η 7 Level-3, Degree=8 η q 6 = η 6 Level-4, Degree=16 η q 5 = η 5 Level-5, Degree=32 η q 4 = η 4 Level-6, Degree=64 η q 3 = η 3 Level-7, Degree=128 η q 2 = η 2 2/29/2012 Level-8, Degree=256 η q 1 = η

21 Example: q 9 n 9 with no modulus reduction. Noise Modulus Fresh ciphertexts η q 9 = η 9 Level-1, Degree=2 η 2 q 9 = η 9 Level-2, Degree=4 η 4 q 9 = η 9 Level-3, Degree=8 η 8 q 9 = η 9 Decryption error Level-4, Degree=16 η 16 q 9 = η 9 Level-5, Degree=32 η 32 Level-6, Degree=64 η 64 Level-7, Degree=128 η 128 2/29/2012 Level-8, Degree=256 η 256

22 To evaluate circuit of depth L; Largest modulus is q L q 1 L η L. Largest ciphertext is O(k poly(l)) bits, where k is the security parameter. Compare: without modulus reduction: ciphertext was O(k d 2 ) bits, where d was the degree (not the depth) of the circuit. Depth is logarithmic in degree. Exponential improvement.

23 Final ciphertext (at output level) is small q 1 is small. Use key-switching to reduce dimension of the ciphertext if needed ( dimension reduction [BV11b]). Final ciphertext can be as small as a normal (nonhomomorphic) Regev 05 ciphertext. We have SWHE for bounded depth circuits.

24 Based on (R)LWE, but for what approx factor? Approx factor = modulus/ noise = (poly(k)) depth. Previously, modulus/ noise = (poly(k)) degree.

25 [CNT12] extends the modulus reduction trick to the integer scheme.

26 Each ciphertext is packed with an array of plaintexts Bar-Ilan University

27 Ciphertexts are long, plaintexts are often short. Wasteful! Overhead of homomorphic encryption = (encrypted comp. time)/(unencrypted comp. time) > (ciphertext length)/(plaintext length)

28 Each ciphertext has an array of plaintext slots. An operation (,x) on a ciphertext acts separately, in parallel, on each plaintext slot (each index in array). Suppose two ciphertexts c and c have (b 1,b 2,b 3 ) and (b 1,b 2,b 3 ) respectively in their slots 3-ADD(c,c ) (b 1 b 1, b 2 b 2, b 3 b 3 ). 3-MULT(c,c ) (b 1 b 1, b 2 b 2, b 3 b 3 ). 3-ADD, 3-MULT cost same as ADD, MULT. Think Chinese Remainder Theorem.

29 Parameters: q such that gcd(q,2)=1. KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =2e i, e i q. Encrypt (m Z 2 ): Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = msmeven. Reduce mod 2. ADD and MULT: Output sum or product of ciphertext polynomials.

30 Parameters: q and small p 1,p 2,p 3 s.t. gcd(q,p 1 p 2 p 3 )=1. KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =p 1 p 2 p 3 e i, e i q. Encrypt (m Z p1p2p3 ): Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = m(mult of p 1 p 2 p 3 ). Reduce mod p 1 p 2 p 3. ADD and MULT: Output sum or product of ciphertext polynomials. By CRT, ADD and MULT operate separately on {m mod p i }.

31 Motivation: Better efficiency: RLWE more efficient than LWE even in non-batched setting. Batching works very well in RLWE-based SWHE.

32 Let R = Z[y]/h(y), p prime, R p = Z p [y]/h(y). Suppose h(y) = h i (y) mod p. Then R p Direct product of {Z p [y]/h i (y)}. Example: R = Z[y]/(y 4 1), p=17. (y 4 1) = (y-2)(y-8)(y-15)(y-9) mod 17 2, 8=2 3, 15=2 5, 9=2 7 are the primitive 8-th roots of unity mod 17. Z 17 [y]/(y 4 1) Direct product of Z 17 [y]/(y-2), Z 17 [y]/(y-8), m(y) Z 17 [y]/(y 4 1) is determined by its evaluations at 2, 8, 15, 9.

33 Parameters: q with gcd(q,2)=1, R = Z[y]/(y n 1), R 2 = Z 2 [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)=2e i, e i q. Encrypt(m R 2 ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = msmeven. Reduce mod 2. ADD and MULT: Add or multiply the ciphertext polynomials.

34 Parameters: p, q with gcd(q,p)=1,r = Z[y]/(y n 1), R p = Z p [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)= pe i, e i q. Encrypt(m R p ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = m(p multiple). Reduce mod p. ADD and MULT: Add or multiply the ciphertext polynomials.

35 Parameters: p, q with gcd(q,p)=1,r = Z[y]/(y n 1), R p = Z p [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)= pe i, e i q. Encrypt(m R p ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = m(p multiple). Reduce mod p. Set p = 1 mod 2n, so p has n primitive 2n-th roots of unity. Then, R p splits. ADD and MULT: Add or multiply the ciphertext polynomials. Message m(y) in R p has n plaintext slots for m s evaluations at primitive n-th roots of unity mod p.

36 Plaintexts are m(y) R p = Z p [y]/(y n 1), represented by evaluations m(α i ), where α i s are primitive n-th roots of unity mod p. m 1 (y)m 2 (y) m 1 (α 1 )m 2 (α 1 ),, m 1 (α n )m 2 (α n ). m 1 (y) m 2 (y) m 1 (α 1 ) m 2 (α 1 ),, m 1 (α n ) m 2 (α n ). F(m 1 (y),,m t (y)) F(m 1 (α 1 ),,m t (α 1 )),, F(m 1 (α n ),,m t (α n )). Compute F on n inputs {(a 1i,, a ti ) : i 2 [n]} in parallel by setting {m i (y)} so that m i (α j ) = a ij.

37 Array of length n n-add

38 Array of length n n-mult

39 Array of length n Bar-Ilan University Function F % % % % % % % % % % Great for computing same function F on n different input strings. We can do SIMD homomorphically.

40 Bar-Ilan University

41 x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 ADD and MULT are a complete set of operations.

42 Bar-Ilan University x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 n-add and n-mult are NOT a complete set of operations.

43 Bar-Ilan University n-mult n-permute(π) x 1 x 2 x 3 x 4 x 5 x 7 x 1 x 2 x 3 x 4 x 5 x x 1 0 x x 2 0 x n-add x 1 x x 2 x x 1 x 2 x 3 x 4

44 Ring Automorphisms! Bar-Ilan University How do we Evaluate n-permute(π) homomorphically, without decompressing the packed ciphertexts?

45 Map a(y) b(y) = a(y i ) mod (y n 1), where i 2 Z 2n *. Bar-Ilan University a(x) = a(α 1 ) a(α 2 ) a(α n-1 ) a(α n ) b(x) = = a(α 1i ) a(α 2i ) a(α n-1i ) a(α ni ) a(α π(1) ) a(α π(2) ) a(α π(n-1) ) a(α π(n) ) b(y) has the same evaluations as a(y), but permuted!

46 Given ciphertext c 1 (y) x c 0 (y) with c 1 (y) s(y)c 0 (y) = m(y)p e(y) (mod q, y n 1) c 1 (y i ) s(y i )c 0 (y i ) = m(y i )p e(y i ) (mod q, y in 1), i 2 Z 2n *. c 1 (y i ) s(y i )c 0 (y i ) = m(y i )p e(y i ) (mod q, y n 1), i 2 Z 2n *. c 1 (y i ) x c 0 (y i ) is an encryption of m(y i ) under key s(y i ). Key switch s(y) s(y i ) to get encryption of m(y i ) under normal key s(y).

47 The Basic Permutations (b(y) = a(y i )): Only n (out of n!) of the possible permutations. Automorphism group Gal(Q(α)/Q) Z 2n *. Think of the automorphisms as n-rotate(i), which rotates the n items i steps clockwise, like a dial. Claim: For any permutation π, we can build n-permute(π) efficiently from n-add, n-mult, and n-rotate(i).

48 Butterfly network: assume n = 2 k. n-permute(π) can be realized by a butterfly network of 2k-1 levels of n-swap(i,s) ops, i2{1,,2k-1}, s2{0,1} n/2. At level i, the 2 k items are partitioned into n/2 pairs, each pair with k-bit indices differing only in i-k -th bit. n-swap(i,s) swaps the j-th pair iff s j =1.

49 8-SWAP(2,0110) Potential Swaps

50 8-SWAP(2,0110) Actual Swaps ROTATE(2) ROTATE(-2)

51 8-SWAP(2,0110) Actual Swaps ROTATE(2) ROTATE(-2)

52 8-SWAP(2,0110) n-mult

53 8-SWAP(2,0110)

54 8-SWAP(2,0110) n-mult

55 8-SWAP(2,0110)

56 8-SWAP(2,0110) n-mult

57 8-SWAP(2,0110)

58 8-SWAP(2,0110) n-add

59 Overhead of batched RLWE-based BGV12 SWHE for security parameter k: = (encrypted comp. time)/(unencrypted comp. time) = poly(log q L, log w) = poly(l, log k, log w), where w is the maximum width of circuit being evaluated.

60 and the bootstrapping step Bar-Ilan University

61 So far, we can evaluate bounded depth F: x 1 F Bar-Ilan University x 2 c F(x 1, x 2,, x t ) x t We have a noisy evaluated ciphertext c. We want to get a less noisy c that encrypts the same value, but with less noise. Bootstrapping refreshes ciphertexts, using the encrypted secret key. 61

62 For ciphertext c, consider D c (sk) = Decrypt sk (c) Suppose D c ( ) is a low-depth polynomial in sk. Include in the public key also Enc pk (sk). sk 1 c y D c New encryption of y, with less noise. sk 2 sk n c D c (sk) = Decrypt sk (c) = y Homomorphic computation applied only to the fresh encryption of sk. 62

63 Recall: Complexity of BGV12 (and BV11b) decryption is independent of L, the depth it can evaluate. Set L > 1depth needed to evaluate D C. Then, homomorphic decryption reduces the noise level. (Use recursively.) We now have FHE (modulo a circular security issue).

64 Decryption function computable in depth O(log k). Our somewhat homomorphic scheme only needs to compute circuits of depth O(log k). Bar-Ilan University BGV12 performance with bootstrapping: Ciphertext size can be quasi-linear in k. ADD and MULT take Ō(k) time. Bootstrapping takes Ō(k 2 ) time. Actually, with batching, we can reduce it to Ō(k) amortized. Overhead is poly(l, log k, log w) = poly(log k, log w), where w is the maximum width of circuit being evaluated. Security can be based on quasi-polynomial factors: 2 Ō(log2 k) versus 2 kc (R)LWE.

65 A hybrid FHE scheme that combines lattices and Elgamal Bar-Ilan University

66 Goal: Construct a bootstrappable SWHE scheme. Bar-Ilan University Problem SWHE schemes don t handle multiplication well, it amplifies the noisiness of ciphertexts. But Elgamal cannot alternate between additions and multiplications Solution? Elgamal handles multiplication well! Maybe Elgamal can help! Suppose the decryption function puts all of the mults together, without alternation? Can Elgamal help with the product part?

67 SWHE: Use a lattice-based SWHE scheme, as before. Express SWHE decryption as a ciphertext-dependent depth-3 (ΣΠΣ) arithmetic circuit applied secret key. P 1 c 1 c k fan-in P k L 1,1 X X X X L1,d1 a 1 x 1... a n x n a 0 1 L i,j = a 0 Σ t=1 n a t x t P i = Π j = 1 d i L i,j C(x) = Σ i=1 k c i P i = Σ i c i Π j L i,j

68 Bootstrapping: Evaluate depth-3 circuit homomorphically by combining a SWHE scheme with a helper MHE (multiplicative homomorphic enc.) scheme, like Elgamal: Bottom Sums: Get MHE encryptions of the bottom sums. (Can put all needed MHE ciphertexts in public key.) Products: Evaluate them homomorphically using MHE scheme. Translation: Translate each ciphertext Enc MHE (m) to Enc SWHE (m) by evaluating MHE decryption homomorphically. Top Sum: Evaluate top sum under the SWHE scheme.

69 Main high-level idea: The SWHE scheme only needs enough homomorphic capacity to evaluate the MHE scheme s decryption, not its own decryption. Breaks the self-referentiality of bootstrapping.

70 SWHE Scheme MHE Scheme Bar-Ilan University Chimera (mythology): 1) A monstrous fire-breathing female creature composed of the parts of multiple animals: upon the body of a lioness with a tail that ended in a snake s head, the head of a goat arose on her back. 2) The term chimera has also come to mean, more generally, an impossible or foolish fantasy, hard to believe.

71 Bar-Ilan University

72 Typically, they can be computed using restricted depth-3 circuits. Proven already for Regev s cryptosystem by Klivans and Sherstov. Bar-Ilan University

73 Bar-Ilan University Elementary symmetric polynomial e k (x 1,, x n ): sum of all monomials that are products of exactly k distinct variables. Cool fact: e k (x) mod p can be computed by a depth-3 arithmetic circuit (for large enough p) How? If P(z) = P i (zx 1 ), then e k (x) is the coefficient of z n-k Computing P(z): evaluate P(z) in n1 points, Observe: interpolate the bottom Let A = {a 1,, a n1 } be some subset of Zsums p are restricted. Bottom Sums: Compute a j x i for all x i s and a j s. Products: Compute λ j P(a j ) = Π i (a j x i ) for all j. Top Sum: Interpolate j λ j P(a j ) to get desired coefficient of P(z).

74 Multilinear symmetric polynomials (MSPs): Bar-Ilan University MSPs are symmetric, and each variable has degree 1 MSPs are linear combinations of elementary symmetric polynomials (ESPs) MSPs can be computed by restricted depth-3 circuits. Lattice-based decryption functions can be expressed as restricted MSPs.

75 Bar-Ilan University

76 MHE scheme: Elgamal over QR(p) p = 2q1 be a safe prime SWHE scheme: Plaintext space = Z p. Decryption is a restricted depth-3 arithmetic circuit over Z p.

77 FHE.KeyGen: Generate Elgamal key (e L, g e L ), SWHE key ({sil }, pk i ), for every level L in the circuit Encrypt individual bits of e L under k L1. Encrypt values a j s i (in Z p ) under Elgamal for a j in A. Note: A is our set of interpolation points in our MSP. Technicality: the a j s must be chosen so that a j and a j 1 are both in QR(p), the plaintext space of Elgamal. Publish the public keys and encrypted secret keys.

78 To refresh a level-i ciphertext c: First, express SWHE.Dec(c,s) as a c-dependent restricted depth-3 circuit taking key s as input. Bar-Ilan University c 2 c 1 X X X X a 4 s 1 a 4 s 2 a 4 s 3

79 Refresh.BottomSums: Pick up the Elgamal encryptions of a j s i from PK. The bottom sums have been precomputed. Refresh.Products: Compute c j P(a j ) = c j Π i (a j s i ) mod p homomorphically using Elgamal. Refresh.Translation: Translate to SWHE for the addition X X c 2 X c 1 X Bar-Ilan University Uses Elgamal.Mult for products Elgamal.Enc(a j s i ) in the public key a 4 s 1 a 4 s 2 a 4 s 3

80 Refresh.Translation: Goal: Convert (y, z) = (g r, mg -er ) to a SWHE ciphertext. Precompute y i = y 2 i mod p for all i up to log q. Inside SWHE, compute y e[i]2 i = e[i] y 2 i (1-e[i])y 0 mod p. Inside SWHE, compute product of y e[i]2i s to get y e. The degree of this product is log q. Inside SWHE, compute product of y e and z to get m. Refresh.TopSum: Just do it inside the SWHE scheme.

81 Required homomorphic capacity of SWHE scheme: Evaluate Elgamal decryption, plus an ADD or MULT. Overall degree = 2 log q. Set SWHE parameters large to evaluate polynomials of degree 2 log q. Done!

82 Bar-Ilan University

83 Bar-Ilan University [ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. Crypto [BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. Fully homomorphic encryption without bootstrapping. ITCS [BV11a] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-lwe and security for key dependent messages. Crypto [BV11b] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. FOCS [CNT12] Jean-Sebastien Coron, David Naccache, and Mahdi Tibouchi. Public-Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Eurocrypt [GH11b] Craig Gentry and Shai Halevi. Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits. FOCS [GHS12] Craig Gentry, Shai Halevi, and Nigel Smart. Fully Homomorphic Encryption with Polylog Overhead. Eurocrypt [SV11] Nigel P. Smart, Frederik Vercauteren. Fully Homomorphic SIMD Operations. eprint.iacr.org/2011/133.

84 We can compress the entire FHE ciphertext down to a single MHE (e.g., Elgamal) ciphertext Choose a j s cleverly so that all products P(a j ) can be computed just from P(a 1 ) Recall: P(z) = Π i (zs i ) where s i is a secret key bit. We only store P(a 1 ) e.g., a single Elgamal ciphertext! Note: P(a j ) can be computed homomorphically from P(a 1 ) within the MHE scheme. Set a j such that we know (w j, e j ) such that a j = w j a e j 1 mod p, and a j 1 = w j (a 1 1) e j mod p How? Choose e j and set a j = a ej 1 /((a 1 1) ej a ej 1 ) and w j = a j /a ej 1. Then, P(a j ) = w jd P(a 1 ) e j mod p

85 Lemma: Let p be a prime. Let S = {(u,v): u 0, v 0, u 2 -v 2 = 1 mod p} Then, S = p-3 or p-5, depending on whether p = 3 or 1 mod 4. Proof: For each pair (u,v) in S, let a uv = uv. Then a uv -1 = u-v, and we have: u = (a uv a uv -1 )/2 and v = (a uv - a uv -1 )/2 implying that a uv determines u and v uniquely. So, for we have S = T. T = {a 0 : aa -1 0, a-a -1 0}, We have that a is in T unless a = 0, a 2 = -1, or a 2 = ±1. If p = 1 mod 4, then -1 in QR(p), and there are 5 prohibited values. If p = 3 mod 4, then -1 is not a residue, and there are 3 prohibited values.