Faster Fully Homomorphic Encryption

Size: px

Start display at page:

Download "Faster Fully Homomorphic Encryption"

Maude Gibson
5 years ago
Views:

1 Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 1/21

2 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21

3 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21

4 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21

5 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 3/21

6 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21

7 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21

8 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21

9 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21

10 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21

11 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21

12 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21

13 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21

14 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21

15 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21

16 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21

17 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21

18 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21

19 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21

20 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21

21 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21

22 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21

23 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21

24 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Using the lattice rule of thumb for both BDD and S(V)SSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 9/21

25 The Sparse Vector Subset Sum Problem SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Resembles Sparse Subset Sum Problem (with integers rather than ring elements), used for server-aided RSA. Gentry showed that FullHom is secure assuming the hardnesses of: BDD γ for ideal lattices, for a large γ. SVSSP nset,n sub for specific values of n sub n set. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

26 The Sparse Vector Subset Sum Problem SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Resembles Sparse Subset Sum Problem (with integers rather than ring elements), used for server-aided RSA. Gentry showed that FullHom is secure assuming the hardnesses of: BDD γ for ideal lattices, for a large γ. SVSSP nset,n sub for specific values of n sub n set. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

27 Known attacks on SVSSP SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Birthday paradox. Requires time ( n set n sub ) 1/2. Lattice attack: s is likely to be a shortest non-zero vector in L = {x Z nset : i x i a i = 0 mod 2J}. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

28 Known attacks on SVSSP SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Birthday paradox. Requires time ( n set n sub ) 1/2. Lattice attack: s is likely to be a shortest non-zero vector in L = {x Z nset : i x i a i = 0 mod 2J}. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

29 Analysis of the lattice attack against SVSSP dim(l) = n set. λ(l) [1, n sub ]. L = {x Z nset : i x ia i = 0 mod 2J}. det(l) det(2j) = 2 n det(j). Former analysis: n set log 2 det(2j) implies the existence of too many short vectors (via Minkowski s theorem). Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

30 Analysis of the lattice attack against SVSSP dim(l) = n set. λ(l) [1, n sub ]. L = {x Z nset : i x ia i = 0 mod 2J}. det(l) det(2j) = 2 n det(j). Former analysis: n set log 2 det(2j) implies the existence of too many short vectors (via Minkowski s theorem). Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

31 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

32 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

33 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

34 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Using fewer multiplications to homomorphically decrypt. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

35 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

36 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

37 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

38 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

39 Degree of the decryption Dominating component: sum of n sub reals y 1,...,y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. Step 2 dominates. If k S j,k2 k is the binary representation of S j, then S j,k has algebraic degree 2 k. S j can be as large as n sub decryption degree n sub Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

40 Degree of the decryption Dominating component: sum of n sub reals y 1,...,y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. Step 2 dominates. If k S j,k2 k is the binary representation of S j, then S j,k has algebraic degree 2 k. S j can be as large as n sub decryption degree n sub Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

41 Shallower decryption: first remark Dominating component: sum of n sub reals y 1,...y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. S j needs only being evaluated mod 2 j+1. Since j p, the decryption degree is min(2 p+1, n sub ). But which p do we need? Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

42 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

43 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

44 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

45 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

46 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

47 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

48 Remarks on the shallower decryption Making the ε i s iid with expectancy 0 requires some care. Decryption is now probabilistic: it fails with negligible prob. Additional difficulty for the KDM-variant of Gentry s FullHom (to ensure independence). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

49 Conclusion Let q = det(2j), security goal 2 t. Condition [Gentry 09] Here Ideal-BDD hard q ( 1/n c n/t SVSSP-Combinatorial nset ) n sub 2 2t nset SVSSP-Lattice n set = Ω(log q) 2 t = Ω(log q) Bootstrappability n sub log q 1/n nsub < log q 1/n Complexity of homomorphically evaluating one gate: n set log q : Õ(t 6 ) Õ(t3.5 ). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

50 Conclusion Let q = det(2j), security goal 2 t. Condition [Gentry 09] Here Ideal-BDD hard q ( 1/n c n/t SVSSP-Combinatorial nset ) n sub 2 2t nset SVSSP-Lattice n set = Ω(log q) 2 t = Ω(log q) Bootstrappability n sub log q 1/n nsub < log q 1/n Complexity of homomorphically evaluating one gate: n set log q : Õ(t 6 ) Õ(t3.5 ). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

51 Open problems 1 Faster scheme, e.g., using more bits in the plaintext (see work by Smart and Vercauteren). 2 Fewer security assumptions, e.g., no S(V)SSP. 3 Better understood security assumptions: can we rely on more classical assumptions? can we improve Gentry s CRYPTO 10 reduction? 4 What about practice? (see work by Gentry and Halevi). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21

Faster Fully Homomorphic Encryption

Faster Fully Homomorphic Encryption Damien Stehlé 1,2 and Ron Steinfeld 2 1 CNRS/Department of Mathematics and Statistics (F07), University of Sydney NSW 2006, Australia. damien.stehle@gmail.com http://perso.ens-lyon.fr/damien.stehle