Efficient Fully Homomorphic Encryption from (Standard) LWE
∗
Zvika Brakerski
†
Vinod Vaikuntanathan
‡
Abstract
We present a fully homomorphic encryption scheme that is based solely on the (standard)
learning with errors (LWE) assumption. Applying known results on LWE, the security of our
scheme is based on the worst-case hardness of “short vector problems” on arbitrary lattices.
Our construction improves on previous works in two aspects:
1. We show that “somewhat homomorphic” encryption can be based on LWE, using a new re-
linearization technique. In contrast, all previous schemes relied on complexity assumptions
related to ideals in various rings.
2. We deviate from the “squashing paradigm” used in all previous works. We introduce a
new dimension-modulus reduction technique, which shortens the ciphertexts and reduces
the decryption complexity of our scheme, without introducing additional assumptions.
Our scheme has very short ciphertexts and we therefore use it to construct an asymptotically
efficient LWE-based single-server private information retrieval (PIR) protocol. The communi-
cation complexity of our protocol (in the public-key model) is k · polylog(k) + log |DB| bits per
single-bit query (here, k is a security parameter).
∗
A preliminary version appeared in Proceedings of the 52
nd
IEEE Foundations of Computer Science, 2011.
†
Weizmann Institute of Science. Email: zvika.brakerski@weizmann.ac.il. The author’s research was supported
by ISF grant 710267, BSF grant 710613, and NSF contracts CCF-1018064 and CCF-0729011.
‡
University of Toronto. Email: vinodv@cs.toronto.edu. Part of this work was done while the author was
at Microsoft Research, Redmond. This work was also partially supported by an NSERC Discovery Grant, and by
DARPA under Agreement number FA8750-11-2-0225. The U.S. Government is authorized to reproduce and distribute
reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions
contained herein are those of the author and should not be interpreted as necessarily representing the official policies
or endorsements, either expressed or implied, of DARPA or the U.S. Government.
1 Introduction
Fully-homomorphic encryption is one of the holy grails of modern cryptography. In a nutshell, a
fully homomorphic encryption scheme is an encryption scheme that allows evaluation of arbitrar-
ily complex programs on encrypted data. The problem was suggested by Rivest, Adleman and
Dertouzos [RAD78] back in 1978, yet the first plausible candidate came thirty years later with
Gentry’s breakthrough work in 2009 [Gen09b, Gen10] (although, there has been partial progress in
the meanwhile [GM82, Pai99, BGN05, IP07]).
Gentry’s breakthrough work demonstrated the first construction of fully homomorphic encryp-
tion in 2009. However, his solution involved new and relatively untested cryptographic assumptions.
Our work aims to put fully homomorphic encryption on firm grounds by basing it on the hardness
of standard, well-studied mathematical problems.
The main building block in Gentry’s construction (a so-called “somewhat” homomorphic en-
cryption scheme) was based on the (worst-case, quantum) hardness of problems on ideal lattices.
1
Although lattices have become standard fare in cryptography and lattice problems have been rela-
tively well-studied, ideal lattices are a special breed that we know relatively little about. Ideals are
a natural mathematical object to use to build fully homomorphic encryption in that they natively
support both addition and multiplication (whereas lattices are closed under addition only). Indeed,
all subsequent constructions of fully homomorphic encryption [SV10, DGHV10, BV11a] relied on
ideals in various rings in an explicit way. Our first contribution is the construction of a “somewhat”
homomorphic encryption scheme whose security relies solely on the (worst-case, classical) hardness
of standard problems on arbitrary (not necessarily ideal) lattices.
Secondly, in order to achieve full homomorphism, Gentry had to go through a so-called “squash-
ing step” which forced him to make an additional, strong hardness assumption – namely, the hard-
ness of the (average-case) sparse subset-sum problem. As if by a strange law of nature, all the
subsequent solutions encountered the same difficulty as Gentry did in going from a “somewhat”
to a fully homomorphic encryption, and they all countered this difficulty by relying on the same
sparse subset-sum assumption. This additional assumption was considered to be the main caveat
of Gentry’s solution and removing it has perhaps been the main open problem in the design of
fully homomorphic encryption schemes. Our second contribution is to remove the necessity of this
additional assumption.
Thus, in a nutshell, we construct a fully homomorphic encryption scheme whose security is based
solely on the classical hardness of solving standard lattice problems in the worst-case.
2
Specifically,
out scheme is based on the learning with errors (LWE) assumption that is known to be at least as
difficult as solving hard problems in general lattices. Thus our solution does not rely on lattices
directly and is fairly natural to understand and implement.
To achieve our goals, we deviate from two paradigms that ruled the design of (a handful of)
candidate fully homomorphic encryption schemes [Gen09b, SV10, DGHV10, BV11a]:
1. We introduce the re-linearization technique, and show how to use it to obtain a somewhat
homomorphic encryption that does not require hardness assumptions on ideals.
1
Roughly speaking, ideal lattices correspond to a geometric embedding of an ideal in a number field. See [LPR10]
for a precise definition.
2
Strictly speaking, under this assumption, our scheme can evaluate polynomial-size circuits with a-priori bounded
(but arbitrary) depth. A fully homomorphic encryption scheme independent of the circuit depth can be obtained by
making an additional “circular security” assumption. See Section 3.
1
2. We present a dimension-modulus reduction technique, that turns our somewhat homomorphic
scheme into a fully homomorphic one, without the need for the seemingly artificial squashing
step and the sparse subset-sum assumption.
We provide a detailed overview of these new techniques in Sections 1.1 and 1.2 below.
Interestingly, the ciphertexts of the resulting fully homomorphic scheme are very short. This is
a desirable property which we use, in conjunction with other techniques, to achieve very efficient
private information retrieval protocols. See also Section 1.3 below.
1.1 Re-Linearization: Somewhat Homomorphic Encryption without Ideals
The starting point of Gentry’s construction is a “somewhat” homomorphic encryption scheme. For
a class of circuits C, a C-homomorphic scheme is one that allows evaluation of any circuit in the
class C. The simple, yet striking, observation in Gentry’s work is that if a (slightly augmented)
decryption circuit for a C-homomorphic scheme resides in C, then the scheme can be converted (or
“bootstrapped”) into a fully homomorphic encryption scheme.
It turns out that encryption schemes that can evaluate a non-trivial number of addition and
multiplication operations
3
are already quite hard to come by (even without requiring that they are
bootstrappable).
4
Gentry’s solution to this was based on the algebraic notion of ideals in rings.
In a very high level, the message is considered to be a ring element, and the ciphertext is the
message masked with some “noise”. The novelty of this idea is that the noise itself belonged to
an ideal I. Thus, the ciphertext is of the form m + xI (for some x in the ring). Observe right
off the bat that the scheme is born additively homomorphic; in fact, that will be the case with
all the schemes we consider in this paper. The ideal I has two main properties: first, a random
element in the ideal is assumed to “mask” the message; and second, it is possible to generate a
secret trapdoor that “annihilates” the ideal, i.e., implementing the transformation m + xI → m.
The first property guarantees security, while the second enables decrypting ciphertexts. Letting c
1
and c
2
be encryptions of m
1
and m
2
respectively,
c
1
c
2
= (m
1
+ xI)(m
2
+ yI) = m
1
m
2
+ (m
1
y + m
2
x + xyI)I = m
1
m
2
+ zI
When decrypting, the ideal is annihilated and the product m
1
m
2
survives. Thus, c
1
c
2
is indeed an
encryption of m
1
m
2
, as required. This nifty solution required, as per the first property, a hardness
assumption on ideals in certain rings. Gentry’s original work relied on hardness assumptions on
ideal lattices, while van Dijk, Gentry, Halevi and Vaikuntanathan [DGHV10] presented a different
instantiation that considered ideals over the integers.
Our somewhat homomorphic scheme is based on the hardness of the “learning with errors”
(LWE) problem, first presented by Regev [Reg05]. The LWE assumption states that if s ∈ Z
n
q
is an
n dimensional “secret” vector, any polynomial number of “noisy” random linear combinations of
3
All known scheme, including ours, treat evaluated functions as arithmetic circuits. Hence we use the terminology
of “addition and multiplication” gates. The conversion to the Boolean model (AND, OR, NOT gates) is immediate.
4
We must mention here that we are interested only in compact fully homomorphic encryption schemes, namely ones
where the ciphertexts do not grow in size with each homomorphic operation. We will also look at mildly non-compact
homomorphic encryption schemes where the ciphertexts grow as a sub-linear function of the size of the evaluated
circuit. If we do allow the ciphertexts to grow linearly with the size of the evaluated circuit, a number of solutions
are possible. See, e.g., [SYY99, GHV10a, MGH10].
2
the coefficients of s are computationally indistinguishable from uniformly random elements in Z
q
.
Mathematically,
a
i
, ha
i
, si + e
i
poly(n)
i=1
c
≈
a
i
, u
i
poly(n)
i=1
,
where a
i
∈ Z
n
q
and u
i
∈ Z
q
are uniformly random, and the “noise” e
i
is sampled from a noise distri-
bution that outputs numbers much smaller than q (an example is a discrete Gaussian distribution
over Z
q
with small standard deviation).
The LWE assumption does not refer to ideals, and indeed, the LWE problem is at least as hard
as finding short vectors in any lattice, as follows from the worst-case to average-case reductions of
Regev [Reg05] and Peikert [Pei09]. As mentioned earlier, we have a much better understanding of
the complexity of lattice problems (thanks to [LLL82, Ajt98, Mic00] and many others), compared
to the corresponding problems on ideal lattices. In particular, despite considerable effort, the best
known algorithms to solve the LWE problem run in time nearly exponential in the dimension n.
5
The
LWE assumption also turns out to be particularly amenable to the construction of simple, efficient
and highly expressive cryptographic schemes (e.g., [Reg05, GPV08, AGV09, ACPS09, CHKP10,
ABB10] and many others). Our construction of a fully homomorphic encryption scheme from LWE
is perhaps a very strong testament to its power and elegance.
Constructing a (secret-key) encryption scheme whose security is based on the LWE assumption
is rather straightforward. To encrypt a bit m ∈ {0, 1} using secret key s ∈ Z
n
q
, we choose a random
vector a ∈ Z
n
q
and a “noise” e and output the ciphertext
c = (a, b = ha, si + 2e + m) ∈ Z
n
q
× Z
q
The key observation in decryption is that the two “masks” – namely, the secret mask ha, si and
the “even mask” 2e – do not interfere with each other.
6
That is, one can decrypt this ciphertext
by annihilating the two masks, one after the other: The decryption algorithm first re-computes
the mask ha, si and subtracts it from b, resulting in 2e + m (mod q).
7
If we choose e to be small
enough, then 2e + m (mod q) = 2e + m. Removing the even mask is now easy – simply compute
2e + m modulo 2.
8
As we will see below, the scheme is naturally additive homomorphic, yet multiplication presents
a thorny problem. In fact, a recent work of Gentry, Halevi and Vaikuntanathan [GHV10b] showed
that (a slight variant of) this scheme supports just a single homomorphic multiplication, but at the
expense of a huge blowup to the ciphertext which made further advance impossible.
To better understand the homomorphic properties of this scheme, let us shift our focus away
from the encryption algorithm, on to the decryption algorithm. Given a ciphertext (a, b), consider
the symbolic linear function f
a,b
: Z
n
q
→ Z
q
defined as:
f
a,b
(x) = b − ha, xi (mod q) = b −
n
X
i=1
a[i] · x[i] ∈ Z
q
5
The nearly exponential time is for a large enough error (i.e., one that is a 1/poly(n) fraction of the modulus q).
For smaller errors, as we will encounter in our scheme, there are better – but not significantly better – algorithms.
In particular, if the error is a 1/2
n
fraction of the modulus q, the best known algorithm runs in time approx. 2
n
1−
.
6
We remark that using 2e instead of e as in the original formulation of LWE does not adversely impact security,
so long as q is odd (since in that case 2 is a unit in Z
q
).
7
Throughout this paper, we use x (mod q) to denote the unique residue of x in the interval [−q/2, q/2).
8
Although our simplified presentation of Gentry’s scheme above seems to deal with just one mask (the “secret
mask”), in reality, the additional “even mask” existed in the schemes of [Gen09b, DGHV10] as well. Roughly speaking,
they needed this to ensure semantic security, as we do.
3
where x = (x[1], . . . , x[n]) denotes the variables, and the ciphertext (a, b) defines the public coeffi-
cients of the linear equation. Clearly, decryption of the ciphertext (a, b) is nothing but evaluating
this function on the secret key s (and then taking the result modulo 2).
9
Homomorphic addition and multiplication can now be described in terms of this function f.
Adding two ciphertexts corresponds to the addition of two linear functions, which is again another
linear function. In particular, f
(a+a
0
,b+b
0
)
(x) = f
a,b
(x)+ f
(a
0
,b
0
)
(x) is the linear function correspond-
ing to the “homomorphically added” ciphertext (a + a
0
, b + b
0
). Similarly, multiplying two such
ciphertexts corresponds to a symbolic multiplication of these linear equations
f
(a,b)
(x) · f
(a
0
,b)
(x) = (b −
X
a[i]x[i]) · (b
0
−
X
a
0
[i]x[i])
= h
0
+
X
h
i
· x[i] +
X
h
i,j
· x[i]x[j] ,
which results in a degree-2 polynomial in the variables x = (x[1], . . . , x[n]), with coefficients h
i,j
that can be computed from (a, b) and (a
0
, b
0
) by opening parenthesis of the expression above.
Decryption, as before, involves evaluating this quadratic expression on the secret key s (and then
reducing modulo 2). We now run into a serious problem – the decryption algorithm has to know
all the coefficients of this quadratic polynomial, which means that the size of the ciphertext just
went up from n + 1 elements to (roughly) n
2
/2.
This is where our re-linearization technique comes into play. Re-linearization is a way to reduce
the size of the ciphertext back down to n + 1. The main idea is the following: imagine that we
publish “encryptions” of all the linear and quadratic terms in the secret key s, namely all the
numbers s[i] as well as s[i]s[j], under a new secret key t. Thus, these ciphertexts (for the quadratic
terms) look like (a
i,j
, b
i,j
) where
b
i,j
= ha
i,j
, ti + 2e
i,j
+ s[i] · s[j] ≈ ha
i,j
, ti + s[i] · s[j] .
10
where the expression x ≈ y means that the absolute difference between x and y is small.
Now, the sum h
0
+
P
h
i
· s[i] +
P
h
i,j
· s[i]s[j] can be written (approximately) as
h
0
+
X
h
i
(b
i
− ha
i
, ti) +
X
i,j
h
i,j
· (b
i,j
− ha
i,j
, ti) ,
which, lo and behold, is a linear function in t! The bottom-line is that multiplying the two linear
functions f
(a,b)
and f
(a
0
,b
0
)
and then re-linearizing the resulting expression results in a linear function
(with n + 1 coefficients), whose evaluation on the new secret key t results in the product of the two
original messages (upon reducing modulo 2). The resulting ciphertext is simply the coefficients of
this linear function, of which there are at most n + 1. This ciphertext will decrypt to m · m
0
using
the secret key t.
In this semi-formal description, we ignored an important detail which has to do with the fact
that the coefficients h
i,j
are potentially large. Thus, even though (b
i,j
− ha
i,j
, ti) ≈ s[i]s[j], it may
be the case that h
i,j
· (b
i,j
− ha
i,j
, ti) 6≈ h
i,j
· s[i]s[j]. This is handled by considering the binary
9
The observation that an LWE-based ciphertext can be interpreted as a linear equation of the secret was also used
in [BV11a].
10
Actually, calling these “encryptions” is inaccurate: s[i] · s[j] ∈ Z
q
is not a single bit and therefore the “ciphertext”
cannot be decrypted. However, we feel that thinking of these as encryptions may benefit the reader’s intuition.
4