ECCC-Report TR11-111https://eccc.weizmann.ac.il/report/2011/111Comments and Revisions published for TR11-111en-usWed, 10 Aug 2011 10:13:27 +0300
Paper TR11-111
| Fully Homomorphic Encryption without Bootstrapping |
Zvika Brakerski,
Craig Gentry,
Vinod Vaikuntanathan
https://eccc.weizmann.ac.il/report/2011/111We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), {\em without Gentry's bootstrapping procedure}.
Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have $2^{\lambda}$ security against known attacks. For RLWE, we have:
(1) A leveled FHE scheme that can evaluate $L$-level arithmetic circuits with $\tilde{O}(\lambda \cdot L^3)$ per-gate computation -- i.e., computation {\em quasi-linear} in the security parameter. Security is based on RLWE for an approximation factor exponential in $L$. This construction does not use the bootstrapping procedure.
(2) A leveled FHE scheme that uses bootstrapping {\em as an optimization}, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\lambda^2)$, {\em independent of $L$}. Security is based on the hardness of RLWE for {\em quasi-polynomial} factors (as opposed to the sub-exponential factors needed in previous schemes).
We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width -- e.g., where a constant fraction of levels have width at least $\lambda$ -- we can reduce the per-gate computation of the bootstrapped version to $\tilde{O}(\lambda)$, independent of $L$, by {\em batching the bootstrapping operation}. Previous FHE schemes all required $\tilde{\Omega}(\lambda^{3.5})$ computation per gate.
At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).Wed, 10 Aug 2011 10:13:27 +0300https://eccc.weizmann.ac.il/report/2011/111