Under the auspices of the Computational Complexity Foundation (CCF)

REPORTS > DETAIL:

### Paper:

TR11-111 | 10th August 2011 06:37

#### Fully Homomorphic Encryption without Bootstrapping

TR11-111
Authors: Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan
Publication: 10th August 2011 10:13
Keywords:

Abstract:

We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), {\em without Gentry's bootstrapping procedure}.

Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have $2^{\lambda}$ security against known attacks. For RLWE, we have:

(1) A leveled FHE scheme that can evaluate $L$-level arithmetic circuits with $\tilde{O}(\lambda \cdot L^3)$ per-gate computation -- i.e., computation {\em quasi-linear} in the security parameter. Security is based on RLWE for an approximation factor exponential in $L$. This construction does not use the bootstrapping procedure.

(2) A leveled FHE scheme that uses bootstrapping {\em as an optimization}, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\lambda^2)$, {\em independent of $L$}. Security is based on the hardness of RLWE for {\em quasi-polynomial} factors (as opposed to the sub-exponential factors needed in previous schemes).

We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width -- e.g., where a constant fraction of levels have width at least $\lambda$ -- we can reduce the per-gate computation of the bootstrapped version to $\tilde{O}(\lambda)$, independent of $L$, by {\em batching the bootstrapping operation}. Previous FHE schemes all required $\tilde{\Omega}(\lambda^{3.5})$ computation per gate.

At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).

ISSN 1433-8092 | Imprint