### Revision(s):

__
Revision #2 to TR12-157 | 13th April 2016 19:33
__
#### Homomorphic evaluation requires depth

**Abstract:**
We show that homomorphic evaluation of any non-trivial functionality of sufficiently many inputs with respect to any CPA secure homomorphic encryption scheme cannot be implemented by circuits of polynomial size and constant depth, i.e., in the class AC0. In contrast, we observe that there exist ordinary public-key encryption schemes of quasipolynomial security in AC0 assuming noisy parities are exponentially hard to learn. We view this as evidence that homomorphic evaluation is inherently more complex than basic operations in encryption schemes.

**Changes to previous version:**
The previous version made an unconditional claim about AC^0. We do not know that the claim is false. But this version does not make it.

__
Revision #1 to TR12-157 | 27th October 2015 20:52
__
#### Homomorphic evaluation requires depth

**Abstract:**
We show that homomorphic evaluation of any non-trivial functionality of sufficiently many inputs with respect to any CPA secure homomorphic encryption scheme cannot be implemented by circuits of polynomial size and constant depth, i.e., in the class $\mathrm{AC}^0$. In contrast, we observe that there exist ordinary public-key encryption schemes of quasipolynomial security in $\mathrm{AC}^0$ assuming noisy parities are exponentially hard to learn. We view this as evidence that homomorphic evaluation is inherently more complex than basic operations in encryption schemes.

**Changes to previous version:**
More general arguments on implementing basic cryptographic operations in AC0.

### Paper:

__
TR12-157 | 12th November 2012 04:57
__

#### On the depth complexity of homomorphic encryption schemes

**Abstract:**
We show that secure homomorphic evaluation of any non-trivial functionality of sufficiently many inputs with respect to any CPA secure encryption scheme cannot be implemented by constant depth, polynomial size circuits, i.e. in the class AC0. In contrast, we observe that certain previously studied encryption schemes (with quasipolynomial security) can be implemented in AC0. We view this as evidence that encryption schemes that support homomorphic evaluation are inherently more complex than ordinary ones.