Gentry ’ s SWHE Scheme

We briefly recall Micciancio’s “cleaned-up version” of GGH cryptosystems [GGH97, Mic01]. The secret and public keys are “good” and “bad” bases of some lattice Λ. More specifically, the keyholder generates a good basis by choosing Bsk to be a basis of short, “nearly orthogonal” vectors. Then it sets the public key to be the Hermite normal form of the same lattice, Bpk def = HNF(Λ(Bsk)). A ciphertext in a GGH-type cryptosystem is a vector ~c close to the lattice Λ(Bpk), and the message which is encrypted in this ciphertext is somehow encoded in the distance from ~c to the nearest lattice vector. To encrypt a message m, the sender chooses a short “error vector” ~e that encodes m, and then computes the ciphertext as ~c ← ~e mod Bpk. Note that if ~e is short enough (i.e., less than λ1(Λ)/2), then it is indeed the distance between ~c and the nearest lattice point. To decrypt, the key-holder uses its “good” basis Bsk to recover ~e by setting ~e ← ~c mod Bsk, and then recovers m from ~e. The reason decryption works is that, if the parameters are chosen correctly, then the parallelepiped P(Bsk) of the secret key will be a “plump” parallelepiped that contains a sphere of radius bigger than ‖~e‖, so that ~e is indeed the unique point inside P(Bsk) that equals ~c modulo Λ. On the other hand, the parallelepiped P(Bpk) of the public key will be very skewed, and will not contain a sphere of large radius, making it useless for solving BDDP. More algebraically, the secret-key basis Bsk is chosen so that all the columns of B −1 sk have Eucledean length smaller than 1/2‖~e‖. Recall that ~c = ~v + ~e for some ~v ∈ Λ, so we can write ~c = ~ αBsk + ~e for some integer coefficient vector ~ α. Also, reducing ~c mod Bsk is done by computing