Homomorphic Encryption and Lattices , Spring 2011 Instructor : Shai Halevi Constructions of FHE

In the previous class we constructed a SWHE scheme with sk = w,pk = (d, r) and Decw(c) = [c · w]d mod 2. We want to use “bootstrapping” to convert our SWHE to FHE. Namely we add c∗ = Eec(w) to the public key (assuming circular security), then, given two ciphertexts c1, c2, consider the functions: ADDc1,c2(sk) = Decsk(c1) + Decsk(c2) MULTc1,c2(sk) = Decsk(c1) · Decsk(c2) If we can evaluate the function homomorphically on c∗ then we get two other ciphertexts c+, c× s.t. Decw(c +) = c1 + c2 and Decw(c ×) = c1 · c2. Our goal is therefore to get a bootstrappable scheme, namely one where the functions ADD,MULT are within the homomorphic capacity of the scheme for every two “evaluated ciphertexts” c1, c2 and “fresh ciphertext” c ∗. So far we have a SWHE scheme that can evaluate polynomials of degree up to √ n with up to n2 √ n terms. But the decryption algorithm for this scheme is given by Decw(c) = [c · w]d mod 2, where c, w, d have O(n1.5) bits. Thus a Boolean circuit to evaluate the decryption operation will be of degree Õ(n1.5) which is too much for the scheme to handle. We want to reduce the complexity of the decryption without decreasing the homomorphic capacity. We therefore add another “hint” about the secret key to the public key, namely a set of S elements x1, . . . , xS ∈ Zd such that there exists a very sparse subset of the xi’s that sums up to w modulo d. Although in principle adding such additional “hint” may compromise the security of the cryptosystem, in this case one can prove that if the “sparse subset-sum problem” (SSSP) is hard then the cryptosystem remains secure. Let ~σ = σ1σ2 · · ·σS be the characteristic vector of this subset, namely ∑S i=1 σixi ≡ w (mod d) and HW(~σ) = s << S. We now view ~σ as the secret key. Given a ciphertext c we post-process it to get yi = [c · xi]d, i ∈ [S]. Now decryption is given by: