**Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP**

*Zvika Brakerski*

**Abstract: **We present a new tensoring technique for LWE-based fully homomorphic encryption. While in all previous works, the ciphertext noise grows quadratically ($B \to B^2\cdot\poly(n)$) with every multiplication (before ``refreshing''), our noise only grows linearly ($B \to B\cdot\poly(n)$).

We use this technique to construct a \emph{scale-invariant} fully homomorphic encryption scheme, whose properties only depend on the ratio between the modulus $q$ and the initial noise level $B$, and not on their absolute values.

Our scheme has a number of advantages over previous candidates: It uses the same modulus throughout the evaluation process (no need for ``modulus switching''), and this modulus can take arbitrary form, including a power of $2$ which carries obvious advantages for implementation. In addition, security can be \emph{classically} reduced to the worst-case hardness of the GapSVP problem (with quasi-polynomial approximation factor), whereas previous constructions could only exhibit a quantum reduction to GapSVP.

**Category / Keywords: **public-key cryptography / fully homomorphic encryption, learning with errors

**Date: **received 19 Feb 2012, last revised 18 May 2012

**Contact author: **zvika at stanford edu

**Available format(s): **PDF | BibTeX Citation

**Note: **Revised due to typos.

**Version: **20120518:231322 (All versions of this report)

**Short URL: **ia.cr/2012/078

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]