Paper 2012/078

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Zvika Brakerski

Abstract

We present a new tensoring technique for LWE-based fully homomorphic encryption. While in all previous works, the ciphertext noise grows quadratically ($B \to B^2\cdot\poly(n)$) with every multiplication (before ``refreshing''), our noise only grows linearly ($B \to B\cdot\poly(n)$). We use this technique to construct a \emph{scale-invariant} fully homomorphic encryption scheme, whose properties only depend on the ratio between the modulus $q$ and the initial noise level $B$, and not on their absolute values. Our scheme has a number of advantages over previous candidates: It uses the same modulus throughout the evaluation process (no need for ``modulus switching''), and this modulus can take arbitrary form, including a power of $2$ which carries obvious advantages for implementation. In addition, security can be \emph{classically} reduced to the worst-case hardness of the GapSVP problem (with quasi-polynomial approximation factor), whereas previous constructions could only exhibit a quantum reduction to GapSVP.

Note: Revised due to typos.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
fully homomorphic encryptionlearning with errors
Contact author(s)
zvika @ stanford edu
History
2012-05-18: last of 5 revisions
2012-02-23: received
See all versions
Short URL
https://ia.cr/2012/078
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/078,
      author = {Zvika Brakerski},
      title = {Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP},
      howpublished = {Cryptology ePrint Archive, Paper 2012/078},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/078}},
      url = {https://eprint.iacr.org/2012/078}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.