Cryptology ePrint Archive: Report 2012/099

Homomorphic Evaluation of the AES Circuit

Craig Gentry and Shai Halevi and Nigel P. Smart

Abstract: We describe a working implementation of leveled homomorphic encryption (with or without bootstrapping) that can evaluate the AES-128 circuit. This implementation is built on top of the HElib library, whose design was inspired by an early version of the current work. Our main implementation (without bootstrapping) takes about 4 minutes and 3GB of RAM, running on a small laptop, to evaluate an entire AES-128 encryption operation. Using SIMD techniques, we can process upto 120 blocks in each such evaluation, yielding an amortized rate of just over 2 seconds per block.

For cases where further processing is needed after the AES computation, we describe a different setting that uses bootstrapping. We describe an implementation that lets us process 180 blocks in just over 18 minutes using 3.7GB of RAM on the same laptop, yielding amortized 6 seconds/block. We note that somewhat better amortized per-block cost can be obtained using "byte-slicing" (and maybe also "bit-slicing") implementations, at the cost of significantly slower wall-clock time for a single evaluation.

Category / Keywords: implementation / AES, Fully Homomorphic Encryption, Implementation

Publication Info: Extended abstract in CRYPTO 2012

Date: received 24 Feb 2012, last revised 3 Jan 2015

Contact author: shaih at alum mit edu

Available format(s): PDF | BibTeX Citation

Note: This updated report described re-implementation of the AES circuit over the HElib library.

Version: 20150103:190644 (All versions of this report)

Short URL: ia.cr/2012/099

Discussion forum: Show discussion | Start new discussion