Paper 2020/1588
Deniable Fully Homomorphic Encryption from LWE
Shweta Agrawal, Shafi Goldwasser, and Saleet Mossel
Abstract
We define and construct Deniable Fully Homomorphic Encryption based on the Learning With Errors (LWE) polynomial hardness assumption. Deniable FHE enables storing encrypted data in the cloud to be processed securely without decryption, maintaining deniability of the encrypted data, as well the prevention of vote-buying in electronic voting schemes where encrypted votes can be tallied without decryption. Our constructions achieve compactness independently of the level of deniability- both the size of the public key and the size of the ciphertexts are bounded by a fixed polynomial, independent of the detection probability achieved by the scheme. This is in contrast to all previous constructions of deniable encryption schemes (even without requiring homomorphisms) which are based on polynomial hardness assumptions, originating with the seminal work of Canetti, Dwork, Naor and Ostrovsky (CRYPTO 1997) in which the ciphertext size grows with the inverse of the detection probability. Canetti et al. argued that this dependence ``seems inherent'', but our constructions illustrate this is not the case. We note that the Sahai-Waters (STOC 2014) construction of deniable encryption from indistinguishability-obfuscation achieves compactness and can be easily modified to achieve deniable FHE as well, but it requires multiple, stronger sub-exponential hardness assumptions, which are furthermore not post-quantum secure. In contrast, our constructions rely only on the LWE polynomial hardness assumption, as currently required for FHE even without deniability. The running time of our encryption algorithm depends on the inverse of the detection probability, thus the scheme falls short of achieving simultaneously compactness, negligible deniability and polynomial encryption time. Yet, we believe that achieving compactness is a fundamental step on the way to achieving all properties simultaneously as has been the historical journey for other primitives such as functional encryption. Our constructions support large message spaces, whereas previous constructions were bit by bit, and can be run in online-offline model of encryption, where the bulk of computation is independent of the message and may be performed in an offline pre-processing phase. This results in an efficient online phase whose running time is independent of the detection probability. At the heart of our constructions is a new way to use bootstrapping to obliviously generate FHE ciphertexts so that it supports faking under coercion.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Minor revision. CRYPTO 2021
- DOI
- 10.1007/978-3-030-84245-1_22
- Keywords
- LWEFully Homomorphic EncryptionDeniable Encryption
- Contact author(s)
-
shweta a @ cse iitm ac in
shafi goldwasser @ gmail com
saleet @ mit edu - History
- 2021-11-12: last of 3 revisions
- 2020-12-21: received
- See all versions
- Short URL
- https://ia.cr/2020/1588
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2020/1588, author = {Shweta Agrawal and Shafi Goldwasser and Saleet Mossel}, title = {Deniable Fully Homomorphic Encryption from {LWE}}, howpublished = {Cryptology {ePrint} Archive, Paper 2020/1588}, year = {2020}, doi = {10.1007/978-3-030-84245-1_22}, url = {https://eprint.iacr.org/2020/1588} }