### Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages [chapter]

Zvika Brakerski, Vinod Vaikuntanathan
2011 Lecture Notes in Computer Science
We present a somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security (quantumly) reduces to the worst-case hardness of problems on ideal lattices. We then transform it into a fully homomorphic encryption scheme using standard "squashing" and "bootstrapping" techniques introduced by Gentry (STOC 2009). One of the obstacles in going from "somewhat" to full homomorphism is the requirement that the somewhat homomorphic scheme be circular secure, namely, the scheme can be used to securely encrypt its own secret key. For all known somewhat homomorphic encryption schemes, this requirement was not known to be achievable under any cryptographic assumption, and had to be explicitly assumed. We take a step forward towards removing this additional assumption by proving that our scheme is in fact secure when encrypting polynomial functions of the secret key. Our scheme is based on the ring learning with errors (RLWE) assumption that was recently introduced by Lyubashevsky, Peikert and Regev (Eurocrypt 2010). The RLWE assumption is reducible to worst-case problems on ideal lattices, and allows us to completely abstract out the lattice interpretation, resulting in an extremely simple scheme. For example, our secret key is s, and our public key is (a, b = as + 2e), where s, a, e are all degree (n − 1) integer polynomials whose coefficients are independently drawn from easy to sample distributions.

his construction of a somewhat homomorphic encryption scheme allows the homomorphic evaluation of any (arithmetic or Boolean) function whose polynomial representation has bounded degree. He then showed how to "bootstrap" from a sufficiently powerful somewhat homomorphic encryption scheme into a fully homomorphic encryption scheme. To construct a somewhat homomorphic encryption scheme, Gentry harnessed the power of ideal lattices, a sophisticated algebraic structure with many useful properties. Specifically, he was able to reduce the security of his somewhat homomorphic encryption scheme to the worst-case hardness of standard problems (such as the shortest vector problem) on ideal lattices [15] (footnote 3). Gentry's construction is quite involved: the secret key, even in the private-key version of his scheme, is a short basis of a "random" ideal lattice.
Generating pairs of public and secret bases with the right distributions appropriate for the worst-case to average-case reduction is technically quite complicated, and significant effort has been devoted recently to this issue [38, 16]. We will present a scheme where key generation is simply sampling a random degree-(n − 1) polynomial with coefficients in Z_q. Furthermore, all parts of our scheme can be described in elementary terms, with no reference to ideals.

A parallel line of work that utilizes ideal lattices in cryptography dates back to the NTRU cryptosystem [22]. The focus of this line of work is to use ideal lattices for efficient cryptographic constructions. The added structure of ideal lattices, compared to ordinary lattices, makes their representation more succinct and enables fast computation. Starting with the work of Micciancio [28], there has been an ongoing effort [31, 23, 32, 25, 24] to come up with very efficient constructions of various cryptographic primitives whose security can formally be reduced to the hardness of short-vector problems in ideal lattices. A recent work along these lines, which serves as an essential stepping stone for this work, is that of Lyubashevsky, Peikert and Regev [26].

Lyubashevsky et al. [26] present the ring learning with errors (RLWE) assumption, which is the "ring counterpart" of Regev's learning with errors assumption [34]. Roughly speaking, the assumption is that given polynomially many samples over a certain ring of the form (a_i, a_i s + e_i), where s is a random "secret ring element", the a_i's are uniformly random in the ring, and the e_i are "small" ring elements, an adversary cannot distinguish this sequence of samples from random pairs of ring elements. They show that this simple to state assumption can be (very efficiently) reduced to the worst case hardness of short-vector problems on ideal lattices.
They also construct a very efficient ring counterpart to Regev's [34] public-key encryption scheme, as well as a counterpart to the identity based encryption scheme of [17] (using the basis sampling techniques of [39]). The description of the scheme is very elegant since, as explained above, RLWE is stated without directly referring to lattices (similarly to the LWE assumption and ordinary lattices).

Footnote 3: The specific variant of the (approximate) shortest vector problem, as well as the specific approximation factor, are irrelevant for the current discussion.
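The following toy example is added here and is not code from the paper. It builds the key pair (s, (a, b = as + 2e)) described in the abstract and shows why removing the as term and reducing modulo 2 recovers the message, including after one homomorphic addition and one multiplication. The ring Z_q[x]/(x^n + 1), the parameter sizes, the {-1, 0, 1} noise and the encrypt/decrypt routines (the usual RLWE encryption pattern) are assumptions not stated on this page.

```python
import random

N, Q = 16, 2**31 - 1          # toy sizes (assumed); far too small to be secure
rng = random.Random(2011)     # fixed seed for a reproducible demo, not a CSPRNG

def small():                  # "small" ring element: coefficients in {-1, 0, 1} (assumed)
    return [rng.randint(-1, 1) for _ in range(N)]

def uniform():
    return [rng.randrange(Q) for _ in range(N)]

def add(f, g):
    return [(x + y) % Q for x, y in zip(f, g)]

def mul(f, g):                # product in Z_q[x]/(x^N + 1): x^N wraps around to -1
    out = [0] * N
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            k, sign = (i + j) % N, -1 if i + j >= N else 1
            out[k] = (out[k] + sign * x * y) % Q
    return out

def scale(c, f):
    return [(c * x) % Q for x in f]

def keygen():
    s, a, e = small(), uniform(), small()
    return s, (a, add(mul(a, s), scale(2, e)))     # pk = (a, b = as + 2e)

def encrypt(pk, m):           # assumed RLWE-style encryption of a list of N bits
    a, b = pk
    v = small()
    c0 = add(add(mul(b, v), scale(2, small())), m)
    c1 = scale(-1, add(mul(a, v), scale(2, small())))
    return [c0, c1]           # c0 + c1*s = m + 2*(small noise)

def decrypt(s, ct):           # evaluate sum ct[i]*s^i, centre mod q, then reduce mod 2
    acc, power = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        acc, power = add(acc, mul(c, power)), mul(power, s)
    return [(x - Q if x > Q // 2 else x) % 2 for x in acc]

def ct_add(c, d):             # homomorphic addition: noise terms add
    return [add(x, y) for x, y in zip(c, d)]

def ct_mul(c, d):             # homomorphic product: a 3-term ciphertext, noise multiplies
    return [mul(c[0], d[0]), add(mul(c[0], d[1]), mul(c[1], d[0])), mul(c[1], d[1])]
```

Decryption stays correct only while the accumulated even noise remains below q/2 in absolute value, which is why the scheme on its own is only somewhat homomorphic: each multiplication multiplies the noise, bounding the degree that can be evaluated.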