Fully Homomorphic Encryption: Overview and Cryptanalysis

Transcription

1 Technische Universität Darmstadt Department of Computer Science Cryptography and Computeralgebra Diploma Thesis July 2011 Fully Homomorphic Encryption: Overview and Cryptanalysis Patrick Schmidt Technische Universität Darmstadt Department of Mathematics Supervised by Prof. Dr. Johannes Buchmann Dr. Richard Lindner Michael Schneider

2

3 Acknowledgements First of all, I would like to thank Prof. Johannes Buchmann for giving me the opportunity to write my thesis under this topic and gain knowledge in the field of fully homomorphic schemes and moreover in the area of lattices. Furthermore, many thanks go to my two supervisors Dr. Richard Lindner and Michael Schneider who offered and spent much time answering me all my investigating questions and guiding me in the right direction. In addition I would like to thank all people that supported my work on this thesis by proofreading it, finding spelling mistakes and logical errors as well as supporting me in improving the structure of my thesis and its fluent reading; as there are: Richard Frankland, Maina Olembo, Denise Demirel, and Dr. Melanie Volkamer. Lastly, I thank all whom I have forgotten to mention before! Without your contributions this work would not be what it actually is. Warranty I hereby declare that the content of this thesis is the direct result of my own work and that any use of published or unpublished material in this thesis is fully and correctly referenced. Date: July 14th, 2011 Signature: P. Schmidt iii

4

5 Contents Introduction 1 I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries Lattices Computational Problems Security Models Homomorphic Encryption Schemes Lattice-Based Encryption Schemes Integer-Arithmetic Encryption Schemes Homomorphic Signature Schemes Additional Work to Homomorphic Signature Schemes II. Cryptanalysis of the Gentry-Halevi FHE Scheme 4. The Gentry-Halevi Scheme Brief Recall of the Construction Parameter Selection Attacking the Gentry-Halevi Scheme Attack Methodology and Strategies Strategy I LLL Strategy II Sublattice Attack Strategy III BKZ Practical Considerations Preparatory Work Post-Processing a Strategy Results Strategy I (LLL) Strategy II (Sublattice Attack) Strategy III (BKZ) Conclusion 47 A. The Code 55 v

6

7 Introduction Cryptography has a longstanding history the Egyptians in the year 3000 BC are believed to have been the first humans to use encryption, albeit a very simple form of it, but in previous centuries it simply was known as the science of encryption. Since its early years, cryptography and human kind s understanding of it have undergone a great development, nowadays consisting of far more areas than just encryption. Today, cryptography is more often used in daily life than a normal (end)user in the real world is aware of, e.g. in smartcards, USB-tokens, car or door keys, home wifi networks, mobile communication (using a cellular phone) and many more. Perhaps the most prominent example for the usage of cryptography is the internet, with its many applications and transactions. One can think of such transactions as online-banking, electronic/online voting, ing or using social networks. In most and hopefully all of these examples cryptography in the sense of encryption plays a huge role in ensuring confidentiality of the user s data and credentials like passwords, IDs, PINs, TANs, etc. Contrary to these instances, in some areas one explicitly wants to allow other people to perform some set of (permitted) applications on ones data without having access to the data in plaintext. One example is the delegation of computations according to [19] or [10], in which the delegator wants to outsource the computation of some function on many inputs to a worker and later maintain the correct result. A second example for this is electronic voting (which could be seen as a special case of delegation of computation) like in [15] or [45], where one would like the election authorities to be able to count the votes and present the final results, but dislikes the idea that individual votes are first decrypted and afterwards tallied. Two final examples are multiparty computations and commitment schemes as reported in [41]. In the setting of multiparty computations one wants different parties to jointly compute some function without revealing their inputs to each other, and for commitment schemes one can think of auctions where the auctioneer wants to assure that the offers are not publicly known in the bidding phase while at the same time ensuring that no one is able to repudiate their own offer. In the above settings, as well as in many others, a way to accomplish the goal of computing on encrypted data is needed. With homomorphic encryption one can assure that performing some operations on encrypted data is possible. To achieve the aim in the example of electronic voting, the election authorities add the encrypted votes (thus receiving the final result encrypted) and then only have to decrypt the computed ciphertext to obtain the final result. For delegation of computation, the delegator hands the function f and the encrypted inputs to the worker, and the worker returns the encrypted result. For the other examples similar operations have to be performed. A various number of homomorphic schemes have already been presented in the last decades: unpadded RSA [43] or the cryptosystem of ElGamal [16] and the cryptosystems of Goldwasser-Micali [27], Benaloh [4] or Paillier [40]. These examples contain additive-only or multiplicative-only homomorphic encryption schemes as well as addi- 1

8 tively homomorphic encryption schemes which support a very limited number of multiplications. This last type of scheme is able to homomorphically evaluate an arbitrary number of additions but only a small number of multiplications, i.e. such schemes can evaluate polynomials up to some small degree d but are unable to evaluate polynomials of a larger degree. For further examples of homomorphic encryption schemes see [20]. Depending on the function which shall be computed, miscellaneous complex operations (consisting of additions, multiplications, etc.) have to be evaluated homomorphically, e.g. encrypted queries to a search engine or searching on encrypted data (in a database). But the small number of homomorphically evaluable multiplications drastically limits the previously mentioned schemes. The question whether it is possible to construct a fully homomorphic encryption scheme, i.e. a scheme which supports the computation of arbitrary functions on encrypted data (with no limit on the number of multiplications), in the cryptographic community was long believed to be a holy grail. Not before 2009, Gentry theoretically solved this problem by presenting his fully homomorphic encryption scheme (FHE) based on ideal lattices in [20]. The goal of this thesis is twofold: Firstly we give an overview of the progress and results in the field of fully homomorphic encryption and signatures after the breakthrough of Gentry, and secondly we cryptanalyse an implementation of a FHE scheme to contribute experimental results concerning the security issues of such schemes. In the first part, we recapitulate Gentry s theoretical achievements in [20] to obtain a FHE scheme and then list a number of improvements to his work as well as further proposals from [47], [24], [39], [49], [48], [14], and [12] for lattice-based schemes and from [50] and [13] for integer-arithmetic schemes. In addition, we highlight the link between all these papers as they are the most common approaches to achieve a fully homomorphic encryption scheme. Furthermore, we provide an overview over the results in [7] and [6] on the field on fully homomorphic signatures schemes which is fairly new. For the second part we cryptanalyse the, to us, most efficient implementation of a fully homomorphic encryption scheme, presented by Gentry and Halevi in [24]. In detail, we concentrate on one of the two underlying (theoretical) hardness problems which is also suitable for, and used, in other cryptographic encryption schemes (not fully homomorphic ones). We analyse and estimate the robustness of the security parameters presented by the authors of [24] by applying some strategies to break the proposed scheme. We measure the running times and also the success rates of the chosen strategies and compare their effectiveness. 2

9 Part I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries We start by giving definitions that will be used throughout this paper and to which we will eventually refer. The definitions are split into three parts: There is the general part for (ideal) lattices, followed by the part of computational problems and lastly the part containing security models for (fully) homomorphic encryption and signatures. General Notations. With N, Z, Q, R we denote natural numbers (with zero), integers, rationals and reals, respectively; with K + we denote {x K : x > 0} and with K n we mean the usual n-dimensional vector space resp. module over K {N, Z, Q, R}. K p denotes K/(pK) and for prime p we write it as F p, since F p is (in this case) a field with p elements. We also consider F 2 = {0, 1}. Vectors are denoted with small letters (a, b,...) and we think of vectors as columns. We denote matrices with capital letters (A, B,...) and the set of all (m n)-matrices over K with K m n. A T stands for the transpose of the matrix A. We think of matrices as ordered sets of column vectors. v p denotes the l p -norm of the vector v which for a real p 1 is defined as v p := n p v i p. The frequently used norms will be the maximum norm v := max i=1,...,n { v i } and the Euclidean norm v 2 = n i=1 v i 2 corresponding to the intuitive notion of the length of the vector v in a Euclidean space. For a matrix A we write A p for max i=1,...,n { a i p } where a i denotes the i-th column of A. With t we mean the rounding of t to the nearest integer, as well as t and t denote the rounding up of t to the next integer and rounding down, respectively. (This in particular for a (possibly negative) real t means that t = sign(t) t, and similar for rounding up and down.) If we write t mod p, we mean the unique number t in [ p/2, p/2) Z such that t = kp + t for some integer k. (When t shall denote the unique number in {0,..., p 1}, we will address this separately.) With x := a or x a we assign the value a to (the variable) x, with x R A the assignment has some randomness involved (according to A respectively the right-hand side of the assignment), with x R A we uniformly choose x from the set A on the right, and for comparison in algorithms we use x == a if needed so as not to get mixed i=1 3

10 1 PRELIMINARIES up with the assignment x := a. The equation sign = is used in its full meaning in mathematics (e.g. containing assignments and comparisons, its actual use being clear from the context). A last notation we want to introduce is the Big O notation: With f O(g) or f = O(g) we mean 0 lim sup x f(x)/g(x) <, with f o(g) or f = o(g) we mean lim x f(x)/g(x) = 0, f Ω(g) or f = Ω(g) denotes g O(f), f ω(g) or f = ω(g) is the corresponding g o(f), and finally f Θ(g) or f = Θ(g) means both f O(g) and g O(f). Other notations concerning the definitions below will be introduced there Lattices General lattices. A lattice L is a discrete abelian subgroup of R n. Since this definition is too vague, we would like to have a better natural handle for the lattice L. A basis B := (b 1,..., b d ) for the lattice L consists of d n linearly independent vectors b i with L = L(B) := {Bx : x Z d }, i.e. L is the set of all integer combinations of vectors in B. The number d 1 is independent of the given basis for the lattice L, thus being a lattice constant. It is called the dimension of L and denoted d = dim(l). (The independence of d is due to the fact that for d 2 there exist infinitely many bases for L and a particular basis B can be transformed into any other basis B via B = B T for a (unimodular) matrix T GL d (Z) := {A Z d d : det(a) = 1}.) A lattice is of full-rank if d = n. The determinant of a lattice L with basis B is given by det(l) := det(b T B). It also is a lattice constant. For full-rank lattices there is a short version for the determinant, i.e. det(l) = det(b). A geometric interpretation of the determinant is the volume of the parallelepiped P (B) := {Bx : x [ 1/2, 1/2) d }. Albeit the shape of P (B) changes (since P (B) depends on the shape of B), the volume of P (B) is the same for all bases B of L. Although we stated above that there exist infinitely many bases for a lattice with dim(l) 2, there are differences between them. A good basis consists of short and nearly orthogonal vectors whereas a bad basis does not fulfill any of these two requirements. We will not go into detail what short here means, but in literature the Hermite Normal Form (HNF) of a basis is thought of as a bad basis. A matrix B is in Hermite Normal Form if B is an upper triangular matrix, b ii > 0 for i = 1,..., n and b ii > b ij 0 for all j = i + 1,..., n. The HNF of a basis B, denoted HNF(B), can be easily computed from B via HNF(B) = B U for a unimodular matrix U GL d (Z) denoting (invertible) column operations. By t mod B for a vector t we denote the unique vector t P (B) with t t L; t can be computed efficiently via t = t B B 1 t if L = L(B) is a full-rank lattice. The i-th successive minimum λ i (L) is defined as the radius of the smallest sphere which contains i linearly independent vectors of L. The value λ 1 (L) is also called minimal distance of L. The dual lattice or reciprocal lattice L of a lattice L is defined as L := {y span(l) : x L : x, y Z}, where, denotes the (standard) scalar product and span(l) := {Bx : x R n } for L = L(B). It holds that det(l) det(l ) = 1, and for full-rank lattices L = L(B) we get a basis B for L via B = (B 1 ) T. Furthermore, let Λ q (A) denote the set {x Z m : Ax 0 mod q}. 4

11 1.1 Lattices Ideal lattices. For the introduction of ideal lattices, we use another approach than for general lattices. Therefore, consider the (polynomial) ring Z[x] in one variable. An ideal I of a ring R (with unity) is a subset which is additively closed and also closed under multiplication with elements of R, i.e. for elements i, j I and r R we have i+rj I. We define (a 1,..., a n ) to be the ideal generated by elements a 1,..., a n R, i.e. k (a 1,..., a n ) := r j a ij : r j R, i j {1,..., n}, k n. j=1 The elements a 1,..., a n are then called generators of I, and for n = 1 the ideal I is called principal ideal. Now, we define the (polynomial factor) ring R := Z[x]/(f(x)) for a polynomial f(x) Z[x] of degree n. R bijectively corresponds to Z n and each element v in R can be viewed as a polynomial v(x) = v 0 + v 1 x v n 2 x n 2 + v n 1 x n 1 of degree n 1 or as a vector v = (v 0, v 1,..., v n 2, v n 1 ) T. By simply writing v, we simultaneously mean both. The ideal I = (v) in R then naturally corresponds to a lattice in Z n. By abuse of notation, we will write I for this lattice which is called an ideal lattice. The basis for I is B I := {v i := v x i mod f(x) : i = 0,..., n 1} and is called rotation basis. For an ideal I, we can also define a fractional ideal I 1 := {y K : x I : x y R}, where K is a field containing R, e.g. for R = Z[x]/(f(x)) we have K = Q[x]/(f(x)). So, I 1 is not necessarily a subset of R, but I 1 again is an ideal (hence, the definition of fractional ideal makes sense). (In general, the formal definition of a fractional ideal is much more complex, but the definition above is suitable for our needs.) A (fractional) ideal I is called invertible if there exists another (fractional) ideal J with IJ = R, where IJ = { n i=1 a ib i : a i I, b i J, n N + } is the product of I and J. If we have I = (v) then I 1 = (1/v), where 1/v is computed in K; for multiple generators v 1,..., v n of I, its inverse ideal is I 1 = n i=1 (1/v i). Two ideals I and J are called relatively prime or co-prime if I + J R. We sometimes call the determinant of an ideal lattice I its norm, denoted nm(i), and for I = (v) we have nm(i 1 ) = nm(i) 1. We introduce the (discrete) Gaussian distribution and the smoothing parameter, which have become more and more important in past years: For any s R + the Gaussian distribution (in R n ) centered around c R n is defined as ρ s,c, (x) := exp( π x c 2 /s 2 ) for all x R n. The parameter s is called the standard deviation of the distribution. (When it is clear which norm is used, we will write ρ s,c ; if c = 0, we just write ρ s for ρ s,c.) Besides this continuous version there is also the discrete Gaussian distribution over L, defined as D L,s,c (x) := ρ s,c(x) ρ s,c (L) for all x L and ρ s,c (L) := y L ρ s,c(y) for a set L (which will be a lattice in this paper). If c = 0, we will omit it in D L,s,c and just write D L,s. According to most definitions in literature, the smoothing parameter η ε (L) is defined here as follows: For a lattice L and ε R + we have η ε (L) := min{s R + : ρ 1/s (L \ {0}) ε}. 5

12 1 PRELIMINARIES The expansion factor γ of a ring R is defined as γ := γ(r) := sup r 1,r 2 R { r1 r 2 r 1 r 2 If the ring R is obvious or not necessary to mention, we will omit it and just write γ. For two polynomials f(x), g(x) the resultant res(f, g) is defined as res(f, g) := (x y) (x,y):f(x)=0=g(y) which for a separable polynomial f(x) is the same as res(f, g) = y:g(y)=0 f(y) Computational Problems Now we define the used computational problems, on which the security of the proposed homomorphic encryption and signature schemes relies. We will write dist(l, t) for min y L { t y }. Although there are a lot of different lattice problems, we will only consider the most important for this work. The first one is a problem in general lattices, whereas the following problems will occur in ideal lattices. Definition 1.1 (Small Integer Solution Problem (SIS)). Given positive integers m, n Z +, a positive real β R +, a prime q and A Zq n m, where A is chosen from a distribution negligibly close to uniform over Z n m q, find v Λ q (A) \ {0} with v β. This definition corresponds to one of Micciancio and Regev (cf. [37]). Roughly speaking, the SIS problem asks to find a small integral linearly dependent combination of the columns of A (modulo q). For a definition of negligible see Definition Definition 1.2 (Ideal Shortest Independent Vector Problem (Ideal SIVP)). Given a ring R, an ideal I in R with basis B I and a positive real d 1, find an independent set B in I with B d λ n (I). The ideal SIVP is a natural translation from the d-sivp in lattices, which asks to find n linearly independent vectors v 1,..., v n L with the condition max i=1,...,n v i d λ n (L). The first definition of the SIVP, to our knowledge, appeared in the work of Ajtai ([1], problem (P3)) in a slightly different manner to both notations before: Ajtai formulated to find a basis with the condition above. Definition 1.3 (Ideal Membership Problem (IMP)). Let R be a ring, I an ideal in R and Sample I an algorithm that efficiently samples I. The challenger randomly chooses a bit b R {0, 1}, and sets x R Sample I (R) for b = 0 and x R R otherwise. Given (x, R, Sample I ), find b. In particular, this means to decide if x is an element of the ideal I. }. 6

13 1.2 Computational Problems Definition 1.4 (Inner Ideal Membership Problem (IIMP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and s R + a positive real. The challenger generates (BJ sk, Bpk J ) R IdealGen(R, B I ) and randomly chooses a bit b R {0, 1}. For b = 0 it sets x R D I,s, otherwise x R D R,s. At last, it sets t = x mod B pk J. Given (Bpk J, t), find b. This problem is like the IMP in the sense that one wants to know whether x is an element of the (inner) ideal I, but where the I-IMP is disturbed by the (outer) ideal J. Definition 1.5 (Ideal Coset Problem (ICP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and Sample an algorithm which efficiently samples R. The challenger randomly chooses a bit b R {0, 1} and generates (BJ sk, Bpk J ) IdealGen(R, B I). For b = 0 it sets r R Sample(R) and t = r mod B pk J, otherwise t R R mod B pk J. Given (t, Bpk J ), find b. Definition 1.6 (Decisional Bounded Distance Decoding Problem (DBDDP) for Ideal Lattices). When the ICP is instantiated with a polynomial (factor) ring R = Z[x]/(f(x)) and the algorithm Sample efficiently samples from Z n R (for monic polynomial f(x) of degree n), the ICP is called DBDDP (in a version for ideal lattices). Definition 1.7 (SplitKey Distinguishing Problem (SKDP)). Let KeyGen, SplitKey be algorithms and (sk, pk) R KeyGen. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it sets (sk, T ) R SplitKey(sk, pk), otherwise (sk, T ) R SplitKey(, pk) for some special symbol. Given (T, sk, pk), find b. The four problems IIMP, ICP, DBDDP and SKDP were introduced by Gentry in [20] and previous works. The ICP is said to be a fairly natural decisional version of the closest vector problem ([21]) in concrete terms. The last type of problems are problems on (integer) numbers, which can be adapted to a one-dimensional lattice: One shall find an approximate greatest common divisor (gcd) for some given numbers or a (sparse) subset in a set of numbers that sums up to a given number. The definitions are as follows: Definition 1.8 (Approximate-GCD Problem (AGCDP)). Given k numbers y 1,..., y k chosen according to the distribution Dist γ,ρ (p) := {choose q R Z [0, 2 γ /p), r R Z (2 ρ, 2 ρ ), output x = pq + r} for an odd positive integer p Z +, find p. The number p is called the (hidden) approximate-gcd of the given numbers y 1,..., y k, and the values γ, ρ define the maximal (bit)length of q, r. Definition 1.9 (Sparse Subset Sum Problem (SSSP)). Let s, t, q Z + be positive integers. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it generates T as a set of t integers a 1,..., a t with a i R [ q/2, q/2) and the existence-constraint of S {1,..., t} with S = s and i S a i = 0 mod q; otherwise it generates T without the constraint. Given T, find b. 7

14 1 PRELIMINARIES This definition is the one for the decisional version of the subset sum problem in literature, the sparsity of the problem occurring when the parameters t, s are set according to those of Gentry in [20], Section 11. If one is asked to not just decide if a subset S exists, but rather to find and output S, the problem is called search SSSP Security Models This subsection is intended to give the definitions for the analysis of the security of the schemes presented later. Homomorphic Encryption Definition 1.10 (Homomorphic Encryption Scheme). A homomorphic encryption scheme consists of the following four algorithms: KeyGen(λ). On input the security parameter λ, this randomised algorithm outputs a tuple (sk, pk) consisting of the secret key sk and public key pk. Encrypt(pk, π). On input a public key pk and a plaintext π, this randomised algorithm outputs a ciphertext ψ. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs the corresponding plaintext π. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of the set C of allowed circuits) and a set Ψ of t ciphertexts ψ 1,..., ψ t, this (possibly randomised) algorithm outputs a ciphertext ψ. So, a homomorphic encryption scheme consists of all algorithms of a conventional public key encryption scheme and an extra one. The correctness-condition for the conventional part of a homomorphic encryption scheme is identical to the one for a (non-homomorphic) public key encryption scheme. Because of simplicity and size, we will give a rather informal explanation of the Evaluatealgorithm, an informal definition for fully homomorphic encryption (FHE) schemes and defer the detailed definitions to the references. The additional algorithm Evaluate roughly speaking is supposed to do the following: If ψ i is a ciphertext corresponding to the plaintext π i for i = 1,..., t and Ψ = (ψ 1,..., ψ t ), then Evaluate(pk, C, Ψ) shall return a ciphertext ψ corresponding to the plaintext C(π 1,..., π t ) for a circuit C with t inputs (cf. Figure 1). A homomorphic encryption scheme is said to correctly evaluate C (a set of circuits), if the correctness-condition on the algorithm Evaluate from above holds for all circuits C C. Definition 1.11 (Fully Homomorphic Encryption). We call a homomorphic encryption scheme fully homomorphic, if it correctly evaluates all circuits and the size of its decryption algorithm (as a circuit) is bounded by some (fixed) polynomial in the security parameter. 8

15 1.3 Security Models sk Ψ pk C sk π 1 Dec ψ 1 π 2. Dec. ψ 2. π t Dec ψt ψ t C Evaluate ψ Dec π C π 1 π 2. π t Figure 1: An illustrative view on the Evaluate-algorithm Remark. The size-constraint on the decryption algorithm excludes trivial schemes in which Evaluate simply outputs (C, Ψ) and Decrypt is adapted to first decrypt the single components of Ψ and then apply the circuit C to the decrypted parts. Now, we come to the definitions concerning the security of the schemes. Security Definitions for Homomorphic Encryption We consider games as the right purpose to introduce the notion of security which is covered by the definitions then. We start by defining the games for CCA2-, CCA1- and CPA-security for a homomorphic encryption scheme E. Definition 1.12 (Game Hom-CCA2-IND E ). Let P denote the plaintext space and C the ciphertext space, which in the case of a homomorphic encryption scheme E is supposed to be larger since C is the support of Evaluate and not just the support of Encrypt as for a conventional public key encryption scheme. Setup. The challenger B generates a tuple (sk, pk) R KeyGen(λ) and gives the public key pk to the adversary A. Query-Rounds. A sends decryption-queries about ciphertexts ψ i of its choice to B. The challenger answers with the output of Decrypt(sk, ψ i ). The adversary A is allowed to request decryption-queries even though it may have received the challenge from B. Challenge. The adversary A picks a circuit C with t inputs (t being polynomial in the security parameter), two plaintext tuples π i := (π1 i,..., πi t), i = 1, 2, of its choice and sends π 0, π 1 to B. The challenger randomly chooses a bit b R {0, 1}, computes Ψ := (ψ1 b,..., ψb t ) with ψj b R Encrypt(pk, πj b ) and sends ψ := Ψ to A. (Note that B does not have to compute ψ as Evaluate(pk, C, Ψ) since A can do this step on its own because only public values are involved.) Guess. A sends a bit b {0, 1} to B. Definition 1.13 (Game Hom-CCA1-IND E ). The game for CCA1-security is the same as the game for CCA2, except that the adversary is allowed to make queries only before the 1 challenge. 9

16 1 PRELIMINARIES Definition 1.14 (Game Hom-CPA-IND E ). The game for CPA-security omits the queryrounds of the CCA2/CCA1-games. The rest remains the same. Except for the challenge phase, the three defined games Game Hom-CCA2-IND E, Game Hom-CCA1-IND E and Game Hom-CPA-IND E equal the ordinary games for CCA2-, CCA1- and CPA-security for conventional public key encryption schemes. The difference in the challenge step in the ordinary games is that A only is allowed to choose two elements π 0, π 1 P (and not two t-tuples for a circuit C with t inputs) and receives an element ψ (and not a t-tuple) as the answer. We say that an adversary wins Game Hom-X-IND E for X {CCA2, CCA1, CPA} if b = b, and by Pr[b = b] we denote the probability for this event. Definition 1.15 (Advantage in Homomorphic Encryption). We define adversary A s advantage in Game Hom-X-IND E to be Adv Hom-X-IND A,E := Pr[b = b] 1 2, where Pr[b = b] is the probability for A to win Game Hom-X-IND E the randomness used by the challenger and the adversary). (the probability is over Roughly speaking, A s advantage is the difference between A s method and just guessing the correct value of b. Definition 1.16 (Negligible (Function)). A function f : N R is said to be negligible if for every integer c > 0 there exists a positive integer n c such that for all integers n > n c we have f(n) < 1 n c. Otherwise we call f non-negligible. For negligible f we write f(x) ε(x), for non-negligible f(x) ε(x). We now can define the security notions: Definition 1.17 (CCA2-, CCA1- and CPA-IND). A homomorphic encryption scheme E is X-IND for X {CCA2, CCA1, CPA}, if no probabilistic polynomial-time adversary A wins Game Hom-X-IND E with non-negligible advantage (in the security parameter λ), i.e. ε(λ). Adv Hom-X-IND A,E By simply writing semantically secure we mean secure in the CPA-IND sense. Homomorphic Signatures Definition 1.18 (Homomorphic Signature Scheme). A homomorphic signature scheme consists of the following four algorithms: Setup(1 n, t). On input the security parameter n and a data set size t, this randomised algorithm generates the secret key sk and public key pk and outputs the tuple (sk, pk). (The public key defines the message space M, the signature space and also the set F of allowed functions f : M t M with t inputs.) 10

17 1.3 Security Models Sign(sk, τ, i, πi τ ). On input a secret key sk, a tag τ {0, 1}n, an index i and a message πi τ, this randomised algorithm outputs a signature στ i. Verify(pk, τ, πi τ, στ i, f). On input a public key pk, a tag τ, a message πτ i, a signature σi τ and a function f F, this algorithm either outputs 0 (for rejection) or 1 (for acceptance). Evaluate(pk, τ, f, Σ τ ). On input a public key pk, a tag τ, a function f F and a signature tuple Σ τ = (σ1 τ,..., στ t ), this (possibly randomised) algorithm outputs a signature σ. Like for homomorphic encryption, the first three algorithms are (nearly) identical to those of a conventional public key signature scheme. The difference here the inclusion of a tag τ, an index i and a function f will become obvious: With the tag τ {0, 1} n we distinguish between different data sets Σ τ as input to the function f, the signature computed by the Sign-algorithm will require the presence of the index i, and the Verifyalgorithm will need a representation of f to do its job properly. The correctness-condition for conventional public key signature schemes must obviously be fulfilled for the converted algorithms Sign and Verify including the projection maps p i (π τ 1,..., πτ t ) := π τ i. This means that F at least contains all projection maps p i. The additional algorithm Evaluate informally does the following: If Σ τ consists of honestly created signatures σ τ i = Sign(sk, τ, i, πτ i ) for messages πτ i, then Evaluate(pk, τ, f, Στ ) shall return a signature σ corresponding to the message f(π τ 1,..., πτ t ) for a function f F. In addition to the correctness-condition for Sign and Verify, the one for Evaluate can be formulated as Verify(pk, τ, f(π τ 1,..., π τ t ), Evaluate(pk, τ, f, Σ τ ), f) = 1 for Σ τ = (σ1 τ,..., στ t ), σi τ = Sign(pk, τ, i, πτ i ) and for all f F. Definition 1.19 (Homomorphic with respect to F / F-Homomorphic). If all these conditions are satisfied for an allowed set F of functions, then the signature scheme S correctly evaluates F and is called F-homomorphic (or homomorphic with respect to F). Remark. There is one risky point in our definitions so far: The Evaluate-algorithm can create a signature σ from signatures Σ = (σ 1,..., σ t ) which themselves are obtained by Evaluate. Repeating this procedure several times, we could reach the point where the input signatures are valid, but the output signature of Evaluate is not. This is due to the fact that the noise in the aggregated signature becomes too large and thus the Evaluate-algorithm is no longer able to do its job properly. To keep it simple, we restrict the correctness-property of Evaluate to hold when the input signatures are fresh signatures created by Sign. 11

18 1 PRELIMINARIES Security Definitions for Homomorphic Signatures Definition 1.20 (Game Hom-CMA-UNF S ). Setup. The challenger B generates a tuple (sk, pk) R Setup(1 n, t) and gives the public key pk to the forger A. Query-Rounds. A sends adaptively-chosen signature-queries about message tuples Π i := (π1 i,..., πi t) to B. The challenger randomly chooses a tag τ i R {0, 1} n and sends the tag τ i and the signature tuple Σ τ i including the signatures σ τ i j = Sign(sk, τ i, j, πj i) back to A. (Note that B does not have to compute Evaluate(pk, τ, f, Σ τ ) since A can do this step on its own after it receives the signature tuple Σ τ.) Attempt. At the end, the forger A outputs a tag τ {0, 1} n, a message π, a function f and a signature σ. We say that the forger A wins in Game Hom-CMA-UNF S, if Verify(pk, τ, π, σ, f) = 1 and either Type-1 forgery. τ τ i for all queried i, or Type-2 forgery. τ = τ i for some i and π f(π i ). Definition 1.21 (Advantage in Homomorphic Signatures). We define forger A s advantage in Game Hom-CMA-UNF S to be Adv Hom-CMA-UNF A,S := Pr[Verify(pk, τ, π, σ, f) = 1], where Pr[Verify(pk, τ, π, σ, f) = 1] is the probability for A to win in Game Hom-CMA-UNF S (the probability is over the randomness used by the challenger and the forger). Definition 1.22 (CMA-UNF). A homomorphic signature scheme S is CMA-UNF, if no probabilistic polynomial-time forger A wins Game Hom-CMA-UNF S with non-negligible advantage (in the security parameter n), i.e. Adv Hom-CMA-UNF A,S ε(n). 12

19 2. Homomorphic Encryption Schemes In this section we want to describe the process that was made on (fully) homomorphic encryption schemes. The schemes published so far can be categorised in two parts. We start by introducing the lattice-based schemes Lattice-Based Encryption Schemes Though there were many (ordinary) lattice-based encryption schemes like the one of Goldreich, Goldwasser and Halevi (cf. [26]), Ajtai and Dwork (cf. [2]), the fast NTRU cryptosystem (cf. [29]), and cryptosystems based on the learning with errors -problem introduced by Regev (cf. [42]), the problem of a fully homomorphic encryption scheme was not solved until the breakthrough of Gentry in [20]. We will start by showing Gentry s techniques for obtaining a fully homomorphic encryption scheme based on ideal lattices, since it is a very important foundation for the work of Gentry and others, and then present further work that improves the proposed scheme or adapts the techniques and uses them in a similar way. Gentry s Fully Homomorphic Scheme Gentry s most important steps can be described briefly as follows: After constructing an abstract and a somewhat homomorphic encryption scheme, Gentry squashes the decryption circuit and by bootstrappability obtains a fully homomorphic scheme. Abstract Scheme. Gentry starts with a definition of an abstract scheme using rings and ideals, omitting instantiation details at first. His scheme is as follows (additional remarks appear after the description): KeyGen(R, B I ). On input a ring R and the basis B I of an ideal I, this randomised algorithm generates via (BJ sk, Bpk J ) R IdealGen(R, B I ) two bases for an ideal J and outputs the public key pk = (R, B I, B pk J, Samp) and secret key sk = (pk, Bsk J ). Encrypt(pk, π). On input a public key pk and a plaintext π, this algorithm generates ψ Samp(B I, π) and outputs ψ := ψ mod B pk J. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs π := ψ mod BJ sk mod B I = ψ BJ sk B sk J ψ mod B I. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of some special set C of allowed circuits) and a set of t ciphertexts Ψ = (ψ 1,..., ψ t ), this algorithm invokes the evaluation of the embedded additions (ψ i + ψ j ) mod B pk J and multiplications (ψ i ψ j ) mod B pk J in the circuit C in the right order to obtain a ciphertext ψ which it outputs. Remarks. 1. The plaintext space is (a subset of) R mod B I. 2. The (randomised) algorithms IdealGen and Samp remain abstract, but roughly speaking IdealGen(R, B I ) constructs a secret and public basis for an ideal J coprime to the input ideal I and Samp(B I, x) samples the coset x + I. 13

20 2 HOMOMORPHIC ENCRYPTION SCHEMES 3. Gentry describes how to construct C, the set of allowed (or permitted) circuits, and proves that this abstract scheme is correct for C. Gentry also proves that this abstract scheme E is semantically secure if the ICP is hard: Theorem 2.1 ([20], Theorem 5.3.1). Suppose that there is an algorithm A that breaks the semantic security of (the abstract scheme) E with advantage ε when it uses Samp. Then, there is an algorithm B, running in about the same time as A, that solves the ICP with advantage ε/2. Somewhat Homomorphic Scheme. Gentry s somewhat homomorphic encryption (SHE) scheme bases on the abstract scheme and is instantiated with ideal lattices, thus becoming a semi-concrete scheme (some details remain abstract). His motivation for using ideal lattices is that they not only have an additive, but also have a multiplicative structure that will enable us to evaluate deep arithmetic circuits (though we will need more tricks before we ultimately obtain a bootstrappable scheme). Bootstrappability means the scheme s ability of homomorphically evaluating augmented decryption circuits. Therefore, he geometrically interprets the sets of encryptable and decryptable elements as balls with some radii r Enc and r Dec, and in Theorem states the bound log log r Dec log log(γ r Enc ) on the depth of correctly evaluable circuits. After that, Gentry proposes instantiations for the underlying ring, for the Encrypt- and Decrypt-algorithms (thus, also values for r Dec and r Enc ), and in Section 7.7 he states that this instantiation of the abstract scheme is semantically secure if the underlying decisional bounded distance decoding problem (DBBDP) is hard. (In his words the ICP becomes the DBDDP if instantiated with ideal lattices.) Although this scheme is the first concrete one, keep in mind that some algorithms still remain abstract. Tweaks. Before Gentry comes to his squashing-technique, he applies two tweaks to the somewhat homomorphic scheme: 1. At first, he redefines the decryption equation to π = ψ vj sk ψ mod B I for a short vector vj sk J 1. By this Gentry simplifies the equation and reduces the computational complexity (he also lowers the range of decryptable elements). 2. The second tweak is to halve the radius r Dec of the ball B(r Dec ) of decryptable elements. This is done for the purpose of reducing the circuit complexity of the Decrypt-algorithm, since reducing r Dec by half ensures vectors to be closer to J and the decryption-process will need less precision. The second tweak is especially slightly more complicated, since several different techniques are applied. Therefore, the decryption equation π = ψ BJ sk (B sk J ) 1 ψ mod B I is split into and computed in three steps: 14

21 2.1 Lattice-Based Encryption Schemes I. Generate n vectors x 1,..., x n with n i=1 x i = (BJ sk) 1 ψ. II. From x 1,..., x n generate integer vectors y 1,..., y n+1 with n+1 i=1 y i = n i=1 x i. III. Compute π = ψ BJ sk ( n+1 i=1 y i) mod B I. It shall only be mentioned here that step I will be eliminated by the squashing-technique (i.e. transferred to the encrypting party), for step II only O(log n) bits of precision for the rational vectors x i are required when using Karp s 3-for-2-trick (cf. [31]), the computation of y i can be boosted using elementary symmetric polynomials, and in step III the computation can be done in constant depth (using a polynomial fan-in circuit). For further details see Section 9 in [20]. Squashing the Decrypt-Algorithm. The squashing-technique is as follows: The owner of the secret key sk adds a hint of sk inside the public key pk after creating the key-pair, which the encrypting party then uses in its (extended) computation. Thanks to Tweak 1, the secret key consists of the vector vj sk and the decryption equation is π = ψ vj sk ψ. Using the somewhat homomorphic scheme, one adds the following algorithms: SplitKey(sk, pk ). On input sk, which either is a secret key sk of the somewhat homomorphic scheme or the special symbol, and a public key pk of the somewhat homomorphic scheme, this algorithm outputs the tuple (sk, T ) where: 1. T is a set of t vectors v 1,..., v t uniformly random in J 1 mod B I with the constraint that there exists a subset S {1,..., t} with S = s such that i S v i vj sk + I. 2. sk is a matrix encoding which elements of T are elements of S. ExpandCT(pk, ψ ). On input a public key pk (which includes the set T = (v 1,..., v t )) and a ciphertext ψ of the somewhat homomorphic scheme, this algorithm outputs c i := v i ψ mod B I for i = 1,..., t. Making use of these two new methods, the algorithms for the squashed scheme have to be slightly adjusted: KeyGen(λ). Run the KeyGen-algorithm of the somewhat homomorphic scheme to obtain (sk, pk ) and run (sk, T ) SplitKey(sk, pk ). The secret key is sk, the public key pk = (pk, T ). Encrypt(pk, π). Run the Encrypt-algorithm of the somewhat homomorphic scheme using pk to obtain ψ, run ExpandCT(pk, ψ ) to receive the expansion (c 1,..., c t ) of ψ and output ψ = (ψ, c 1,..., c t ). Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ of the form ψ = (ψ, c 1,..., c t ), this algorithm performs the following steps: i. Generate the vectors x i using sk and the c i s. ii. Proceed with step II, and iii. Proceed with step III of the decryption equation like on page 14. Add(pk, ψ 1, ψ 2 ). Extract the ciphertexts ψ 1, ψ 2 from ψ 1, ψ 2, run the Add-algorithm of 15

22 2 HOMOMORPHIC ENCRYPTION SCHEMES the somewhat homomorphic scheme to obtain ψ, run ExpandCT on ψ and output (ψ, c 1,..., c t). Analogue steps are done for Mult. Remark. An easy way to generate T would be to generate t 1 uniform vectors v i in J 1 P (B I ), set v t := vj sk s i=1 v i and permute the resulting t vectors. The security of the squashed scheme relies on the hardness of the SKDP: Theorem 2.2 ([20], Theorem ). Suppose that there is an algorithm A that breaks the semantic security of (the squashed scheme) E above with advantage ε. Then, there exist algorithms B 0 and B 1, running in about the same time as A, such that either B 0 s advantage against the SplitKey Distinguishing Problem or B 1 s advantage against the semantic security of (the somewhat homomorphic scheme) E is at least ε/3. Gentry proves the security for the abstract version of the squashed scheme, using an abstract version of the SplitKey Distinguishing Problem (as stated in Definition 1.7). The proof easily carries over to a semi-concrete version of the squashed scheme based on the concrete instantiation of the SplitKey-algorithm as defined above. This semi-concrete version can be proven secure if the SSSP is hard: Theorem 2.3. Let A be an algorithm that decides the concrete version of the SKDP with advantage ε, and let B I and IdealGen be such that det(i) and det(j) are distinct primes and q/ det(ij) is super-polynomial (in the security parameter). Then, there is an algorithm B, running in about the same time as A, that decides the SSSP with advantage ε/(4t) up to negligible factors. Proof. The proof is just the combination of the proofs of Theorems and in [20]. There, an intermediate problem, namely the sparse vector subset sum problem, is introduced, which is needed for the reduction SSSP SVSSP SKDP to work. In addition, Gentry proves that the squashed scheme is hard if the search version of the SSSP is hard (Theorem ). Fully Homomorphic Encryption Scheme. The only question, which remains unanswered up to now, is: For which parameters is the proposed semi-concrete squashed scheme bootstrappable, or how can we choose the parameter s for the SSSP to be hard while still maintaining bootstrappability (the ability of homomorphically evaluating augmented decryption circuits)? Theorem 2.4 ([20], Theorem ). The (semi-concrete) scheme E is bootstrappable when s log c 1 s log(r Dec/m) 2 c 2 log(γ renc ), where log c 1 s is the polylog-term arising in Lemma 9.0.3, m arises from the redefinition of C E in the Tweaks (m = 2 when just Tweak 2 is used), and c 2 is a constant representing the depth needed in a circuit having Add BI gates with γ = n Ω(1) fan-in and Mult BI gates with constant fan-in to sequentially perform Decrypt steps i, iii and a NAND gate. 16

23 2.1 Lattice-Based Encryption Schemes Name Remaining abstract Instantiated (accumulative) Abstract Rings, ideals, ICP, encryption, decryption, key generation,... Somewhat homomorphic Key generation Ring, ideals ideal lattices, encryption, decryption, ICP BDDP Squashed Key generation, SKDP Semi-concrete Key generation SKDP Fully homomorphic Key generation (SampleD) Table 1: Overview of Gentry s Schemes After giving some optimizations to the squashed scheme, Gentry describes a concrete scheme, instantiating the remaining abstract methods: For the Sample-algorithm Gentry makes use of the SampleD-algorithm proposed by Gentry, Peikert and Vaikuntanathan in Section 3.2 (especially Theorem 3.3) in [25] which uses discrete Gaussian sampling. We call this instantiation Gentry s Fully Homomorphic Scheme. Gentry also proves the security of his fully homomorphic scheme, basing it on the IIMP: Theorem 2.5 ([20], Theorem ). Let s IIMP = G/ 2 where G := B I ω( log n) is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, and suppose that s IIMP / 2 exceeds the smoothing parameter of I, i.e. ρ 2/s IIMP (I 1 \{0}) is negligible. Suppose that there is an algorithm A that breaks the semantic security of E with advantage ε. Then, there is an algorithm B, running in about the same time as A, that solves the IIMP with advantage ε/2 (up to negligible factors). Finally, Gentry finishes his investigation of the security of the scheme by proposing a (quantum-)reduction from SIVP to IVIP, hopping over four intermediate problems. Summarizing all results, this gives Theorem 2.6. Suppose that d ISIVP = (3 e) 1/n d IVIP s IVIP s HBDDP s HBDDP /(n 1.5 f ) 2 (s MIIMP 2n B I )/(γ n) s MIIMP s IIMP s IIMP ε/(n max{ B I }) G/ 2 17

24 2 HOMOMORPHIC ENCRYPTION SCHEMES where G is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, e is Euler s constant and s IVIP > 8 γ n 2.5 ω( log n) for all ideals with determinant at least d n IVIP. Also suppose that s IIMP exceeds the smoothing parameter of I, that IdealGen always outputs an ideal J with G n < λ 1 (J) and that [R : I] is prime. Finally, suppose that there is an algorithm that breaks the semantic security of E with advantage ε. Then, there is a quantum algorithm B that solves s ISIVP -SIVP for an ε/4 (up to negligible factors) weight fraction of bases output by IdealGen. The running time of B is O([R : I] 1/ε log d IVIP time(a)). Proof. The proof for this theorem consists of using Theorems (Theorem 2.5), , , , and of [20] for creating the reduction queue SIVP ISIVP IVIP HBDDP MIIMP IIMP E sem. secure and thereby obtaining the abovementioned results. Remarks. 1. Gentry applies a random self-reduction to obtain a worst-case/averagecase connection for ideal lattices and to base the scheme s security on the worst-case hardness of SIVP to get more confidence that the scheme is secure. 2. In Section 18 Gentry describes how to adapt Kalai s algorithm to generate a random factored ideal and how to instantiate some (sub-) methods of the KeyGen-algorithm properly. Suggested Parameters for Gentry s Scheme. To provide resistance for the BDDP against lattice attacks (which run in time approx. 2 n/s for subset size s), the SSSP to be resistant against birthday attacks and lattice attacks (which run in time approx. 2 s if t is chosen large enough, e.g. t Ω(log q)), Gentry proposes to make use of the following parameters: s λ, n λ 2, log q λ 3 and t λ 3, where λ is the security parameter of the scheme. Improvements and Adaptions This subsection is intended to give an overview of work that bases on Gentry s constructions and improves them or adapts them in a similar way. Specialization of Gentry Smart and Vercauteren s construction in [47], presented at PKC 10, adapts Gentry s technique to build a fully homomorphic scheme from a somewhat homomorphic one. In particular, the scheme is a specialization of Gentry s scheme. Their somewhat homomorphic scheme has the plaintext space {0, 1}, the ring R in use is Z[x]/(f(x)) with the monic and irreducible polynomial f(x) = x 2n + 1, which minimises the expansion factor γ, the public key is a tuple (p, a) consisting of the prime p = res(f, g) and the (unique) root a F p of gcd(f, g) for some polynomial g over F p [x], and the secret key consists of (p, b) with b being the coefficient of x 0 in g s inverse polynomial modulo 18

25 2.1 Lattice-Based Encryption Schemes f(x) and 2p. For further details we refer the reader to [47], Section 3.1, in which it is compactly described how the polynomials and additional variables are chosen and how the algorithms of the scheme are computed. In Section 3.2 the proposed algorithms are analysed in detail in the sense of correctness and evaluation-depth d of the circuits for the somewhat homomorphic scheme. Therein, Smart and Vercauteren use Gentry s Theorem to obtain a bound on d, but one has to be careful since Gentry s analysis uses the 2-norm whereas Smart and Vercauteren make use of the -norm. For the security analysis of their scheme in Section 4 they introduce two new problems: The first problem, called Small Principal Ideal Problem (SPIP), asks to find a small generator for a principal ideal when given a two-element- or a HNF-representation. (This problem evolves when one tries to recover the secret from the public key, so called Key Recovery.) They only informally argue that no efficient solution for this problem can be found that is reasonably small, relying on the Baby-Step/Giant-Step method and Buchmann s sub-exponential algorithm for units and class groups, even though the SPIP is an instance of a classical and well studied problem in algorithmic number theory. The second problem, called Polynomial Coset Problem (PCP), is similar to Gentry s ICP and asks one to decide whether the value of r is the evaluation of a small polynomial in the root a or a random value (both taken mod p). Theorem 2.7. ([47], Theorem 1) Suppose there is an algorithm A which breaks the semantic security of our somewhat homomorphic scheme with advantage ε. Then there is an algorithm B, running in about the same time as A, which solves the PCP with advantage ε/2. They also informally argue that recovering a plaintext from a given ciphertext would be an instance of the CVP. They are unable to apply a worst-case/average-case reduction to their scheme, but state that the underlying lattice problem is well-studied. The encryption of a single bit with the established somewhat homomorphic scheme is then extended to a larger message space. The authors are able to encrypt and decrypt polynomials up to degree 2 n 1. Roughly speaking, they expand the secret key to be a vector of coefficients b i rather than a single coefficient b. For details on this extension see Section 6 of [47]. At the end one is given implementation results. There one can see that the scheme of Smart and Vercauteren in [47] cannot be made fully homomorphic for practical values of n. Furthermore it should be mentioned that their KeyGen-method has a disadvantage concerning time complexity, since the constraint until p is prime is very strict and entails a high number of iterations until it is satisfied. So we see that although Smart and Vercauteren s scheme is a specialization of Gentry s scheme and they obtain relatively small key and ciphertext sizes, there also are disadvantages in the practicality of this scheme. 19

26 2 HOMOMORPHIC ENCRYPTION SCHEMES Implementing Gentry s Scheme Presented at EUROCRYPT 11, Gentry and Halevi describe in [24] a working implementation of (a variant of) Gentry s fully homomorphic scheme which is similar to that of Smart and Vercauteren [47]. Their main result is an optimised KeyGen-algorithm for the underlying somewhat homomorphic scheme, but they also implemented other optimizations. The scheme of Gentry and Halevi, in comparison to the one of Smart and Vercauteren, also uses a principal ideal J = (v) in the ring R = Z[x]/(f(x)) with f(x) = x 2k + 1 of degree n = 2 k. The difference is that the condition until p is prime of the Smart- Vercauteren scheme is not required. The optimizations for the somewhat homomorphic scheme are: The KeyGen-algorithm on input n and a precision P computes the following steps: 1. For i = 0,..., n 1 randomly choose v i as (signed) integer of precision P and set v = (v 0,..., v n 1 ). 2. Compute the inverse w of v with v w = p mod f(x). 3. Check that v is a good polynomial. Step 3 requires the HNF of the ideal lattice J to be of the form p r 1 r 2 r 3 r n 1 B pk 0 :=. I n 1, (1) 0 where p = det(j) = res(v, f), r is a root of f(x) modulo p, r i := r i mod p and I n 1 denotes the (n 1)-dimensional identity matrix. This condition is equal to the fact that the lattice spanned by the rotation basis of v contains a vector of the form ( r, 1, 0,..., 0) T (proven in Lemma 1 of [24]), being equal to the more simple condition r n = 1 mod p. Thus, we can use the two integers d, r to represent the public key (Remark 1 in [24]). The secret key usually would consist of (v, w) where w is v s inverse polynomial and for the computation of w one usually applies the extended Euclidean algorithm to v, f. In Section 4, the authors present a more efficient way to compute w (they obtain the relation w i+1 = w i r mod p for the coefficients of w) and in Section 6 they show that only a single, odd coefficient w i has to be stored as the secret key (since decryption can be optimised to π = ψ w i mod p mod 2 with ψ being an integer, see next item). For the encryption of a bit π {0, 1} they show that the computation of the ciphertext can be simplified from the vector ψ = (π + 2u) mod B pk to the integer ψ = (b + 2 n 1 i=0 u ir i ) mod p, where u i = { 0 with probability q ±1 with probability (1 q)/2 each 20

27 2.1 Lattice-Based Encryption Schemes for i = 0,..., n 1 and u = (u 0,..., u n 1 ). Thus, the expensive part of the computation of ψ is the evaluation of the noise polynomial u(x) in r. With a recursive evaluative approach, which consists of splitting the polynomial into two halves, evaluating these two halves and combining the results, they obtain a bound of 2n multiplications rather than n 1 when using Horner s rule. (Note that one has to have enough memory to keep intermediate computations when using this batch technique.) For obtaining a fully homomorphic scheme, the authors squash the somewhat homomorphic scheme by blowing up the public key to contain s sets T 1,..., T s of t integers, the secret key being s vectors σ i with each Hamming weight 1. In Section 9 they give optimizations to this disadvantage: Each set T i is defined to be a geometric progression in Z p, namely there exists an element x i such that the j-th element in T i is x(i, j) := x i R j mod p for j = 0,..., t 1 and R is some parameter (see [24], bottom of Section 10.2). So, we keep only the elements x 1,..., x s in the public key. The (secret) sparse subset still contains a single element of each T i, i.e. for each i there exists an index j i such that s i=1 x(i, j i) = w mod p for the secret key w. Further optimizations are made for the encryption of the secret key. In Section 10 Gentry and Halevi show how they set the parameters for the (challenges of their implemented) scheme appropriately and they end with an analysis of the performance of their scheme on the proposed challenges. Improving Gentry s KeyGen-Algorithm Ogura et al. in [39] propose a practical variant for the KeyGen-algorithm for Gentry s fully homomorphic scheme, which appeared at IWSEC 10. They establish a relationship between the circuit depth d of the scheme and the eigenvalues of the basis of a lattice in Theorem 2 and determine in Theorem 3, how the eigenvalues for a rotation basis can be computed. In Section 4 they propose two KeyGen-algorithms (in Table 1 and Table 3) that on input d output the secret and public bases (B sk, B pk ) of a lattice (corresponding to the ideal lattice J in Gentry s scheme). Since their construction is very technical, we will omit it here and refer the reader to [39]. At last, they show experimental results for their algorithm when using f(x) = x n 1 and state that their algorithm(s) could be used in the papers/schemes of Smart and Vercauteren [47] or Stehlé and Steinfeld [49]. Future work would be to obtain a KeyGen-algorithm that is more general in the generation of the keys as well as to further investigate the security of this method (for specific lattices). Improving Hardness Assumption and Decrypt-Algorithm In their paper [49] of EUROCRYPT 10, Stehlé and Steinfeld describe two improvements to Gentry s scheme: They more aggressively analyse the hardness assumption (related to 21

28 2 HOMOMORPHIC ENCRYPTION SCHEMES the SSSP) and introduce a probabilistic decryption algorithm which needs a less complex decryption circuit than Gentry s. The first improvement is about the reduction of the sparse vector subset sum problem (SVSSP), which can be seen as a vector-variant of the SSSP, to the SplitKey Distinguishing Problem, being one part of the reduction in Theorem 2.3. Stehlé and Steinfeld choose I = (2) and B pk J to be the HNF of J. Their analysis differs from Gentry s by utilizing an approximate SVP solver rather than an exact one for attacking the SVSSP using a different lattice reduction method. Setting the parameters correct to thwart this attack, they obtain a new bound on the size of the subset sum, i.e. t 2 /λ = Ω(log q), which in their words is less restrictive than Gentry s t = Ω(log q). For the second improvement they allow the decryption method to make errors with negligible probability, whereas Gentry strictly forbids errors. Therefore, they specify a sufficient precision on the c i s in the ciphertext ψ = (ψ, c 1,..., c t ) for decryption to work with high probability. Let ε k denote the difference between the approximated c i s and their originals, c 1,..., c s 1, c t be the (left-shifted) c i s corresponding to 1 s of the secret key sk (the set T is created as remarked on page 16), E[ ] denote the mean and p = 1 2s + ω(log log λ) denote the precision, then we have the following. Lemma 2.8 ([49], Lemma 5.1). Let ε 1,..., ε s 1 R be independently identically distributed variables with values in [ 2 p, 2 p ] and such that E[ε k ] = 0 for all k(< s). Then k s 1 ε k > s 1 2 p ω( log λ) with probability negligibly small with respect to λ. In Figure 4 they give the computation of the p-approximation of the c i s and show it to be correct. Like Gentry, the authors use Hamming weights inside the decryption method, but they state that only log 2 s instead of all bits are needed. Overall, their investigation leads to a new bound on the bootstrappability of their squashed scheme SqHom (which makes use of both Tweaks and another optimization of Gentry): Theorem 2.9 ([49], Theorem 5.1). The scheme SqHom is bootstrappable as long as s ω( log λ) log(r Dec /m) log(r Enc γ s) (where m = 8 2 n 2.5 since both Tweaks are used). Finally, Stehlé and Steinfeld present their choice of parameters, i.e. s = Θ(λ), n = Θ(λ 1.5 ), log q = Θ(λ 2 ) and t = Θ(λ 1.5 ), which is smaller compared to Gentry s choice (see page 18). Also, the complexity of the re-encryption (and evaluation) process are lowered from O(λ 6 ) to (λ 3.5 ) and the size of the secret key is reduced from O(λ 3.5 ) to O(λ 1.5 ). Fully Homomorphic SIMD Operations In their first paper [47] on this topic (available on the eprint), Smart and Vercauteren mentioned that SIMD (single instruction, multiple data) style operations on data could be supported by their scheme. The improvement of their slow KeyGen-algorithm by 22

29 2.1 Lattice-Based Encryption Schemes Gentry and Halevi [24] seems to exclude these operations when using the proposed parameters. In [48], Smart and Vercauteren show how to select parameters for Gentry and Halevi s implementation that re-enable SIMD operations for the somewhat homomorphic scheme, how to construct a fully homomorphic scheme when performing re-encryptions in parallel and in which way SIMD operations can be useful in practice. For the KeyGen-algorithm, the authors make use of the one proposed by Gentry and Halevi, but they suggest not to use R = Z[x]/(f(x)) with f(x) = x 2n + 1, but to choose the polynomial as f(x) := Φ m (x) of degree N = ϕ(m) instead, where Φ m (x) denotes the m-th cyclotomic polynomial and ϕ denotes Euler s totient function. (With this particular choice one gets that R is isomorphic to a product of r finite fields of degree p := N/r.) After the generator v for J = (v) is chosen, Smart and Vercauteren make heavy use of fast Fourier transform (e.g. the algorithms of Cooley-Tukey, Good-Thomas, Rader) in the computation of v s inverse and hence obtain (nearly) the same complexity for the KeyGen-algorithm than when using f(x) = x 2n +1 (the implied constants are only slightly greater). Having again a closed expression for the coefficients of the secret key, the size of the secret key can be reduced to a single integer like in [24]. In Section 5 (and especially in Algorithm 4), the authors show how to perform the reencryption operation in parallel. Therein, the above construction of R being isomorphic to a product of finite fields is used. Experimental results of the scheme using this parallel re-encryption method (Option 3) and the bitwise fully homomorphic encryption scheme (Option 1) can be found in a table at the bottom of Section 6. The main point is that the parallel version is more than 2.4 times faster than the standard FHE scheme and, in addition, the ciphertext size is reduced by a factor 1/72. As a possible real-life application of their scheme, Smart and Vercauteren mention searching in an encrypted database on a remote server, which is analysed in detail in Section 7.3. Self-loop-based Specialization I In [14] (eprint), Gu uses a small modification of the somewhat homomorphic scheme presented by Smart and Vercauteren in [47] and turns it into a fully homomorphic scheme by using a self-loop-based approach. The modification consists in the choice of the secret key, which is re-chosen when its binary representation has Hamming weight above some bound b. A constraint on this bound is b s, where s is the size of the subset S of the SSSP. Encrypting the bits of the binary representation of the secret key (for some fixed precision) using the somewhat homomorphic encryption scheme, these encryptions are then added to the public key and hence a fully homomorphic encryption scheme is obtained. Note that no SSSP-instance is introduced here for the construction of the FHE scheme. In addition, a re-encryption method is depicted and proven to be correct (Theorem 3.1). Besides all this, Gu does not prove its scheme to be secure if the polynomial coset problem is hard, although he states this to be true. One can obviously apply [47], Theorem 1, to Gu s somewhat homomorphic scheme, but this does not prove his fully homomorphic scheme to be semantically secure. Furthermore, the author does not discuss the 23

30 2 HOMOMORPHIC ENCRYPTION SCHEMES evaluative capacity of his scheme. Self-loop-based Specialization II Gu also proposes another way to obtain a fully homomorphic encryption scheme. In [12] (eprint), he bases the security of his scheme on a new problem which is called Decisional Hidden Principal Ideal (lattice polynomial) Problem (DHPIP), being an analogue to the AGCDP in lattices or polynomial rings, respectively. His somewhat homomorphic construction bases on the ring R = Z p [x]/(x n 1), uses as secret key a (specially chosen) polynomial s and as public key the tuple (λ, p, (b 1,..., b τ )), where λ is the security parameter, p the determinant of the (ideal) lattice (s), τ = O(λ) and b i is a polynomial chosen from the distribution Dist λ (f) := {choose a i, e i R R, e i λ/2, output b i = a i f + e i }, where f fulfills s f = 0 mod (x n 1) mod p and gcd(f, 2) = 1. Encryption, Decryption and Evaluation are performed similar to the scheme of van Dijk et al. below (cf. next subsection, in particular Fully Homomorphic Encryption over the Integers ). Gu proves that his KeyGen-algorithm has a polynomial time complexity, that decryption works if the error term is below some bound, and that the proposed somewhat homomorphic scheme is correct for circuits up to depth (1 + ε 1 ) log 2 λ, where ε 1 (0, ε) is some real depending on the constant ε > 0 of the polynomial s. For the fully homomorphic scheme, Gu uses his technique of a self-loop, i.e. he encrypts the coefficients of the secret key (polynomial) using his somewhat homomorphic scheme and puts them into the public key. He also introduces a re-encryption procedure for his FHE scheme, and proofs its security: Theorem 2.10 ([12], Theorem 5.2). Suppose there is an algorithm A which breaks the semantic security of our SHE with advantage ε. Then there is a distinguishing algorithm D against DHPIP running in about the same time as A with advantage at least ε/2. In addition, Gu shows that there is a probabilistic polynomial time reduction from Ring- LWE (learning with errors) to DHPIP. Altogether, the size of the public key is O(n 3+ε ), of the secret key O(λ 1+ε ) and of the re-encryption (and evaluation) process O(λ 4+ε log 2 λ). Hence, Gu obtains values for his scheme relatively close to those of Stehlé and Steinfeld, see 2.1 on page 22. Giving some practical parameters, changing the modulus from x n 1 to x n +1, extending the scheme to a larger message space and raising open problems finishes the paper Integer-Arithmetic Encryption Schemes Besides all these lattice-based schemes, some effort has been made to accomplish fully homomorphic encryption using only integer arithmetic. 24

31 2.2 Integer-Arithmetic Encryption Schemes Fully Homomorphic Encryption over the Integers We start by describing the work of van Dijk, Gentry, Halevi and Vaikuntanathan in their paper [50] which appeared at ASIACRYPT 10. Let Dist γ,ρ (p) denote the distribution as mentioned in the definition of the AGCDP in Definition 1.8 using certain (bit)lengths γ (integers in public key) and ρ (noise), ρ an additional noise (bit)length, η denote the (bit)length of the secret key and τ be the number of integers in the public key. Then, the somewhat homomorphic scheme of van Dijk et al. is as follows: KeyGen(λ). On input the security parameter λ, randomly choose p R (2Z + 1) (2 η 1, 2 η ) and integers (x 0,..., x τ ) via x i R Dist γ,ρ (p) such that (after relabeling) x 0 is the largest, odd and x 0 mod p is even. Restart until all conditions hold. Output the secret key sk := (p) and public key pk := (x 0,..., x τ ). Encrypt(pk, π). On input a public key pk and a plaintext π {0, 1}, choose a random subset Υ {1,..., τ}, a random integer r ( 2 ρ, 2 ρ ) and output the ciphertext ψ := π + 2r + 2 i Υ x i mod x 0. Decrypt(sk, ψ). On input a secret key sk and a plaintext ψ, output the plaintext π = ψ mod p mod 2. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C (of allowed circuits) with k inputs and a set Ψ = (ψ 1,..., ψ k ) of k ciphertexts, execute the addition and multiplication gates in C using the inputs ψ i in correct order to obtain a new ciphertext ψ. Output ψ. There is given a set of constraints for the parameters of the scheme and also a suitable choice for the (bit)lengths as ρ = λ = ρ /2, η = O(λ 2 ), γ = O(λ 5 ) and τ = γ + λ. The authors prove correctness of their somewhat homomorphic scheme and give a bound to define the set of allowed circuits (Lemmas 2 and 3). Their main result is basing the security of the somewhat homomorphic scheme on the hardness of the approximate-gcd problem (AGCDP): Theorem 2.11 ([50], Theorem 2). Fix the parameters ρ, ρ, η, γ, t as in the somewhat homomorphic scheme (... all polynomial in the security parameter λ). Any attack A with advantage ε on the encryption scheme can be converted into an algorithm B for solving (ρ, η, γ)-agcdp with success probability at least ε/2. The running time of B is polynomial in the running time of A, and in λ and 1/ε. In Section 5 they investigate attacks to the AGCDP: lattice-based algorithms for simultaneous Diophantine approximation, Nguyen and Stern s orthogonal lattice and extensions of Coppersmith s method to multivariate polynomials. To obtain a fully homomorphic scheme, van Dijk et al. adapt Gentry s squashing technique by introducing an instance of the SSSP. They prove correctness and bootstrappability of their fully homomorphic scheme in Lemma 4 and Theorem 3 (relating to the security-investigation of Gentry), but also mention that efficiency-improvement of their scheme is an open problem while preserving the hardness of the approximate-gcd problem. 25

32 2 HOMOMORPHIC ENCRYPTION SCHEMES New Fully Homomorphic Encryption over the Integers Like in his paper [14] of a self-loop-based modification of Smart and Vercauteren s scheme, Gu in [13] (eprint) states having solved the open problem in the scheme of van Dijk et al. above. Therefore, the author uses a construction for his somewhat homomorphic scheme similar to the one of van Dijk et al. (including even one optimization). Again utilizing the selfloop-technique, i.e. encrypting the bits of the secret key and inserting the results into the public key, Gu retrieves a homomorphic scheme which is correct for arithmetic circuits up to depth log 2 λ. The security of the proposed scheme relies on the hardness of the AGCDP, using Theorem 2 of van Dijk et al. in [50] (see Theorem 2.11 above). Additional Work to Homomorphic Encryption Schemes This subsection is intended to give an overview of further work in the field of (fully) homomorphic encryption, especially concerning the security definitions for homomorphic encryption schemes and hence dealing with the schemes described above. Investigation on CCA-Security of FHE Schemes We have seen above that the proposed schemes were proven CPA-IND relying on the hardness of different problems. The next interesting question is whether those schemes also achieve security in the sense of CCA1- and CCA2-IND? Loftus, May, Smart and Vercauteren in their work [35] (eprint) concentrate on this problem and analyse some schemes in light of CCA1-security, since the achievement of CCA2-IND is not possible for any fully homomorphic scheme because it is malleable. The focus of the authors is on two variants of the Smart-Vercauteren scheme (which originally was proposed in [47]): a Gentry-Halevi variant and a full-space Smart-Vercauteren variant including a ciphertext-check (called ccfhe). Although they only investigate the basic somewhat homomorphic schemes, their results can be applied to the extension into fully homomorphic schemes using the bootstrapping process. In Section 4 they present a CCA1-attack on the variant of Gentry-Halevi in Algorithm 1 which needs access to a decryption oracle making only O(log p) queries, where p is the determinant of the corresponding lattice. Roughly speaking, the authors apply the bisection method to recover the secret key, in this process selecting a new ciphertext according to the correct interval. Their main result is then stated in Theorem 1, namely that the ccfhe scheme is secure in the context of Plaintext Awareness (PA-1, a security notion introduced by Bellare and Palacio in [3]) in the standard model assuming a lattice-based knowledge assumption. Hence they have shown that ccfhe is CCA1-IND, but it is not secure against ciphertext verification attacks (CVA, originally introduced as CPA+ by Dent) for which they show an attack in Algorithm 2 in Section 6. In summary, the quintessence of the paper of Loftus et al. is that there exist examples of CCA1-IND fully homomorphic encryption schemes, although not every fully homomor- 26

33 2.2 Integer-Arithmetic Encryption Schemes phic scheme is automatically CCA1-secure, and no (fully) homomorphic scheme can be CCA2-IND. A remaining open problem is if CCA1-IND is the correct security notion for homomorphic encryption schemes, or if a stronger notion like CVA would be more suitable. Obtaining CCA-Security for Homomorphic Encryption Schemes In [28] (eprint), Hemenway and Ostrovsky contribute to the question: Under which properties a homomorphic scheme becomes CCA-secure? Their results can be summarised as follows: Having either a cyclic ciphertext space, or a cyclic randomness group whose order has (some) different divisors than the order of the plaintext group, or a cyclic plaintext space consisting of more elements than the randomness space, then a homomorphic encryption scheme is CCA-secure. These statements are proven in Corollaries 2 and 5 (as a result of Theorem 1) and Corollary 1 (as a result of Lemma 2), respectively, using intermediate results on lossy trapdoor functions and diverse group systems. Very Recently Published Results towards a FHE Scheme This subsection is intended to complete the area of fully homomorphic encryption by presenting the very recently published results, not going into details like in the previous subsections since the publications only appeared at the end of writing this thesis. All of the mentioned papers were published on the eprint. FHE without Squashing Using Depth-3 Arithmetic Circuits Gentry and Halevi present a new way to obtain a fully homomorphic encryption scheme without Gentry s technique of squashing the decryption circuit in [23]. Therefore, their new approach constructs a FHE scheme by combining a somewhat homomorphic with a multiplicatively homomorphic encryption scheme. The authors obtain a FHE scheme in which they replace the SSSP by a Decisional Diffie-Hellman problem, the first FHE scheme based only on worst-case hardness using a quantum-reduction from their leveled FHE scheme to ideal-sivp, and efficiency results concerning the mentioned FHE schemes in the way of optimising the ciphertext length. Within their paper, they use the result of Ben-Or who stated that multilinear symmetric polynomials are computable using depth-3 arithmetic circuits, as reported in [38]. This is an innovation and the most important difference to the previously mentioned schemes which utilise Gentry s result of using boolean circuits for the computation of the Evaluatealgorithm. 27

34 2 HOMOMORPHIC ENCRYPTION SCHEMES Cryptanalysis of the Smart-Vercauteren and Gentry-Halevi s FHE In [11], Gu cryptanalyses the schemes by Smart and Vercauteren of [47] and Gentry and Halevi of [24] using block reduction algorithms. The author states that both schemes become insecure for dimensions up to 6000 by using an attack which finds a small multiple of the generator of the principal ideal and thus is able to correctly decrypt ciphertexts. Efficient FHE from (Standard) LWE Brakerski and Vaikuntanathan in [8] obtain a fully homomorphic encryption scheme as one of the first without using Gentry s squashing step. Introducing the so-called re-linearization technique, they construct a somewhat homomorphic encryption scheme based on the learning with errors (LWE) problem in contrast to the previously used complexity assumptions on ideals in various rings. Introducing another technique, called dimension reduction, the authors shorten the size of the ciphertext, thereby reducing the decryption-complexity and thus removing the necessity of the squashing step and the additional SSSP assumption. Overall, this gives a new way to construct fully homomorphic encryption schemes without the need for Gentry s technique(s) and especially without the additional hardness assumption not related to classical lattice problems. Fully Homomorphic Encryption without Bootstrapping In [22], Gentry describes the construction of a (leveled) FHE scheme whose security is based on the LWE or ring-lwe problems and does not require the bootstrapping step. Adapting some tools of Brakerski and Vaikuntanathan from [8], Gentry lowers the computation complexity of the constructed leveled FHE scheme to be quasi-linear (O(λ L 3 )) in the security parameter λ, and bases the security on the ring-lwe problem with approximation factor exponential in the number L of levels. Using bootstrapping as an optimization, the author can show that the per-gate computation is O(λ 2 ). For LWE Gentry obtains similar results, but with worse performance. He further reduces the per-gate computation to O(λ) as in contrast to previous schemes that required O(λ 3.5 ). 28

35 3. Homomorphic Signature Schemes We now come to the the progress on homomorphic signature schemes which is less enormous than the encryption-progress, since there has been little investigation in this field of homomorphic application up to now. Linearly Homomorphic Signatures In [7] which appeared at PKC 11, Boneh and Freeman introduce a linearly homomorphic signature scheme whose security is based on a new hard problem in lattices (k-sis) in the random oracle model (ROM). Furthermore, they present an ordinary (k-time) signature scheme secure in the standard model. Definition 3.1 (k-small Integer Solution Problem (k-sis)). Given a matrix A Z n m q and a set of k vectors e 1,..., e k Λ q (A), find a non-zero vector v Z m such that 1. v β, 2. Av = 0 mod q, i.e. v Λ q (A), and 3. v Q-span(e 1,..., e k ). Additional Parameters for the k-sis are q, m, β and κ (the use of κ will be explained later). Remark. Note that A is chosen uniformly random from Z n m q i = 1,..., k. and e i D Λ q (A),κ for In Theorem 6 the authors state that an algorithm which solves k-sis in dimension m can be used for solving SIS in dimension m k. Since the linearly homomorphic scheme builds on the signature scheme by Gentry, Peikert and Vaikuntanathan (GPV, [25]), we will recall the basics of GPV in short: The public key is a lattice Λ Z n, the secret key a short basis of Λ. To sign a message m, the signer hashes m to H(m) Z n /Λ and samples a short vector σ in the coset H(m) + Λ. To verify σ, one has to check that σ is short and σ mod Λ = H(m). With these basics the linearly homomorphic signature scheme is presented as follows: Setup(n; N, k, L, m, q, κ). On input the security parameter n, the dimension N = n of vectors to be signed, the dimension k < n of subspaces to be signed, the maximum number L 1 of linear combinations which can be verified, an integer m(n, L) > n, an odd prime q(n, L) and a real κ(n, L), do: 1. Run TrapGen(n, m, 2q) from GPV to generate a matrix A Z n m 2q and a basis T of Λ 2q (A) such that T 30 n log(2q), where T denotes the Gram-Schmidt orthogonalization of T. 2. Let H : {0, 1} Z n m 2q be a hash function, viewed as a random oracle. 3. Output the public key pk = (A, H) and secret key sk = (A, H, T ). Sign(sk, τ, π τ ). On input a secret key sk, a tag τ {0, 1} n and a message π τ {0, 1} n, do: 1. Set B := A H(τ) Z n 2m 2q. 2. Let S := ExtBasis(T, B) be a basis for Λ 2q (B) with S = T, where ExtBasis is an algorithm which computes a short basis. 29

36 3 HOMOMORPHIC SIGNATURE SCHEMES 3. Output σ := SamplePre(B, S, κ, q π τ ). Combine(pk, τ, ((α1 τ, στ 1 ),..., (ατ l, στ l ))). On input a public key pk, a tag τ and pairs (αi τ, στ i ) with ατ i {0, 1} for i = 1,..., l, output the signature στ := l i=1 ατ i στ i Z 2m. Verify(pk, τ, y, σ τ ). On input a public key pk = (A, H), a tag τ, a signature σ τ Z 2m and a vector y {0, 1} n, compute B := A H(τ) Z n 2m 2q. If the following conditions hold, output 1, otherwise 0: 1. σ τ L κ 2m, and 2. B σ τ = q y mod 2q. The security of the abovementioned homomorphic signature scheme relies on the hardness of the k-sis: Theorem 3.2 ([7], Theorem 11). Let S be the linearly homomorphic signature scheme over F 2 described above. Suppose that m = 6n log(2q) and κ = 30 n log(2q) log n. Let β = L κ 2m. Then S is unforgeable in the random oracle model assuming that k-sis q,2m,β,κ is infeasible. (Infeasible here means that the probability of finding a solution for the k-sis q,2m,β,κ problem is negligibly small.) Boneh and Freeman state that they are forced to choose k = O(1) in their scheme (by Theorem 6), since the SIS problem is only assumed to be hard for β = poly(n). In Section 6 the authors then describe a stateless variant of the GPV scheme which is k-time unforgeable in the standard model, where k-time unforgeable means that the forger is allowed at most k signing queries. As an open problem an improved reduction from k-sis to worst-case lattice problems, either by tightening the given reduction or establishing a direct reduction, is mentioned. Homomorphic Signatures for Polynomial Functions In [6] (eprint), Boneh and Freeman develop a different construction of a homomorphic signature scheme that is able to evaluate polynomial functions on a set of signatures. Via the intersection method they compute a simultaneous signature on the message π F p and on the hash of f (the description of the function f), therein using an ideal lattice construction similar to the one used by Gentry in establishing his fully homomorphic encryption scheme. We omit the depicted linearly homomorphic scheme which the authors give in Section 5, but directly give the description of the polynomially homomorphic scheme of Section 6 since the linear scheme is very similar to the polynomial scheme: Setup(n, t). On input the security parameter n and a data set size t, do: 1. Choose a monic irreducible polynomial f(x) Z[x] of degree n with γ = poly(n). Let K := Q[x]/(f(x)) and R := Z[x]/(f(x)) such that R = Z n. 2. Run the PrincIdealGen-algorithm twice with input f, n to produce distinct principal degree-one prime ideals p := (p, x a) and q := (p, x b) of R with generators g p, g q, respectively. 30

37 3. Apply the algorithm of Lemma to the set {g p g q, g p g q x,..., g p g q x n 1 } to obtain a basis T of p q. 4. Define ν := γ 2 n 3 log n, and choose positive integers y = poly(n) and d = O(1). 5. Let H : {0, 1} F q be a hash function (modeled as a random oracle). 6. Output the public key pk = (f, p, q, a, b, ν, y, d, H) and secret key sk = T. Sign(sk, τ, i, π τ i ). On input a secret key sk, a tag τ {0, 1}n, an index i and a message π τ i F p, do: 1. Compute α i := H(τ i) F q. 2. Compute h = h(x) R with h(a) mod p = π τ i and h(b) mod q = α i. 3. Output σ τ := SamplePre(p q, T, h, ν) p q + h. Verify(pk, τ, π τ, σ τ, f). On input a public key pk, a tag τ {0, 1} n, a message π τ F p, a signature σ τ = σ τ (x) R and a function f F, output 1 if all following conditions hold or 0 otherwise: 1. σ τ l y γ d 1 (ν n) d, 2. σ τ (a) mod p = π τ, and 3. A σ τ (b) mod q = ω τ ( f ). Evaluate(pk, τ, f, Σ τ ). On input a public key pk, a tag τ {0, 1} n, a function f F encoded as f = (c 1,..., c l ) Z l and a signature tuple Σ τ = (σ τ 1,..., στ t ) Z n t, do: 1. Lift f F p [x 1,..., x t ] to K[x 1,..., x t ] via 2. Output σ τ := ˆf(σ τ 1,..., στ t ). ˆf := l c j Y j (x 1,..., x t ). j=1 Remarks. 1. The message space is R/p = F p, signatures are short vectors in R = Z n. 2. The set F of allowed functions consists of all polynomials in the ring F p [x 1,..., x t ] with coefficients in [ y, y] Z, maximum degree d and constant term zero. 3. Let l := ( k+d d ) 1, and {Yj } l j=1 be the set of all non-constant monomials xe xe k k of degree l j=1 e j d in lexicographical ordering. 2 Then, any polynomial f F can be written as f(m 1,..., m t ) = l j=1 c jy j (m 1,..., m t ) for c j F p. Interpret the c j s as integers in [ y, y] and encode f via f = (c 1,..., c l ) Z l. 4. To evaluate the hash function ω τ, which maps encodings of functions (in Z l ) to cosets of q in R (R/q = F q ), on an encoding f = (c 1,..., c l ) of a function f F, compute α i := H(τ i) for i = 1,..., t and define ω τ ( f ) := l j=1 c jy j (α 1,..., α t ) F q. 1 The mentioned algorithm of Lemma 3.1 corresponds to the algorithm mentioned in Micciancio and Goldwasser s book [36], Lemma 7.1, which on input an arbitrary basis and a full-rank set S in a lattice Λ of dimension m returns a basis T of Λ satisfying T S and T S m/2. 2 On details of the lexicographical ordering see the footnote in [6], page

38 3 HOMOMORPHIC SIGNATURE SCHEMES Boneh and Freeman construct an abstract scheme in Section 7 which they prove CMA- UNF under the hardness assumption for an SIS problem (Theorem 7.4) in the random oracle model (ROM). In Section 7.4 they show how to instantiate the abstract scheme to obtain the formerly constructed polynomially homomorphic scheme, thus proving it CMA-UNF in the ROM. At the end of [6], many open problems are given (e.g. for polynomials of degree 2 the derived signatures leak information about the original data set, the security of the scheme is (only) proven in the ROM and not in the standard model, furthermore the security is not based on worst-case problems in ideal lattices) and research directions (e.g. using Gentry s KeyGen-algorithm for the construction of a homomorphic signature scheme, ability of applying Gentry s bootstrapping process to signature schemes and using the technique of a random self-reduction ) Additional Work to Homomorphic Signature Schemes The main result of Johnson et al. in [30] of CT-RSA 02 regarding this progress-part is that all signature schemes that are homomorphic with respect to (integer) addition must be insecure. For constructions built from multiplicative signature schemes this is due to the fact that if we have enough, say t, messages with gcd(m 1,..., m t ) = 1, i.e. there exist a 1,..., a t Z with t i=1 a im i = 1, then one can compute the signature sig(1) of 1 via sig(1) = t i=1 a i sig(m i ). With that result the signature of an arbitrary message m can be created via sig(m) = m sig(1). 32

39 Part II Cryptanalysis of the Gentry-Halevi FHE Scheme In the second part of this thesis, our focus is on the fully homomorphic encryption scheme proposed by Gentry and Halevi in [24]. We chose this scheme since it is the most promising one to obtain helpful results when scrutinised using cryptanalytic methods and tools. Further reasons for taking a closer look at this particular scheme are its simplicity and its reasonably good practical parameters (when compared to the parameters of other implementations of FHE schemes) as well as the publicly available code of the implementation. In addition to the code, the authors also published three challenges on the webpage 3 which serve as examples for the investigative promise of their scheme s security, since the challenges are supposed to encourage other cryptographers in attacking the scheme. Part II is structured as follows: First, the scheme of Gentry and Halevi is briefly recalled and the parameter selection is described. The description focuses on the somewhat homomorphic part of the scheme since only the BDDP-instance is included in the analysis. Then, the mentioned scheme is practically attacked. Therefore, instances in (lower) dimensions are created and cryptanalysed to give a more precise insight into the security of the proposed scheme and a more concrete understanding of the choice of parameters. 4. The Gentry-Halevi Scheme 4.1. Brief Recall of the Construction The scheme of Gentry and Halevi is constructed using the polynomial ring R = Z[x]/(f(x)) for irreducible f(x) = x 2k + 1 containing a principal ideal I = (v) being isomorphic to a lattice of dimension n = 2 k. The entries of the element v = (v 0,..., v n 1 ) are chosen at random as integers of some bitsize t. The vector v is considered good if the Hermite Normal Form of its ideal lattice has a shape as in equation (1). The public key consists of two integers d, r, where d is the determinant of the basis matrix of I and r is a root of f(x) modulo d. The secret key is just one odd integer entry w of the inverse of the polynomial v modulo d. Encryption is done for a single bit only. Therefore, a trinary vector u of length n with pseudo-randomly chosen coefficients is selected and the bit b is encrypted to c = (b+2 n 1 i=0 u ir i ) mod d. The decryption simply consists of the computation of b = (c w) mod d mod

40 4 THE GENTRY-HALEVI SCHEME 4.2. Parameter Selection Gentry and Halevi give some choices for the parameters of their scheme which they believe to be sufficient to reach certain security levels. Initially, there are two parameters: the security parameter λ and the so-called BDDP-hardness parameter µ. They state that µ quantifies the exponential hardness of the Shortest-Vector-Problem (SVP) and Bounded-Distance Decoding problems (BDDP) in lattices. They assume that one needs time 2 k to approximate SVP or BDDP in the lattices resulting from their scheme up to a factor 2 µ n log k k (when using block reduction algorithms, e.g. BKZ). Selecting λ = 72 is a good choice in their opinion to prevent birthday-type and exhaustivesearch attacks. For µ they state to choose it via the equation µ = λ t n log λ, where t is the bitsize of the elements of the vector v and n is the dimension of the lattice; choosing a higher dimension will thus result in a smaller (and harder) parameter for the BDDP. The last parameter which is needed for the construction of the somewhat homomorphic scheme (within the fully homomorphic scheme), is the bitsize t of the elements of v. Gentry and Halevi propose to select t such that t p (log ( c 60 S 15) + 34), where p is the precision for elements in the small set and S is the number of elements in the big set for the SSSP (both variables also only depend on λ and µ). Experimental results of the authors showed that for c 7 one obtains the bound t 373. The remaining parameters will be omitted here, because all of them are only important for an attack on the SSSP, which is not included in this analysis (see next section). 34

41 5. Attacking the Gentry-Halevi Scheme Since we know how the parameters for the underlying somewhat homomorphic scheme are originally selected, it is determined here whether they are chosen in a good fashion to prevent cryptanalysts from breaking the scheme. Usually, the cryptanalysis of a (FHE) scheme includes key recovery and message recovery attacks on the practical, and the analysis of average-case as well as worst-case problems on the theoretical side. In particular, we focus on a key recovery attack in our analysis. Given the public key for an instantiation of this scheme, we try to obtain the corresponding secret key. The involved problem in the key recovery attack is the Bounded Distance Decoding Problem (BDDP), which is closely related to the problem of finding closest vectors in a lattice (CVP). Gentry and Halevi do not mention actual algorithms or methods which are most common to attack a BDDP, but just note that their best algorithms for approximating BDDP are based on block reductions as in [44]. In literature, the previously best known algorithm for BDDP is due to Klein [32], recently improved by Liu, Lyubashevsky and Micciancio in [34]. For the SSSP as well as for the more general subset sum problem (without the sparsityconstraint), no polynomial time algorithm is known to us, although several algorithms for special subset sum problems already have been proposed, e.g. [33] or [17] Attack Methodology and Strategies In principle, the methodology for the attack is as follows: Many samples of the Gentry- Halevi scheme are created based on the same security parameter λ = 72, but with different values for the bitsize t and the dimension n. For all these samples, the Hermite Normal Form of the (ideal) lattice s basis is constructed and upon this HNF a basis reduction algorithm is applied. From the retrieved basis a (possibly working) secret key is extracted and with this derived key an attempted decryption of a correctly encrypted bit b is performed Strategy I LLL The first strategy in attacking the scheme of Gentry and Halevi simply consists of applying the LLL-algorithm onto the Hermite Normal Form of the basis matrix with the hope of obtaining a reduced basis matrix with short and nearly orthogonal vectors. We do not expect to maintain a high success rate since for larger dimensions and bitsizes the LLL-algorithm will not find a basis of short and nearly orthogonal vectors; more precisely, due to a result of Gama and Nguyen in [18], LLL finds vectors of length approximately n det(l) 1/n, where n = dim(l). In addition to that, we expect the algorithm to need a long time for the computation in higher dimensions and with larger bitsizes. 35

42 5 ATTACKING THE GENTRY-HALEVI SCHEME Strategy II Sublattice Attack In order to lower the running time of the LLL-algorithm, we consider sublattice attacks a good second strategy. The idea of a sublattice attack was mentioned by Micciancio and Regev in [5] (on page 155) for q-ary lattices Λ q (A) with random basis matrix A Z n m q. The dimension k of the sublattice is obtained by Micciancio and Regev s formula adjusted to our setting: The optimal value is given by k = log d log δ, where the parameter δ depends on the reduction algorithm used. Good experimental values for δ are given by Gama and Nguyen in [18], and for LLL the best experienced value is δ = , whereas BKZ-20 has δ = and BKZ-28 even δ = If k n, we can deploy the idea onto the Hermite Normal Form B of the basis matrix as obtained in equation (1) and extract the k k-submatrix B (k) of B by selecting the first k rows and k columns. We then apply the LLL-algorithm on B (k) to obtain a short vector v (k) in the sublattice L = L(B (k) ). By appending zeros to v (k), we expand it to an n-dimensional short vector v in the original lattice L = L(B) Strategy III BKZ Although the block reduction algorithm BKZ is slower in running time than the LLLalgorithm, it usually gives better results (in the sense of short and nearly orthogonal bases). This is the reason why we selected it for the third strategy. We do not apply the BKZ-algorithm to the Hermite Normal Form (HNF) of the samples, which would be the naive way of using BKZ. Instead, we use the output of fplll as input to BKZ since we make use of the BKZ-implementation of the NTL, which always performs the LLL-algorithm internally. Thus, we expect to obtain much better running times. This expectation is quite reasonable because we can pick a low precision for BKZ when executed with the LLL-output, whereas we would have to pick a high precision when executed with the HNF Practical Considerations Remark. The hardware that was used for the aggregation of the running times was a Lenovo Thinkpad W510 laptop with an Intel i7 Q720 core, running at 1.6GHz, and 4GB of RAM Preparatory Work Gentry and Halevi have published the code for their implementation of Gentry s Fully Homomorphic Scheme on the previously mentioned homepage. The routine test- 4 Actually, we are trying to solve the Hermite-SVP with γ = δ n. Given a basis matrix B Z m n with m n and a constant γ 1, the Hermite-SVP asks to find a non-zero vector v of norm v γ det(l(b)) 1/n. 36

43 5.2 Practical Considerations recrypt.cc of the source code has to be compiled using Shoup s Number Theory Library NTL, [46]. The authors have modified the two files ZZ.h and ZZ.c of the NTL which have to be replaced in order for their code to work properly; for this analysis though, since we have modified the test-recrypt.cc-file to output decimal and not hexadecimal strings, one should be able to correctly compile our code using the original NTL. The modification of the routine can found in Appendix A. Using the compiled routine test-recrypt, many samples of the presented scheme were built and output: Since the routine has the ability to choose which data should be written to a file, we always decided to output all the information possible, i.e. the parameters of the scheme, the full secret key (including the part for the SSSP) as well as the encryptions of the secret key bits, which are needed in the case of homomorphically evaluating some function (since the homomorphic evaluation includes an internal, i.e. encrypted, decryption of the input ciphertexts for which the encrypted secret key bits are needed). We varied the bitsize from very small (t = 10) up to medium (t = 1000) and also the dimension from tiny (n = 2) up to the toy challenge dimension n = 512 which we decided to use as an upper bound, since the theoretical complexity of LLL points to running times exceeding a serious limit for this thesis for even higher dimensions (and/or bitsizes). For each choice of bitsize and dimension we created several numbers of samples (ranging from one sample of bitsize 1000 in dimension 512 up to 14 samples of bitsize 10 in dimension 128). A list with the numbers of all samples in various bitsizes and dimensions can be seen in Table 2. The sample of bitsize 380 in dimension 512 is the toy challenge published by Gentry and Halevi on the Public Challenges for Fully- Homomorphic Encryption -webpage 5. It obviously was created the same way as our samples. It is interesting to mention that the creation of one sample in both small dimension and bitsize was done in less than a second, the creation of a single sample in dimension 512 and relatively large bitsize (e.g. 1000) needed 15 minutes and longer Post-Processing a Strategy When the algorithm of the considered strategy finishes its work, we want to know how good our strategy was. Therefore, we wrote the C++ script ca.cc. Its functionality can be described as follows: 1. The script is given the reduced basis as input, extracts the first vector from the basis and stores it as the potential v of the scheme. 2. Using NTL s modular inversion methods, the script computes the inverse of v modulo d and stores the first odd entry from the resulting vector as the potential secret key w. 3. Since all parameters of the Gentry-Halevi scheme are known for all samples (they are dumped into a file), the script ca.cc can correctly encrypt a user-chosen bit b

44 5 ATTACKING THE GENTRY-HALEVI SCHEME dimension bitsize Table 2: The number of samples, * = toy challenge with the public key and obtain the corresponding ciphertext c. For this process we use the available encryption-routine in the code of the scheme from the authors. 4. A test for correct decryption is then performed. Therefore, we implemented the decryption equation b = c w mod d mod 2 and checked whether b = b. The bit b and the decrypted bit b are written to the console. The process (steps 1 to 4) was repeated for all samples. The results for the selected strategies were collected and are shown in the next subsection. A short remark to the choice of v: The choice to take the first vector of the basis B and not any other vector as the potential v is not taken into account since the other basis vectors are shifts of v (B is the rotation basis of v modulo f(x)). Another brief note to the encryption and decryption process: We did not use the already implemented decryption-routine of the scheme since we wanted to separate the encryption and decryption processes from each other. We ensured that the instantiation of the scheme, which is used to encrypt the bit, does not know the secret key, thus being independent and neither able to correctly decrypt the ciphertext nor to mix up our results in any other way. 38

45 5.3 Results 5.3. Results Strategy I (LLL) On nearly all samples we ran the fplll-algorithm of Cadé, Pujol and Stehlé [9] in its actual version 3.1.1, which is the fastest implementation of the LLL-algorithm known to us. In Table 3 we have listed the average running times of the fplll-algorithm on our samples in seconds. In addition, we have visualised the data set of Table 3 in Figure 2 and (with a logarithmic scale) in Figure 3. Notes for the table: A indicates that no samples of that dimension and bitsize were attacked by fplll, because the preceding samples of the same dimension with smaller bitsizes already needed plenty of time. A > indicates that the fplll-algorithm was stopped after the stated amount of seconds, although no solution had been found until then. dimension bitsize 2, 4, 8, <1 < <1 < > <1 < <1 < <1 < <1 < < < < > > < > < < < Table 3: Average running time of fplll on the samples (in seconds), * = toy challenge As one can see, fplll is very fast for all dimensions less than or equal to 16 in all bitsizes, needing less than a second to find a solution. Even for dimension 32 the fplll-algorithm finds a solution for all given bitsizes in less than 30 seconds. However, with increasing dimension it is clear that the algorithm s running time increases. Applying fplll on a sample with the smallest bitsize 10 in the highest dimension 512 takes 9 hours, whereas a sample with the next bigger bitsize 20 in the same dimension needs at least 1.5 days (we aborted the fplll-algorithm after this period of time); and on Gentry-Halevi s toy challenge with bitsize 380 in dimension 512 we let fplll run for more than 10 days without any solution. 39

46 5 ATTACKING THE GENTRY-HALEVI SCHEME avg running time (s) dimension Figure 2: Average running time of fplll on a subset of samples bitsize10 bitsize20 bitsize40 bitsize50 bitsize100 bitsize380 bitsize760 bitsize1000 From Figure 3 we get an estimate on the running time of fplll: From dimension 16 on, it is straightforward to see that the algorithm has an exponential increase in time for (also exponentially) increasing dimension. Even for same dimension, but with increasing bitsize the running time of fplll increases. Now, we consider the success rates of the first strategy, i.e. the goodness of fplll s solutions. In Table 4 and also in Figure 4 we present the success percentages for Strategy I. From the Table and the Figure we can see that for all bitsizes the success rate decreases for increasing dimension. This is what we expected to find, since the results of the fplllalgorithm for increasing dimension do not find a basis of the lattice containing a vector which is short enough to be used as a correctly working candidate in the scheme. What is surprising is that for dimension 32 and nearly all bitsizes the algorithm has a success rate of 90% or higher, although for preceding dimensions (with the same bitsize) it obtained a lower success rate. The reason for this ascension step is not clear to us and we cannot say whether such steps are likely to occur for larger dimensions and bitsizes. Altogether, in our opinion the success rate will decrease for larger dimensions since the results of the fplll-algorithm will not be sufficiently short. Therefore, we think that Strategy I will absolutely fail for dimensions larger than 2048 for all bitsizes as it already did for some smaller ones of our samples, e.g. dimension 128 with bitsizes 500 upwards. 40

47 5.3 Results avg running time (s) bitsize10 bitsize20 bitsize40 bitsize50 bitsize100 bitsize380 bitsize760 bitsize1000 0,1 0, dimension Figure 3: Average running time of fplll on a subset of samples logarithmically dimension bitsize 2, Table 4: Success Rates for Strategy I (in percent) 41

48 5 ATTACKING THE GENTRY-HALEVI SCHEME percent bitsize10 bitsize20 bitsize40 bitsize50 bitsize100 bitsize380 bitsize760 bitsize dimension Figure 4: Success Rates for Strategy I (Selection) Strategy II (Sublattice Attack) Although the second strategy sounds good in the sense of lowering the running time of LLL because of the decreased attack dimension, unfortunately, in our samples we gained only for one bitsize-dimension-combination an attack dimension k smaller than the lattice dimension n, i.e. for bitsize 10 and dimension n = 512 we obtained k = 448. Therefore, we applied Strategy II solely on the abovementioned six samples. Sadly, the sublattice attack did not gain any advantage over Strategy I because the success rate and the output for the mentioned samples are identical, i.e. Strategy II also fails. We realise that an overall number of 6 testing samples is not enough to affirmatively compare both strategies, but since even the abortion results for all failing samples were identical we conclude that the sublattice attack does not improve the success rate. Further, the idea of lowering the running time of the LLL-algorithm was shown to be wrong since an average running time of seconds (about 11 hours) for Strategy II does not gain benefit. It is even worse than for the application of LLL on the same samples with original dimension 512 which needed on average seconds (about 9 hours), being 2 hours below the sublattice attack. This is a very surprising result. 42

49 5.3 Results Strategy III (BKZ) As stated before, we used the fplll-algorithm at first to obtain an LLL-reduced basis. Then, we applied BKZ to the results of fplll. Our hope was that the BKZ-algorithm would further reduce the LLL-reduced basis to give better results in our third strategy. The fplll-algorithm was used in its natural way, i.e. we applied it to the file containing the Hermite Normal Form of the lattice and let the output be written into another file. Since we provided the input file as the only parameter to fplll, we did not choose any other parameter like precision, method or relaxation, but run fplll with standard values for these. For the BKZ-algorithm we utilised the implementation from the NTL of Shoup [46], and as blocksize we used β = 20. Since we applied it to the output of fplll, we chose the minimum precision needed to accomplish the computation. This means we successfully ran BKZ with precision FP (double) on most of the examples and chose the next possible precision (in the order QP, XD, RR) when the computation failed for a previous one. The running times of BKZ are shown in Table 5. Since the application time of the algorithm for most samples is less than a second, we think that BKZ has neither optimised nor shortened the LLL-reduced basis; but we hope that BKZ has obtained a better solution than LLL on the samples for which it needed more than one second (though we are aware that the input and output of the basis matrix in higher dimensions usually require more time than in lower ones). Furthermore, since we analysed the variances of the average running times, we specifically hope that for huge variances (as for dimension 512 in bitsize 10 and dimension 256 in bitsize 40) BKZ achieves an improvement over LLL. dimension bitsize 2, 4, 8, 16, 32, 64, < < < < <1 100 <1 200 <1 300 <1 380 <1 400 <1 500 <1 760 < <1 Table 5: Average running times of BKZ on the LLL-reduced testing samples (in seconds) 43

50 5 ATTACKING THE GENTRY-HALEVI SCHEME dimension bitsize 2, Table 6: Success Rates for Strategy III (in percent), in bold: advantage over Strategy I A closer look to Table 6 shows: The success rates of Strategy III only differ for two bitsizedimension-combinations (the bold ones), and these are independent of the running time of BKZ; the running time of BKZ is hence no indicator for a successful advantage over LLL. As one can see, an application of BKZ on the LLL-reduced bases does not significantly improve the success rate for the given settings. We believe that the bases output by fplll are nearly BKZ-reduced, at least for the lattices appearing in the scheme of Gentry and Halevi. Therefore, we compared several matrices output by BKZ with the ones produced by LLL to get an impression on the correctness of our assumption: BKZ in most cases changed less than 5% of the vectors in the matrix. It is also surprising that BKZ-20 did not find the shortest vector for all samples of dimension less than or equal to 16, although its blocksize is greater than the lattice dimension and hence a shortest vector in the lattice should be found by it. Why there is no improvement at all over LLL in these small dimensions is unclear to us. Furthermore, we considered to use the sublattice attack in combination with the BKZalgorithm to obtain better results, similar to Strategy II. The reason why we did not adopt this method for the BKZ-setting can be seen easily: As Gama and Nguyen showed in [18], the value for δ in the setting of BKZ-20 is and thus smaller than the value for δ using LLL. This means that the sublattice dimension for BKZ-20 is larger than the one for LLL, and hence we cannot achieve any advantage over Strategy III. As Table 6 already illustrates, we think that the success rate for all strategies will decrease for increasing dimension and bitsize. Although we obtain a fairly good success rate in dimension 64 for many bitsizes, we can see that the success rate in dimension 128 in all bitsizes is less than or equal to 50%. This means that even guessing the correct bit b is a better way than the proposed and analysed strategies. In fact, the short vector 44

51 5.3 Results found by LLL has length of approximately n det(l) 1/n, where n for dimension n 512. This gives a sense for the goodness of the short vector. In addition, we extrapolated the running times of LLL on the testing samples of bitsize 380 using a cubic extrapolation polynomial to give an impression on how long LLL would take to run on the challenges proposed by Gentry and Halevi. The results can be seen in Figures 5, 6 and 7, for different ranges of the dimension. From the Figures we can see that running LLL on the four challenges will take approximately 7 days for the toy challenge of dimension 512, 1.4 years for the small challenge of dimension 2048, 92 years for the medium challenge of dimension 8192, and years for the large challenge of dimension Measurements Extrapolation time (s) dimension Figure 5: Extrapolated Running Times of LLL for Challenges, Small Dimension Range 45

52 5 ATTACKING THE GENTRY-HALEVI SCHEME 5e e+07 4e+07 Measurements Extrapolation 3.5e+07 3e+07 time (s) 2.5e+07 2e e+07 1e+07 5e e dimension Figure 6: Extrapolated Running Times of LLL for Challenges, Medium Dimension Range 2e e e+11 Measurements Extrapolation 1.4e e+11 time (s) 1e+11 8e+10 6e+10 4e+10 2e e dimension Figure 7: Extrapolated Running Times of LLL for Challenges, Large Dimension Range 46

53 Conclusion In this thesis we presented the definitions of (fully) homomorphic encryption and signatures as well as the security definitions involved in this context. We then depicted the actual and most common ways for building a fully homomorphic encryption or signature scheme, basing its security on the previously mentioned security problems. In addition, we presented and discussed literature close or related to the topic of fully homomorphic encryption or signatures. In the practical second part we analysed the fully homomorphic encryption scheme of Gentry and Halevi by concentrating on a key recovery attack and contributed empirical data for it to further understand the security issues in the mentioned context. We saw that the parameters of their scheme were chosen by conservatively estimated boundaries, thus giving a good sense of security concerning the chosen attack strategies. We described the development of the running time for different choices of parameters for the scheme and also demonstrated how intensely the success rate decreases for bigger bitsizes and dimensions. We think that further improvements and optimizations in the fully homomorphic area are both possible and urgently needed, since the size of the public key or the running time of the encryption, decryption and re-encryption methods are each far too long, even for the up until now most efficient scheme of Gentry-Halevi, for high security levels. The following things remain interesting objectives for further work: At first, one could use different strategies (concerning the involved algorithms) to recover the secret key from the public key. The message-recovery is yet cold-shouldered as far as we know, but would be an attractive objective. Since we solely concentrated on the Bounded Distance Decoding Problem, an analysis of the SSSP would be very insightful for a better understanding of the construction of homomorphic schemes relating their security on this particular problem. Furthermore, additional theoretic and practical research regarding the security in the fully homomorphic area are needed: Gu states in [11] that it is possible to extract a small multiple of the secret key which can be used to decrypt arbitrary ciphertext, even for large dimensions of the Gentry-Halevi scheme (bearing a high security level). Since this paper only appeared while this thesis was being finalised, we were not able to retrace the claim and its proof. In summary, we believe that the field of fully homomorphic encryption and, especially, of fully homomorphic signatures will increase and become more important in the future. We therefore conclude that focusing on these topics would be a good idea for further research.

54

55 References [1] Miklós Ajtai. Generating hard instances of lattice problems (extended abstract). In Proceedings of the 28th Annual ACM Symposium on Theory of Computing, STOC 96, pages , New York, NY, USA, ACM. [2] Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worstcase/average-case equivalence. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing, STOC 97, pages , New York, NY, USA, ACM. [3] Mihir Bellare and Adriana Palacio. Towards plaintext-aware public-key encryption without random oracles. In Proceedings of the 10th International Conference on the Theory and Application of Cryptology and Information Security, volume 3329 of Lecture Notes in Computer Science, ASIACRYPT 04, pages 48 62, Berlin, Heidelberg, Springer-Verlag. [4] Josh Benaloh. Dense probabilistic encryption. In Proceedings of the Workshop on Selected Areas of Cryptography, pages , [5] Daniel J. Bernstein, Johannes Buchmann, and Erik Dahmen. Post-Quantum Cryptography. Springer-Verlag, Berlin, Heidelberg, 1st edition, [6] Dan Boneh and David M. Freeman. Homomorphic signatures for polynomial functions. Cryptology eprint Archive, Report 2011/018, org/. [7] Dan Boneh and David M. Freeman. Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, volume 6571 of Lecture Notes in Computer Science, PKC 11, pages 1 16, Berlin, Heidelberg, Springer-Verlag. [8] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. Cryptology eprint Archive, Report 2011/344, http: //eprint.iacr.org/. [9] David Cadé, Xavier Pujol, and Damien Stehlé. fplll: A Floating Point Implementation of the LLL-Algorithm, Version Laboratoire de l Informatique du Parallélisme, École Normale Supérieure de Lyon, Lyon, France, Available at [10] Kai-Min Chung, Yael Kalai, and Salil Vadhan. Improved delegation of computation using fully homomorphic encryption. In Proceedings of the 30th Annual Conference on Advances in Cryptology, volume 6223 of Lecture Notes in Computer Science, CRYPTO 10, pages , Berlin, Heidelberg, Springer-Verlag. 49

56 [11] Gu Chunsheng. Cryptanalysis of the Smart-Vercauteren and Gentry-Halevi s fully homomorphic encryption. Cryptology eprint Archive, Report 2011/328, [12] Gu Chunsheng. Fully homomorphic encryption and ring-lwe over the integers. Cryptology eprint Archive, Report 2011/114, [13] Gu Chunsheng. New fully homomorphic encryption over the integers. Cryptology eprint Archive, Report 2011/118, [14] Gu Chunsheng. Self-loop-based modification of Smart and Vercauteren s fully homomorphic encryption. Cryptology eprint Archive, Report 2011/121, [15] Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers. A secure and optimally efficient multi-authority election scheme. In Proceedings of the 16th Annual International Conference on the Theory and Application of Cryptographic Techniques, volume 1233 of Lecture Notes in Computer Science, EUROCRYPT 97, pages , Berlin, Heidelberg, Springer-Verlag. [16] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, volume 196 of Lecture Notes in Computer Science, CRYPTO 84, pages 10 18, Berlin, Heidelberg, Springer-Verlag. [17] Zvi Galil and Oded Margalit. An almost linear-time algorithm for the dense subsetsum problem. In Javier Albert, Burkhard Monien, and Mario Artalejo, editors, Automata, Languages and Programming, volume 510 of Lecture Notes in Computer Science, pages Springer-Verlag, Berlin, Heidelberg, [18] Nicolas Gama and Phong Q. Nguyen. Predicting lattice reduction. In Proceedings of the 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, volume 4965 of Lecture Notes in Computer Science, EUROCRYPT 08, pages 31 51, Berlin, Heidelberg, Springer-Verlag. [19] Rosario Gennaro, Craig Gentry, and Bryan Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In Proceedings of the 30th Annual Cryptology Conference, volume 6223 of Lecture Notes in Computer Science, CRYPTO 10, pages , Berlin, Heidelberg, Springer-Verlag. [20] Craig Gentry. A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford University, crypto.stanford.edu/craig. [21] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 09, pages , New York, NY, USA,

57 [22] Craig Gentry. Fully homomorphic encryption without bootstrapping. Cryptology eprint Archive, Report 2011/277, [23] Craig Gentry and Shai Halevi. Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. Cryptology eprint Archive, Report 2011/279, [24] Craig Gentry and Shai Halevi. Implementing Gentry s fully-homomorphic encryption scheme. In Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, volume 6632 of Lecture Notes in Computer Science, EUROCRYPT 11, pages , Berlin, Heidelberg, Springer-Verlag. [25] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 08, pages , New York, NY, USA, [26] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Proceedings of the 17th Annual International Cryptology Conference, volume 1294 of Lecture Notes in Computer Science, pages , Berlin, Heidelberg, Springer-Verlag. [27] Shafi Goldwasser and Silvio Micali. Probabilistic encryption & how to play mental poker keeping secret all partial information. In Proceedings of the 14th Annual ACM Symposium on Theory of Computing, STOC 82, pages , New York, NY, USA, ACM. [28] Brett Hemenway and Rafail Ostrovsky. Homomorphic encryption over cyclic groups implies chosen-ciphertext security. Cryptology eprint Archive, Report 2010/099, [29] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based public key cryptosystem. In Proceedings of the Third International Symposium on Algorithmic Number Theory, pages , London, UK, Springer-Verlag. [30] Robert Johnson, David Molnar, Dawn X. Song, and David Wagner. Homomorphic signature schemes. In Proceedings of The Cryptographer s Track at the RSA Conference on Topics in Cryptology, volume 2271 of Lecture Notes in Computer Science, CT-RSA 02, pages , Berlin, Heidelberg, Springer-Verlag. [31] Richard Karp and Vijaya Ramachandran. Parallel Algorithms for Shared-Memory Machines, pages MIT Press, Cambridge, MA, USA, [32] Philip Klein. Finding the closest lattice vector when it s unusually close. In Proceedings of the 11th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 00, pages , Philadelphia, PA, USA, Society for Industrial and Applied Mathematics. 51

58 [33] Brian A. LaMacchia. Basis reduction algorithms and subset sum problems. Technical report, Massachusetts Institute of Technology, Cambridge, MA, USA, [34] Yi-Kai Liu, Vadim Lyubashevsky, and Daniele Micciancio. On bounded distance decoding for general lattices. In Proceedings of the 9th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX 2006, and 10th International Workshop on Randomization and Computation, RANDOM 2006, volume 4110 of Lecture Notes in Computer Science, APPROX 06, RAN- DOM 06, pages , Berlin, Heidelberg, Springer-Verlag. [35] Jacob Loftus, Alexander May, Nigel P. Smart, and Frederik Vercauteren. On CCAsecure fully homomorphic encryption. Cryptology eprint Archive, Report 2010/560, [36] Daniele Micciancio and Shafi Goldwasser. Complexity of Lattice Problems: A Cryptographic Perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts, March [37] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM Journal on Computing, 37: , April [38] Noam Nisan and Avi Wigderson. Lower bounds on arithmetic circuits via partial derivatives. Comput. Complex., 6: , December [39] Naoki Ogura, Go Yamamoto, Tetsutaro Kobayashi, and Shigenori Uchiyama. An improvement of key generation algorithm for Gentry s homomorphic encryption scheme. In Proceedings of the 5th International Workshop on Security, volume 6434 of Lecture Notes in Computer Science, IWSEC 10, pages 70 83, Berlin, Heidelberg, Springer-Verlag. [40] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of the 17th International Conference on the Theory and Application of Cryptographic Techniques, volume 1592 of Lecture Notes in Computer Science, EUROCRYPT 99, pages , Berlin, Heidelberg, Springer- Verlag. [41] Doerte K. Rappe. Homomorphic cryptosystems and their applications. Cryptology eprint Archive, Report 2006/001, [42] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC 05, pages 84 93, New York, NY, USA, ACM. [43] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21: , February

59 [44] Claus-Peter Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, 53: , August [45] Berry Schoenmakers. Internet Technology Fully Auditable Electronic Secret-Ballot Elections, [46] Victor Shoup. NTL: A Library for Doing Number Theory, Version Courant Institute, New York University, New York, NY, Available at net/ntl/. [47] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, PKC 10, pages , Berlin, Heidelberg, Springer-Verlag. [48] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic SIMD operations. Cryptology eprint Archive, Report 2011/133, [49] Damien Stehlé and Ron Steinfeld. Faster fully homomorphic encryption. In Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, volume 6110 of Lecture Notes in Computer Science, EUROCRYPT 10, pages , Berlin, Heidelberg, Springer-Verlag. [50] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In Proceedings of the 16th International Conference on the Theory and Application of Cryptology and Information Security, volume 6477 of Lecture Notes in Computer Science, ASIACRYPT 10, pages 24 43, Berlin, Heidelberg, Springer-Verlag. 53

60

61 A. The Code Here we list the code which was used to gain the results. publicly available at the CDC-webpage 6 soon. The code will also made At first, we list the change in the code of Gentry-Halevi s routine test-recrypt.cc which we made not to get hexadecimal, but decimal output. Listing 1: Changes to Gentry-Halevi s test-recrypt.cc 73 ZZ : : HexOutput = 0 ; // NTL m o d i f i c a t i o n : I /O NOT in hex 74 // ZZ : : HexOutput = 1 ; // NTL m o d i f i c a t i o n : I /O in hexadecimal To simplify the work of others, we give the input format for the parameters of the Gentry- Halevi (GH) scheme to our scripts which is equal to the output of test-recrypt.cc. The brackets [ ] show optional parameters which could be omitted. The parameters in line 1 which here are separated by commas are split by whitespaces in the files. Listing 2: Input format for the parameters of the GH-scheme 1 lambda = s e c u r i t y parameter, mu = BDDP hardness parameter, s = small s e t s i z e, S = big s e t s i z e, p = p r e c i s i o n, t = i n t e g e r s i z e, logn = logarithm o f the dimension, logr = logarithm o f the r a t i o, n o i s e parameter 2 d = determinant 3 r = r o o t o f f ( x ) 4 [ w = s e c r e t key ] 5 x 1 = g e n e r a t o r o f big s e t 1, [ i t s index ] x s = g e n e r a t o r o f big s e t s, [ i t s index ] 8 [ encrypted s e c r e t key b i t s ] Below our own C++ code is listed. Some small notes about it: The routine cmffo.cc extracts the parameters of the Gentry-Halevi scheme, constructs and outputs the Hermite Normal Form basis matrix to a file, such that fplll, sublattice.cc or bkz.cc can use it as input. The script sublattice.cc uses the output of cmffo.cc to extract the sub-matrix and run fplll on this submatrix. The reduced submatrix is output to a file. bkz.cc is our application of NTL s implemented BKZ onto the matrices output by cmffo.cc to obtain the BKZ-reduced basis matrix. The matrix is stored in a file. The routine ca.cc finally does the analysis of the success rate by encrypting a bit using the fhe-code of Gentry-Halevi and trying to decrypt the bit via the decryption equation (not using the fhe-code of the authors). Inside, a matrix is inverted modulo d which actually is the most expensive operation throughout the script

62 Listing 3: cmffo.cc 1 #include <fstream > 2 #include <sstream> 3 #include <c s t r i n g > 4 #include <NTL/ZZ. h> 5 #include <NTL/mat ZZ. h> 6 7 NTL CLIENT 8 9 int main ( int argc, char argv [ ] ) { 10 s t r i n g i n f i l e = input. t x t ; 11 s t r i n g o u t f i l e n a m e = output ; 12 s t r i n g o u t f i l e e x t = t x t ; 13 s t r i n g l i n e ; 14 i f ( argc >1) i n f i l e = argv [ 1 ] ; 15 i f ( argc >2) o u t f i l e n a m e = argv [ 2 ] ; 16 unsigned long lambda ; 17 double mu; 18 unsigned long s ; 19 unsigned long S ; 20 unsigned long p ; 21 unsigned long t ; 22 unsigned long logn ; 23 long dim ; 24 unsigned long logr ; 25 unsigned long n o i s e ; 26 ZZ d ; 27 ZZ r ; 28 ZZ w; // reading in f i l e : 31 char i n f i l e p = new char [ i n f i l e. l e n g t h ( ) +1]; 32 s t r c p y ( i n f i l e p, i n f i l e. c s t r ( ) ) ; 33 i f s t r e a m i f s t ( i n f i l e p ) ; 34 int counter = 1 ; 35 i f ( i f s t. i s o p e n ( ) ) { 36 i f s t >> lambda ; 37 i f s t >> mu; 38 i f s t >> s ; 39 i f s t >> S ; 40 i f s t >> p ; 41 i f s t >> t ; 42 i f s t >> logn ; 43 dim = pow ( 2, logn ) ; 44 i f s t >> logr ; 45 i f s t >> n o i s e ; 46 i f s t >> d ; 47 i f s t >> r ; 48 i f s t >> w; i f s t. c l o s e ( ) ; 51 } else { 52 cout << Unable to open f i l e. << endl ; 56

63 53 return 1 ; 54 } // w r i t i n g matrix : 57 mat ZZ B; 58 B. SetDims ( dim, dim ) ; 59 ZZ r i = to ZZ ( 1) ; // t h e e n t r i e s o f t h e f i r s t column 60 // ( e x c e p t B(1,1) ) 61 B( 1, 1 ) = d ; 62 for ( int i = 2 ; i <= dim ; i ++) { 63 r i = ((( r i ) r ) % d ) ; 64 B( i, 1 ) = r i ; 65 B( i, i ) = 1 ; 66 } // w r i t i n g output : 69 s t r i n g o u t f i l e B s t r = o u t f i l e n a m e ; 70 char o u t f i l e B = new char [ o u t f i l e B s t r. l e n g t h ( ) +1]; 71 s t r c p y ( o u t f i l e B, o u t f i l e B s t r. c s t r ( ) ) ; 72 ofstream ofstb ( o u t f i l e B ) ; 73 ofstb << B << endl ; 74 ofstb. c l o s e ( ) ; return 0 ; 77 } Listing 4: sublattice.cc 1 #include <fstream > 2 #include <sstream> 3 #include <c s t r i n g > 4 #include <NTL/RR. h> 5 #include <NTL/ZZ. h> 6 #include <NTL/ZZ p. h> 7 #include <NTL/mat ZZ. h> 8 #include <NTL/ vec ZZ. h> 9 10 NTL CLIENT int main ( int argc, char argv [ ] ) { 13 s t r i n g ifnprms, o f n s u b l a t ; 14 i f s t r e a m i f s t p r m s ; 15 ofstream o f s t s u b l a t ; 16 RR d e l t a = to RR ( ) ; // d e l t a taken from Gama, Nguyen : P r e d i c t i n g L a t t i c e Reduction, Eurocrypt 08, page 38 ( Table 1) i f ( argc >1) { 19 i f ( help == argv [ 1 ] ) { 20 cout << Usage : << endl ; 21 cout <<. / s u b l a t t i c e INFILE << endl ; 22 } else { 23 ifnprms = argv [ 1 ] ; 24 char ifnprmsp = new char [ ifnprms. l e n g t h ( ) +1]; 25 s t r c p y ( ifnprmsp, ifnprms. c s t r ( ) ) ; 57

64 26 i f s t p r m s. open ( ifnprmsp ) ; o f n s u b l a t = ifnprms + sub HNF ; 29 char o f n s u b l a t p = new char [ o f n s u b l a t. l e n g t h ( ) +1]; 30 s t r c p y ( ofnsublatp, o f n s u b l a t. c s t r ( ) ) ; 31 o f s t s u b l a t. open ( o f n s u b l a t p ) ; 32 } 33 } i f ( i f s t p r m s. i s o p e n ( ) ) { 36 double mu; 37 unsigned long lambda, s, S, p, t, logn, logr, n o i s e ; 38 long dim ; 39 ZZ d, r, skey ; i f s t p r m s >> lambda ; 42 i f s t p r m s >> mu; 43 i f s t p r m s >> s ; 44 i f s t p r m s >> S ; 45 i f s t p r m s >> p ; 46 i f s t p r m s >> t ; 47 i f s t p r m s >> logn ; 48 dim = pow ( 2, logn ) ; 49 i f s t p r m s >> logr ; 50 i f s t p r m s >> n o i s e ; 51 i f s t p r m s >> d ; 52 i f s t p r m s >> r ; 53 i f s t p r m s >> skey ; i f s t p r m s. c l o s e ( ) ; // w r i t i n g matrix : mat ZZ B; 60 RR tmp = to RR ( d ) ; 61 l o g (tmp, tmp) ; 62 RR tmp2 ; 63 l o g ( tmp2, d e l t a ) ; long subdim = t o l o n g ( c e i l ( s q r t (tmp/tmp2 ) ) ) ; 66 cout << subdim : << subdim << endl ; 67 i f ( 0 < subdim && subdim <= dim ) { 68 B. SetDims ( subdim, subdim ) ; 69 ZZ r i = to ZZ ( 1) ; // t h e e n t r i e s o f t h e f i r s t column ( e x c e p t B( 1, 1 ) ) 70 B( 1, 1 ) = d ; 71 for ( int i = 2 ; i <= subdim ; i ++) { 72 r i = ((( r i ) r ) % d ) ; 73 B( i, 1 ) = r i ; 74 B( i, i ) = 1 ; 75 } 76 o f s t s u b l a t << B; 77 o f s t s u b l a t. c l o s e ( ) ; 78 } else { 79 cout << Subdim not s u i t a b l e, abort. << endl ; 58

65 80 o f s t s u b l a t. c l o s e ( ) ; 81 return 1 ; 82 } // running f p l l l : 85 cout << f p l l l running... << endl ; 86 s t r i n g o f n s u b l a t f p l l l = ifnprms + s u b f p l l l ; 87 char o f n s u b l a t f p l l l p = new char [ o f n s u b l a t f p l l l. l e n g t h ( ) +1]; 88 s t r c p y ( o f n s u b l a t f p l l l p, o f n s u b l a t f p l l l. c s t r ( ) ) ; 89 s t r i n g s y s c a l l s t r = f p l l l + o f n s u b l a t + > + o f n s u b l a t f p l l l ; 90 char s y s c a l l s t r p = new char [ s y s c a l l s t r. l e n g t h ( ) +1]; 91 s t r c p y ( s y s c a l l s t r p, s y s c a l l s t r. c s t r ( ) ) ; 92 system ( s y s c a l l s t r p ) ; return 0 ; 95 } Listing 5: bkz.cc 1 #include <fstream > 2 #include <s t r i n g. h> 3 #include <NTL/mat ZZ. h> 4 #include <NTL/LLL. h> 5 6 NTL CLIENT 7 8 int main ( int argc, char argv [ ] ) { 9 s t r i n g i f n, ofn ; 10 int b l o c k s i z e = 2 ; 11 int p r e c i s i o n = 1 ; i f ( argc >1) i f n = argv [ 1 ] ; 14 i f ( argc >2) ofn = argv [ 2 ] ; 15 i f ( argc >3) p r e c i s i o n = a t o i ( argv [ 3 ] ) ; 16 i f ( argc >4) b l o c k s i z e = a t o i ( argv [ 4 ] ) ; char i f n p = new char [ i f n. l e n g t h ( ) +1]; 19 s t r c p y ( ifnp, i f n. c s t r ( ) ) ; 20 char ofnp = new char [ ofn. l e n g t h ( ) +1]; 21 s t r c p y ( ofnp, ofn. c s t r ( ) ) ; i f s t r e a m i f s t ( i f n p ) ; 24 ofstream o f s t ( ofnp ) ; i f ( i f s t. i s o p e n ( ) && o f s t. i s o p e n ( ) ) { 27 mat ZZ B; 28 i f s t >> B; 29 switch ( p r e c i s i o n ) { 30 case 1 : BKZ FP(B, , b l o c k s i z e, 0, 0, 0 ) ; 31 break ; 32 case 2 : BKZ QP(B, , b l o c k s i z e, 0, 0, 0 ) ; 33 break ; 34 case 3 : BKZ XD(B, , b l o c k s i z e, 0, 0, 0 ) ; 35 break ; 59

66 36 case 4 : BKZ RR(B, , b l o c k s i z e, 0, 0, 0 ) ; 37 break ; 38 default : cout << Unknown p r e c i s i o n given, abort. << endl ; 39 } 40 o f s t << B << endl ; 41 i f s t. c l o s e ( ) ; 42 o f s t. c l o s e ( ) ; 43 } 44 return 0 ; 45 } Listing 6: ca.cc 1 #include <fstream > 2 #include <sstream> 3 #include <c s t r i n g > 4 #include <NTL/RR. h> 5 #include <NTL/ZZ. h> 6 #include <NTL/ZZ p. h> 7 #include <NTL/mat ZZ. h> 8 #include <NTL/ vec ZZ. h> 9 10 NTL CLIENT #include f h e. h 13 #include fhe u t i l s. cc 14 #include fhe enc. cc 15 #include fhe dec. cc void r o t a t e ( vec ZZ &w, vec ZZ &v ) { 18 i f (w. l e n g t h ( )!= v. l e n g t h ( ) ) 19 c e r r << r o t a t e : not equal l e n g t h s << endl ; 20 int n = v. l e n g t h ( ) ; 21 int ind ; 22 for ( int i = 1 ; i <= n ; i ++) { 23 ind = i % n + 1 ; 24 w( i%n+1) = v ( i ) ; 25 } 26 w( 1 ) = w( 1 ) ; 27 } int main ( int argc, char argv [ ] ) { 30 i f s t r e a m i f s t p r m s ; 31 i f s t r e a m i f s t m a t ; 32 unsigned int b = new unsigned int [ 1 ] ; 33 s t r i n g ifnprms ; 34 i f ( argc >1) { 35 ifnprms = argv [ 1 ] ; 36 char ifnprmsp = new char [ ifnprms. l e n g t h ( ) +1]; 37 s t r c p y ( ifnprmsp, ifnprms. c s t r ( ) ) ; 38 i f s t p r m s. open ( ifnprmsp ) ; 39 } 40 s t r i n g mode = f ; 41 i f ( argc >2) mode = argv [ 2 ] ; 60

67 42 43 s t r i n g ifnmat ; 44 i f ( f == mode) { 45 ifnmat = ifnprms + f p l l l ; 46 } else i f ( s == mode) { 47 ifnmat = ifnprms + s u b f p l l l ; 48 } else { 49 ifnmat = ifnprms + bkz ; 50 } 51 char ifnmatp = new char [ ifnmat. l e n g t h ( ) +1]; 52 s t r c p y ( ifnmatp, ifnmat. c s t r ( ) ) ; 53 i f s t m a t. open ( ifnmatp ) ; i f ( argc >3) b [ 0 ] = a t o l ( argv [ 3 ] ) ; 56 else b [ 0 ] = 0 ; i f ( i f s t p r m s. i s o p e n ( ) ) { 59 double mu; 60 unsigned long lambda, s, S, p, t, logn, logr, n o i s e ; 61 long dim ; 62 ZZ d, r, skey ; 63 mat ZZ B; i f s t p r m s >> lambda ; 66 i f s t p r m s >> mu; 67 i f s t p r m s >> s ; 68 i f s t p r m s >> S ; 69 i f s t p r m s >> p ; 70 i f s t p r m s >> t ; 71 i f s t p r m s >> logn ; 72 dim = pow ( 2, logn ) ; 73 i f s t p r m s >> logr ; 74 i f s t p r m s >> n o i s e ; 75 i f s t p r m s >> d ; 76 i f s t p r m s >> r ; 77 i f s t p r m s >> skey ; i f s t p r m s. c l o s e ( ) ; // i n i t i a l i z a t i o n o f somewhat scheme : 82 vec ZZ cvec ; // c i p h e r t e x t v e c t o r 83 cvec. SetLength ( dim ) ; 84 FHEkeys keys ( lambda, t, logn ) ; 85 keys. setdet ( d ) ; 86 keys. setroot ( r ) ; 87 keys. setskey ( skey ) ; // e n c r y p t i n g t h e b i t : 90 cout << b : << b [ 0 ] << endl ; 91 keys. encrypt ( cvec, b, 1) ; 92 ZZ tmp = cvec ( 1 ) ; 93 cvec. SetLength ( dim ) ; 94 cvec ( 1 ) = tmp ; 95 61

68 96 i f ( i f s t m a t. i s o p e n ( ) ) { i f s t m a t >> B; 99 long dimb = B. NumRows( ) ; 100 i f (dimb < dim ) { 101 mat ZZ C; 102 C. SetDims ( dim, dim ) ; 103 for ( int i = 1 ; i <= dimb ; i ++) { 104 for ( int j = 1 ; j <= dimb ; j ++) { 105 C( i, j ) = B( i, j ) ; 106 } 107 } 108 B = C; 109 } i f s t m a t. c l o s e ( ) ; vec ZZ v = B( 1 ) ; // use f i r s t row as ( s e c r e t ) v e c t o r v mat ZZ V; 116 V. SetDims ( dim, dim ) ; 117 V( 1 ) = v ; 118 for ( int i = 2 ; i <= dim ; i ++) { 119 r o t a t e (V( i ),V( i 1) ) ; 120 } mat ZZ W; 123 W. SetDims ( dim, dim ) ; 124 inv (d,w,v, 1 ) ; i f (V W!= d ident mat ZZ ( dim ) ) 127 cout << W not t r u e i n v e r s e o f V mod d. << endl ; vec ZZ wvec = W( 1 ) ; // f i r s t row o f W i s w 130 // s h o u l d s a t i s f y v ( x ) w( x ) = d mod x ˆ{2ˆdim} ZZ w; // t h e e x t r a c t e d s e c r e t key 132 for ( int i = 1 ; i <= dim ; i ++) { 133 i f ( wvec ( i ) % 2 == 1) { 134 w = wvec ( i ) ; 135 i f (w < 0) w = w; 136 break ; 137 } 138 } i f (w == 0) { 141 cout << No odd w found. Abort. << e n d l ; 142 return 1 ; 143 } // d e c r y p t t h e c i p h e r t e x t : 146 ZZ c = cvec ( 1 ) ; 147 ZZ tmpb = ( c w)%d ; 148 i f (tmpb >= d /2) tmpb = d ; 149 long bdec = tmpb%2; 62

69 150 cout << bdec : << bdec << endl ; 151 } 152 } return 0 ; 155 } 63