FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J...
-
Upload
jenna-daley -
Category
Documents
-
view
218 -
download
0
Transcript of FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J...
![Page 1: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/1.jpg)
FULLY HOMOMORPHIC ENCRYPTION
from the Integers
Marten van Dijk(RSA labs)
Craig Gentry(IBM T J Watson)
Shai Halevi(IBM T J Watson)
Vinod Vaikuntanathan(IBM T J Watson)
![Page 2: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/2.jpg)
Computing on Encrypted Data
Client Server/Cloud(Input: x) (Program: P)
“I want to delegate the computation to the cloud”“I want to delegate the computation to the cloud,
but the cloud shouldn’t see my input”
Enc[P(x)]
Enc(x) P
(An Example)
![Page 3: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/3.jpg)
Enc[P(x)]
Enc(x)
P
Definition: [KeyGen, Enc, Dec, Eval](as in regular encryption)
Compactness: Size of Eval’ed ciphertext independent of P
Fully HomomorphicEncryption (FHE) =
Security: Semantic Security [GM’82]
Definition: [KeyGen, Enc, Dec]
Eval
![Page 4: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/4.jpg)
– BGN’05 & GHV’10a: quadratic formulas
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
► Limited Variants:
– GM & Paillier: additively homomorphic
– RSA & El Gamal: multiplicatively homomorphic
– their motivation: searching encrypted data
► NON-COMPACT homomorphic encryption
[CCKM00, SYY99, IP07,MGH08,GHV10b,…]
![Page 5: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/5.jpg)
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– using just integer addition and multiplication
– their motivation: searching encrypted data
► Is there an elementary Construction of FHE?
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryption
using algebraic number theory / “ideal lattices”
– easier to understand, implement and improve
No ideal lattices
![Page 6: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/6.jpg)
OUR RESULT
Theorem [DGHV’10]: We have a fully homomorphic public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem & the sparse subset sum problem.
![Page 7: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/7.jpg)
Construction
![Page 8: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/8.jpg)
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
2. Public-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
3. Public-key FULLY Homomorphic Encryption(under approx GCD + sparse subset sum)
(a simple transformation)
(borrows from Gentry’s techniques)
![Page 9: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/9.jpg)
Secret-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p+2·r+b
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
(q ~ n5 bits)
(r ~ n bits)
“noise”
(sec. param = n)
![Page 10: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/10.jpg)
Secret-key Homomorphic Encryption
How to Add and Multiply Encrypted Bits:
– Add/Mult two near-multiples of p gives a near-multiple of p.
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
LSB = b1 XOR b2
LSB = b1 AND b2
![Page 11: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/11.jpg)
Two Issues
Ciphertext grows with each operation
Noise grows with each operation
→ Useless for many applications (cloud computing, searching encrypted e-mail)
– Consider c = qp+2r+b ← Enc(b)
(q-1)p qp (q+1)p (q+2)p
2r+b
– c (mod p) = r’ ≠ 2r+b
r’
![Page 12: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/12.jpg)
Two Issues
Ciphertext grows with each operation
→ Useless for many applications (cloud computing, searching encrypted e-mail)
→ After some operations, the ciphertext becomes “undecryptable”
Noise grows with each operation
![Page 13: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/13.jpg)
Solving the Two Issues
Ciphertext grows with each operation
– Publish x0 = q0p (*)
– Take ciphertext (mod x0) after each op (Add/Mult)
(*) More complex way using x0 = a near-multiple of p
![Page 14: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/14.jpg)
Solving the Two Issues
Ciphertext grows with each operation
– Publish x0 = q0p
– Take ciphertext (mod x0) after each op (Add/Mult)
Ciphertext stays less than x0 always
The encrypted bit remains same
Noise does not increase at all
![Page 15: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/15.jpg)
Solving the Two Issues
Ciphertext grows with each operation
Can perform “limited” number of hom. operations
(“Somewhat Homomorphic” Encryption)
– Somewhat → Fully: (A variant of) Squashing + Bootstrapping [G’09]
Noise grows with each operation
– Publish x0 = q0p
– Take ciphertext (mod x0) after each op (Add/Mult)*
![Page 16: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/16.jpg)
Security(of the secret-key “somewhat” homomorphic scheme)
![Page 17: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/17.jpg)
The Approximate GCD Assumption
q0p
p?
p
q0 ← [0…Q]
odd p ← [0…P]
(q0p,q1p+r1,…, qtp+rt)
Assumption: no PPT adversary can guess the number p
Parameters of the Problem: Three numbers P,Q and R
q ← [0…Q]r ← [-R…R]
q1p+r1
(name coined by Howgrave-Graham)
![Page 18: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/18.jpg)
p?
p
Assumption: no PPT adversary can guess the number p
Semantic Security: no PPT adversary can guess the bit b
(q0p,q1p+2r1+b,…,qkp+2rk+b)
=(proof of security)
(q0p,q1p+r1,…, qtp+rt)
![Page 19: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/19.jpg)
A “Taste” of the Security Proof
Encryption breaker
Adv
Alsb(q)
q0p,{qip+ri}p
c=qp+r
Claim: On every c=qp+r, A predicts lsb(q) correctly w.p. 1-1/poly
“Proof”: Lots of details (Worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.)
Approx GCD solver
Adv
Bq
p
c=qp+r
q0p,{qip+ri}
![Page 20: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/20.jpg)
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
Adv
Alsb(q)
q0p,{qip+ri}p
c=qp+r Adv
Bq
p
c=qp+r
q0p,{qip+ri}
First Try:
![Page 21: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/21.jpg)
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2
(+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’
W.h.p. gcd(q1,q2)=1
– If lsb(q) = 1, c ← [(c-z’)/2] (new-c = (q-1)/2*p+[(r-r’)/2])
– Learn q bit by bit
![Page 22: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/22.jpg)
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2
(+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’
Observation: the Binary GCD algo. is “noise-tolerant”, given lsb oracle.(similar to the RSA hardcore bit proof of [ACGS’88])
![Page 23: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/23.jpg)
– Lagarias’ algorithm
Studied by [HG01]; also [Lag82,Cop97,NS01](equivalent to “simultaneous Diophantine approximation”)
Lattice-based Attacks
– Coppersmith’s algo. for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
All run out of steam when log Q > (log P)2
(our setting of parameters: log Q = n5, log P = n2)
How Hard is Approximate GCD?
![Page 24: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/24.jpg)
Future Directions
Efficient fully homomorphic encryption(Currently: n5 size ciphertexts; n10 running-time blowup)
Security of the approx GCD assumption(e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?)
Some recent improvements [SV’10,SS’10]
![Page 25: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/25.jpg)
Questions?
![Page 26: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/26.jpg)
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
= t+1 random encryptions of 0
Δ
![Page 27: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/27.jpg)
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
![Page 28: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/28.jpg)
Parameter Regimes
R
log
Q/(
log
P)2
(very rough diagram)
min=0 max=P
![Page 29: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/29.jpg)
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
– t+1 encryptions of 0
– W.l.o.g., x0 = q0p+2r0 is the largest
Δ
![Page 30: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/30.jpg)
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
c = p[ ] + 2[ ] + b (mod x0) Si
iq
Siirrc = p[ ] + 2[ ] + b – kx0 (for a small k)
Siiq
Siirr
= p[ ] + 2[ ] + b 0kqqSi
i
0krrrSii
(mult. of p) + (“small” even noise) + b
![Page 31: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/31.jpg)
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much(*)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult
![Page 32: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/32.jpg)
A Roadmap
Secret-key “Somewhat” Homomorphic Encryption
Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
![Page 33: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/33.jpg)
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if:
f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt
Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
Say, noise in Enc(xi) < 2n
2/22/22nnd pm or nd ~
![Page 34: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/34.jpg)
“Somewhat” HE“Bootstrappable”
From “Somewhat” to “Fully”
FHE = Can eval all fns.
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
Augmented Decryption ckt.
Dec Dec
NAND
c1 sk skc2
![Page 35: FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.](https://reader033.fdocuments.in/reader033/viewer/2022061305/5513fa47550346e2488b45bc/html5/thumbnails/35.jpg)
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
Complexity of the (aug.) Decryption Circuit
(?)
Can be made bootstrappable– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”
(polynomials of degree < n)
(degree ~ n1.73 polynomial)