Advances in Cryptology – CRYPTO 2013

Volume 8042 of the series Lecture Notes in Computer Science pp 111-128

Limits of Provable Security for Homomorphic Encryption

  • Andrej Bogdanov (Dept. of Computer Science and Engineering and Institute for Theoretical Computer Science and Communications, Chinese University of Hong Kong)
  • Chin Ho Lee (Dept. of Computer Science and Engineering, Chinese University of Hong Kong)


We show that public-key bit encryption schemes which support weak (i.e., compact) homomorphic evaluation of any sufficiently “sensitive” collection of functions cannot be proved message indistinguishable beyond AM ∩ coAM via general (adaptive) reductions, and beyond statistical zero-knowledge via reductions of constant query complexity. Examples of sensitive collections include parities, majorities, and the class consisting of all AND and OR functions.

We also give a method for converting a strong (i.e., distribution-preserving) homomorphic evaluator for essentially any boolean function (except the trivial ones, the NOT function, and the AND and OR functions) into a rerandomization algorithm: This is a procedure that converts a ciphertext into another ciphertext which is statistically close to being independent and identically distributed with the original one. Our transformation preserves negligible statistical error.