Limits of Provable Security for Homomorphic Encryption

  • Andrej Bogdanov
  • Chin Ho Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)


We show that public-key bit encryption schemes which support weak (i.e., compact) homomorphic evaluation of any sufficiently “sensitive” collection of functions cannot be proved message indistinguishable beyond AM ∩ coAM via general (adaptive) reductions, and beyond statistical zero-knowledge via reductions of constant query complexity. Examples of sensitive collections include parities, majorities, and the class consisting of all AND and OR functions.

We also give a method for converting a strong (i.e., distribution-preserving) homomorphic evaluator for essentially any boolean function (except the trivial ones, the NOT function, and the AND and OR functions) into a rerandomization algorithm: This is a procedure that converts a ciphertext into another ciphertext which is statistically close to being independent and identically distributed with the original one. Our transformation preserves negligible statistical error.



Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Andrej Bogdanov (1)
  • Chin Ho Lee (2)
  1. Dept. of Computer Science and Engineering and Institute for Theoretical Computer Science and Communications, Chinese University of Hong Kong, China
  2. Dept. of Computer Science and Engineering, Chinese University of Hong Kong, China
