Multiidentity and Multikey Leveled FHE from Learning with Errors
 58 Citations
 2.6k Downloads
Abstract
Gentry, Sahai and Waters recently presented the first (leveled) identitybased fully homomorphic (IBFHE) encryption scheme (CRYPTO 2013). Their scheme however only works in the singleidentity setting; that is, homomorphic evaluation can only be performed on ciphertexts created with the same identity. In this work, we extend their results to the multiidentity setting and obtain a multiidentity IBFHE scheme that is selectively secure in the random oracle model under the hardness of Learning with Errors (LWE). We also obtain a multikey fullyhomomorphic encryption (FHE) scheme that is secure under LWE in the standard model. This is the first multikey FHE based on a wellestablished assumption such as standard LWE. The multikey FHE of LópezAlt, Tromer and Vaikuntanathan (STOC 2012) relied on a nonstandard assumption, referred to as the Decisional Small Polynomial Ratio assumption.
1 Introduction
Fully homomorphic encryption (FHE) is a cryptographic primitive that facilitates arbitrary computation on encrypted data. Since Gentry’s breakthrough realization of FHE in 2009 [1], many improved variants have appeared in the literature [2, 3, 4, 5, 6].
A leveled FHE scheme allows an evaluator to evaluate a circuit of limited depth L. The parameter L must be specified in advance when generating the public parameters of the scheme, whose size may depend on L. Furthermore, a leveled homomorphic scheme allows L to be polynomial in the security parameter. A “pure” fully homomorphic encryption scheme allows circuits of unlimited depth to be evaluated. However, for many applications in practice, a leveled scheme is adequate.
IdentityBased Encryption (IBE) is centered around the notion that a user’s public key can be efficiently derived from an identity string and systemwide public parameters / master public key. The public parameters are chosen by a trusted authority (TA) along with a secret trapdoor (master secret key), which is used to extract secret keys for user identities. The first secure IBE schemes were presented in 2001 by Boneh and Franklin [7] (based on bilinear pairings), and Cocks [8] (based on the quadratic residuosity problem).
At Crypto 2013, Gentry, Sahai and Waters presented the first (leveled) identitybased fully homomorphic encryption (IBFHE) scheme [6]. Their scheme is secure under the hardness of the Learning with Errors (LWE) problem, a problem introduced by Regev [9] that has received considerable attention in cryptography due to a known worstcase reduction to a hard lattice problem.
Gentry, Sahai and Waters described a compiler [6], which we call the GSW compiler, to transform an LWEbased IBE satisfying certain properties into a leveled IBFHE. They showed that all known LWEbased IBE schemes are compatible with their compiler. However, the GSW compiler only works in the singleidentity setting. In other words, the resulting IBFHE can only evaluate on ciphertexts created with the same identity. Recently, a multiidentity IBFHE was described in [10], but that construction relies heavily on indistinguishability obfuscation [11], and is therefore highly inefficient at the present time. Furthermore, security cannot be based on a wellestablished computational problem. Our construction does not require indistinguishability obfuscation and is the first multiidentity IBFHE, to the best of our knowledge, whose security can be based on wellestablished problem.
Remark 1
Like [6], we omit the qualifier “leveled” for the rest of this paper since we focus only on leveled (IB)FHE in this work.
Note that our multiidentity and multikey leveled IBFHE are 1hop homomorphic insofar as after evaluation is complete, no further homomorphic evaluation can be carried out.
1.1 Multiidentity Setting
Consider the following simplified scenario. Alice and Bob work in an organization C that avails of a semitrusted cloud server E. Let a and b denote the identity strings of Alice and Bob respectively. Their organization C serves as a trusted authority and issues them secret keys for their respective identity strings. Public users can send confidential data to Alice and Bob by encrypting it with their identity string and the master public key (public parameters) published by C. Suppose this encrypted data is sent by external users to the cloud server E. Furthermore, suppose some entity would like to perform some computation on E using encrypted data intended for Alice and encrypted data intended for Bob. The result should only be decryptable (assuming C is honest) by a collaborative effort made by Alice and Bob; they can run a multiparty computation protocol to collaboratively decrypt the result without leaking their secret keys to each other.
Let \(c_a\) and \(c_b\) be ciphertexts created with identities a and b respectively. The goal is to allow computation on \(c_a\) and \(c_b\) together. Assuming this could be achieved, let \(c^\prime \) denote the ciphertext that encrypts the result of the computation. Intuitively, we expect the size of \(c^\prime \) to depend on the number of distinct identities (2 in our example above i.e. a and b) because information about each identity must be “encoded” in \(c^\prime \). But like the singleidentity setting, the size of \(c^\prime \) should be independent of the size of the circuit evaluated. Of course we can naturally extend this notion to ciphertexts created under k distinct identities.
In the syntax of multiidentity IBFHE, a parameter Open image in new window representing the number of distinct identities tolerated in an evaluation is specified in advance of generating the public parameters. Like the parameter L (the circuit depth supported), the size of the public parameters may depend on Open image in new window . A multiidentity and multiattribute IBFHE and ABFHE that rely on indistinguishability obfuscation were described in [12].
Disjunctive Policies. There is another way of viewing multiidentity IBFHE, which might be more useful in some settings. It was mentioned in [13]^{1} that access policies consisting of disjunctions can be achieved with IBE. In this case, to issue a secret key for a policy \(\hat{f}(X) \triangleq X =\) “MATH” OR \(X = \) “CS”, the TA issues a secret key for identity string “MATH” and a secret key for identity string “CS”. In this case, we view the “identities” as attributes.
Suppose the TA issues a secret key \(\mathsf {SK}_{\hat{f}} = \{\mathsf {sk}_{\text {``MATH''}}, \mathsf {sk}_{\text {``CS''}}\}\) for \(\hat{f}\) to a professor working in both the Mathematics and Computer Science departments in a university; this secret key comprises an IBE secret key for identity string “MATH” and an IBE secret key for identity string “CS”. The professor can decrypt the result of computation performed on ciphertexts with both attributes. This matches our intuition because her policy \(\hat{f}\) permits her access to both attributes.
1.2 Our Results
Multiidentity IBFHE. Our central result in this paper is informally summarized in the following theorem statement. The theorem is formally stated and proven later in Appendix A.1.
Theorem 1
(Informal). There exists a multiidentity IBFHE scheme that is selectively secure under the Learning With Errors problem in the random oracle model.
Multikey FHE. Our compiler for multiidentity IBFHE also works in the publickey setting. As a result, we can obtain a multikey FHE [14] from LWE in the standard model. In fact, multiidentity IBFHE can be seen as an identitybased analog to multikey FHE. The syntax of multikey FHE from [14] entails a parameter M, which specifies the maximum number of independent keys tolerated in an evaluation. The size of the parameters and ciphertexts are allowed to depend polynomially on M. Note that M is fixed and specified in advance of generating the scheme’s parameters. To the best of our knowledge, our multikey FHE scheme is the first such scheme (for a nonconstant number of keys) that is based on a wellestablished problem such as LWE; the construction from [14] relies on a nonstandard computational assumption referred to therein as the Decisional Small Polynomial Ratio (DSPR) assumption. Our scheme positively answers the question raised in [14] as to whether other multikey FHE schemes exist supporting polynomiallysized M.
1.3 Our Approach: Intuition
We now give an informal sketch of our approach to achieving multiidentity IBFHE. This section is intended to provide an intuition and many of the details are deferred to later in the paper. We remind the reader that a matrix \(\mathbf {M}\) is denoted by an uppercase symbol written in boldface, and a vector \(\varvec{v}\) is denoted by a lowercase symbol written in boldface. The ith element of \(\varvec{v}\) is denoted by \(v_i\). The inner product of two vectors \(\varvec{a}, \varvec{b} \in \mathbb {Z}_q^n\) for some dimension n is written as \(\langle a, b \rangle \).
GSW SingleIdentity IBFHE. We start by briefly discussing the homomorphic properties of the GSW IBFHE schemes from [6]. This discussion applies to any IBFHE constructed with their compiler. A ciphertext in their scheme is an \(N \times N\) matrix \(\mathbf {C}\) over \(\mathbb {Z}_q\) whose entries are “small” with respect to q. Note that N is a parameter that will be discussed later. A secret key for an identity \(\mathsf {id}\) is an Ndimensional vector \(\varvec{v_{\mathsf {id}}} \in \mathbb {Z}_q^{N}\) with at least one “large” coefficient; let this coefficient (say the ith one) be \(v_{\mathsf {id}, i} \in \mathbb {Z}_q\). The scheme can encrypt “small” messages \(\mu \); an example to keep in mind is a message in \(\{0, 1\}\). We say the matrix \(\mathbf {C}\)encrypts\(\mu \) under identity \(\mathsf {id}\) if \(\mathbf {C} \cdot \varvec{v_{\mathsf {id}}} = \mu \cdot \varvec{v_{\mathsf {id}}} + \varvec{e} \in \mathbb {Z}_q^N\) where \(\varvec{e}\) is a “small” noise vector (i.e. roughly speaking, each of its coefficients is much less than q). As such, \(\varvec{v_{\mathsf {id}}}\) is an approximate eigenvector for the matrix \(\mathbf {C}\) with eigenvalue \(\mu \).
\({{\underline{\mathrm{Homomorphic\,Operations}}}}\)
Let \(\varvec{v} \in \mathbb {Z}_q^{2N}\) be the vertical concatenation of the two vectors \(\varvec{v_1}\) and \(\varvec{v_2}\). We could exploit the homomorphic properties described above to obtain \(\mathbf {\hat{C^\prime }}\) if we could somehow transform \(\mathbf {C_1}\) and \(\mathbf {C_2}\) into \(2N \times 2N\) matrices \( \mathbf {\hat{C_1}}\) and \(\mathbf {\hat{C_2}}\) respectively such that \(\mathbf {\hat{C_j}} \cdot \varvec{v} = \mu _j \cdot \varvec{v} + \text {``small''}\) for \(j \in \{1, 2\}\). Technically this transformation turns out to be difficult; we show how to abstractly accomplish it in Sect. 3 and concretely in Sect. 4.
2 Preliminaries
2.1 Notation
A quantity is said to be negligible with respect to some parameter \(\lambda \), written \(\mathsf {negl}(\lambda )\), if it is asymptotically bounded from above by the reciprocal of all polynomials in \(\lambda \). We use the notation [k] for an integer k to denote the set \(\{1, \ldots , k\}\).
Distributions. For a probability distribution \(\mathcal {D}\), we denote by \(x \xleftarrow {\$}\mathcal {D}\) the fact that x is sampled according to \(\mathcal {D}\). We overload the notation for a set S i.e. \(y \xleftarrow {\$}S\) denotes that y is sampled uniformly from S. Let \(\mathcal {D}_0\) and \(\mathcal {D}_1\) be distributions. We denote by \(\mathcal {D}_0 \underset{C}{\approx }\mathcal {D}_1\) and the \(\mathcal {D}_0 \underset{S}{\approx }\mathcal {D}_1\) the facts that \(\mathcal {D}_0\) and \(\mathcal {D}_1\) are computationally indistinguishable and statistically indistinguishable respectively.
Definition 1
Matrices and Vectors. A matrix \(\mathbf {M}\) is denoted by an uppercase symbol written in boldface, and a vector \(\varvec{v}\) is denoted by a lowercase symbol written in boldface. The ith element of \(\varvec{v}\) is denoted by \(v_i\). The inner product of two vectors \(\varvec{a}, \varvec{b} \in \mathbb {Z}_q^n\) for some dimension n is written as \(\langle a, b \rangle \).
2.2 Multiidentity IBFHE
Definition 2

On input (in unary) a security parameter \(\lambda \), a number of levels L (circuit depth to support) and the number of distinct identities Open image in new window that can be tolerated in an evaluation, generate public parameters \(\mathsf {PP}\) and a master secret key \(\mathsf {MSK}\). Output \((\mathsf {PP}, \mathsf {MSK})\).

\(\mathsf {KeyGen}(\mathsf {MSK}, \mathsf {id})\):
On input master secret key \(\mathsf {MSK}\) and an identity \(\mathsf {id}\): derive and output a secret key \(\mathsf {sk}_{\mathsf {id}}\) for identity \(\mathsf {id}\).

\(\mathsf {Encrypt}(\mathsf {PP}, \mathsf {id}, m)\):
On input public parameters \(\mathsf {PP}\), an identity \(\mathsf {id}\), and a message \(m \in \mathcal {M}\), output a ciphertext \(c \in \mathcal {C}\) that encrypts m under identity \(\mathsf {id}\).

On input Open image in new window secret keys Open image in new window for (resp.) identities Open image in new window and a ciphertext \(c \in \mathcal {C}\), output \(m^\prime \in \mathcal {M}\) if c is a valid encryption under identities Open image in new window ; output a failure symbol \(\bot \) otherwise.

\(\mathsf {Eval}(\mathsf {PP}, C, c_1, \ldots , c_\ell )\): On input public parameters \(\mathsf {PP}\), a circuit \(C \in \mathbb {C}\) and ciphertexts \(c_1, \ldots , c_\ell \in \mathcal {C}\), output an evaluated ciphertext\(c^\prime \in \mathcal {C}\).
 Over all choices of \((\mathsf {PP}, \mathsf {MSK}) \leftarrow \mathsf {Setup}(1^\lambda )\), Open image in new window , Open image in new window , \(C: \mathcal {M}^\ell \rightarrow \mathcal {M}\in \{C \in \mathbb {C}: \mathsf {depth}(C) \le L\}\), Open image in new window , \(\mu _1, \ldots , \mu _\ell \in \mathcal {M}\), \(c_i \leftarrow \mathsf {Encrypt}(\mathsf {PP}, \mathsf {id}_{j_i}, \mu _i)\) for \(i \in [\ell ]\), and \(c^\prime \leftarrow \mathsf {Eval}(\mathsf {PP}, C, c_1, \ldots , c_\ell )\):where Open image in new window is the number of distinct identities; that is, Open image in new window .
 Correctness(2.1)
 Compactness(2.2)

The size of evaluated ciphertexts in our construction grows with Open image in new window .
The security definition for multiidentity IBFHE is the same as that for singleidentity IBFHE. In this work, we focus on Open image in new window security whose definition remains the same for the multiidentity setting.
2.3 Learning with Errors
The Learning with Errors (LWE) problem was introduced by Regev [9]. The goal of the computational form of the LWE problem is to determine an ndimensional secret vector \(\varvec{s} \in \mathbb {Z}_q^n\) given a polynomial number of samples \((\varvec{a_i}, b_i) \in \mathbb {Z}_q^{n + 1}\) where \(\varvec{a_i}\) is uniform over \(\mathbb {Z}_q^n\) and \(b_i \leftarrow \langle \varvec{a_i}, \varvec{s} \rangle + e_i \in \mathbb {Z}_q\) is the inner product of \(\varvec{a_i}\) and \(\varvec{s_i}\) perturbed by a small error\(e_i \in \mathbb {Z}\) that is sampled from a distribution \(\chi \) over \(\mathbb {Z}\). We call the distribution \(\chi \) an error distribution (or noise distribution). The decision variant of the problem is to distinguish such samples \((\varvec{a_i}, b_i) \in \mathbb {Z}_q^{n + 1}\) from uniform vectors over \(\mathbb {Z}_q^{n + 1}\). The decisional variant is more commonly used in cryptography, and is most relevant to our own work. As a result, without further qualification, when we refer to LWE throughout this thesis we are referring to the decisional variant.
Definition 3

Distribution 0: The ith sample \((\varvec{a_i}, b_i) \in \mathbb {Z}_q^{n + 1}\) is computed by uniformly sampling \(\varvec{a_i} \xleftarrow {\$}\mathbb {Z}_q^n\) and \(b_i \xleftarrow {\$}\mathbb {Z}_q\).

Distribution 1: Generate uniform vector \(\varvec{s} \xleftarrow {\$}\mathbb {Z}_q^{n}\). The ith sample \((\varvec{a_i}, b_i) \in \mathbb {Z}_q^{n + 1}\) is computed by uniformly sampling \(\varvec{a_i} \xleftarrow {\$}\mathbb {Z}_q^{n}\), sampling an error value \(e_i \xleftarrow {\$}\chi \) and computing \(b_i \leftarrow \langle \varvec{a_i}, \varvec{s} \rangle + e_i\).
Definition 4
Definition 5
(GapSVP\(_{\varvec{\gamma }}\)). Let n be a lattice dimension, and let d be a real number. Then \(\text {GapSVP}_{\gamma }\) is the problem of deciding whether an ndimensional lattice has a nonzero vector shorter than d (an algorithm should accept in this case) or no nonzero vector shorter than \(\gamma (n) \cdot d\) (an algorithm should reject in this case); an algorithm is allowed to error otherwise.
Theorem 2

There is an efficient quantum algorithm that solves \(\text {GapSVP}_{\tilde{O}(nq/B)}\) on any ndimensional lattice.

If \(q \!>\! \tilde{O}(2^{n/2})\), then there is an efficient classical algorithm for \(\text {GapSVP}_{\tilde{O}(nq/B)}\) on any ndimensional lattice.
2.4 GSW Approximate Eigenvector Cryptosystem
Recall our brief overview of the GSW IBFHE construction earlier from Sect. 1.3. The following exposition describes this construction in more detail. Note that the publickey GSW scheme is similar to the identitybased variant. As such, to simplify the notation, the following discussion deals with the publickey setting, but the ideas apply to both.
Definition 6
(Sect. 1.3.2 from [6]).Bboundedness: Let \(B < q\) be an integer. Let \(\mathbf {C}\) be a ciphertext matrix that encrypts \(\mu \). Let \(\varvec{v}\) be a secret key vector such that \(\mathbf {C} \cdot \varvec{v} = \mu \cdot \varvec{v} + \varvec{e}\). Then \(\mathbf {C}\) is said to be Bbounded (with respect to \(\varvec{v}\)) if the magnitude of \(\mu \) is at most B, the magnitude of all the entries of \(\mathbf {C}\) is at most B, and \(\Vert \varvec{e}\Vert _{\infty } \le B\).
Let \(\mathbf {C_1}\) and \(\mathbf {C_2}\) be two Bbounded ciphertext matrices. Then \(\mathbf {C^{+}} = \mathbf {C_1} + \mathbf {C_2}\) is 2Bbounded. Furthermore, \(\mathbf {C^{\times }} = \mathbf {C_1} \cdot \mathbf {C_2}\) is \((N + 1)^{B^2}\)bounded. As the authors of [6] point out, the error grows worse than \(B^{2^L}\), where L is the multiplicative depth of a circuit being evaluated. The modulus q can be chosen to exceed this bound, but we must be careful to ensure that the ratio q/B is at most subexponential in N to guarantee security (see Theorem 2). Hence, only circuits of logarithmic multiplicative depth can be evaluated. This gives us a somewhathomomorphic scheme.
To evaluate deeper circuits, namely those with polynomial multiplicative depth, we must keep the entries of the ciphertext matrices “small”. To achieve this, Gentry, Sahai and Waters propose a technique called flattening. Consider the following definition.
Definition 7
(Sect. 1.3.3 from [6]).Bstrongboundedness: Let \(B < q\) be an integer. Let \(\mathbf {C}\) be a ciphertext matrix that encrypts \(\mu \). Let \(\varvec{v}\) be a secret key vector such that \(\mathbf {C} \cdot \varvec{v} = \mu \cdot \varvec{v} + \varvec{e}\). Then \(\mathbf {C}\) is said to be Bstronglybounded (with respect to \(\varvec{v}\)) if the magnitude of \(\mu \) is at most 1, the magnitude of all the entries of \(\mathbf {C}\) is at most 1, and \(\Vert \varvec{e}\Vert _{\infty } \le B\).
Basic Operations. Let \(\ell _q = \lfloor \lg {q} \rfloor + 1\). Let \(\varvec{v} \in \mathbb {Z}_q^{m^\prime }\) be a vector of some dimension \(m^\prime \) over \(\mathbb {Z}_q\). Let \(N = m^\prime \cdot \ell _q\).

\({\mathbf {\mathsf{{BitDecomp}}}}(\varvec{v})\): We define an algorithm \(\mathsf {BitDecomp}\) that takes as input a vector \(\varvec{v} \in \mathbb {Z}_q^{m^\prime }\) and outputs an Ndimensional vector \((v_{1, 0}, \ldots , v_{1, \ell _q  1}, \ldots , v_{k, 0}, \ldots , v_{k, \ell _q  1})\) where \(v_{i, j}\) is the jth bit in \(v_i\)’s binary representation (ordered from least significant to most significant).

\({{\mathbf {\mathsf{{BitDecomp}}}}^{1}}(\varvec{v^\prime })\): We define an “inverse” algorithm \({\mathsf {BitDecomp}^{1}}\) that takes an Ndimensional vector \(\varvec{v^\prime } = (v^\prime _{1, 0}, \ldots , v^\prime _{1, \ell _q  1}, \ldots , v^\prime _{k, 0}, \ldots , v^\prime _{k, \ell _q  1})\), and outputs a \(m^\prime \)dimensional vector \((\sum _{j = 0}^{\ell _q  1} 2^j \cdot v^\prime _{1, j}, \ldots , \sum _{j = 0}^{\ell _q  1} 2^j \cdot v^\prime _{k, j})\). Note that the input vector \(\varvec{v^\prime }\) need not be binary, the algorithm is welldefined for any input vector in \(\mathbb {Z}_q^N\).

\({\mathbf {\mathsf{{Flatten}}}}(\varvec{v^\prime })\): The algorithm \(\mathsf {Flatten}\) takes as input an Ndimensional vector \(\varvec{v^\prime } \in \mathbb {Z}_q^N\) and outputs an Ndimensional binary vector \(\mathsf {BitDecomp}({\mathsf {BitDecomp}^{1}}(\varvec{v^\prime }) \in \{0, 1\}^N\).

\({\mathbf {\mathsf{{Powersof2}}}}(\varvec{v})\): The algorithm \(\mathsf {Powersof2}\) takes a \(m^\prime \)dimensional vector \(\varvec{v} \in \mathbb {Z}_q^{m^\prime }\) and outputs an Ndimensional vector \((v_1, 2v_1, \ldots , 2^{\ell _q  1}v_1, \ldots , v_k, 2v_k, \ldots , 2^{\ell _q  1}v_k)\).
We also define \(\mathsf {BitDecomp}\), \({\mathsf {BitDecomp}^{1}}\) and \(\mathsf {Flatten}\) for matrix inputs; in this case, the respective algorithm is applied to each row independently.

\(\langle \mathsf {BitDecomp}(\varvec{a}), \mathsf {Powersof2}(\varvec{b}) \rangle = \langle \varvec{a}, \varvec{b} \rangle \).

\(\langle \varvec{a^\prime }, \mathsf {Powersof2}(\varvec{b}) \rangle = \langle {\mathsf {BitDecomp}^{1}}(\varvec{a^\prime }), \varvec{b} \rangle = \langle \mathsf {Flatten}(\varvec{a^\prime }), \mathsf {Powersof2}(\varvec{b}) \rangle \).
2.5 GSW Compiler for IBE in the SingleIdentity Setting
 1.
Property 1 (Ciphertext and Secret Key Vectors): The secret key for identity \(\mathsf {id}\) and a ciphertext created under \(\mathsf {id}\) are vectors \(\varvec{s_{\mathsf {id}}}, \varvec{c_{\mathsf {id}}} \in \mathbb {Z}_q^{m^\prime }\) for some \(m^\prime \). The first coefficient of \(\varvec{s_{\mathsf {id}}}\) is 1.
 2.
Property 2 (Small Dot Product): If \(\varvec{c_{\mathsf {id}}}\) encrypts 0, then \(\langle \varvec{c_{\mathsf {id}}}, \varvec{s_{\mathsf {id}}} \rangle \) is “small”.
 3.
Property 3 (Security): Encryptions of 0 are indistinguishable from uniform vectors over \(\mathbb {Z}_q\) under the hardness of LWE.
As noted in [6] all known LWEbased IBE schemes satisfy the above properties e.g.: [15, 16, 17, 18].
Let \(\mathcal {E}\) be an IBE satisfying the Properties 13 above. Then \(\mathcal {E}\) can be transformed into a singleidentity IBFHE scheme \(\mathcal {E^\prime }\).
The public parameters \(\mathsf {PP}\) generated by \(\mathcal {E}.\mathsf {Setup}\) includes a modulus q and an integer \(m^\prime \) representing the length of both secret key and ciphertext vectors in \(\mathcal {E}\). Let \(\ell _q = \lfloor \lg {q} \rfloor + 1\) and \(N = m^\prime \times \ell _q\).
3 A Compiler for Multiidentity Leveled IBFHE
In this section, we present a new compiler that can transform an LWEbased IBE into a multiidentity IBFHE. As we will see, achieving multiidentity IBFHE is far more difficult than singleidentity IBFHE.
3.1 Intuition
Suppose \(\mathcal {E}\) is an LWEbased IBE that satisfies properties 1  3 above. We can apply the GSW compiler to yield an IBFHE scheme \(\mathcal {E}^\prime \) in the singleidentity setting. Our goal is to construct a compiler for the multiidentity setting. Consider two ciphertexts \(\mathbf {C_1}\) and \(\mathbf {C_2}\) that encrypt \(\mu _1\) and \(\mu _2\) under identities \(\mathsf {id}_1\) and \(\mathsf {id}_2\) respectively. Let \(\varvec{s_1}\) and \(\varvec{s_2}\) be secret keys in the scheme \(\mathcal {E}\) for identities \(\mathsf {id}_1\) and \(\mathsf {id}_2\) respectively. Accordingly, a decryptor can compute \(\varvec{v_1} \leftarrow \mathsf {Powersof2}(\varvec{s_1})\) and \(\varvec{v_2} \leftarrow \mathsf {Powersof2}(\varvec{s_2})\). It holds that \(\mathbf {C_1} \cdot \varvec{v_1} = \mu _1\cdot \varvec{v_1} + \varvec{e_1}\) and \(\mathbf {C_2} \cdot \varvec{v_2} = \mu _2\cdot \varvec{v_2} + \varvec{e_2}\) where \(\varvec{e_1}, \varvec{e_2} \in \mathbb {Z}_q^N\) are short vectors.
The main idea behind our approach is to transform each input ciphertext matrix (i.e. \(\mathbf {C_1}\) and \(\mathbf {C_2}\) in this example) into a corresponding Open image in new window “expanded matrix” where Open image in new window is the number of distinct identities (i.e. Open image in new window in our example).
3.2 Abstract Compiler
We start by describing an abstract framework for multiidentity IBFHE from Learning with Errors (LWE). Our compiler uses the aforementioned abstraction which we call a masking system. An additional prerequisite for an IBE scheme \(\mathcal {E}\) (beyond Properties 13) to work with our compiler is that there exists a masking system \(\mathsf {MS}_{\mathcal {E}}\) for \(\mathcal {E}\). First we provide a formal definition of a masking system.
Definition 8

\(\mathsf {GenUnivMask}(\mathsf {PP}, \mathsf {id}, \mu )\) takes as input public parameters \(\mathsf {PP}\) for \(\mathcal {E}\), an identity \(\mathsf {id} \in \mathcal {I}\) and a message \(\mu \in \{0, 1\}\), and outputs \(U \in \{0, 1\}^*\) (referred to as a universal mask).

\(\mathsf {DeriveMask}(\mathsf {PP}, U, \mathsf {id}^\prime )\) takes as input public parameters \(\mathsf {PP}\) for \(\mathcal {E}\), a universal mask\(U \in \{0, 1\}^*\) and an identity \(\mathsf {id}^\prime \in \mathcal {I}\), and outputs a pair of matrices \((\mathbf {X}, \mathbf {Y}) \in (\mathbb {Z}_q^{N \times N})^2\).
 Correctness: Let \(w(\cdot )\) be a polynomial associated with the masking system. Let \(w = w(\lambda )\). We refer to w as the error expansion factor. For correctness, it is required that for any \((\mathsf {PP}, \mathsf {MSK}) \leftarrow \mathcal {E}.\mathsf {Setup}(1^\lambda )\), any identities \(\mathsf {id}, \mathsf {id}^\prime \in \mathcal {I}\), any secret keys \(\varvec{v_{\mathsf {id}}} \leftarrow \mathsf {Powersof2}(\mathcal {E}.\mathsf {KeyGen}(\mathsf {MSK}, \mathsf {id})) \in \mathbb {Z}_q^N\) and \(\varvec{v_{\mathsf {id}^\prime }} \leftarrow \mathsf {Powersof2}(\mathcal {E}.\mathsf {KeyGen}(\mathsf {MSK}, \mathsf {id}^\prime )) \in \mathbb {Z}_q^{N}\), and any \(\mu \in \{0, 1\}\), and over allit holds that

\(U \leftarrow \mathsf {GenUnivMask}(\mathsf {PP}, \mathsf {id}, \mu )\),

\((\mathbf {X}, \mathbf {Y}) \leftarrow \mathsf {DeriveMask}(\mathsf {PP}, U, \mathsf {id}^\prime )\)
where \(\Vert \varvec{e}\Vert _{\infty } \le w\cdot B\).$$\begin{aligned} \mathbf {X}\varvec{v_{\mathsf {id}}} + \mathbf {Y}\varvec{v_{\mathsf {id}^\prime }} = \mu \cdot \varvec{v_{\mathsf {id}^\prime }} + \varvec{e} \end{aligned}$$(3.1) 

Security: The masking system is said to be secure if all PPT adversaries have a negligible advantage in the following modified \(\mathsf {IND}\)X\(\mathsf {CPA}\) game for \(\mathcal {E}\) where \(X \in \{\mathsf {sID}, \mathsf {ID}\}\). The only change in the security game is that the adversary is given \(U^*\leftarrow \mathsf {GenUnivMask}(\mathsf {PP}, \mathsf {id}^*, \mu _b)\) in place of the challenge ciphertext in the original game, where \(b \xleftarrow {\$}\{0, 1\}\) is the challenger’s random bit, \(\mathsf {id}^*\) is the adversary’s target identity, and \(\mu _0\) and \(\mu _1\) are the challenge messages chosen by the adversary.
 CP.1:
(Ciphertext and secret key vectors): The secret key for identity \(\mathsf {id}\) and a ciphertext created under \(\mathsf {id}\) are vectors \(\varvec{s_{\mathsf {id}}}, \varvec{c_{\mathsf {id}}} \in \mathbb {Z}_q^{m^\prime }\) for some \(m^\prime \). The first coefficient of \(\varvec{s_{\mathsf {id}}}\) is 1.
 CP.2:
(Small Dot Product): If \(\varvec{c_{{\mathsf {id}}}}\) encrypts 0 under identity \(\mathsf {id}\), then \(\varvec{e} = \langle \varvec{c_{\mathsf {id}}}, \varvec{s}_{\mathsf {id}} \rangle \) is “small” where \(\varvec{s}_{\mathsf {id}}\) is generated as in CP.1. Formally, \(\varvec{e}\) is Bbounded; that is, \(\Vert \varvec{e}\Vert _{\infty } \le B\).
 CP.3:
(Security): Encryptions of 0 are indistinguishable from uniform vectors over \(\mathbb {Z}_q\) under the hardness of LWE.
 CP.4:
(Masking System): There exists a masking system \((\mathsf {GenUnivMask}, \mathsf {DeriveMask})\) for \(\mathcal {E}\) meeting the correctness and security conditions of Definition 8.
Let \(\mathsf {MS}_{\mathcal {E}} = (\mathsf {MS}_{\mathcal {E}}\mathsf {GenUnivMask}, \mathsf {MS}_{\mathcal {E}}\mathsf {DeriveMask})\) be a masking system for \(\mathcal {E}\) that satisfies CP.4. A formal description is now given of a generic scheme, which we call \(\mathsf {mIBFHE}\), that uses \(\mathcal {E}\) and \(\mathsf {MS}_{\mathcal {E}}\). We have \(\mathsf {mIBFHE.Setup} = \mathcal {E}.\mathsf {Setup}\) and \(\mathsf {mIBFHE.KeyGen} = \mathcal {E}.\mathsf {KeyGen}\). The remaining algorithms are described as follows.
Evaluation. The evaluator is given as input a circuit \(C \in \mathbb {C}\) and a collection of \(\ell \) ciphertexts \(\mathsf {CT}_1 := (\mathsf {id}_1, \mathsf {type} := 0, \mathsf {enc} := U_1), \ldots , \mathsf {CT}_\ell := (\mathsf {id}_\ell , \mathsf {type} := 0, \mathsf {enc} := U_\ell )\).
Consider the set of distinct identities \(I = \{\mathsf {id}_1, \ldots , \mathsf {id}_\ell \}\). Suppose that Open image in new window is the number of distinct identities. If Open image in new window (i.e. the maximum supported number of distinct identities is exceeded), the evaluator aborts the evaluation. For simplicity we relabel the distinct identities as Open image in new window . Thus, each distinct identity in the collection is associated with a unique index in Open image in new window . Before evaluation can be performed, each ciphertext must be “transformed” into a Open image in new window matrix, which we call an expanded matrix. This is achieved as follows.
Let \((\mathsf {id}_r, \mathsf {type} := 0, \mathsf {enc} := U)\) be a ciphertext whose associated identity has been assigned the index Open image in new window . A matrix Open image in new window is formed as follows. Start by setting \(\mathbf {\hat{C}}\) to the zero matrix. Now \(\mathbf {\hat{C}}\) can be viewed as consisting of Open image in new window submatrices in \(\mathbb {Z}_q^{N \times N}\). We denote the submatrix on row i and column j as \(\mathbf {\hat{C}_{i, j}} \in \mathbb {Z}_q^{N \times N}\).
 1.
Run \((\mathbf {X_i}, \mathbf {Y_i}) \leftarrow \mathsf {MS}_{\mathcal {E}}.\mathsf {DeriveMask}(\mathsf {PP}, U, \mathsf {id}_i)\).
 2.
Set \(\mathbf {\hat{C}_{i,i}} \leftarrow \mathbf {Y_i}\).
 3.
Set \(\mathbf {\hat{C}_{i,r}} \leftarrow \mathsf {Flatten}(\mathbf {\hat{C}_{i,r}} + \mathbf {X_i})\). (The reason for addition here is to handle the special case of \(i = r\)).
Decryption. On input a ciphertext Open image in new window and a sequence of secret keys Open image in new window where \(\varvec{v_{\mathsf {id}_i}}\) is a secret key for \(\mathsf {id}_i\) for Open image in new window , the decryptor performs the following steps. Form the column vector \(\varvec{v}\) as the vertical concatenation of the column vectors Open image in new window . If \(\mathsf {type} = 0\), parse \(\mathsf {enc}\) as the universal mask U, compute \((\mathbf {X}, \mathbf {Y}) \leftarrow {\mathsf {MS}_{\mathcal {E}}.\mathsf {DeriveMask}}(\mathsf {PP}, U, \mathsf {id}_1)\) and set \(\mathbf {C} \leftarrow \mathbf {X} + \mathbf {Y}\). Else if \(\mathsf {type} = 1\), parse \(\mathsf {enc}\) as \(\mathbf {\hat{C}}\) and set \(\mathbf {C} \leftarrow \mathbf {\hat{C}}\).
Lemma 1
Let B be a bound such that all freshly encrypted ciphertexts are Bstronglybounded. Let Open image in new window and L be positive integers. If Open image in new window ^{2}, then the scheme \(\mathsf {mIBFHE}\) is correct and can evaluate NANDbased Boolean circuits of depth L with any number of distinct identities Open image in new window .
See Appendix B for the proof of Lemma 1.
Theorem 3
Let \(\mathcal {E}\) be an IBE scheme satisfying CP.1  CP.4. Then \(\mathcal {E}\) can be transformed into a multiidentity IBFHE scheme \(\mathcal {E^\prime }\).
Proof
The proof of the theorem is constructive. By CP.4, there exists a masking system \(\mathsf {MS}_{\mathcal {E}}\) for \(\mathcal {E}\). The multiidentity IBFHE scheme \(\mathcal {E^\prime }\) that we obtain is \(\mathsf {mIBFHE}\) instantiated with \(\mathcal {E}\) and \(\mathsf {MS}_{\mathcal {E}}\). By Lemma 1, the scheme is correct. CP.4 implies that \(\mathcal {E^\prime }\) is \(\mathsf {IND}\)X\(\mathsf {CPA}\) secure for some \(X \in \{\mathsf {sID}, \mathsf {ID}\}\).
4 Concrete Construction of Multiidentity Leveled IBFHE
To exploit our compiler from the last section to obtain a multiidentity IBFHE, we need to find an LWEbased IBE scheme \(\mathcal {E}\) that satisfies CP.1  CP.4. The major obstacle is finding a scheme for which a secure masking system can be constructed. A natural starting point is the IBE of Cash, Hofheinz, Kiltz and Peikert (CHKP) [18], which is Open image in new window secure in the standard model. This IBE was adapted by Gentry, Sahai and Waters ([6] Appendix A.1) to work with their compiler. There are difficulties however in developing a secure masking system for this IBE. Instead, we consider the IBE of Gentry, Peikert and Vaikuntanathan (GPV) [15]. Unfortunately this scheme is only secure under LWE in the random oracle model. On the plus side, we show that it enjoys the distinction of admitting a secure masking system, and as a consequence of Theorem 3 can be compiled into a multiidentity IBFHE scheme.
4.1 The Gentry, Peikert and Vaikuntanthan (GPV) IBE
In the GPV scheme, the TA needs to use a lookup table^{3} to store secret keys that are issued to users in order to ensure that only a single unique secret key is ever issued for a given identity. This is required for the security proof in the random oracle model.
A hash function \(H : \{0, 1\}^*\rightarrow \mathbb {Z}_q^n\) (modeled as a random oracle in the security proof) is used to map an identity string \(\mathsf {id} \in \{0, 1\}^*\) to a vector \(\varvec{z_{\mathsf {id}}} \in \mathbb {Z}_q^n\). Due to space constraints a formal description of the GPV scheme is deferred to Appendix A. It is easy to see that GPV fulfills CP.1 and CP.2. Furthermore, GPV can be shown to be Open image in new window secure in the random oracle model [15] under LWE, and CP.3 follows from the security proof. It remains to construct a masking system for GPV.
4.2 A Masking System for GPV
A trivial way to do this is for the encryptor to set \(\varvec{x_i} \leftarrow \varvec{0}\) and \(\varvec{y_i} \leftarrow \mathsf {Flatten}((\underbrace{0}_{1, \ldots , i  1}, \mu , \underbrace{0}_{i + 1, \ldots , N}) + \mathsf {BitDecomp}(\mathcal {E}.\mathsf {Encrypt}(\mathsf {PP}, \mathsf {id}^\prime , 0)) \in \{0, 1\}^N\) where the latter is a GSW row encryption of \(\mu \) under identity \(\mathsf {id}^\prime \). Observe that such an \(\varvec{x_i}\) and \(\varvec{y_i}\) serve as a solution to the above equation. However, it is easy to see that such a trivial solution violates semantic security, since a decryptor with a secret key \(\varvec{v^\prime }\) for \(\mathsf {id}^\prime \) (and no secret key for \(\mathsf {id}\)) can still recover the plaintext \(\mu \).
The approach we take to achieve this is to blind the element \(\langle \varvec{z_{\mathsf {id}^\prime }}, \varvec{r} \rangle \) with a GPV encryption of zero under identity \(\mathsf {id}\) such that it can only be unblinded with a secret key for identity \(\mathsf {id}\) (note that the value cannot be recovered outright; instead a noisy approximation is obtained). For simplicity we define the algorithm \(\mathsf {Blind}\) which takes an identity \(\mathsf {id}\) and a value \(v \in \mathbb {Z}_q\) and outputs a vector \(\mathsf {Flatten}((c_1 + v, c_2, \ldots , c_{m^\prime }))\) where \(\varvec{c} \leftarrow \mathcal {E}.\mathsf {Encrypt}(\mathsf {PP}, \mathsf {id}, 0)\). So to provide an \(\varvec{x_i}\) counterpart to the vector \(\varvec{y_i}\) we generated above, we set \(\varvec{x_i} \leftarrow \mathsf {Blind}(\mathsf {id}, (\langle \varvec{z_{\mathsf {id}^\prime }}, \varvec{r} \rangle )\) where \(\varvec{r}\) is the vector used in the generation of \(\varvec{y_i}\) above. It follows that \(\langle \varvec{x_i}, \varvec{v} \rangle + \langle \varvec{y_i}, \varvec{v^\prime } \rangle = \mu \cdot \varvec{v^\prime } + \text {``small''}\).
There are subtleties that we have overlooked. For security reasons, we need to change how we generate \(\varvec{x_i}\) and \(\varvec{y_i}\) for \(i \in [\ell _q]\). This is because for the first \(\ell _q\) components of \(\varvec{y_i}\) as generated above, the plaintext \(\mu \) is not hidden; it is effectively sent in the clear. However we can resolve this issue by setting \(\varvec{x_i} \leftarrow \mathsf {Blind}(\mathsf {id}, \mu \cdot 2^{i  1}\)\(\varvec{y_i} \leftarrow \varvec{0}\) and simply setting \(\varvec{y_i} \leftarrow \varvec{0}\).
However there is still a major weakness in this approach. Suppose a decryptor has access to two decryption vectors \(\varvec{u^\prime }, \varvec{v^\prime } \in \mathbb {Z}_q^N\) that decrypt ciphertexts with identity \(\mathsf {id}^\prime \). For example, the TA might have generated distinct secret key vectors when issuing keys to different parties, and the parties may have shared that information.
Support for All Identities. The algorithm above allows an encryptor to create a secure “mask” for a specific identity that he knows. But how can we create a succinct “universal mask” from which “masks” for arbitrary identities can be derived? To achieve this, we need to take a look at the structure of vector \(\varvec{x_i}\) in our masking system, which is constructed as \(\varvec{x_i} \leftarrow \mathsf {Blind}(\mathsf {id}, \langle \varvec{z_{\mathsf {id}^\prime }}, \varvec{r} \rangle )\) where \(\mathsf {id}^\prime \) is known to the encryptor. But what if \(\mathsf {id}^\prime \) is an arbitrary identity (i.e. not simply one that is known beforehand by the encryptor but one that is chosen by the evaluator at evaluation time)? In this case, we need to obtain an \(\varvec{x_i}\) that blinds \(\langle \varvec{z_{\mathsf {id}^\prime }}, \varvec{r} \rangle \). Our goal is to include information in the universal mask that we derive so that for any identity \(\mathsf {id}^\prime \) one can derive an \(\varvec{x_i}\) that blinds \(\langle \varvec{z_{\mathsf {id}^\prime }}, \varvec{r} \rangle \) where \(\varvec{z_{\mathsf {id}^\prime }} = H(\mathsf {id}^\prime )\).
More precisely what we have is shown is how to generate \(\mathbf {B}^{(i)}\) and \(\varvec{y}_i\) for \(i \in [\ell _q]\). Recall that in our previous masking system we generated \(\varvec{x_i}\) and \(\varvec{y_i}\) differently for \(i \in [\ell _q]\). This will also apply here. Instead of computing \(\mathbf {B}^{(i)}\) for \(i \in [\ell _q]\), we instead merely compute \(\varvec{x_i} \leftarrow \mathsf {Blind}(\mathsf {id}, \mu \cdot 2^{i  1})\) and \(\varvec{y_i} \leftarrow \varvec{0}\). This completes the description of our masking system.
We now formally present our masking system for \(\mathsf {GPV}\). (which we call \({\mathsf {MS}_{\mathsf {GPV}}}\)). Let \(\eta = \ell _q \cdot n\).
 1.For \(i \in [\ell _q]\):
 (a)
Set \(\varvec{x_i} \leftarrow \mathsf {Blind}(\mathsf {id}, \mu \cdot 2^{i  1})\)
 (b)
Set \(\varvec{y_i} \leftarrow \varvec{0}\)
 (a)
 2.For \(\ell _q < i \le N\):
 (a)
Generate \(\varvec{r} \xleftarrow {\$}\mathbb {Z}_q^{n}\) and sample a short error vector \(\varvec{e} \xleftarrow {\$}\chi ^{m^\prime }\).
 (b)For \(j \in [\eta ]:\)
 (i)
Set \(\varvec{b^{(i)}_j} \leftarrow \mathsf {BitDecomp}^{1}(\mathsf {Blind}(\mathsf {id}, p_j)) \in \mathbb {Z}_q^{m^\prime }\) where \(p_j\) be the jth coefficient of \(\mathsf {Powerof2}(\varvec{r})\)
 (i)
 (c)
Form matrix \(\mathbf {B^{(i)}}\) from rows \(\varvec{b^{(i)}_1}, \ldots , \varvec{b^{(i)}_\eta }\).
 (d)
Set \(\varvec{y_i} \leftarrow \mathsf {Flatten}((\underbrace{0}_{1, \ldots , i  1}, \mu , \underbrace{0}_{i + 1, \ldots , N}) + \mathsf {BitDecomp}((0, \varvec{r} \cdot \mathbf {A} + \varvec{f})))\)
 (a)
 3.
Form matrix \(\mathbf {Y}\) from rows \(\varvec{y_1}, \ldots , \varvec{y_N}\).
 4.
Output \(U := (\varvec{x_1}, \ldots , \varvec{x_{\ell _q}}, \mathbf {Y}, \mathbf {B^{(\ell _q + 1)}}, \ldots , \mathbf {B^{(N)}})\).
 1.
Parse U as \((\varvec{x_1}, \ldots , \varvec{x_{\ell _q}}, \mathbf {Y}, \mathbf {B^{(\ell _q + 1)}}, \ldots , \mathbf {B^{(N)}})\).
 2.
Compute \(\varvec{z_{\mathsf {id}^\prime }} \leftarrow H(\mathsf {id}^\prime )\).
 3.For \(\ell _q < i \le N\):
 (a)
Set \(\varvec{x_i} \leftarrow \mathsf {Flatten}(\mathsf {BitDecomp}(\varvec{z_{\mathsf {id}^\prime }}) \cdot \mathbf {B}^{(i)})\)
 (a)
 4.
Form \(\mathbf {X} \in \{0, 1\}^{N \times N}\) from \(\varvec{x_1}, \ldots , \varvec{x_N}\).
 5.
Output \((\mathbf {X}, \mathbf {Y})\).
It is easy to see from the definition of \({\mathsf {MS}_{\mathsf {GPV}}.\mathsf {DeriveMask}}\) that the error expansion factor is \(w = \eta + 1\). This is because each row in an expanded matrix is formed from a row of \(\mathbf {X}\) and a row of \(\mathbf {Y}\). But the former decomposes into a sum of \(\eta \) ciphertexts (and hence error terms).
Theorem 4
[Informal] The masking system \({\mathsf {MS}_{\mathsf {GPV}}}\) is selectively secure in the random oracle model (i.e. \({\mathsf {MS}_{\mathsf {GPV}}}\) meets the security condition of Definition 8).
A formal statement of Theorem 4 along with the proof is given in Appendix E. See Appendix A.1 on how to apply the compiler.
5 Multikey FHE
If we replace the GPV IBE with the DualRegev publickey encryption scheme from [15], then we can obtain a multikey FHE. The only change in the masking system is that identity vectors (i.e. \(\varvec{z_{\mathsf {id}}} = H(\mathsf {id}) \in \mathbb {Z}_q^n\)) are replaced with publickey vectors in \(\mathbb {Z}_q^n\). As a result, the random oracle H is no longer needed, and security holds in the standard model. Our multikey scheme is the first to the best of our knowledge that is based on wellestablished problem such as LWE in the standard model (recall that the scheme from [14] requires the nonstandard Decisional Small Polynomial Ratio (DSPR) problem). See the full version [19] of this work for a description of an adaptation of our masking systm to the RLWE setting.
Footnotes
 1.
The paper [13] attributes this observation to Brent Waters.
 2.
Note that N (which depends on n) is itself dependent on \(\lg {q}\). For security, it is required that \(q/B = 2^{n^\epsilon }\) for some \(\epsilon \in (0, 1)\). A discussion on parameters is provided in Appendix C.
 3.
Alternatively with the additional assumption of a PRF, a lookup table could be avoided by deterministically deriving secret keys (i.e. obtaining random coins from the PRF).
 4.
\(w = \eta + 1 = \ell _q \cdot n + 1 \le \ell _q \cdot m < N\).
 5.
Note that N (which depends on n) is itself dependent on \(\lg {q}\). For security, it is required that \(q/B = 2^{n^\epsilon }\) for some \(\epsilon \in (0, 1)\). A discussion on parameters is provided in Appendix C.
 6.
A normal variable with standard deviation \(\sigma \) is within \(t \cdot \sigma \) standard deviations of its mean, except with probability at most \(\frac{1}{t} \cdot \frac{1}{e^{t^2/2}}\) [15].
Notes
Acknowledgments
We would like to thank the anonymous reviewers of for their helpful comments. The authors would like to thank Fuqun Wang for pointing out errors in an earlier version of this paper.
References
 1.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, p. 169 (2009)Google Scholar
 2.Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010) Google Scholar
 3.van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010) Google Scholar
 4.Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ringlwe and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011) Google Scholar
 5.Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) FOCS 2011, pp. 97–106. IEEE, Olympia (2011)Google Scholar
 6.Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptuallysimpler, asymptoticallyfaster, attributebased. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013) Google Scholar
 7.Boneh, D., Franklin, M.: Identitybased encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) Google Scholar
 8.Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001) Google Scholar
 9.Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the ThirtySeventh Annual ACM symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York, NY, USA (2005)Google Scholar
 10.Clear, M., McGoldrick, C.: Bootstrappable identitybased fully homomorphic encryption. Cryptology ePrint Archive, report 2014/491 (2014). http://eprint.iacr.org/
 11.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49. IEEE Computer Society (2013)Google Scholar
 12.Clear, M., McGoldrick, C.: Bootstrappable identitybased fully homomorphic encryption. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 1–19. Springer, Heidelberg (2014) Google Scholar
 13.Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011) Google Scholar
 14.LópezAlt, A., Tromer, E., Vaikuntanathan, V.: Onthefly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the 44th Symposium on Theory of Computing, STOC 2012, pp. 1219–1234. ACM, New York, NY, USA (2012)Google Scholar
 15.Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM, New York, (2008)Google Scholar
 16.Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010) Google Scholar
 17.Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorterciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010) Google Scholar
 18.Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010) Google Scholar
 19.Clear, M., McGoldrick, C.: Multiidentity and multikey leveled FHE from learning with errors. IACR Cryptology ePrint Archive 2014, p. 798 (2014). http://eprint.iacr.org/2014/798
 20.Gilbert, H. (ed.): Advances in Cryptology  EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010)Google Scholar
 21.Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., Van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999) Google Scholar
 22.Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Cryptology ePrint Archive, report 2008/521 (2008). http://eprint.iacr.org/2008/521
 23.Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012) Google Scholar