Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


Gentry proposed a fully homomorphic public key encryption scheme that uses ideal lattices. He based the security of his scheme on the hardness of two problems: an average-case decision problem over ideal lattices, and the sparse (or “low-weight”) subset sum problem (SSSP).

We provide a key generation algorithm for Gentry’s scheme that generates ideal lattices according to a “nice” average-case distribution. Then, we prove a worst-case / average-case connection that bases Gentry’s scheme (in part) on the quantum hardness of the shortest independent vector problem (SIVP) over ideal lattices in the worst case. (We cannot remove the need to assume that the SSSP is hard.) Our worst-case / average-case connection is the first where the average-case lattice is an ideal lattice, which seems to be necessary to support the security of Gentry’s scheme.





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. IBM T.J. Watson Research Center
