[Busec] potentially big new result on fully homomorphic encryption, Tuesday 4PM at MIT

Sharon Goldberg goldbe at cs.bu.edu
Wed May 4 08:50:16 EDT 2011

Hi All,

This is possibly a big deal - it could mean that fully homomorphic
encryption is now practical.  Not sure.  There will be a talk at MIT
on Tuesday, see below.


---------- Forwarded message ----------
From: Be Blackburn <be at csail.mit.edu>
Date: Wed, May 4, 2011 at 6:55 AM
Subject: [Theory-seminars] next Tuesday's TOC Colloquium with Zvika Brakerski
To: seminars at csail.mit.edu, theory-seminars at csail.mit.edu

Efficient Fully Homomorphic Encryption from (Standard) LWE

Speaker: Zvika Brakerski, Weizmann Institute of Science and CSAIL, MIT
Date:      Tuesday, May 10 2011
Time:      4:15 pm to 4:15 pm
Snacks    3:45 pm
Where:    32-155
Host:       Scott Aaronson, CSAIL, MIT
Contact:  Be Blackburn , 3-6098, be at csail.mit.edu

In fully homomorphic encryption, it is possible to transform an
encryption of a message, $m$, into an encryption of any (efficient)
function of that message, $f(m)$, without knowing the secret key. This
property makes it into a very useful cryptographic building block.

We present a fully homomorphic encryption scheme that is based solely
on the (standard) learning with errors (LWE) assumption. Applying
known results on LWE, the security of our scheme is based on the
worst-case hardness of short vector problems on arbitrary lattices. As
icing on the cake, our scheme is quite efficient, and has very short

Our construction improves upon previous works in two aspects:

1. We show that ``somewhat homomorphic'' encryption can be based on LWE,
using a new {\em re-linearization} technique. In contrast, all previous
schemes relied on complexity assumptions related to ideals in various

2. More importantly, we deviate from the ``squashing paradigm'' used
in all previous works. We introduce a new {\em dimension reduction}
technique, which shortens the ciphertexts and reduces the decryption
complexity of our scheme, without introducing additional assumptions.
In contrast, all previous works required an additional, very strong
assumption (namely, the sparse subset sum assumption).

Since our scheme has very short ciphertexts, we use it to construct an
asymptotically-efficient LWE-based single-server private information
retrieval (PIR) protocol. The communication complexity of our protocol
(in the public-key model) is $k \cdot \polylog\,k+\log |DB|$ bits per
single-bit query, which is better than any known scheme. Previously,
it was not known how to achieve a communication complexity of even
$\poly(k, \log|DB|)$ based on LWE.

Joint work with Vinod Vaikuntanathan.

Theory-seminars mailing list
Theory-seminars at lists.csail.mit.edu

Sharon Goldberg
Computer Science, Boston University

More information about the Busec mailing list