Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes

Smart, Nigel P.; Vercauteren, Fréderik

doi:10.1007/978-3-642-13013-7_25

Cited by 530 publications

(411 citation statements)

References 11 publications

Supporting

Mentioning

409

Contrasting

Unclassified

Order By: Relevance

“…For example, it is now generally agreed that the Smart-Vercauteren system [112] using the old rings is broken by a polynomial-time quantum attack and by a subexponential-time pre-quantum attack. Nobody has extended these attacks to our new rings.…”

Section: Choosing Haswell Multiplication Instructionsmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Selected Areas in Cryptography – SAC 2017

103

View full text Add to dashboard Cite

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

show abstract

Section: Choosing Haswell Multiplication Instructionsmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Selected Areas in Cryptography – SAC 2017

103

View full text Add to dashboard Cite

show abstract

“…Gentry's original scheme [Gen09] based on ideal lattices. An implementation of Gentry's scheme was proposed by Gentry and Halevi in [GH11] with a public key of 2.3 GB and a ciphertext refresh procedure of 30 minutes; the implementation is based on many interesting algorithmic optimizations, including some borrowed from Smart and Vercauteren [SV10].…”

Section: Introductionmentioning

confidence: 99%

Batch Fully Homomorphic Encryption over the Integers

Cheon

Coron²,

Kim

et al. 2013

Advances in Cryptology – EUROCRYPT 2013

221

138

View full text Add to dashboard Cite

Abstract. We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically secure under the (error-free) approximate-GCD problem. We also show how to perform arbitrary permutations on the underlying plaintext vector given the ciphertext and the public key. Our scheme offers competitive performance: we describe an implementation of the fully homomorphic evaluation of AES encryption, with an amortized cost of about 12 minutes per AES ciphertext on a standard desktop computer; this is comparable to the timings presented by Gentry et al. at Crypto 2012 for their implementation of a Ring-LWE based fully homomorphic encryption scheme.

show abstract

“…A number of variations, optimizations and implementations appear in [SV10,GH11b]. The security of these schemes are based on hard problems on lattices.…”

Section: Related Workmentioning

confidence: 99%

“…-Loftus et al [LMSV12] showed that Gentry's SHE scheme [Gen09b] is not IND-CCA1 secure and presented an IND-CCA1 attack against the variation proposed in [GH11b]. They also showed that the same attack applies to the other variant by Smart and Vercauteren [SV10]. In fact, the attacks are both key recovery attacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes

Chenal

Tang

2015

Progress in Cryptology - LATINCRYPT 2014

View full text Add to dashboard Cite

In this paper, we continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to recover the private keys through a number of decryption oracle queries. The schemes, that we study in detail, include those by Brakerski and Vaikuntanathan at Crypto 2011 and FOCS 2011, and that by Gentry, Sahai and Waters at Crypto 2013. We also develop a key recovery attack that applies to the somewhat homomorphic encryption scheme by van Dijk et al., and our attack is more efficient and conceptually simpler than the one developed by Zhang et al.. Our key recovery attacks also apply to the scheme by Brakerski, Gentry and Vaikuntanathan at ITCS 2012, and we also describe a key recovery attack for the scheme developed by Brakerski at Crypto 2012.

show abstract

Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes

Cited by 530 publications

References 11 publications

NTRU Prime: Reducing Attack Surface at Low Cost

NTRU Prime: Reducing Attack Surface at Low Cost

Batch Fully Homomorphic Encryption over the Integers

On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes

Contact Info

Product

Resources

About