Computing Arbitrary Functions of Encrypted Data

Craig Gentry
IBM T.J. Watson Research Center
19 Skyline Dr.
Hawthorne, NY
[email protected]
ABSTRACT
Suppose that you want to delegate the ability to process your
data, without giving away access to it. We show that this
separation is possible: we describe a fully homomorphic
encryption scheme that keeps data private, but that allows
a worker that does not have the secret decryption key to
compute any (still encrypted) result of the data, even when
the function of the data is very complex. In short, a third
party can perform complicated processing of data without
being able to see it. Among other things, this helps make
cloud computing compatible with privacy.
1. INTRODUCTION
Is it possible to delegate processing of your data without
giving away access to it?
This question, which tests the tension between conve-
nience and privacy, has always been important, but seems
especially so now that we are headed toward widespread
use of cloud computing. To put everything online in the
cloud, unencrypted, is to risk an Orwellian future. For cer-
tain types of data, such as medical records, storing them
o-site unencrypted may be illegal. On the other hand, en-
crypting ones data seems to nullify the benets of cloud
computing. Unless I give the cloud my secret decryption
key (sacricing my privacy), what can I expect the cloud to
do with my encrypted data except send it back to me, so
that I can decrypt it and process it myself?
Fortunately, this is a false dilemma, or at least convenience
and privacy can be reconciled to a large extent. For data
that is encrypted with anordinaryencryption scheme, it is
virtually impossible for someone without the secret decryp-
tion key (such as the cloud) to manipulate the underlying
data in any useful way. However, some encryption schemes
are homomorphic or malleable. They let anyone manipu-
late (in a meaningful way) what is encrypted, even without
knowing the secret key!
In this paper, we describe the rst fully homomorphic
This paper draws from the STOC 2009 paper Fully Homo-
morphic Encryption Using Ideal Lattices, my thesis, and a
recent manuscript co-authored with van Dijk, Halevi, and
Vaikuntanathan.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for prot or commercial advantage and that copies
bear this notice and the full citation on the rst page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specic
permission and/or a fee.
Copyright 2008 ACM 0001-0782/08/0X00 ...$5.00.
encryption (FHE) scheme, where fully means that there
are no limitations on what manipulations can be performed.
Given ciphertexts c1, . . . , ct that encrypt m1, . . . , mt with
our scheme under some key, and given any eciently com-
putable function f, anyone can eciently compute a cipher-
text (or set of ciphertexts) that encrypts f(m1, . . . , mt) un-
der that key. In short, this permits general computations
on encrypted data. No information about m1, . . . , mt or the
value of f(m1, . . . , mt) is leaked.
This means that cloud computing is consistent with pri-
vacy. If I want the cloud to compute for me some function f
of my (encrypted) data m1, . . . , mt for example, this func-
tion could be all les containing CACM or Communica-
tions within three words of ACM I send a description
of f to the cloud, which uses the schemes malleability to
compute an encryption of f(m1, . . . , mt), which I decrypt.
The cloud never sees any unencrypted data. If I want, I can
even use the scheme to encrypt a description of f, so that
the cloud does not even see what I am searching for.
Rivest, Adleman, and Dertouzos [5] suggested that fully
homomorphic encryption may be possible in 1978, shortly
after the invention of the RSA cryptosystem [6], but were
unable to nd a secure scheme. As an application, they de-
scribed our private cloud computing scenario above, though
of course they used dierent terminology. There are many
other applications. Homomorphic encryption is useful when-
ever it is acceptable if a response (e.g., to a search engine
query) is encrypted.
Below, we begin by describing homomorphic encryption in
more detail. Then, we describe a concrete scheme due to van
Dijk, Gentry, Halevi, and Vaikuntanathan, [9], which uses
only simple integer operations, and is a conceptually simpler
version of the rst scheme by Gentry [3, 2], which uses lat-
tices. Toward the end, we discuss the schemes (rather slow)
performance. Throughout, we try to make the ideas more
tangible by constantly returning to a physical analogy: a
jewelry store owner, Alice, who wants her workers to process
raw precious materials into intricately designed rings and
necklaces, but who is afraid to give her workers complete
access to the materials for fear of theft.
2. HOMOMORPHIC ENCRYPTION
2.1 Alices Jewelry Store
At rst, the notion of processing data without having ac-
cess to it may seem paradoxical, even logically impossible.
To convince you that there is no fallacy, and to give you
some intuition about the solution, let us consider an analo-
gous problem in (a ctional version of) the physical world.
Alice owns a jewelry store. She has raw precious materials
gold, diamonds, silver, etc. that she wants her workers
to assemble into intricately designed rings and necklaces.
But she distrusts her workers and assumes that they will
steal her jewels if given the opportunity. In other words,
she wants her workers to process the materials into nished
pieces, without giving them access to the materials. What
does she do?
Here is her plan. She uses a transparent impenetrable
glovebox, secured by a lock for which only she has the key.
She puts the raw precious materials inside the box, locks
it, and gives it to a worker. Using the gloves, the worker
assembles the ring or necklace inside the box. Since the
box is impenetrable, the worker cannot get to the precious
materials, and gures he might as well return the box to
Alice, with the nished piece inside. Alice unlocks the box
with her key and extracts the ring or necklace. In short,
the worker processes the raw materials into a nished piece,
without having true access to the materials.
The locked impenetrable box, with raw precious materials
inside, represents an encryption of the initial data m1, . . . , mt,
which can be accessed only with the secret decryption key.
The gloves represent the homomorphism or malleability of
the encryption scheme, which allows the raw data to be
manipulated while it is inside the encryption box. The
completed ring or necklace inside the box represents the en-
cryption of f(m1, . . . , mt), the desired function of the initial
data. Note that lack of access is represented by lack of
physical access, as opposed to lack of visual access, to the
jewels. (For an analogy that uses lack of visual access, con-
sider a photograph developers darkroom.)
Of course, Alices jewelry store is only an analogy. It
does not represent some aspects of homomorphic encryption
well, and taking it too literally may be more confusing than
helpful. We discuss some aws in the analogy at the end
of this section, after we describe homomorphic encryption
more formally. Despite its aws, we return to the analogy
throughout, since it motivates good questions, and repre-
sents some aspects of our solution quite well most notably,
bootstrapping, which we discuss in Section 4.
2.2 Homomorphic Encryption: Functionality
An encryption scheme c has three algorithms: KeyGen
E
,
Encrypt
E
and Decrypt
E
, all of which must be ecient that
is, run in time poly(), polynomial in a security parameter
that species the bit-length of the keys. In a symmetric, or
secret-key, encryption scheme, KeyGen
E
uses to generate
a single key that is used in both Encrypt
E
and Decrypt
E
,
rst to map a message to a ciphertext, and then to map
the ciphertext back to the message. In an asymmetric, or
public-key, encryption scheme, KeyGen
E
uses to generate
two keys a public encryption key pk, which may be made
available to everyone, and a secret decryption key sk. As
a physical analogy for an asymmetric encryption scheme,
one can think of Alices public key as a padlock, which she
constructs and distributes, that can be locked without a key.
Anyone can put a message inside a box secured by Alices
padlock (encrypt), and mail it via a public channel to Alice,
but only Alice has the key needed to unlock it (decrypt).
A homomorphic encryption scheme can be either symmet-
ric or asymmetric, but we will focus on the asymmetric case.
It has a fourth algorithm EvaluateE, which is associated to a
set TE of permitted functions. For any function f in TE and
any ciphertexts c1, . . . , ct with ci Encrypt
E
(pk, mi), the
algorithm EvaluateE(pk, f, c1, . . . , ct) outputs a ciphertext c
that encrypts f(m1, . . . , mt) i.e., such that Decrypt
E
(sk, c) =
f(m1, . . . , mt). (For convenience, we will assume that f has
one output. If f has k outputs, then EvaluateE outputs
k ciphertexts that encrypt f(m1, . . . , mt) collectively.) As
shorthand, we say that c can handle functions in TE. For a
function f not in TE, there is no guarantee that EvaluateE
will output anything meaningful. Typically EvaluateE is un-
dened for such a function.
As described thus far, it is trivial to construct an en-
cryption scheme that can handle all functions. Just de-
ne EvaluateE as follows: simply output c (f, c1, . . . , ct),
without processingthe ciphertexts at all. Modify Decrypt
E
slightly: to decrypt c, decrypt c1, . . . , ct to obtain m1, . . . , mt,
and then apply f to these messages.
But this trivial solution obviously does not conform to the
spirit of what we are trying to achieve to delegate the data
processing (while maintaining privacy). The trivial solution
is as if, in Alices jewelry store, the worker simply sends
the box (which need not have gloves) back to Alice without
doing any work on the raw precious materials, and Alice
unlocks the box, extracts the materials, and assembles the
ring or necklace herself.
So, how do we formalize what it means to delegate? In-
tuitively, the purpose of delegation is to reduce ones work-
load. We can formalize this in terms of the running times
(i.e., complexity) of the algorithms. Specically, we require
that decrypting c (the ciphertext output by EvaluateE) takes
the same amount of computation as decrypting c1 (a cipher-
text output by Encrypt
E
). Moreover, we require that c is the
same size as c1. We refer to these as the compact ciphertexts
requirement. Again, the size of c and the time needed to de-
crypt it do not grow with the complexity of f; rather, they
are completely independent of f (unless f has multiple out-
puts). Also, of course, the complexity of Decrypt
E
, as well
as the complexity of KeyGen
E
and Encrypt
E
, must remain
polynomial in .
c is fully homomorphic if it can handle all functions, has
compact ciphertexts, and EvaluateE is ecient in a way that
we specify below. The trivial solution above certainly is not
fully homomorphic, since the size of the ciphertext output by
EvaluateE, as well as the time needed to decrypt it, depend
on the function being evaluated. In terms of Alices jewelry
store, our denition of fully homomorphic captures the best-
case scenario for Alice: her workers can assemble arbitrarily
complicated pieces inside the box, but the work needed to
assemble has no bearing on the work Alice needs to do to
unlock the box and extract the piece.
We want our fully homomorphic scheme to be ecient for
the worker, as well. In particular, we want the complexity
of EvaluateE like the other algorithms of c to depend
only polynomially on the security parameter. But clearly
its complexity must also depend on the function being eval-
uated. How do we measure the complexity of f? Perhaps
the most obvious measure is the running time T
f
of a Tur-
ing machine that computes f. We use a related measure,
the size S
f
of a boolean circuit (i.e., the number of AND,
OR, and NOT gates) that computes f. Any function that
can be computed in T
f
steps on a Turing machine can be
expressed as a circuit with about T
f
gates. More precisely,
S
f
< k T
f
log T
f
for some small constant k. Overall, we
say that EvaluateE is ecient if there is a polynomial g such
that, for any function f that is represented by a circuit of
size S
f
, EvaluateE(pk, f, c1, . . . , ct) has complexity at most
S
f
g().
The circuit representation of f is also useful because it
breaks the computation of f down into simple steps e.g.,
AND, OR, and NOT gates. Moreover, to evaluate these
gates, it is enough to be able to add, subtract and mul-
tiply. (In fact, it is enough if we can add, subtract and
multiply modulo 2.) In particular, for x, y |0, 1, we
have AND(x, y) = xy, OR(x, y) = 1 (1 x)(1 y) and
NOT(x) = 1 x. So, to obtain a fully homomorphic en-
cryption scheme, all we need is a scheme that operates on
ciphertexts so as to add, subtract, and multiply the under-
lying messages, indenitely.
But is the circuit representation of f or some arith-
metized version of it in terms of addition, subtraction and
multiplication necessarily the most ecient way to evalu-
ate f? In fact, some functions, like binary search, take much
longer on a Turing machine or circuit than on a random ac-
cess machine. On a random access machine, a binary search
algorithm on t ordered items only needs to touch O(log t)
of its inputs.
A moments thought shows that random-access speed-
ups cannot work if the data is encrypted. Unless we know
something a priori about the relationship between f and
m1, . . . , mt, the algorithm EvaluateE(pk, f, c1, . . . , ct) must
touch all of the input ciphertexts, and therefore have com-
plexity at least linear in the number of inputs. To put it an-
other way, if EvaluateE (for some reason) did not touch the
second half of the ciphertexts, this would leak information
about the second half of the underlying messages namely,
their irrelevance in the computation of f and this leak-
age would contradict the security of the encryption scheme.
While EvaluateE must have running time at least linear in
t as an unavoidable cost of the complete privacy that ho-
momorphic encryption provides, a tradeo is possible. If I
am willing to reveal e.g., in the cloud computing context
that the les that I want are contained in a certain 1%
of my data, then I may help the cloud reduce its work by a
factor of 100.
Another artifact of using a xed circuit representation of
f is that the size of the output i.e., the number of output
wires in the circuit must be xed in advance. For example,
when I request all of my les that contain a combination
of keywords, I should also specify how much data I want
retrieved e.g., one megabyte. From my request, the cloud
will generate a circuit for a function that outputs the rst
megabyte of the correct les, where that output is truncated
(if too much of my data satises my request), or padded with
zeros (if too little). A moments thought shows that this
is also unavoidable. There is no way the cloud can avoid
truncating or padding unless it knows something a priori
about the relationship between the function and my data.
2.3 Homomorphic Encryption: Security
In terms of security, the weakest requirement for an en-
cryption scheme is one-wayness: given the public key pk and
a ciphertext c that encrypts unknown message m under pk,
it should be hard to output m. Hard means that any
algorithm or adversary / that runs in poly() time has a
negligible probability of success over the choices of pk and
m (i.e., the probability it outputs m is less than 1/
k
for
any constant k).
Nowadays, we typically require an encryption scheme to
have a stronger security property, called semantic security
against chosen-plaintext attacks (CPA) [4]: given a cipher-
text c that encrypts either m0 or m1, it is hard for an ad-
versary to decide which, even if it is allowed to choose m0
and m1. Here, hard means that if the adversary / runs
in polynomial time and guesses correctly with probability
1/2 + , then , called /s advantage, must be negligible.
If this advantage is non-negligible, then we say (informally)
that the adversary breaks the semantic security of the en-
cryption scheme.
If an encryption scheme is deterministic i.e., if there is
only one ciphertext that encrypts a given message then it
cannot be semantically secure. An attacker can easily tell
whether c encrypts m0, by running c0 Encrypt(pk, m0)
and seeing if c and c0 are the same. A semantically se-
cure encryption scheme must be probabilistic i.e., there
must be many ciphertexts that encrypt a given message,
and Encrypt
E
must choose one randomly according to some
distribution.
One can prove the (conditional) one-wayness or semantic
security of an encryption scheme by reducing a hard problem
to breaking the encryption scheme. For example, suppose
one shows that if there is an ecient algorithm that breaks
the encryption scheme, then this algorithm can be used as a
subroutine in an ecient algorithm that factors large num-
bers. Then, under the assumption that factoring is hard
i.e., that no poly()-time algorithm can factor -bit numbers
the reduction implies that the encryption scheme must be
hard to break.
Semantic security of a homomorphic encryption scheme
is dened in the same way as for an ordinary encryption
scheme, without reference to the EvaluateE algorithm. If
we manage to prove a reduction i.e., that an attacker that
breaks c can be used to solve a hard problem like factoring
then this reduction holds whether or not c has an EvaluateE
algorithm that works for a large set of functions.
To understand the power of semantic security, let us re-
consider our cloud computing application. Sometime after
storing her encrypted les in the cloud, Alice wants the cloud
to retrieve the les that have a certain combination of key-
words. Suppose that in its response, the cloud sends cipher-
texts that encrypt the rst three les. Cant the cloud just
see that the rst three encrypted les that it is storing for
Alice happen to encrypt the same content as the three les
that it sends to Alice? Not if the scheme is semantically
secure. Even though some of the stored ciphertexts encrypt
the same content as the sent ciphertexts, the cloud cannot
see this, because semantic security guarantees that it is hard
to tell whether two ciphertexts encrypt the same content.
Intuitively, it seems like the EvaluateE algorithm should
make c easier to break, simply because this additional algo-
rithm gives the attacker more power. Or, to put it in terms
of the physical analogy, one would think that the easiest way
to get inside the glovebox is to cut through the gloves, and
that, the more exible the gloves are, the easier the glovebox
is to compromise; this suggests that, the more malleable the
encryption scheme is, the easier it is to break. There is some
truth to this intuition. Researchers [1, 8] showed that if c
is a deterministic fully homomorphic encryption scheme (or,
more broadly, one for which it is easy to tell whether two
ciphertexts encrypt the same thing), then c can be broken
in sub-exponential time, and in only polynomial time (i.e.,
eciently) on a quantum computer. So, malleability seems
to weaken the security of deterministic schemes. But these
results do not apply to semantically secure schemes, such as
ours.
2.4 Some Flaws in the Physical Analogy
The physical analogy represents some aspects of homo-
morphic encryption poorly. For example, the physical anal-
ogy suggests that messages that are encrypted separately
are in dierent encryption boxes and cannot interact. Of
course, this interaction is precisely the purpose of homomor-
phic encryption. To x the analogy, one may imagine that
the gloveboxes have a one-way insertion slot like the mail
bins used by the post oce. Then, messages can be added
to the same encryption box as they arrive. (Even this x is
not entirely satisfactory.)
Another aw is that the output f(m1, . . . , mt) may have
signicantly fewer bits than m1, . . . , mt, whereas in the anal-
ogy (absent signicant nuclear activity inside the glovebox)
the conservation of mass dictates that the box will have
at least as much material inside when the worker is done
as when he started. Finally, in Alices jewelry store, even
though a worker cannot extract the materials from a locked
glovebox, he can easily tell whether or not a box contains a
certain set of materials i.e., the gloveboxes do not provide
semantic security.
3. A SOMEWHAT HOMOMORPHIC
ENCRYPTION SCHEME
On our way to fully homomorphic encryption, we begin by
constructing a somewhat homomorphic encryption scheme c
that can handle a limited class TE of permitted functions.
EvaluateE(pk, f, c1, . . . , ct) does not work for functions f that
are too complicated. Later, we will show to use c to obtain
fully homomorphic encryption.
3.1 Meanwhile in Alices Jewelry Store
After guring out how to use locked gloveboxes to get her
workers to process her precious materials into fancy rings
and necklaces, Alice puts in an order with Acme Glovebox
Company. Unfortunately, the gloveboxes she receives are
defective. After a worker uses the gloves for one minute, the
gloves stien and become unusable. But some of the fanciest
pieces take up to an hour to assemble. Alice sues Acme, but
meanwhile she wonders: Is there some way I can use these
defective boxes to get the workers to securely assemble even
the most complicated pieces?
She notices that the boxes, while defective, do have a prop-
erty that might be useful. As expected, they have a one-way
insertion slot, like post oce mail bins. But they are also
exible enough so that it is possible to put one box inside an-
other through the slot. She wonders whether this property
might play a role in the solution to her problem...
3.2 Our Somewhat Homomorphic Scheme
Our somewhat homomorphic encryption scheme c, de-
scribed below, is remarkably simple [9]. We describe it rst
as a symmetric encryption scheme. As an example param-
eter setting, for security parameter , set N = , P =
2
and Q =
5
.
An Encryption Scheme:
KeyGen
E
(): The key is a random P-bit odd integer p.
Encrypt
E
(p, m): To encrypt a bit m |0, 1, set m

to be a
random N-bit number such that m

= m mod 2. Out-
put the ciphertext c m

+ pq, where q is a random

Q-bit number.
Decrypt
E
(p, c): Output (c mod p) mod 2, where (c mod p) is
the integer c

in (p/2, p/2) such that p divides c c

.
Ciphertexts from c are near-multiples of p. We call (c mod
p) the noise associated to the ciphertext c. It is the distance
to the nearest multiple of p. Decryption works because the
noise is m

, which has the same parity as the message. We

call a ciphertext output by Encrypt a fresh ciphertext, since
it has small (N-bit) noise.
How is the scheme homomorphic? By simply adding, sub-
tracting, or multiplying the ciphertexts as integers, we can
add, subtract or multiply (modulo 2) the underlying mes-
sages. However, complications arise, because these opera-
tions increase the noise associated to resulting ciphertexts.
Eventually, the noise become so large that decryption no
longer reliably returns the correct result.
Homomorphic Operations:
AddE(c1, c2), SubE(c1, c2), MultE(c1, c2): the output cipher-
text c is c1 + c2, c1 c2, or c1 c2.
EvaluateE(f, c1, . . . , ct): Express the boolean function f as
a circuit C with XOR and AND gates. Let C

be
the same circuit as C, but with XOR and AND gates
replaced by addition and multiplication gates over the
integers. Let f

be the multivariate polynomial that

corresponds to C

. Output c f

(c1, . . . , ct).
Let us check that ciphertexts output by EvaluateE decrypt
correctly. As a warm-up, let us consider MultE. Let c =
c1 c2, where cis noise is m

i
, which has the same parity as
the message mi. We have that
c = m

1
m

2
+ pq

for some integer q

. As long as the noises are small enough

so that [m

1
m

2
[ < p/2, we have that
(c mod p) = m

1
m

2
and therefore (c mod p) mod 2 = m1 m2, as it should be.
We will consider the evaluation of more complicated func-
tions momentarily, in Section 3.3.
So far we only described a symmetric homomorphic en-
cryption scheme. Turning it into a public-key scheme is
easy, but adds some complexity. As before, the secret key is
p. The public key consists of a list of integers that are essen-
tially encryptions of zero. The list has length polynomial
in . To encrypt a bit m, the ciphertext c is (essentially) m
plus a random subset sum of the ciphertexts in the public
key. If these ciphertexts have very small noise, the result-
ing ciphertext will also have small noise, and decryption will
work properly: (c mod p) mod 2 will equal m, as before.
3.3 How Homomorphic Is It?
What is the set of permitted functions that our homomor-
phic encryption scheme c can handle?
To answer this question, we need to analyze how the noise
grows as we add and multiply ciphertexts. Encrypt
E
outputs
a fresh ciphertext with a small noise, at most N bits. As
we AddE, SubE, or MultE ciphertexts, the output ciphertext
becomes more noisy. Multiplication tends to increase the
noise faster than addition or subtraction. In particular, for
ciphertexts c1 and c2 with k1- and k2-bit noises, the cipher-
text c c1 c2 has (roughly) (k1 + k2)-bit noise.
What happens when we perform many AddE, SubE, and
MultE operations, as prescribed by the circuit representing
a function f? Similar to what we saw above with multipli-
cation, we have
f

(c1, . . . , ct) = f

(m

1
, . . . , m

t
) + pq

for some integer q

, where m

i
is the noise associated to ci. If
[f

(m

1
, . . . , m

t
)[ < p/2, then (f

(c1, . . . , ct) mod p) equals

f

(m

1
, . . . , m

t
). And if we reduce this result modulo 2, we
obtain the correct result: f(m1, . . . , mt).
In short, the functions that c can handle are those for
which [f

(a1, . . . , at)[ is always less than p/2 if all of the ai

are at most N bits.
c is already quite powerful. As an example, it can handle
an elementary symmetric polynomial of degree d in t vari-
ables, as long as 2
Nd

t
d

< p/2, which is true (roughly)

when d < P/(N log t). For our suggested parameters, this
degree can be quite large: /(log t) = (/ log ). That c
can evaluate polynomials of such high degree makes it ho-
momorphic enough for many applications. For example, it
works well when f is a highly parallelizable function e.g., a
basic keyword search in which case f has fairly low degree.
3.4 Semantic Security and Approximate GCDs
Euclid showed that, given two integers x1 and x2, it is
easy to compute their greatest common divisor (gcd). But
suppose that x1 = s1 + p q1 and x2 = s2 + p q2 are near-
multiples of p, with s1 and s2 much smaller than p. When p
is only an approximate gcd, is it still possible to compute p
eciently i.e., in time polynomial in the bit-lengths of x1
and x2? Not in general, as far as we know.
In fact, if we sample si, p and qi with ,
2
, and
5
bits
(similar to our scheme c), then the approximate gcd problem
seems to remain hard even if we are given arbitrarily many
samples xi = si + p qi, rather than just two. For these
parameters, known attacks including those using contin-
ued fractions and simultaneous diophantine approximation
take time essentially exponential in .
Moreover, we can reduce the approximate gcd problem
to the security of our somewhat homomorphic encryption
scheme. That is, we can prove that an attacker cannot e-
ciently break the semantic security of our encryption scheme
unless the approximate gcd problem is easy.
4. BOOTSTRAPPABLE ENCRYPTION
4.1 Alices Eureka Moment
One night, Alice dreams of immense riches, caverns piled
high with silver, gold and diamonds. Then, a giant dragon
devours the riches and begins to eat its own tail! She awakes
with a feeling of peace. As she tries to make sense of her
dream, she realizes that she has the solution to her prob-
lem. She knows how to use her defective boxes to securely
delegate the assembly of even the most intricate pieces!
Like before, she gives a worker a glovebox, box #1, con-
taining the raw materials. But she also gives him several
additional gloveboxes, where box #2 contains (locked in-
side) the key to box #1, box #3 contains the key to box
#2, and so on. To assemble an intricate design, the worker
manipulates the materials in box #1 until the gloves stien.
Then, he places box #1 inside box #2, where the latter box
already contains a the key to box #1. Using the gloves for
box #2, he opens box #1 with the key, extracts the par-
tially assembled trinket, and continues the assembly within
box #2 until its gloves stien. He then places box #2 inside
box #3, and so on. When the worker nally nishes his
assembly inside box #n, he hands the box to Alice.
Of course, Alice observes, this trick does not work unless
the worker can open box #i within box #(i + 1), and still
have time to make a little bit of progress on the assembly,
all before the gloves of box #(i + 1) stien. But as long as
the unlocking operation (plus a little bit of assembly work)
takes less than a minute, and as long as she has enough de-
fective gloveboxes, then it is possible to assemble any piece,
no matter how complicated!
4.2 A Dream Deciphered
In the analogy, the defective gloveboxes represent our some-
what homomorphic encryption scheme, which can perform
Add, Sub, and Mult operations on ciphertexts for a little
while it can handle functions in a limited set TE until
the noise becomes too large. What we would like to do is
use this somewhat homomorphic scheme to construct a fully
homomorphic one.
As before, box #1 with the precious materials inside rep-
resents the ciphertexts that encrypt the initial data. Box
#(i+1) with the key for box i inside represents an encrypted
secret decryption key i.e., ski encrypted under pk
i+1
.
In the analogy, Alice discovers that there is only one thing
that her workers really need to be able to do in less than one
minute with the gloves, aside from performing a very small
operation on the piece: unlock box #i within box #(i + 1)
and extract the piece. It will turn out that there is only
one function that our scheme c really needs to be able to
handle, with a tiny bit of room left over to perform one
more Add, Sub, or Mult: the decryption function (which is
like unlocking the encryption box).
If c has this self-referential property of being able to han-
dle its own decryption function (augmented by a single gate),
we say that it is bootstrappable. As we will show, if c is
bootstrappable, then one can use c to construct a fully ho-
momorphic encryption scheme c

.
4.3 Bootstrappable to Fully Homomorphic
Suppose that c is bootstrappable. In particular, suppose
that c can handle the following four functions: the decryp-
tion function, expressed as a circuit DE of size polynomial
in , as well as DE augmented by an Add, Sub, or Mult gate
modulo 2. (DE augmented by Add consists of two copies
of DE connected by an Add gate.) We will show that this
is a complete set of circuits, in the sense that if these four
circuits are in TE, then one can construct from c a scheme
c

that is fully homomorphic.

As a warm-up, suppose that ciphertext c1 encrypts the bit
m under key pk
1
. Suppose also that we have an encrypted
secret key: let sk1 be a vector of ciphertexts that encrypt
the bits of sk1 under pk
2
via Encrypt
E
(pk
2
, sk1j). Consider
the following algorithm.
Recrypt
E
(pk
2
, DE, sk1, c1).
Generate c1 via Encrypt
E
(pk
2
, c1j) over the bits of c1
Output c EvaluateE(pk
2
, DE, sk1, c1)
The decryption circuit DE has input wires for the bits of a
secret key and the bits of a ciphertext. Above, EvaluateE
takes in the bits of sk1 and c1, each encrypted under pk
2
.
Then, c is used to evaluate the decryption circuit homo-
morphically. As long as c can handle DE, the output c is
an encryption under pk
2
of Decrypt
E
(sk1, c1) = m. Recrypt
E
therefore outputs a new encryption of m, but under pk
2
.
One fascinating thing about Recrypt
E
is that the message
m is doubly encrypted at one point, rst under pk
1
and
next under pk
2
. Ordinarily, the only thing one can do with
a doubly-encrypted message is to peel o the outer encryp-
tion rst, and then decrypt the inner layer. However, in
Recrypt
E
, the EvaluateE algorithm is used to remove the in-
ner encryption, just like Alice unlocks box #i while it is
inside box #(i + 1).
It is also useful to imagine that c is our somewhat ho-
momorphic encryption scheme from Section 3, and consider
what Recrypt
E
does to the noise of the ciphertexts. Evaluat-
ing DE removes the noise associated to the rst ciphertext
under pk
1
(because, of course, decryption removes noise),
but EvaluateE simultaneously introduces new noise while
evaluating the ciphertexts under pk
2
. As long as the new
noise added is less than the old noise removed, we have made
progress. A similar situation holds in Alices jewelry store.
When the worker extracts the piece from the used-up glove-
box #i, this process simultaneously uses up the gloves of box
#(i + 1). We have made progress as long as the process
does not leave box #(i + 1)s gloves completely used-up.
Of course, our goal is to perform actual operations on
underlying messages, not merely to obtain a new encryption
of the same message. So, suppose that c can handle DE
augmented by some gate e.g., Add; call this augmented
circuit D
Add
. If c1 and c2 are two ciphertexts that encrypt
m1 and m2, respectively, under pk
1
, and we compute c1
and c2 as before, as ciphertexts encrypting the bits of the
ciphertexts under pk
2
, then we have that
c EvaluateE(pk
2
, D
Add
, sk1, c1, c2)
is an encryption under pk
2
of m1 m2.
By recursing this process, we get a fully homomorphic en-
cryption scheme. The public key in c

consists of a sequence
of public keys (pk
1
, . . . , pk
+1
) and a chain of encrypted se-
cret keys sk1, . . . , sk

, where ski is encrypted under pk

i+1
.
To evaluate a function f in c

, we express f as a circuit,
topologically arrange its gates into levels, and step through
the levels sequentially. For a gate at level i +1 (e.g., an Add
gate), we take as input the encrypted secret key ski and a
couple of ciphertexts associated to output wires at level i
that are under pk
i
, and we homomorphically evaluate D
Add
to get a ciphertext under pk
i+1
associated to a wire at level
i + 1. Finally, we output the ciphertext associated to the
output wire of f.
Putting the encrypted secret key bits sk1, . . . , sk

in c

s
public key is not a problem for security. These encrypted
secret key bits are indistinguishable from encryptions of 0
as long as c is semantically secure.
4.4 Circular Security
Strictly speaking, c

does not quite meet our denition

of fully homomorphic encryption, since the complexity of
KeyGen
E
grows linearly with the maximum circuit depth
we want to evaluate. (Fortunately, Encrypt
E
and Decrypt
E

do not depend at all on the function f being evaluated.)

However, suppose that c is not only bootstrappable, but
also circular-secure that is, it is safe to reveal the en-
cryption of a secret key ski under its own associated public
key pk
i
. Then, we can simplify KeyGen
E
. We do not need
distinct public keys pk
i
for each circuit level and an acyclic
chain of encrypted secret keys. Instead, the public key in c

can consist merely of a single public key pk and a single en-

crypted secret key sk (sk under pk), where pk is associated
to all levels of the circuit. This approach has the additional
advantage that we do not need to decide beforehand the
maximal circuit depth complexity of the functions that we
want to be able to evaluate.
For most encryption schemes, including our somewhat ho-
momorphic scheme (as far as we know), revealing an encryp-
tion of sk under pk does not lead to any attack. However,
it is typically dicult to prove that an encryption scheme is
circular-secure.
The issue of circular security also ts within our physical
analogy. Suppose that a key is locked inside the very same
box that the key could open from the outside. Is it possible
to use the gloves and key to open the box from the inside? If
so, it would be a strange lock. Similarly, encryption schemes
that are insecure in this setting tend to be contrived.
5. SOMEWHAT HOMOMORPHIC TO
BOOTSTRAPPABLE
Is our somewhat homomorphic encryption scheme from
Section 3 already bootstrappable? Can it handle its own
decryption circuit? Unfortunately, as far as we can tell,
c can almost handle DE, but not quite. So, we modify
c slightly, constructing a new (but closely related) some-
what homomorphic scheme c

that can handle essentially

the same functions that c can, but whose decryption circuit
is simple enough to make c

bootstrappable.
5.1 Alice Gets Her Hands Dirty
After her dream, Alice rushes to her store to see if her
idea works. She locks box #1 and puts it inside box #2.
Working with the gloves of box #2, she tries to unlock box
#1 in less than one minute. The thickness of the gloves and
the stickiness of the lock combine to make it impossible.
She is despondent until she remembers that she has a
special grease that makes her locks less sticky. This time,
she locks box #3 and puts it inside box #4. She also puts
her bottle of grease inside box #4. Working with the gloves
of box #4, she squirts some grease on the lock and then tries
to unlock it. But the gloves stien before she can nish.
Then, she thinks: why didnt I grease the boxs lock before
putting it inside the other box? That way, I wouldnt waste
my valuable time with the gloves greasing the lock.
She locks box #5, greases its lock, and then puts it inside
box #6. Working with gloves, she tries the lock again. This
time it works, despite the clumsiness of the gloves!
At last, she has a system that lets her securely delegate
the processing of her precious materials into arbitrarily com-
plicated pieces! Her workers just need to apply the grease
to each box before they put it inside the next box. She can
hardly wait to put the system in place the following morning.
5.2 Greasing the Decryption Circuit
In our somewhat homomorphic encryption scheme c from
Section 3, the decryption function is:
m (c mod p) mod 2
Equivalently, but more simply, the equation is:
m LSB(c) XOR LSB(]c/p) ,
where LSB takes the least signicant bit and ] rounds to
the nearest integer. This is equivalent, since (c mod p) =
cp ]c/p. Since p is odd, we have that (c mod p) mod 2 =
c]c/p mod 2. This is just the XOR of the least signicant
bits of c and ]c/p.
In the decryption circuit DE, computing the LSB is imme-
diate: the circuit simply does not have output wires for the
more signicant bits. Computing an XOR also takes only
one gate. If the decryption function is complicated, it must
be because computing ]c/p is complicated. Is the function
f(p, c) = ]c/p (with the few steps afterwards) something
that c can handle? If so, c is bootstrappable, and can be
used to construct a fully homomorphic encryption scheme.
Unfortunately, even a single multiplication of long num-
bers namely, c with 1/p seems to be too complex for c
to handle. The reason is that c and 1/p each need to be
expressed with at least P log p bits of precision to en-
sure that f(p, c) is computed correctly. When you multiply
two P-bit numbers, a bit of the result may be a high-degree
polynomial of the input bits; this degree is also roughly P.
We saw that c can handle an elementary symmetric poly-
nomial in t variables of degree (roughly) d < P/(N log t).
However, c cannot handle even a single monomial of degree
P, where the noise of output ciphertext is upper-bounded
by (2
N
)
P
p
N
p/2. Consequently, c does not seem to
be bootstrappable.
However, if we are willing to get our hands dirty by tin-
kering with c to make the decryption function simpler, we
eventually get a scheme c

that is bootstrappable. The main

idea of the transformation is to replace cs decryption func-
tion, which multiplies two long numbers, with a decryption
function that adds a fairly small set of numbers. In terms
of the bits of the addends, this summation corresponds to a
polynomial of fairly low degree that c

can handle.
Let us go through the transformation step by step, begin-
ning with KeyGen
E
. The transformation uses a couple of
integer parameters: 0 < < .
KeyGen
E
(): Run KeyGen
E
() to obtain keys (pk, sk),
where sk is an odd integer p. Generate a set y = y1, . . . , y

)
of rational numbers in [0, 2) such that there is a sparse subset
S |1, . . . , of size with

iS
yi 1/p mod 2. Set sk

to be the sparse subset S, encoded as a vector s |0, 1

with Hamming weight . Set pk

(pk, y).
The important dierence between KeyGen
E
and KeyGen
E
is that KeyGen
E
includes a hint about the secret integer p
namely, a set of numbers y that contains a (hidden) sparse
subset that sums to 1/p (to within a very small error, and up
to addition by an even number). This hint is the grease,
which will be used in Encrypt
E
and Decrypt
E
. Although it
is technically not the decryption key sk

, the integer p still

can be used to decrypt a ciphertext output by Encrypt
E
,
so revealing this hint obviously impacts security, a point we
elaborate on in Section 5.4.
Encrypt
E
(pk

, m): Run Encrypt

E
(pk, m) to obtain cipher-
text c. For i |1, . . . , , set zi c yi mod 2 keeping
only about log bits of precision after the binary point for
each zi. The ciphertext c

consists of c and z = z1, . . . , z

).
The important point here is that the hint y is used to post-
process a ciphertext c output by Encrypt
E
, with the objective
of leaving less work remaining for Decrypt
E
to do.
This sort of two-phase approach to decryption has been
used before in server-aided cryptography. (See cites in [2].)
In that setting, a user wants to minimize its cryptographic
computation e.g., because it is using a constrained device,
such as a smartcard or handheld. So, it outsources expensive
computations to a server. To set up this arrangement, the
user (in some schemes) must give the server a hint y that
is statistically dependent on its secret key sk, but which is
not sucient to permit the server to decrypt eciently on
its own. The server uses the hint to process a ciphertext
directed to the user, leaving less work for the user to do.
In our setting, the encrypter or evaluator plays the role of
the server, post-processing the ciphertext so as to leave less
work for the decryption algorithm to do.
Decrypt
E
(sk

, c

): Output LSB(c) XOR LSB(]

i
sizi).
Decryption works, since (up to small precision errors)

i
sizi =

i
c siyi = c/p mod 2.
To ensure that the rounding is correct despite the low pre-
cision, we need c to be closer (than the trivial p/2) to a multi-
ple of p (say, within p/16). This makes TE
smaller than TE,
since TE
is limited to functions where [f(a1, . . . , at)[ < p/16
when the ai are N bits. This makes only a small dierence.
The important point regarding Decrypt
E
is that we re-
place the multiplication of c and 1/p with a summation that
contains only nonzero terms. The bits of this summation
can be computed by a polynomial of degree polylog(),
which c

can handle if we set to be small enough.

AddE
(pk

, c

1
, c

2
) : Extract c1 and c2 from c

1
and c

2
.
Run c AddE(pk, c1, c2). The output ciphertext c

consists
of c, together with the result of post-processing c with y.
MultE
(pk

, c

1
, c

2
) is analogous.
5.3 How to Add Numbers
To see that c

can handle the decryption function plus

an additional gate when is set small enough, let us con-
sider the computation of the sum

i
sizi. In this sum,
we have numbers a1, . . . , a

, each ai expressed in binary

(ai,0, . . . , a
i,
) with = O(log ), where at most of the
ais are nonzero (since the Hamming weight of s is ). We
want to express each bit of the output as a polynomial of
the input bits, while minimizing the degree of the polyno-
mial and the number of monomials.
Our approach to the problem is to add up the column of
LSBs of the numbers computing the Hamming weight of
this column to obtain a number in binary representation.
Then, we add up the column of penultimate bits, etc. Af-
terwards, we combine the partial results. More precisely,
for j [0, ], we compute the Hamming weight bj, repre-
sented in binary, of (a1,j, . . . , a
,j
). Then, we add up the
+1 numbers b0, ..., 2

to obtain the nal correct sum.

Conveniently, the binary representation of the Hamming
weight of any vector x |0, 1
t
is given by
(e
2
log t (x1, . . . , xt) mod 2, . . . , e
2
0(x1, . . . , xt) mod 2)
where ei(x1, . . . , xt) is the ith elementary symmetric polyno-
mial over x1, . . . , xt. These polynomials have degree at most
t. Also, we know how to eciently evaluate the elementary
symmetric polynomials. They are simply coecients of the
polynomial p(z) =

t
i=1
(zxi). An important point is that,
in our case, we only need to evaluate the polynomials up to
degree , since we know a priori that each of the Hamming
weights is at most . We saw in Section 3.3 that we can
handle elementary symmetric polynomials in t variables of
degree up to about / log t = (/ log ) for our suggested
parameters. We can set to be smaller than this.
The nal step of computing the sum of the bjs does not
require much computation, since there are only + 1 =
O(log ) of them. We get that a ciphertext encrypting a
bit of the overall sum has noise of at most N g(log )
bits for some polynomial g of low degree. If the nal sum
modulo 2 is (b

0
, b

1
, . . .) in binary, then the rounding oper-
ation modulo 2 is simply b

0
XOR b

1
. With the additional
XOR operation in decryption, and possibly one more gate,
the noise after evaluating the decryption function plus a gate
has at most N h(log ) bits for some polynomial h.
The scheme c

becomes bootstrappable when this noise

has at most log(p/16) = P 4 bits. For example, this works
when = /polylog(), N = , and P =
2
.
5.4 Security of the Transformed Scheme
The encryption key of c

contains a hint about the secret

p. But we can prove that c

is semantically secure, unless

either it is easy to break the semantic security of c (which
implies that the approximate gcd problem is easy), or the
following sparse (or low-weight) subset sum problem (SSSP)
is easy: given a set of numbers y and another number s,
nd the sparse (-element) subset of y whose sum is s.
The SSSP has been studied before in connection with
server-aided cryptosystems. If and are set appropri-
ately, the SSSP is a hard problem, as far as we know. In
particular, if we set to be about , it is hard to nd the
sparse subset by brute force, since there are

pos-
sibilities. If the sparse subset sum is much closer to 1/p
than any other subset sum, the problem yields to a lattice
attack. But these attacks fail when we set large enough
(but still polynomial in ) so that an exponential (in ) num-
ber of subset sums are as close to 1/p as the sparse subset.
Concretely, we can set =
5
polylog().
6. CONCLUSIONS
We now know that FHE is possible. We already have the
scheme presented here, the lattice-based scheme by Gentry
[2, 3], and a recent scheme by Smart and Vercauteren [7].
There is still work to be done toward making FHE truly
practical. Currently, all known FHE schemes follow the
blueprint above: construct a bootstrappable somewhat ho-
momorphic encryption scheme c, and obtain FHE by run-
ning EvaluateE on cs decryption function. But this ap-
proach is computationally expensive. Not only is the decryp-
tion function expressed (somewhat ineciently) as a circuit,
but then EvaluateE replaces each bit in this circuit with a
large ciphertext that encrypts that bit. Perhaps someone
will nd a more ecient blueprint.
The scheme presented here, while conceptually simpler,
seems to be less ecient than the lattice-based scheme. To
get 2

security against known attacks e.g., on the the ap-

proximate gcd problem ciphertexts are
5
polylog() bits,
which leads to
10
polylog() computation to evaluate the
decryption function. The lattice-based scheme with com-
parable security has
6
polylog() computation. This is
high, but not totally unreasonable. Consider: to make RSA
2

-secure against known attacks in particular, against the

number eld sieve factoring algorithm you need to use
an RSA modulus with approximately
3
bits. Then, RSA
decryption involves exponentiation by a
3
-bit exponent
i.e., about
3
multiplications. Even if one uses fast Fourier
multiplication, this exponentiation requires
6
polylog()
computation. Also, unlike RSA, the decryption function
in our scheme is highly parallelizable, which may make an
enormous dierence in some implementations.
7. EPILOGUE
The morning after her dream, Alice explains her glovebox
solution to her workers. They are not happy, but they wish
to remain employed. As the day progresses, it becomes clear
that the gloveboxes are slowing down the pace of jewelry
construction considerably. The main problem seems to be
the thick gloves, which multiply the time needed for each
assembly step. After a few days of low output, Alice curtails
her use of the gloveboxes to pieces that contain the most
valuable diamonds.
Alice loses her suit against Acme Glovebox Company, be-
cause, as far as anyone knows in Alices parallel world, gloves
in gloveboxes are always very sti and stien completely af-
ter moderate use. The old judge explains this to her in a
patronizing tone.
But Alice refuses to give up. She hires a handsome young
glovebox researcher, and tasks him with developing a glove
exible enough to permit the nimble assembly of jewels and
unlocking of boxes, but sturdy enough to prevent the boxes
from being easily compromised. The researcher, amazed at
his good fortune, plunges into the problem.
8. REFERENCES
[1] D. Boneh and R. J. Lipton. Algorithms for black-box
elds and their application to cryptography (extended
abstract). In CRYPTO, pages 283297, 1996.
[2] C. Gentry. A fully homomorphic encryption scheme.
PhD thesis, Stanford University, 2009.
crypto.stanford.edu/craig.
[3] C. Gentry. Fully homomorphic encryption using ideal
lattices. In M. Mitzenmacher, editor, STOC, pages
169178. ACM, 2009.
[4] S. Goldwasser and S. Micali. Probabilistic encryption.
J. Comput. Syst. Sci., 28(2):270299, 1984.
[5] R. L. Rivest, L. M. Adleman, and M. L. Dertouzos. On
data banks and privacy homomorphisms. In
Foundations of Sec. Comp., pages 169180, 1978.
[6] R. L. Rivest, A. Shamir, and L. M. Adleman. A
method for obtaining digital signatures and public-key
cryptosystems. Commun. ACM, 21(2):120126, 1978.
[7] N. P. Smart and F. Vercauteren. Fully homomorphic
encryption with relatively small key and ciphertext
sizes, 2009. http://eprint.iacr.org/2009/571.
[8] W. van Dam, S. Hallgren, and L. Ip. Quantum
algorithms for some hidden shift problems. SIAM J.
Comput., 36(3):763778, 2006.
[9] M. van Dijk, C. Gentry, S. Halevi, and
V. Vaikuntanathan. Fully homomorphic encryption over
the integers, 2009. http://eprint.iacr.org/2009/616.