Homomorphic Encryption

Shai Halevi (IBM Research)

April 2017

Abstract
Fully homomorphic encryption (FHE) has been called the “Swiss Army knife of cryptog-
raphy”, since it provides a single tool that can be uniformly applied to many cryptographic
applications. In this tutorial we study FHE and describe its different properties, relations with
other concepts in cryptography, and constructions. We briefly discuss the three generations of
FHE constructions since Gentry’s breakthrough result in 2009, and cover in detail the third-
generation scheme of Gentry, Sahai, and Waters (GSW).

Acknowledgment. This tutorial was written in honor of Oded Goldreichs 60th birthday, and was
published (with minor changes) as part of the book “Tutorials on the Foundations of Cryptography”,
edited by Yehuda Lindell [67]. I owe special thanks to Yehuda for the initiative to write it.
I drew on many sources for this tutorial, most extensively on Craig Gentry’s PhD thesis [37], a
survey by Vinod Vaikuntanathan [88], and a blog by Boaz Barak and Zvika Brakerski [6]. I would
like to thank Craig Gentry for teaching me most of what I know about FHE. I also thank the many
other people with whom I collaborated on work in this area.

1
Contents
1 Computing on Encrypted Data 1
1.1 Applications of Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Beyond Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Abridged History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3.1 Three Generations of FHE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Organization of This Tutorial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Defining Homomorphic Encryption 7

2.1 Notations and Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.2 Secret-Key Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Properties of Homomorphic Encryption Schemes . . . . . . . . . . . . . . . . . . . . 10
2.2.1 Strong Homomorphism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.2 Compactness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.3 Circuit Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.4 Circuit Private Homomorphic Encryption Versus Two-Message SFE . . . . . 13
2.2.5 Multi hop Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.6 From Secret-Key to Public-Key Homomorphic Encryption . . . . . . . . . . . 16

3 Realizing Leveled Homomorphic Encryption 18

3.1 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.1.1 Learning with Errors (LWE) . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.1.2 Public-Key Encryption from LWE . . . . . . . . . . . . . . . . . . . . . . . . 20
3.1.3 The Flattening Gadget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.1.4 Modulus and Key Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2 The GSW Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.1 First Try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.2 Second Try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.3 Final Try . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.4 The GSW Leveled Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Realizing Fully Homomorphic Encryption 27

4.1 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.1.1 Fully Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 The GSW Scheme Is Bootstrappable . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.2.1 Decryption Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3 Homomorphic Encryption Under Polynomial DLWE . . . . . . . . . . . . . . . . . . 32
4.4 Realizing Strong Homomorphism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

5 Advanced Topics 37
5.1 Faster Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2 Other Attempts at Realizing Homomorphic Encryption . . . . . . . . . . . . . . . . 38
5.2.1 The Hidden-Ideal Paradigm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.2.2 Homomorphic Encryption from Binary Codes . . . . . . . . . . . . . . . . . . 39
 5.2.3 Homomorphic Encryption from Group Theory . . . . . . . . . . . . . . . . . 39
5.3 Homomorphic Encryption for Other Models of Computation . . . . . . . . . . . . . . 39
5.4 Beyond Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.4.1 Multikey Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . 41
5.4.2 Homomorphic Commitments and Signatures . . . . . . . . . . . . . . . . . . 41
5.4.3 Functional Encryption, Obfuscation, and Multilinear Maps . . . . . . . . . . 42

6 Suggested Reading 43
1 Computing on Encrypted Data
Secure multi party computation epitomizes the promise of cryptography, performing the seemingly
impossible magic trick of processing data without having access to it. One simple example features
a client holding an input x and a server holding a function f , the client wishing to learn f (x) without
giving away information about its input. Similarly, the server may want to hide information about
the function f from the client (except, of course, the value f (x)). This situation arises in many
practical scenarios, most notably in the context of secure cloud computing; For example, the client
may want to get driving directions without revealing their location to the server.
Cryptographers have devised multiple solutions to this problem over the last 40 years, but
none simpler (conceptually) than the paradigm of computing on encrypted data. This paradigm
was suggested by Rivest et al. [82] in the very early days of public-key cryptography, under the
name “privacy homomorphisms”: The client simply encrypts its input x and sends the ciphertext
to the server, who can “evaluate the function f on the encrypted input”. The server returns the
evaluated ciphertext to the client, who decrypts it and recovers the result. Of course, it takes
a special encryption method to allow such processing of encrypted data; for example, Rivest et
al. observed in [82] that “raw RSA” (where x is encrypted as xe mod N ) enables multiplication
of encrypted values. They asked whether it was possible to compute more general functions on
encrypted data, and what one can do with an encryption scheme that enables such computations.
Following [82], encryption schemes that support computation on encrypted data came to be
known as homomorphic encryption (HE). In addition to the usual encryption and decryption pro-
cedures, these schemes have an evaluation procedure that takes ciphertexts encrypting x and a
description of a function f , and returns an “evaluated ciphertext” that can be decrypted to obtain
the value f (x). A salient non triviality property of such scheme is compactness, requiring that
the complexity of decrypting an evaluated ciphertext does not depend on the function f that was
used in the evaluation. Another desirable security property is function-privacy, requiring that the
evaluated ciphertext does not reveal the function f , even to the owner of the secret key.
Many cryptosystems that support computation of some functions on encrypted data have been
proposed over the years, but it seemed much harder to construct a compact fully homomorphic
encryption (FHE), namely a compact scheme that can evaluate all (efficient) functions. It was not
until 2009 that the watershed work of Gentry [38] established for the first time a blueprint for con-
structing such schemes and described a viable candidate. That work was followed by a sequence of
rapid advancements, resulting in much more efficient FHE schemes under well established hardness
assumptions, and better understanding of the relations between FHE and other branches of secure
computation. The goal of this tutorial is to present an overview of that line of work.
A “paradox” and its resolution. The ability to compute on encrypted data may seem para-
doxical at first glance. Consider a simple example of outsourced storage: The client stores multiple
encrypted files at the server, and later wants to retrieve one of them without the server learning
which one was retrieved. The client can send an encrypted index to the server, and the server will
perform the computation on the encrypted index and files, resulting in an encryption of only the
file that needs to be retrieved.
But the server can still see the encrypted versions of all the stored files, and now it has the
encrypted version of the file that the client wants to retrieve. Can’t the server just “see” which of
the stored encrypted files is the one being retrieved? The resolution, of course, is that we require
the encryption to be semantically secure [52], and in particular it must be randomized. Hence there

1
are many different encrypted versions of each file, and the encrypted file that the server returns is
different from and “seemingly unrelated” to the stored encrypted files.

1.1 Applications of Homomorphic Encryption

Fully homomorphic encryption has been called the “Swiss Army knife of cryptography” [6], since
it provides a single tool that can be uniformly applied in a wide host of applications. Even when
we have other solutions to a cryptographic problem, the FHE-based ones are often conceptually
simpler and easier to explain. Below we list a few example applications that demonstrate the power
of FHE.
Outsourcing storage and computations. Perhaps the most direct application of homomorphic
encryption is for outsourcing storage and computation without revealing sensitive information.
Consider a small company trying to move its computing facilities to the cloud, but that is wary
of the cloud provider having access to the company’s confidential information. An easy solution
is to encrypt the confidential information before storing it in the cloud, but how can the company
use that information without shipping it back on-premises for every operation (which would defeat
the purpose of outsourcing it)? Homomorphic encryption provides an elegant solution to this
conundrum. The company can keep the information in the cloud in encrypted form, and the cloud
provider can process the information in this form and send only the processed result back to the
company to be decrypted.
PIR and other private queries. Another direct application of homomorphic encryption is
to enable private queries to a database or a search engine. The simplest such example is private
information retrieval [24], where a server is holding a large database (e.g., the US patent database),
and a client wants to retrieve one record of this database without the server learning which record
was retrieved. Homomorphic encryption lets the user encrypt the index of the record that it wants
to retrieve. The server can evaluate the function fdb (i) = db[i] on the encrypted index,1 returning
the encrypted result to the client, who can decrypt it and obtain the plaintext record.
The same solution applies also to the more complex settings of an SQL query to a database
or a free-form query to a search engine. In both cases the server has some procedure for handling
queries, which can be formalized as a function gdb (query) = answer. The client can therefore encrypt
its query before sending it to the server, and the server can evaluate gdb on the encrypted query
and return the encrypted answer.
General two-party computations. The examples above are special cases of (two-party) secure
computation, where two mutually suspicious parties want to compute a common function on their
joint input. Specifically we have Alice with input x and Bob with input y, and we want Alice to learn
F (x, y) (and nothing more), for some agreed-upon function F , and Bob should learn nothing. In the
semi-honest adversarial model (where both parties are assumed to follow the prescribed protocol),
this can be achieved by Alice encrypting her input x under her own key, and Bob evaluating the
function Fy (x) = F (x, y) on that encrypted input. By the semantic security of the encryption
scheme, we know that Bob does not learn anything about Alice’s input from the encryption that
he sees. Also, if we use a homomorphic scheme that hides the evaluated function, then Alice does
not learn anything other than the value of F (x, y). (Converting this protocol to the more general
malicious-adversary model can be done using standard techniques [50].)
1
The function fdb has the database db hard wired in its description, and on input i it outputs the i-th record.

2
 We note that all the examples so far can use secret-key homomorphic encryption. However, as
we will see later in Section 2.2.6, for homomorphic encryption the distinction between public-key
and secret-key encryption is immaterial.
Zero-knowledge. Homomorphic encryption can also be used in a very simple zero-knowledge proof
protocol for every language L in NP. Let RL (x, w) be an NP relation defining the language L =
{x : ∃w s.t. RL (x, w) = 1}, and we sketch a protocol (taken from [6]) by which Bob who knows w
can prove to Alice that x ∈ L.
Toward a protocol, let Bob encrypt its witness w and send it to Alice, who can evaluate on the
encrypted witness the function rx (w) = RL (x, w). But Alice only has the encrypted result; she still
needs Bob’s help in determining the bit which is encrypted there. Of course Alice cannot just send
that encryption to Bob to be decrypted, since Bob cannot be trusted to return the right answer.
Instead, she chooses a random bit b, and sends the evaluated ciphertext to Bob only when b = 1,
otherwise sending him a fresh encryption of zero. Alice finally accepts if Bob replies with the bit b;
otherwise she rejects.
The soundness of this protocol follows from the fact that, for x ∈ / L, both ciphertexts will be
encryptions of zero. As long as Bob cannot distinguish fresh from evaluated encryption of zero, he
cannot convince Alice with probability better than 1/2. Of course we should consider what happens
when the initial ciphertext sent by Bob is not a valid encryption at all, but this can be handled
by simple cut-and-choose: First, Bob generates two public keys and Alice asks him to open one of
them to show that it was generated correctly. Then, using the other unopened key, Bob encrypts
two random strings whose XOR is the witness w, and Alice asks that he opens one set and prove
that it was encrypted correctly. It is not hard to show that the resulting protocol is sound, in that
for x ∈
/ L no cheating strategy can convince Alice with probability much better than 7/8.
This protocol as described is only honest-verifier zero knowledge, since a cheating Alice can
send to Bob (say) the first bit of the encrypted witness, rather than the result of evaluating rx (·).
This can be fixed by using a standard commitment technique, where Bob sends to Alice not the
decrypted bit itself but rather a commitment to that bit. Then Alice reveals her randomness,
demonstrating to Bob that she ran the computation as needed, and only then does Bob open its
commitment.

1.2 Beyond Homomorphic Encryption

Versatile as it is, homomorphic encryption of course does not solve every problem in cryptography.
Some limitations of homomorphic encryption are listed below, and are discussed in more detail in
Section 5.4.
• The output is encrypted. Although we can evaluate arbitrary functions on encrypted data,
the outcome of such computation is itself a ciphertext, and no one can make sense of it
without the secret key. In contrast, obfuscation and functional encryption allow some forms
of encrypted computation in which the output is obtained in the clear; see Section 5.4.3.

• All inputs must be encrypted under the same key. To be able to compute on encrypted data, all
of that data must be encrypted under the same key. Extensions of homomorphic encryption
that can process together encrypted data under multiple keys are discussed in Section 5.4.1.

• No integrity guarantees. While homomorphic encryption enables computing on encrypted

data, it does not offer any way of checking that the computation was indeed carried out as

3
 expected. Typically there is no way to tell if a given ciphertext is indeed the result of running
some computation or just a fresh encryption of the same value. See Section 5.4.2 for more
discussion.

1.3 Abridged History

Techniques that enable non compact fully homomorphic encryption (where the size of the ciphertext
grows with the complexity of the evaluated function) go back to the early 1980s. In particular, as we
explain in Section 2.2.4, such schemes can be constructed using secure computation techniques such
as Yao’s garbled circuits [91]. Also known since the 1980s are compact additively homomorphic or
multiplicatively homomorphic schemes, i.e., compact schemes that support only addition or only
multiplication on encrypted data. Examples of such schemes include Goldwasser–Micali [52] and
ElGamal [33].
Going beyond one-operation homomorphism took longer. Boneh, Goh, and Nissim described
in 2005 a cryptosystem that permitted an arbitrary number of additions and one multiplication,
without growing the ciphertext size [10]. The security of that scheme was based on the hardness
of the subgroup-membership problem in composite-order groups that admit bilinear maps. A
scheme with similar characteristics was described by Gentry et al. under the learning-with-errors
assumption [47]. In 2007, Ishai and Paskin described a compact scheme that can evaluate branching
programs [62], with security under the N -th residuosity assumption [78]. Also Melchor et al.
[70] described a template for constructing encryption schemes that can evaluate shallow circuits,
where the ciphertext size grows exponentially with the multiplication depth but additions are
supported without increasing the size, and realizations of that template are known from various
lattice hardness assumptions [47, 70].

1.3.1 Three Generations of FHE

The first plausible construction of FHE was given by Gentry in 2009 [38]. The development of FHE
since that result can be roughly partitioned into three “generations”. The first generation includes
Gentry’s original scheme using ideal lattices [38], and the somewhat simpler scheme of van Dijk et
al. that uses only integer arithmetic [89]. Both these schemes suffered from a problem of rapidly
growing noise, which affected both efficiency and security (see below). The second generation
began in 2011 with the works of Brakerski-Vaikuntanathan [19] and Brakerski et al. [16], and was
characterized by much better techniques for controlling the noise, resulting in improved efficiency
while at the same time basing security on well-established hardness assumptions. These techniques
were accompanied by methods for improving the plaintext-to-ciphertext expansion ratio, further
improving efficiency. The third generation began with the scheme of Gentry et al. [48], exhibiting
a somewhat different noise development pattern. The third-generation schemes are in general
somewhat less efficient than second-generation ones, but they can be based on somewhat weaker
hardness assumptions. Below we briefly sketch these three generations, and in Sections 3 and 4 we
describe in detail the third-generation GSW scheme from [48].
Gentry’s blueprint. In his celebrated work from 2009 [38], Gentry gave a blueprint for realizing
fully homomorphic encryption and described a concrete realization of this blueprint. Gentry’s
realization employed ideal lattices and assumed the hardness of the “ideal coset problem” in such
lattices. In his PhD thesis [37], Gentry also sketched a simpler construction (due to van Dijk) using
integer arithmetic; that construction was later completed and analyzed by van Dijk, Gentry, Halevi

4
and Vaikuntanathan in [89]. Here we use the van Dijk et al. construction (viewed as a secret-key
encryption scheme) to illustrate the ideas in Gentry’s blueprint.
The secret key of the integer-based scheme is a secret large odd integer p, and ciphertexts are
integers that are close to a multiple of p. An encryption of a bit b ∈ {0, 1} is an integer whose
residue modulo p has the same parity as the plaintext bit b. Namely, c = pq + 2r + b, where the
integers q, r are random and |r|  p. To decrypt such a ciphertext, first reduce it modulo p into
the symmetric interval [−p/2, p/2) and then output the parity of the result, b = (c mod p) mod 2.
Consider what happens when you add or multiply two such ciphertexts. Let ci = qi p + 2ri + bi
for i = 1, 2, and denote c+ = c1 + c2 and c× = c1 · c2 . Then both c+ and c× have similar structure
to the original one, namely

c+ = (q1 + q2 )p + 2(r1 + r2 ) + (b1 + b2 ) = q 0 p + 2r0 + (b1 ⊕ b2 )

and c× = (q1 c2 + c1 q2 )p + 2(b1 r2 + r1 b2 + 2r1 r2 ) + b1 b2 = q 00 p + 2r00 + b1 b2

for some q 0 , q 00 , r0 , r00 (where r0 ≈ r1 + r2 and r00 ≈ 2r1 r2 ). If the initial noise quantities r1 , r2 were
small enough relative to p then the new c+ and c× are still decryptable to the right values. More
generally it is possible to compute low-degree polynomials on ciphertexts, which will be decrypted
to the evaluation of the same polynomials (over Z2 ) applied to the plaintext bits. It was proved
in [89] that this scheme is secure if the approximate-GCD problem is hard (which is essentially
the problem of finding p), and we believe that approximate-GCD is indeed hard for appropriate
parameters.
As described, the scheme above is not compact since the bit size of the ciphertext grows with
the degree of the evaluated polynomial, but van Dijk et al. described in [89] a way of fixing it
by publishing many near multiples of p of various sizes and using modular reduction. A more
severe problem, however, is that the homomorphic capacity of the scheme is limited to low-degree
polynomials (i.e., these are the only functions that it can evaluate). The reason is that the noise
magnitude grows rapidly with the degree, until it becomes larger than p/2 and then decryption
fails. The same noise development problem occurs also in Gentry’s construction from [38], and
indeed in every FHE construction since.
Bootstrapping. Gentry solved the problem of limited homomorphic capacity by introducing
bootstrapping. He observed that any homomorphic scheme which is capable of evaluating its own
decryption circuit (plus a single NAND gate) can be turned into a fully homomorphic scheme.
Specifically, for every two ciphertexts c1 , c2 , consider the function
def
Dc∗1 ,c2 (sk) = N AN D Decrypt(sk, c1 ), Decrypt(sk, c2 ) .

Namely, this function takes as input an alleged secret key, uses it to decrypt the two fixed ciphertexts
c1 , c2 , and outputs the NAND of the two resulting bits. If the homomorphic capacity of the scheme
suffices to evaluate the functions Dc∗1 ,c2 (sk) for every two ciphertexts c1 , c2 , then the scheme is called
bootstrappable, and it can be transformed into an FHE scheme, as follows: Publishing an encryption
of the secret key sk under the public key, we can homomorphically compute the NAND of any two
ciphertexts by evaluating the function Dc∗1 ,c2 on the publicly available encryption of sk.
Importantly, the homomorphic computation is only applied to the fresh encryption of sk; the
ciphertexts c1 , c2 are only used to define the function Dc∗1 ,c2 that we need to evaluate. We have
the guarantees that, as long as c1 , c2 are decryptable then so is the result of the homomorphic

5
NAND, and the process can be repeated as many times as needed. Thus, we obtain a compact
fully homomorphic encryption.
The first generation of FHE schemes. The first generation of FHE constructions included the
schemes from [38, 89] and some variations [86, 41, 27, 40]. The main problem with those schemes
was the very rapid growth of noise, which severely limited their homomorphic capacity. Specifically,
starting from fresh encryptions with noise magnitude ρ, evaluating a degree-d polynomial resulted
in noise magnitude of roughly ρd . Although these schemes feature a shallow N C1 decryption,
still the rapid noise growth prevents them from evaluating their own decryption procedure, and
additional complex transformations (involving ad hoc hardness assumptions) are needed to enable
bootstrapping.
Second-generation FHE. In 2011, a sequence of works by Brakerski et al. [19, 16, 14] devel-
oped new techniques for better noise control. These techniques (some of which we describe in
Section 3.1.4) slowed the growth of noise dramatically, roughly from linear to logarithmic in the de-
gree of the evaluated function. This resulted in “leveled” schemes that can evaluate circuits of any
fixed polynomial depth, as well as in bootstrappable schemes that can be made fully homomorphic.
Moreover, the security of these new schemes could be based on more standard hardness assumptions
such as learning with errors (which we describe in Section 3.1.1). Some other second-generation
schemes (based on the NTRU hardness assumption) were described in [68, 13].
Other techniques were developed for improving the efficiency of homomorphic evaluation, such
as “packing” many plaintext bits in a single ciphertext [87, 17, 44] and various bootstrapping
optimizations [43, 2, 57]. These optimizations resulted in schemes whose asymptotic overhead
(versus computing in the clear) is only poly-logarithmic in the security parameter, and with vastly
improved practical performance [45, 56]. Second-generation schemes and their optimizations are
not covered in detail in this tutorial, but we briefly touch on the optimizations in Section 5.1.
The GSW scheme and third-generation FHE. In 2013, Gentry et al. described in [48] yet
another homomorphic encryption scheme, which has somewhat different flavor than the second-
generation schemes above (and is arguably conceptually simpler). In particular, that scheme had
asymmetric multiplication, in the sense that the homomorphic multiplication c1 ⊗ c2 results in a
different ciphertext than c2 ⊗c1 (both of which encrypt the same product b1 ·b2 ). More importantly,
the noise growth is also asymmetric: the noise in the left multiplicand has greater influence on the
result than the noise in the right multiplicand.
Brakerski and Vaikuntanathan observed in [20] that this asymmetry can be used to obtain
even slower rates of noise growth, by designing circuits in which the left multiplicand always has
small noise. This observation enabled further reduction of parameters and quantitative relaxation
of the underlying hardness assumption. However, this technique is not compatible with some of
the performance optimizations in second-generation schemes, and third-generation schemes have
higher overhead than their second-generation counterparts.
In this tutorial we cover the GSW scheme in detail, starting in Section 3 from the basic leveled
scheme, then showing in Section 4 how to use bootstrapping to turn it into a fully homomorphic
scheme, and how to use the asymmetric noise development to improve parameters and relax the
hardness assumption.

6
1.4 Organization of This Tutorial
In Section 2, we define homomorphic encryption and its properties and discuss the relations between
these properties and connections with secure computation protocols. In Sections 3 and 4, we
describe the GSW construction in detail, and in Section 5, we briefly go over many related topics,
and in Section 6 we suggest further reading.

2 Defining Homomorphic Encryption

2.1 Notations and Basic Definitions
For an integer q ∈ N, we identify the quotient group Zq with its representatives in the symmetric
interval [− 2q , 2q ) (except Z2 which is identified with {0, 1}). For a real number x ∈ R, we denote
by [x]q the reduction of x modulo q into the same symmetric interval. dxc is the rounding of x
to the nearest integer, and bxc , dxe are the floor and ceiling functions. All these notations extend
naturally to vectors and matrices element-wise. The inner product of two vectors ~u, ~v is denoted
h~u, ~v i.
For a random process such as running a probabilistic Turing machine M on input x, we write
M (x) or y ← M (X) to describe a random variable which is drawn from the output space of that
process. We sometimes write y := M (x; r) to separate the randomness used and the deterministic
processing of that randomness. We often use the same notation for a distribution and its support
set, so y ∈ M (x) means that y is a string which is output by M (x) with non zero probability.
Conversely, if S is a set, then x ← S is a random variable uniformly distributed in S. The `1
statistical distance between two distributions D1 , D2 is denoted SD(D1 , D2 ).
We denote the output distribution of a multi step process, or the probability of an event over
that distribution, using the syntax

Distribution = output : Process , or Pr[event : Process].

For example, the distribution of encryptions of zero in some cryptosystem can be written as {c :
(pk, sk) ← KeyGen(1λ ), c ← Encrypt(pk, 0)}, and
 the probability of an adversary outputting 1 on a 
λ
ciphertext from this distribution is denoted Pr A(c) = 1 : (pk, sk) ← KeyGen(1 ), c ← Encrypt(pk, 0) .

2.1.1 Homomorphic Encryption

To define computation on encrypted data, we must fix some model of computation. In this tutorial
we always use binary circuits with fan-in-2 gates to describe the functions that we want to compute
on encrypted data.2 For a binary circuit Π, we denote its size (i.e., number of gates) by size(Π),
its depth by depth(Π) (i.e., longest input-to-output path), and the number of inputs by inpLen(Π).
We briefly discuss homomorphic encryption relative to other models of computation in Section 5.3.
On the other hand, we use somewhat informal terms such as algorithm/procedure (or adversary)
when referring to computations that manipulate ciphertexts and keys. Unless stated otherwise, all
the algorithms/procedures/adversaries below are (uniform) probabilistic polynomial time (PPT).
A homomorphic public-key encryption scheme (for plaintext space M = {0, 1}) has four PPT
procedures: the usual KeyGen, Encrypt, and Decrypt, and also an Evaluate procedure for computing
2
Fixing circuits with binary input also means that we consider bit-encryption schemes, where the plaintext space
is M = {0, 1}.

7
on encrypted data. We slightly extend the standard syntax of key generation, allowing it to depend
not only on the security parameter λ but also on a second “functionality parameter” τ . Throughout
this tutorial, some schemes will make use of that parameter while others will not.

Definition 1 (Syntax). A homomorphic encryption scheme consists of four procedures, E =

(KeyGen, Encrypt, Decrypt, Evaluate):

• (sk, pk) ← KeyGen(1λ , 1τ ). Takes the security parameter λ and another parameter τ and
outputs a secret/public key-pair.3

• c ← Encrypt(pk, b). Given the public key and a plaintext bit, outputs a ciphertext.

• b ← Decrypt(sk, c). Given the secret key and a ciphertext, outputs a plaintext bit.

• ~c0 ← Evaluate(pk, Π, ~c). Takes a public key pk, a circuit Π, a vector of ciphertexts ~c =
hc1 , . . . , ct i, one for every input bit of Π, and outputs another vector of ciphertexts ~c0 , one for
every output bit of Π.

The syntax from Definition 1 is naturally extended to vectors of plaintexts and ciphertexts.
Namely, we write ~c ← Encrypt(pk, ~b), where ~b = (b1 , . . . , bt ) and ~c = (c1 , . . . , ct ), to denote ci ←
Encrypt(pk, bi ) for all i. Similarly, we write ~b ← Decrypt(sk, ~c) to denote bi ← Decrypt(sk, ci ) for
all i.
We sometimes refer to ciphertexts output by Encrypt as “fresh ciphertexts”, and those output
by Evaluate are “evaluated ciphertexts”. The correctness condition below refers to both.

Definition 2 (Correctness). Let E = (KeyGen, Encrypt, Decrypt, Evaluate) be a homomorphic en-

cryption scheme and C = {Cτ }τ ∈N be some circuit family. E is (perfectly) correct for C if it correctly
decrypts both fresh and evaluated ciphertexts. Namely, for all λ, τ ∈ N, the following two conditions
hold:

• For any b ∈ {0, 1},

h i
Pr Decrypt(sk, c) = b : (sk, pk) ← KeyGen(1λ , 1τ ), c ← Encrypt(pk, b) = 1;

• For every Π ∈ Cτ and plaintext bits ~b = (b1 , . . . , bt ) ∈ {0, 1}t , one for every input bit of Π,

(sk, pk) ← KeyGen(1λ , 1τ ),

 
0 ~
Pr Decrypt(sk, ~c ) = Π(b) : = 1.
~c ← Encrypt(pk, ~b), ~c0 ← Evaluate(pk, Π, ~c)

We sometimes refer informally to the largest family C for which E is correct as the homomorphic
capacity of E. Definition 2 can be weakened by allowing a negligible error probability, but it is more
convenient to work with the stronger condition (and the constructions that we describe later can
be made to meet this stronger condition). Some examples of homomorphism relative to interesting
circuit families include the following:
3
We assume that the size of the public and secret keys is set deterministically by λ and τ ; i.e., it does not vary
with the randomness of the key generation procedure.

8
Fully homomorphic encryption. We say that E is fully homomorphic if it is correct for a family
C such that C1 by itself already contains all Boolean circuits. In this case we can ignore the
parameter τ in KeyGen; i.e., we can always run it with τ = 1. (Note that the size of the circuit
does not figure into the security requirement, and Evaluate always runs in time polynomial
in the circuit description, so considering circuits of superpolynomial size in λ does not cause
any problems.)

Leveled/somewhat homomorphic encryption. We say that E is a leveled homomorphic en-

cryption scheme if it is correct for a family C such that, for all τ , Cτ contains all Boolean
circuits of depth up to τ .
More generally, we may refer to a scheme informally as somewhat homomorphic if it is correct
for a family C where the complexity of the circuits in Cτ grows with τ . A common example
that was used in the first-generation schemes starting with Gentry’s original blueprint (e.g.,
[38, 89, 86, 41]) is when Cτ contains circuits computing multivariate polynomials of total
degree up to τ and up to 2τ monomials.

Additively homomorphic encryption. E is additively homomorphic if it is correct for a family

C such that C1 contains all Boolean circuits made up of only XOR gates. Here too we ignore
the parameter τ in KeyGen. One example of additive homomorphism is the Goldwasser–Micali
scheme [52].
A weaker version of additive homomorphism (which is realized by most lattice-based encryp-
tion schemes) does not support unlimited number of addition operations, but only (say) at
most exponential in τ . Namely, E is almost additively homomorphic if it is correct for a family
C where, for all τ , Cτ contains all the sums (mod 2) of up to 2τ variables.

The semantic security of a homomorphic encryption scheme is defined in the usual way [52],
without reference to the Evaluate algorithm; indeed Evaluate is a public algorithm with no se-
crets. Namely, we require that a PPT adversary cannot distinguish between encryptions of 0 and
encryptions of 1, even if it knows the public key. Definition 3 below handles the “functionality
parameter” τ by considering it an adversarial quantity (that the adversary must output in unary
to ensure that it is polynomially bounded).

Definition 3 (Semantic security). Let E = (KeyGen, Encrypt, Decrypt, Evaluate) be a homomorphic

encryption scheme, and let A be an adversary. The advantage of A w.r.t. E is defined as

1τ ← A(1λ ), (sk, pk) ← KeyGen(1λ , 1τ ),

  
E def 
AdvA (λ) = Pr A(pk, c) = 1 :

c ← Encrypt(pk, 1)
1 ← A(1 ), (sk, pk) ← KeyGen(1λ , 1τ ), 
τ λ
 
− Pr A(pk, c) = 1 : .
c ← Encrypt(pk, 0) 
E (λ) is
The scheme E is semantically secure if, for every PPT adversary A, the advantage AdvA
negligible in λ.

In the rest of this tutorial we only consider semantically secure schemes, often without men-
tioning this requirement.

9
 Property Description Defined in Comments
Secret-key variant Same key to Def. 4 Equivalent to public
encrypt, decrypt key variant, Theorem 3
Strong homomorphism Evaluated ctxts Defs. 5,6 Implies strong compactness,
∼
= fresh ctxts function privacy, and multi hop
Compactness Evaluated ctxts Defs. 7,8 Strong & weak variants
are short
Function privacy Evaluated ctxts Def. 9 Implied by secure 2PC,
hide function Theorem 1
Multi hop Can reprocess Def. 12 Orthogonal to compactness
evaluated ctxts and function privacy

Table 1: Properties of homomorphic encryption

2.1.2 Secret-Key Homomorphic Encryption

It is sometimes convenient to consider secret-key variants of the definitions above, especially since
it was shown by Rothblum [83] that these notions are essentially equivalent for homomorphic
encryption (see Theorem 3). The syntax and correctness conditions for secret-key homomorphic
encryption are similar to those in Definitions 1 and 2 except that KeyGen only outputs the secret
key sk rather than the pair (sk, pk), the Encrypt procedure uses sk rather than pk for encryption,
and the Evaluate procedure gets as input only Π and ~c but not pk.
The security definition is also similar, except that, in lieu of the public key, the adversary is
given a sequence of ciphertexts (rather than just one), encrypting bits of one of two sequences of
its choosing, and it needs to guess which of the two sequences was encrypted.

Definition 4 (Semantic security, secret-key encryption). Let E = (KeyGen, Encrypt, Decrypt, Evaluate)
be a secret-key homomorphic encryption scheme, and let A be an adversary. The advantage of A
w.r.t. E is defined as
 " #
~ ~ τ , b~ , b~ ) ← A(1λ ), sk ← KeyGen(1λ , 1τ ),
|b | = |b | & (1

E def 0 1 0 1
SKAdvA (λ) = Pr :

 A(pk, ~c) = 1 ~c ← Encrypt(sk, b~1 )
" #
|b~0 | = |b~1 | & (1τ , b~0 , b~1 ) ← A(1λ ), sk ← KeyGen(1λ , 1τ ), 

− Pr : .
A(pk, ~c) = 1 ~c ← Encrypt(sk, b~0 ) 

E (λ) is
The scheme E is semantically secure if, for every PPT adversary A, the advantage SKAdvA
negligible in λ.

2.2 Properties of Homomorphic Encryption Schemes

By themselves, the correctness and security properties from above are not enough to rule out
uninteresting realizations. Specifically, any secure encryption scheme can be made “homomorphic”
by an Evaluate procedure that simply attaches a description of the circuit Π to the ciphertext
tuple ~c, and a Decrypt procedure that first decrypts all the ciphertexts and then evaluates Π on the
corresponding plaintext bits.

10
 Such uninteresting realizations are ruled out by the additional requirements that we define
below. We begin with the simplest and strongest condition, which we call strong homomorphism,
as well as three weaker (but still useful) conditions, namely compactness, circuit hiding, and multi
hop homomorphism. We also state and prove some lemmas about the relations between these
notions. A summary of the definitions and results in this section is given in Table 1.

2.2.1 Strong Homomorphism

Strong homomorphism requires evaluated ciphertexts to look the same (i.e., have the same distri-
bution) as fresh ciphertexts.

Definition 5 (Strong homomorphism). A scheme E = (KeyGen, Encrypt, Decrypt, Evaluate) is

strongly homomorphic for a circuit family C = {Cτ }τ ∈N if, for all τ ∈ N and every Π ∈ Cτ and
plaintext bits ~b = (b1 , . . . , bt ) ∈ {0, 1}t , one for every input bit of Π, the two distribution ensembles
below are statistically close up to a distance negligible in λ:
def
(pk, ~c, ~c0 ) : (sk, pk) ← KeyGen(1λ , 1τ ),

FreshΠ,~b (λ) =
~c ← Encrypt(pk, ~b), ~c0 ← Encrypt(pk, Π(~b)) ,

def
(pk, ~c, ~c0 ) : (sk, pk) ← KeyGen(1λ , 1τ ),

EvalΠ,~b (λ) =
~c ← Encrypt(pk, ~b), ~c0 ← Evaluate(pk, Π, ~c) .

Definition 5 can be relaxed to require only computational indistinguishability rather than sta-
tistical closeness, but some care must be taken when defining it. Specifically, for some applications
we require that even the party that generated the keys cannot distinguish between these two dis-
tributions, hence we need them to be indistinguishable even given the randomness that was used
by KeyGen.

Definition 6 (Computationally strong homomorphism). A scheme E = (KeyGen, Encrypt, Decrypt,

Evaluate) is computationally strongly homomorphic for a circuit family C = {Cτ }τ ∈N if, for all
τ ∈ N and every Π ∈ Cτ and plaintext bits ~b = (b1 , . . . , bt ) ∈ {0, 1}t , one for every input bit of Π,
the two distribution ensembles below are computationally indistinguishable:
def
Fresh∗Π,~b (λ) (r, ~c, ~c0 ) : r ← $, (sk, pk) := KeyGen(1λ , 1τ ; r),

=
~c ← Encrypt(pk, ~b), ~c0 ← Encrypt(pk, Π(~b)) ,

def
Eval∗Π,~b (λ) (r, ~c, ~c0 ) : r ← $, (sk, pk) := KeyGen(1λ , 1τ ; r),

=
~c ← Encrypt(pk, ~b), ~c0 ← Evaluate(pk, Π, ~c) .

Definitions 5 and 6 can be modified in the obvious way to handle secret-key homomorphic
encryption. Although these definitions are stated relative to a fixed circuit family C, one readily
sees that this dependence (as well as the dependence on τ ) is immaterial: If some Cτ ∗ contains
AND and XOR gates (or any other functionally complete set of gates) then we can extend the
Evaluate procedure to evaluate any circuit, by repeatedly evaluating each gate on the outputs of
the preceding gates. Moreover, the output distribution when evaluating a circuit Π is at most
negl(λ) · size(Π) away from that of fresh encryption of the outputs. A similar statement applies
also in the computational setting, using the fact that these distributions are indistinguishable even
given the secret key (since the correctness condition involved the secret key). Hence we have:

11
Proposition 1. Any encryption scheme which is (computationally) strongly homomorphic relative
to a circuit family C, where some Cτ ∗ contains AND and XOR gates, can be transformed to a
(computationally) strongly fully homomorphic scheme (i.e. strongly homomorphic relative to a
circuit family C 0 with C10 containing all circuits).

Given Proposition 1, we always assume below that any strongly homomorphic scheme is strongly
fully homomorphic, and we suppress the irrelevant parameter τ when describing such schemes.

2.2.2 Compactness
The main deficiency in the uninteresting realization in which Evaluate just appends the description
of Π to the ciphertexts is that we expect the decryption work to be the same whether the decrypted
ciphertext is fresh or evaluated. This is clearly the case if the scheme is strongly homomorphic, but
being strongly homomorphic is often overkill. A weaker notion that captures a lot of the power of
homomorphic computation is compactness, which only requires that the size of the ciphertext does
not grow with the complexity of the evaluated circuit.

Definition 7 (Compactness). A homomorphic encryption scheme E = (KeyGen, Encrypt, Decrypt,

Evaluate) is compact if there exists a fixed polynomial bound B(·) so that, for all λ, τ ∈ N, any
circuit Π with t inputs and a single output, and plaintext bits ~b = (b1 , . . . , bt ) ∈ {0, 1}t , it holds that

(sk, pk) ← KeyGen(1λ , 1τ ),

 
0
Pr |c | ≤ B(λ) : = 1.
~c ← Encrypt(pk, ~b), c0 ← Evaluate(pk, Π, ~c)

We note that the bound B(·) above depends only on λ but not on τ . This means that, even if
we allow some aspects of the scheme (such as the public-key size) to depend on the parameter τ ,
the size of the evaluated ciphertexts must not grow with τ .
In some settings it is useful to consider a weaker condition, where we allow the ciphertext size
to grow with τ so long as it remains smaller then the size of circuits in Cτ . We use log |Cτ | as our
measure of the size of circuits in Cτ , since you need at least as many bits to describe these circuits
(and note that we only count single-output circuits). This yields the following definition:

Definition 8 (Weak compactness). A homomorphic encryption scheme E = (KeyGen, Encrypt,

Decrypt, Evaluate) is weakly compact if there exists a fixed polynomial bound B(·, ·) so that (i) for all
λ, τ ∈ N, any circuit Π with t inputs and a single output, and plaintext bits ~b = (b1 , . . . , bt ) ∈ {0, 1}t ,
it holds that
(sk, pk) ← KeyGen(1λ , 1τ ),
 
0
Pr |c | ≤ B(λ, τ ) : = 1,
~c ← Encrypt(pk, ~b), c0 ← Evaluate(pk, Π, ~c)

and (ii) B(λ, τ ) = poly(λ) · o(log |Cτ |).

2.2.3 Circuit Privacy

Circuit privacy roughly means that the ciphertext generated by Evaluate does not reveal anything
about the circuit that it evaluates, beyond the output value of that circuit, even to the party who
generated the public and secret keys. To define it, we view the operation of Evaluate as a protocol

12
between a client who generates the keys and encrypts its input, and a server who evaluates some
function on that input and returns the result to the client. We then formalize circuit privacy as
the usual input privacy property for the server, namely we require that the client can be simulated
given only the output value that it learns.

Definition 9 (Circuit privacy, semi-honest). A homomorphic encryption scheme E = (KeyGen,

Encrypt, Decrypt, Evaluate), correct for the circuit family C, is circuit private for C, if there exists
an efficient simulator Sim such that, for every τ ∈ N, Π ∈ Cτ , and plaintext bits ~b = (b1 , . . . , bt ) ∈
{0, 1}t , one for every input bit of Π, we have
(c)
RealΠ,~b (λ) ≈ Sim(1λ , 1τ , ~b, Π(~b)), where
def
(r, r0 , ~c0 ) : r, r0 ← $, (sk, pk) := KeyGen(1λ , 1τ ; r),

RealΠ,~b (λ) =
~c := Encrypt(pk, ~b; r0 ), ~c0 ← Evaluate(pk, Π, ~c) .

It is important to note that the simulator Sim is given the output Π(~b) but not the description
of Π itself, and it needs to simulate the view that includes the randomness for both key generation
and encryption, as well as the evaluated ciphertext.
Circuit privacy against malicious adversaries. Definition 9 above applies only to the semi-
honest case in which the client uses the prescribed KeyGen and Encrypt procedures. The more
general case was considered by Ostrovsky et al. [77]. Roughly, they defined circuit privacy against
malicious adversaries by requiring that, for every (pk∗ , c∗ ) (even ones that are not generated hon-
estly), there exists an “implied plaintext” b∗ such that Evaluate(pk∗ , Π, c∗ ) can be simulated knowing
only pk∗ , c∗ , and Π(b∗ ) (but without knowing Π itself).
Building on techniques of Gentry et al. [46] (see Theorem 1 below), they show how to get
a compact scheme which is circuit private against malicious adversary, by combining a compact
scheme which is not circuit private with a circuit private scheme which is not compact.

2.2.4 Circuit Private Homomorphic Encryption Versus Two-Message SFE

As we discussed in the introduction, circuit private homomorphic encryption implies a two-message
(semi-honest) secure function evaluation (SFE) protocol for any function. We now show these two
notions are essentially equivalent. Namely we show how to realize (non compact) circuit private fully
homomorphic encryption from any two-message semi-honest SFE protocol for general functions.
Recall the structure of a two-message SFE protocol for a function F (x, y), where one party (the
client) holds x, the other party (the server) holds y, and the client needs to learn F (x, y).

Definition 10 (Two-message SFE protocol). A two-message two-party SFE protocol for a func-
tion F (·, ·) consists of three procedures, PF = (SFE1F , SFE2F , SFE3F ) as follows:

• The client computes (s, m1 ) ← SFE1F (1λ , x), sending m1 to the server and keeping the state s
to itself;

• The server responds with m2 ← SFE2F (1λ , y, m1 );

• The client recovers the result as z ← SFE3F (s, m2 ).

The (perfect) correctness of the protocol means that we have z = F (x, y) with probability 1.

13
Definition 11 (Semi-honest security). The security of the protocol PF is defined by means of two
simulators, Sim1 and Sim2 , that simulate the view of the two parties. Specifically for all inputs x, y
for F , we have
(c) (c)
Sim1 (1λ ) ≈ SFE1F (1λ , x) and Sim2 (1λ , F (x, y)) ≈ cViewx,y (λ), where
def 
cViewx,y (λ) = (r, m2 ) : r ← $, (s, m1 ) := SFE1F (1λ , x; r), m2 ← SFE2F (1λ , y) .

Intuitively, a two-message SFE protocol can be thought of as the encryption of x via SFE1
followed by evaluation via SFE2 and decryption via SFE3, but is not quite homomorphic encryption
yet. In particular, there is no public key involved, and the same party (the client) is doing both
the encryption and the decryption.4 In contrast, a public key homomorphic encryption should be
thought of as a three-player game: first a recipient publishes a public key, then a sender (client)
encrypts the data ~b under that public key, next an evaluator (server) evaluates a circuit Π on the
encrypted data, and finally the recipient decrypts the result and recovers Π(~b). Another issue is
that, as described above, the client’s SFE1 function handles the entire input x at once, whereas we
need the client processing to be “decomposable” (cf. [61]), i.e., encrypting each bit of x separately.
If the underlying SFE protocol already happened to be decomposable (such as Yao’s garbled
circuit protocol that uses bit-by-bit oblivious transfer), then it is straightforward to turn it into
homomorphic encryption using an auxiliary (standard) public-key encryption scheme. The recipient
chooses a public/secret key pair for the encryption scheme, the sender sends the first SFE message
and in addition also the encryption of the client’s SFE-state s under the public key, and the
evaluator forwards the encrypted state to the recipient together with the second SFE message. The
recipient uses its secret key to decrypt and recover the SFE state s, and then uses the procedure
SFE3 with this state to recover F (x, y).
Since two-message SFE implies both semantically secure encryption (cf. [49]) and two-message
SFE with decomposable client processing (e.g., via Yao’s protocol), we get a non compact circuit
private HE from any two-message protocol for secure evaluation of all functions. A more direct
proof of this implication, using techniques similar to Gentry’s bootstrapping [38], is described in
the next theorem.
Thoerm 1. A circuit private fully homomorphic encryption scheme can be constructed from public-
key encryption and a two-message semi-honest SFE protocol for all circuits.
Proof. Let E = (KeyGen, Encrypt, Decrypt) be a public-key encryption scheme, consider the universal
function U (~b, Π) = Π(~b), and define the related function U 0 (·, ·) as
def
U 0 (sk, (~c, Π)) = U (Decrypt(sk, ~c), Π) (= Π(Decrypt(sk, ~c)).

Let PU 0 = (SFE1U 0 , SFE2U 0 , SFE3U 0 ) be a two-message SFE protocol for U 0 , and use E and PU 0
to construct a fully homomorphic public-key encryption scheme E 0 = (KeyGen0 , Encrypt0 , Decrypt0 ,
Evaluate0 ), as follows:

• KeyGen0 (1λ ) runs the underlying key generation (sk, pk) ← KeyGen(1λ ), and then the first-
message procedure of the SFE protocol (s, m1 ) ← SFE1U 0 (1λ , sk). It outputs (sk0 = s, pk0 =
(pk, m1 )) (where pk is used for encryption and m1 is used for evaluation).
4
We cannot use here the equivalence between public- and secret-key homomorphic encryption from Theorem 3,
since it only applies to compact schemes.

14
 • Encrypt0 (pk0 = (pk, m1 ), b) just uses the Encrypt procedure of the underlying scheme, out-
putting c = Encrypt(pk, b).

• Evaluate0 (pk0 = (pk, m1 ), Π, ~c) runs the second-message procedure of the SFE protocol for U 0 ,
outputting ~c0 ← SFE2U 0 (1λ , m1 , (~c, Π)).

• Decrypt(sk0 = s, ~c0 ) runs the last procedure of the SFE protocol for U 0 , outputting z ←
SFE3U 0 (s, c0 ).

Correctness of E 0 follows from that of E and PU 0 : If ~c = Encrypt(pk, ~b) then by correctness of E we

have ~b = Decrypt(sk, ~c), and by correctness of PU 0 we have z = U 0 (sk, (~c, Π)) = Π(Decrypt(sk, ~c)) =
Π(~b).
Semantic security follows from the semantic security of the underlying E and from client security
of PU 0 . To show that Encrypt(pk, 0) is indistinguishable from Encrypt(pk, 1) even given pk and m1 ,
consider a hybrid experiment in which m1 is generated by the simulator m1 ← Sim1 (1λ ) instead
of being a part of the output of SFE1(1λ , sk). The client security of PU 0 implies that this hybrid
experiment is indistinguishable from the real encryption scheme. But in this hybrid, m1 no longer
depends on the secret key sk, and therefore by semantic security of E we get that Encrypt(pk, 0) is
indistinguishable from Encrypt(pk, 1).
Finally, the circuit privacy of E 0 follows from the server security of PU 0 : The simulator SimE 0 that
we need for circuit privacy is constructed from the client view simulator Sim2 above: SimE 0 (1λ , b, z)
first chooses randomness r, r0 for the key generation and encryption of the underlying encryption
scheme, then sets (sk, pk) := KeyGen(1λ ; r) and ~c := Encrypt(pk, ~b; r0 ). Next it runs Sim2 to get
(r00 , ~c0 ) ← Sim2 (1λ , z). Then SimE 0 outputs (r, r00 ) as the randomness for KeyGen0 , r0 as the random-
ness for Encrypt0 , and ~c0 as the evaluated ciphertext. Indistinguishability between the simulated
and real views follows directly from that of Sim2 .

2.2.5 Multi hop Homomorphic Encryption

In settings where we do not have strong homomorphism, the evaluated ciphertexts produced by
Evaluate may differ from freshly encrypted ones, bringing up the question of whether one can
keep computing on evaluated ciphertexts. An i-hop homomorphic encryption scheme is one where
Evaluate can be called on its own output up to i times (while still being able to decrypt the
result), and a multi hop homomorphic encryption scheme is one which is i-hop for all i. Note that
the number of hops supported by a scheme is somewhat orthogonal to its homomorphic capacity.
For example the Goldwasser–Micali cryptosystem is only additively homomorphic but is multi
hop, while the scheme constructed from a two-message SFE protocol in Theorem 1 above is fully
homomorphic but supports only a single hop. Also it is clear that strong homomorphism implies
multi hop homomorphism. Gentry et al. studied multi hop homomorphism in [46]. They extended
the notion of circuit privacy to the multi hop case and described how it can be realized (with or
without compactness); their definitions and results are summarized below:
Let E = (KeyGen, Encrypt, Decrypt, Evaluate) be a homomorphic encryption scheme. The syntax
of Evaluate is extended in the natural way to a sequence of circuits: An ordered sequence of circuits
→
−
Π = (Π1 , . . . , Πt ) is compatible if the output length of Πj is the same as the input length of Πj+1
for all j. The composed function Πt (· · · Π2 (Π1 (·)) · · · ) is denoted (Πt ◦ · · · ◦ Π1 ). The extended

15
 →
−
procedure Evaluate∗ takes as input the public key, a compatible sequence Π = (Π1 , . . . , Πt ), and
ciphertexts ~c0 . For i = 1, 2, . . . , t it sets ~ci ← Evaluate(pk, Πi , ~ci−1 ), outputting the last ~ct .
Definition 12 (Multi hop homomorphic encryption). For a circuit family C and i ∈ N, we say that
→
−
E is i-hop homomorphic for C if, for all λ, τ ∈ N and every compatible sequence Π = (Π1 , . . . , Πt )
with t ≤ i functions such that Π̃ = Πt ◦ · · · ◦ Π1 ∈ Cτ , we have
" #
(sk, pk) ← KeyGen(1 λ , 1τ ),
0
Pr Decrypt(sk, ~c ) = Π̃(~b) : →
− = 1.
~c ← Encrypt(pk, ~b), ~c0 ← Evaluate∗ (pk, Π , ~c)

We say that E is a multi hop homomorphic encryption scheme if it is i-hop for all i ∈ N.
Thoerm 2 (Multi hop homomorphism [46]). • If a 1-hop circuit private, fully homomorphic
encryption scheme exists, then for any constant i there exists an i-hop circuit private, fully
homomorphic encryption scheme.

• If both 1-hop circuit private fully homomorphic encryption scheme and 1-hop compact fully
homomorphic encryption scheme exist, then there exists a multi hop circuit private, compact,
fully homomorphic encryption scheme.

• Under the decision Diffie–Hellman assumption, there exists a (non compact) multi hop circuit-
private fully homomorphic encryption scheme.

In the rest of this tutorial we only consider multi hop schemes.

2.2.6 From Secret-Key to Public-Key Homomorphic Encryption

One demonstration of the power of compact homomorphic encryption is a result of Rothblum [83]
showing that it enables a transformation from secret-key to public-key encryption. As a warm-up,
we demonstrate this result for strongly homomorphic encryption. Let E = (KeyGen, Encrypt, Decrypt,
Evaluate) be a secret-key scheme which is strongly fully homomorphic. We transform E to a public-
key strongly fully homomorphic scheme E 0 = (KeyGen0 , Encrypt0 , Decrypt, Evaluate) with the same
Decrypt and Evaluate procedures, but modified KeyGen0 and Encrypt0 :
• KeyGen0 (1λ ) first runs the underlying KeyGen to get sk ← KeyGen(1λ ). Then it runs the
underlying encryption to encrypt 0 and 1, getting c0 ← Encrypt(sk, 0) and c1 ← Encrypt(sk, 1).
It outputs (sk, pk = (c0 , c1 )).

• Encrypt0 (pk = (c0 , c1 ), b) uses the Evaluate procedure for the underlying scheme. Specifically
let Πid be a circuit computing the identity function, then it outputs c ← Evaluate(Πid , cb ).
The strong homomorphism condition implies that the output of Encrypt0 is statistically close to
(resp. computationally indistinguishable from) Encrypt(sk, b), even conditioned on the public key
(resp. the secret key). Hence the modified scheme maintains the semantic security and strong
homomorphism of the underlying scheme, and we have:
Proposition 2. Any secret-key strongly homomorphic encryption scheme can be transformed to a
public-key strongly homomorphic scheme.

16
 When the secret-key scheme that we are given is not strongly homomorphic, the transformation
above may fail to provide semantic security. Rothblum observed in [83] that semantic security can
be obtained by capitalizing on the fact that a compact homomorphic encryption scheme must lose
some information in the course of homomorphic evaluation, since the evaluation output is short.
Using this loss of information to provide security is done by means of (a special case of) the leftover
hash lemma [58], which is stated below.
Lemma 3 (Linear-hashing extractor). Fix some n, q, m ∈ N, and for every matrix A ∈ Zn×m
q
def
consider the multiply-by-A function hA (~s) = [A × ~s]q .
Then for every subset S ⊆ Zm q and every linear subspace L ⊆ Znq , the distribution {(A, hA (~s)) :
p
m
A ← L , ~s ← S} is statistically close up to |L| · 2/|S| to the uniform distribution over Lm+1 .

The special case q = 2, n = 1, and L = Z2 is summarized in the following corollary:

Corollary 4. For m ∈ N and a bit-string r ∈ {0, 1}m , denote the inner-product-with-r function by
def m
p subset S ⊆ {0, 1} , the distribution {(r, hr (s))
hr (s) = [hr, si]2 . Then for every : r ← {0, 1}m , s ←
S} is statistically close up to 8/|S| to the uniform distribution over {0, 1} m+1 .

We are now ready to describe the transformation from private-key to a public-key encryption.
Thoerm 3 (Secret-key to public-key[83]). Any compact, multi hop, secret-key fully homomorphic
scheme can be transformed into a compact, multi hop, public-key fully homomorphic scheme.
Proof. Let E = (KeyGen, Encrypt, Decrypt, Evaluate) be a compact, multi hop, secret-key fully homo-
morphic scheme, and let B(λ) be a bound on the size of evaluated circuits under E. We transform
E to a public-key scheme E 0 = (KeyGen0 , Encrypt0 , Decrypt, Evaluate) with the same Decrypt and
Evaluate procedures, but modified KeyGen0 and Encrypt0 :
• KeyGen0 (1λ , 1τ ) first runs the underlying KeyGen to get sk ← KeyGen(1λ , 1τ ). Letting m =
2(B(λ) + λ), it next chooses a random string r ← {0, 1}m and for each bit ri in r it computes
ci ← Encrypt(sk, ri ) and denotes ~c∗ = (c1 , . . . , cm ).
Finally it outputs the secret key sk and the public key pk = (r, ~c∗ ).

• Encrypt0 (pk = (r, ~c∗ ), b) chooses at random s ← {0, 1}m subject to the condition hr, si = b
(mod 2). Denoting by Πs an m-input circuit made of XOR gates that computes the function
hs (·), it outputs the ciphertext c ← Evaluate(Πs , ~c∗ ).
Correctness follows from that of the underlying scheme: Since ~c∗ = Encrypt(sk, r) then for freshly
encrypted ciphertexts we have Decrypt(sk, c) = Πs (r) = hs (r) = b. Similarly for evaluated cipher-
texts, for ~c = Encrypt0 (pk, ~b) = Evaluate(Π~s , ~c∗ ), where each input bit bi in ~b is encrypted using
some si such that circuitsi (r) = bi . Then for any Π0 such that Π0 ◦ Π~s ∈ Cτ , we have

Evaluate(Π0 , ~c) = Evaluate∗ (Π0 ◦ Π~s , ~c∗ ) = Π0 (Π~s (r)) = Π0 (~b).

To prove semantic security, consider a hybrid experiment in which the ciphertexts ~c∗ in the
public key are generated not as encryption of r but rather encryption of 0, ~c∗ ← Encrypt(sk, 0). By

17
semantic security of the underlying scheme E, no adversary can distinguish between the public key
in the real scheme and that in the hybrid experiment, except with negligible probability. It remains
to show that, in this hybrid game, the ciphertext is nearly independent of the encrypted bit.
Note that, with this setting for ~c∗ , the evaluated ciphertext c ← Evaluate(Πs , ~c∗ ) is independent
of the random string r, and it carries at most B = B(λ) bits of information about s (since it is only
B-bits long). It is therefore sufficient to show that, given r ∈ {0, 1}m and B bits of information
about s, one can have at most a negligible advantage in guessing the inner product b = r,~s (mod 2).
def
We denote E~c∗ (s) = Evaluate(Πs (~c∗ )), and for any B-bit ciphertext c consider the pre image
def 
E~c−1 s ∈ {0, 1}m : E~c∗ (s) = c . By Corollary 4, for any fixed c, the conditional distribution

∗ (c) =
q 
def
D~c∗ ,c = {(r, hr, si)|E~c∗ (s) = c} is statistically close up to 8/E~c−1

∗ (c) to the uniform distribution

over {0, 1}m+1 . Hence for every adversary algorithm A, we have

Pr [A(r, E~c∗ (s)) = hr, si : r, s ← {0, 1}m ]

X
Pr[E~c∗ (s) = c : s ← {0, 1}m ] · Pr A(r, c) = hr, si : r ← {0, 1}m , s ← E~c−1
 
= ∗ (c)

c∈{0,1}B
 −1   
X E ∗ (c) q 
~c m −1

≤ · Pr [A(r, c) = b : r ← {0, 1} , b ← {0, 1}] + 8/E~c∗ (c)
2m | {z }
c∈{0,1}B =1/2
√
q 
8E~c−1

1 ∗ (c) 1 2B · 8 · 2m 1 1
X 
= + < + < + 3 · 2B−m/2 = + 3 · 2−λ .
2 2m 2 2m 2 2
c∈{0,1}B

Remark 1. For the transformation above, the secret-key scheme E need not be fully homomorphic
(nor multi hop); for example, it is sufficient for it to be additively homomorphic since the circuits
Πs are all linear. The result E 0 would still be a public-key encryption scheme, but it may not be
homomorphic since the new encryption procedure used up some of the homomorphic capacity of E.
Specifically, if the secret-key scheme E is i-hop homomorphic relative to some circuit family C, then
E 0 is (i − 1)-hop homomorphic relative to the family C 0 = {Π0 : (Π0 ◦ Π~s ) ∈ C ∀~s}.
This transformation applies also to weakly compact schemes; all we need is for the size of
evaluated inner-product ciphertexts to grow slower than the dimension of the vectors used for the
inner product.

3 Realizing Leveled Homomorphic Encryption

In this section, we show how to implement leveled homomorphic encryption, i.e., where the complex-
ity of the encryption scheme grows with the depth of the circuits that it can evaluate. Specifically
below we describe the GSW construction due to Gentry, Sahai, and Waters [48] in its most basic
form, getting a leveled homomorphic encryption, with semantic security under the (sub exponential)
decision-LWE assumption. Later in Section 4, we show how to use Gentry’s bootstrapping tech-
nique to get fully homomorphic encryption (under the additional assumption of circular security),
and also quantitatively improve the hardness assumption to quasipolynomial (or even polynomial)
decision-LWE.

18
3.1 Tools
We begin by describing the basic tools that underlie the construction. We describe the learning-
with-errors problem, and a flattening gadget and some other useful tricks for reducing the norm of
vectors.

3.1.1 Learning with Errors (LWE)

The learning-with-errors (LWE) problem, first formulated and studied by Regev [81], underlies
much of lattice-based cryptography. At a very high level, this average-case computational problem
considers noisy modular linear equations, and the hardness assumption states that it is hard to
solve such systems (or even decide if a solution exists).
The LWE problem is parametrized by integers q, n, m and a distribution χ over Zq . The
parameter n is related to the security parameter, and we consider a modulus q which is at least

polynomially larger than n (or even as large as q = 2n ) and m = Θ(n log q). The distribution χ is
concentrated on “small integers”, namely we assume Pr[x ← χ : |x| > αq] < negl(n) for some small
α  1 (to be determined later).5 The LWE distribution with these parameters is defined as
def 
LW E[n, m, q, χ] = (A, ~b) : A ← Zn×m , ~s ← Znq , ~η ← χm , ~b := [~sA + ~η ]q .

q

:= × A +
~b ~s ~η
In words, we choose a uniformly random n-by-m matrix A and a row n-vector ~s over Zq , and
an m-vector ~η whose entries are drawn from χ, and compute ~b := [~sA + ~η ]q . The vector ~s is called
the secret and ~η is called the noise (or the error).
Remark 2. Applebaum et al. proved in [4] that a variant in which ~s is drawn from χn (rather than
being uniformly random) is equally hard. Hence we formalize the hardness assumption below using
a uniform secret ~s, but we can use it with a small secret when needed. For most of this tutorial we
get by with a uniform ~s, but on occasion also consider variants that need the secret to be small.
Since m is significantly larger than n, the row-span of A is a rather low-dimension random
linear subspace of Zm q . It follows that with high probability, the row span of A has large minimum
distance (in l∞ norm), roughly q 1−n/m . Hence for α  q −n/m , it holds with high probability
(over A) that there is a unique point in the row span of A within distance αq of ~b (call that point
~b0 ), and the secret ~s is the unique solution to ~sA = b~0 (mod q).
The argument above shows that with high probability the secret ~s is uniquely defined, but
computing it from A and ~b seems to be hard. Indeed, Regev described in [81] a worst-case to
average-case quantum reduction from approximating the shortest-vector search problem in an ar-
bitrary dimension-n lattice to solving a random instance of LWE, where the approximation factor
is essentially n/α. Follow-up work [79, 18] described classical reductions of some other worst-case
problems to LWE with similar dependence on α. These reductions provide ample evidence of the
hardness of the search problem of computing ~s from A and ~b. Moreover, for many parameter
regimes, the search problem of computing ~s can be further reduced to the problem of distinguish-
ing the pair (A, ~b) from uniform [8, 81, 71]. It is the hardness of this decision problem which is
most convenient for use in cryptography.
5
Often χ is taken to be a discrete Gaussian distribution with parameter α0 ≈ α [72].

19
 We often think of the pair (A, ~b) as an (n + 1)-by-m matrix with ~b being the last row. Denoting
this matrix by A0 , it satisfies the equation (~s, −1) × A0 = ~η (mod q) with ~η having low norm, yet
our hardness assumption says that A0 is pseudorandom in Z(n+1)×m . Thinking of n0 = n + 1 as the
security parameter, we can therefore state our hardness assumption as follows:

Definition 13 (Decision-LWE). For parameters n, m, q, α (that depend on the security parame-

ter λ), the decision-LWE hardness assumption (DLWE[n, m, q, α]) states that there exists an effi-
ciently sampleable ensemble {ψλ }λ over pairs (~s ∈ Znq , A ∈ Zn×m
q ), for which the following condi-
tions hold:

• The induced distribution ensemble over A is pseudorandom over Zn×m

q .
def
• The l∞ -norm of ~η = [~sA]q ∈ Zm
q is bounded by αq with overwhelming probability, and
sn = −1.

(Note that above we use the notations n, ~s, A rather than n0 , ~s0 , A0 from before; this will be
more convenient in the sequel.)

Remark 3. The DLWE assumption becomes stronger as α gets smaller. We have strong evidence
that it holds for any polynomial fraction α(n) = 1/poly(n), and distinguishing A from random

seems hard also for quasipolynomial or even nearly exponential fractions such as 2−n . On the
other hand, for an exponentially small fraction, α = 2−O(n) , lattice-reduction tools allow us to find
the secret ~s in polynomial time (so in particular we can distinguish A from random).
Also we clearly need αq ≥ 1 (else the only integer vector satisfying k~η k∞ ≤ αq is the all-zero
vector), and there are attacks due to Arora and Ge [5] that apply when αq = O(1). Below we always
use settings where αq = n (which is nearly the smallest possible). Hence in our setting the DLWE
hardness assumption becomes stronger as q increases, and for q = 2Ω(n) we know that it no longer

holds. In this section we will need to assume that DLWE holds for q = 2n , but later in the text we
can relax this to q = 2polylog(n) and even q = poly(n).
Finally note that the assumption becomes stronger as m increases, but all evidence points to
this assumption holding for every polynomial m = m(n). Below we will use m ≈ 2n log q.

3.1.2 Public-Key Encryption from LWE

Regev described in [81] a simple public-key encryption whose security is based on the DLWE
assumption. That construction, which is naturally additively homomorphic, plays an important
role in many homomorphic encryption schemes, including the GSW scheme that we describe later
in this section.
The salient features of the Regev encryption scheme is that the secret key is a vector ~s ∈ Znq
with sn = −1, and an encryption of a bit b is a vector ~u ∈ Znq such that h~s, ~ui = b · bq/2c + δ
(mod q) where δ is a small noise. Clearly adding/subtracting two ciphertexts yields an encryption
of the XOR of the two encrypted bits, with noise which is the sum of the two noise elements for
the individual ciphertext. It is easy to see how to construct a secret-key encryption scheme with
ciphertexts as above, and since that scheme is additively homomorphic then one can use Theorem 3
to turn it into a public-key scheme. A more direct way of getting a public-key scheme is described
below. Security of this scheme is reduced to the DLWE assumption; the proof is nearly identical
to Lemma 7 later in this section.

20
Key generation: KeyGen(1λ ). given the parameters n, m, q and the distribution ψn for the DLWE
assumption, draw a pair (~s, A) ← ψn , outputting the secret key ~s ∈ Znq and public key A ∈ Zn×m
q .
Encryption: Encrypt(A, b). For a public key A ∈ Zn×m q and plaintext bit b ∈ {0, 1}, choose a
uniform {0, 1} vector ~r ← {0, 1}m and output the ciphertext vector ~u := [b · bq/2c · (0, . . . , 0, −1) +
A × ~r]q ∈ Znq .
Observe that indeed h~s, ~ui = [b · bq/2c + ~sA~r = b · bq/2c + h~η , ~ri, and | h~η , ~ri | is small as needed.
Decryption: Decrypt(s̃, ũ). Compute z := [h~s, ~ui]q , outputting 0 if |z| < q/4 and 1 otherwise.

3.1.3 The Flattening Gadget

A very useful technical tool in many lattice-based cryptosystems (including GSW encryption) is a
“flattening gadget” that allows one to take a high-norm vector and represent it by a low-norm vector
of higher dimension, while maintaining some linear-algebraic properties. We want a “representation
function” f : Zq → Z`q (for some not-too-large `) with the properties:

• For any z ∈ Zq , the l∞ -norm of f (z) is much smaller than q; and

• Recovering z from f (z) is a linear operation. That is, there exists a “gadget vector” ~g ∈ Z`q
such that for every z ∈ Zq we have h~g , f (z)i = z (mod q).

Note that the function f itself need not be linear, but its inverse is linear. A simple function
with these properties is obtained by breaking z into its binary representation: Let ` = dlog qe and
f (z) = (z0 , z1 , . . . , z`−1 ) be the vector of bits in the binary (2’s-complement) representation of z ∈
[−q/2, q/2), with z0 the least-significant bit and z`−1 ∈ {0, −1} representing P the imost-significant
bit. Then kf (z)k∞ ≤ 1 and setting ~g = (1, 2, . . . , 2`−1 ) we have h~g , f (z)i = `−1
i=1 2 zi = z.
To stress the fact that our representation function is an inverse of a linear function, we denote
it below by g −1 (·). Note again that ~g is a vector (representing a linear function), but g −1 is a non
linear function.
The same representation extends naturally to vectors and matrices. For an n-vector ~z =
def
(z1 , . . . , zn ) ∈ Zn , we let G−1 (~z) be the concatenation of all the vectors g −1 (zi ), namely G−1 (~z) =
(g −1 (z1 )|g −1 (z2 )| . . . |g −1 (zn )) ∈ Zn` z and G−1 (~z) as column vectors and consider
q . If we think of ~
the “gadget matrix”

1 2 . . . 2`−1
 

def
 1 2 . . . 2`−1 
G =  ∈ Zqn×n` ,
 
 ..
 . 
1 2 ... 2 `−1

then for any vector ~z ∈ Znq we have kG−1 (~z)k∞ ≤ 1 and G × G−1 (~z) = ~z. Similarly for an n × m
matrix A = (~a1 | . . . |~am ) with columns ~ai ∈ Znq , we let

def
G−1 (A) = G−1 (~a1 )| . . . |G−1 (~am ) ∈ Zqn`×m .

Then for any matrix A ∈ Zn×m

q we have kG−1 (A)k∞ ≤ 1 and G × G−1 (A) = A.

21
3.1.4 Modulus and Key Switching
Below we describe the two tricks of modulus switching and key switching, due to Brakerski et al.
[19, 17], which can be used in some cases to reduce the size of the modulus and the dimension of the
LWE secret vectors. These tricks are not strictly needed to obtain fully homomorphic encryption,
but they can be used to improve its parameters and efficiency and to quantitatively weaken the
hardness assumptions that are needed for its security.
Modulus switching. Modulus switching lets one convert approximate linear relations modulo
one integer into relations modulo another.

Lemma 5. Fix the dimension n ∈ N and moduli p, q ∈ N, and let ~s, ~u ∈ Znq , such that their mod-q
inner product is bounded away from q/4, specifically [h~s, ~ui]q = b · bq/2c + δ where |δ| < q( 41 − k~2p
sk1
).
k~sk1
Let ~u0 = d~u · p/qc, then [h~s, ~u0 i]p = b · bp/2c + δ 0 where |δ 0 | ≤ pq |δ| + 2 < p/4.

Proof. Let ~ denote the rounding error in the computation of ~u0 , i.e., ~u0 = p/q · ~u + ~, note that
k~k∞ ≤ 1/2. Since over the integers we have the equality h~s, ~ui = b · bq/2c + δ + kq for some k ∈ N,
then we get

0 p
~s, ~u = (p/q) h~s, ~ui + h~s,~i = b · bp/2c + δ + h~s,~i +kp,
q
| {z }
=δ 0
k~sk1
with |δ 0 | < pq |δ| + 2 < q/4, as needed.

We can use this lemma in settings where we have a low-norm secret LWE vector ~s (such as when
it is drawn from the error distribution χ, as described by Applebaum et al. [4]). In this situation
we can switch from a mod-q vector ~u to a mod-p vector ~u0 for p  q, with only a small penalty
in terms of increased added noise. As p  q, then mod-p arithmetic has smaller complexity than
mod-q arithmetic.
Key switching. Key switching let us publish a public pseudorandom gadget for converting ap-
proximate linear relations relative to a secret vector ~t into relations relative to another vector ~s.
Specifically, fix the DLWE parameters n, m, q, α, where m = n0 dlog qe for some n0 . Let (~s, A) ←
ψ be drawn according to the distribution from Definition 13, so A ∈ Zqn×m is pseudorandom,
sn = −1, and ~η = [~sA]q has low norm k~η k∞ < αq.
0
Fix any vector ~t ∈ Znq and let A~0s:~t ∈ Zqn×m be the matrix obtained by subtracting ~tG modulo q
0
from the last row of A, where G ∈ Znq ×m is the matrix from the flattening gadget above. (Recall
that m = n0 dlog qe, as needed for this gadget.) Clearly, since A is pseudorandom then so is A~0s:~t
for any fixed ~t independent of ~s. Also since sn = −1 then

~sA~s0 :~t = ~sA + ~tG = ~tG + ~η (mod q).

The use of the key-switching gadget A~0s:~t is summarized in the following lemma:
0
Lemma 6. Fix the parameters n0 , n, m, q ∈ N as above, and let ~s ∈ Znq , ~t ∈ Znq , and A~0s:~t ∈ Zn×m
q
such that ~sA~0s:~t = ~tG + ~η (mod q).

22
 0
Let ~u0 ∈ Znq be a vector whose mod-q inner product with ~t is bounded away from q/4, specifically
[ ~t, ~u ]q = b · bq/2c + δ 0 where |δ 0 | < q/4 − k~η k1 . Computing ~u := [A~0s:~t × G−1 (~u0 )]q , we have

0

[h~s, ~ui]p = b · bq/2c + δ,

where |δ| ≤ |δ 0 | + k~η k1 < p/4.

Proof.

h~s, ~ui = ~s × A~0s:~t × G−1 (~u0 ) = (~tG + ~η ) × G−1 (~u0 ) = ~tG × G−1 (~u0 ) + ~η , G−1 (~u0 )



= ~t, ~u0 + ~η , G−1 (~u0 ) = b · bq/2c + δ 0 + ~η , G−1 (~u0 ) ,




| {z }
=δ

and since G−1 (~u0 ) is a dimension-m 0/1 vector then | ~η , G−1 (~u0 ) | < k~η k1 , hence |δ| ≤ |δ 0 |+k~η k1 <



p/4.

One use of Lemma 6 is to reduce the dimension of an LWE secret from n0 to n < n0 , which we
can do as long as n is large enough so that the DLW E[n, m, q, α] hardness assumption still holds.
As with modulus-switching, this can be used to get lower-complexity arithmetic operations.

3.2 The GSW Encryption Scheme

3.2.1 First Try
The high-level intuition for the GSW scheme [48] comes from the concepts of eigenvectors and
eigenvalues in linear algebra. Let F be some field and let C ∈ Fn×n be a square matrix over F.
Recall that ~s ∈ Fn is a (left-) eigenvector of C with corresponding eigenvalue u ∈ F if we have
~s × C = ~s · u (with operations in F). It is easy to see that, if C1 , C2 are two n-by-n matrices that
share the same eigenvector ~s with corresponding eigenvalues u1 , u2 , then

~s × (C1 ± C2 ) = ~s · (u1 ± u2 ) and ~s × (C1 × C2 ) = ~s · (u1 · u2 ).

In words, the scalar u1 ± u2 is the eigenvalue of C1 ± C2 corresponding to the eigenvector ~s, and
similarly u1 · u2 is the eigenvalue of C1 × C2 corresponding to ~s.
It is therefore tempting to construct a cryptosystem where ~s is the secret key and an encryption
of a value u is a matrix that has ~s as an eigenvector with u the corresponding eigenvalue. Then
we could use matrix addition and multiplication to implement homomorphic addition and multi-
plication over F, getting a fully homomorphic scheme. The problem, of course, is that this scheme
is insecure: Given the ciphertext matrix C it is easy to compute the eigenvectors of C, and one of
these eigenvectors is the secret key.

3.2.2 Second Try

Attempting to improve security, we may try adding some noise, making ~s an approximate rather
than an exact eigenvector of the ciphertext matrices, and relying on the hardness of LWE to get
security. Specifically, we would like to work over Zq and maintain the invariant that a plaintext
scalar u is encrypted relative to a secret key ~s by a matrix C such that ~s × C ≈ ~s · u = ~s × C + ~η

23
 for a small noise vector ~η . We note that adding noise over the real field would have very little
effect, since the algorithm for computing eigenvectors over the reals is very geometric in spirit, and
is robust to inaccuracies or noise. On the other hand, computing eigenvectors over discrete fields is
done using Gaussian elimination, which is algebraic and very brittle in the presence of small noise.
Adding some noise may help security, but does it hurt the homomorphic operations? At least
for addition things still seem to work: If we have ~s × Ci = ~s · ui + ~ηi for i = 1, 2 then also
~s × (C1 ± C2 ) = ~s · (u1 ± u2 ) + (~η1 ± ~η2 ) so ~s is still an approximate eigenvector of the matrix
(C1 ± C2 ), corresponding to the eigenvalue (u1 ± u2 ) with the (still small) noise vector (~η1 ± ~η2 ).
For multiplication, however, we have

~s × (C1 × C2 ) = (~s · u1 + ~η1 ) × C2 = ~s × C2 · u1 + ~η1 × C2

= (~s · u2 + ~η2 ) · u1 + ~η1 × C2
= ~s · u1 u2 + (u1 · ~η2 + ~η1 × C2 ) (mod q). (1)

We would like to think of ~s as an approximate eigenvector of C1 ×C2 corresponding to the eigenvalue

(u1 ·u2 ) with noise vector ~η ∗ = (u1 ·~η2 +~η1 ×C2 ), but ~η ∗ may not be small anymore: If the ciphertext
matrix C2 has large entries, then so would the vector ~η ∗ , no matter how small ~η1 is. Similarly, if
the plaintext scalar u1 is large then u1 · ~η2 will be large.

3.2.3 Final Try

To recover functionality, we want to ensure that both the plaintext scalars and ciphertext matrices
are kept small. Keeping the plaintext small can be done by encrypting only 0’s and 1’s and using
only NAND gates, which are implemented over Zq as N AN D(x, y) = 1 − xy.
To ensure that the ciphertext matrices have small entries we use the flattening gadget from
Section 3.1.3. Recalling the form of the noise from Equation (1), we would like to use the low-norm
G−1 (C2 ) instead of C2 itself in the multiplication procedure. Namely, we want the homomor-
phic multiplication procedure to be C1 × G−1 (C2 ). To make the dimensions match, we need the
ciphertext matrices C to be n-by-N matrices with N = n` (recall that ` = dlog qe).
To maintain correctness we need to introduce the gadget G into the invariant that we maintain:
A plaintext scalar u is now encrypted relative to a secret key ~s by a matrix C such that ~s ×C ≈ ~s0 ·u,
where ~s0 = ~s ×G. With this modification, let Ci ∈ Zn×N q (for i = 1, 2) be two matrices that encrypt
two bits bi ∈ {0, 1} relative to the secret key ~s, i.e., ~s × Ci = bi · (~s × G) + ~ηi for small noise vectors
~ηi . Then we have

~s × (C1 × G−1 (C2 )) = (b1 · ~s × G + ~η1 ) × G−1 (C2 )

= b1 · ~s × G × G−1 (C2 ) + ~η1 × G−1 (C2 )
= b1 · ~s × C2 + ~η1 × G−1 (C2 ) = b1 (b2 · ~s × G + ~η2 ) + ~η1 × G−1 (C2 )
= b1 b2 · (~s × G) + (b1 · ~η2 + ~η1 × G−1 (C2 )) (mod q)

Let us define the homomorphic NAND operation as

def
homNAND(C1 , C2 ) = [G − (C1 × G−1 (C2 ))]q , (2)

24
so we get

~s × homNAND(C1 , C2 ) = ~s × G − ~s × C1 × G−1 (C2 ) (3)

−1
= (1 − b1 b2 ) ·(~s × G) − (b1 · ~η2 + ~η1 × G (C2 )) (mod q).
| {z } | {z }
N AN D(b1 ,b2 ) ~0
η

As b1 ∈ {0, 1} and G−1 (C2 ) ∈ {−1, 0, 1}N ×N , the l∞ norm of ~η 0 is bounded by

k~η 0 k∞ ≤ k~η2 k∞ + N · k~η1 k∞ ≤ (N + 1) · max k~η1 k, k~η2 k .



Consider now a depth-d circuit made of NAND gates, and assume that the inputs to the circuit
are encrypted with noise vectors with norm below some bound B (below we use B = n · m). Then
the noise vectors at level i of the circuit have norm bounded by B · (N + 1)i , and in particular the
output has noise bounded by B · (N + 1)d .

3.2.4 The GSW Leveled Scheme

We are now ready to describe the complete construction. We already established that the secret
key is a vector ~s ∈ Znq and ciphertexts are matrices C ∈ Zn×Nq , and that we maintain the invariant
that an encryption of a bit b ∈ {0, 1} at level i of the circuit satisfies ~s × C = b · (~s × G) + ~η where
k~η k∞ ≤ n · m · (N + 1)i . It remains to explain how to encrypt and decrypt, set the parameters, and
argue security.
KeyGen(1λ , 1τ ). We first select the DLWE parameters n, m, q, ψn (with αq = n) so as to enable
homomorphic evaluation of circuits of depth up to τ . This is described later in this section. Denoting
N = n · dlog qe, we remark that the parameters are chosen so that n · m · (N + 1)τ +1 < q/4.
The KeyGen procedure draws a pair (~s, A) ← ψn , outputting the secret key ~s ∈ Znq and public
key A ∈ Zn×m
q , after ensuring that ~s 6= 0 and that the l∞ -norm of ~η = [~sA]q is bounded by n (else
it draws another pair).
Encrypt(A, b). For a public key A ∈ Zn×m
q and plaintext bit b ∈ {0, 1}, the Encrypt procedure chooses
a uniform {0, 1} matrix R ← {0, 1} m×N and outputs the ciphertext matrix C := [b · G + A × R]q ∈
Zn×N
q .
We observe that ~sC = b · ~sG + ~sAR = b · ~sG + ~η R, and k~η Rk∞ ≤ n · m, so C satisfies our
invariant for fresh ciphertexts.
→
−
Evaluate(Π, C). For a circuit of NAND gates of depth up to τ , go over the circuit in topological
order from inputs to outputs; for every gate with inputs encrypted by C1 , C2 , compute the output
encryption as Cout := G − C1 × G−1 (C2 ).
By the analysis from above, a ciphertext C at level i of the circuit satisfies ~sC = b · ~sG + ~η ,
where b is the plaintext bit on the corresponding wire and k~η k∞ ≤ n · m · (N + 1)i .
~ = − bq/2c · (0, . . . , 0, 1) ∈ Znq be a scaled version of the n-th unit vector, and
Decrypt(s̃, C). Let w
~ = bq/2c (since sn = −1). The Decrypt procedure computes z := [~s × C × G−1 (w)]
note that h~s, wi ~ q,
outputting 0 if |z| < q/4 and 1 otherwise.
Correctness. To see that correctness holds, consider a ciphertext C at a level τ or below, so we
have ~sC = b · ~sG + ~η with k~η k∞ ≤ n · m · (N + 1)τ . Hence

z = ~s × C × G−1 (w) ~ = (b · ~sG + ~η )G−1 (w) ~ + ~η , G−1 (w)


~ = b · h~s, wi ~ = b · bq/2c + v;

25
since k~η k∞ ≤ n · m · (N + 1)τ and G−1 (w)
~ is a 0/1 vector then |v| < n · m · (N + 1)τ +1 < q/4, and
therefore |z| < q/4 if b = 0 and |z| > q/4 if b = 1.

Lemma 7 (Semantic security). The GSW scheme above is semantically secure under the DLWE[n, m, q, α]
hardness assumption with α = n/q and m ≥ 1 + 2n(2 + log q).

Proof. Under the DLWE[n, m, q, α] hardness assumption, the public-key matrix A is pseudorandom
in Zn×m
q . It is sufficient therefore to prove that, if A was truly random, then the distribution of
fresh encryption matrices would be statistically close to uniform in Zn×N
q , regardless of the plaintext
bit b.
Let S = {0, 1}m and L = Znq ; by Lemma 3 the distribution over (A, [A~r]q ) for uniform A ←
n×(m+1)
Zn×m
q and ~r ← S is close to uniform over Zq up to statistical distance of

2/|S| ≤ 2n log q · 2(1−m)/2 ≤ 2n log q−n(2+log q = 2−2n .

p
qn ·

It follows that, except for probability 2−n over the choice of A, the distribution of [A~r]q conditioned
on A (defined over the random choice ~r ← {0, 1}m ) is 2−n -close to uniform over Znq . Hence, the
distribution of [AR]q conditioned on A is N 2−n -close to uniform over Zqn×N , and therefore so is
the distribution of the ciphertext matrix C = [b · G + AR]q .

Parameters for the basic GSW scheme. The security and correctness arguments above rely on
the conditions m ≥ 1 + 2n(2 + log q) and n · m · (N + 1)τ +1 < q/4, respectively, where N = n · dlog qe.
Substituting, we get the condition q > 4n · (1 + 2n(2 + log q)) · (1 + n dlog qe)τ +1 , which we can
simplify as q > (2n log q)τ +3 .

On the other hand, we need to keep q ≤ 2n for some  < 1 (else DLWE is no longer hard). This
yields the condition n > (τ + 3)(log n + log log q + 1), which we can again simplify (for large enough
τ, n) as n > 2τ log n. One could check that these conditions are all satisfied by the following
setting:

• n = max λ, ( 4 τ log τ )1/

  

 
• q = 2n ,

• m = 1 + d2n(2 + log q)e = O(n1+ ), and


• α = n/q = n · 2−n .

We note that, with this setting, the size of ciphertexts (fresh or evaluated) is polynomial in λ and τ ,
while the number of circuits in Cτ is doubly exponential in τ , so the scheme is weakly compact as
per Definition 8. Hence we have proved the following theorem:
 
Thoerm 4. Under the DLWE[n, m, q, α] hardness assumption with q = 2n , α = n · 2−n , and
m = O(n1+ ), there exists a semantically-secure weakly-compact leveled homomorphic encryption
scheme, where the complexity of evaluating each gate in a depth-d circuit is poly(λ, d1/ ).

26
4 Realizing Fully Homomorphic Encryption
Above we described the basic GSW construction from [48], obtaining a leveled homomorphic en-
cryption with security under the subexponential decision-LWE hardness assumption. In Section 4.1
below, we describe Gentry’s bootstrapping technique [38] for transforming some leveled schemes
into fully homomorphic ones, and then explain in Section 4.2 how to apply it to the GSW scheme.
This yields either a leveled homomorphic encryption with security under the quasipolynomial (or
even polynomial) decision-LWE hardness assumption, or alternatively a fully homomorphic scheme
whose security depends on the same (quasi)polynomial DLWE in conjunction with a circular-
security assumption.

4.1 Bootstrapping
So far we have a scheme E such that, for any bounded depth d, we can evaluate depth-d cir-
cuits by setting the parameters of E to size poly(d). To increase the homomorphic capacity of
the scheme, however, we need to choose larger parameters, so also the complexity of encryp-
tion/evaluation/decryption increases. Gentry’s insight in [38] was that this dependence can be
broken if we manage to find a setting in which the homomorphic capacity is just slightly bigger
than the decryption complexity.
We start by setting some notations. Fix some homomorphic encryption scheme E = (KeyGen,
Encrypt, Decrypt, Evaluate) and a class C = {Cτ } of circuits with one output bit. Throughout this
section we assume that all ciphertexts for parameters (λ, τ ) have the same length (and hence the
decryption procedure can be described by a single circuit).

• For λ, τ ∈ N, let CT E (λ, τ ) denote the set of all the fresh and evaluated ciphertexts that can
result from evaluating circuits in Cτ :
def
n o
CT E (λ, τ ) = Encrypt(pk, b) : (pk, sk) ∈ KeyGen(1λ , 1τ ), b ∈ {0, 1}
(pk, sk) ∈ KeyGen(1λ , 1τ ), 
 

∪ Evaluate(pk, Π, ~c) : Π ∈ Cτ , ~b ∈ {0, 1}inpLen(Π) , .
~c ∈ Encrypt(pk, ~b)
 

• Consider the decryption procedure for parameters λ, τ , and for any ciphertext c ∈ CT E (λ, τ )
def
denote by Dc (sk) = Decrypt(sk, c) the decryption circuit with c hardwired in. For any two
ciphertexts c1 , c2 ∈ CE (λ, τ ) let the augmented decryption circuit for these two ciphertexts be
def
Dc∗1 ,c2 (sk) = N AN D Dc1 (sk), Dc2 (sk) .

Definition 14 (Bootstrappable encryption). A homomorphic encryption scheme E = (KeyGen,

Encrypt, Decrypt, Evaluate) is bootstrappable if its homomorphic capacity includes all the augmented
decryption circuits. Specifically, there exists an (efficiently computable) polynomially bounded func-
tion τ (·) such that, for every λ ∈ N and any c1 , c2 ∈ CT E (λ, τ (λ)), we have Dc∗1 ,c2 ∈ Cτ (λ) .

Thoerm 5 (Bootstrapping [38]). Any bootstrappable homomorphic encryption scheme can be trans-
formed into a compact leveled homomorphic encryption scheme.

27
Proof. Let E = (KeyGen, Encrypt, Decrypt, Evaluate) be a bootstrappable homomorphic encryption
scheme; we describe how to transform it into a compact leveled scheme E 0 = (KeyGen0 , Encrypt0 ,
Decrypt0 , Evaluate0 ).

• KeyGen0 (1λ , 1d ). Let τ = τ (λ) (which is unrelated to the input parameter d). For i =
0, 1, . . . , d run the underlying key generation to get (ski , pki ) ← KeyGen(1λ , 1τ ), and for i < d
encrypt all the bits of the i-th secret key under the i+1-st public key, ~ci ∗ ← Encrypt(pki+1 , ski ).
The secret key of E 0 consists of all the ski ’s, and the public key consists of all the pki ’s and
~ci ∗ ’s,
sk0 = (sk0 , . . . , skd ), pk0 = (pk0 , ~c0∗ , pk1 , ~c1∗ , . . . , ~cd−1
∗
, pkd ).

• Encrypt0 (pk0 , b). Encryption uses the first underlying public key, setting c ← Encrypt(pk0 , b)
and outputting (0, c) (with the tag 0 signifying that this is a fresh ciphertext).

• Evaluate0 (pk0 , Π, c̃). We assume w.l.o.g. that Π is made of NAND gates and is leveled ; i.e.,
the two inputs to any gate at level i come from gates at level i − 1.
The Evaluate0 procedure goes over the circuit in topological order from inputs to outputs; for
every gate at level i with inputs (i−1, c1 ) and (i−1, c2 ), compute the description of the circuit
Dc1 ,c2 (·). Then use the underlying evaluation procedure to set c0 ← Evaluate(pki , Dc1 ,c2 , ~ci−1
∗ )
0
and use (i, c0 ) as the output ciphertext of this gate. The Evaluate procedure outputs the
ciphertexts at the output gate of Π.

• Decrypt0 (sk0 , c0 ). On c0 = (i, c), use the i-th secret key with the underlying decryption proce-
dure to output b ← Decrypt(ski , c).

Correctness is shown by induction over Π; the fresh ciphertexts ~ci ∗ are correct (relative to secret
key sk0 ) because the underlying scheme is correct for fresh ciphertexts, and similarly the ciphertexts
encrypting the inputs to Π (relative to sk0 ).
Consider now any gate at level i in Π, and assume by induction that the two ciphertexts at
the input satisfy c1 , c2 ∈ CT E (λ, τ ), and that both these ciphertexts are correct. Namely setting
ptj ← Decrypt(ski−1 , cj ) (for j = 1, 2), b1 , b2 are indeed the input bits to this gate when Π is
evaluated on ~b.
Let c0 ← Evaluate(pki , Dc∗1 ,c2 , ~ci−1
∗ ). Since c , c ∈ CT (λ, τ ) then D ∗
1 2 E c1 ,c2 ∈ Cτ (since E is boot-
strappable). As ~ci is a fresh encryption of ski−1 under pki , then by definition also c0 ∈ CT E (λ, τ ),
∗

and moreover by correctness of E we have

Decrypt(ski , c0 ) = Dc∗1 ,c2 (ski−1 ) = N AN D(Dc1 (ski−1 ), Dc2 (ski−1 )) = N AN D(b1 , b2 ),

as needed. This completes the proof of correctness.

To see that E 0 is semantically secure we consider a sequence of hybrid experiments: For k =
0, 1, . . . , d, let Hk be an experiment that proceeds just like the semantic security experiment of E 0
except for key generation: In Hk , we use ~ci ∗ ← Encrypt(pki+1 , ski ) as in the scheme for i = 0, . . . , k−
1, but for i = k, . . . , d − 1 we encrypt the all-zero string instead, setting ~ci ∗ ← Encrypt(pki+1 , ~0).
We observe that Hd is the actual semantic security experiment, for which we need to prove
that the advantage of the adversary is negligible in λ. For all k the only difference between Hk
and Hk−1 is in some ciphertexts that are encrypted under pkk , and the corresponding skk is never
used anywhere in the experiment (in particular it is not encrypted under pkk+1 ), then by semantic

28
security of the underlying E we know that the adversary’s advantage in Hk−1 is close to that of Hk
up to a negligible difference. Taken together, this means that the advantage in H0 is close to that
of Hd up to a negligible difference. But since sk0 is not used anywhere in H0 , then by semantic
security of the underlying E the adversary in H0 only has advantage negligible in λ. We conclude
that also in Hd the adversary only has negligible advantage, as needed.

Below we sometimes refers to homomorphic evaluation of decryption as the recryption proce-

dure.

Remark 4. In many homomorphic encryption schemes, the Decrypt procedure can be partitioned
into a public post-evaluation processing phase that depends only on the public key, followed by
the “actual decryption” that uses the secret key. We note that in this case the circuits Dc and
Dc∗1 ,c2 can be thought of as having the postprocessed ciphertext hardwired and consisting of only the
“actual decryption” phase. Alternatively we could think of the postprocessing phase as belonging to
the Evaluate procedure.
Also, the secret key can be preprocessed, independently of the ciphertext to be decrypted, in order
to decrease the complexity of the “actual encryption”; this preprocessing can be thought of as part
of KeyGen.

4.1.1 Fully Homomorphic Encryption

The above transformation yields a compact scheme, but not a fully homomorphic one, since we
need a new secret/public key-pair for every level in Π. A natural variant of this transformation
uses a single pair, and includes in the public key for E 0 also an encryption of the secret key of E
under its own public key. It is clear that correctness still holds, but the security of the result can
no longer be reduced to just semantic security of the underlying scheme E. Rather, we now need
to assume that E enjoys also circular security. Circular security can be defined in different ways;
for our purposes we only need a weak version (taken from [23]) that requires semantic security to
hold even given Encrypt(pk, sk).

Definition 15 (Weak circular security [23]). Let E = (KeyGen, Encrypt, Decrypt) be an encryption
scheme (homomorphic or not), and let A be an adversary. The (weak) circular-security advantage
of A w.r.t. E is defined as

1τ ← A(1λ ), (sk, pk) ← KeyGen(1λ , 1τ ),

  
E def  ∗
CircAdvA (λ) = Pr A(pk, ~c , c) = 1 :
~c ∗ ← Encrypt(pk, sk), c ← Encrypt(pk, 1)


1τ ← A(1λ ), (sk, pk) ← KeyGen(1λ , 1τ ), 

 
− Pr A(pk, ~c ∗ , c) = 1 : .
~c ∗ ← Encrypt(pk, sk), c ← Encrypt(pk, 0) 
E (λ) is negligible
E is weakly circular secure if, for every PPT adversary A, the advantage CircAdvA
in λ.

Thoerm 6. Any weakly circular-secure bootstrappable homomorphic encryption scheme can be

transformed into a compact fully homomorphic encryption scheme.

The proof of Theorem 6 is very similar to Theorem 5, except that security follows directly from
Definition 15.

29
4.2 The GSW Scheme Is Bootstrappable
Below we show that the GSW scheme from Section 3 above can be made bootstrappable. To this
end, we need to analyze the complexity of the decryption procedure, and establish that it is within
the homomorphic capacity of the scheme.

4.2.1 Decryption Complexity

Recall that the decryption formula for the GSW scheme is
(
~ T ]q | < q/4
0 if |[~s × C × w
Decrypt(~s, C) = ,
1 otherwise

where w ~ is some fixed vector that does not depend on the secret key. We think of the multiplication
by w ~ as a post-evaluation processing step (as mentioned in Remark 4), computing the vector
~u := [C × w] ~ q . The vector ~u is a Regev ciphertext (cf. Section 3.1.2) relative to the secret key ~s,
and the actual decryption consists of computing the integer inner product z := h~s, ~ui and checking
if |[z]q | < q/4. It is well known that computing modular inner product is in N C1 (e.g., [63]). Hence,
the actual decryption can be done using a circuit of depth logarithmic in the bitsize of ~s (which
is n log q), namely in depth Θ(log n + log log q). Below we illustrate one such circuit. Denoting
k = dz/qc (so [z]q = z − kq), we observe that

[z]q = z − 2k · (q/2) if |[zq ]| < q/4,
[z]q/2 =
[z]q ± (q/2) = z − (2k ± 1) · (q/2) if |[zq ]| > q/4.

Since [z]q/2 = z − dz/(q/2)c · (q/2), it follows that comparing |[z]q | with q/4 can be done by checking
if dz/(q/2)c is even or odd, namely by computing the bit dz/(q/2)c mod 2.
To slightly simplify things, when setting the parameters for any depth-d homomorphism, we
make the modulus q one bit larger than it strictly needs to be, thus ensuring that the eventual
noise is bounded below q/8 (rather than q/4). This means that we have the guarantee that |[z]q | is
either smaller than q/8 or larger than 3q/8, so we can afford some error in the calculations without
affecting the result of comparing with q/4. In particular, we have the guarantee that the value
z/(q/2) is within 1/4 of an integer, so an error of less than 1/4 in computing that value will not
affect the way that it is rounded.
Let q̂ be an approximation of the rational number 1/2q up to t = 3 + dlog n + 2 log qe bits of
precision. Since |q̂ − (1/2q)| < 2−t and |z| < nq 2 , then |z q̂ − (z/2q)| < nq 2 · 2−t < 1/8, and therefore
dz/(q/2)c = dz q̂c. Our decryption circuit is therefore constructed as follows:

• Still in the post-evaluation processing phase, after setting ~u = [Cw]

~ q , we compute the rational
vector ~r = [q̂ · ~u]2 , whose entries have t bits of precision.

• The actual decryption consists of computing the inner product h~s, ~ri (over the rationals) and
outputting the first bit to the left of the binary point (i.e., the most-significant bit of [h~s, ~ri]2 ).

Each of the multiplications involved in the inner product h~s, ~ri requires adding log q numbers, each
of up to t bits. Summing up n such products, we therefore need to add n log q numbers, each of up
to t bits.

30
 To add these numbers, we use the 3-for-2 addition method (cf. [63]),6 where the sum of three
`-bit numbers can be replaced by the sum of two numbers of up to ` + 1 bits: Let x, y, z be three
`-bit numbers and consider the i-th bit position. The sum xi + yi + zi < 3 can be represented
by only two bits: the lower bit is the XOR of the three and the upper bit is their majority; i.e.,
we replace the three numbers x, y, z by the two numbers u, v, such that ui = XOR(xi , yi , zi ) and
vi+1 = M AJ(xi , yi , zi ).
Repeating this process recursively, after Θ(log(n log q)) levels, we are left with only two t-bit
numbers (since we can ignore all but the first bit to the left of the binary point). Adding these last
two numbers can be done in logarithmic depth in the bit length t, using carry look-ahead. Here
we are only interested in the carry bit into the first position to the right of the binary point, which
Wt−1  Vt−1 
can be expressed as r := i=0 xi ∧ yi j=i+1 (xj ∨ yj ) . This expression has constant depth and
fan-in Θ(t2 ), so it can be computed by a fan-in-2 circuit of depth Θ(log t). Hence we get total
depth of d = Θ(log t + log(n log q)) = Θ(log n + log log q).
Parameters for bootstrappable homomorphic encryption. To obtain a bootstrappable
construction we need to set the parameters so that the complexity of (augmented) decryption stays
within the homomorphic capacity of the scheme. By the analysis above, this means that we need
to support evaluation of circuits of depth τ ≤ ρ(log n + log log q) for some constant ρ.
Recall from Section 3.2 that to support depth-τ homomorphism we need q ≥ (2n log q)τ +3 , and
0
substituting the value τ from above we get the sufficient condition q ≥ (n log q)ρ (log n+log log q) for
some other constant ρ0 < 2ρ. For n/ log n > 4ρ0 , we can meet all the conditions with the following
setting:

• n = λ,
l 0 m 2
• q = n4ρ log n = 2Θ(log n) ,

• m = 1 + d2n(2 + log q)e = Θ(n log2 n), and

2
• α = n/q = 2−Θ(log n) .

These parameters yield a bootstrappable scheme under the quasipolynomial DLWE assumption,
and by Theorem 5 also a compact leveled scheme under the same assumption. If we also assume
circular security, then using Theorem 6 we get a compact fully homomorphic scheme.

Thoerm 7. Under the DLWE[n, m, q, α] hardness assumption with q = 2polylog(n) , α = 2−polylog(n) ,

and m = n · polylog(n), there exists a semantically secure compact leveled homomorphic encryption
scheme. The public-key size needed for evaluating level-d circuits is linear in d, but the ciphertext
size and the complexity of evaluating each gate is only poly(λ), independent of d.
Further assuming circular security of the basic GSW scheme with these parameters, there exists
a semantically secure compact fully homomorphic encryption scheme.

6
As described in Remark 5 below, we can use modulus-switching and key-switching techniques to decrease the
vector dimension and the size of q prior to decryption. Doing so we could get a bootstrappable scheme even when
using less efficient addition methods.

31
Remark 5. The parameters above can be improved slightly using the modulus-switching and key-
switching tricks from Section 3.1.4. To use modulus-switching we choose the secret key from the
error distribution χn rather than uniformly at random from Znq , and use the result of Applebaum
et al. [4] to argue that security is unaffected. We also include a key-switching gadget A~0sn :~s∗ in the
0
public key, where ~s∗ ∈ Znq with n0  n.
Then during post-evaluation processing we switch the Regev ciphertext ~u relative to ~sn to a lower-
dimension ciphertext relative to ~s∗ , and then modulus-switch it to a smaller modulus q 0  q. Then
?
decryption needs to implement [h~s∗ , ~u∗ i]q0 < q 0 /4, which has lower complexity than the previous test
?
[h~s, ~ui]q < q/4.
Used judiciously, this technique lets us set q 0 = poly(n) (whereas q = quasipoly(n)). This yields
significant improvement in the recryption complexity, but by itself does not allow us to relax the
necessary hardness assumption from quasipolynomial to polynomial DLWE. The reason is that,
although decryption is evaluated relative to the smaller q 0 , the public encryption key and fresh
ciphertexts must still use the larger q. Relaxing the hardness assumption requires other techniques,
as described next.

4.3 Homomorphic Encryption Under Polynomial DLWE

Is it possible to weaken the quasipolynomial DLWE assumption from above and get FHE under
polynomial DLWE? At first glance, the answer seems to be negative: recryption seems to require
circuit depth of at least log n, and each level increases the noise by at least some small polynomial
factor, so the accumulated noise (and hence the size of the modulus q and the resulting LWE
approximation factor) is at least poly(n)log n .
Brakerski and Vaikuntanathan, however, observed in [20] that the asymmetric noise growth
from Equations 1 and 4 provides a way out. Recall that, for two ciphertext matrices C1 , C2
with associated plaintext bits b1 , b2 and noise vectors ~η1 , ~η2 , the noise vector when multiplying
C1 × G−1 (C2 ) has the form ~η 0 = b1 · ~η 2 + ~η1 × G−1 (C2 ), so ~η1 has much greater influence on ~η 0
than ~η2 . If we can ensure that we always keep ~η1 small, even if ~η2 is much bigger, then we can slow
down the noise growth considerably.
As an illustrating example, consider multiplying a sequence of n ciphertexts, Ci , i = 1, . . . n,
with associated plaintext bits bi and noise vectors ~ηi of similar magnitude (say k~ηi k∞ ≤ n for all i).
This n-wise product can be implemented in a balanced binary tree, or using left- or right-associative
trees (or any form in between), and these different strategies exhibit very different noise behavior.
The balanced strategy is
Cbal = C1 × G−1 (C2 ) × G−1 (C3 × G−1 (C4 ))
×G−1 C5 × G−1 (C6 ) × G−1 (C7 × G−1 (C8 )) · · ·

and its noise behavior is exactly what we analyzed above: We have a log(n)-high binary tree of
multiplications, and the noise magnitude at level i up the tree is roughly mi ·n. Hence, the resulting
matrix Cbal has a quasipolynomial noise magnitude of about mlog n . The left-associative strategy
is
C1 × × × ··· ×
−1 −1 −1 −1
C2 G C3 G C4 G Cn G

32
 Cleft = (· · · ((C1 × G−1 (C2 )) × G−1 (C3 )) · · · ) × G−1 (Cn ),
and its noise is much bigger. Specifically, let us denote by C∗i , b∗i , ~ηi∗ the ciphertext, plaintext, and
noise after multiplying the leftmost i matrices. After the multiplication C∗i × G−1 (Ci+1 ), the noise
∗ = b∗i ~ηi+1 + ~ηi∗ G−1 (Ci ), which has magnitude of roughly k~ηi+1 ∗ k
vector is ~ηi+1 ∞ ≈ k~ ηi+1 k∞ + m ·
∗
k~ηi k∞ ≈ (1 + m + · · · + m ) · n. Hence, the overall noise magnitude is roughly mn · n, which is fully
i

exponential in n.
On the other hand, the right-associative strategy is

Cn−1 C3 C2 C1

Cn × ··· × × ×
G−1 G−1 G−1 G−1

Crght = C1 × G−1 (C2 × G−1 (· · · Cn−1 × G−1 (Cn ) · · · )),

and this strategy has a much smaller noise than even the balanced one. Again let us denote
by C∗i , b∗i , ~ηi∗ the ciphertext, plaintext, and noise after multiplying the matrices i through n. After
incorporating also the i−1-st matrix, Ci−1 ×G−1 (Ci∗ ), the noise vector is ~ηi−1
∗ = bi ~ηi∗ +~ηi−1 G−1 (C∗i ),
∗ ∗
which has magnitude at most k~ηi−1 k∞ ≤ k~ηi k∞ + m · k~ηi−1 k∞ ≤ n(m + m + . . . + m). Hence, the
overall noise magnitude is at most mn2 , which is only polynomial in n.
“Asymmetric circuits” and branching programs. To take advantage of the noise asymmetry,
we need to design “asymmetric circuits” in which all the multiplications have the form C×G−1 (C∗ ),
where C1 is a fresh encryption of an input bit (and hence has small noise) while C∗ can be an
evaluated ciphertext. One approach that naturally yields such circuits uses Barrington’s theorem
[7] and permutation branching programs.

Definition 16 (Permutation branching programs). A width-w, length-` permutation branching-

n
program over
inputs in {0, 1} consists of a sequence of ` tuples, BP = (inpLen(i), Ai,0 , , Ai,1 ) :
i = 1 . . . , ` where the Ai,b ’s are permutation matrices in {0, 1}w×w , and inpLen : [`] → [n] specifies
the order in which input bits are examined (i.e., step i in the branching program examines the input
bit xinpLen(i) ). The function computed by this branching program is

`
def Y

fBP (x) = Ai,xinpLen(i) [1, 1].
i=1

In words, fBP (x) = 1 if composing all the permutations chosen by the bits of x in the different
steps yields a permutation that maps 1 to itself, and otherwise fBP (x) = 0.

Thoerm 8 (Barrington’s Theorem [7]). If the function f : {0, 1}n → {0, 1} can be computed by a
depth-d fan-in-2 binary circuit, then f can also be computed by a width-5, length-4d permutation
branching program.

Barrington’s theorem directly yields a polynomial-size asymmetric circuit for computing

Q` any
N C1 circuit: We keep an “evaluated state” consisting of the current cumulative product i=j+1 Ai,xinpLen(i) ,
then multiply this state on the left by the “fresh matrix” A0j = xk Aj,1 + (1 − xk )Aj,0 , with

33
k = inpLen(j). Since the Ai,b ’s are all permutation matrices then all the intermediate values in
this computation are always in {0, 1} (and moreover every sum computed during this computation
always has exactly one term equaling 1 and all other terms equaling 0).
When evaluating this circuit on encrypted data, we get an encryption of A0j that depends
linearly on the fresh encryption of xinpLen(j) , and we multiply it (on the left) by the evaluated
encryption of the cumulative product so far. When using the GSW scheme with parameters n, m, q,
the cumulative noise at the end of the calculation is bounded by 4d · m · n, which is polynomial
in n when the depth d is logarithmic. We can therefore evaluate the recryption function while
only increasing the noise to magnitude polynomial in n, so we can set q = poly(n) (and therefore
α = 1/poly(n)) and m = O(n log n).
Thoerm 9. Under the DLWE[n, m, q, α] hardness assumption with q = poly(n), α = 1/poly(n),
and m = O(n log n), there exists a semantically secure compact leveled homomorphic encryption
scheme. The public-key size needed for evaluating level-d circuits is linear in d, but the complexity
of evaluating each gate is only poly(λ), independent of d.
Further assuming circular security of the basic GSW scheme with these parameters, there exists
a semantically secure compact fully homomorphic encryption scheme.

Remark 6. The key- and modulus-switching tricks from Remark 5 can be used here too, to re-
duce both the recryption complexity and the constant in the exponent of the polynomial-DLWE
assumption. Brakerski and Vaikuntanathan describe in [20] how iterated application of these two
tricks can be used to reduce the hardness assumption to DLWE with α = 1/n1/2+ for any constant
√
 > 0, which nearly matches the best setting α = 1/Õ( n) for any known lattice-based public-key
encryption.
The concrete efficiency of recryption was significantly improved by Alperin-Sheriff and Peikert
[3], while still relying on the same DLWE with α = 1/n1/2+ . See Section 5.1 for more discussion
of efficiency considerations.

4.4 Realizing Strong Homomorphism

The fully homomorphic scheme from above may still fail to provide strong homomorphism or even
circuit privacy. Following Gentry [38], we can achieve statistical strong homomorphism using a
Refresh procedure based on noise-flooding. A naive use of this technique would require increasing
the parameters and using a stronger DLWE variant, but Ducas and Stehlè showed in [31] that
iterated use of Refresh can avoid these limitations.
For the rest of this section, it will be convenient to assume that, the recryption procedure
of the fully homomorphic encryption returns not the GSW ciphertext matrix C but rather the
post-processed “Regev ciphertext” ~u = [Cw] ~ q , which is decrypted by computing z := [h~s, ~ui]q and
comparing |z| with q/4. (The distinction between these two forms of ciphertexts is only a matter
of convenience, as we can always get back a GSW ciphertext by running the recryption procedure
again without post-processing.) We denote running the recryption process on the post-processed ~u
and returning the post-processed result by ~u0 ← Recryptpk (~u).
Rerandomizing a ciphertext. For a vector ~s ∈ Znq , denote the linear subspace orthogonal to ~s
by
def
L~⊥
s = {~
v ∈ Zq : h~s, ~v i = 0 (mod q)}.

34
 def
~ = bq/2c · (0, . . . , 0, −1), and the “radius-ρ 1-dimensional
Also denote the scaled unit vector by w
ball” by
def
Bρ = {x · (0, . . . , 0, 1) : x ∈ Z, |x| ≤ ρ}.
An easy-to-verify property that we use below is that, for ρ0 , ρ ∈ N and any ~u ∈ Bρ0 , the statistical
distance between the uniform distributions on Bρ and on ~u + Bρ is bounded by ρ0 /(2ρ + 1).
Since the last entry in a GSW secret key ~s is sn = −1, then for ρ < bq/4c any vector ~u ∈ L~s⊥ +Bρ
is decrypted to zero and any vector ~u ∈ L~⊥ s + Bρ + w ~ is decrypted to one.
Let ~u be some fixed vector in either L~s + Bρ0 or L~⊥
⊥
s + Bρ0 + w.
~ We rerandomize ~u by adding to
it a random element in L~⊥ s + B ρ for some ρ > ρ0 such that ρ + ρ0 < bq/4c. The resulting vector ~u0
still decrypts to the same bit as ~u, and the statistical distance between the distribution of ~u0 and
the uniform distribution over L~⊥ ⊥
s + Bρ (or over L~s + Bρ + w)~ is bounded by ρ0 /(2ρ + 1). If ρ  ρ0
0
then the distribution of ~u is almost independent of the original vector ~u, except for the plaintext
bit that it decrypts to. To perform rerandomization, it is therefore sufficient to be able to choose
a nearly uniform vector in L~⊥ s + Bρ . It turns out that the public-key matrix A is all we need for
that purpose.
Lemma 8. For any fixed vector ~s ∈ Znq with sn = −1, denote by D~s the distribution over public keys
(n−1)×m
corresponding to the secret key ~s; namely choosing the top n − 1 rows at random A0 ← Zq
and the last row as ~s0 A0 + ~η , where ~s0 are the first n − 1 entries in ~s and ~η ← χm .
Then with probability at least 1 − 2−n over the choice of A ← D~s and for all ρ ∈ N, the
distribution
def
A~r + ~v : ~r ← {0, 1}m , ~v ← Bρ

RA,ρ =

is close to the uniform distribution over L~⊥

s + Bρ , up to statistical distance at most
nm
2ρ+1 + 2−n .

Proof. Let ~s0 be the first n − 1 entries of ~s, A0 be the first n − 1 rows of A, ~ and à be the matrix A
0 0
with the last row replaced by ~s A (i.e., the last row of A with the error ~η removed). Then ~sà = 0,
and moreover the columns of à ∈ Zn×m q are uniform and independent in L~s⊥ . ByLemma 3, with
probability 1 − 2 over Ã, the distribution of [Ã~r]q conditioned on à is 2−n away from uniform
−n

over L~⊥
s.
Next observe that A~r = Ã~r + ~δ, where ~δ = h~η , ~ri · (0, . . . , 0, 1)t ∈ Bnm . We therefore have
A~r + ~v = Ã~r + δ + ~v , where Ã~r is 2−n -close to uniform over L~⊥ s , and regardless of the value of δ
we have that δ + ~v is 2ρ+1nm
-close to uniform over Bρ . Hence A~r + ~v is close to uniform in L~⊥ s + Bρ ,
nm
up to 2ρ+1 + 2 .−n

Corollary 9. Let ρ, ρ0 ∈ N, and fix the two vectors ~s ∈ Znq with sn = −1 and ~u ∈ (L~⊥
s + Bρ0 ) ∪
⊥
(L~s + Bρ0 + w). −n
~ Then with probability at least 1 − 2 over the choice of A ← D~s , the distribution
0
~u + RA,ρ is within statistical distance nm+ρ
2ρ+1 + 2
−n of:

• The uniform distribution over L~⊥ u ∈ L~s⊥ + Bρ0 , or

s + Bρ if ~

• The uniform distribution over L~⊥ ~ if ~u ∈ L~⊥

s + Bρ + w
0
s + Bρ + w.
~

35
Strong homomorphic encryption. To obtain strong homomorphic encryption, we begin with
the fully homomorphic scheme from above but modify the parameters, making q larger by some
factor β (to be determined later) than what is needed to get full homomorphism. Specifically, we
make q large enough to ensure that after recryption (and post-evaluation processing) the noise is
bounded by some ρ0 < q/8 − β; i.e., we always get a vector ~u ∈ (L~⊥ ⊥
s + Bρ0 ) ∪ (L~s + Bρ0 + w).
~ We
then define a refresh procedure as
Refreshpk (~u) = [Recryptpk (~u) + RA,β ]q .
We then modify both the encryption and evaluation procedures, making them output ~u0 ← Refreshpk (~u)
rather than the vector ~u as before. By Corollary 9 the output distribution of the new Encrypt and
Evaluate is close to uniform over L~⊥ ⊥
s + Bρ or L~s + Bρ + w
~ (depending on the encrypted bit), where
0
ρ = ρ + β < q/8. Correctness is not affected since the parameters are set so that the noise after
Refresh is still bounded below q/8.
0
The statistical distance from uniform is at most nm+ρ 2β+1 + 2
−n , so to get negligible distance we

need β > (nm + ρ0 ) · 2ω(log n) . This means that β (and therefore q) must be superpolynomial in n, so
to get strong homomorphism in this way we need to assume hardness of superpolynomial DLWE.
Strong homomorphism from polynomial DLWE. It was observed by Ducas and Stehlè [31]
that iterating Refresh can be used to go beyond superpolynomial DLWE. To show this, we use the
following general lemma:
Lemma 10 (Iterated refresh [31]). Let D be an arbitrary domain and let f : D → D be a randomized
function. If for some δ < 1 it holds that SD(f (x1 ), f (x2 )) < δ for any x1 , x2 ∈ D, then for every
k ∈ N and x1 , x2 ∈ D we have SD(f k (x1 ), f k (x2 )) < δ k .
Proof. The proof is by induction on k. The basis k = 0 holds vacuously, so assume that it holds for k
and we prove for k+1. Let x1 , x2 ∈ D, so by the induction hypothesis we have SD(f k (x1 ), f k (x2 )) <
δk .
The distributions f k (x1 ), f k (x2 ) can therefore be expressed as convex combinations f k (x1 ) =
(1 − δ k ) · D + δ k · D10 and f k (x2 ) = (1 − δ k ) · D + δ k · D20 for the same D and different Di0 ’s. Namely
for i = 1, 2, yi ← f k (xi ) is obtained by choosing a bit b ∈ {0, 1} with Pr[b = 1] = δ k , then drawing
yi ← D if b = 0 and yi ← Di0 if b = 1. It follows that
SD(f k+1 (x1 ), f k+1 (x2 )) ≤ (1 − δ k ) · SD(f (D), f (D)) +δ k · SD(f (D10 ), f (D20 )) ≤ δ k+1 ,
| {z } | {z }
=0 ≤δ

as needed.

Applying Lemma 10 to the Refresh procedure from above, we can now set the parameters so
that β = 2nm · ρ0 . With this setting, for every ~u, ~u0 ∈ CT that encrypt the same bit, we get
SD(Refreshpk (~u1 ), Refreshpk (~u2 )) < 1/2, so after ω(log n) iterations we get negligible statistical
distance. Since ρ0 can be set to poly(n) as per Section 4.3 above, then we get q = ρ0 + β =
ρ0 · (1 + 2nm) = poly(n), so we can rely on the hardness of polynomial DLWE.
Thoerm 10. Under the DLWE[n, m, q, α] hardness assumption with q = poly(n), α = 1/poly(n),
and m = O(n log n), in conjunction with circular security of the basic GSW scheme with these
parameters, there exists a semantically secure strong fully homomorphic encryption scheme.

36
5 Advanced Topics
In this section we briefly discuss other aspects of homomorphic encryption. We begin in Section 5.1
by describing the active research for devising more practical homomorphic encryption, reducing
the overhead of computing on encrypted data as compared with computing on plaintext data. In
Section 5.2, we touch on some (mostly failed) attempts at realizing homomorphic encryption by
means other than lattice-based cryptography. In Section 5.3, we discuss carrying out computa-
tion on encrypted data using models of computation other than circuits. Finally, in Section 5.4,
we describe uses of techniques similar to the GSW homomorphic encryption scheme to obtain
other functionalities, such as multikey homomorphism, homomorphic commitment and signatures,
multilinear maps, and obfuscation.

5.1 Faster Homomorphic Encryption

The GSW cryptosystem from above is capable of evaluating arbitrary circuits, but at a steep price:
Letting the overhead of a homomorphic scheme be the ratio of encrypted computation complexity
to unencrypted computation complexity (using a circuit model of computation), it is not hard to
see that as described above this scheme has a very large polynomial overhead: Each plaintext bit
is encrypted by a matrix of dimensions at least Ω̃(λ) × Ω̃(λ) (and entries of size polylog(λ) bits).
Each NAND operation in the basic GSW scheme requires the multiplication of two such matrices,
which takes ω̃(λ2.3 ) even using the most asymptotically efficient algorithm. (Of course, to use
bootstrapping we would need to implement full homomorphic description for every gate, which
would drive the overhead much higher.)
A lot of work over the last few years was devoted to improving this overhead, both asymptotically
and practically. Perhaps the most significant improvement comes from working over large extension
rings rather than over the integers, relying on the ring-LWE hardness assumption (RLWE) [69].7
Working over a large ring of extension degree d allows one to reduce the degree of the matrices
involved to as little as n = λ/d while maintaining hardness, so in particular when setting d = λ
we can get n = 1 and m = O(log q) = Õ(λ). This yields ciphertexts of bit-size O(log2 q) = O(λ), ˜
and the complexity of implementing basic NAND (without bootstrapping) is similarly reduced to
˜
O(λ). Hence we get a variant of the basic weakly compact scheme with overhead quasilinear in λ.
A second major improvement comes from packing multiple plaintext bits in every ciphertext.
Specifically, Smart and Vercauteren observed in [87] that, since our “scalars” now live in some
polynomial ring, the Chinese remainder theorem in that ring can be used to encode many bits in
each scalar, yielding multiple “plaintext slots” where additions and multiplications are applied to
each slot separately. Careful choice of parameters lets one get as many as ` = Ω̃(λ) such plaintext
slots, making the plaintext-to-ciphertext expansion ration polylogarithmic in λ, and allowing one
to compute the same function on ` different inputs at the price of a single computation.
We note, however, that packing many bits in each plaintext scalar is in general incompatible
with the Brakerski–Vaikuntanathan method of exploiting the asymmetric noise growth: Packed
scalars typically have norm polynomial in d (the extension degree of the ring), even if only 0’s and
1’s are packed in the slots. Since the GSW noise depends also on the plaintext size, we have to
content ourselves with multiplicative growth of noise for every multiplication operation. In fact,
using the packing technique yields better results for the “second-generation schemes” such as those
in [17, 14, 68, 13] than for the “third-generation” GSW scheme [48].
7
Specifically we use cyclotomic rings, since they have many desirable algebraic properties.

37
 But we can go even beyond batching. It was observed in [69, 17, 87] that the automorphisms
in the polynomial ring can be used to “rotate” the contents of the plaintext slots, and Gentry et
al. show in [44] how to use these “rotations” to perform efficient routing of plaintext slots between
successive levels of any arbitrary circuit. This technique is then used in [44] to perform an entire
computation on “packed” ciphertexts, resulting in a scheme with only poly-logarithmic overhead
even when computing a single function on a single input. This can be extended to bootstrapping,
yielding a fully homomorphic scheme with polylogarithmic overhead. (Further optimizations for
bootstrapping were described in [43, 2, 57].)
There has also been much work devoted to practical efficiency and implementing of homo-
morphic encryption. For example Gentry et al. reported in [45] on an implementation of the
“second-generation” Brakerski–Gentry–Vaikuntanathan scheme (BGV) and its use for evaluating
“real-world circuits” such as the AES encryption/decryption circuits, and that implementation was
further optimized in the HElib library of Halevi and Shoup [56], who also implemented practical
bootstrapping for packed ciphertexts in a matter of minutes [57]. Also, building on techniques from
[20, 3], Ducas and Micciancio implemented bootstrapping for a (non packed) GSW-like scheme in
less than a second [30].

5.2 Other Attempts at Realizing Homomorphic Encryption

Attempts to realize homomorphic encryption go back to the dawn of public-key cryptography,
when the concept was first proposed by Rivest, Adelman, and Dertouzos [82]. Below we sketch
some directions that were explored over the years, even though as of yet none of these directions
have panned out.

5.2.1 The Hidden-Ideal Paradigm

One natural approach is to construct a scheme that uses an algebraic ring R and an ideal I ⊂ R,
and relies for security on the hardness of distinguishing random elements in I from random elements
in R. The plaintext space of such a scheme is the quotient ring R/I, ciphertexts are (representations
of) elements in R, and homomorphic addition and multiplication are just the ‘+’ and ‘×’ operations
in R.
This approach was implicit in many additive homomorphic schemes; it was made explicit by
Fellows and Koblitz [32], who also suggested a concrete realization that they called Polly Cracker.
That scheme uses the ring of multivariate polynomials over some field, R = F [X1 , . . . , Xn ], and
the ideal I is a set of polynomials that have common root, p(s1 , . . . , sn ) = 0. Ciphertexts are
polynomials p ∈ R, the root itself ~s = (s1 , . . . , sn ) is the secret key, and decryption corresponds to
evaluating p(~s).
There is a lot of freedom in choosing the concrete representation of elements and their probability
distributions (note that these R, I are infinite). The challenge in designing such a scheme is to find
a succinct representation that allows efficient sampling and computation of ‘+’ and ‘×’, but where
(at least) recovering ~s is hard. Many attempts to find such representations has been made, so far
with no success; see [66] for a survey. We note that, even though no candidate construction so far
have survived cryptanalysis, there is also no reason to think that no such candidate exists.

38
5.2.2 Homomorphic Encryption from Binary Codes
Following Gentry’s blueprint for constructing homomorphic encryption schemes, some attempts
were made to instantiate this blueprint using binary codes as opposed to integer lattices. The
hope was, that since the problem of learning-parity-with-noise (LPN) is similar in some ways to
the learning-with-errors (LWE) problem, then the techniques for constructing LWE-based homo-
morphic encryption would extend also to LPN. The main challenge is that LPN with its notion
of Hamming distance provides a very narrow range for noise manipulation. Specifically, while in
LWE-based constructions we can handle noise with Euclidean norm polynomial in the dimension,
when it comes to Hamming distance the noise must be strictly smaller then the dimension.
A notable attempt to port Gentry’s blueprint to the LPN-based setting was made by Bogdanov
and Lee [9]. They described a construction that has noticeable decryption error probability, which
is carefully controlled via evaluation of majority gates in conjunction with the linear decryption
function. That construction was later broken by Gauthier et al. [36], and moreover Brakerski
proved in [15] that the approach from [9] cannot work as-is. Specifically, he proved that a scheme
which is capable of computing majority cannot have a learnable decryption function (such as a
linear function), even if it has a significant decryption error probability. Although Brakerski’s
result does not rule out basing homomorphic encryption on LPN, it does say that the decryption
procedure of that scheme must be at least “somewhat complicated”, rather than the simple inner
product of some LPN-based (non homomorphic) schemes such as [1].

5.2.3 Homomorphic Encryption from Group Theory

An alternative approach, using concepts from group theory, was proposed by Nuida in [74]: For
a group G (written multiplicatively), a subgroup H ⊂ G is normal in G if g −1 hg ∈ H for any
h ∈ H and g ∈ G. A simple scheme with plaintext space {0, 1} that uses such G, H represents 0
by a random h ∈ H and 1 by a random g ∈ G. Homomorphic OR is implemented by the group
operation homOR(g1 , g2 ) := g1 g2 , and homomorphic AND is implemented by the commutator
homAND(g1 , g2 ) = g1 g2 g1−1 g2−1 . This can be used to compute arbitrary functions by using deMor-
gan’s laws to push negations to the inputs, and encrypting a bit b as a pair (Enc(b), Enc(1 − b)).
Such a scheme would need to provide methods for choosing random elements in G and H, rely on
the indistinguishability of H from G for security, and provide a trapdoor that enables distinguishing
H from G as a secret key. Some candidate implementations of this approach are discussed in [74],
and some earlier proposals were shown to be insecure. As for the hidden-ideal paradigm, here too
we currently neither have a viable candidate nor know of a reason to think that such candidates
are impossible.

5.3 Homomorphic Encryption for Other Models of Computation

Although circuits are a convenient and universal model of (classical) computation, other models
have been considered as well, both weaker and stronger. Weaker models of computation were
considered before Gentry’s result, and they sometimes allow schemes based on different (non lattice)
hardness assumptions. Stronger models are also considered, as they could provide better efficiency
for applications. Below we list a few such models, and what is known about them.
Truth-tables. Homomorphic encryption for truth-tables allows an encryptor to encrypt the index
into a table, and an evaluator to compute from it an encryption of the content of the corresponding

39
entry in the table. This is closely related to the notion of single-server private information retrieval
(PIR) [65]. Indeed, a two-round single-server PIR protocol immediately yields a weakly compact
secret-key encryption scheme which is homomorphic for truth-tables (cf. [62]).
Moreover, a PIR protocol can be transformed to a public-key scheme using an auxiliary public-
key encryption scheme: The recipient chooses a public/secret key pair for the encryption scheme,
the sender sends the PIR-client message and in addition also an encryption of the client’s PIR-state s
under the public key, and the evaluator forwards the encrypted state to the recipient together with
the PIR reply. The recipient uses its secret key to decrypt and recover the SFE state s, and then
uses the procedure SFE3 with this state to recover F (x, y). The result is a public-key encryption
scheme capable of “evaluating” any table-lookup, and it is compact as long as the client’s PIR
state is short. We note that all PIR constructions have small client state, and this can be enforced
generically by having the client use a pseudorandom generator (PRG) to derive its randomness,
and using the PRG seed as the client state.
Since two-message PIR implies also public-key encryption [29, 49], we have that compact public-
key homomorphic encryption for truth-tables can be realized from any two-message PIR protocol.
For example, this yields realizations with security based on various factoring-related assumptions
such as quadratic residuosity [52], N -th residuosity [78], and phi-hiding [22]. See [76] for a survey
of single-server PIR.
Branching programs. Polynomial-size branching programs are a fairly strong model of compu-
tation, being able to evaluate at least the complexity class N C1. Ishai and Paskin described in
[62] a weakly compact encryption scheme which is homomorphic for branching programs, using the
Damgård–Jurik cryptosystem [28] whose security relies on the N -th residuosity assumption.
Turing machines and RAM. Although circuits are universal, and hence fully-homomorphic
encryption for circuits can evaluate any function on encrypted data, other models of computation
such as Turing machines or RAM computation can provide faster processing. It is therefore desirable
to make the complexity of homomorphic evaluation as low as the Turing-machine complexity or the
RAM-complexity of the evaluated function, as opposed to its circuit complexity. Unfortunately this
is often not possible, for example it is clear that the table lookup function fT (i) = T [i] cannot be
evaluated for an encrypted index in its RAM complexity of O(1). Nonetheless, a significant body
of recent work (such as [51] and [42]) has been devoted to finding cases where processing encrypted
data with better than circuit complexity is possible.
Homomorphic quantum computations. Going beyond classical computations, one may wish
to be able to apply quantum computations to an encrypted quantum state. Note that we are asking
for more than simply a classical homomorphic-encryption scheme which is resistant to quantum
attacks.8 Instead, imagine trying to run Shor’s algorithm [85] for factoring an encrypted integer.
Being able to evaluate classical circuits on encrypted data is not enough here; we need to be able
to evaluate also quantum gates.
A first step toward homomorphic quantum computation was recently taken by Broadbent and
Jeffery [21], who described a quantum homomorphic encryption scheme for a restricted class of
quantum circuits, assuming classical fully homomorphic encryption. Specifically, their scheme can
handle circuits with unbounded number of Clifford-group gates but only a constant non-Clifford
8
Since the learning-with-errors problem is assumed to be hard even for quantum computers, then so are all
LWE-based homomorphic encryption schemes.

40
depth. (This is somewhat analogous to classical arithmetic circuits with unlimited additions but
constant multiplication depth.)

5.4 Beyond Homomorphic Encryption

Powerful as it is, homomorphic encryption is just one of a number of new cryptographic primitives
that were developed in the last decade using tools from lattice-based cryptography. Below we
describe some other primitives that use similar tools.

5.4.1 Multikey Homomorphic Encryption

One limitation of homomorphic encryption is that it can only process encrypted data relative to one
key. Many times, however, we want to be ale to process data that was encrypted relative to several
different keys. For example, multiple parties, each with its own key, may upload their encrypted
data to the cloud, and we want the cloud to aggregate this data and compute useful statistics on
it. Of course, recovering the plaintext result would then depend on all the parties cooperating,
each bringing its corresponding secret key. A homomorphic scheme that supports such processing
is called multikey homomorphic.
The concept of multikey homomorphic encryption, along with a concrete realization based on
the NTRU cryptosystem [59], was first described by López-Alt et al. in [68]. One drawback of
that scheme is that an upper bound on the number of parties must be known at key-generation
time, since the parameters grow with the number of parties. (A similar realization is possible under
LWE, but it only supports a constant number of parties.)
A different realization under LWE (or RLWE) was recently described by Clear and McGoldrick
[25], and later significantly simplified by Mukherjee and Wichs [73]. These schemes can support an
arbitrary number of parties, but they rely on a common reference string that must be known at
key-generation time.

5.4.2 Homomorphic Commitments and Signatures

Although homomorphic encryption allows computing on encrypted data, it does not provide any
integrity guarantees for the computed values. For example, in the client-server application in
which the client encrypts its input x and the server evaluates on it a function f , the client has
no guarantees that the alleged evaluated ciphertext was indeed produced by evaluating f on the
encrypted x.
Verifying the integrity of remote computation is generally known as verifiable computation,
and it is the subject of a very active research effort. See, e.g., [90] for a survey (focusing on the
practical-oriented side of that work). Some useful tools in this area are homomorphic commitments
and signatures, which can be constructed using techniques similar to those used in the GSW
cryptosystem, as noted by Gorbunov et al. [55].
Homomorphic commitments are similar to homomorphic encryption, except that, in addition to
the ciphertext-evaluation procedure Evaluate, there is also a decommitment-evaluation procedure
deEvaluate for computing on the corresponding randomness, which is used by the committer. The
property of deEvaluate is that, whenever we have ~c = Encrypt(pk, ~b; ~r) (where ~r is the randomness
used for encryption) and c0 ← Evaluate(pk, Π, ~c), then computing r0 ← deEvaluate(pk, Π, ~c, ~b, ~r)
we get Encrypt(pk, Π(~b); r0 ) = c0 . Thinking of the randomness ~r as being a decommitment string,

41
this means that the committer can compute the randomness r0 that would open the evaluated
ciphertext c0 to the plaintext b0 = Π(~b). It is easy to see that the basic GSW scheme as described
in Section 3.2.4 supports such a decommitment-evaluation routine, since whenever we have two
ciphertexts Ci such that ~s × Ci = bi · (~s × G) + ~ηi , then their sum and product satisfy
~s × (C1 ± C2 ) = (b1 ± b2 ) · (~s × G) + (~η1 ± ~η2 )
and ~s × (C1 × G−1 (C2 )) = (b1 · b2 ) · (~s × G) + (b1 · ~η2 + ~η1 × G−1 (C2 )),
and these noise terms can be computed efficiently by the committer.
In homomorphic signatures, a data originator uses its secret key to sign messages, and it
publishes the vector of messages ~b = (b1 , . . . , bn ) and the corresponding vector of signatures
~σ = (σ1 , . . . , σn ). A data processor, knowing ~b, ~σ , and the public key, can efficiently generate
a short evaluated signature σΠ,b0 on the pair (Π, Π(~b)), and that signature can be verified using
the public key (even without knowing the original data ~b). Gorbunov et al. described in [55] a
construction of homomorphic signatures from homomorphic commitments, in which verifying an
evaluated signature σΠ,b0 can be partitioned to an offline phase that depends only on Π and an
online phase that depends also on b0 and σΠ,b0 , such that the complexity of the online phase is
independent of Π.

5.4.3 Functional Encryption, Obfuscation, and Multilinear Maps

Homomorphic encryption is in particular a secure encryption scheme. So while it is possible to
compute on encrypted data (or with encrypted programs), the result is still encrypted and it takes
the secret key to make sense of it. In many applications, however, we would like to process encrypted
data or programs, and get (only) the result of the computation in the clear. For example, consider
applying a spam filter to encrypted email: Although the content of the email messages should
remain secret, we may want the mail server to learn the spam/no-spam bit in the clear so that it
can forward to us only the non spam messages.
For another example, imagine that we have a good model for predicting the risk of heart attack
based on various indicators, and we want to release this model for use by the public. At the same
time, we want to withhold the inner workings of this model, either due to intellectual property
concerns, or because we need to protect the privacy of patient data that was used to devise this
model. Here too, we may want the model itself to be encrypted, but anyone should be able to
evaluate the model on their own indicators and get the result in the clear.
These examples illustrate typical uses of functional encryption (the first example) and code ob-
fuscation (the second example), and a large body of research is devoted to studying these concepts.
Functional encryption for simple functions can be constructed from pairing-based cryptography
(e.g., [64, 84, 11, 75]), and some variants that support all functions but offer weaker security can
be based on the hardness of LWE (e.g., [53, 54]). However, more is required to obtain fully secure
functional encryption for all functions, or code obfuscation for any expressive class of functions. As
of now, the only viable tool that we have for realizing these concepts are the so-called cryptographic
multilinear maps.
Cryptographic multilinear maps were envisioned by Boneh and Silverberg [12], but were con-
structed for the first time only a decade later by Garg et al. [34]. On a high level, they enable
evaluation of arithmetic circuits over a large field on “encrypted” data, getting in the clear the bit
saying whether or not the result is equal to zero, without being able to “decrypt” any of the inter-
mediate values. We currently have three candidate constructions for multilinear maps [34, 26, 39]

42
(with some variations on each), all following the same high-level approach: Very roughly, they all
begin with some homomorphic encryption scheme, and then publish a defective secret key, which
allows testing for zero but not decryption.
To use such multilinear maps for obfuscation or functional encryption, one needs to randomize
the computation so that no two intermediate values will ever be equal to each other, but where all
the randomness can be canceled on the output wire so that the zero-test can be used to determine
the output value. Such randomization techniques were found for N C1 circuits, and a bootstrapping
technique using homomorphic encryption is used to extend these constructions to any polynomial-
size circuits. Following Garg et al. [35], this approach was used in very many works; see, e.g., [60]
for a survey.

6 Suggested Reading
Below are pointers to additional reading on related topics that are not covered in detail in this
tutorial.
Multihop and Circuit-private FHE. The connections with secure computation protocols with
emphasis on multihop and function privacy (without compactness) were studied by Gentry et al.
[47] in the semi-honest model. Their treatment was extended to the malicious adversary model by
Ostrovsky et al. [77].
Second-generation FHE. A good survey that covers the basics of the second-generation FHE
schemes was written by Vaikuntanathan [88], with more details given in the work of Brakerski et
al. [17]. The techniques for reducing the plaintext-to-ciphertext overhead to polylogarithmic are
described in the work of Gentry et al. [44], and many practical optimizations are described in
the work of Halevi and Shoup [56]. The scale-invariant flavor of second-generation schemes was
introduced by Brakerski [14] and used also in the work of Bos et al. [13].
Third-generation FHE. The GSW cryptosystem was presented by Gentry et al. in [48], together
with some extensions such as identity-based FHE. The use of asymmetric circuits was proposed by
Brakerski and Vaikuntanathan [20], and additional bootstrapping optimizations using this approach
were described by Alperin-Sheriff and Peikert [3] and by Ducas and Micciancio [30].
Multikey FHE. The concept of a multikey FHE was introduced by López-Alt et al. in [68],
along with a solution based on NTRU. A construction based on LWE was first described by Clear
and McGoldrick [25], and later significantly simplified by Mukherjee and Wichs [73] and improved
further by Peikert and Shiehian [80].
Homomorphic commitments and signatures. An interesting usage of techniques very similar
to those described in this tutorial for the purpose of homomorphic commitments and signatures
was described by Gorbunov et al. in [55].

References
[1] M. Alekhnovich. More on average case vs approximation complexity. Computational Com-
plexity, 20(4):755–786, 2011. Extended asbtract in FOCS 2003.

43
 [2] J. Alperin-Sheriff and C. Peikert. Practical bootstrapping in quasilinear time. In R. Canetti
and J. A. Garay, editors, Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology
Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, volume 8042
of Lecture Notes in Computer Science, pages 1–20. Springer, 2013.

[3] J. Alperin-Sheriff and C. Peikert. Faster bootstrapping with polynomial error. In J. A. Garay
and R. Gennaro, editors, Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology
Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I, volume 8616
of Lecture Notes in Computer Science, pages 297–314. Springer, 2014.

[4] B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast cryptographic primitives and circular-
secure encryption based on hard learning problems. In S. Halevi, editor, Advances in Cryptology
- CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA,
August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Computer Science, pages
595–618. Springer, 2009.

[5] S. Arora and R. Ge. New algorithms for learning in presence of errors. In L. Aceto, M. Hen-
zinger, and J. Sgall, editors, Automata, Languages and Programming - 38th International
Colloquium, ICALP 2011, Zurich, Switzerland, July 4-8, 2011, Proceedings, Part I, volume
6755 of Lecture Notes in Computer Science, pages 403–415. Springer, 2011.

[6] B. Barak and Z. Brakerski. The swiss army knife of cryptography. Blog
document, accessed January 2016, http://windowsontheory.org/2012/05/01/
the-swiss-army-knife-of-cryptography/, 2012.

[7] D. A. M. Barrington. Bounded-width polynomial-size branching programs recognize exactly

those languages in NC1. J. Comput. Syst. Sci., 38(1):150–164, 1989.

[8] A. Blum, M. L. Furst, M. J. Kearns, and R. J. Lipton. Cryptographic primitives based on

hard learning problems. In D. R. Stinson, editor, Advances in Cryptology - CRYPTO ’93, 13th
Annual International Cryptology Conference, Santa Barbara, California, USA, August 22-26,
1993, Proceedings, volume 773 of Lecture Notes in Computer Science, pages 278–291. Springer,
1993.

[9] A. Bogdanov and C. H. Lee. Homomorphic encryption from codes. IACR Cryptology ePrint
Archive, Report 2011/622, 2011. http://eprint.iacr.org/2011/622.

[10] D. Boneh, E. Goh, and K. Nissim. Evaluating 2-dnf formulas on ciphertexts. In J. Kilian, editor,
Theory of Cryptography, Second Theory of Cryptography Conference, TCC 2005, Cambridge,
MA, USA, February 10-12, 2005, Proceedings, volume 3378 of Lecture Notes in Computer
Science, pages 325–341. Springer, 2005.

[11] D. Boneh, A. Sahai, and B. Waters. Functional encryption: Definitions and challenges. In
Y. Ishai, editor, Theory of Cryptography - 8th Theory of Cryptography Conference, TCC 2011,
Providence, RI, USA, March 28-30, 2011. Proceedings, volume 6597 of Lecture Notes in Com-
puter Science, pages 253–273. Springer, 2011.

[12] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Cryptology

ePrint Archive, Report 2002/080, 2002. http://eprint.iacr.org/2002/080.

44
[13] J. W. Bos, K. E. Lauter, J. Loftus, and M. Naehrig. Improved security for a ring-based fully
homomorphic encryption scheme. In M. Stam, editor, Cryptography and Coding - 14th IMA
International Conference, IMACC 2013, Oxford, UK, December 17-19, 2013. Proceedings,
volume 8308 of Lecture Notes in Computer Science, pages 45–64. Springer, 2013.

[14] Z. Brakerski. Fully homomorphic encryption without modulus switching from classical
GapSVP. In R. Safavi-Naini and R. Canetti, editors, Advances in Cryptology - CRYPTO
2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012.
Proceedings, volume 7417 of Lecture Notes in Computer Science, pages 868–886. Springer,
2012.

[15] Z. Brakerski. When homomorphism becomes a liability. In TCC, pages 143–161, 2013.

[16] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully homomorphic encryption without

bootstrapping. In Innovations in Theoretical Computer Science (ITCS’12), 2012. Available
at http://eprint.iacr.org/2011/277.

[17] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (leveled) fully homomorphic encryption

without bootstrapping. ACM Transactions on Computation Theory, 6(3):13, 2014.

[18] Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé. Classical hardness of learning
with errors. In Proceedings of the Forty-fifth Annual ACM Symposium on Theory of Computing,
STOC ’13, pages 575–584, New York, NY, USA, 2013. ACM.

[19] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard)
$\mathsf{LWE}$. SIAM J. Comput., 43(2):831–871, 2014.

[20] Z. Brakerski and V. Vaikuntanathan. Lattice-based FHE as secure as PKE. In M. Naor, editor,
Innovations in Theoretical Computer Science, ITCS’14, Princeton, NJ, USA, January 12-14,
2014, pages 1–12. ACM, 2014.

[21] A. Broadbent and S. Jeffery. Quantum homomorphic encryption for circuits of low t-gate com-
plexity. In R. Gennaro and M. Robshaw, editors, Advances in Cryptology - CRYPTO 2015 -
35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceed-
ings, Part II, volume 9216 of Lecture Notes in Computer Science, pages 609–629. Springer,
2015.

[22] C. Cachin, S. Micali, and M. Stadler. Computationally private information retrieval with
polylogarithmic communication. In J. Stern, editor, Advances in Cryptology - EUROCRYPT
’99, International Conference on the Theory and Application of Cryptographic Techniques,
Prague, Czech Republic, May 2-6, 1999, Proceeding, volume 1592 of Lecture Notes in Computer
Science, pages 402–414. Springer, 1999.

[23] D. Cash, M. Green, and S. Hohenberger. New definitions and separations for circular security.
In M. Fischlin, J. Buchmann, and M. Manulis, editors, Public Key Cryptography - PKC 2012,
volume 7293 of Lecture Notes in Computer Science, pages 540–557. Springer Berlin Heidelberg,
2012.

[24] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan. Private information retrieval. J. ACM,
45(6):965–981, 1998.

45
[25] M. Clear and C. McGoldrick. Multi-identity and multi-key leveled FHE from learning with
errors. In R. Gennaro and M. Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - 35th
Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings,
Part II, volume 9216 of Lecture Notes in Computer Science, pages 630–656. Springer, 2015.
[26] J. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. In
R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO 2013 - 33rd Annual
Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I,
volume 8042 of Lecture Notes in Computer Science, pages 476–493. Springer, 2013.
[27] J. Coron, A. Mandal, D. Naccache, and M. Tibouchi. Fully homomorphic encryption over the
integers with shorter public keys. In P. Rogaway, editor, Advances in Cryptology - CRYPTO
2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011.
Proceedings, volume 6841 of Lecture Notes in Computer Science, pages 487–504. Springer,
2011.
[28] I. Damgård, M. Jurik, and J. B. Nielsen. A generalization of paillier’s public-key system with
applications to electronic voting. Int. J. Inf. Sec., 9(6):371–385, 2010.
[29] G. DiCrescenzo, T. Malkin, and R. Ostrovsky. Single database private information retrieval
implies oblivious transfer. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 2000,
International Conference on the Theory and Application of Cryptographic Techniques, Bruges,
Belgium, May 14-18, 2000, Proceeding, volume 1807 of Lecture Notes in Computer Science,
pages 122–138. Springer, 2000.
[30] L. Ducas and D. Micciancio. FHEW: bootstrapping homomorphic encryption in less than
a second. In E. Oswald and M. Fischlin, editors, Advances in Cryptology - EUROCRYPT
2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic
Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, volume 9056 of Lecture
Notes in Computer Science, pages 617–640. Springer, 2015.
[31] L. Ducas and D. Stehlé. Sanitization of FHE ciphertexts. Manuscript, Available from https:
//heat-project.eu/School/Damien\%20Stehle/HEAT\_FHE\_Stehle.pdf, 2016.
[32] M. Fellows and N. Koblitz. Combinatorial cryptosystems galore! Contemporary Mathematics,
168:51–51, 1994.
[33] T. E. Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms.
IEEE Transactions on Information Theory, 31(4):469–472, 1985.
[34] S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. In T. Jo-
hansson and P. Q. Nguyen, editors, Advances in Cryptology - EUROCRYPT 2013, 32nd An-
nual International Conference on the Theory and Applications of Cryptographic Techniques,
Athens, Greece, May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer
Science, pages 1–17. Springer, 2013.
[35] S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguisha-
bility obfuscation and functional encryption for all circuits. In 54th Annual IEEE Symposium
on Foundations of Computer Science, FOCS 2013, 26-29 October, 2013, Berkeley, CA, USA,
pages 40–49. IEEE Computer Society, 2013.

46
[36] V. Gauthier, A. Otmani, and J.-P. Tillich. A distinguisher-based attack of a homomorphic en-
cryption scheme relying on reed-solomon codes. Cryptology ePrint Archive, Report 2012/168,
2012. http://eprint.iacr.org/2012/168.

[37] C. Gentry. A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford University, Stan-
ford, CA, USA, 2009. AAI3382729.

[38] C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, edi-
tor, Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009,
Bethesda, MD, USA, May 31 - June 2, 2009, pages 169–178. ACM, 2009.

[39] C. Gentry, S. Gorbunov, and S. Halevi. Graph-induced multilinear maps from lattices. In
Y. Dodis and J. B. Nielsen, editors, Theory of Cryptography - 12th Theory of Cryptography
Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, volume
9015 of Lecture Notes in Computer Science, pages 498–527. Springer, 2015.

[40] C. Gentry and S. Halevi. Fully homomorphic encryption without squashing using depth-3
arithmetic circuits. In R. Ostrovsky, editor, IEEE 52nd Annual Symposium on Foundations of
Computer Science, FOCS 2011, Palm Springs, CA, USA, October 22-25, 2011, pages 107–109.
IEEE Computer Society, 2011.

[41] C. Gentry and S. Halevi. Implementing gentry’s fully-homomorphic encryption scheme. In Ad-
vances in Cryptology - EUROCRYPT’11, volume 6632 of Lecture Notes in Computer Science,
pages 129–148. Springer, 2011.

[42] C. Gentry, S. Halevi, M. Raykova, and D. Wichs. Outsourcing private RAM computation. In
55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, Philadel-
phia, PA, USA, October 18-21, 2014, pages 404–413. IEEE Computer Society, 2014.

[43] C. Gentry, S. Halevi, and N. P. Smart. Better bootstrapping in fully homomorphic encryp-
tion. In M. Fischlin, J. A. Buchmann, and M. Manulis, editors, Public Key Cryptography -
PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptogra-
phy, Darmstadt, Germany, May 21-23, 2012. Proceedings, volume 7293 of Lecture Notes in
Computer Science, pages 1–16. Springer, 2012.

[44] C. Gentry, S. Halevi, and N. P. Smart. Fully homomorphic encryption with polylog overhead. In
D. Pointcheval and T. Johansson, editors, Advances in Cryptology - EUROCRYPT 2012 - 31st
Annual International Conference on the Theory and Applications of Cryptographic Techniques,
Cambridge, UK, April 15-19, 2012. Proceedings, volume 7237 of Lecture Notes in Computer
Science, pages 465–482. Springer, 2012. Available from http://eprint.iacr.org/2011/566.

[45] C. Gentry, S. Halevi, and N. P. Smart. Homomorphic evaluation of the AES circuit. In
R. Safavi-Naini and R. Canetti, editors, Advances in Cryptology - CRYPTO 2012 - 32nd
Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings,
volume 7417 of Lecture Notes in Computer Science, pages 850–867. Springer, 2012.

[46] C. Gentry, S. Halevi, and V. Vaikuntanathan. i -hop homomorphic encryption and reran-
domizable yao circuits. In T. Rabin, editor, Advances in Cryptology - CRYPTO 2010,

47
 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Pro-
ceedings, volume 6223 of Lecture Notes in Computer Science, pages 155–172. Springer, 2010.
http://eprint.iacr.org/2010/145.

[47] C. Gentry, S. Halevi, and V. Vaikuntanathan. A simple bgn-type cryptosystem from LWE. In
H. Gilbert, editor, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International
Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May
30 - June 3, 2010. Proceedings, volume 6110 of Lecture Notes in Computer Science, pages
506–522. Springer, 2010.

[48] C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors:
Conceptually-simpler, asymptotically-faster, attribute-based. In R. Canetti and J. A. Garay,
editors, Advances in Cryptology - CRYPTO 2013, Part I, pages 75–92. Springer, 2013.

[49] Y. Gertner, S. Kannan, T. Malkin, O. Reingold, and M. Viswanathan. The relationship be-
tween public key encryption and oblivious transfer. In 41st Annual Symposium on Foundations
of Computer Science, FOCS 2000, 12-14 November 2000, Redondo Beach, California, USA,
pages 325–335. IEEE Computer Society, 2000.

[50] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or A completeness
theorem for protocols with honest majority. In A. V. Aho, editor, Proceedings of the 19th
Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA, pages
218–229. ACM, 1987.

[51] S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich. How to run

turing machines on encrypted data. In R. Canetti and J. A. Garay, editors, Advances in
Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA,
August 18-22, 2013. Proceedings, Part II, volume 8043 of Lecture Notes in Computer Science,
pages 536–553. Springer, 2013.

[52] S. Goldwasser and S. Micali. Probabilistic Encryption. J. Comput. Syst. Sci., 28(2):270–299,
1984.

[53] S. Gorbunov, V. Vaikuntanathan, and H. Wee. Functional encryption with bounded collusions
via multi-party computation. In R. Safavi-Naini and R. Canetti, editors, Advances in Cryptol-
ogy - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August
19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science, pages 162–179.
Springer, 2012.

[54] S. Gorbunov, V. Vaikuntanathan, and H. Wee. Predicate encryption for circuits from LWE. In
R. Gennaro and M. Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - 35th Annual
Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part II,
volume 9216 of Lecture Notes in Computer Science, pages 503–523. Springer, 2015.

[55] S. Gorbunov, V. Vaikuntanathan, and D. Wichs. Leveled fully homomorphic signatures from
standard lattices. In R. A. Servedio and R. Rubinfeld, editors, Proceedings of the Forty-Seventh
Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, June
14-17, 2015, pages 469–477. ACM, 2015.

48
[56] S. Halevi and V. Shoup. Algorithms in HElib. In J. A. Garay and R. Gennaro, editors,
Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara,
CA, USA, August 17-21, 2014, Proceedings, Part I, volume 8616 of Lecture Notes in Computer
Science, pages 554–571. Springer, 2014.

[57] S. Halevi and V. Shoup. Bootstrapping for helib. In E. Oswald and M. Fischlin, editors,
Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the
Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Pro-
ceedings, Part I, volume 9056 of Lecture Notes in Computer Science, pages 641–670. Springer,
2015.

[58] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any
one-way function. SIAM J. Comput., 28(4):1364–1396, Mar. 1999.

[59] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem.
In J. Buhler, editor, Algorithmic Number Theory, Third International Symposium, ANTS-
III, Portland, Oregon, USA, June 21-25, 1998, Proceedings, volume 1423 of Lecture Notes in
Computer Science, pages 267–288. Springer, 1998.

[60] M. Horváth. Survey on cryptographic obfuscation. Cryptology ePrint Archive, Report

2015/412, 2015. http://eprint.iacr.org/2015/412.

[61] Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Cryptography with constant computa-
tional overhead. In C. Dwork, editor, Proceedings of the 40th Annual ACM Symposium on
Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 433–442.
ACM, 2008.

[62] Y. Ishai and A. Paskin. Evaluating branching programs on encrypted data. In Theory of
Cryptography - TCC’07, volume 4392 of Lecture Notes in Computer Science, pages 575–594.
Springer, 2007.

[63] R. M. Karp and V. Ramachandran. Parallel algorithms for shared-memory machines. In

J. van Leeuwen, editor, Handbook of Theoretical Computer Science (Vol. A), pages 869–941.
MIT Press, Cambridge, MA, USA, 1990.

[64] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial
equations, and inner products. J. Cryptology, 26(2):191–224, 2013.

[65] E. Kushilevitz and R. Ostrovsky. Replication is NOT needed: SINGLE database,

computationally-private information retrieval. In 38th Annual Symposium on Foundations
of Computer Science, FOCS ’97, Miami Beach, Florida, USA, October 19-22, 1997, pages
364–373. IEEE Computer Society, 1997.

[66] F. Levy-dit Vehel, M. G. Marinari, L. Perret, and C. Traverso. A survey on polly cracker
systems. In Gröbner Bases, Coding, and Cryptography, pages 285–305. Springer, 2009.

[67] Y. Lindell, editor. ”Tutorials on the Foundations of Cryptography, Dedicated to Oded Goldre-
ich”. Information Security and Cryptography. Springer International Publishing, 2017. DOI
10.1007/978-3-319-57048-8.

49
[68] A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly multiparty computation on the
cloud via multikey fully homomorphic encryption. In H. J. Karloff and T. Pitassi, editors,
Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 2012, New
York, NY, USA, May 19 - 22, 2012, pages 1219–1234. ACM, 2012.

[69] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over
rings. J. ACM, 60(6):43, 2013.

[70] C. A. Melchor, P. Gaborit, and J. Herranz. Additively homomorphic encryption with d -

operand multiplications. In T. Rabin, editor, Advances in Cryptology - CRYPTO 2010, 30th
Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings,
volume 6223 of Lecture Notes in Computer Science, pages 138–154. Springer, 2010.

[71] D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In
D. Pointcheval and T. Johansson, editors, Advances in Cryptology - EUROCRYPT 2012 - 31st
Annual International Conference on the Theory and Applications of Cryptographic Techniques,
Cambridge, UK, April 15-19, 2012. Proceedings, volume 7237 of Lecture Notes in Computer
Science, pages 700–718. Springer, 2012.

[72] D. Micciancio and O. Regev. Worst-case to average-case reductions based on gaussian mea-
sures. SIAM J. Comput., 37(1):267–302, 2007.

[73] P. Mukherjee and D. Wichs. Two round mutliparty computation via multi-key FHE. Cryp-
tology ePrint Archive, Report 2015/345, 2015. http://eprint.iacr.org/2015/345, accessed
Jan, 2016.

[74] K. Nuida. Candidate constructions of fully homomorphic encryption on finite simple groups
without ciphertext noise. Cryptology ePrint Archive, Report 2014/097, 2014. http://eprint.
iacr.org/2014/097, accessed Jan 2016.

[75] A. O’Neill. Definitional issues in functional encryption. Cryptology ePrint Archive, Report
2010/556, 2010. http://eprint.iacr.org/2010/556.

[76] R. Ostrovsky and W. E. S. III. A survey of single-database private information retrieval:

Techniques and applications. In T. Okamoto and X. Wang, editors, Public Key Cryptography -
PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography,
Beijing, China, April 16-20, 2007, Proceedings, volume 4450 of Lecture Notes in Computer
Science, pages 393–411. Springer, 2007. Available at http://eprint.iacr.org/2007/059.

[77] R. Ostrovsky, A. Paskin-Cherniavsky, and B. Paskin-Cherniavsky. Maliciously circuit-private

FHE. In J. A. Garay and R. Gennaro, editors, Advances in Cryptology - CRYPTO 2014 - 34th
Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings,
Part I, volume 8616 of Lecture Notes in Computer Science, pages 536–553. Springer, 2014.
Available from https://eprint.iacr.org/2013/307.

[78] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In J. Stern,
editor, Advances in Cryptology - EUROCRYPT ’99, International Conference on the Theory
and Application of Cryptographic Techniques, Prague, Czech Republic, May 2-6, 1999, Pro-
ceeding, volume 1592 of Lecture Notes in Computer Science, pages 223–238. Springer, 1999.

50
[79] C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended
abstract. In M. Mitzenmacher, editor, Proceedings of the 41st Annual ACM Symposium on
Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, pages 333–
342. ACM, 2009.

[80] C. Peikert and S. Shiehian. Multi-key fhe from lwe, revisited. Cryptology ePrint Archive,
Report 2016/196, 2016. http://eprint.iacr.org/.

[81] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM,
56(6), 2009.

[82] R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In
Foundations of Secure Computation, pages 169–177. Academic Press, 1978.

[83] R. Rothblum. Homomorphic encryption: From private-key to public-key. In Y. Ishai, editor,

Theory of Cryptography - 8th Theory of Cryptography Conference, TCC 2011, Providence, RI,
USA, March 28-30, 2011. Proceedings, volume 6597 of Lecture Notes in Computer Science,
pages 219–234. Springer, 2011.

[84] A. Sahai and B. Waters. Slides on functional encryption. PowerPoint presentation, 2008.
http://www.cs.utexas.edu/~bwaters/presentations/files/functional.ppt.

[85] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a
quantum computer. SIAM Review, 41(2):303–332, 1999.

[86] N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and
ciphertext sizes. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography - PKC
2010, 13th International Conference on Practice and Theory in Public Key Cryptography,
Paris, France, May 26-28, 2010. Proceedings, volume 6056 of Lecture Notes in Computer
Science, pages 420–443. Springer, 2010.

[87] N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. Des. Codes Cryptog-
raphy, 71(1):57–81, 2014.

[88] V. Vaikuntanathan. Computing blindfolded: New developments in fully homomorphic encryp-

tion. In R. Ostrovsky, editor, IEEE 52nd Annual Symposium on Foundations of Computer
Science, FOCS 2011, Palm Springs, CA, USA, October 22-25, 2011, pages 5–16. IEEE Com-
puter Society, 2011.

[89] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption
over the integers. In Advances in Cryptology - EUROCRYPT 2010, 29th Annual International
Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May
30 - June 3, 2010. Proceedings, pages 24–43, 2010.

[90] M. Walfish and A. J. Blumberg. Verifying computations without reexecuting them. Commun.
ACM, 58(2):74–84, 2015.

[91] A. C. Yao. Protocols for secure computations (extended abstract). In 23rd Annual Symposium
on Foundations of Computer Science – FOCS ’82, pages 160–164. IEEE, 1982.

51