
HomomorphicEncryptionAlgorithmsandSchemesforSecureComputationsintheCloud

The document discusses the challenges of data security in cloud computing and introduces homomorphic encryption as a solution that allows computations on encrypted data without exposing the plaintext to cloud service providers. It provides a detailed survey of various homomorphic encryption schemes, including fully homomorphic encryption (FHE), and outlines their properties, algorithms, and potential applications. The paper aims to guide researchers in understanding and advancing the field of homomorphic encryption to enhance data confidentiality and security in cloud environments.

Uploaded by

riteshyad04

Homomorphic Encryption Algorithms and Schemes for Secure Computations in the Cloud


Majedah Alkharji (1), Hang Liu (2)
(1) Ph.D. Student, Electrical Engineering and Computer Science, CUA, Washington, DC, [email protected]
(2) Associate Professor, Electrical Engineering and Computer Science, CUA, Washington, DC, [email protected]

Abstract
Although cloud computing continues to grow rapidly, the shift to Internet-based shared computing services has created new security challenges. Organizations move to cloud technology looking for efficient and fast computing, but data security remains their top concern. Confidential data are prone to leaks because of the modern trend of outsourcing computations to third parties. Furthermore, data breaches can remove any benefits businesses gain by moving to cloud computing technology. Three important questions must be considered: How can we guarantee that the user's private data will always be kept safe and secure? Can the cloud service provider be relied on to store and process a client's private data confidentially? Is it possible to ensure that even if the cloud provider has been attacked, the client's confidential data will not be stolen or reused? To provide better data protection during communication and storage, many cryptographic algorithms have already been used, but these methods are practically inapplicable because they require the data to be visible to the cloud provider: the private key has to be transmitted to the server to perform the required operations. In the past thirty years, privacy homomorphism has been used to solve this issue. Homomorphic encryption allows us to execute arithmetical calculations directly on the ciphertext while keeping the secret key that is used to decrypt the result. In addition to preserving privacy, it provides the exact same result as if we performed the computations on the plaintext. So far, many fully homomorphic encryption (FHE) schemes, which evaluate an arbitrary number of additions and multiplications, have been implemented, but researchers remain unable to design more secure and powerful schemes. In this paper, a detailed survey of homomorphic encryption using public key algorithms such as RSA, El-Gamal, and Paillier is given; then FHE schemes are introduced as well. This work can be helpful as a guide to the principles and properties of FHE, as researchers believe in the possibility of advancement in the FHE area.

Keywords Cryptography, Cloud Security, Confidentiality, Homomorphic Encryption (HE), Fully Homomorphic Encryption
Schemes (FHE).

1. Introduction

In the contemporary world, internet and computer usage is on the rise, with more than 90% of the world's population using this technology. Given the heightened application of public cloud and internet in data warehousing, security is a prime requirement to ensure confidentiality and integrity of data as well as the accessibility of the information system resources. Hence, the improvement in statistical and computational techniques for machine learning linked with the emergence of powerful, cloud-based computing platforms in the last ten years.

By cloud computing we mean: providing on-demand network access to shared IT computing resources (e.g., servers, storage applications, and networks) using IT components (e.g., hardware and software) via the internet or a private network [1]. Cloud computing, which entails a provision of applications offered by third-party cloud service providers (CSP) such as Microsoft, is used by IT professionals as a platform on which they can offer services to users in a more flexible and convenient manner [34]. Storing data on remote servers rather than in-house is definitely cost-effective [13]. Also, by transmission into the data-centric cloud environment, data will be more easily accessible than before. Moreover, through a Cloud Service Provider (CSP), a user can store data into a package of cloud servers that enhances interaction.

Despite the efficient computing solution and economic advantages associated with cloud computing, users are very worried about the security and confidentiality of data stored and processed in the cloud. Those concerns are caused by security risks such as insider threats, security breaches, and potential hackers [19]. These security challenges to data confidentiality arise when uploading and retrieving data to/from the cloud (data in motion), and also when the data is located in cloud servers of an untrusted CSP (data at rest) [12].

Among the solutions provided in safeguarding the data stored in the cloud is the encryption of the data making it
inaccessible by unauthorized personnel [13]. Hence, in the era of “big data” and “cloud computing”, encryption solutions must be applied to achieve the objective of data protection including confidentiality and integrity. Protection of information while guaranteeing its accessibility presents fresh setbacks. The usage of either symmetric or asymmetric (public key) encryption algorithms (see Figure 1) is not completely sufficient for the cloud-based scenario [31]. Moreover, once encrypted data is opened for computations, it cannot be processed safely within the cloud, and this presents a major cloud computing constraint [25].

Figure 1: Asymmetric encryption functions applied to the cloud.

These drawbacks bring the role of Homomorphic Encryption (HE) into the picture. Homomorphic encryption is provided as an effective algorithm to protect the data stored in the cloud and provide assurance to people to use the cloud for data storage [1].

The goal of this paper is to provide researchers with detailed guidelines on Homomorphic Encryption, as well as Fully Homomorphic Encryption, including algorithms, performance, and security assumptions. These concepts should be enough to understand how HE and FHE work. The following documentation should provide a strong basis for researchers who would like to deepen their knowledge of these subjects.

Organization of this Guideline - The next section of this paper recalls some basic concepts of homomorphic encryption (HE), followed by the functions of HE. After that, the theoretical background of various HE schemes is given. Section 4 in this survey gives details about the properties of HE schemes, either additive HE such as Paillier and Goldwasser-Micali (GM) (section 4.1), or multiplicative HE like RSA and El-Gamal (section 4.2). The following section (5) is about the categories of HE: “partial” homomorphic encryption (PHE) (section 5.1), “somewhat” homomorphic encryption (SWHE) (section 5.2), and Fully Homomorphic Encryption (FHE) (section 5.3). Also, different schemes in each category along with their fundamental definitions, algorithms, semantic security, and possible applications are provided. The following one (section 6) features a comprehensive detailed survey about the improvement in the field of FHE. The last section discusses the weaknesses of FHE and the conclusion.

2. Homomorphic Encryption (HE)
2.1 Definition of Homomorphic encryption

The main objective of encryption is to assure data privacy and confidentiality in both storage and treatment processes. Accordingly, an untrusted CSP will be given an encrypted version of the data to work on. Many conventional cryptographic algorithms have been proposed and implemented to ensure security [13], [15]. When all warehoused information (personal, wellbeing, financial and so on) is encrypted, that would solve all the challenges identified with information security such as data security, third party control, and availability. Data in the cloud can be encrypted and stored as a means of protecting it from loss or breach, but it can't be processed if sent to/from the CSP in the encrypted format, as it will not be accessible. Therefore, the CSP has to decrypt the data, which is against privacy and confidentiality, and then perform the calculations on the data before sending the outcome to the user; hence, both users and companies have to trust the CSP to carry out operations [19], [31].

The practice shows weaknesses in the encryption methods of protecting data since it allows for loss of privacy and confidentiality. Using encryption means that the user will have to provide the cloud provider with the private key to allow data computation before it is sent back to the user. The practice will then lead to the users giving up their confidential information, which is not the aim of the cloud data storage technology. The weaknesses can be addressed by having a tool or an approach that allows the data to be computed without decryption by the cloud provider and then sent to the user.

Consider the possibility that the client could complete any calculation on the data without the cloud provider finding out about the client's information - calculation is done on encoded information without earlier decoding. This is the guarantee of homomorphic encryption plans [31]. Homomorphic encryption refers to “the encryption technology that implies that the procedures on the encrypted data and matching outcome can be attained as on original data.” The mathematical operations can be done on the ciphertext without altering the nature of the encryption [28]. With HE, a firm can encrypt its database and submit
it to a cloud and the data can be processed without decrypting it; in other words, homomorphic encryption cryptosystems perform activities on encrypted information without the private key held by the client [34], [12].

As such, the user can perform arbitrary computations on the hosted information without the intervention of the cloud provider [19]. However, HE has its limitations, which include its inability to deal with certain threats such as attacks with selected ciphertext (IND-CCA) and attacks with selected plaintext (IND-CPA). These setbacks emphasize the demand for a capability to carry out computations on encrypted data, a capability that offers several crucial applications including the capacity to privately outsource computations [35].

2.2 Functions of Homomorphic encryption

An encryption scheme is considered homomorphic if: given a plaintext (m) = (m1, m2), one can compute E[f(m1, m2)] from E(m1) and E(m2), without using pk, where f might be +, ×, ⊕. Homomorphic encryption permits the conversion of ciphertext c(m) of text m to ciphertext c(f(m)) of a function of text m without revealing the message [28], [19], [34], [12].

Homomorphic Encryption (HE) comprises seven principles as shown in Figure 2:
HE = {Key Generation (G), Encryption (E), Storage, Request, Evaluation (EV), Response, and Decryption (D)}.

Figure 2: Homomorphic encryption applied to the cloud.

Client:
  Plaintext (m) = m1, m2.
  (1) Client generates (pk), (sk).
  (2) Client encrypts: c = E_pk(m) = (E_pk(m1), E_pk(m2)).
  (3) Client sends c, pk to the cloud server.
  (5) Client sends requests to the server to perform the operation.
  (8) Client decrypts the returned (y): m = D_sk(y).

Cloud Provider:
  (4) c and pk are stored in the database.
  (6) The server processes the requested function and performs the operation on c without decryption:
      y = EV_pk f(c) = EV_pk f(E_pk(m1), E_pk(m2)).
  (7) The processed result (y) is returned to the client.

(1) Key Generation (G) – at this stage, the client generates two keys: a public key (pk) alongside a secret/private key (sk) to perform the encryption of plaintext (m).
(2, 3) Encryption (E) – is the point at which the client encrypts the plaintext (m) using pk and produces E_pk(m). Then, the ciphertext (c) is delivered to the server alongside pk.
(4) Storage – entails the preservation of the pk and the encrypted data in the cloud databank.
(5) Request – to analyze the encrypted information, the client must send a request to the main server.
(6) Evaluation (EV) – the server processes the request and performs function f to evaluate the ciphertext (c), in line with the needed evaluation function, using pk.
(7) Response – consequently, the cloud provider responds by returning the sorted-out result to the client.
(8) Decryption (D) – the created EV(f(c)) is deciphered by the client applying its secret key, and it obtains the original data (m).

3. History of the HE

The concept of “privacy Homomorphism” was introduced by Rivest, Adleman, and Dertouzos in 1978. Although the concept had been proposed, little progress was made over a period of 30 years. Goldwasser and Micali suggested in 1982 a provable encryption system known as Goldwasser-Micali (GM), which developed to an outstanding level of safety. This system was an additive homomorphic encryption, but it could perform just one operation and encrypt a single bit. The GM encryption scheme performs addition of encrypted bits mod 2 (that is, the exclusive-OR function). The Benaloh Cryptosystem is an extension of the Goldwasser-Micali (GM). It was developed in 1994 by Benaloh. Four years later, the Naccache–Stern cryptosystem (NS) was proposed by Naccache and Stern in 1998. The Okamoto–Uchiyama (OU) cryptosystem was illustrated in the same year by Okamoto and Uchiyama. On the same note, Pascal Paillier declared another provably secure additive homomorphic encryption scheme in 1999. In late 2000, the Damgård–Jurik cryptosystem (DJ) was proposed by Damgård and Jurik, and it was a generalization of the Paillier cryptosystem. All these schemes were intensively studied and supported either homomorphic addition or multiplication of plaintexts, but not both!

Boneh, Goh, and Nissim developed in 2005 a better semantically secure technology, known as the Boneh-Goh-Nissim (BGN) cryptosystem. It allows an arbitrary number of additions but only a single multiplication.

In 2009, Craig Gentry invented the groundbreaking work of fully homomorphic encryption; since then, the primitive blueprint has interested many researchers. In the next section, the properties of HE are addressed, and in the one following, details of these cryptosystems are given under the HE categories they are most related to [28], [34], [35], [3], [18], [36], [19].

4. Properties of Homomorphic Encryption

The HE systems can be classified in line with the operation that they allow to be performed on the original data, as follows [1], [19], [34], [28], [12]:
1. Additive homomorphic encryption (e.g., Paillier, GM cryptosystem), or
2. Multiplicative homomorphic encryption (e.g., RSA, El-Gamal cryptosystem).

HE enables servers to carry out sophisticated mathematical computations on encrypted records without knowing the original message. In more detail, given plaintexts m1 & m2 and the corresponding ciphertexts c1 & c2, a HE scheme allows the processing of c1 Θ c2 without applying pk1 Θ pk2. In that connection, the cryptosystem is additive or multiplicative homomorphic in nature depending on the Θ operation, which can be addition or multiplication.

4.1 Additive Homomorphic Encryption (AHE)

The additive operation allows the HE schemes to evaluate raw data. Examples of this scheme are the Paillier, GM, Benaloh, and Okamoto-Uchiyama cryptosystems. Scholars assert that HE is additive if:
E(m1 ⊕ m2) = E(m1) ⊕ E(m2), without knowing (m1) and (m2).

4.2 Multiplicative Homomorphic Encryption (MHE)

In simple terms, the multiplicative homomorphic scheme property refers to systems in which ciphertexts are obtained from the ultimate product of plaintexts. The RSA and El-Gamal cryptosystems constitute multiplicative homomorphic schemes. Homomorphic encryption is multiplicative if:
E(m1 ⊗ m2) = E(m1) ⊗ E(m2), without knowing (m1) and (m2).

5. Categories of Homomorphic Encryption
5.1 Partially HE Schemes (PHE)

In partially homomorphic encryption, one operation, either addition (ex: Paillier, GM cryptosystem) or multiplication (ex: RSA, El-Gamal cryptosystem), can be performed on the ciphertext, but both operations cannot be handled [12]. The following algorithms are different examples of PHE cryptosystems. For more details, Kukucka in his thesis [20] investigated these algorithms theoretically.

5.1.1 Goldwasser-Micali cryptosystem (GM)

The Goldwasser-Micali (GM) additive HE cryptosystem was proposed by Goldwasser and Micali in 1982. It is considered a probabilistic public key algorithm, but it can encrypt ciphertext bit-by-bit [12]. This scheme is considered an important stepping stone for later research. Some schemes proposed afterwards were treated as generalizations of this one [15]. GM has the XOR homomorphic characteristic, or we can call it addition modulo 2. The security of the GM cryptosystem relies on the quadratic residuosity problem [20].

5.1.2 The Benaloh Cryptosystem

The Benaloh Cryptosystem was proposed to improve the poor expansion factor provided by the GM Cryptosystem. Instead of bit-by-bit encryption, the Benaloh scheme encrypts the ciphertext block-by-block at once with r bits length using a technique called “dense probabilistic encryption.” Assuming we have a k-bit plaintext and n is the security parameter, this technique computes the encryption of the k-bit plaintext to get a ciphertext of n + k bits. The Benaloh cryptosystem messages are restricted by a small prime. This scheme rests on the difficulty of the higher residuosity problem [20].

5.1.3 Naccache–Stern cryptosystem (NS)

The Naccache–Stern cryptosystem was classified first as a deterministic public key homomorphic scheme, but it has been proved that after revision, it can be made probabilistic [25]. NS has been counted as a generalization of the Benaloh cryptosystem by reducing the expansion factor of the ciphertext, since the messages are restricted by the multiplication of many small primes. In terms of time complexity, recovering a plaintext from its matching ciphertext is a little less effective because the procedure includes decoding the ciphertext modulo each of the small prime factors and then resetting the ciphertext using Chinese remaindering [20]. The security of the NS cryptosystem relies on the higher residuosity problem, which is considered to be more intractable than integer factorization.

5.1.4 Okamoto-Uchiyama Cryptosystem (OU)

Like the RSA public key cryptography scheme, the Okamoto-Uchiyama homomorphic (OU) cryptosystem relies on the challenge of factoring large integers. The primary difference of this system is that it works in the multiplicative group of integers modulo n, where n is of the form N = p^2·q instead of N = p·q, where p and q are large primes. This cryptosystem is considered homomorphic under addition, subtraction, and multiplication of ciphertext. The semantic security of this probabilistic scheme derives from the p-subgroup assumption, which is very similar to the quadratic residuosity problem and the higher residuosity problem [20].

5.1.5 Paillier cryptosystem

Pascal Paillier proposed a new probabilistic asymmetric cryptographic algorithm, which contains an additive homomorphic characteristic. It has been seen as an expansion of Okamoto-Uchiyama. The innovation is proven under the Decisional Composite Residuosity Assumption (DCRA) [31]. As such, it has numerous applications such as threshold schemes and e-voting systems.

Algorithm 1 demonstrates the additive property of the Paillier cryptosystem [15], [28], [34], [1], [19].

Algorithm 1: Paillier Algorithm

Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p and q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute n = p · q
    Compute φ(n) = (p - 1) · (q - 1), where gcd(n, φ(n)) = 1
    Compute λ = lcm(p − 1, q − 1) (Carmichael's function)
    Choose g ∈ G, where g is a random integer, and G = Z*_{n^2}
    Compute μ = (L(g^λ mod n^2))^(-1) mod n
      (means gcd(L(g^λ mod n^2), n) = 1, where L(u) = (u – 1) / n)
  Output: (pk, sk)
    Public key: pk = (n, g)
    Secret key: sk = (p, q) or (equivalently λ)

Encryption: E(m, pk): c
  Input: (m), and pk = (n, g), where m < n
    Plaintext (m) ∈ Z_n, where Z_n = {0, 1, …, n-1}
  Computation:
    Choose r ∈ Z*_n, where r is a random integer < n
    Compute c = g^m · r^n mod n^2
  Output: (c)
    Ciphertext (c) ∈ Z_{n^2}

Decryption: D(c, sk): m
  Input: (c), and sk, where c < n^2
    Ciphertext (c) ∈ Z_{n^2}
  Computation:
    Compute m = L(c^λ mod n^2) · L(g^λ mod n^2)^(−1) mod n
            m = L(c^λ mod n^2) · μ mod n
  Output: (m)
    Plaintext (m) ∈ Z_n

Assume there are two ciphertexts c1 & c2; the following illustration demonstrates the additive homomorphic characteristic of the Paillier cryptosystem:
  c1 = g^m1 · r1^n mod n^2
  c2 = g^m2 · r2^n mod n^2
  c1 · c2 = g^m1 · r1^n mod n^2 · g^m2 · r2^n mod n^2
  Additive property is: g^(m1+m2) · (r1 · r2)^n mod n^2

5.1.6 Damgard-Jurik Cryptosystem (DJ)

Damgard-Jurik is a probabilistic asymmetric homomorphic cryptosystem serving addition and subtraction. Similar to Paillier, Damgard-Jurik is also based on DCRA; the only variation here is that DJ computes modulo n^(s+1) instead of n^2 in Paillier. DJ is a generalization of Paillier's scheme to groups of Z*_{n^(s+1)}, where s > 0. When s increases, we get a decreased expansion. DJ semantic security relies on the assumption of the Decisional Composite Residuosity Problem [15], [20].

5.1.7 RSA Algorithm

In 1978, Rivest, Shamir, and Adleman suggested their most widely used public-key cryptosystem. The RSA scheme has a multiplicative homomorphic property. This means the homomorphic encryption scheme given by RSA is the product of two messages modulo n. RSA semantic security relies on the hardness of the integer factorization problem. Algorithm 2 demonstrates the multiplicative property of the RSA cryptosystem [34], [28], [19], [26], [1], [15].

Algorithm 2: RSA Algorithm

Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p and q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute n = p · q
    Compute φ(n) = (p - 1) · (q - 1), where gcd(n, φ(n)) = 1
    Choose e ∈ {2, . . . , φ(n) − 1}, where e is a random integer such that gcd(e, φ(n)) = 1
    Compute d = e^(−1) (mod φ(n)) (means e · d = 1 mod φ(n))
  Output: (pk, sk)
    Public key: pk = (n, e)
    Secret key: sk = (d)

Encryption: E(m, pk): c
  Input: (m), and pk = (n, e)
    Plaintext (m) ∈ Z_n, where Z_n = {0, 1, …, n-1}
  Computation:
    Compute c = m^e mod n
  Output: (c)
    Ciphertext (c) ∈ Z_n

Decryption: D(c, sk): m
  Input: (c), and sk = (d)
    Ciphertext (c) ∈ Z_n
  Computation:
    Compute m = c^d mod n
  Output: (m)
    Plaintext (m) ∈ Z_n

Assume there are two ciphertexts, c1 & c2; the following illustration demonstrates the multiplicative homomorphic characteristic of the RSA cryptosystem:
  c1 = m1^e mod n
  c2 = m2^e mod n
  c1 · c2 = m1^e · m2^e mod n
  Multiplicative property is: = (m1 · m2)^e mod n

5.1.8 El-Gamal Encryption Algorithm

Similar to RSA, the public key encryption scheme given by El-Gamal is a multiplicative homomorphic encryption cryptosystem. It was proposed by Taher El-Gamal in 1984, and its security relies on the hardness of the Diffie-Hellman problem. The next algorithm (Algorithm 3) demonstrates the multiplicative property of the El-Gamal cryptosystem [12], [26], [28], [15].

Algorithm 3: El-Gamal Algorithm

Key Generation: G(p, g): pk, sk
  Input: (p, g)
    Choose p ∈ P, where p is a large prime number
    Choose g ∈ Z*_p, where g is a generator of the cyclic group Z*_p
    Choose a ∈ {2, . . . , p − 2}, where a is a random integer
  Computation:
    Compute β = g^a mod p
  Output: (pk, sk)
    Public key: pk = (p, g, β)
    Secret key: sk = (a)

Encryption: E(m, pk): c
  Input: (m), and pk = (p, g, β)
    Plaintext (m) ∈ Z_p, where Z_p = {0, 1, …, p-1}
    Choose k ∈ {2, . . . , p − 2}, where k is a random integer
  Computation:
    Compute x = g^k mod p
    Compute y = m · β^k mod p
  Output: (c)
    Ciphertext c = (x, y)

Decryption: D(c, sk): m
  Input: c = (x, y), and sk = (a)
    Ciphertext (c) ∈ Z_p
  Computation:
    Compute m = x^(-a) · y mod p
  Output: (m)
    Plaintext (m) ∈ Z_p

Assume there are two ciphertexts, c1 = (x1, y1) & c2 = (x2, y2). The following illustration demonstrates the multiplicative homomorphic characteristic of the El-Gamal cryptosystem:
  c1 · c2 = (x1, y1) · (x2, y2) = (x1 · x2, y1 · y2)
          = g^k1 · g^k2, (m1 · β^k1) · (m2 · β^k2) mod p
  Multiplicative property is: = g^(k1+k2), (m1 · m2) · β^(k1+k2) mod p

In terms of PHE schemes' efficiency - NS permits the least message expansion (N/Q) as compared to the Benaloh cryptosystem. In order to ensure that the system remains protected and secure, the lower bound of this expansion rate should be four. Improved schemes have been developed with the expansion factor being lowered to increase efficiency. Nonetheless, NS has not been deemed as suitable as the Okamoto-Uchiyama cryptosystem, which is easier to apply and has a constant expansion rate of three. Scholars aimed at reducing the rate but without decreasing the level of security. For instance, the Paillier cryptosystem allowed efficient decryption by enabling encryption of many bits during a single calculation with a better expansion rate of two. The safety of the DJ cryptosystem compares to Paillier's original innovation, but this generalization of Paillier permits reduction of the expansion rate to about one. A comparison of Paillier, RSA, DJ, and El-Gamal can be attained assuming the same security factor k [25].
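Algorithm 1 run through the client/cloud steps of Figure 2, as an added example that is not code from the paper: the client keeps (λ, μ), the cloud only multiplies ciphertexts modulo n^2. The function names, the two toy Mersenne primes and he_scale (repeated addition, which goes one step beyond the c1 · c2 identity shown above) are assumptions of this sketch.

```python
import math
import secrets

# Constructed toy primes (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1


def L(u, n):
    """L(u) = (u - 1) / n from Algorithm 1; exact whenever u = 1 mod n."""
    return (u - 1) // n


def keygen(p, q):
    """Step (1): returns pk = (n, g) and sk = (lambda, mu)."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("Algorithm 1 requires gcd(n, phi(n)) = 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    n2 = n * n
    while True:
        g = secrets.randbelow(n2 - 2) + 2               # random g in Z*_{n^2}
        if math.gcd(g, n) != 1:
            continue
        l_val = L(pow(g, lam, n2), n)
        if math.gcd(l_val, n) == 1:                     # mu must exist
            return (n, g), (lam, pow(l_val, -1, n))


def encrypt(pk, m):
    """Step (2): c = g^m * r^n mod n^2 with fresh random r in Z*_n."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    """Step (8): m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pk
    lam, mu = sk
    return (L(pow(c, lam, n * n), n) * mu) % n


def he_add(pk, c1, c2):
    """Cloud side: E(m1) * E(m2) mod n^2 is an encryption of m1 + m2 mod n."""
    n = pk[0]
    return (c1 * c2) % (n * n)


def he_scale(pk, c, k):
    """Cloud side: E(m)^k mod n^2 is an encryption of k * m mod n."""
    n = pk[0]
    return pow(c, k, n * n)


def cloud_sum(pk, ciphertexts):
    """Step (6): fold he_add over stored ciphertexts; no secret key involved."""
    acc = 1                       # 1 = g^0 * 1^n, a valid encryption of 0
    for c in ciphertexts:
        acc = he_add(pk, acc, c)
    return acc


def run_workflow(values):
    """Steps (1)-(8) of Figure 2 for f = sum, returning the decrypted result."""
    pk, sk = keygen(P, Q)                         # (1) client
    stored = [encrypt(pk, m) for m in values]     # (2)-(4) upload and store
    y = cloud_sum(pk, stored)                     # (5)-(6) evaluate on ciphertexts
    return decrypt(pk, sk, y)                     # (7)-(8) client decrypts


if __name__ == "__main__":
    print(run_workflow([1200, 345, 55]))
```

Every ciphertext is an element of Z_{n^2}, so it takes about twice the bits of n, which is the expansion rate of two mentioned above; sums are only correct while the true total stays below n, because the result is reduced modulo n.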
Table 1 presents a comparison between all the different HE schemes according to properties, categories, and security assumption.

HE Scheme               | Year | HE Categories | Homomorphic Features                              | Security Assumption
Privacy Homomorphism    | 1978 | ---           | ---                                               | ---
Goldwasser-Micali (GM)  | 1982 | PHE           | XOR                                               | Quadratic residuosity problem
The Benaloh             | 1994 | PHE           | Additive                                          | Higher residuosity problem
Naccache–Stern (NS)     | 1998 | PHE           | Additive                                          | Higher residuosity problem
Okamoto-Uchiyama (OU)   | 1998 | PHE           | Additive                                          | P-subgroup assumption
Paillier                | 1999 | PHE           | Additive                                          | Decisional Composite Residuosity Assumption (DCRA)
Damgard-Jurik (DJ)      | 2000 | PHE           | Additive                                          | Decisional Composite Residuosity Assumption (DCRA)
RSA                     | 1977 | PHE           | Multiplicative                                    | Integer factorization problem
El-Gamal                | 1984 | PHE           | Multiplicative                                    | Diffie-Hellman problem
Boneh-Goh-Nissim (BGN)  | 2005 | SWHE          | unlimited additions, but only one multiplication  | Subgroup decision problem
Gentry's FHE            | 2009 | FHE           | unlimited additions and multiplication            | Sparse Subset Sum (SSSP) assumption

Table 1. Properties, Categories, and Security Assumption of HE Schemes [1] [12] [20].
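The two "Multiplicative" rows of Table 1 (Algorithms 2 and 3) side by side, as an added example that is not code from the paper. It also shows two things the cloud client has to plan for: the product is reduced modulo n, and textbook RSA is deterministic while El-Gamal is randomized. Function names, the fixed e = 65537 and the toy Mersenne primes are assumptions of this sketch.

```python
import math
import secrets

# Constructed toy parameters; far too small for real use.
P31 = 2**31 - 1                                   # Mersenne prime
P61 = 2**61 - 1                                   # Mersenne prime
P31_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331) # prime factors of P31 - 1


# ---- Algorithm 2: textbook RSA ----
def rsa_keygen(p, q, e=65537):
    """Returns pk = (n, e) and sk = d; e is fixed here instead of random."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)


def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(pk, d, c):
    return pow(c, d, pk[0])


def rsa_mul(pk, c1, c2):
    """Cloud side: c1 * c2 mod n encrypts m1 * m2 mod n."""
    return (c1 * c2) % pk[0]


# ---- Algorithm 3: El-Gamal ----
def find_generator(p, factors):
    """Smallest g whose order is exactly p - 1 (a generator of Z*_p)."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // f, p) != 1 for f in factors):
            return g
    raise ValueError("no generator found")


def elgamal_keygen(p, factors):
    """Returns pk = (p, g, beta) and sk = a with a in {2, ..., p-2}."""
    g = find_generator(p, factors)
    a = secrets.randbelow(p - 3) + 2
    return (p, g, pow(g, a, p)), a


def elgamal_encrypt(pk, m):
    """c = (g^k, m * beta^k) mod p with a fresh random k per message."""
    p, g, beta = pk
    if not 1 <= m < p:
        raise ValueError("plaintext must lie in Z*_p")
    k = secrets.randbelow(p - 3) + 2
    return pow(g, k, p), (m * pow(beta, k, p)) % p


def elgamal_decrypt(pk, a, c):
    p = pk[0]
    x, y = c
    return (pow(x, -a, p) * y) % p


def elgamal_mul(pk, c1, c2):
    """Cloud side: component-wise product encrypts m1 * m2 mod p."""
    p = pk[0]
    return (c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p


def compare(m1, m2):
    """Runs both schemes on the same inputs and reports what the client sees."""
    rpk, d = rsa_keygen(P31, P61)
    epk, a = elgamal_keygen(P31, P31_MINUS_1_FACTORS)
    return {
        "rsa_product": rsa_decrypt(
            rpk, d, rsa_mul(rpk, rsa_encrypt(rpk, m1), rsa_encrypt(rpk, m2))),
        "elgamal_product": elgamal_decrypt(
            epk, a, elgamal_mul(epk, elgamal_encrypt(epk, m1),
                                elgamal_encrypt(epk, m2))),
        # Same plaintext, same ciphertext: equal values are visible to the CSP.
        "rsa_deterministic": rsa_encrypt(rpk, m1) == rsa_encrypt(rpk, m1),
        # Fresh k each time, so repeated plaintexts are not linkable.
        "elgamal_randomized": elgamal_encrypt(epk, m1) != elgamal_encrypt(epk, m1),
    }


if __name__ == "__main__":
    print(compare(6, 7))
```

Because anyone holding pk can form these products, decryption alone does not tell the client whether the returned ciphertext is the result of the requested function; that check has to come from outside the scheme.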

5.2 Somewhat HE Schemes (SWHE)

Somewhat homomorphic encryption approaches can only evaluate a multiple but limited number of addition and multiplication activities [12]. SWHE schemes refer to encryption systems that present certain homomorphic characteristics but lack full homomorphic capacity. The schemes support a certain number of additions but only single multiplication operations, and every time the operations are done, they result in “noise” in the ciphertexts that eventually makes decryption impossible [32], [31]. Additionally, in SWHE systems, the ciphertexts could expand in size, hence violating the compact message requirement. Boneh-Goh-Nissim (BGN), described below, is considered the most famous SWHE scheme. For more information about the algorithm and its security, see Kukucka's thesis [20].

5.2.1 Boneh-Goh-Nissim (BGN)

Over the years, the first major breakthrough in this area was suggested in 2005. The different schemes have allowed the merging of addition and multiplication with a fixed size of ciphertexts. Boneh, Goh, and Nissim developed a better semantically secure technology, known as the Boneh-Goh-Nissim (BGN) cryptosystem. With the BGN public key cryptosystem, it became possible to handle an arbitrary number of additions but only a single multiplication. The BGN cryptosystem uses bilinear pairings to allow the computation of a single homomorphic multiplication of two ciphertexts. Also, it evaluates quadratic formulas on encrypted data (e.g., 2-DNFs) [36], [3], [18]. BGN is secure under the assumption of the subgroup decision problem. The message expansion degree of the BGN cryptosystem is represented by N/R, where N refers to the bit-length of n while R denotes the bit-length of r.

5.3 Fully Homomorphic Encryption (FHE)
5.3.1 What is FHE

Fully homomorphic encryption supports an arbitrary number of multiplications and additions, and hence can compute any form of function on encrypted information. For all forms of computations on the information warehoused in the cloud, FHE must be embraced because it allows execution of operations on encrypted records without decryption. As such, the usage of FHE is a crucial step in enhancing cloud-computing security [19]. The concept of FHE is just about as old as the idea of public key encryption. In spite of public key encryption, the initial structure of FHE eluded cryptographers' attempts for a long time. In light of the trouble in achieving FHE, and its possibility as a primitive for building and streamlining other cryptographic schemes and additionally outsourcing calculation, some have come to consider FHE as the “holy grail” of cryptography. Hence, with Gentry's innovative blueprint in 2009, cryptographers have efficiently obtained the holy grail; nonetheless, Gentry's work does not represent a conclusion to the mission for the Holy Grail [36]. Gentry's work indicated, interestingly, a reasonable construction of fully homomorphic encryption. The fundamental building block in Gentry's project is what is called “Somewhat” Homomorphic Encryption (SWHE), which depended on the hardness of lattices [4]. The next section includes comprehensive detail about Gentry's FHE blueprint.

5.3.2 Gentry (2009)

In late 2009, Craig Gentry, an employee of IBM, invented the first encryption scheme that is fully homomorphic [3], [18], based on ideal lattices. In Gentry's original discovery, he started with a SWHE plan and later “bootstrapped” it to generate a Fully Homomorphic Encryption system [31], [32]. Gentry suggested a homomorphic scheme which is, roughly speaking, similar to a Goldreich–Goldwasser–Halevi (GGH) lattice-based cryptosystem. He utilized ideal lattices as a way to develop a bootstrappable encryption protocol. The reason behind using ideal lattices is that every ciphertext has a noise parameter which grows in the resulting ciphertext after any homomorphic operation applied to the original ciphertexts [10], [31]. He later demonstrated that with a suitable key generation technique, the security of that plan can be reduced to the worst-case scenario of some lattice problems in ideal lattices. But this scheme is not yet bootstrappable, so Gentry described a change to squash the decryption scheme by minimizing the degree of the decryption polynomial [16].

According to Gentry [3], [18], the abstract of FHE is straightforward. He began his work with some assumptions as described in the following:

1. Given ciphertexts that encrypt m1, …, mt, FHE should allow anybody to output a ciphertext that encrypts f(m1, …, mt) for any function f, as long as that function can be proficiently performed. The inputs, outputs, and middle values are constantly encoded; no information about m1, …, mt or f(m1, …, mt), or any plaintext value, must leak.

2. A FHE scheme ε must have an effective function Evaluate_ε that, given a valid ε key pair (sk, pk), any circuit y, and any ciphertexts ci ← Encrypt_ε(pk, πi), outputs:
   c ← Evaluate_ε(pk, y, c1, …, ct), such that Decrypt_ε(sk, c) = y(π1, …, πt).

3. Assume you have a number of encryption procedures with a “noise parameter” joined to each ciphertext, in which encryption produces a ciphertext with small noise, i.e., < n, whereas decryption works as long as the noise is smaller than some threshold N >> n.

4. Assume that you have an algorithm re-crypt that takes a ciphertext E(m1) or E(m2) with noise N' < N and provides a “new” ciphertext that also encrypts m1 but has a noise parameter which is sufficiently smaller than √N. This re-crypt calculation is sufficient to build a FHE scheme out of the SWHE scheme.
5. Besides, suppose you have algorithms Add and Multiply that take ciphertexts $E(m_1)$ and $E(m_2)$ and provide $E(m_1 + m_2)$ for addition and $E(m_1 \ast m_2)$ for multiplication, at the cost of adding or multiplying the noise parameters. This promptly provides a “SWHE” scheme that can deal with circuits of multiplicative depth almost $\log\log N - \log\log n$.
His strategies were like those used in server-aided cryptography, where a client with a slow device needs to assign the greater part of the decryption work to a server without permitting the server to decrypt completely. Gentry required a second computational hardness assumption, like ones that have been studied with regard to server-aided cryptography.

5.3.2.1 Lattice Theory
Over the last decade, lattice theory has started to show up as a foundation of modern cryptography, especially in the construction of fully homomorphic encryption (FHE). The attraction of lattice-based primitives comes from the fact that their security can often be based on worst-case assumptions [24]. Gentry’s blueprint depended on ideals in different rings, and also on the hardness of approximate lattice problems in the polynomial range. Although lattice problems have been studied extensively and are considered a standard tool in cryptography, ideal lattices are a special class that is less well understood. Ideal lattices support FHE because they correspond to ideals in a polynomial ring and therefore inherit natural Add and Mul operations from the ring [3], [18], [4], [20].

Definition 5.3.2.1. Lattice L - basically a set of vectors in n-dimensional Euclidean vector space with a strong periodic structure. When the Euclidean space is at least 2-dimensional, each lattice has infinitely many elements and infinitely many bases, whereas in cryptography all elements, such as the ciphertext, public key, and secret key (bit strings of fixed length), should be taken from a finite space. Consequently, the lattices utilized in the field of cryptography should be over a finite field. Figure 3 presents an example of a 2-dimensional lattice in the Euclidean plane.

Figure 3: A 2-dimensional lattice in the Euclidean plane.

Definition 5.3.2.2. Basis of Lattice L - a set of n vectors $(v_1, \ldots, v_n)$ can be viewed as a basis of a vector space. Lattices have many bases. Some bases are considered “good”, while others are considered “bad.”
$$L = \{a_1 v_1 + a_2 v_2 + \cdots + a_n v_n : a_1, a_2, \ldots, a_n \in \mathbb{Z}\}.$$

Definition 5.3.2.3. Lattice points - any point of the lattice is the result of a “linear combination” of those basis vectors with “integer coefficients.” Mathematical operations such as addition, subtraction, and multiplication by an integer can be done on the points located in the vector space.

The Two Major Hard Lattice Computational Problems:
Definition 5.3.2.4. Shortest Vector Problem (SVP) - find a shortest nonzero vector v in the lattice L.

Definition 5.3.2.5. The Approximate Closest Vector Problem (CVP) - the problem of finding the vector v in the lattice L which is closest to a given target t.

Solution - given a vector v not in L, draw a fundamental domain around the target point t; then we have two cases:
- If the basis is “good”, i.e., it consists of short vectors that are reasonably orthogonal to one another, then find a vertex v ∈ L that is closest to t, a candidate for an approximate closest lattice vector.
- With a “bad” basis, the closest lattice vector that actually solves CVP is much closer to the target t than the closest vertex [29].

Gentry’s innovation can be summarized in three stages: first, construct a somewhat homomorphic encryption (SWHE) scheme; next, “squash” the decryption circuit until it is simple enough to be handled within the homomorphic capacity of the SWHE scheme; and finally, “bootstrap” to get a FHE scheme.
In all existing schemes, the squashing technique brings in an additional assumption: that the sparse subset sum problem (SSSP) is hard.
Step 1: Somewhat Homomorphic Encryption - the initial phase in Gentry's outline is to build a “somewhat” homomorphic encryption (SWHE) scheme, in particular, an encryption scheme which is capable of evaluating “low-degree” polynomials on encrypted data homomorphically. In other words, it supports evaluating a limited number of operations (many additions and one multiplication, like the Boneh-Goh-Nissim cryptosystem) [20], [35], [6].
Step 2: “Squashing” the Decryption Circuit - this part implements a “squashing” strategy on the decryption circuit of the initial SWHE cryptosystem in order to reasonably reduce the decryption circuit complexity, thus changing the scheme into a bootstrappable one which has the same homomorphic ability. Squashing helps to figure out whether we can apply the bootstrapping hypothesis to
the SWHE schemes, to be specific, to determine whether they are in fact capable of evaluating their own decryption circuits. Squashing is accomplished by adding a “clue” about the secret key to the evaluation key. To be more specific, instead of using the original secret key, an extra “hint” about the secret key is added inside the public key, in the form of the “sparse subset-sum” problem (SSSP). In particular, the public key is enlarged with a large set of vectors, such that there exists an extremely sparse subset of them that indicates the secret key. Furthermore, this “extra indication” was insufficient to decrypt a ciphertext output by the first scheme, but it could be utilized to “enlarge” the ciphertext and hence build another fresh ciphertext.
Compared to schemes like RSA or El-Gamal, which rely on exponentiation, Gentry’s basic FHE construction depended on various complexity assumptions. The most intricate one is the hardness of a decisional version of the sparse subset-sum problem (SSSP), which is employed in squashing the decryption circuit. The processed ciphertext of the underlying scheme can be decrypted with a low-degree polynomial in the bits of the ciphertext and the new secret key (equivalently, a circuit of small depth), which yields a bootstrappable cryptosystem [16], [10].
Step 3: The Bootstrapping technique - a SWHE scheme can only evaluate “low-degree” polynomials and supports a limited number of operations. To obtain a FHE cryptosystem from a SWHE scheme, Gentry gave a remarkable bootstrapping hypothesis. He demonstrated that, given a SWHE scheme, a ciphertext can be “refreshed” by running the decryption circuit on it homomorphically using an encrypted private key, which results in reduced noise. The noise vector roughly doubles in size for each addition and squares for each multiplication. As a result, the decryption process could output a wrong plaintext. When we get a large or noisy ciphertext, the cryptographer can use the SWHE scheme to evaluate the decryption circuit using the encrypted secret key.
Given two refreshed ciphertexts, one can perform an unlimited number of homomorphic computations (either addition or multiplication), which could not be done on the original ciphertexts because of the noise attached to them. The basic idea of bootstrapping is to encrypt the plaintext under one key and perform operations until the error introduced into the ciphertext reaches a specific margin. The second step is to perform the re-encryption function on the already encrypted data (the ciphertext) using the encrypted secret key, and then decrypt using the first public key. Besides, if we are willing to make an extra assumption, one could encrypt the secret key under the same public key pk, a requirement that is referred to as “circular security” (i.e., the scheme should be able to encrypt its own secret key and evaluate the function, which is sufficient to permit HE for addition and multiplication). The hard point in this technique is to attain a scheme that supports evaluating “high-enough degree” polynomials and at the same time has a decryption circuit that can be expressed as a “low-enough degree” polynomial. Whenever the degree of the polynomials that can be evaluated exceeds that of the decryption polynomial (multiplied by 2), the scheme is known as “bootstrappable” and can then be transformed into a FHE scheme [32], [16], [35], [36], [20], [6], [10].

5.3.3 FHE Application
Cloud computing technology is widely used in the contemporary world. FHE schemes are applicable in cloud computing to provide security assurance to users, so that their information remains confidential and inaccessible to unauthorized personnel [8]. With FHE, one can outsource mathematical computations on confidential encrypted data to a cloud server without requiring the user’s private key. FHE can be applied to computation in databases to maintain the confidentiality of the user’s data. Moreover, Gentry states in his blueprint that FHE permits private queries to a search engine. In this case, the user submits an encrypted query and the search engine computes an encrypted response without ever seeing the query in the clear. In addition, it also allows searching on encrypted information, where a user stores encrypted records on a remote server and later retrieves only the data that satisfy some boolean constraint, even though the server cannot decrypt the files on its own. On a broader scale, fully homomorphic encryption enhances the efficiency of secure multiparty computation [3], [18].

6. Evolution of FHE
Since Gentry published the first fully homomorphic encryption system in 2009, this powerful discovery has become an active research subject and there has been huge enthusiasm for the field. Different researchers have made dedicated efforts to improve the scheme; consequently, the evolution of FHE is greatly widening the range of calculations that can be carried out homomorphically on encrypted data. Other proposed schemes relied on simpler or more efficient assumptions compared to Gentry’s construction. They adopted other techniques, e.g., integers instead of lattices, learning with errors, or linear SWHE cryptosystems based on error correcting codes. Consequently, the performance of the subsequent schemes has improved. In conclusion, however, improvement is still needed regarding the limitations on efficiency and the overhead of operations [3], [18], [4].
In 2010, a number of new versions emerged to implement Gentry's initial idea. Smart-Vercauteren, followed by Stehle-Steinfeld and then Gentry-Halevi, implemented Gentry’s work in order to get better performance. In the same year, Gentry collaborated with van Dijk, Halevi and Vaikuntanathan, to construct a
technique called (DGHV), simpler than his initial one, utilizing integers rather than lattices. They developed a simple FHE scheme that uses just simple arithmetic over the integers. In 2011, an improvement of DGHV was made by Coron, Mandal, Naccache, and Tibouchi, who proposed a FHE scheme working over the integers with smaller public keys. Within the same period, Brakerski and Vaikuntanathan presented a FHE scheme from Ring-LWE with security for key dependent messages. After that, a FHE cryptosystem without squashing, utilizing depth-3 arithmetic circuits, was proposed by Gentry and Halevi. Then, Brakerski and Vaikuntanathan constructed a novel FHE scheme based on standard LWE. Following that, Lauter, Naehrig and Vaikuntanathan presented and implemented a SWHE technique based on the R-LWE (ring learning with errors) problem. Next, Smart and Vercauteren demonstrated how to select the parameters to enable such SIMD operations. In 2012, Brakerski, Gentry and Vaikuntanathan created a leveled FHE scheme without bootstrapping named (BGV). Coron, Naccache, and Tibouchi invented a compression approach for minimizing the public key size used by the DGHV scheme. Gentry, in collaboration with Halevi and Smart, devised an improvement of Gentry's bootstrapping procedure and combined their strategy with SIMD homomorphic computation. Then, Brakerski, Gentry, and Halevi designed a FHE scheme that addressed the issue of packing ciphertexts in LWE-based HE. In 2013, Cheon, Coron, Kim, Lee, Lepoint, Tibouchi, and Yun examined the issue of batching FHE schemes over the integers. Currently, the schemes being developed support both addition and multiplication of ciphertexts without limitation, pointing towards improved quality. The development of the schemes will continue with time until all the intended objectives of homomorphic encryption function optimally.

6.1 Gentry’s First Improvement (2010) - Smart and Vercauteren
The initial effort to improve Gentry's fully homomorphic public key encryption scheme [2] was made in 2010 by Smart and Vercauteren. Their construction followed Gentry’s technique in producing a FHE scheme from the underlying “SWHE” scheme, but the difference is that they implemented a variant utilizing “principal ideal lattices” of prime determinant, thereby presenting a FHE scheme which has both relatively small key and ciphertext size. Smart and Vercauteren demonstrated that in such a lattice-based SWHE scheme, the public and private keys are represented by two large integers (regardless of their dimension), and the private key in the decryption procedure is represented by one large integer. They could realize the underlying SWHE scheme, yet they were not able to support parameters large enough to make Gentry's squashing procedure work. Accordingly, they were not able to obtain a bootstrappable functionality or a FHE scheme. Compared to Gentry’s original scheme, their scheme has smaller message expansion and key size. One issue in the Smart-Vercauteren implementation was the complexity of the key generation procedure for the SWHE scheme, because many candidates must be generated in order to find one whose determinant is prime. Besides, Smart and Vercauteren estimated that the squashed decryption polynomial will have a degree of a few hundred, and that to support this procedure with their parameters they have to utilize a lattice dimension of at least $n = 2^{27}$ $(\approx 1.3 \times 10^{8})$, which is well beyond the capacity of the key generation process [16], [31], [10].

6.2 Gentry’s Second Improvement (2010) - Stehle and Steinfeld
In order to obtain a faster FHE scheme than Gentry’s construction, Stehle and Steinfeld described two main improvements based on ideal lattices and their analysis. Their optimization [5] can be summarized as follows:
- First, they analyzed the complexity of Gentry’s scheme related to the Sparse Subset Sum (SSSP) assumption in a more aggressive way.
- Second, they presented a probabilistic decryption process that can be implemented with an arithmetic circuit of “low multiplicative degree.”
With these changes applied together, the fully homomorphic encryption scheme became faster, with a $\tilde{O}(\lambda^{3.5})$ bit complexity per elementary binary Add/Mul gate. These enhancements can also be applied to the FHE schemes of both Smart and Vercauteren [2] and DGHV [31].

6.3 Implementation of Gentry’s blueprint (2010) - Gentry and Halevi
Gentry and Halevi proposed an optimized version [16] of the Smart–Vercauteren “principal-ideal lattices” cryptosystem [2], which makes it possible to implement the squashing functionality, thus obtaining a bootstrappable scheme that can be converted into a FHE scheme.
In their implementation, they proposed a number of major and minor optimizations and simplifications that make it possible to execute all aspects of the scheme, including the bootstrapping method and squashing the decryption circuit.
- With regard to the first major optimization, the authors followed the same approach as Smart-Vercauteren, yet for the key generation procedure, instead of requiring a prime determinant, their scheme required that the Hermite Normal Form (HNF) of the lattice has a particular form.
- Another major optimization is related to the decryption circuit: Gentry and Halevi do not require “full polynomial inversion”, since they decrypt using a “simpler decryption circuit.” Similar to the Smart-Vercauteren implementation, they used a single coefficient of the secret
inverse polynomial, but the variation here is that they used “modular arithmetic” instead of “rational division.”
- As for the bootstrappable scheme, the public key includes an instance of the sparse-subset-sum problem (SSSP) which has a “very space-efficient representation.”
- The public key has an encryption of all the secret key bits in the FHE scheme. In addition, in order to reduce the storage space for all encrypted data, they utilized a “space-time tradeoff.”
- In order to speed up encryption, they utilized an efficient algorithm for “batch evaluation” of many polynomials. The private key in their implementation is a binary vector of length “S ≈ 1000”, with only s = 15 bits set to one, while the other bits are set to zero. By representing the secret key in s groups of S bits, they got an important speedup. Their implementation has been tested with lattices of several dimensions, according to four different security levels (“toy”, “small”, “medium” and “large”): from a “toy” setting in dimension 512, to “small”, “medium”, and “large” settings in dimensions 2048, 8192 and 32768. The public-key size ranges from 70 Mb for the “small” setting to 2.3 Gb for the “large” setting [31], [10].

6.4 DGHV FHE scheme over the integers (2010) - Dijk, Gentry, Halevi, and Vaikuntanathan
Compared to Gentry's basic construction, the principal advantage of this methodology is its theoretical simplicity. Dijk, Gentry, Halevi, & Vaikuntanathan proposed a very simple SWHE framework (DGHV scheme) [11], in which all mathematical operations are done over the integers using only “elementary modular arithmetic computation” instead of ideal lattices over a “polynomial ring.” However, they followed Gentry’s blueprint to transform SWHE into a FHE scheme using “error correcting codes.” To be more specific, they adopted the same “squash decryption circuit” method to get a bootstrappable scheme, and then applied the ciphertext refreshing procedure to get a FHE scheme [31], [10].
This made a significant contribution to the advancement of FHE. Nonetheless, in order to achieve full homomorphism, DGHV also performed a re-encryption technique before mathematical operations to reduce the noise components, which greatly raised the computational complexity. The primary accomplishment was that the plaintext comprised integers as opposed to one bit. Also, they reduced the security of their SWHE scheme to finding an approximate gcd integer, i.e., given a list of integers that are “near-multiples” of a hidden integer, output that hidden integer. Consequently, the DGHV construction depends on the complexity of the common divisor problem, defined by the prior work of Howgrave-Graham [11], [20].

6.5 FHE over the Integers with Shorter Public Keys (2011) - Coron, Mandal, Naccache, and Tibouchi
Dijk et al. proposed the simple (DGHV) scheme [11]. Compared with Gentry's construction, the principal attraction of their framework is its simplicity. This simplicity comes at the expense of a public key size in $\tilde{O}(\lambda^{10})$, which is considered too large for any practical system. Coron, Mandal, Naccache, and Tibouchi proposed in their contribution [10] a solution to this problem that reduces the public key size of the SWHE scheme from $\tilde{O}(\lambda^{10})$ to $\tilde{O}(\lambda^{7})$. According to the authors, “the idea consists in storing only a smaller subset of the public key and then generating the full public key on the fly by combining the elements in the small subset multiplicatively.” In order to get shorter public keys, rather than performing the encryption with a linear form, a quadratic form in the public key components has been used. They demonstrated that the cryptosystem remains secure under a stronger variant of the approximate GCD assumption that was already considered by van Dijk et al. The second contribution was to describe the first implementation of the DGHV scheme over the integers under their variant, while borrowing some of the optimizations from the Gentry-Halevi implementation [16] of Gentry’s breakthrough [3], [18]. From Stehle and Steinfeld [5], they used the repeated analysis of the sparse subset sum assumption; however, because of the increase in the error probability for their set of parameters, they did not use the probabilistic decryption procedure. Their main difficulty was defining a secure set of concrete parameters. Their method was to implement the known attacks, measure their running time and extrapolate for large parameters; then they can fix the concrete parameters according to the desired level of security. They attained almost the same level of performance as the Gentry-Halevi implementation [16]. To be more accurate, they use the same four security levels, even though they might not be comparable due to the different concepts of “security bits.” They defined the security parameters as “toy”, “small”, “medium” and “large”, corresponding to 42, 52, 62 and 72 bits of security. With a public key size of 800 MB, encryption and re-cryption take 3 minutes and 14 minutes for “large” parameters. This result showed that FHE can be performed utilizing basic mathematical operations.

6.6 FHE from Ring-LWE and Security for Key Dependent Messages (2011) - Brakerski and Vaikuntanathan
Brakerski and Vaikuntanathan proposed a SWHE technique [7] that is extremely simple to understand and apply. Its security can be reduced to the worst-case hardness of ideal lattice problems. Then, the authors transformed it into a FHE scheme using the same techniques proposed by Gentry [3], [18], i.e., “squashing”
and “bootstrapping” techniques. One of the obstacles in transforming from “somewhat” to “fully” homomorphic encryption is the requirement that the SWHE be “circular secure”, i.e., the scheme should be able to securely encrypt its own private key. According to the authors, this requirement had to be assumed explicitly, because it was not known to be achievable under any cryptographic assumption in all SWHE cryptosystems. Consequently, they took a step towards getting rid of this additional assumption by demonstrating that their scheme is indeed secure when encrypting “polynomial functions” of the private key. Their public key encryption scheme relies on the “polynomial learning with errors” (PLWE) assumption, which is a simplified form of R-LWE, proposed by Lyubashevsky, Peikert and Regev [24]. The R-LWE assumption makes it possible to totally eliminate the worst-case hardness on ideal lattices, thus providing a very straightforward scheme. It has been proved that this scheme is somewhat homomorphic, which means that operations of limited complexity can be evaluated on ciphertexts. Furthermore, the SWHE is “circular secure”, meaning that significant functions of the secret key can be securely encrypted. At the end, they presented how FHE can be achieved by bootstrapping, utilizing “Gentry-style” squashing [7].

6.7 FHE without Squashing Using Depth-3 Arithmetic Circuits (2011) - Gentry and Halevi
Gentry and Halevi developed a new FHE approach [17] as a hybrid of a SWHE and a “compatible multiplicatively homomorphic encryption” (MHE) scheme in an unexpected way. Although this framework provided a completely different method, it still depends on ideal lattices. Basically, it demonstrated how to bootstrap without “squashing” the decryption circuit. Accordingly, this leveled FHE scheme is constructed without the need to assume the hardness of the sparse subset sum problem (SSSP), which is replaced with the decisional Diffie–Hellman (DDH) assumption. The primary strategy is to express the decryption procedure of SWHE schemes as a depth-3 (ΣΠΣ) algebraic circuit of a specific structure. Because of the particular form of the decryption circuit, the transformation to the MHE scheme can be done without evaluating anything homomorphically. Consequently, when evaluating this circuit through the bootstrapping technique, the authors developed an optimization of their leveled FHE scheme, where the whole leveled FHE ciphertext is temporarily “compressed” into a single MHE (e.g., El-Gamal) ciphertext. In other words, the SWHE scheme should be able to evaluate the MHE scheme's decryption circuit, rather than its own decryption circuit, thus getting rid of the “circularity” that made the squashing step necessary. The result is translated back to the SWHE scheme by homomorphically evaluating the decryption process of the MHE scheme. Finally, they showed the possibility of substituting the MHE scheme with an additively homomorphic encryption (AHE) scheme which is capable of encrypting discrete logarithms. This substitution allowed them to develop a leveled FHE scheme whose semantic security relies on the worst-case hardness of the shortest independent vector problem (SIVP) over ideal lattices (Ideal-SIVP), where the ciphertext length is reduced [31].

6.8 FHE based on (Standard) Learning with Errors LWE (BV) (2011) - Brakerski and Vaikuntanathan
Brakerski and Vaikuntanathan proposed a radical change in developing FHE schemes, known as the (BV) scheme [4], whose security is linked with the hardness of the decisional (standard) learning with errors (LWE) assumption [23]. This scheme is unique as it does not fully follow the Gentry blueprint [18], [3] or the DGHV scheme [11] over the integers. Compared to Gentry’s blueprint, which included new and comparatively untested cryptographic assumptions, the BV cryptosystem aims to establish FHE under standard, well-understood cryptographic assumptions. Although the BV scheme relies on the learning with errors problem [23], which is considered as hard as solving other hard problems in general lattices, their scheme is easy to understand and implement and does not depend on lattices directly. The resulting FHE scheme has very short ciphertexts, making it more efficient than prior ones; it is therefore used to build an efficient LWE-based “single-server private information retrieval” (PIR) protocol [20], [32].

The BV scheme is summarized in two steps:
- First step: Re-linearization: Somewhat Homomorphic Encryption without Ideals
Re-linearization makes it possible to build a SWHE scheme whose security depends only on the worst-case hardness of solving standard “short vector” problems on arbitrary (not necessarily ideal) lattices. According to Gentry, a scheme that is homomorphic for a class of circuits permits evaluation of any circuit in the class. Gentry’s blueprint demonstrated that the “bootstrapping” technique for obtaining FHE from SWHE requires a homomorphic scheme whose decryption circuit resides in the class. It becomes clear that homomorphic encryption schemes that can evaluate an arbitrary number of additions and multiplications are very difficult to attain even without the process of bootstrapping. What Gentry proposed to solve this problem was based on the arithmetic concept of ideals in various rings. Specifically, the plaintext is considered to be a ring element, and the ciphertext is the encrypted plaintext plus some noise, which is related to an ideal. As a result, unlike all former cryptosystems, it has been shown that SWHE can be based on the LWE assumption, using a new method called
“re-linearization.” This technique helps to attain a SWHE scheme that does not require complexity assumptions on ideals in different rings [31].
- Second step: Dimension-Modulus Reduction: Fully Homomorphic Encryption Without Squashing
Dimension-modulus reduction makes it possible to eliminate the rather complex “squashing step” used in Gentry’s and all subsequent solutions, hence bypassing the additional very strong hardness assumption, namely the hardness of the sparse subset-sum problem (SSSP). The researchers introduced a new technique known as “dimension-modulus reduction”, which upgrades the SWHE scheme into a FHE one with the same homomorphic properties while reducing the ciphertext size and the decryption complexity of the scheme, all without relying on any additional assumptions [31].

The Learning with Error Problem (LWE)
The Learning with Errors (LWE) problem was proposed by Regev [9] and has lately served as the foundation for plenty of cryptographic applications. Many researchers in the field of cryptography employ LWE in constructing cryptographic schemes in order to obtain a high level of security and efficiency [24].
The LWE problem aims to retrieve a secret $s \in \mathbb{Z}_q^n$ given a series of approximate random linear equations on s; e.g., the input might be as follows:
$$
\begin{aligned}
14s_1 + 15s_2 + 5s_3 + 2s_4 &\approx 8 \pmod{17} \\
13s_1 + 14s_2 + 14s_3 + 6s_4 &\approx 16 \pmod{17} \\
6s_1 + 10s_2 + 13s_3 + 1s_4 &\approx 3 \pmod{17} \\
10s_1 + 4s_2 + 12s_3 + 16s_4 &\approx 12 \pmod{17} \\
9s_1 + 5s_2 + 9s_3 + 6s_4 &\approx 9 \pmod{17} \\
3s_1 + 6s_2 + 4s_3 + 5s_4 &\approx 16 \pmod{17} \\
&\;\;\vdots \\
6s_1 + 7s_2 + 16s_3 + 2s_4 &\approx 3 \pmod{17}
\end{aligned}
$$
Each equation is correct up to some small additive error (say, ±1), and the goal is to recover s. The answer is s = (0, 13, 9, 11) [23].
Retrieving s would be very straightforward if no error were introduced: after about n equations, s can be retrieved in polynomial time using “Gaussian elimination.”

combination. Hence, the difficulty of resolving LWE is restricted to finding a “good” (short or close) basis for a relevant lattice [29], [24].

On the Hardness of LWE
As demonstrated above, the cryptographic schemes linked with LWE are to some extent inefficient because of an inherent quadratic overhead in the usage of LWE. Several points support the hardness of the LWE problem:
- Firstly, the best known algorithms for LWE run in exponential time.
- Secondly, a related issue is the hardness of the learning parity with noise (LPN) problem. The Learning with Errors (LWE) problem is a natural generalization of the LPN problem to large moduli. That means the hardness of LWE does not efficiently act for small moduli, because there is still a need to find an effective algorithm for LPN to benefit from the small modulus.
- Thirdly, numerous lattice-based cryptosystems rely directly upon two average-case problems, i.e., the learning with errors (LWE) problem and the short integer solution (SIS) problem. These two average-case problems have been shown to enjoy very strong lattice hardness guarantees. To be more specific, LWE has been shown to be at the same level of difficulty as many worst-case problems such as the shortest independent vectors problem (SIVP), the decision version of the shortest vector problem (GAPSVP), and the learning parity with noise (LPN) problem. Likewise, SIS has been shown to be as hard as comparable worst-case problems, up to a polynomial factor in the lattice dimension. To get back to the point, cryptographic schemes that rely on the SIS and LWE problems usually require rather large key sizes of order $n^2$. This is due to the fact that for cryptographic applications, one regularly needs to give a sequence of vectors $v_1, \ldots, v_n \in \mathbb{Z}_q^n$. From a practical perspective, reducing the key size to roughly linear size might lead to efficiency improvements [23], [24], [30].
Definition 6.8.2. The Small Integer Solution (SIS) problem - given a sequence of vectors $v_1, \ldots, v_n \in \mathbb{Z}_q^n$, find a subset of them (a combination with small coefficients) that sums to zero (modulo q). One can define SIS as the problem of finding short vectors in a random lattice or code.
If there is an error, the problem might be more difficult. Algorithms for Solving the LWE problem
Definition 6.8.1. Learning with Error (LWE) Problem According to Regv [23], the naïve algorithm to solve the
Consider a linear combination of a lattice basis vectors learning with error problems is known as the “maximum
including a small error, the issue of searching and likelihood algorithm”, however, best known and even most
recognizing the difference between noisy random linear interesting algorithm is the combinatorial algorithm
functions (with error) and uniformly random vectors is invented by Blum, Kalai, and Wasserman (BKW) [30].
known as the “Learning with Error” problem. In other The other most widely used algorithms to tackle LWE are
words, the problem of finding the closest vector to the lattice basis reduction (LLL) algorithm, and algebraic
vector linked with noise in a given lattice, specifically, by Algorithms.
solving closest vector (CVP) problem and/or linear Definition 6.8.6. Maximum likelihood algorithm -

13
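The mod-17 system above and the exhaustive search over all q^n assignments that the maximum likelihood algorithm relies on, as an added example (not code from the paper). It assumes the error is bounded by ±1 as in the text's example rather than normally distributed; the function names are hypothetical, and the 24 extra samples are constructed with a seeded generator.

```python
import itertools
import random

Q = 17  # modulus of the paper's example

# The seven equations printed in the paper, as (coefficients a, right-hand side b).
PAPER_SAMPLES = [
    ((14, 15, 5, 2), 8), ((13, 14, 14, 6), 16), ((6, 10, 13, 1), 3),
    ((10, 4, 12, 16), 12), ((9, 5, 9, 6), 9), ((3, 6, 4, 5), 16),
    ((6, 7, 16, 2), 3),
]
PAPER_SECRET = (0, 13, 9, 11)  # the answer stated in the paper


def centered_error(a, b, s, q=Q):
    """Return b - <a, s> mod q, mapped into the centered range around 0."""
    e = (b - sum(x * y for x, y in zip(a, s))) % q
    return e - q if e > q // 2 else e


def solve_exact(samples, q=Q):
    """Gauss-Jordan elimination mod a prime q on the first n samples,
    treating them as exact equations. Needs at least n samples.
    Returns the unique solution, or None if the square system is singular."""
    n = len(samples[0][0])
    rows = [[v % q for v in a] + [b % q] for a, b in samples[:n]]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, q)  # modular inverse of the pivot
        rows[col] = [(v * inv) % q for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(v - f * p) % q for v, p in zip(rows[r], rows[col])]
    return tuple(row[n] for row in rows)


def consistent_secrets(samples, bound=1, q=Q):
    """Try all q**n assignments and keep those whose error stays within
    +/-bound in every equation (the 'approximately fulfills' test)."""
    n = len(samples[0][0])
    return [s for s in itertools.product(range(q), repeat=n)
            if all(abs(centered_error(a, b, s, q)) <= bound for a, b in samples)]


def make_samples(secret, count, rng, bound=1, q=Q):
    """Constructed LWE samples: uniform a, b = <a, s> + e (mod q),
    with e drawn uniformly from [-bound, bound]."""
    out = []
    for _ in range(count):
        a = tuple(rng.randrange(q) for _ in secret)
        e = rng.randint(-bound, bound)
        out.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % q))
    return out


if __name__ == "__main__":
    print("errors of the stated answer:",
          [centered_error(a, b, PAPER_SECRET) for a, b in PAPER_SAMPLES])
    wrong = solve_exact(PAPER_SAMPLES)
    print("Gaussian elimination on 4 noisy equations:", wrong)
    print("its errors on all 7 equations:",
          [centered_error(a, b, wrong) for a, b in PAPER_SAMPLES])
    print("candidates within +/-1 on the 7 printed equations:",
          consistent_secrets(PAPER_SAMPLES))
    more = make_samples(PAPER_SECRET, 24, random.Random(2024))  # constructed
    print("candidates within +/-1 on 24 constructed equations:",
          consistent_secrets(more))
```

The search visits all 17^4 = 83,521 assignments, which is the q^n cost the definition refers to; Gaussian elimination on the noisy equations returns a wrong vector because the ±1 errors are amplified when the system is inverted.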
The proof for the maximum likelihood algorithm starts by assuming that q is polynomial and the error distribution is normal. Then:
- It is demonstrated that, after about O(n) equations, the correct assignment is the secret s, since it is the only assignment that approximately fulfills the equations (finding s can be accomplished by trying all possible q^n assignments).
- An algorithm with running time q^n = 2^O(n log n) is thus obtained, using only O(n) equations [23], [30].

Definition 6.8.7. Blum-Kalai-Wasserman (BKW) combinatorial algorithm -
The BKW algorithm has been applied to the LWE problem to study its complexity. BKW is presented by first preparing refined running-time estimates for the data and function requirements, thus understanding the concrete complexity of solving the LWE problem. Second, this analysis of estimates is applied to different parameters of LWE-based cryptosystems and then compared with alternate schemes based on lattice reduction. As a result, “new recovered upper bounds for the concrete hardness of these LWE-based schemes” are provided. It has been shown that the BKW algorithm exceeds previous estimates for lattice reduction algorithms [30].

Definition 6.8.8. Lattice basis reduction (LLL) algorithm -
At the cost of an approximation factor exponential in the number of dimensions, LLL is used to reduce a lattice basis in polynomial time. If the approximation is extremely important to the lattice space (modulo q), resolving the Closest Vector Problem (CVP) outputs an error. All things considered, for a given q, there exist various dimensions n (i.e., LWE is believed to be hard) [29].

6.9 Implementation of FHE based on R-LWE (2011) - Lauter, Naehrig, and Vaikuntanathan
Lauter, Naehrig, and Vaikuntanathan proposed an implementation [21] of the “Somewhat” public key encryption scheme from the BV scheme [4] proposed by Brakerski and Vaikuntanathan, employing the computer algebra system Magma. They concentrated on characterizing a number of real-world applications and beneficial functions to be performed. Most of these applications support many addition operations, yet only a limited number of multiplications. In a nutshell, they thought that it is enough to implement a “SWHE” scheme, since it can be much faster and more practical than FHE schemes. Moreover, the re-linearization technique proposed in BV, which minimizes the size of the ciphertext to two ring components, has been employed in this implementation. They executed experiments using Magma’s polynomial algebra for all calculations (addition and multiplication) in the ring of polynomials modulo a prime number, thus providing similar efficiency with the same level of homomorphism and security. As a result, they proved that “an encryption for the sum of 100 128-bit numbers can be calculated from the individual ciphertexts in 20 milliseconds on a laptop running Magma” [21].

Ring Learning with Error problem (R-LWE) -
A major open question was whether it is possible for cryptographic schemes based on LWE to be more effective by taking advantage of additional arithmetic functions and performing calculations on polynomials, which have “better complexity” than vectors. Lyubashevsky, Peikert, and Regev [24] resolved this question by proposing a variant of LWE over rings known as “ring-LWE”, demonstrating that it also enjoys worst-case lattice complexity qualities. R-LWE is a simple expansion of LWE [23] in order to get more security and reduce ciphertext size.
The main idea behind R-LWE is that the vectors can be viewed as polynomials modulo the nth cyclotomic polynomial (the unique irreducible polynomial with integer coefficients), where n is a power of 2. They restricted their algorithm to cyclotomic fields rather than other number fields. According to the authors, the ring-LWE distribution is pseudorandom, assuming that the worst-case lattice problems of the ring-LWE problem are hard for “polynomial-time quantum algorithms.” As a final point, many improvements and security proofs on LWE quite often have counterparts on the first truly practical R-LWE. However, the reason for working with R-LWE rather than LWE is that many of the LWE-based schemes could be much more effective and practical when utilizing R-LWE instead [24], [29].

6.10 Fully Homomorphic SIMD Operations (2011) - Smart-Vercauteren
Gentry’s scheme encrypts and decrypts a plaintext of only 1-bit length. For this reason, scholars thought about improving particular operations so that they could be processed on many bits in parallel to minimize runtime. When Smart-Vercauteren presented their variation of Gentry's blueprint [2], they specified that their cryptosystem could support SIMD-style operations (single instruction, multiple data). The slow key generation procedure of the Smart-Vercauteren framework was then handled in a paper by Gentry and Halevi; however, their key generation technique seems to eliminate the SIMD-style operation suggested by Smart-Vercauteren. In this improvement [33], Smart-Vercauteren recalled their SWHE variation and proved that it can support SIMD operations in the finite field of characteristic two by modifying key generation. They demonstrated the possibility of choosing parameters for the Gentry and Halevi implementation to enable such SIMD operations, performing the re-crypt procedure on all data elements separately in parallel, thus obtaining FHE from the SWHE scheme and resulting in a fundamental speed-up. At the end, they proved how such SIMD operations can be used
to execute different higher-level tasks by exploring two situations: implementing AES encryption homomorphically, and searching an encrypted database on a remote server [33], [31].

6.11 BGV (Leveled FHE without Bootstrapping from R-LWE) (2012) - Brakerski, Gentry, and Vaikuntanathan
Brakerski, Gentry, and Vaikuntanathan constructed a leveled BGV cryptosystem [6] on the techniques of the Brakerski & Vaikuntanathan (BV) scheme [4] while using the R-LWE problem from [24]. Nowadays, because the BGV encryption scheme significantly enhances efficiency and level of security on the “weaker assumptions”, it is considered the first existing scheme proved practical in real-life applications. The main contribution of their work was a new strategy for constructing leveled FHE schemes that are able to evaluate “arbitrary polynomial-size circuits” while eliminating the bootstrapping procedure proposed by Gentry. It is commonly considered a public key (asymmetric) encryption scheme that encrypts bits.
There are two versions of the BGV cryptosystem: one handles integer vectors and is based on the learning with errors (LWE) problem [23], while the other handles integer polynomials and is based on the ring learning with errors (R-LWE) problem [24]. They started with a somewhat homomorphic encryption (SWHE) scheme based on “Ring LWE” assumptions [24] that has 2^λ security against known attacks, since it is much more efficient. In previous schemes that worked over ideal lattices, sub-exponential factors were used, along with a parameter d (indicating the degree of the polynomials to be evaluated). In the BGV scheme, however, security is based on lattice problems with “quasi-polynomial approximation factors”, giving an exponential improvement. Moreover, the authors used a parameter L (indicating the number of levels of the arithmetic circuit being evaluated). Brakerski, Gentry, and Vaikuntanathan offered several improvements to Gentry's essential blueprint [3], [18] and the BV scheme [4]. Because their FHE scheme has per-gate computation only “quasi-linear” in the security parameter, they provided a number of optimization techniques for their FHE scheme:

- A re-linearization procedure to reduce the dimension of the ciphertext and key sizes.
- The dimension reduction strategy is used in the BV scheme [4] to accomplish FHE instead of using squashing methods, while in this project the “modulus switching” procedure, which was bundled into a “dimension reduction” technique, was then named separately and examined carefully.
- Modulus switching is refined to better manage the noise brought into ciphertexts during homomorphic multiplication operations without knowing the secret key, and without bootstrapping.
- A combination of both of the above procedures that minimizes the multiplicative depth of the decryption circuit is used. According to the authors, the BV scheme's re-linearization/modulus switching methods can be used to convert a ciphertext c1 (decrypted using one secret key vector s1) to a different ciphertext c2 that encrypts the same plaintext. But in this scheme, a ciphertext c1 (decrypted using a second secret key vector s2) is transformed to a different ciphertext c2.
- A batching technique was the first optimization in the scheme. It reduces the per-gate calculation from quasi-linear in the security parameter λ to “polylogarithmic”. This is done by packing multiple plaintexts into each ciphertext homomorphically rather than one; however, its security gives approximately the same level of efficiency.
- Next, they re-employed bootstrapping as an optimization rather than a requirement. Bootstrapping makes it possible to achieve per-gate computation quasi-quadratic in the security parameter, independent of the depth of the circuit being evaluated.
- Then, they proved that combining batching with the bootstrapping method is a powerful mix. With batching the bootstrapping optimization, circuits whose levels mostly have width at least λ can be homomorphically evaluated with only Õ(λ) per-gate computation, independent of the number of levels. In other words, batching the homomorphic evaluation of the decryption function reduces the per-gate calculation by another factor of λ, from Õ(λ^2) to Õ(λ) (independent of L).

BGV result - They obtained a result similar to the LWE scheme; however, in case of poor performance, they provided a number of extra optimizations. When relying on R-LWE, they have:
- When the bootstrapping method is eliminated and security relies on the hardness of R-LWE for an approximation factor exponential in L, the result is a leveled FHE scheme that can evaluate L-level arithmetic circuits, where the per-gate calculation is Õ(λ · L^3).
- When the bootstrapping technique is used as an optimization rather than a requirement, and security is based on the hardness of R-LWE for quasi-polynomial factors, the result is a leveled FHE scheme with Õ(λ^2) per-gate calculation, independent of L [6], [20], [28], [14], [29].

6.12 Public Key Compression and Modulus Switching for FHE over the Integers (2012) - Coron, Naccache, and Tibouchi
Coron, Naccache, and Tibouchi proposed a compression procedure [22] that reduces the public key size of the Dijk et al. (DGHV) FHE cryptosystem over the integers [11] from Õ(λ^7) (their result with Mandal [10]) down to Õ(λ^5). They
obtained an implementation of the FHE scheme with a 10.1 MB public key rather than 802 MB, using comparable security parameters.

The authors’ contributions can be listed as follows:
1. Public Key Compression - a method to decrease the public key size of DGHV schemes. Under their variation, the encryption scheme can remain secure under the approximate-GCD assumption [22].
2. Extension to Higher Degrees - Different techniques have been proposed to obtain a shorter public key and, at the same time, increase the efficiency of the DGHV scheme [11]. The most important method is the one that uses a quadratic form instead of a linear form. In this contribution, the authors demonstrated how to extend the quadratic encryption procedure of their previous contribution with Mandal [10] to higher degrees in order to get a shorter public key for the basic DGHV scheme. They demonstrated that a specific family of quadratic hash functions is sufficiently close to being “pairwise independent”, thus proving that the scheme remains semantically secure [22].
3. Modulus Switching and Leveled DGHV Scheme - As their third contribution, they provided a new method called “modulus switching” to show how to apply Brakerski, Gentry and Vaikuntanathan’s (BGV) FHE scheme [6] (without bootstrapping) to the DGHV scheme [11] over the integers. Applying the BGV scheme, the noise vector grows only linearly with “multiplicative depth” rather than exponentially. This makes it possible to attain an FHE scheme without the costly bootstrapping procedure. Based on their implementation and results, the BGV framework can be practically applied, and the resulting FHE scheme remains secure under a harder assumption [22].

6.13 Gentry’s Bootstrapping Improvement (2012) - Gentry, Halevi, and Smart
The major obstacle in the bootstrapping technique of Gentry's breakthrough is the requirement to evaluate the modular arithmetic reduction operation homomorphically. This is basically done by simulating a “binary modular reduction circuit”, using bit operations on integers represented in binary. Gentry, Halevi, and Smart presented an approach [27] that bypasses, to some degree, the homomorphic reduction of one integer modulo another by using an arithmetic modulus near a power of two. It is simpler to describe and implement than the common binary circuit approach, and can be proved to be faster. Their strategy permits storing the encryption of the private key as a single ciphertext, hence reducing the size of the public key. Their scheme can also be combined with the SIMD homomorphic calculation procedures of Smart-Vercauteren [33] to run a bootstrapping technique that can be done in time “quasilinear” in the security parameter. This last part requires extending the methods from previous work to process arithmetic over some rings besides over fields. To be more specific, their scheme works with a modulus very close to a power of two, instead of over characteristic two fields [31].

7. FHE Semantic Security
Despite the fact that FHE schemes guarantee confidentiality and efficiency, there are major drawbacks that need attention. One of the greatest setbacks is the increase in the size of the public key and its effect on the size of the encrypted data, which leads to a longer server response time to any request from the client. Encryption and decryption of data also affect response time, thus making the system slow for practical usage [12]. Gentry’s concept is to minimize the complexity of the decryption circuit. Nonetheless, the complexity of the encryption circuit and the size of the public key increase significantly. Consequently, Central Processing Units (CPUs) can hardly execute such complex procedures. Assuming that Moore’s principle is limitless, the processing power needed to carry out FHE requires at least thirty years of continuous development. FHE schemes represent the computation with something called circuit homomorphism, where each logic gate is simulated through its own HE. Different mathematical activities can be decomposed into fundamental operations, whereas it is hard to convert sophisticated arithmetic activities into circuit tasks [37].
Schemes that followed Gentry’s work turned out to have inherent efficiency weaknesses. This is due to the fact that all of the FHE techniques require substantial computing resources because they employ intensive, sophisticated arithmetic tools, thus generating large keys, massive ciphertext per computation in a circuit, and accumulation of noise [8]. The existing FHE schemes always apply re-encryption processing to achieve fully homomorphic encryption. The computational complexity of the re-encryption method affects the real implementation of FHE schemes. On the other hand, all FHE schemes have a large computational overhead, which increases runtimes for encryption and decryption, thus making homomorphic computation of arbitrary functions impractical. More importantly, it has been shown that the obstacle that prevents FHE schemes from becoming practical is the “per-gate evaluation time”, which means the ratio of the time needed to evaluate a circuit homomorphically to the time needed to evaluate the same circuit on plaintext inputs. The per-gate evaluation time of the FHE schemes that followed Gentry’s initial work is Ω(κ^4), where κ is the security parameter [35]. Moreover, a fresh security assumption known as the Sparse Subset Sum Problem (SSSP), whose security is yet to be proved, was introduced at the point of squashing the decryption circuit. As a result, FHE still bears a security risk for the data stored. However, the level of security is high, but not
satisfactory. To realize a fully homomorphic encryption design, all of these setbacks must be overcome [37].

8. Conclusion
Cloud computing security founded on HE is a fresh idea of security. The exploration of HE schemes highlights important concepts regarding the generation of cryptographic needs. HE is used to promote the security of users’ data in the cloud and to support easy retrieval of the data. Therefore, applications of homomorphic encryption have increased in recent times with the spread of cloud computing. The role of the adoption of HE algorithms by the CSP in maintaining the confidentiality of private data cannot be underestimated. Cloud computing draws researchers’ attention to developing practical FHE schemes. In fact, the current level of usage of homomorphic encryption points towards its improved usage and further research to address its weaknesses. Precisely, the most effective FHE method is still very costly and suffers from poor performance. Performing computations using FHE takes quite long; however, as inventions evolve, the situation will change for the better.
Comprehensively, this research paper has simplified numerous definitions related to HE. The role of HE in existing applications has been explored, and the current state of the art has been reviewed and presented systematically. Although the use of homomorphic encryption techniques improves cloud computing benefits, promoting client satisfaction and security of data, its weaknesses in speed and in the ability to manage large loads of data need to be addressed. Therefore, further research to improve these schemes is needed to strengthen homomorphic encryption; it should focus on developing ways that are much better in terms of practicality.
| FHE Scheme | Year | Scheme Outline | Security Assumption |
|---|---|---|---|
| Gentry’s FHE | 2009 | First FHE scheme, it based on ideal lattices | The hardness assumption of SSSP |
| Smart-Vercauteren | 2010 | Improvement of Gentry's scheme with small key and ciphertext size, using “principal-ideal lattices” | The complexity of key generation procedure (finding small principal ideal lattice) |
| Stehle-Steinfeld | 2010 | Two main improvements of Gentry's scheme to obtain a faster FHE scheme | The hardness assumption of SSSP |
| Gentry-Halevi | 2010 | Implementation of Gentry’s scheme by a number of optimizations | The hardness assumption of finding small principal ideal lattice |
| Dijk Gentry Halevi and Vaikuntanathan (DGHV) | 2010 | FHE scheme using the simple arithmetic over the integers rather than lattices | Approximate-GCD Problem |
| Coron, Mandal, Naccache, and Tibouchi | 2011 | Improvement of DGHV working over integers with smaller public keys | Approximate-GCD Problem |
| Brakerski and Vaikuntanathan | 2011 | FHE from R-LWE and Security for Key Dependent Messages | The hardness of R-LWE Problem |
| Gentry and Halevi | 2011 | FHE without squashing cryptosystem using depth-3 arithmetic circuits | The decisional (DDH) assumption, or SIVP problem over ideal lattices (Ideal-SIVP) |
| Brakerski and Vaikuntanathan (BV) scheme | 2011 | FHE scheme based on LWE | The hardness of LWE Problem |
| Lauter, Naehrig and Vaikuntanathan | 2011 | Implementation of FHE scheme based on R-LWE | The hardness of R-LWE Problem |
| Smart and Vercauteren | 2011 | FHE scheme enables SIMD operations | The decision variant of the BDDP, or SSSP |
| Brakerski, Gentry and Vaikuntanathan (BGV) scheme | 2012 | Leveled FHE scheme without bootstrapping | R-LWE for an approximation factor exponential, or R-LWE for quasi-polynomial approximation factors |
| Coron, Naccache, and Tibouchi | 2012 | Compression approach for minimizing the pk size used by DGHV scheme | Approximate-GCD assumption |
| Gentry Halevi, and Smart | 2012 | Improvement of Gentry's bootstrapping, then join it with SIMD operations | The quasi-polynomial approximation factors |

Table 2. FHE Scheme, Brief Description, and Security Assumption of HE Schemes.
9. References

[1] I. Ahmad, and K. Archana. Homomorphic Encryption Method Applied to Cloud Computing. International Journal of Information & Computation Technology 4, no. 15, (2014): 1519-530.

[2] N.P. Smart, and F. Vercauteren. Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography, (2010): 420-443.

[3] C. Gentry. A fully homomorphic encryption scheme. Ph.D. dissertation, Stanford University, (2009). Available at https://crypto.stanford.edu/craig/craig-thesis.pdf.

[4] Z. Brakerski, and V. Vaikuntanathan. Efficient Fully Homomorphic Encryption from (Standard) LWE. IEEE 52nd Annual Symposium on Foundations of Computer Science, (2011).

[5] D. Stehlé and R. Steinfeld. Faster fully homomorphic encryption. ASIACRYPT, (2010): 377–394.

[6] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. Innovations in Theoretical Computer Science (ITCS’12), (2011). Available at https://eprint.iacr.org/2011/277.pdf.

[7] Z. Brakerski and V. Vaikuntanathan. Fully Homomorphic Encryption for Ring-LWE and Security for Key Dependent Messages. In P. Rogaway (Ed.), CRYPTO, (2011), LNCS, vol. 6841, Springer, (2011): 505–524.

[8] D. Chechulina, K. Shatilov, and S. Krendelev. Fully Homomorphic Encryption for Secure Computations in Protected Database. Position Papers of the Federated Conference on Computer Science and Information Systems, (2015): 125-31.

[9] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC, H. N. Gabow and R. Fagin, Eds. ACM, (2005): 84–93.

[10] J.S. Coron, A. Mandal, D. Naccache and M. Tibouchi. Fully Homomorphic Encryption over the Integers with Shorter Public Keys. P. Rogaway (Ed.), CRYPTO, (2011): 487–504.

[11] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan. Fully Homomorphic Encryption over the Integers. H. Gilbert (Ed.), EUROCRYPT 2010, LNCS, vol. 6110, Springer, (2010): 24–43.

[12] K. El Makkaoi, A. Ezzati, A. Beni-Hssane, and C. Motamed. Data Confidentiality in The World of Cloud. Journal of Theoretical and Applied Information Technology 84, no. 3, (2016).

[13] R. Emelaya, and S. Agrawal. A Survey: Secure Data Storage Techniques in Cloud Computing. International Journal on Recent and Innovation Trends in Computing and Communication 3, no. 9, (2015): 5376-379.

[14] S. Fau, R. Sirdey, C. Fontaine, C. Aguilar-Melchor, and G. Gogniat. Towards Practical Program Execution over Fully Homomorphic Encryption Schemes. IEEE 8th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, (2013).

[15] C. Fontaine, and F. Galand. A Survey of Homomorphic Encryption for Nonspecialists. Journal of Information Security 1, (2009): 41-50.

[16] C. Gentry, and S. Halevi. Implementing Gentry’s Fully-Homomorphic Encryption Scheme. Advances in Cryptology - EUROCRYPT’11, volume 6632 of Lecture Notes in Computer Science. Springer, (2011): pages 129–148.

[17] C. Gentry, and S. Halevi. Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits. FOCS’11. IEEE Computer Society, (2011).

[18] C. Gentry. Fully homomorphic encryption using ideal lattices. Michael Mitzenmacher, editor, STOC, 169–178. ACM, (2009).

[19] R. Kanagavalli, and S. Vagdevi. A Survey of Homomorphic Encryption Schemes in Cloud Data Storage. International Journal of Recent Development in Engineering and Technology 3, no. 1, (2014). Available at www.ijrdet.com.

[20] J. M. Kukucka. An Investigation of the Theory and Applications of Homomorphic Cryptography. ProQuest LLC, (2013).

[21] K. Lauter, M. Naehrig and V. Vaikuntanathan. Can Homomorphic Encryption Be Practical? Cryptology ePrint Archive, Report (2011): 405.

[22] J-S. Coron, D. Naccache, and M. Tibouchi. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Advances in Cryptology—EUROCRYPT 2012, Lect. Notes in Comp. Sci. 7237, (2012), Springer, 446–464.

[23] O. Regev. The Learning with Errors Problem. 25th Annual IEEE Conference on Computational Complexity, (2010).

[24] V. Lyubashevsky, C. Peikert, and O. Regev. On Ideal Lattices and Learning with Errors Over Rings. EUROCRYPT, (2013).

[25] D-Ș. MAIMUȚ, A. PĂTRAȘCU, and E. SIMION. Homomorphic Encryption Schemes and Applications for a Secure Digital World. Journal of Mobile, Embedded and Distributed Systems IV, no. 4, (2012).

[26] R. Meissen. A Mathematical Approach to Fully Homomorphic Encryption, (2012). Available at https://web.wpi.edu/Pubs/E-project/Available/E-project-042612-132350/unrestricted/Meissen_MQP2.pdf

[27] C. Gentry, S. Halevi, and N. P. Smart. Better Bootstrapping in Fully Homomorphic Encryption. Public Key Cryptography, (2012): 1–16.

[28] P. V. Parmar, S. B. Padhar, S. N. Patel, N. I. Bhatt, and R. H. Jhaveri. Survey of Various Homomorphic Encryption Algorithms and Schemes. International Journal of Computer Applications 91, no. 8, (2014).

[29] L. Barthelemy. A Brief Survey of Fully Homomorphic Encryption, Computing on Encrypted Data, (2016). Accessed August 24, 2016. http://blog.quarkslab.com/a-brief-survey-of-fully-homomorphic-encryption-computing-on-encrypted-data.html.

[30] J. Ding. Solving LWE problem with bounded errors in polynomial time, (2010). Available at https://eprint.iacr.org/2010/558.pdf.

[31] I. Sharma. Fully Homomorphic Encryption Scheme with Symmetric Keys. Master Thesis, Rajasthan Technical University, (2013). Available at https://cryptome.org/2013/10/homo-crypto-sym.pdf.

[32] A. Silverberg. Fully Homomorphic Encryption for Mathematicians, (2013). Available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.295.3830&rep=rep1&type=pdf.

[33] N. P. Smart, and F. Vercauteren. Fully Homomorphic SIMD Operations. Designs, Codes and Cryptography, (2011): 1-25. Available at http://homes.esat.kuleuven.be/~fvercaut/papers/DCC2011.pdf.

[34] M. TEBAA, S. EL HAJJI, and A. EL GHAZI. Homomorphic Encryption Applied to the Cloud Computing Security. Proceedings of the World Congress on Engineering, (2012).

[35] V. Vaikuntanathan. Computing Blindfolded: New Developments in Fully Homomorphic Encryption. IEEE 52nd Annual Symposium on Foundations of Computer Science, (2011).

[36] D. J. Wu. Fully Homomorphic Encryption: Cryptography’s Holy Grail, (2015). Available at https://crypto.stanford.edu/~dwu4/papers/XRDS2015.pdf.

[37] Y. Yang, S. Zhang, J. Yang, J. Li, and Z. Li. Targeted Fully Homomorphic Encryption Based on a Double Decryption Algorithm for Polynomials. IEEE Tsinghua Science and Technology 19, no. 5, (2014): 478-85.
