Homomorphic Encryption Algorithms and Schemes for Secure
Computations in the Cloud
Majedah Alkharji¹, Hang Liu²
¹ Ph.D. Student, Electrical Engineering and Computer Science, CUA, Washington, DC, 32alkharji@CUA.edu
² Associate Professor, Electrical Engineering and Computer Science, CUA, Washington, DC, liuh@CUA.edu
Abstract
Although cloud computing continues to grow rapidly, the shift to Internet-based shared computing
services has created new security challenges. Organizations move to cloud technology looking for
efficient and fast computing, but data security remains their top concern. Confidential data are
prone to leaks because of the modern trend to outsource computations to third parties. Furthermore,
data breaches can remove any benefits businesses gain by moving to cloud computing technology.
Three important questions must be taken into consideration: How can we guarantee that the user’s
private data will always be kept safe and secure? Can the cloud service provider be relied on to
store and process the client’s private data confidentially? Is it possible to ensure that, even if
the cloud provider has been attacked, the client’s confidential data will not be stolen or reused?
To provide better data protection during communication and storage, many cryptographic algorithms
have already been used, but these methods are practically inapplicable because they require the
data to be visible to the cloud provider; to achieve that, the private key has to be transmitted
to the server to perform the required operations. In the past thirty years, privacy homomorphism
has been used to solve this issue. Homomorphic encryption allows us to execute arithmetical
calculations directly on the ciphertext while keeping the secret key that is used to decrypt the
result. In addition to preserving privacy, it provides exactly the same result as if we performed
the computations on the plaintext. So far, many fully homomorphic encryption (FHE) schemes that
evaluate an arbitrary number of additions and multiplications have been implemented, but
researchers remain unable to design more secure and powerful schemes. In this paper, a detailed
survey of homomorphic encryption using public key algorithms such as RSA, El-Gamal, and Paillier
is given; FHE schemes are then introduced as well. This work can be helpful as a guide to the
principles and properties of FHE, as researchers believe in the possibility of advancement in the
FHE area.
Keywords: Cryptography, Cloud Security, Confidentiality, Homomorphic Encryption (HE), Fully
Homomorphic Encryption Schemes (FHE).
1. Introduction
In the contemporary world, internet and computer usage is on the rise, with more than 90% of the
world’s population using this technology. Given the heightened use of the public cloud and the
internet in data warehousing, security is a prime requirement to ensure the confidentiality and
integrity of data as well as the accessibility of information system resources. Hence the
improvement in statistical and computational techniques for machine learning, linked with the
emergence of powerful, cloud-based computing platforms in the last ten years.
By cloud computing we mean providing on-demand network access to shared IT computing resources
(e.g., servers, storage applications, and networks) using IT components (e.g., hardware and
software) via the internet or a private network [1]. Cloud computing, which entails the provision
of applications offered by third-party cloud service providers (CSP) such as Microsoft, is used by
IT professionals as a platform on which they can offer services to users in a more flexible and
convenient manner [34]. Storing data on remote servers rather than in-house is definitely
cost-effective [13]. Also, by moving into the data-centric cloud environment, data becomes more
easily accessible than before. Moreover, through a Cloud Service Provider (CSP), a user can store
data on a set of cloud servers, which enhances interaction.
Despite the efficient computing solution and economic advantages associated with cloud computing,
users are very worried about the security and confidentiality of data stored and processed in the
cloud. Those concerns are caused by security risks such as insider threats, security breaches, and
potential hackers [19]. These challenges to data confidentiality arise when uploading and
retrieving data to/from the cloud (data in motion), and also when the data is located on the cloud
servers of an untrusted CSP (data at rest) [12].
Among the solutions for safeguarding data stored in the cloud is encryption of the data, making it
inaccessible to unauthorized personnel [13]. Hence, in the era of “big data” and “cloud
computing”, encryption solutions must be applied to achieve the objective of data protection,
including confidentiality and integrity. Protecting information while guaranteeing its
accessibility presents fresh setbacks. The use of either symmetric or asymmetric (public key)
encryption algorithms (see Figure 1) is not completely sufficient in the cloud-based scenario
[31]. Moreover, once encrypted data is opened for computations, it cannot be processed safely
within the cloud, and this presents a major cloud computing constraint [25].
Figure 1: asymmetric encryption functions applied to the cloud.
These drawbacks bring the role of Homomorphic Encryption (HE) into the picture. Homomorphic
encryption is presented as an effective technique to protect data stored in the cloud and to give
people assurance in using the cloud for data storage [1].
The goal of this paper is to provide researchers with detailed guidelines on Homomorphic
Encryption, as well as Fully Homomorphic Encryption, including algorithms, performance, and
security assumptions. These concepts should be enough to understand how HE and FHE work. The
following material should provide a strong basis for researchers who would like to deepen their
knowledge of these subjects.
Organization of this Guideline - The next section of this paper recalls some basic concepts of
homomorphic encryption (HE), followed by the functions of HE. After that, the theoretical
background of various HE schemes is given. Section 4 gives details about the properties of HE
schemes, either additive HE such as Paillier and Goldwasser-Micali (GM) (section 4.1), or
multiplicative HE such as RSA and El-Gamal (section 4.2). Section 5 covers the categories of HE:
“partial” homomorphic encryption (PHE) (section 5.1), “somewhat” homomorphic encryption (SWHE)
(section 5.2), and Fully Homomorphic Encryption (FHE) (section 5.3). Different schemes in each
category are also provided, along with their fundamental definitions, algorithms, semantic
security, and possible applications. Section 6 features a comprehensive, detailed survey of the
improvements in the field of FHE. The last section discusses the weaknesses of FHE and the
conclusion.
2. Homomorphic Encryption (HE)
2.1 Definition of Homomorphic encryption
The main objective of encryption is to assure data privacy and confidentiality in both storage and
processing. Accordingly, an untrusted CSP is given an encrypted version of the data to work on.
Many conventional cryptographic algorithms have been proposed and implemented to ensure security
[13], [15]. When all warehoused information (personal, wellbeing, financial and so on) is
encrypted, that would solve all the challenges identified with information security such as data
security, third party control, and availability. Data in the cloud can be encrypted and stored as
a means of protecting it from loss or breach, but it cannot be processed if it is sent to/from the
CSP in encrypted form, because it is not accessible. Therefore, the CSP has to decrypt the data,
which is against privacy and confidentiality, and then perform the calculations on the data before
sending the outcome to the user. Hence, both users and companies have to trust the CSP to carry
out operations [19], [31].
This practice shows the weaknesses of conventional encryption as a means of protecting data, since
it allows for loss of privacy and confidentiality. Using encryption means that the user has to
provide the cloud provider with the private key to allow computation on the data before the result
is sent back to the user. The practice then leads to users giving up their confidential
information, which is not the aim of cloud data storage technology. The weaknesses can be
addressed by a tool or an approach that allows the data to be computed on by the cloud provider
without decryption and then sent to the user.
Consider the possibility that the client could carry out any calculation on the data without the
cloud provider finding out about the client's information: calculation is done on encrypted
information without prior decryption. This is the promise of homomorphic encryption schemes [31].
Homomorphic encryption refers to “the encryption technology that implies that the procedures on
the encrypted data and matching outcome can be attained as on original data.” The mathematical
operations can be done on the ciphertext without altering the nature of the encryption [28]. With
HE, a firm can encrypt its database and submit it to a cloud, and the data can be processed
without decrypting it; in other words, homomorphic encryption cryptosystems perform operations on
encrypted information without the private key held by the client [34], [12].
As such, the user can perform arbitrary computations on the hosted information without the
intervention of the cloud provider [19]. However, HE has its limitations, which include its
inability to deal with certain threats such as attacks with selected ciphertext (IND-CCA) and
attacks with selected plaintext (IND-CPA). These setbacks emphasize the demand for a capability to
carry out computations on encrypted data, a capability that offers several crucial applications
including the capacity to privately outsource computations [35].
2.2 Functions of Homomorphic encryption
An encryption scheme is considered homomorphic if: given a plaintext (m) = (m1, m2), one can
compute E[f(m1, m2)] from E(m1) and E(m2), without using pk, where f might be +, ×, ⊕.
Homomorphic encryption permits the conversion of the ciphertext c(m) of a text m to the ciphertext
c(f(m)) of a function of the text m without revealing the message [28], [19], [34], [12].
Homomorphic Encryption (HE) comprises seven principles, as shown in Figure 2:
HE = {Key Generation (G), Encryption (E), Storage, Request, Evaluation (EV), Response, and
Decryption (D)}.
Figure 2: Homomorphic encryption applied to the cloud.
(1) Key Generation (G) – at this stage, the client generates a pair of keys: a public key (pk)
alongside a secret/private key (sk), to perform the encryption of the plaintext (m).
(2, 3) Encryption (E) – the client encrypts the plaintext (m) using pk and produces Epk(m). Then,
the ciphertext (c) is delivered to the server alongside pk.
(4) Storage – the pk and the encrypted data are stored in the cloud database.
(5) Request – to analyze the encrypted information, the client must send a request to the main
server.
(6) Evaluation (EV) – the server processes the request and applies the function f to the
ciphertext (c), in line with the required evaluation function, using pk.
(7) Response – the cloud provider responds by returning the processed result to the client.
(8) Decryption (D) – the resulting EV(f(c)) is decrypted by the client using its secret key, and
it obtains the original data (m).
3. History of the HE
The concept of “privacy homomorphism” was introduced by Rivest, Adleman, and Dertouzos in 1978.
Although the concept was proposed then, little progress was made over a period of 30 years.
Goldwasser and Micali suggested in 1982 a provably secure encryption system known as
Goldwasser-Micali (GM), which achieved an outstanding level of safety. This system was an additive
homomorphic encryption scheme, but it could perform just one operation and encrypt a single bit.
The GM encryption scheme performs addition of encrypted bits mod 2 (that is, the exclusive-OR
function). The Benaloh cryptosystem is an extension of Goldwasser-Micali (GM). It was developed in
1994 by Benaloh. Four years later, the Naccache–Stern cryptosystem (NS) was proposed by Naccache
and Stern in 1998. The Okamoto–Uchiyama (OU) cryptosystem was presented in the same year by
Okamoto and Uchiyama. On the same note, Pascal Paillier introduced another provably secure
additive homomorphic encryption scheme in 1999. In late 2000, the Damgård–Jurik cryptosystem (DJ)
was proposed by Damgård and Jurik, and it was a generalization of the Paillier cryptosystem. All
these schemes were intensively studied and supported either homomorphic addition or multiplication
of plaintexts, but not both!
Boneh, Goh, and Nissim developed in 2005 a better semantically secure scheme known as the
Boneh-Goh-Nissim (BGN) cryptosystem. It allows an arbitrary number of additions but only a single
multiplication.
In 2009, Craig Gentry produced the groundbreaking work on fully homomorphic encryption; since
then, the original blueprint has interested many researchers. In the next section, the properties
of HE are addressed, and in the one following, details of these cryptosystems are given under the
HE category each is most related to [28], [34], [35], [3], [18], [36], [19].
Figure 2, text of the diagram:
Client:
  Plaintext (m) = m1, m2.
  (1) Client generates (pk), (sk).
  (2) Client encrypts: c = Epk(m) = (Epk(m1), Epk(m2)).
  (3) Client sends c, pk to the cloud server.
  (5) Client sends requests to the server to perform the operation.
  (8) Client decrypts the returned (y): m = Dsk(y).
Cloud Provider:
  (4) c and pk are stored in the database.
  (6) The server processes the requested function and performs the operation on c without
      decryption: y = EVpk f(c) = EVpk f(Epk(m1), Epk(m2)).
  (7) The processed result (y) is returned to the client.
4. Properties of Homomorphic Encryption
HE systems can be classified according to the operation they allow on the original data, as
follows [1], [19], [34], [28], [12]:
1. Additive homomorphic encryption (e.g., Paillier, GM cryptosystem), or
2. Multiplicative homomorphic encryption (e.g., RSA, El-Gamal cryptosystem).
HE enables servers to carry out sophisticated mathematical computations on encrypted records
without learning the original message. In more detail, given plaintexts m1 & m2 and the
corresponding ciphertexts c1 & c2, an HE scheme allows the processing of c1 Θ c2 without applying
pk1 Θ pk2. In that connection, the cryptosystem is additive or multiplicative homomorphic
depending on the Θ operation, which can be addition or multiplication.
4.1 Additive Homomorphic Encryption (AHE)
The additive operation allows HE schemes to evaluate raw data. Examples of such schemes are the
Paillier, GM, Benaloh, and Okamoto-Uchiyama cryptosystems. Scholars assert that HE is additive if:
E(m1 ⊕ m2) = E(m1) ⊕ E(m2), without knowing (m1) and (m2).
4.2 Multiplicative Homomorphic Encryption (MHE)
In simple terms, the multiplicative homomorphic property refers to systems in which the resulting
ciphertext corresponds to the product of the plaintexts. The RSA and El-Gamal cryptosystems are
multiplicative homomorphic schemes. Homomorphic encryption is multiplicative if:
E(m1 ⊗ m2) = E(m1) ⊗ E(m2), without knowing (m1) and (m2).
5. Categories of Homomorphic Encryption
5.1 Partially HE Schemes (PHE)
In partially homomorphic encryption, one operation, either addition (e.g., Paillier, GM
cryptosystem) or multiplication (e.g., RSA, El-Gamal cryptosystem), can be performed on the
ciphertext, but both operations cannot be handled [12]. The following algorithms are different
examples of PHE cryptosystems. For more details, Kukucka in his thesis [20] investigated these
algorithms theoretically.
5.1.1 Goldwasser-Micali cryptosystem (GM)
The Goldwasser-Micali (GM) additive HE cryptosystem was proposed by Goldwasser and Micali in 1982.
It is a probabilistic public key algorithm, but it encrypts bit by bit [12]. This scheme is
considered an important milestone for later research. Some schemes proposed afterwards were
treated as generalizations of this one [15]. GM has the XOR homomorphic characteristic, which we
can also call addition modulo 2. The security of the GM cryptosystem relies on the quadratic
residuosity problem [20].
5.1.2 The Benaloh Cryptosystem
The Benaloh cryptosystem was proposed to improve the poor expansion factor of the GM cryptosystem.
Instead of bit-by-bit encryption, the Benaloh scheme encrypts a block of r bits at once, using a
technique called “dense probabilistic encryption.” Assume we have a k-bit plaintext and n is the
security parameter; this technique encrypts the k-bit plaintext to a ciphertext of n + k bits.
Benaloh cryptosystem messages are restricted by a small prime. This scheme rests on the difficulty
of the higher residuosity problem [20].
5.1.3 Naccache–Stern cryptosystem (NS)
The Naccache–Stern cryptosystem was classified first as a deterministic public key homomorphic
scheme, but it has been shown that, after revision, it can be made probabilistic [25]. NS is
regarded as a generalization of the Benaloh cryptosystem that reduces the expansion factor of the
ciphertext, since the messages are restricted by the product of many small primes.
In terms of time complexity, recovering a plaintext from its matching ciphertext is a little less
efficient, because the procedure includes decoding the ciphertext modulo each of the small prime
factors and then recombining the results using Chinese remaindering [20]. The security of the NS
cryptosystem relies on the higher residuosity problem, which is considered to be more intractable
than integer factorization.
5.1.4 Okamoto-Uchiyama Cryptosystem (OU)
Like the RSA public key cryptography scheme, the Okamoto-Uchiyama (OU) homomorphic cryptosystem
relies on the difficulty of factoring large integers. The primary difference of this system is
that it works in the multiplicative group of integers modulo n, where n has the form $n = p^2 q$
instead of $n = pq$, and p and q are large primes. This cryptosystem is considered homomorphic
under addition, subtraction, and multiplication of ciphertext. The semantic security of this
probabilistic scheme derives from the p-subgroup assumption, which is very similar to the
quadratic residuosity problem and the higher residuosity problem [20].
5.1.5 Paillier cryptosystem
Pascal Paillier proposed a new probabilistic asymmetric cryptographic algorithm with an additive
homomorphic characteristic. It has been seen as an extension of Okamoto-Uchiyama. Its security is
proven under the Decisional Composite Residuosity Assumption (DCRA) [31]. It has numerous
applications, such as threshold schemes and e-voting systems.
Algorithm 1 demonstrates the additive property of the Paillier cryptosystem [15], [28], [34], [1],
[19].
Algorithm 1: Paillier Algorithm
Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p, q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute $n = p \cdot q$
    Compute $\varphi(n) = (p - 1)(q - 1)$, where $\gcd(n, \varphi(n)) = 1$
    Compute $\lambda = \mathrm{lcm}(p - 1, q - 1)$ (Carmichael’s function)
    Choose $g \in G$, where g is a random integer and $G = \mathbb{Z}^*_{n^2}$
    Compute $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$
      (this means $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$, where $L(u) = (u - 1)/n$)
  Output: (pk, sk)
    Public key: pk = (n, g)
    Secret key: sk = (p, q) or (equivalently λ)
Encryption: E(m, pk): c
  Input: (m), and pk = (n, g), where m < n
    Plaintext $m \in \mathbb{Z}_n$, where $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$
  Computation:
    Choose $r \in \mathbb{Z}^*_n$, where r is a random integer < n
    Compute $c = g^{m} \cdot r^{n} \bmod n^2$
  Output: (c)
    Ciphertext $c \in \mathbb{Z}_{n^2}$
Decryption: D(c, sk): m
  Input: (c), and sk, where $c < n^2$
    Ciphertext $c \in \mathbb{Z}_{n^2}$
  Computation:
    Compute $m = L(c^{\lambda} \bmod n^2) \cdot L(g^{\lambda} \bmod n^2)^{-1} \bmod n$
    $m = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_n$
Assume there are two ciphertexts c1 & c2. The following illustration demonstrates the additive
homomorphic characteristic of the Paillier cryptosystem:
$c_1 = g^{m_1} r_1^{n} \bmod n^2$
$c_2 = g^{m_2} r_2^{n} \bmod n^2$
$c_1 \cdot c_2 = (g^{m_1} r_1^{n} \bmod n^2) \cdot (g^{m_2} r_2^{n} \bmod n^2)$
Additive property is: $g^{m_1 + m_2} (r_1 r_2)^{n} \bmod n^2$
5.1.6 Damgard-Jurik Cryptosystem (DJ)
Damgard-Jurik is a probabilistic asymmetric homomorphic cryptosystem supporting addition and
subtraction. Like Paillier, Damgard-Jurik is based on the DCRA; the only variation is that DJ
computes modulo $n^{s+1}$ instead of $n^2$ as in Paillier. DJ is a generalization of Paillier’s
scheme to the groups $\mathbb{Z}^*_{n^{s+1}}$, where $s > 0$. As s increases, the expansion
decreases. DJ's semantic security relies on the assumption of the Decisional Composite Residuosity
Problem [15], [20].
5.1.7 RSA Algorithm
In 1978, Rivest, Shamir, and Adleman suggested their public-key cryptosystem, now the most widely
used. The RSA scheme has a multiplicative homomorphic property. This means that the homomorphic
operation given by RSA is the product of two messages modulo n. RSA's semantic security relies on
the hardness of the integer factorization problem.
Algorithm 2 demonstrates the multiplicative property of the RSA cryptosystem [34], [28], [19],
[26], [1], [15].
Algorithm 2: RSA Algorithm
Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p, q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute $n = p \cdot q$
    Compute $\varphi(n) = (p - 1)(q - 1)$, where $\gcd(n, \varphi(n)) = 1$
    Choose $e \in \{2, \ldots, \varphi(n) - 1\}$, where e is a random integer
      such that $\gcd(e, \varphi(n)) = 1$
    Compute $d = e^{-1} \pmod{\varphi(n)}$ (this means $e \cdot d = 1 \bmod \varphi(n)$)
  Output: (pk, sk)
    Public key: pk = (n, e)
    Secret key: sk = (d)
Encryption: E(m, pk): c
  Input: (m), and pk = (n, e)
    Plaintext $m \in \mathbb{Z}_n$, where $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$
  Computation:
    Compute $c = m^{e} \bmod n$
  Output: (c)
    Ciphertext $c \in \mathbb{Z}_n$
Decryption: D(c, sk): m
  Input: (c), and sk = (d)
    Ciphertext $c \in \mathbb{Z}_n$
  Computation:
    Compute $m = c^{d} \bmod n$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_n$
Assume there are two ciphertexts, c1 & c2. The following illustration demonstrates the
multiplicative homomorphic characteristic of the RSA cryptosystem:
$c_1 = m_1^{e} \bmod n$
$c_2 = m_2^{e} \bmod n$
$c_1 \cdot c_2 = m_1^{e} m_2^{e} \bmod n$
Multiplicative property is: $= (m_1 \cdot m_2)^{e} \bmod n$
5.1.8 El-Gamal Encryption Algorithm
Similar to RSA, the public key encryption scheme given by El-Gamal is a multiplicative homomorphic
cryptosystem. It was proposed by Taher El-Gamal in 1984, and its security relies on the hardness
of the Diffie-Hellman problem. The next algorithm (Algorithm 3) demonstrates the multiplicative
property of the El-Gamal cryptosystem [12], [26], [28], [15].
Assume there are two ciphertexts, $c_1 = (x_1, y_1)$ & $c_2 = (x_2, y_2)$.
The following illustration demonstrates the multiplicative homomorphic characteristic of the
El-Gamal cryptosystem:
$c_1 \cdot c_2 = (x_1, y_1) \cdot (x_2, y_2) = (x_1 \cdot x_2,\; y_1 \cdot y_2)$
$= (g^{k_1} g^{k_2},\; (m_1 \beta^{k_1}) \cdot (m_2 \beta^{k_2})) \bmod p$
Multiplicative property is: $= (g^{k_1 + k_2},\; (m_1 \cdot m_2)\, \beta^{k_1 + k_2}) \bmod p$
In terms of the efficiency of PHE schemes, NS permits a lower message expansion (N/Q) than the
Benaloh cryptosystem. In order to ensure that the system remains protected and secure, the lower
bound of this expansion rate should be four. Improved schemes have been developed with the
expansion factor lowered to increase efficiency. Nonetheless, NS has not been deemed as suitable
as the Okamoto-Uchiyama cryptosystem, which is easier to apply and has a constant expansion rate
of three. Scholars aimed at reducing the rate without decreasing the level of security. For
instance, the Paillier cryptosystem allowed efficient decryption by enabling encryption of many
bits in a single calculation, with a better expansion rate of two. The security of the DJ
cryptosystem is comparable to that of Paillier’s original scheme, but this generalization of
Paillier permits reduction of the expansion rate to about one. A comparison of Paillier, RSA, DJ,
and El-Gamal can be made assuming the same security factor k [25].
Table 1 presents a comparison of the different HE schemes according to properties, categories, and
security assumption.
Algorithm 3: El-Gamal Algorithm
Key Generation: G(p, g): pk, sk
  Input: (p, g)
    Choose p ∈ P, where p is a large prime number
    Choose $g \in \mathbb{Z}^*_p$, where g is a generator of the cyclic group $\mathbb{Z}^*_p$
    Choose $a \in \{2, \ldots, p - 2\}$, where a is a random integer
  Computation:
    Compute $\beta = g^{a} \bmod p$
  Output: (pk, sk)
    Public key: pk = (p, g, β)
    Secret key: sk = (a)
Encryption: E(m, pk): c
  Input: (m), and pk = (p, g, β)
    Plaintext $m \in \mathbb{Z}_p$, where $\mathbb{Z}_p = \{0, 1, \ldots, p-1\}$
    Choose $k \in \{2, \ldots, p - 2\}$, where k is a random integer
  Computation:
    Compute $x = g^{k} \bmod p$
    Compute $y = m \cdot \beta^{k} \bmod p$
  Output: (c)
    Ciphertext c = (x, y)
Decryption: D(c, sk): m
  Input: c = (x, y), and sk = (a)
    Ciphertext $c \in \mathbb{Z}_p$
  Computation:
    Compute $m = x^{-a} \cdot y \bmod p$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_p$
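An added Python example (not from the paper) of Algorithms 2 and 3: multiplying ciphertexts of unpadded RSA, or El-Gamal ciphertexts component-wise, yields an encryption of the product of the plaintexts. Function names, the demo primes, the fixed RSA exponent and the sample messages are assumptions; the tests also show that RSA as specified is deterministic while El-Gamal is randomized.

```python
import secrets

# Constructed demo parameters, far too small for real use.
P_DEMO = 2**31 - 1      # Mersenne prime; also used as the El-Gamal modulus p
Q_DEMO = 2**61 - 1      # Mersenne prime
G_DEMO = 7              # 7 is a primitive root modulo 2^31 - 1


def rsa_keygen(p, q, e=65537):
    """Algorithm 2 key generation. A fixed e is an assumption; the paper picks e at random."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # raises ValueError unless gcd(e, phi(n)) = 1
    return (n, e), d


def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)             # c = m^e mod n, no padding and no randomness


def rsa_decrypt(pk, d, c):
    return pow(c, d, pk[0])         # m = c^d mod n


def rsa_mul(pk, c1, c2):
    """Evaluation without the secret key: c1 * c2 = (m1 * m2)^e mod n."""
    return c1 * c2 % pk[0]


def elgamal_keygen(p, g):
    """Algorithm 3 key generation: secret a in {2..p-2}, beta = g^a mod p."""
    a = secrets.randbelow(p - 3) + 2
    return (p, g, pow(g, a, p)), a


def elgamal_encrypt(pk, m):
    p, g, beta = pk
    k = secrets.randbelow(p - 3) + 2                 # fresh k for every message
    return pow(g, k, p), m * pow(beta, k, p) % p     # (x, y)


def elgamal_decrypt(pk, a, c):
    p = pk[0]
    x, y = c
    return pow(x, p - 1 - a, p) * y % p              # x^(-a) * y mod p


def elgamal_mul(pk, c1, c2):
    """Component-wise product: (x1*x2, y1*y2) encrypts m1*m2 under k1 + k2."""
    p = pk[0]
    return c1[0] * c2[0] % p, c1[1] * c2[1] % p


def demo(m1=6, m2=7):
    rsa_pk, d = rsa_keygen(P_DEMO, Q_DEMO)
    rsa_c = rsa_mul(rsa_pk, rsa_encrypt(rsa_pk, m1), rsa_encrypt(rsa_pk, m2))
    eg_pk, a = elgamal_keygen(P_DEMO, G_DEMO)
    eg_c = elgamal_mul(eg_pk, elgamal_encrypt(eg_pk, m1), elgamal_encrypt(eg_pk, m2))
    return rsa_decrypt(rsa_pk, d, rsa_c), elgamal_decrypt(eg_pk, a, eg_c)


if __name__ == "__main__":
    print(demo())
```

The same property that lets the cloud multiply ciphertexts lets anyone transform a ciphertext into another valid one, which is why schemes that are homomorphic in this way cannot meet the chosen-ciphertext (IND-CCA) notion mentioned in Section 2.1.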
HE Scheme | Year | HE Category | Homomorphic Features | Security Assumption
----------|------|-------------|----------------------|--------------------
Privacy Homomorphism | 1978 | --- | --- | ---
Goldwasser-Micali (GM) | 1982 | PHE | XOR | Quadratic residuosity problem
The Benaloh | 1994 | PHE | Additive | Higher residuosity problem
Naccache–Stern (NS) | 1998 | PHE | Additive | Higher residuosity problem
Okamoto-Uchiyama (OU) | 1998 | PHE | Additive | P-subgroup assumption
Paillier | 1999 | PHE | Additive | Decisional Composite Residuosity Assumption (DCRA)
Damgard-Jurik (DJ) | 2000 | PHE | Additive | Decisional Composite Residuosity Assumption (DCRA)
RSA | 1977 | PHE | Multiplicative | Integer factorization problem
El-Gamal | 1984 | PHE | Multiplicative | Diffie-Hellman problem
Boneh-Goh-Nissim (BGN) | 2005 | SWHE | Unlimited additions, but only one multiplication | Subgroup decision problem
Gentry’s FHE | 2009 | FHE | Unlimited additions and multiplications | Sparse Subset Sum (SSSP) assumption
Table 1. Properties, Categories, and Security Assumption of HE Schemes [1] [12] [20].
5.2 Somewhat HE Schemes (SWHE)
Somewhat homomorphic encryption approaches can evaluate only a limited number of addition and
multiplication operations [12]. SWHE schemes are encryption systems that present certain
homomorphic characteristics but lack full homomorphic capacity. The schemes support a certain
number of additions but only a single multiplication, and every time an operation is performed it
adds “noise” to the ciphertexts, which eventually makes decryption impossible [32], [31].
Additionally, in SWHE systems the ciphertexts can expand in size, violating the compact message
requirement. Boneh-Goh-Nissim (BGN), described below, is considered the most famous SWHE scheme.
For more information about the algorithm and its security, see Kukucka's thesis [20].
5.2.1 Boneh-Goh-Nissim (BGN)
The first major breakthrough in this area came in 2005. Such schemes have allowed the combination
of addition and multiplication with fixed-size ciphertexts. Boneh, Goh, and Nissim developed a
better semantically secure scheme known as the Boneh-Goh-Nissim (BGN) cryptosystem. With the BGN
public key cryptosystem, it became possible to handle an arbitrary number of additions but only a
single multiplication. The BGN cryptosystem uses bilinear pairings to allow the computation of a
single homomorphic multiplication of two ciphertexts. It also evaluates quadratic formulas on
encrypted data (e.g., 2-DNFs) [36], [3], [18]. BGN is secure under the assumption of the subgroup
decision problem. The message expansion degree of the BGN cryptosystem is represented by N/R,
where N refers to the bit-length of n while R denotes the bit-length of r.
5.3 Fully Homomorphic Encryption (FHE)
5.3.1 What is FHE
Fully homomorphic encryption supports an arbitrary number of multiplications and additions and
hence can compute any function on encrypted information. For all forms of computation on
information warehoused in the cloud, FHE must be embraced because it allows execution of
operations on encrypted records without decryption. As such, the use of FHE is a crucial step in
enhancing cloud-computing security [19]. The concept of FHE is just about as old as the idea of
public key encryption. Unlike public key encryption, an initial construction of FHE eluded
cryptographers' attempts for a long time. In light of the difficulty of achieving FHE, and its
potential as a primitive for building and streamlining other cryptographic schemes and for
outsourcing computation, some have come to consider FHE the “holy grail” of cryptography. With
Gentry's innovative blueprint in 2009, cryptographers have effectively obtained the holy grail;
nonetheless, Gentry's work does not represent a conclusion to the quest for the Holy Grail [36].
Gentry's work presented a plausible construction of fully homomorphic encryption. The fundamental
building block in Gentry's design is what is called “Somewhat” Homomorphic Encryption (SWHE),
which depends on the hardness of lattice problems [4]. The next section gives comprehensive
details of Gentry’s FHE blueprint.
5.3.2 Gentry (2009)
In late 2009, Craig Gentry, an employee of IBM, invented the first encryption scheme that is fully
homomorphic [3], [18], based on ideal lattices. In Gentry’s original work, he started with an SWHE
scheme and later “bootstrapped” it to produce a Fully Homomorphic Encryption system [31], [32].
Gentry suggested a homomorphic scheme which is, roughly speaking, similar to the
Goldreich–Goldwasser–Halevi (GGH) lattice-based cryptosystem. He utilized ideal lattices as a way
to develop a bootstrappable encryption scheme. The reason for using ideal lattices is that every
ciphertext has a noise parameter, which grows in the resulting ciphertext after any homomorphic
operation applied to the original ciphertexts [10], [31]. He later demonstrated that, with a
suitable key generation technique, the security of that scheme can be reduced to the worst-case
hardness of some lattice problems in ideal lattices. But this scheme is not yet bootstrappable, so
Gentry described a change to squash the decryption procedure by minimizing the degree of the
decryption polynomial [16].
According to Gentry [3], [18], the abstract idea of FHE is straightforward. He began his work with
some assumptions, described in the following:
1. Given ciphertexts that encrypt m1, …, mt, FHE should allow anybody to output a ciphertext that
encrypts f(m1, …, mt) for any function f, as long as that function can be efficiently computed.
The inputs, outputs, and intermediate values are always encrypted; no information about m1, …, mt
or f(m1, …, mt), or any plaintext value, may leak.
2. An FHE scheme ε must have an efficient function Evaluate_ε that, given a valid ε key pair
(sk, pk), any circuit y, and any ciphertexts $c_i \leftarrow \mathrm{Encrypt}_\varepsilon(pk, \pi_i)$,
outputs $c \leftarrow \mathrm{Evaluate}_\varepsilon(pk, y, c_1, \ldots, c_t)$ such that
$\mathrm{Decrypt}_\varepsilon(sk, c) = y(\pi_1, \ldots, \pi_t)$.
3. Assume you have an encryption scheme with a “noise parameter” attached to each ciphertext, in
which encryption produces a ciphertext with small noise, i.e., < n, whereas decryption works as
long as the noise is smaller than some threshold N >> n.
4. Assume that you have an algorithm re-crypt that takes a ciphertext E(m1) or E(m2) with noise
N' < N and provides a “new” ciphertext that also encrypts m1, but which has a noise parameter
sufficiently smaller than √N. This re-crypt algorithm is sufficient to build an FHE scheme out of
the SWHE scheme.
5. Besides, suppose you have algorithms Add and Multiply that take ciphertexts E(m1) and E(m2)
and provide E(m1 + m2) for addition and E(m1 ∗ m2) for multiplication, at the cost of adding or
multiplying the noise parameters. This immediately provides a “SWHE” scheme that can deal with
circuits of multiplicative depth almost log log N – log log n.
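The noise behaviour in items 3 and 5, as an added Python example that is not from the paper and does not implement Gentry's ideal-lattice scheme: it swaps in a toy symmetric scheme over the integers (in the style of van Dijk, Gentry, Halevi and Vaikuntanathan), where the same "Add adds noise, Multiply multiplies noise" rules are easy to observe. ETA, RHO, GAMMA and all function names are assumptions; with N = 2^ETA and n = 2^RHO the bound log2 log2 N − log2 log2 n equals 5, and depth 4 is the last level guaranteed to decrypt.

```python
import secrets
from collections import namedtuple

ETA = 256     # bit length of the secret odd modulus p; decryption threshold N ~ 2^ETA
RHO = 8       # bit length of fresh noise; n ~ 2^RHO
GAMMA = 1024  # bit length of the random multiplier q that hides the noise

# `noise` is carried only to instrument the demo; a real ciphertext is just `c`.
Ct = namedtuple("Ct", "c noise")


def keygen():
    """Secret key: a random odd integer p with exactly ETA bits."""
    return secrets.randbits(ETA) | (1 << (ETA - 1)) | 1


def encrypt(p, bit):
    """c = p*q + noise, with noise = 2r + bit and 2^(RHO-1) <= noise < 2^RHO."""
    r = secrets.randbelow(2 ** (RHO - 2)) + 2 ** (RHO - 2)
    noise = 2 * r + bit
    return Ct(p * secrets.randbits(GAMMA) + noise, noise)


def decrypt(p, ct):
    """Reduce c into (-p/2, p/2] and take the parity; correct while |noise| < p/2."""
    rem = ct.c % p
    if rem > p // 2:
        rem -= p
    return rem % 2


def add(a, b):
    """Homomorphic XOR of the plaintext bits: the noise values add."""
    return Ct(a.c + b.c, a.noise + b.noise)


def mul(a, b):
    """Homomorphic AND of the plaintext bits: the noise values multiply."""
    return Ct(a.c * b.c, a.noise * b.noise)


def guaranteed_depth(eta=ETA, rho=RHO):
    """Largest d with rho * 2^d <= eta - 2, i.e. just under log2(eta) - log2(rho)."""
    return ((eta - 2) // rho).bit_length() - 1


def and_tree(p, depth):
    """AND together 2^depth fresh encryptions of 1 in a balanced tree of that depth."""
    level = [encrypt(p, 1) for _ in range(2 ** depth)]
    while len(level) > 1:
        level = [mul(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    ct = level[0]
    return {"noise_bits": ct.noise.bit_length(),
            "within_budget": ct.noise < p // 2,
            "decrypted": decrypt(p, ct)}


if __name__ == "__main__":
    key = keygen()
    for d in range(7):
        print(d, and_tree(key, d))
```

Past the guaranteed depth the noise wraps around p and the decrypted bit is no longer reliable, which is the point at which item 4's re-crypt step is needed.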
His techniques were like those used in server-aided cryptography, where a client with a slow
device wants to delegate most of the decryption work to a server without allowing the server to
decrypt completely. Gentry required a second computational hardness assumption, like ones that
have been studied in the context of server-aided cryptography.
5.3.2.1 Lattice Theory
Over the last decade, lattice theory has emerged as a
foundation of modern cryptography, especially in the
construction of fully homomorphic encryption (FHE). The
attraction of lattice-based primitives comes from the fact
that their security can often be based on worst-case
hardness assumptions [24]. Gentry’s blueprint depended on
ideals in different rings, and also on the hardness of
approximating lattice problems in the polynomial range.
Although lattice problems have been studied extensively and
are considered a standard tool in cryptography, ideal
lattices are a special class that is less well understood.
Ideal lattices are useful for building FHE because they
correspond to ideals in a polynomial ring and so inherit
natural Add and Mul operations from the ring [3], [18], [4],
[20].
Definition 5.3.2.1. Lattice L - a set of vectors in
n-dimensional Euclidean vector space with a strong
periodic structure. When the Euclidean space is at least
2-dimensional, each lattice has infinitely many elements and
infinitely many bases, whereas in cryptography all elements,
such as the ciphertext, public key, and secret key (bit
strings of fixed length), must be taken from a finite space.
Consequently, the lattices used in cryptography should be
over a finite field. Figure 3 presents an example of a
2-dimensional lattice in the Euclidean plane.
Figure 3: A 2-dimensional lattice in the Euclidean plane.
Definition 5.3.2.2. Basis of Lattice L - A set of n vectors
(v1, …, vn) can be viewed as a basis of a vector space; the
lattice it generates is
L = {a1v1 + a2v2 + ··· + anvn : a1, a2, ..., an ∈ Z}.
Lattices have many bases. Some bases are considered
“good”, while others are considered “bad.”
Definition 5.3.2.3. Lattice points - any point of the lattice
is a “linear combination” of the basis vectors with
“integer coefficients.” Mathematical operations such as
addition, subtraction, and multiplication by an integer can
be performed on the points of the vector space.
The Two Major Hard Lattice Computational Problems:
Definition 5.3.2.4. Shortest Vector Problem (SVP) – find
a shortest nonzero vector v in lattice L.
Definition 5.3.2.5. The Approximate Closest Vector
Problem (CVP) – the problem of finding the vector v in
the lattice L that is closest to a given target t.
Solution - given a target vector t not in L, draw a
fundamental domain around the target point t. Then there
are two cases:
- If the basis is “good”, i.e., it consists of short vectors
that are reasonably orthogonal to one another, then the
vertex v ∈ L of that domain that is closest to t is a
candidate for an approximate closest lattice vector.
- With a “bad” basis, the lattice vector that actually
solves CVP is much closer to the target t than the closest
vertex [29].
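Added example (not from the paper): Babai's closest-vertex rounding applied to one 2-dimensional lattice described by a “good” and by a “bad” basis, showing the two cases above. The basis vectors, the target point and the function names are sample values chosen for this illustration.

```python
"""Closest-vertex (Babai rounding) CVP on one 2-D lattice, two bases."""
from fractions import Fraction
from math import hypot, sqrt

# Sample values chosen for this example (not taken from the page).
GOOD = ((137, 312), (215, -187))      # short, nearly orthogonal vectors
# Same lattice: integer combinations with determinant 5*23 - 6*19 = 1.
BAD = tuple(
    tuple(a * x + b * y for x, y in zip(*GOOD))
    for a, b in ((5, 6), (19, 23))
)
TARGET = (53172, 81743)               # a point that is not in the lattice


def coordinates(basis, t):
    """Exact rational (c1, c2) with t = c1*v1 + c2*v2."""
    (x1, y1), (x2, y2) = basis
    det = x1 * y2 - y1 * x2
    if det == 0:
        raise ValueError("basis vectors are linearly dependent")
    c1 = Fraction(t[0] * y2 - t[1] * x2, det)
    c2 = Fraction(x1 * t[1] - y1 * t[0], det)
    return c1, c2


def closest_vertex(basis, t):
    """Round both coordinates to integers: the nearest vertex of the
    fundamental domain around t, measured in this basis."""
    (x1, y1), (x2, y2) = basis
    a1, a2 = (round(c) for c in coordinates(basis, t))
    return (a1 * x1 + a2 * x2, a1 * y1 + a2 * y2)


def distance(u, v):
    """Euclidean distance between two points."""
    return hypot(u[0] - v[0], u[1] - v[1])


def hadamard_ratio(basis):
    """sqrt(|det| / (|v1| * |v2|)): close to 1 for a nearly orthogonal
    basis, close to 0 for long, nearly parallel vectors."""
    (x1, y1), (x2, y2) = basis
    det = abs(x1 * y2 - y1 * x2)
    return sqrt(det / (hypot(x1, y1) * hypot(x2, y2)))


if __name__ == "__main__":
    for name, basis in (("good", GOOD), ("bad", BAD)):
        v = closest_vertex(basis, TARGET)
        print(f"{name:4s} basis {basis}: ratio {hadamard_ratio(basis):.3f}, "
              f"vertex {v}, distance {distance(v, TARGET):.2f}")
```

Both answers are points of the same lattice; only the basis used for rounding differs.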
Gentry’s innovation can be summarized in three stages:
first, construct a somewhat homomorphic encryption
(SWHE) scheme; next, “squash” the decryption circuit
until it is simple enough to be handled within the
homomorphic capacity of the SWHE scheme; and finally,
“bootstrap” to get an FHE scheme.
In all existing schemes, the squashing technique introduces
an additional assumption: that the sparse subset sum
problem (SSSP) is hard.
Step 1: Somewhat Homomorphic Encryption - the initial
phase in Gentry's outline is to build a “somewhat”
homomorphic encryption (SWHE) scheme, that is, an
encryption scheme that can evaluate “low-degree”
polynomials on encrypted data homomorphically. In other
words, it supports evaluating a limited number of
operations (many additions and one multiplication, like
the Boneh-Goh-Nissim cryptosystem) [20], [35], [6].
Step 2: “Squashing” the Decryption Circuit - this step
applies a “squashing” transformation to the decryption
circuit of the initial SWHE cryptosystem in order to reduce
the complexity of the decryption circuit, thus turning the
scheme into a bootstrappable one with the same
homomorphic capacity. Squashing addresses the question of
whether the bootstrapping theorem can be applied to the
SWHE schemes, specifically, whether they are actually
capable of evaluating their own decryption circuits.
Squashing is accomplished by adding a “hint” about the
secret key to the evaluation key. To be more specific,
instead of using the original secret key, an extra “hint”
about the secret key is added to the public key, in the form
of an instance of the “sparse subset-sum” problem (SSSP).
In particular, the public key is enlarged with a large set
of vectors such that there exists a very sparse subset of
them that indicates the secret key. This “extra hint” is
insufficient to decrypt a ciphertext output by the original
scheme, but it can be used to “enlarge” the ciphertext and
so build another fresh ciphertext.
Compared to schemes like RSA or El-Gamal, which rely
on exponentiation, Gentry’s original FHE scheme
depends on several complexity assumptions. The most
intricate one is the hardness of a decisional version of the
sparse subset-sum problem (SSSP), which is used in
squashing the decryption circuit. The processed ciphertext
of the underlying scheme can be decrypted with a low-degree
polynomial in the bits of the ciphertext and the new secret
key (equivalently, a circuit of small depth), which yields a
bootstrappable cryptosystem [16], [10].
Step 3: The Bootstrapping technique - an SWHE scheme can
only evaluate “low-degree” polynomials and support a
limited number of operations. To obtain an FHE
cryptosystem from an SWHE scheme, Gentry gave a
remarkable bootstrapping theorem. He demonstrated that,
given an SWHE scheme, a ciphertext can be “refreshed” by
running the decryption circuit on it homomorphically using
an encrypted private key, which yields a ciphertext with
reduced noise. The noise vector roughly doubles in size for
each addition and squares for each multiplication. As a
result, the decryption process could output incorrect
plaintext. When a ciphertext becomes large or noisy, the
cryptographer can use the SWHE scheme to evaluate the
decryption circuit using the encrypted secret key.
Given two refreshed ciphertexts, one can perform an
unlimited number of homomorphic computations (either
addition or multiplication), which could not be done on the
original ciphertexts because of the noise attached to them.
The basic idea of bootstrapping is to encrypt the plaintext
using one key and perform operations until the error
introduced into the ciphertext reaches a specific margin.
The second step is to perform the re-encryption function on
the existing ciphertext using the encrypted secret key, and
then decrypt using the first public key. Besides, if we are
willing to make an extra assumption, the secret key can be
encrypted under the same public key pk, a requirement that
is referred to as “circular security” (i.e., the scheme should
be able to encrypt its own secret key) and evaluate the
function, which is sufficient to permit HE with respect to
addition and multiplication. The hard part of this technique
is to obtain a scheme that supports evaluating “high-enough
degree” polynomials and at the same time has a decryption
circuit that can be expressed as a “low-enough degree”
polynomial. Whenever the degree of the polynomials that
can be evaluated exceeds the degree of the decryption
polynomial (times two), the scheme is called
“bootstrappable” and can be transformed into an FHE
scheme [32], [16], [35], [36], [20], [6], [10].
5.3.3 FHE Application
Cloud computing technology is widely used in the
contemporary world. FHE schemes are applicable in cloud
computing to provide security assurance to users, so that
their information remains confidential and inaccessible to
unauthorized personnel [8]. With FHE, one can outsource
mathematical computations on confidential encrypted data
to a cloud server without requiring the user’s private key.
FHE can be applied to computation in databases to maintain
the confidentiality of the user’s data. Moreover, Gentry
states in his blueprint that FHE permits private queries to a
search engine. In this case, the user submits an encrypted
query and the search engine computes an encrypted
response without ever seeing the query in the clear. In
addition, it allows searching on encrypted information,
where a user stores encrypted files on a remote server and
later retrieves only the files that satisfy some boolean
constraint, even though the server cannot decrypt the files
on its own. On a broader scale, fully homomorphic
encryption improves the efficiency of secure multiparty
computation [3], [18].
6. Evolution of FHE
Since Gentry published the first fully homomorphic
encryption scheme in 2009, this powerful discovery has been
an active research subject and has attracted great
interest. Many researchers have worked to improve the
scheme; consequently, the evolution of FHE has greatly
widened the range of calculations that can be performed on
encrypted data homomorphically. Other proposals relied on
simpler or more efficient assumptions than Gentry’s scheme.
They adopted other techniques, e.g., integers instead of
lattices, learning with errors, or linear SWHE
cryptosystems based on error-correcting codes.
Consequently, the performance of the later schemes has
improved. Nevertheless, FHE still needs improvement with
regard to efficiency and the overhead of operations [3],
[18], [4].
In 2010, a number of new versions emerged that
implemented Gentry’s initial idea. Smart-Vercauteren,
followed by Stehle-Steinfeld, and then Gentry-Halevi
implemented Gentry’s work in order to get better
performance. In the same year, Gentry collaborated with
van Dijk, Halevi and Vaikuntanathan to construct a
scheme called DGHV, simpler than his initial one,
using integers rather than lattices. They developed a
simple FHE scheme that uses only simple arithmetic over
the integers. In 2011, Coron, Mandal, Naccache, and
Tibouchi improved DGHV by proposing an FHE scheme
over the integers with smaller public keys. Within the same
period, Brakerski and Vaikuntanathan presented an FHE
scheme from Ring-LWE with security for key-dependent
messages. After that, Gentry and Halevi proposed an FHE
scheme without squashing that uses depth-3 arithmetic
circuits. Then, Brakerski and Vaikuntanathan constructed a
novel FHE scheme based on standard LWE. Fourth, Lauter,
Naehrig and Vaikuntanathan presented and implemented an
SWHE scheme based on the R-LWE (ring learning with
errors) problem. Next, Smart and Vercauteren showed how
to select the parameters to enable SIMD operations. In
2012, Brakerski, Gentry and Vaikuntanathan created a
leveled FHE scheme without bootstrapping named BGV.
Coron, Naccache, and Tibouchi invented a compression
approach for reducing the public key size used by the
DGHV scheme. Gentry, in collaboration with other
scholars, Halevi and Smart, devised an improvement of
Gentry's bootstrapping procedure and combined it with
SIMD homomorphic computation. Then, Brakerski, Gentry,
and Halevi designed an FHE scheme that addressed the
issue of packing ciphertexts in LWE-based HE. In 2013,
Cheon, Coron, Kim, Lee, Lepoint, Tibouchi, and Yun
examined the issue of batching FHE schemes over the
integers. Currently, the schemes being developed support
both the addition and multiplication of ciphertexts without
limitation, pointing towards improved quality. The
development of the schemes will continue until all the
intended objectives of homomorphic encryption are met.
6.1 Gentry’s First Improvement (2010) - Smart and
Vercauteren
The initial effort to improve Gentry's fully homomorphic
public key encryption scheme [2] was made in 2010 by
Smart and Vercauteren. Their construction followed
Gentry’s technique of producing an FHE scheme from an
underlying “SWHE” scheme, with the difference that
they implemented a variant using “principal ideal lattices”
of prime determinant, thereby presenting an FHE scheme
with both relatively small key and ciphertext size.
Smart and Vercauteren showed that in such an SWHE
scheme based on lattices, the public and private keys are
represented by two large integers (regardless of the
dimension), and the private key used in decryption is
represented by one large integer. They could realize the
basic SWHE scheme, yet they were not able to support
parameters large enough to make Gentry's squashing
procedure work. Accordingly, they were not able to obtain
a bootstrappable scheme or an FHE scheme. Compared to
Gentry’s original scheme, their scheme has smaller
message expansion and key size.
One issue in the Smart-Vercauteren implementation was the
complexity of the key generation procedure for the SWHE
scheme, because many candidates must be generated in
order to find one whose determinant is prime. Besides,
Smart and Vercauteren estimated that the squashed
decryption polynomial will have a degree of a few hundred,
and that to support this procedure with their parameters,
they would have to use a lattice dimension of at least
n = 2^27 (≈ 1.3 × 10^8), which is well beyond the capacity
of the key generation process [16], [31], [10].
6.2 Gentry’s Second Improvement (2010) - Stehle
and Steinfeld
In order to obtain a faster FHE scheme than Gentry’s
original, Stehle and Steinfeld described two main
improvements concerning ideal lattices and their
analysis. Their optimization [5] can be summarized as
follows:
- First, they gave a more aggressive analysis of the
complexity of Gentry’s scheme with respect to the Sparse
Subset Sum (SSSP) assumption.
- Second, they presented a probabilistic decryption process
that can be implemented with an arithmetic circuit of “low
multiplicative degree.”
With these changes applied together, the fully homomorphic
encryption scheme became faster, with a Õ(λ^3.5) bit
complexity per elementary binary Add/Mul gate. These
enhancements can also be applied to the FHE schemes
of both Smart and Vercauteren [2] and DGHV [31].
6.3 Implementation of Gentry’s blueprint (2010) -
Gentry and Halevi
Gentry and Halevi proposed an optimized version [16] of
the Smart–Vercauteren “principal-ideal lattices”
cryptosystem [2], which makes it possible to implement the
squashing step and thus obtain a bootstrappable scheme
that can be converted to an FHE scheme.
In their implementation, they proposed a number of major
and minor optimizations and simplifications that make it
possible to implement all aspects of the scheme, including
the bootstrapping method and squashing the decryption
circuit.
- For the first major optimization, the authors followed the
same approach as Smart-Vercauteren, yet for the key
generation procedure, instead of requiring a prime
determinant, their scheme requires that the Hermite
Normal Form (HNF) of the lattice has a particular form.
- Another major optimization concerns the decryption
circuit. Gentry and Halevi do not require “full polynomial
inversion” since they decrypt using a “simpler
decryption circuit.” Similar to the Smart-Vercauteren
implementation, they use a single coefficient of the secret
inverse polynomial, but the difference is that they use
“modular arithmetic” instead of “rational division.”
- As for the bootstrappable scheme, the public key includes
instances of the sparse-subset-sum problem (SSSP)
which have a “very space-efficient representation.”
- The public key contains an encryption of all the secret
key bits in the FHE scheme. In addition, in order to reduce
the storage space for all the encrypted data, they used a
“space-time tradeoff.”
- In order to speed up encryption, they used an efficient
algorithm for “batch evaluation” of many polynomials. The
private key in their implementation is a binary vector of
length “S ≈ 1000” with only s = 15 bits set to one and the
other bits set to zero. By representing the secret key in s
groups of S bits, they obtained an important speedup.
Their implementation was tested with lattices of several
dimensions, corresponding to four different security levels
(“toy”, “small”, “medium” and “large”): from a “toy”
setting in dimension 512 to “small”, “medium”, and “large”
settings in dimensions 2048, 8192 and 32768. The
public-key size ranges from 70 Mb for the “small”
setting to 2.3 Gb for the “large” setting [31], [10].
6.4 DGHV FHE scheme over the integers (2010) -
Dijk, Gentry, Halevi, and Vaikuntanathan
Compared to Gentry's original construction, the main
advantage of this approach is its conceptual simplicity.
Dijk, Gentry, Halevi, & Vaikuntanathan proposed a very
simple SWHE scheme (the DGHV scheme) [11], in which
all mathematical operations are done over the integers
using only “elementary modular arithmetic computation”
instead of ideal lattices over a “polynomial ring.” However,
they followed Gentry’s blueprint to transform the SWHE
scheme into an FHE scheme using “error correcting codes.”
To be more specific, they adopted the same “squash
decryption circuit” method to get a bootstrappable scheme,
and then applied the ciphertext refreshing procedure to get
an FHE scheme [31], [10].
This was a significant contribution to the advancement of
FHE. Nonetheless, in order to achieve full homomorphism,
DGHV also performs a re-encryption step before
mathematical operations to reduce the noise components,
which greatly raises the computational complexity. The
primary accomplishment was that the plaintext consists of
integers as opposed to one bit. Also, they reduced the
security of their SWHE scheme to the approximate-gcd
problem: given a list of integers that are “near-multiples” of
a hidden integer, output that hidden integer.
Consequently, the DGHV construction depends on the
hardness of this approximate common divisor problem,
defined in the prior work of Howgrave-Graham [11], [20].
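Added example (not code from the paper or from the DGHV authors): a toy symmetric bit-encryption scheme over the integers of the form c = m + 2r + pq, used to show how the noise described in Section 5.3.2 adds under Add, multiplies under Multiply, and finally breaks decryption. The concrete form of the scheme, the 17-bit key p = 65537 and all function names are assumptions of this example, and the sizes are far too small to be secure.

```python
"""Toy symmetric scheme over the integers: c = m + 2r + p*q (insecure sizes)."""
import secrets

P = 65537  # secret key: an odd integer (toy value constructed for this example)


def encrypt(p, m, r=None, q=None):
    """Encrypt bit m; r is the small noise term, q a large random multiplier."""
    if m not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    if r is None:
        r = secrets.randbelow(8)       # fresh noise m + 2r stays below 2**4
    if q is None:
        q = secrets.randbits(64) + 1
    return m + 2 * r + p * q


def noise(p, c):
    """Centered residue of c mod p. It equals the accumulated noise as long
    as that noise is smaller than p/2 in absolute value."""
    x = c % p
    return x - p if x > p // 2 else x


def decrypt(p, c):
    """Plaintext bit = parity of the noise; wrong once the noise wraps mod p."""
    return noise(p, c) % 2


def add(c1, c2):
    """Homomorphic XOR of the two bits: the noise terms add."""
    return c1 + c2


def multiply(c1, c2):
    """Homomorphic AND of the two bits: the noise terms multiply."""
    return c1 * c2


def squaring_trace(p, c, levels):
    """Square c repeatedly; return (depth, noise, decrypted bit) per level."""
    trace = [(0, noise(p, c), decrypt(p, c))]
    for depth in range(1, levels + 1):
        c = multiply(c, c)
        trace.append((depth, noise(p, c), decrypt(p, c)))
    return trace


def recrypt_in_clear(p, c, r=None):
    """Stand-in for re-crypt: decrypts with the secret key and re-encrypts.
    Real bootstrapping evaluates this decryption homomorphically under an
    encrypted key; here it only shows the noise being reset."""
    return encrypt(p, decrypt(p, c), r=r)


if __name__ == "__main__":
    one = encrypt(P, 1, r=5, q=12345)          # noise 1 + 2*5 = 11
    # Fresh noise < 2**4 and threshold p/2 = 2**15 give a depth of about
    # log2(15) - log2(4) = 1.9: two squarings work, the third one fails.
    for depth, n, bit in squaring_trace(P, one, 3):
        print(f"depth {depth}: noise {n:>7}, decrypts to {bit} (expected 1)")
    c4 = multiply(multiply(one, one), multiply(one, one))
    fresh = recrypt_in_clear(P, c4, r=5)
    print("after refresh at depth 2:", squaring_trace(P, fresh, 2))
```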
6.5 FHE over the Integers with Shorter Public Keys
(2011) - Coron, Mandal, Naccache, and Tibouchi
Dijk et al. proposed the simple DGHV scheme [11].
Compared with Gentry's construction, the main
attraction of their scheme is its conceptual simplicity.
This simplicity comes at the cost of a public key
size of Õ(λ^10), which is considered too large for any
practical system. Coron, Mandal, Naccache, and
Tibouchi proposed in their contribution [10] a solution to
this problem that reduces the public key size of the
SWHE scheme from Õ(λ^10) to Õ(λ^7). According to the
authors, “the idea consists in storing only a smaller subset
of the public key and then generating the full public key on
the fly by combining the elements in the small subset
multiplicatively.” In order to get shorter public keys,
rather than performing the encryption with a linear form, a
quadratic form in the public key elements is used. They
showed that the cryptosystem remains secure under a
stronger variant of the approximate GCD assumption
already considered by van Dijk et al. The second
contribution was to describe the first implementation of the
DGHV scheme over the integers under their variant, while
borrowing some of the optimizations from the
Gentry-Halevi implementation [16] of Gentry’s
breakthrough [3], [18]. From Stehle and Steinfeld [5], they
used the improved analysis of the sparse subset sum
assumption; however, because of the increase in the error
probability for their set of parameters, they did not use the
probabilistic decryption procedure.
Their main challenge was to define a secure set of
concrete parameters. Their method was to implement the
known attacks, measure their running time and extrapolate
for large parameters; then, they could fix the concrete
parameters according to the desired level of security. They
attained almost the same level of performance as the
Gentry-Halevi implementation [16]. To be more precise,
they use the same four security levels, even though they
might not be comparable due to the different notions of
“security bits.” They defined the security parameters as
“toy”, “small”, “medium” and “large”, corresponding to
42, 52, 62 and 72 bits of security. With a public key size of
800 MB, encryption and re-cryption take 3 minutes and 14
minutes for “large” parameters. This result showed that
FHE can be performed using basic mathematical
operations.
6.6 FHE from Ring-LWE and Security for Key
Dependent Messages (2011) - Brakerski and
Vaikuntanathan
Brakerski and Vaikuntanathan proposed an SWHE
scheme [7] that is extremely simple to understand and
implement. Its security reduces to the worst-case
hardness of problems on ideal lattices. The authors then
transformed it into an FHE scheme using the same
techniques proposed by Gentry [3], [18], i.e., the
“squashing” and “bootstrapping” techniques. One of the
obstacles in going from “somewhat” to “fully” homomorphic
encryption is the requirement that the SWHE scheme be
“circular secure”, i.e., the scheme should be able to
securely encrypt its own private key. According to the
authors, this requirement had to be explicitly assumed,
because the SWHE cryptosystems were not known to
achieve it under any cryptographic assumption.
Consequently, they took a step towards removing this
additional assumption by showing that their scheme is
indeed secure when encrypting “polynomial functions” of
the private key. Their public key encryption scheme relies
on the “polynomial learning with errors” (PLWE)
assumption, which is a simplified form of R-LWE, proposed
by Lyubashevsky, Peikert and Regev [24]. The R-LWE
assumption makes it possible to eliminate entirely the
worst-case hardness on ideal lattices, thus providing a
very simple scheme. It has been proved that this
scheme is somewhat homomorphic, which means that
operations of limited complexity can be evaluated on
ciphertexts. Furthermore, the SWHE scheme is “circular
secure”, meaning that it can securely encrypt significant
functions of its secret key. Finally, they showed how
FHE can be achieved by bootstrapping, using “Gentry-
style” squashing [7].
6.7 FHE without Squashing Using Depth-3
Arithmetic Circuits (2011) - Gentry and Halevi
Gentry and Halevi developed a new FHE approach [17] as
a hybrid of an SWHE scheme and a “compatible
multiplicatively homomorphic encryption” (MHE) scheme,
combined in an unexpected way. Although this construction
takes a completely different approach, it still depends on
ideal lattices. Basically, it shows how to bootstrap without
“squashing” the decryption circuit. Accordingly, this
leveled FHE scheme is constructed without the need to
assume the hardness of the sparse subset sum problem
(SSSP), which is replaced by the decisional Diffie–Hellman
(DDH) assumption. The main technique is to express the
decryption procedure of SWHE schemes as a depth-3
(ΣΠΣ) algebraic circuit of a specific form. Because of
the particular form of the decryption circuit, the
switch to the MHE scheme is possible without evaluating
anything homomorphically.
Consequently, when evaluating this circuit during
bootstrapping, the authors developed an optimization of
their leveled FHE scheme in which the whole leveled FHE
ciphertext is temporarily “compressed” into a single MHE
(e.g., El-Gamal) ciphertext. In other words, the SWHE
scheme needs to evaluate the MHE scheme's decryption
circuit rather than its own decryption circuit, thus
removing the “circularity” that made the squashing step
necessary. The result is translated back to the SWHE
scheme by homomorphically evaluating the decryption
procedure of the MHE scheme. Finally, they showed that
the MHE scheme can be replaced by an additively
homomorphic encryption (AHE) scheme that is able to
encrypt discrete logarithms. This replacement allowed them
to develop a leveled FHE scheme whose semantic security
relies on the worst-case hardness of the shortest
independent vector problem (SIVP) over ideal lattices
(Ideal-SIVP), with reduced ciphertext length [31].
6.8 FHE based on (Standard) Learning with Errors
LWE (BV) (2011) - Brakerski and Vaikuntanathan
Brakerski and Vaikuntanathan proposed a radically different
way to build FHE schemes, known as the BV scheme [4],
whose security is based on the hardness of the decisional
(standard) learning with errors (LWE) assumption [23].
This scheme is unusual in that it does not entirely follow
Gentry's blueprint [18], [3] or the DGHV scheme [11] over
the integers. Compared to Gentry’s blueprint, which
involved new and relatively untested cryptographic
assumptions, the BV cryptosystem aims to establish FHE
under standard, well-studied cryptographic assumptions.
Although the BV scheme relies on the learning with errors
problem [23], which is considered as hard as solving other
hard problems on general lattices, the scheme is easy to
understand and implement and does not depend on
lattices directly. The resulting FHE scheme has very short
ciphertexts, making it more efficient than prior ones, and
it was therefore used to build an efficient LWE-based
“single-server private information retrieval” (PIR)
protocol [20], [32].
The BV scheme is summarized in two steps:
- First step: Re-linearization: Somewhat Homomorphic
Encryption without Ideals
Re-linearization makes it possible to build an SWHE scheme
whose security depends only on the worst-case hardness of
standard “short vector” problems on arbitrary (not
necessarily ideal) lattices. According to Gentry, a
scheme that is homomorphic for a class of circuits permits
evaluation of any circuit in the class. Gentry’s blueprint
showed that the “bootstrapping” technique for
obtaining FHE from SWHE requires a homomorphic
scheme whose decryption circuit lies in the class. It
turns out that homomorphic encryption schemes that
can evaluate an arbitrary number of additions and
multiplications are very difficult to obtain, even
without bootstrapping. Gentry's solution to this problem
was based on the algebraic notion of ideals in various
rings. Specifically, the plaintext is considered to be a ring
element, and the ciphertext is the plaintext combined with
some noise that belongs to an ideal. In contrast to all
earlier cryptosystems, it has been shown that SWHE can
be based on the LWE assumption, using a new method called
“re-linearization.” This technique yields an SWHE
scheme that avoids the need for complexity
assumptions on ideals in different rings [31].

- Second step: Dimension-Modulus Reduction: Fully
Homomorphic Encryption Without Squashing
Dimension-modulus reduction removes the need for the
rather complex “squashing step” used in Gentry’s solution
as well as all subsequent ones, hence avoiding the
additional, very strong hardness assumption, namely the
hardness of the sparse subset-sum problem (SSSP). The
researchers introduced a new technique known as
“dimension-modulus reduction”, which makes it possible to
upgrade the SWHE scheme into an FHE one with the same
homomorphic properties while reducing the ciphertext size
and the decryption complexity of the scheme, all without
relying on any additional assumptions [31].
The Learning with Error Problem (LWE)
The Learning with Errors (LWE) problem was proposed by
Regev [9] and has recently served as the foundation
for a wide range of cryptographic applications. Many
researchers in the field of cryptography use LWE to
construct cryptographic schemes in order to obtain a high
level of security and efficiency [24].
The LWE problem asks to recover a secret s ∈ Z_q^n given
a sequence of approximate random linear equations on s.
For example, the input might be as follows:
14s1 + 15s2 + 5s3 + 2s4 ≈ 8 (mod 17)
13s1 + 14s2 + 14s3 + 6s4 ≈ 16 (mod 17)
6s1 + 10s2 + 13s3 + 1s4 ≈ 3 (mod 17)
10s1 + 4s2 + 12s3 + 16s4 ≈ 12 (mod 17)
9s1 + 5s2 + 9s3 + 6s4 ≈ 9 (mod 17)
3s1 + 6s2 + 4s3 + 5s4 ≈ 16 (mod 17)
.
.
.
6s1 + 7s2 + 16s3 + 2s4 ≈ 3 (mod 17)
Each equation is correct up to some small additive error
(say, ±1), and the goal is to recover s.
The answer is s = (0, 13, 9, 11) [23].
Recovering s would be very straightforward if no error
were introduced: after about n equations, s can be
recovered in polynomial time using “Gaussian elimination.”
If there is an error, the problem might be more difficult.
Definition 6.8.1. Learning with Error (LWE) Problem
Consider a linear combination of lattice basis vectors
perturbed by a small error. The problem of finding the
secret, or of distinguishing noisy random linear
functions (with error) from uniformly random vectors, is
known as the “Learning with Error” problem. In other
words, it is the problem of finding the closest vector to
a noisy vector in a given lattice, specifically, by
solving the closest vector problem (CVP) and/or a linear
combination. Hence, the difficulty of solving LWE
comes down to finding a “good” (short or close) basis for a
relevant lattice [29], [24].
On the Hardness of LWE
As demonstrated above, cryptographic schemes based on
LWE are to some extent inefficient because of an
inherent quadratic overhead in the use of LWE. Several
facts support the hardness of the LWE problem:
- Firstly, the best known algorithms for LWE run in
exponential time.
- Secondly, a related fact is the hardness of the learning
parity with noise (LPN) problem. The Learning with Errors
(LWE) problem is a natural generalization of the LPN
problem to large moduli. This means that the hardness of
LWE is not known to break down for small moduli, because
an efficient algorithm for LPN that takes advantage of the
small modulus has yet to be found.
- Thirdly, numerous lattice-based cryptosystems are based
directly on two average-case problems, i.e., the learning
with errors (LWE) problem and the short integer solution
(SIS) problem. These two average-case problems have been
shown to enjoy very strong hardness guarantees from
lattices. To be more specific, LWE has been shown to be as
hard as many worst-case problems such as the shortest
independent vectors problem (SIVP), the decision version
of the shortest vector problem (GAPSVP), and the learning
parity with noise (LPN) problem. Similarly, SIS has been
shown to be as hard as comparable worst-case problems up
to a polynomial factor in the lattice dimension. To get back
to the point, cryptographic schemes that rely on the SIS and
LWE problems usually require rather large key sizes of
order n^2. This is due to the fact that cryptographic
applications regularly need to provide a sequence of
vectors v1, . . . , vn ∈ Z_q^n. From a practical perspective,
reducing the key size to roughly linear size might lead to
efficiency improvements [23], [24], [30].
Definition 6.8.2. The Small Integer Solution (SIS)
problem - Given a sequence of vectors
v1, . . . , vn ∈ Z_q^n, find a subset of them (a combination
with small coefficients) that sums to zero (modulo q). One
can define SIS as the problem of finding short vectors in a
random lattice or code.
Algorithms for Solving the LWE problem
According to Regev [23], the naïve algorithm to solve the
learning with errors problem is known as the “maximum
likelihood algorithm”; however, the best known and most
interesting algorithm is the combinatorial algorithm
invented by Blum, Kalai, and Wasserman (BKW) [30].
The other most widely used algorithms to tackle LWE are
the lattice basis reduction (LLL) algorithm and algebraic
algorithms.
Definition 6.8.6. Maximum likelihood algorithm -
The proof of this algorithm starts by assuming that q is
polynomial and the error distribution is normal, then,
- Demonstrating that after about O(n) equations, the correct
assignment will be the secret s, since it is the only
assignment that approximately fulfills the equations
(finding s can be accomplished by trying all possible $q^n$
assignments), then,
- Obtaining an algorithm with running time
$q^n = 2^{O(n \log n)}$ that uses only O(n) equations
[23], [30].
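The exhaustive search described in Definition 6.8.6, written out as an added example (not code from the paper or from Regev's survey). The toy sizes n = 3 and q = 17, the rounded-Gaussian noise with sigma = 1 and all function names are assumptions chosen so the q^n loop finishes instantly; the last helper shows how the same search scales in bits.

```python
import itertools
import math
import random


def dot(a, s, q):
    """Inner product <a, s> reduced mod q."""
    return sum(x * y for x, y in zip(a, s)) % q


def centered(x, q):
    """Representative of x mod q in the interval (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(secret, q, m, sigma, rng):
    """Return m samples (a, b) with b = <a, s> + e mod q, e a rounded Gaussian."""
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in secret]
        e = round(rng.gauss(0, sigma))
        samples.append((a, (dot(a, secret, q) + e) % q))
    return samples


def max_likelihood(samples, n, q):
    """Try all q**n assignments and keep the most likely one.

    For Gaussian errors the most likely secret is the candidate that
    minimises the sum of squared (centered) residuals b - <a, s>.
    Returns (best candidate, its score, number of candidates tried).
    """
    best, best_score, tried = None, None, 0
    for cand in itertools.product(range(q), repeat=n):
        tried += 1
        score = sum(centered(b - dot(a, cand, q), q) ** 2 for a, b in samples)
        if best_score is None or score < best_score:
            best, best_score = list(cand), score
    return best, best_score, tried


def search_space_bits(n, q):
    """log2 of the q**n candidates the search has to enumerate."""
    return n * math.log2(q)


if __name__ == "__main__":
    rng = random.Random(2024)          # fixed seed: constructed sample data
    secret = [5, 11, 2]                # constructed toy secret
    samples = lwe_samples(secret, q=17, m=30, sigma=1.0, rng=rng)
    best, score, tried = max_likelihood(samples, n=3, q=17)
    print("recovered", best, "after", tried, "candidates, score", score)
    # Constructed larger sizes, only to show how the exponent grows with n:
    print("n=512, q=12289 ->", round(search_space_bits(512, 12289)), "bits of search")
```

The number of equations stays linear in n, but the candidate count is q^n, which is why this search is a baseline for parameter selection rather than a practical algorithm.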
Definition 6.8.7. Blum-Kalai-Wasserman (BKW)
combinatorial algorithm -
The BKW algorithm has been applied to the LWE problem to
study its complexity. The analysis is presented by first
preparing refined running-time estimates for the data and
functions requirements, thus understanding the concrete
complexity of solving the LWE problem. Second, these
estimates are applied to different parameters of LWE-based
cryptosystems and then compared with alternative estimates
based on lattice reduction. As a result,
“new recovered upper bounds for the concrete hardness of
these LWE-based schemes” are provided. It has been shown
that the BKW algorithm exceeds previous estimates for
lattice reduction algorithms [30].
Definition 6.8.8. Lattice basis reduction (LLL) algorithm -
At the cost of an approximation factor exponential in the
number of dimensions, LLL is used to reduce a lattice basis
in polynomial time. If the approximation is extremely
important to the lattice space (modulo q), resolving the
Closest Vector Problem (CVP) outputs an error. All things
considered, for a given q, there exist various dimensions
n (i.e., LWE is believed to be hard) [29].
6.9 Implementation of FHE based on R-LWE
(2011) - Lauter, Naehrig, and Vaikuntanathan
Lauter, Naehrig, and Vaikuntanathan proposed an
implementation [21] of the “somewhat” homomorphic public
key encryption scheme from the BV scheme [4] proposed by
Brakerski and Vaikuntanathan, using the computer algebra
system Magma. They concentrated on characterizing a number
of real-world applications and beneficial functions to be
performed. Most of these applications support many
addition operations, yet only a limited number of
multiplications. In a nutshell, they thought that it is
enough to implement a “SWHE” scheme since it can be much
faster and more practical than FHE schemes. Moreover, the
re-linearization technique proposed in BV, which reduces
the size of the ciphertext to two ring components, has been
employed in this implementation. They ran experiments
using Magma’s polynomial arithmetic for all calculations
(addition and multiplication) in the ring of polynomials
modulo a prime number, thus providing a similar
efficiency with the same level of homomorphism and
security. As a result, they showed that “an encryption for
the sum of 100 128-bit numbers can be calculated from the
individual ciphertexts in 20 milliseconds on a laptop
running Magma” [21].
Ring Learning with Errors problem (R-LWE) -
A major open question was whether cryptographic schemes
based on LWE can be made more efficient by taking
advantage of additional arithmetic functions, and
performing calculations on polynomials, which have
“better complexity” than vectors.
Lyubashevsky, Peikert, and Regev [24] resolved this
question by proposing a variant of LWE over rings known
as “ring-LWE”, demonstrating that it also enjoys
worst-case lattice hardness guarantees. R-LWE is a simple
extension of LWE [23] in order to get more security and
reduce ciphertext size.
The main idea behind R-LWE is that the vectors can be
viewed as polynomials modulo the n-th cyclotomic
polynomial (the unique irreducible polynomial with integer
coefficients), where n is a power of 2. They restricted their
algorithm to cyclotomic fields rather than other number
fields. According to the authors, the ring-LWE distribution
is pseudorandom, assuming that the worst-case lattice
problems underlying the ring-LWE problem are hard for
“polynomial-time quantum algorithms.” As a final point,
many improvements and security proofs on LWE quite often
have counterparts for the first truly practical variant,
R-LWE. The reason for working with R-LWE rather than LWE
is that many of the LWE-based schemes could be much more
efficient and practical when using R-LWE instead
[24], [29].
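A toy somewhat homomorphic scheme over a polynomial ring in the style of the BV/R-LWE construction discussed in Section 6.9, given here as an added example; it is not the Magma implementation of Lauter, Naehrig and Vaikuntanathan and not code from the paper. The ring Z_q[x]/(x^N + 1) with N = 16, the moduli Q and T, the ternary noise and all function names are assumptions, and the parameters are far too small to be secure.

```python
import random
from itertools import zip_longest

N = 16            # ring degree: arithmetic is in Z_Q[x]/(x^N + 1), N a power of 2
Q = 2**61 - 1     # ciphertext modulus (a Mersenne prime), toy choice
T = 65537         # plaintext modulus, toy choice


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Multiply two ring elements; x^N wraps around to -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + x * y) % Q
            else:
                out[k - N] = (out[k - N] - x * y) % Q
    return out


def small_poly(rng):
    """Stand-in for the error distribution: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def keygen(rng):
    s, e = small_poly(rng), small_poly(rng)
    a1 = [rng.randrange(Q) for _ in range(N)]
    a0 = [(-(x + T * y)) % Q for x, y in zip(poly_mul(a1, s), e)]  # -(a1*s + T*e)
    return s, (a0, a1)


def encrypt(pk, m, rng):
    """Encrypt integer m (mod T) as the constant term of a plaintext polynomial."""
    a0, a1 = pk
    u, f, g = small_poly(rng), small_poly(rng), small_poly(rng)
    msg = [m % T] + [0] * (N - 1)
    c0 = [(x + T * y + z) % Q for x, y, z in zip(poly_mul(a0, u), g, msg)]
    c1 = [(x + T * y) % Q for x, y in zip(poly_mul(a1, u), f)]
    return [c0, c1]


def he_add(ct1, ct2):
    """Component-wise addition; the shorter ciphertext is padded with zeros."""
    zero = [0] * N
    return [poly_add(x, y) for x, y in zip_longest(ct1, ct2, fillvalue=zero)]


def he_mul(ct1, ct2):
    """Multiply ciphertexts as polynomials in the secret key; length grows by one."""
    out = [[0] * N for _ in range(len(ct1) + len(ct2) - 1)]
    for i, x in enumerate(ct1):
        for j, y in enumerate(ct2):
            out[i + j] = poly_add(out[i + j], poly_mul(x, y))
    return out


def decrypt(sk, ct):
    """Evaluate c0 + c1*s + c2*s^2 + ..., lift to (-Q/2, Q/2], reduce mod T."""
    phase, s_pow = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        phase = poly_add(phase, poly_mul(c, s_pow))
        s_pow = poly_mul(s_pow, sk)
    const = phase[0] - Q if phase[0] > Q // 2 else phase[0]
    return const % T


def demo(seed=1):
    """Sum 100 encrypted numbers, then do one encrypted multiplication."""
    rng = random.Random(seed)   # not a CSPRNG; acceptable only for a toy
    sk, pk = keygen(rng)
    total = encrypt(pk, 0, rng)
    for v in range(1, 101):
        total = he_add(total, encrypt(pk, v, rng))
    prod = he_mul(encrypt(pk, 123, rng), encrypt(pk, 45, rng))
    return decrypt(sk, total), len(total), decrypt(sk, prod), len(prod)


if __name__ == "__main__":
    print(demo())
```

The sum stays a two-component ciphertext while the product has three components; re-linearization, which this example leaves out, is the step that brings it back to two.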
6.10 Fully Homomorphic SIMD Operations (2011)
- Smart-Vercauteren
Gentry’s scheme encrypts and decrypts a plaintext of only
1-bit length. For this reason, scholars thought about
improving particular operations, which could be processed
on many bits in parallel to minimize runtime. When Smart
and Vercauteren presented their variation of Gentry's
blueprint [2], they specified that their cryptosystem could
support SIMD style operations (single instruction, multiple
data). The slow key generation procedure of the
Smart-Vercauteren framework was then handled in a paper by
Gentry and Halevi; however, their key generation
technique seems to eliminate the SIMD style operation
suggested by Smart-Vercauteren. In this improvement
[33], Smart and Vercauteren revisited their SWHE
variation and proved that it can support SIMD
operations in the finite field of characteristic two by
modifying key generation. They demonstrated the
possibility of choosing parameters for the Gentry and
Halevi implementation to enable such SIMD operations,
performing the re-crypt procedure on all data elements
separately in parallel, thus obtaining FHE from the SWHE
scheme and resulting in a fundamental speed-up. At the
end, they showed how such SIMD operations can be used
to execute different higher level tasks by exploring two
situations: implementing AES encryption
homomorphically, and searching an encrypted database on a
remote server [33], [31].
6.11 BGV (Leveled FHE without Bootstrapping
from R-LWE) (2012) - Brakerski, Gentry, and
Vaikuntanathan
Brakerski, Gentry, and Vaikuntanathan constructed a
leveled BGV cryptosystem [6] on techniques of the
Brakerski & Vaikuntanathan (BV) scheme [4] while using the
R-LWE problem from [24]. Nowadays, due to the fact that
the BGV encryption scheme significantly enhances
efficiency and level of security on the “weaker
assumptions”, it is considered the first existing scheme
proved practical in real-life applications. The main
contribution of their work was a new strategy for
constructing leveled FHE schemes that are able to evaluate
“arbitrary polynomial-size circuits”, while eliminating the
bootstrapping procedure proposed by Gentry. It is
commonly considered a public key (asymmetric)
encryption scheme that encrypts bits.
There are two versions of the BGV cryptosystem: one
handles integer vectors and is based on the learning with
errors (LWE) problem [23], while the other handles
integer polynomials and is based on the Ring-learning
with errors (R-LWE) problem [24]. They started from a
somewhat homomorphic encryption (SWHE) scheme based on
“Ring LWE” assumptions [24] that has $2^{\lambda}$ security
against known attacks, since it is much more efficient. In
previous schemes which worked over ideal lattices,
sub-exponential factors have been used, along with a
parameter d (i.e., indicating the degree of the polynomials
to be evaluated). But in the BGV scheme, security is based
on lattice problems with “quasi-polynomial approximation
factors”, giving an exponential improvement. Moreover, the
experts used a parameter L (i.e., indicating the number of
levels of the arithmetic circuit being evaluated).
Brakerski, Gentry, and Vaikuntanathan offered several
improvements to Gentry's essential blueprint [3], [18], and
the BV scheme [4]. Due to the fact that their FHE scheme
has per-gate computation only “quasi-linear” in the
security parameter, they provided a number of optimization
techniques for their FHE scheme:
- A re-linearization procedure to reduce the dimension of
the ciphertext and key sizes.
- The dimension reduction strategy is used in the BV scheme
[4] to accomplish FHE instead of using squashing methods,
while in this project, the “modulus switching” procedure,
which was bundled into the “dimension reduction”
technique, is named separately and examined carefully.
- Modulus switching is refined to better manage the noise
brought into ciphertexts during homomorphic
multiplication operations without knowing the secret key,
and without bootstrapping.
- A combination of both of the above procedures, which
minimizes the multiplicative depth of the decryption
circuit, is used. According to the authors, the BV scheme's
re-linearization/modulus switching methods can be used to
convert a ciphertext c1 (decrypted using one secret key
vector s1) to a different ciphertext c2 that encrypts the
same plaintext. But in this scheme, a ciphertext c1
(decrypted using a second secret key vector s2) is
transformed to a different ciphertext c2.
- A batching technique was the first optimization in the
scheme. It reduces the per-gate calculation from
quasi-linear in the security parameter λ to
“polylogarithmic”. This is done by packing
multiple plaintexts into each ciphertext homomorphically
rather than one; however, its security gives approximately
the same level of efficiency.
- Next, they reemployed bootstrapping as an optimization
rather than a requirement. Bootstrapping makes it possible
to achieve per-gate computation quasi-quadratic in the
security parameter, independent of the depth of the circuit
being evaluated.
- Then, they showed that combining batching with the
bootstrapping method is a powerful mix. By batching
the bootstrapping optimization, circuits whose levels
mostly have width at least λ can be homomorphically
evaluated with only $\tilde{O}(\lambda)$ per-gate
computation, independent of the number of levels. In other
words, batching the homomorphic evaluation of the
decryption function reduces the per-gate calculation by
another factor of λ, from $\tilde{O}(\lambda^2)$ to
$\tilde{O}(\lambda)$ (independent of L).
BGV result - They obtained a result that was similar to the
LWE scheme; however, in case of poor performance, they
provided a number of extra optimizations. When relying on
R-LWE, they have:
- When the bootstrapping method is eliminated and security
relies on the hardness of R-LWE for an approximation factor
exponential in L, the result is a leveled FHE scheme that
can evaluate L-level arithmetic circuits, where the
per-gate calculation is $\tilde{O}(\lambda \cdot L^3)$.
- When the bootstrapping technique is used as an
optimization rather than a requirement and security is
based on the hardness of R-LWE for quasi-polynomial
factors, the result is a leveled FHE scheme with
$\tilde{O}(\lambda^2)$ per-gate calculation, independent of
L [6], [20], [28], [14], [29].
6.12 Public Key Compression and Modulus
Switching for FHE over the Integers (2012) - Coron,
Naccache, and Tibouchi
Coron, Naccache, and Tibouchi proposed a compression
procedure [22] that reduces the public key size of the Dijk
et al. (DGHV) FHE cryptosystem over the integers [11] from
$\tilde{O}(\lambda^7)$ (their result with Mandal [10]) down
to $\tilde{O}(\lambda^5)$. They obtained an implementation
of the FHE scheme with a 10.1 MB public key rather than
802 MB, using comparable security parameters.
The experts’ contributions can be listed as follows:
1. Public Key Compression - a method to decrease the
public key size of DGHV schemes. Under their variation,
the encryption scheme can remain secure under the
approximate-GCD assumption [22].
2. Extension to Higher Degrees - Different techniques
have been proposed to obtain a shorter public key size and
at the same time increase the efficiency of the DGHV
scheme [11]. The most important method is the one that uses
a quadratic form instead of a linear form. The experts in
this contribution demonstrated how to extend the quadratic
encryption procedure of their previous contribution with
Mandal [10] to higher degrees in order to get a shorter
public key for the basic DGHV scheme. They
demonstrated that a specific family of quadratic hash
functions is sufficiently close to being “pairwise
independent”, thus proving that the scheme remains
semantically secure [22].
3. Modulus Switching and Leveled DGHV Scheme -
Regarding their third contribution, they provided a new
method called “modulus switching” to show how to apply
Brakerski, Gentry and Vaikuntanathan’s (BGV) FHE
scheme [6] (without bootstrapping) with the DGHV
scheme [11] over the integers. Applying the BGV scheme,
the noise vector grows only linearly with “multiplicative
depth” rather than exponentially. This makes it possible to
obtain an FHE scheme without the costly bootstrapping
procedure. Based on their implementation and result, the
BGV framework can be practically applied, and the
resulting FHE scheme remains secure under a harder
assumption [22].

6.13 Gentry’s Bootstrapping Improvement (2012) -
Gentry, Halevi, and Smart
The major obstacle in the bootstrapping technique of
Gentry's breakthrough is the requirement to evaluate the
modular arithmetic reduction operation homomorphically.
This is basically done by simulating a “binary modular
reduction circuit”, using bit operations on integers
represented in binary. Gentry, Halevi, and
Smart presented an approach [27] that bypasses the
homomorphic reduction of one integer modulo another
to some degree, by using an arithmetic modulus near a
power of two. It is simpler to describe and implement than
the common binary circuit approach, and is provably
faster. Their strategy permits storing the encryption of
the private key as a single ciphertext, hence reducing the
size of the public key. Their scheme can be combined with
the SIMD homomorphic calculation procedures of
Smart-Vercauteren [33] as well, to run a bootstrapping
technique that could be done in time “quasilinear” in the
security parameter. This last part requires extending the
methods from previous work to process arithmetic over some
rings besides over fields. To be more specific, their
scheme works modulo a number very close to a power of two,
instead of over characteristic two fields [31].
7. FHE Semantic Security
Despite the fact that FHE schemes guarantee
confidentiality and efficiency, there are major drawbacks
that need attention. One of the greatest setbacks is the
increase in the size of the public key and its effect on
the size of the encrypted data, which leads to longer
server response time to any request from the client.
Encryption and decryption of data also affect response
time, thus making the system slow for practical usage [12].
Gentry’s concept is to minimize the complexity of the
decryption circuit. Nonetheless, the complexity of the
encryption circuit and the size of the public key increase
significantly. Consequently, Central Processing Units
(CPUs) can hardly execute such complex procedures. Assuming
that Moore’s principle is limitless, the processing power
needed to carry out FHE requires at least thirty years of
continuous development. FHE schemes represent the
computation with something called circuit homomorphism,
where each logic gate is simulated through its own HE.
Different mathematical activities can be decomposed into
fundamental operations, whereas it is hard to convert
sophisticated arithmetic activities into circuit tasks [37].
Schemes that followed Gentry’s work turned out to have
inherent efficiency weaknesses. This is due to the fact that
all of the FHE techniques require substantial computing
resources because they employ intensive sophisticated
arithmetic tools, thus generating large key sizes,
massive ciphertext per computation in a circuit, and
accumulation of noise [8]. The existing FHE schemes
always apply re-encryption processing to generate the fully
homomorphic encryption. The computational complexity
of the re-encryption method affects the real
implementation of FHE schemes. On the other hand, all
FHE schemes have a large computational overhead, which
increases runtimes for encryption and decryption, thus
making homomorphic computation of arbitrary functions
impractical. More importantly, it has been shown that the
dilemma that prevents FHE schemes from developing
practically is the “per-gate evaluation time”, which means
the ratio of the time needed to evaluate a circuit
homomorphically to the time needed to evaluate the same
circuit on plaintext inputs. The FHE schemes that followed
Gentry’s initial work have a per-gate evaluation time of
$\Omega(\kappa^4)$, where $\kappa$ is the security
parameter [35]. Moreover, a fresh security assumption known
as the Sparse Subset Sum Problem (SSSP), whose security is
yet to be proved, has been introduced at the point of
squashing the decryption circuit. As a result, FHE still
bears a security risk for the data stored. The level of
security is high, but not satisfactory. To realize a fully
homomorphic encryption design, all of these setbacks must
be overcome [37].
8. Conclusion
Cloud computing security founded on HE is a fresh
idea of security. The exploration of HE schemes highlights
important concepts regarding the generation of
cryptographic needs. It is used to promote the security of
users’ data in the cloud and support easy retrieval of the
data. Therefore, applications of homomorphic encryption
have increased in recent times with the spread of cloud
computing. The role of adopting HE algorithms by the CSP
to maintain the confidentiality of private data cannot be
underestimated. Cloud computing draws researchers’
attention to developing practical FHE schemes. In fact, the
current level of usage of homomorphic encryption
points towards its improved usage and further research to
address its weaknesses. Precisely, the most effective FHE
method is still very costly and suffers from poor
performance. Performing computations using FHE
takes quite long; however, as inventions evolve, the
situation will change for the better.
Comprehensively, this research paper has simplified
numerous definitions related to HE. The role of HE in the
existing applications has been explored and the current
state of the art has been reviewed and presented
systematically. Although the use of homomorphic
encryption techniques improves cloud computing
benefits and promotes client satisfaction and security of
data, its weaknesses in speed and in the ability
to manage large loads of data need to be addressed.
Therefore, further research to improve these schemes is
needed to strengthen homomorphic encryption; it should
focus on developing ways that are much better in terms of
practicality.
| FHE Scheme | Year | Scheme Outline | Security Assumption |
|---|---|---|---|
| Gentry’s FHE | 2009 | First FHE scheme, based on ideal lattices | The hardness assumption of SSSP |
| Smart-Vercauteren | 2010 | Improvement of Gentry's scheme with small key and ciphertext size, using “principal-ideal lattices” | The complexity of key generation procedure (finding small principal ideal lattice) |
| Stehle-Steinfeld | 2010 | Two main improvements of Gentry's scheme to obtain a faster FHE scheme | The hardness assumption of SSSP |
| Gentry-Halevi | 2010 | Implementation of Gentry’s scheme by a number of optimizations | The hardness assumption of finding small principal ideal lattice |
| Dijk, Gentry, Halevi and Vaikuntanathan (DGHV) | 2010 | FHE scheme using the simple arithmetic over the integers rather than lattices | Approximate-GCD Problem |
| Coron, Mandal, Naccache, and Tibouchi | 2011 | Improvement of DGHV working over integers with smaller public keys | Approximate-GCD Problem |
| Brakerski and Vaikuntanathan | 2011 | FHE from R-LWE and Security for Key Dependent Messages | The hardness of R-LWE Problem |
| Gentry and Halevi | 2011 | FHE without squashing cryptosystem using depth-3 arithmetic circuits | The decisional (DDH) assumption, or SIVP problem over ideal lattices (Ideal-SIVP) |
| Brakerski and Vaikuntanathan | 2011 | FHE scheme based on LWE (BV) scheme | The hardness of LWE Problem |
| Lauter, Naehrig and Vaikuntanathan | 2011 | Implementation of FHE scheme based on R-LWE | The hardness of R-LWE Problem |
| Smart and Vercauteren | 2011 | FHE scheme enables SIMD operations | The decision variant of the BDDP, or SSSP |
| Brakerski, Gentry and Vaikuntanathan | 2012 | Leveled FHE scheme without bootstrapping (BGV) scheme | R-LWE for an approximation factor exponential, or R-LWE for quasi-polynomial approximation factors |
| Coron, Naccache, and Tibouchi | 2012 | Compression approach for minimizing the pk size used by DGHV scheme | Approximate-GCD assumption |
| Gentry, Halevi, and Smart | 2012 | Improvement of Gentry's bootstrapping, then join it with SIMD operations | The quasi-polynomial approximation factors |

Table 2. FHE Scheme, Brief Description, and Security Assumption of HE Schemes.
9. References
[1] I. Ahmad, and K. Archana. Homomorphic Encryption
Method Applied to Cloud Computing. International
Journal of Information & Computation Technology 4, no.
15, (2014): 1519-530.
[2] N.P. Smart, and F. Vercauteren. Fully Homomorphic
Encryption with Relatively Small Key and Ciphertext
Sizes. PKC'10 Proceedings of the 13th international
conference on Practice and Theory in Public Key
Cryptography, (2010): 420-443.
[3] C. Gentry. A fully homomorphic encryption scheme.
Ph.D. dissertation, Stanford University, (2009), Available
at https://crypto.stanford.edu/craig/craig-thesis.pdf.
[4] Z. Brakerski, and V. Vaikuntanathan. Efficient Fully
Homomorphic Encryption from (Standard) LWE. IEEE
52nd Annual Symposium on Foundations of Computer
Science, (2011).
[5] D. Stehlé and R. Steinfeld. Faster fully homomorphic
encryption. ASIACRYPT, (2010): 377–394.
[6] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully
Homomorphic Encryption without Bootstrapping.
Innovations in Theoretical Computer Science (ITCS’12),
(2011). Available at https://eprint.iacr.org/2011/277.pdf.
[7] Z. Brakerski and V. Vaikuntanathan, Fully
Homomorphic Encryption for Ring-LWE and Security for
Key Dependent Messages. In P. Rogaway (Ed.), CRYPTO,
(2011), LNCS, vol. 6841, Springer, (2011): 505–524.
[8] D. Chechulina, K. Shatilov, and S. Krendelev. Fully
Homomorphic Encryption for Secure Computations in
Protected Database. Position Papers of the Federated
Conference on Computer Science and Information
Systems, (2015): 125-31.
[9] O. Regev. On lattices, learning with errors, random
linear codes, and cryptography. STOC, H. N. Gabow and
R. Fagin, Eds. ACM, (2005): 84–93. 

[10] J.S. Coron, A. Mandal, D. Naccache and M. Tibouchi.
Fully Homomorphic Encryption over the Integers with
Shorter Public Keys. P. Rogaway (Ed.), CRYPTO, (2011):
487–504. 

[11] M. van Dijk, C. Gentry, S. Halevi and V.
Vaikuntanathan. Fully Homomorphic Encryption over the
Integers. H. Gilbert (Ed.), EUROCRYPT 2010, LNCS, vol.
6110, Springer, (2010): 24–43. 

[12] K. El Makkaoi, A. Ezzati, A. Beni-Hssane, and C.
Motamed. Data Confidentiality in The World of Cloud.
Journal of Theoretical and Applied Information
Technology 84, no. 3, (2016).
[13] R. Emelaya, and S. Agrawal. A Survey: Secure Data
Storage Techniques in Cloud Computing. International
Journal on Recent and Innovation Trends in Computing
and Communication 3, no. 9, (2015): 5376-379.
[14] S. Fau, R. Sirdey, C. Fontaine, C. Aguilar-Melchor,
and G. Gogniat. Towards Practical Program Execution
over Fully Homomorphic Encryption Schemes. IEEE 8th
International Conference on P2P, Parallel, Grid, Cloud and
Internet Computing, (2013).
[15] C. Fontaine, and F. Galand. A Survey of
Homomorphic Encryption for Nonspecialists. Journal of
Information Security 1, (2009): 41-50.
[16] C. Gentry, and S. Halevi. Implementing Gentry’s
Fully-Homomorphic Encryption Scheme. Advances in
Cryptology - EUROCRYPT’11, volume 6632 of Lecture
Notes in Computer Science. Springer, (2011): pages 129–148.
[17] C. Gentry, and S. Halevi. Fully Homomorphic
Encryption without Squashing Using Depth-3 Arithmetic
Circuits. FOCS’11. IEEE Computer Society, (2011). 

[18] C. Gentry. Fully homomorphic encryption using ideal
lattices. Michael Mitzenmacher, editor, STOC, 169–178.
ACM, (2009). 

[19] R. Kanagavalli, and S. Vagdevi. A Survey of
Homomorphic Encryption Schemes in Cloud Data Storage.
International Journal of Recent Development in
Engineering and Technology 3, no. 1, (2014). Available at
www.ijrdet.com.
[20] J. M. Kukucka. An Investigation of the Theory and
Applications of Homomorphic Cryptography. ProQuest
LLC, (2013).
[21] K. Lauter, M. Naehrig and V. Vaikuntanathan. Can
Homomorphic Encryption Be Practical? Cryptology ePrint
Archive, Report (2011): 405. 

[22] J-S. Coron, D. Naccache, and M. Tibouchi, Public
Key Compression and Modulus Switching for Fully
Homomorphic Encryption over the Integers. Advances in
Cryptology—EUROCRYPT 2012, Lect. Notes in Comp.
Sci. 7237, (2012), Springer, 446–464.
[23] O. Regev. The Learning with Errors Problem. 25th
Annual IEEE Conference on Computational Complexity,
(2010).
[24] V. Lyubashevsky, C. Peikert, and O. Regev. On Ideal
Lattices and Learning with Errors Over Rings.
EUROCRYPT, (2013).
[25] D-Ș. MAIMUȚ, A. PĂTRAȘCU, and E. SIMION.
Homomorphic Encryption Schemes and Applications for a
Secure Digital World. Journal of Mobile, Embedded and
Distributed Systems IV, no. 4, (2012).
[26] R. Meissen. A Mathematical Approach to Fully
Homomorphic Encryption, (2012). Available at
https://web.wpi.edu/Pubs/E-project/Available/E-project-042612-132350/unrestricted/Meissen_MQP2.pdf
[27] C. Gentry, S. Halevi, and N. P. Smart, Better
Bootstrapping in Fully Homomorphic Encryption, Public
Key Cryptography, (2012): 1–16.

[28] P. V. Parmar, S. B. Padhar, S. N. Patel, N. I. Bhatt,
and R. H. Jhaveri. Survey of Various Homomorphic
Encryption Algorithms and Schemes. International Journal
of Computer Applications 91, no. 8, (2014).
[29] L. Barthelemy. A Brief Survey of Fully Homomorphic
Encryption, Computing on Encrypted Data, (2016).
Accessed August 24, 2016.
http://blog.quarkslab.com/a-brief-survey-of-fully-homomorphic-encryption-computing-on-encrypted-data.html.
[30] J. Ding. Solving LWE problem with bounded errors in
polynomial time, (2010). Available at
https://eprint.iacr.org/2010/558.pdf.
[31] I. Sharma. Fully Homomorphic Encryption Scheme
with Symmetric Keys. Master Thesis, Rajasthan Technical
University, (2013). Available at
https://cryptome.org/2013/10/homo-crypto-sym.pdf.
[32] A. Silverberg. Fully Homomorphic Encryption for
Mathematicians, (2013). Available at
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.295.3830&rep=rep1&type=pdf.
[33] N. P. Smart, and F. Vercauteren. Fully Homomorphic
SIMD Operations. Designs, Codes and Cryptography,
(2011): 1-25. Available at
http://homes.esat.kuleuven.be/~fvercaut/papers/DCC2011.pdf.
[34] M. TEBAA, S. EL HAJJI, and A. EL GHAZI.
Homomorphic Encryption Applied to the Cloud
Computing Security. Proceedings of the World Congress
on Engineering, (2012).
[35] V. Vaikuntanathan. Computing Blindfolded: New
Developments in Fully Homomorphic Encryption. IEEE
52nd Annual Symposium on Foundations of Computer
Science, (2011).
[36] D. J. Wu. Fully Homomorphic Encryption:
Cryptography’s Holy Grail, (2015). Available at
https://crypto.stanford.edu/~dwu4/papers/XRDS2015.pdf.
[37] Y. Yang, S. Zhang, J. Yang, J. Li, and Z. Li. Targeted
Fully Homomorphic Encryption Based on a Double
Decryption Algorithm for Polynomials. IEEE Tsinghua
Science and Technology 19, no. 5, (2014): 478-85.
Er. rahul abhishek
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET Journal
 
Secure Privacy Preserving Using Multilevel Trust For Cloud Storage
Secure Privacy Preserving Using Multilevel Trust For Cloud StorageSecure Privacy Preserving Using Multilevel Trust For Cloud Storage
Secure Privacy Preserving Using Multilevel Trust For Cloud Storage
IRJET Journal
 
Iaetsd secured and efficient data scheduling of intermediate data sets
Iaetsd secured and efficient data scheduling of intermediate data setsIaetsd secured and efficient data scheduling of intermediate data sets
Iaetsd secured and efficient data scheduling of intermediate data sets
Iaetsd Iaetsd
 
SECURITY BASED ISSUES IN VIEW OF CLOUD BASED STORAGE SYSTEM
SECURITY BASED ISSUES IN VIEW OF CLOUD BASED STORAGE SYSTEMSECURITY BASED ISSUES IN VIEW OF CLOUD BASED STORAGE SYSTEM
SECURITY BASED ISSUES IN VIEW OF CLOUD BASED STORAGE SYSTEM
Journal For Research
 
IRJET- An Efficient Data Sharing Scheme in Mobile Cloud Computing using Attri...
IRJET- An Efficient Data Sharing Scheme in Mobile Cloud Computing using Attri...IRJET- An Efficient Data Sharing Scheme in Mobile Cloud Computing using Attri...
IRJET- An Efficient Data Sharing Scheme in Mobile Cloud Computing using Attri...
IRJET Journal
 
A PPLICATION OF C LASSICAL E NCRYPTION T ECHNIQUES FOR S ECURING D ATA -...
A PPLICATION OF  C LASSICAL  E NCRYPTION  T ECHNIQUES FOR  S ECURING  D ATA -...A PPLICATION OF  C LASSICAL  E NCRYPTION  T ECHNIQUES FOR  S ECURING  D ATA -...
A PPLICATION OF C LASSICAL E NCRYPTION T ECHNIQUES FOR S ECURING D ATA -...
IJCI JOURNAL
 
Research Report on Preserving Data Confidentiality & Data Integrity in ...
Research Report on Preserving  Data  Confidentiality  &  Data  Integrity  in ...Research Report on Preserving  Data  Confidentiality  &  Data  Integrity  in ...
Research Report on Preserving Data Confidentiality & Data Integrity in ...
Manish Sahani
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing report
Kiran Girase
 

Similar to Homomorphic encryption algorithms and schemes for secure computations in the cloud (20)

Threat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic EncryptionThreat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
ijcisjournal2
 
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTIONSECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
acijjournal
 
Exploring Cloud Encryption
Exploring Cloud EncryptionExploring Cloud Encryption
Exploring Cloud Encryption
Samuel Borthwick
 
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET Journal
 
B018211016
B018211016B018211016
B018211016
IOSR Journals
 
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic AlgorithamIRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET Journal
 
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET Journal
 
Attribute-Based Encryption for Access of Secured Data in Cloud Storage
Attribute-Based Encryption for Access of Secured Data in Cloud StorageAttribute-Based Encryption for Access of Secured Data in Cloud Storage
Attribute-Based Encryption for Access of Secured Data in Cloud Storage
IJSRD
 
Security Issues in Cloud Computing by rahul abhishek
Security Issues in Cloud Computing  by rahul abhishekSecurity Issues in Cloud Computing  by rahul abhishek
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
I017225966
I017225966I017225966
I017225966
IOSR Journals
 
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service ProvidersA Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
iosrjce
 
Protection of data using linear programming and fhe technique in cloud computing
Protection of data using linear programming and fhe technique in cloud computingProtection of data using linear programming and fhe technique in cloud computing
Protection of data using linear programming and fhe technique in cloud computing
IAEME Publication
 
deep dive down on how NCLA works in IOTs
deep dive down on how NCLA works in IOTsdeep dive down on how NCLA works in IOTs
deep dive down on how NCLA works in IOTs
gavrielsembiring
 
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
IJERA Editor
 
Bio-Cryptography Based Secured Data Replication Management in Cloud Storage
Bio-Cryptography Based Secured Data Replication Management in Cloud StorageBio-Cryptography Based Secured Data Replication Management in Cloud Storage
Bio-Cryptography Based Secured Data Replication Management in Cloud Storage
IJERA Editor
 
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
IRJET Journal
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
H017155360
H017155360H017155360
H017155360
IOSR Journals
 
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic EncryptionThreat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
ijcisjournal2
 
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTIONSECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
SECURE OUTSOURCED CALCULATIONS WITH HOMOMORPHIC ENCRYPTION
acijjournal
 
Exploring Cloud Encryption
Exploring Cloud EncryptionExploring Cloud Encryption
Exploring Cloud Encryption
Samuel Borthwick
 
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET Journal
 
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic AlgorithamIRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET Journal
 
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET- An Implementation of Secured Data Integrity Technique for Cloud Storag...
IRJET Journal
 
Attribute-Based Encryption for Access of Secured Data in Cloud Storage
Attribute-Based Encryption for Access of Secured Data in Cloud StorageAttribute-Based Encryption for Access of Secured Data in Cloud Storage
Attribute-Based Encryption for Access of Secured Data in Cloud Storage
IJSRD
 
Security Issues in Cloud Computing by rahul abhishek
Security Issues in Cloud Computing  by rahul abhishekSecurity Issues in Cloud Computing  by rahul abhishek
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service ProvidersA Secure Framework for Cloud Computing With Multi-cloud Service Providers
A Secure Framework for Cloud Computing With Multi-cloud Service Providers
iosrjce
 
Protection of data using linear programming and fhe technique in cloud computing
Protection of data using linear programming and fhe technique in cloud computingProtection of data using linear programming and fhe technique in cloud computing
Protection of data using linear programming and fhe technique in cloud computing
IAEME Publication
 
deep dive down on how NCLA works in IOTs
deep dive down on how NCLA works in IOTsdeep dive down on how NCLA works in IOTs
deep dive down on how NCLA works in IOTs
gavrielsembiring
 
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
Analysis of Homomorphic Technique and Secure Hash Technique for Multimedia Co...
IJERA Editor
 
Bio-Cryptography Based Secured Data Replication Management in Cloud Storage
Bio-Cryptography Based Secured Data Replication Management in Cloud StorageBio-Cryptography Based Secured Data Replication Management in Cloud Storage
Bio-Cryptography Based Secured Data Replication Management in Cloud Storage
IJERA Editor
 
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
IRJET Journal
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
Encryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing EnvironmentEncryption Technique for a Trusted Cloud Computing Environment
Encryption Technique for a Trusted Cloud Computing Environment
IOSR Journals
 
Ad

Recently uploaded (20)

ISO 9001 quality management systemPPT.pptx
ISO 9001 quality management systemPPT.pptxISO 9001 quality management systemPPT.pptx
ISO 9001 quality management systemPPT.pptx
mesfin608
 
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
ijflsjournal087
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdfRICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
MohamedAbdelkader115
 
Comprehensive-Event-Management-System.pptx
Comprehensive-Event-Management-System.pptxComprehensive-Event-Management-System.pptx
Comprehensive-Event-Management-System.pptx
dd7devdilip
 
ZJIT: Building a Next Generation Ruby JIT
ZJIT: Building a Next Generation Ruby JITZJIT: Building a Next Generation Ruby JIT
ZJIT: Building a Next Generation Ruby JIT
maximechevalierboisv1
 
Reese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary_ The Role of Perseverance in Engineering Success.pdfReese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary
 
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptxLidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
RishavKumar530754
 
Compiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptxCompiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptx
RushaliDeshmukh2
 
Data Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptxData Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptx
RushaliDeshmukh2
 
W1 WDM_Principle and basics to know.pptx
W1 WDM_Principle and basics to know.pptxW1 WDM_Principle and basics to know.pptx
W1 WDM_Principle and basics to know.pptx
muhhxx51
 
How to Buy Snapchat Account A Step-by-Step Guide.pdf
How to Buy Snapchat Account A Step-by-Step Guide.pdfHow to Buy Snapchat Account A Step-by-Step Guide.pdf
How to Buy Snapchat Account A Step-by-Step Guide.pdf
jamedlimmk
 
DSP and MV the Color image processing.ppt
DSP and MV the  Color image processing.pptDSP and MV the  Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
Resistance measurement and cfd test on darpa subboff model
Resistance measurement and cfd test on darpa subboff modelResistance measurement and cfd test on darpa subboff model
Resistance measurement and cfd test on darpa subboff model
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Prediction of Flexural Strength of Concrete Produced by Using Pozzolanic Mate...
Prediction of Flexural Strength of Concrete Produced by Using Pozzolanic Mate...Prediction of Flexural Strength of Concrete Produced by Using Pozzolanic Mate...
Prediction of Flexural Strength of Concrete Produced by Using Pozzolanic Mate...
Journal of Soft Computing in Civil Engineering
 
Data Structures_Linear Data Structure Stack.pptx
Data Structures_Linear Data Structure Stack.pptxData Structures_Linear Data Structure Stack.pptx
Data Structures_Linear Data Structure Stack.pptx
RushaliDeshmukh2
 
Data Structures_Linear data structures Linked Lists.pptx
Data Structures_Linear data structures Linked Lists.pptxData Structures_Linear data structures Linked Lists.pptx
Data Structures_Linear data structures Linked Lists.pptx
RushaliDeshmukh2
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
The Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLabThe Gaussian Process Modeling Module in UQLab
The Gaussian Process Modeling Module in UQLab
Journal of Soft Computing in Civil Engineering
 
ISO 9001 quality management systemPPT.pptx
ISO 9001 quality management systemPPT.pptxISO 9001 quality management systemPPT.pptx
ISO 9001 quality management systemPPT.pptx
mesfin608
 
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
6th International Conference on Big Data, Machine Learning and IoT (BMLI 2025)
ijflsjournal087
 
Compiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptxCompiler Design Unit1 PPT Phases of Compiler.pptx
Compiler Design Unit1 PPT Phases of Compiler.pptx
RushaliDeshmukh2
 
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdfRICS Membership-(The Royal Institution of Chartered Surveyors).pdf
RICS Membership-(The Royal Institution of Chartered Surveyors).pdf
MohamedAbdelkader115
 
Comprehensive-Event-Management-System.pptx
Comprehensive-Event-Management-System.pptxComprehensive-Event-Management-System.pptx
Comprehensive-Event-Management-System.pptx
dd7devdilip
 
ZJIT: Building a Next Generation Ruby JIT
ZJIT: Building a Next Generation Ruby JITZJIT: Building a Next Generation Ruby JIT
ZJIT: Building a Next Generation Ruby JIT
maximechevalierboisv1
 
Reese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary_ The Role of Perseverance in Engineering Success.pdfReese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary_ The Role of Perseverance in Engineering Success.pdf
Reese McCrary
 
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptxLidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
RishavKumar530754
 
Compiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptxCompiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptx
RushaliDeshmukh2
 
Data Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptxData Structures_Searching and Sorting.pptx
Data Structures_Searching and Sorting.pptx
RushaliDeshmukh2
 
W1 WDM_Principle and basics to know.pptx
W1 WDM_Principle and basics to know.pptxW1 WDM_Principle and basics to know.pptx
W1 WDM_Principle and basics to know.pptx
muhhxx51
 
How to Buy Snapchat Account A Step-by-Step Guide.pdf
How to Buy Snapchat Account A Step-by-Step Guide.pdfHow to Buy Snapchat Account A Step-by-Step Guide.pdf
How to Buy Snapchat Account A Step-by-Step Guide.pdf
jamedlimmk
 
DSP and MV the Color image processing.ppt
DSP and MV the  Color image processing.pptDSP and MV the  Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
Data Structures_Linear Data Structure Stack.pptx
Data Structures_Linear Data Structure Stack.pptxData Structures_Linear Data Structure Stack.pptx
Data Structures_Linear Data Structure Stack.pptx
RushaliDeshmukh2
 
Data Structures_Linear data structures Linked Lists.pptx
Data Structures_Linear data structures Linked Lists.pptxData Structures_Linear data structures Linked Lists.pptx
Data Structures_Linear data structures Linked Lists.pptx
RushaliDeshmukh2
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
Ad

Homomorphic encryption algorithms and schemes for secure computations in the cloud

Majedah Alkharji (1), Hang Liu (2)
(1) Ph.D. Student, Electrical Engineering and Computer Science, CUA, Washington, DC
(2) Associate Professor, Electrical Engineering and Computer Science, CUA, Washington, DC

Abstract

Although cloud computing continues to grow rapidly, the shift to Internet-based shared computing services has created new security challenges. Organizations move to cloud technology looking for efficient and fast computing, but data security remains their top concern. Confidential data are prone to leaks because of the modern trend of outsourcing computations to third parties. Furthermore, data breaches can remove any benefit a business gains by moving to cloud computing technology. Three important questions must be considered: How can we guarantee that the user's private data will always be kept safe and secure? Can the cloud service provider be relied on to store and process the client's private data confidentially? Is it possible to ensure that, even if the cloud provider has been attacked, the client's confidential data will not be stolen or reused? To provide better data protection during communication and storage, many cryptographic algorithms have already been used, but these methods are practically inapplicable because they require the data to be visible to the cloud provider: the private key has to be transmitted to the server so that it can perform the required operations. In the past thirty years, privacy homomorphism has been used to solve this issue. Homomorphic encryption allows us to execute arithmetic calculations directly on the ciphertext while keeping the secret key that is used to decrypt the result. In addition to preserving privacy, it provides exactly the same result as if we performed the computations on the plaintext. So far, many fully homomorphic encryption (FHE) schemes, which evaluate an arbitrary number of additions and multiplications, have been implemented, but researchers remain unable to design more secure and powerful schemes. In this paper, a detailed survey of homomorphic encryption using public-key algorithms such as RSA, El-Gamal, and Paillier is given; FHE schemes are then introduced as well. This work can serve as a guide to the principles and properties of FHE, as researchers believe in the possibility of advancement in the FHE area.

Keywords: Cryptography, Cloud Security, Confidentiality, Homomorphic Encryption (HE), Fully Homomorphic Encryption Schemes (FHE).

1. Introduction

In the contemporary world, internet and computer usage is on the rise, with more than 90% of the world's population using this technology. Given the heightened use of the public cloud and the internet in data warehousing, security is a prime requirement to ensure the confidentiality and integrity of data as well as the accessibility of information system resources. Hence, the improvement in statistical and computational techniques for machine learning linked with the emergence of powerful, cloud-based computing platforms in the last ten years. By cloud computing we mean providing on-demand network access to shared IT computing resources (e.g., servers, storage applications, and networks) using IT components (e.g., hardware and software) via the internet or a private network [1]. Cloud computing, which entails the provision of applications offered by third-party cloud service providers (CSPs) such as Microsoft, is used by IT professionals as a platform on which they can offer services to users in a more flexible and convenient manner [34]. Storing data on remote servers rather than in-house is definitely cost-effective [13]. Also, once transmitted into the data-centric cloud environment, data become more easily accessible than before.
Moreover, through a Cloud Service Provider (CSP), a user can store data in a group of cloud servers, which enhances interaction. Despite the efficient computing solution and economic advantages associated with cloud computing, users are very worried about the security and confidentiality of data stored and processed in the cloud. Those concerns are caused by security risks such as insider threats, security breaches, and potential hackers [19]. These challenges to data confidentiality arise when uploading data to and retrieving data from the cloud (data in motion), and also when the data are located on the cloud servers of an untrusted CSP (data at rest) [12]. Among the solutions for safeguarding data stored in the cloud is encryption, which makes the data inaccessible to unauthorized personnel [13]. Hence, in the era of "big data" and "cloud computing", encryption solutions must be applied to achieve the objective of data protection, including confidentiality and integrity. Protecting information while guaranteeing its accessibility presents fresh setbacks. Neither symmetric nor asymmetric (public-key) encryption algorithms (see Figure 1) are completely sufficient in the cloud-based scenario [31]. Moreover, once encrypted data is opened for computation, it cannot be processed safely within the cloud, and this presents a major cloud computing constraint [25].

Figure 1: Asymmetric encryption functions applied to the cloud.

These drawbacks bring the role of Homomorphic Encryption (HE) into the picture. Homomorphic encryption is offered as an effective algorithm to protect the data stored in the cloud and to give people the assurance to use the cloud for data storage [1]. The goal of this paper is to provide researchers with detailed guidelines on Homomorphic Encryption and Fully Homomorphic Encryption, including algorithms, performance, and security assumptions. These concepts should be enough to understand how HE and FHE work. The following documentation should provide a strong basis for researchers who would like to deepen their knowledge of these subjects.

Organization of this Guideline. The next section of this paper recalls some basic concepts of homomorphic encryption (HE), followed by the functions of HE. After that, the theoretical background of various HE schemes is given. Section 4 gives details about the properties of HE schemes, either additive HE such as Paillier and Goldwasser-Micali (GM) (section 4.1), or multiplicative HE such as RSA and El-Gamal (section 4.2). Section 5 covers the categories of HE: "partial" homomorphic encryption (PHE) (section 5.1), "somewhat" homomorphic encryption (SWHE) (section 5.2), and Fully Homomorphic Encryption (FHE) (section 5.3). Different schemes in each category are also presented, along with their fundamental definitions, algorithms, semantic security, and possible applications. Section 6 features a comprehensive, detailed survey of the improvements in the field of FHE. The last section discusses the weaknesses of FHE and gives the conclusion.

2. Homomorphic Encryption (HE)

2.1 Definition of Homomorphic Encryption

The main objective of encryption is to assure data privacy and confidentiality in both storage and processing. Accordingly, an untrusted CSP is given an encrypted version of the data to work on. Many conventional cryptographic algorithms have been proposed and implemented to ensure security [13], [15]. When all warehoused information (personal, wellbeing, financial and so on) is encrypted, that would solve all the challenges identified with information security, such as data security, third-party control, and availability. Data in the cloud can be encrypted and stored as a means of protecting it from loss or breach, but it cannot be processed if it is sent to or from the CSP in encrypted form, because it is not accessible. The CSP therefore has to decrypt the data, which goes against privacy and confidentiality, and then perform the calculations on the data before sending the outcome to the user; hence, both users and companies must trust the CSP to carry out operations [19], [31]. The practice shows weaknesses in the encryption methods of protecting data, since it allows for loss of privacy and confidentiality. Using encryption means that the user will have to provide the cloud provider with the private key to allow data computation before it is sent back to the user.
The practice will then lead to the users giving up their confidential information, which is not the aim of the cloud data storage technology. The weaknesses can be addressed by having a tool or an approach that allows the data to be computed without decryption by the cloud provider and then sent to the user. Consider the possibility that the client could complete any calculation on the data without the cloud provider finding out about the client's information - calculation is done on encoded information without earlier decoding. This is the guarantee of Homomorphic encryption plans [31]. Homomorphic encryption refers to “the encryption technology that implies that the procedures on the encrypted data and matching outcome can be attained as on original data.” The mathematical operations can be done on the ciphertext without altering the nature of the encryption [28]. With HE, a firm can encrypt its database and submit
it to a cloud, and the data can be processed without decrypting it. In other words, homomorphic encryption cryptosystems operate on encrypted information without the private key held by the client [34], [12]. As such, the user can perform arbitrary computations on the hosted information without the intervention of the cloud provider [19]. However, HE has its limitations, which include its inability to deal with certain threats such as attacks with selected ciphertext (IND-CCA) and attacks with selected plaintext (IND-CPA). These setbacks emphasize the demand for a capability to carry out computations on encrypted data, a capability that offers several crucial applications including the capacity to privately outsource computations [35].

2.2 Functions of Homomorphic encryption

An encryption scheme is considered homomorphic if, given a plaintext m = (m1, m2), one can compute E[f(m1, m2)] from E(m1) and E(m2) without using pk, where f might be +, ×, ⊕. Homomorphic encryption permits the conversion of a ciphertext c(m) of a text m into a ciphertext c(f(m)) of a function of m without revealing the message [28], [19], [34], [12]. Homomorphic Encryption (HE) comprises seven principles as shown in Figure 2: HE = {Key Generation (G), Encryption (E), Storage, Request, Evaluation (EV), Response, and Decryption (D)}.

Figure 2: Homomorphic encryption applied to the cloud.

(1) Key Generation (G) – at this stage, the client generates a key pair, a public key (pk) alongside a secret/private key (sk), to perform the encryption of the plaintext (m).
(2, 3) Encryption (E) – the client encrypts the plaintext (m) using pk and produces Epk(m). Then, the ciphertext (c) is delivered to the server alongside pk.
(4) Storage – the pk and the encrypted data are preserved in the cloud databank.
(5) Request – to analyze the encrypted information, the client must send a request to the main server.
(6) Evaluation (EV) – the server processes the request and applies the function f to the ciphertext (c), in line with the needed evaluation function, using pk.
(7) Response – the cloud provider responds by returning the processed result to the client.
(8) Decryption (D) – the client deciphers the returned EV(f(c)) with its secret key and obtains the original data (m).

3. History of the HE

The concept of “privacy homomorphism” was introduced by Rivest, Adleman, and Dertouzos in 1978. Although the concept had been proposed, little progress was made over a period of 30 years. In 1982, Goldwasser and Micali suggested a provable encryption system known as Goldwasser-Micali (GM), which reached an outstanding level of safety. This system was an additive homomorphic encryption scheme, but it could perform just one operation and encrypt a single bit. The GM encryption scheme performs addition of encrypted bits mod 2 (that is, the exclusive-OR function). The Benaloh cryptosystem is an extension of Goldwasser-Micali (GM). It was developed in 1994 by Benaloh. Four years later, the Naccache–Stern cryptosystem (NS) was proposed by Naccache and Stern in 1998. The Okamoto–Uchiyama (OU) cryptosystem was presented in the same year by Okamoto and Uchiyama. Likewise, Pascal Paillier introduced another provably secure additive homomorphic encryption scheme in 1999. In late 2000, the Damgård–Jurik cryptosystem (DJ) was proposed by Damgård and Jurik as a generalization of the Paillier cryptosystem. All these schemes were intensively studied and supported either homomorphic addition or multiplication of plaintexts, but not both. In 2005, Boneh, Goh, and Nissim developed a better semantically secure scheme known as the Boneh-Goh-Nissim (BGN) cryptosystem. It allows an arbitrary number of additions but only a single multiplication.
In 2009, Craig Gentry presented the groundbreaking work on fully homomorphic encryption; since then, the primitive blueprint has interested many researchers. In the next section, the properties of HE are addressed, and in the one following, the details of these cryptosystems are given under the HE category they are most related to [28], [34], [35], [3], [18], [36], [19].

Text of the Figure 2 diagram:

Client: Plaintext (m) = m1, m2.
(1) Client generates (pk), (sk).
(2) Client encrypts: c = Epk(m) = (Epk(m1), Epk(m2)).
(3) Client sends c, pk to the cloud server.
(5) Client sends requests to the server to perform the operation.
(8) Client decrypts the returned (y): m = Dsk(y).

Cloud Provider:
(4) c and pk are stored in the database.
(6) The server processes the requested function and performs the operation on c without decryption: y = EVpk f(c) = EVpk f(Epk(m1), Epk(m2)).
(7) The processed result (y) is returned to the client.

4. Properties of Homomorphic Encryption

HE systems can be classified according to the operation they allow on the original data, as follows [1], [19], [34], [28], [12]:
1. Additive homomorphic encryption (e.g., Paillier, GM cryptosystem), or
2. Multiplicative homomorphic encryption (e.g., RSA, El-Gamal cryptosystem).

HE enables servers to carry out sophisticated mathematical computations on encrypted records without knowing the original message. In more detail, given plaintexts m1 & m2 and the corresponding ciphertexts c1 & c2, a HE scheme allows the processing of c1 Θ c2 without applying pk1 Θ pk2. In that connection, the cryptosystem is additive or multiplicative homomorphic in nature depending on the Θ operation, which can be addition or multiplication.

4.1 Additive Homomorphic Encryption (AHE)

The additive operation allows HE schemes to evaluate raw data. Examples of this kind of scheme are the Paillier, GM, Benaloh, and Okamoto-Uchiyama cryptosystems. HE is additive if: E(m1 ⊕ m2) = E(m1) ⊕ E(m2), without knowing (m1) and (m2).

4.2 Multiplicative Homomorphic Encryption (MHE)

In simple terms, the multiplicative homomorphic property refers to systems in which the product of ciphertexts corresponds to the product of the plaintexts. The RSA and El-Gamal cryptosystems are multiplicative homomorphic schemes. Homomorphic encryption is multiplicative if: E(m1 ⊗ m2) = E(m1) ⊗ E(m2), without knowing (m1) and (m2).

5. Categories of Homomorphic Encryption

5.1 Partially HE Schemes (PHE)

In partially homomorphic encryption, one operation, either addition (e.g., Paillier, GM cryptosystem) or multiplication (e.g., RSA, El-Gamal cryptosystem), can be performed on the ciphertext, but both operations cannot be handled [12]. The following algorithms are different examples of PHE cryptosystems. For more details, Kukucka investigated these algorithms theoretically in his thesis [20].

5.1.1 Goldwasser-Micali cryptosystem (GM)

The Goldwasser-Micali (GM) additive HE cryptosystem was proposed by Goldwasser and Micali in 1982. It is a probabilistic public key algorithm, but it can only encrypt the plaintext bit by bit [12]. This scheme is considered an important stepping stone for later research. Some schemes proposed afterwards were treated as generalizations of this one [15]. GM has the XOR homomorphic characteristic, which can also be called addition modulo 2. The security of the GM cryptosystem relies on the quadratic residuosity problem [20].

5.1.2 The Benaloh Cryptosystem

The Benaloh cryptosystem was proposed to improve the poor expansion factor of the GM cryptosystem. Instead of bit-by-bit encryption, the Benaloh scheme encrypts the plaintext block by block, r bits at a time, using a technique called “dense probabilistic encryption.” Assume we have a k-bit plaintext and n is the security parameter; this technique encrypts the k-bit plaintext into a ciphertext of n + k bits. The messages of the Benaloh cryptosystem are restricted by a small prime. This scheme rests on the difficulty of the higher residuosity problem [20].

5.1.3 Naccache–Stern cryptosystem (NS)

The Naccache–Stern cryptosystem was first classified as a deterministic public key homomorphic scheme, but it has been shown that, after revision, it can be made probabilistic [25]. NS is counted as a generalization of the Benaloh cryptosystem that reduces the expansion factor of the ciphertext, since the messages are restricted by the product of many small primes. In terms of time complexity, recovering a plaintext from its matching ciphertext is a little less efficient because the procedure includes decoding the ciphertext modulo each of the small prime factors and then recombining the results using Chinese remaindering [20]. The security of the NS cryptosystem relies on the higher residuosity problem, which is considered to be more intractable than integer factorization.

5.1.4 Okamoto-Uchiyama Cryptosystem (OU)

Like the RSA public key cryptography scheme, the Okamoto-Uchiyama (OU) homomorphic cryptosystem relies on the challenge of factoring large integers. The primary difference of this system is that it works in the multiplicative group of integers modulo n, where n has the form $n = p^2 q$ instead of $n = p q$, and p and q are large primes. This cryptosystem is considered homomorphic under addition, subtraction, and multiplication of ciphertexts. The semantic security of this probabilistic scheme derives from the p-subgroup assumption, which is very similar to the quadratic residuosity problem and the higher residuosity problem [20].

5.1.5 Paillier cryptosystem

Pascal Paillier proposed a new probabilistic asymmetric cryptographic algorithm with an additive homomorphic characteristic. It has been seen as an extension of Okamoto-Uchiyama. Its security is proven under the Decisional Composite Residuosity Assumption (DCRA) [31]. As such, it has numerous applications such as threshold schemes and e-voting systems.
Algorithm 1 demonstrates the additive property of the Paillier cryptosystem [15], [28], [34], [1], [19].

Algorithm 1: Paillier Algorithm

Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p and q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute $n = p \cdot q$
    Compute $\varphi(n) = (p - 1)(q - 1)$, where $\gcd(n, \varphi(n)) = 1$
    Compute $\lambda = \mathrm{lcm}(p - 1, q - 1)$ (Carmichael's function)
    Choose $g \in G$, where g is a random integer and $G = \mathbb{Z}^*_{n^2}$
    Compute $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$ (which requires $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$), where $L(u) = (u - 1)/n$
  Output: (pk, sk)
    Public key: pk = (n, g)
    Secret key: sk = (p, q) or (equivalently) λ

Encryption: E(m, pk): c
  Input: (m) and pk = (n, g), where m < n
    Plaintext $m \in \mathbb{Z}_n$, where $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$
  Computation:
    Choose $r \in \mathbb{Z}^*_n$, where r is a random integer < n
    Compute $c = g^{m} \cdot r^{n} \bmod n^2$
  Output: (c)
    Ciphertext $c \in \mathbb{Z}_{n^2}$

Decryption: D(c, sk): m
  Input: (c) and sk, where $c < n^2$
    Ciphertext $c \in \mathbb{Z}_{n^2}$
  Computation:
    Compute $m = L(c^{\lambda} \bmod n^2) \cdot (L(g^{\lambda} \bmod n^2))^{-1} \bmod n$
    $m = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_n$

Assume there are two ciphertexts c1 & c2. The following illustration demonstrates the additive homomorphic characteristic of the Paillier cryptosystem:

  $c_1 = g^{m_1} r_1^{n} \bmod n^2$
  $c_2 = g^{m_2} r_2^{n} \bmod n^2$
  $c_1 \cdot c_2 = g^{m_1} r_1^{n} \cdot g^{m_2} r_2^{n} \bmod n^2$
  Additive property is: $g^{m_1 + m_2} (r_1 r_2)^{n} \bmod n^2$

5.1.6 Damgard-Jurik Cryptosystem (DJ)

Damgard-Jurik is a probabilistic asymmetric homomorphic cryptosystem supporting addition and subtraction. Like Paillier, Damgard-Jurik is based on the DCRA; the only variation is that DJ computes modulo $n^{s+1}$ instead of $n^2$ as in Paillier. DJ is a generalization of Paillier's scheme to the groups $\mathbb{Z}^*_{n^{s+1}}$, where s > 0. When s increases, the expansion decreases. The semantic security of DJ relies on the assumption of the Decisional Composite Residuosity Problem [15], [20].

5.1.7 RSA Algorithm

In 1978, Rivest, Shamir, and Adleman suggested their most widely used public-key cryptosystem. The RSA scheme has a multiplicative homomorphic property. This means that the homomorphic operation given by RSA is the product of two messages modulo n. The semantic security of RSA relies on the hardness of the integer factorization problem. Algorithm 2 demonstrates the multiplicative property of the RSA cryptosystem [34], [28], [19], [26], [1], [15].

Algorithm 2: RSA Algorithm

Key Generation: G(p, q): pk, sk
  Input: (p, q)
    Choose p and q ∈ P, where p and q are two large prime numbers
  Computation:
    Compute $n = p \cdot q$
    Compute $\varphi(n) = (p - 1)(q - 1)$, where $\gcd(n, \varphi(n)) = 1$
    Choose $e \in \{2, \ldots, \varphi(n) - 1\}$, where e is a random integer such that $\gcd(e, \varphi(n)) = 1$
    Compute $d = e^{-1} \pmod{\varphi(n)}$ (that is, $e \cdot d = 1 \bmod \varphi(n)$)
  Output: (pk, sk)
    Public key: pk = (n, e)
    Secret key: sk = (d)

Encryption: E(m, pk): c
  Input: (m) and pk = (n, e)
    Plaintext $m \in \mathbb{Z}_n$, where $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$
  Computation:
    Compute $c = m^{e} \bmod n$
  Output: (c)
    Ciphertext $c \in \mathbb{Z}_n$

Decryption: D(c, sk): m
  Input: (c) and sk = (d)
    Ciphertext $c \in \mathbb{Z}_n$
  Computation:
    Compute $m = c^{d} \bmod n$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_n$

Assume there are two ciphertexts, c1 & c2. The following illustration demonstrates the multiplicative homomorphic characteristic of the RSA cryptosystem:

  $c_1 = m_1^{e} \bmod n$
  $c_2 = m_2^{e} \bmod n$
  $c_1 \cdot c_2 = m_1^{e} m_2^{e} \bmod n$
  Multiplicative property is: $= (m_1 \cdot m_2)^{e} \bmod n$

5.1.8 El-Gamal Encryption Algorithm

Similar to RSA, the public key encryption scheme given by El-Gamal is a multiplicative homomorphic encryption cryptosystem. It was proposed by Taher El-Gamal in 1984, and its security relies on the hardness of the Diffie-Hellman problem. The next algorithm (Algorithm 3) demonstrates the multiplicative property of the El-Gamal cryptosystem [12], [26], [28], [15].

Algorithm 3: El-Gamal Algorithm

Key Generation: G(p, g): pk, sk
  Input: (p, g)
    Choose p ∈ P, where p is a large prime number
    Choose $g \in \mathbb{Z}^*_p$, where g is a generator of the cyclic group $\mathbb{Z}^*_p$
    Choose $a \in \{2, \ldots, p - 2\}$, where a is a random integer
  Computation:
    Compute $\beta = g^{a} \bmod p$
  Output: (pk, sk)
    Public key: pk = (p, g, β)
    Secret key: sk = (a)

Encryption: E(m, pk): c
  Input: (m) and pk = (p, g, β)
    Plaintext $m \in \mathbb{Z}_p$, where $\mathbb{Z}_p = \{0, 1, \ldots, p-1\}$
    Choose $k \in \{2, \ldots, p - 2\}$, where k is a random integer
  Computation:
    Compute $x = g^{k} \bmod p$
    Compute $y = m \cdot \beta^{k} \bmod p$
  Output: (c)
    Ciphertext c = (x, y)

Decryption: D(c, sk): m
  Input: c = (x, y) and sk = (a)
    Ciphertext $c \in \mathbb{Z}_p$
  Computation:
    Compute $m = x^{-a} \cdot y \bmod p$
  Output: (m)
    Plaintext $m \in \mathbb{Z}_p$

Assume there are two ciphertexts, c1 = (x1, y1) & c2 = (x2, y2). The following illustration demonstrates the multiplicative homomorphic characteristic of the El-Gamal cryptosystem:

  $c_1 \cdot c_2 = (x_1, y_1) \cdot (x_2, y_2) = (x_1 \cdot x_2,\; y_1 \cdot y_2) = (g^{k_1} g^{k_2},\; (m_1 \beta^{k_1}) \cdot (m_2 \beta^{k_2})) \bmod p$
  Multiplicative property is: $= (g^{k_1 + k_2},\; (m_1 \cdot m_2)\, \beta^{k_1 + k_2}) \bmod p$

In terms of the efficiency of PHE schemes, NS permits a smaller message expansion (N/Q) than the Benaloh cryptosystem. In order to ensure that the system remains protected and secure, the lower bound of this expansion rate should be four. Improved schemes have been developed with the expansion factor being lowered to increase efficiency. Nonetheless, NS has not been deemed as suitable as the Okamoto-Uchiyama cryptosystem, which is easier to apply and has a constant expansion rate of three. Scholars aimed at reducing the rate without decreasing the level of security. For instance, the Paillier cryptosystem allowed efficient decryption by enabling encryption of many bits during a single calculation, with a better expansion rate of two. The safety of the DJ cryptosystem is comparable to that of Paillier's original scheme, but this generalization of Paillier permits reduction of the expansion rate to about one. A comparison of Paillier, RSA, DJ, and El-Gamal can be made assuming the same security factor k [25]. Table 1 compares the different HE schemes according to properties, categories, and security assumption.

| HE Scheme | Year | HE Category | Homomorphic Features | Security Assumption |
|---|---|---|---|---|
| Privacy Homomorphism | 1978 | --- | --- | --- |
| Goldwasser-Micali (GM) | 1982 | PHE | XOR | Quadratic residuosity problem |
| The Benaloh | 1994 | PHE | Additive | Higher residuosity problem |
| Naccache–Stern (NS) | 1998 | PHE | Additive | Higher residuosity problem |
| Okamoto-Uchiyama (OU) | 1998 | PHE | Additive | P-subgroup assumption |
| Paillier | 1999 | PHE | Additive | Decisional Composite Residuosity Assumption (DCRA) |
| Damgard-Jurik (DJ) | 2000 | PHE | Additive | Decisional Composite Residuosity Assumption (DCRA) |
| RSA | 1977 | PHE | Multiplicative | Integer factorization problem |
| El-Gamal | 1984 | PHE | Multiplicative | Diffie-Hellman problem |
| Boneh-Goh-Nissim (BGN) | 2005 | SWHE | Unlimited additions, but only one multiplication | Subgroup decision problem |
| Gentry’s FHE | 2009 | FHE | Unlimited additions and multiplications | Sparse Subset Sum (SSSP) assumption |

Table 1. Properties, Categories, and Security Assumption of HE Schemes [1] [12] [20].
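The homomorphic identities of Algorithms 1 to 3 can be checked directly on ciphertexts. The following Python (3.8+) sketch is an added example, not code from the paper; the toy primes, the choice g = n + 1 for Paillier, e = 65537 for RSA and all function names are assumptions made for illustration.

```python
import math
import secrets

def rand_unit(n):
    """Random element of Z*_n (an integer below n that is coprime to n)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

# --- Algorithm 1: Paillier, additive ----------------------------------
def L(u, n):
    return (u - 1) // n

def paillier_keygen(p, q):
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(n, phi(n)) = 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                     # assumption: one standard valid choice of g
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)

def paillier_encrypt(m, pk):
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    r = rand_unit(n)              # fresh randomness: the scheme is probabilistic
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_decrypt(c, pk, sk):
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n

def paillier_add(c1, c2, pk):
    """Multiplying ciphertexts modulo n^2 adds the plaintexts modulo n."""
    return c1 * c2 % (pk[0] ** 2)

# --- Algorithm 2: textbook RSA, multiplicative ------------------------
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)    # ValueError if gcd(e, phi) != 1

def rsa_encrypt(m, pk):
    n, e = pk
    return pow(m, e, n)

def rsa_decrypt(c, pk, d):
    return pow(c, d, pk[0])

# --- Algorithm 3: El-Gamal, multiplicative ----------------------------
def elgamal_keygen(p, g):
    a = secrets.randbelow(p - 3) + 2          # a in {2, ..., p-2}
    return (p, g, pow(g, a, p)), a

def elgamal_encrypt(m, pk):
    p, g, beta = pk
    k = secrets.randbelow(p - 3) + 2          # k in {2, ..., p-2}
    return pow(g, k, p), m * pow(beta, k, p) % p

def elgamal_decrypt(c, pk, a):
    x, y = c
    return pow(x, -a, pk[0]) * y % pk[0]      # m = x^(-a) * y mod p

def demo():
    p, q = 1009, 1013             # constructed toy primes, far too small for real use
    ppk, psk = paillier_keygen(p, q)
    c_sum = paillier_add(paillier_encrypt(1234, ppk), paillier_encrypt(5678, ppk), ppk)
    rpk, d = rsa_keygen(p, q)
    c_prod = rsa_encrypt(123, rpk) * rsa_encrypt(456, rpk) % rpk[0]
    epk, a = elgamal_keygen(2579, 2)          # 2 generates Z*_2579 (toy size)
    (x1, y1), (x2, y2) = elgamal_encrypt(12, epk), elgamal_encrypt(34, epk)
    e_prod = (x1 * x2 % 2579, y1 * y2 % 2579)
    return (paillier_decrypt(c_sum, ppk, psk),
            rsa_decrypt(c_prod, rpk, d),
            elgamal_decrypt(e_prod, epk, a))

if __name__ == "__main__":
    print(demo())
```

The same property that lets a server combine ciphertexts makes them malleable by anyone who handles them, and deployed RSA uses padding such as OAEP that removes the multiplicative property.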

5.2 Somewhat HE Schemes (SWHE)

Somewhat homomorphic encryption approaches can only evaluate a limited number of addition and multiplication operations [12]. SWHE schemes are encryption systems that present certain homomorphic characteristics but lack full homomorphic capacity. The schemes support a certain number of additions but only a single multiplication, and every time an operation is performed it adds “noise” to the ciphertexts that eventually makes decryption impossible [32], [31]. Additionally, in SWHE systems the ciphertexts can expand in size, hence violating the compact message requirement. Boneh-Goh-Nissim (BGN), described below, is considered the most famous SWHE scheme. For more information about the algorithm and its security, see Kukucka's thesis [20].

5.2.1 Boneh-Goh-Nissim (BGN)

The first major breakthrough in this area was suggested in 2005. The different schemes have allowed the merging of addition and multiplication with a fixed ciphertext size. Boneh, Goh, and Nissim developed a better semantically secure scheme known as the Boneh-Goh-Nissim (BGN) cryptosystem. With the BGN public key cryptosystem, it became possible to handle an arbitrary number of additions, but only a single multiplication. The BGN cryptosystem uses bilinear pairings to allow the computation of a single homomorphic multiplication of two ciphertexts. It also evaluates quadratic formulas on encrypted data (e.g., 2-DNFs) [36], [3], [18]. BGN is secure under the assumption of the subgroup decision problem. The message expansion degree of the BGN cryptosystem is N/R, where N is the bit-length of n and R is the bit-length of r.

5.3 Fully Homomorphic Encryption (FHE)

5.3.1 What is FHE

Fully homomorphic encryption supports an arbitrary number of multiplications and additions, and hence can compute any form of function on encrypted information.
For all forms of computations on the information warehoused in the cloud, FHE must be embraced because it allows execution of operations on encrypted records without decryption. As such, the usage of FHE is a crucial step in enhancing cloud-computing security [19]. The concept of FHE is just about as old as the idea of public key encryption. Unlike public key encryption, a first construction of FHE eluded cryptographers' attempts for a long time. In light of the difficulty of achieving FHE, and its potential as a primitive for building and streamlining other cryptographic schemes as well as for outsourcing calculation, some have come to consider FHE the “holy grail” of cryptography. With Gentry's innovative blueprint in 2009, cryptographers obtained the holy grail; nonetheless, Gentry's work does not represent a conclusion to the quest for the Holy Grail [36]. Gentry's work gave, for the first time, a plausible construction of fully homomorphic encryption. The fundamental building block in Gentry's project is what is called “somewhat” homomorphic encryption (SWHE), which depends on the hardness of lattice problems [4]. The next section gives a comprehensive account of Gentry’s FHE blueprint.

5.3.2 Gentry (2009)

In late 2009, Craig Gentry, an employee of IBM, invented the first encryption scheme that is fully homomorphic [3], [18], based on ideal lattices. In his original discovery, Gentry started with a SWHE scheme and later “bootstrapped” it to generate a fully homomorphic encryption system [31], [32]. Gentry suggested a homomorphic scheme which is, roughly speaking, similar to the Goldreich–Goldwasser–Halevi (GGH) lattice-based cryptosystem. He utilized ideal lattices as a way to develop a bootstrappable encryption protocol. The reason for using ideal lattices is that every ciphertext has a noise parameter which grows in the resulting ciphertext after any homomorphic operation applied to the original ciphertexts [10], [31].
He later demonstrated that, with a suitable key generation technique, the security of that scheme can be reduced to the worst case of some lattice problems in ideal lattices. But this scheme is not yet bootstrappable, so Gentry described a change that squashes the decryption circuit by minimizing the degree of the decryption polynomial [16]. According to Gentry [3], [18], the abstract idea of FHE is straightforward. He began his work with some assumptions, described in the following:

1. Given ciphertexts that encrypt m1, …, mt, FHE should allow anybody to output a ciphertext that encrypts f(m1, …, mt) for any function f, as long as that function can be efficiently computed. The inputs, outputs, and intermediate values are always encrypted; no information about m1, …, mt or f(m1, …, mt), or any plaintext value, must leak.

2. A FHE scheme ε must have an efficient function Evaluate_ε that, given a valid ε key pair (sk, pk), any circuit y, and any ciphertexts $c_i \leftarrow \mathrm{Encrypt}_\varepsilon(pk, \pi_i)$, outputs $c \leftarrow \mathrm{Evaluate}_\varepsilon(pk, y, c_1, \ldots, c_t)$, such that $\mathrm{Decrypt}_\varepsilon(sk, c) = y(\pi_1, \ldots, \pi_t)$.

3. Assume you have an encryption procedure with a “noise parameter” attached to each ciphertext, in which encryption produces a ciphertext with small noise, i.e., < n, whereas decryption works as long as the noise is smaller than some threshold $N \gg n$.

4. Assume that you have an algorithm re-crypt that takes a ciphertext E(m1) or E(m2) with noise N' < N and provides a “new” ciphertext that also encrypts m1, but which has a noise parameter sufficiently smaller than $\sqrt{N}$. This re-crypt calculation is sufficient to build a FHE scheme out of the SWHE scheme.

5. Besides, suppose you have algorithms Add and Multiply that take ciphertexts E(m1) and E(m2) and provide E(m1 + m2) for addition and E(m1 ∗ m2) for multiplication, at the cost of adding or multiplying the noise parameters. This immediately provides a “SWHE” scheme that can deal with circuits of multiplicative depth almost log log N – log log n.

His strategies were like those used in server-aided cryptography, where a client with a slow device needs to delegate the greater part of the decryption work to a server without permitting the server to decrypt completely. Gentry required a second computational hardness assumption, like ones that have been studied in the context of server-aided cryptography.

5.3.2.1 Lattice Theory

Over the last decade, lattice theory has become a remarkable field that has started to show up as a foundation of modern cryptography, especially in the infrastructure of fully homomorphic encryption (FHE). The attraction of lattice-based primitives comes from the fact that their security can often be based on worst-case assumptions [24]. Gentry’s blueprint depended on ideals in different rings, and also on the hardness of approximating lattice problems within polynomial factors. Although lattice problems have been studied extensively, and are thus considered a standard tool in cryptography, ideal lattices are a special kind that is less well known. Ideal lattices make FHE possible because they inherit natural mathematical Add and Mul operations from the ring, since they correspond to ideals in a polynomial ring [3], [18], [4], [20].

Definition 5.3.2.1. Lattice L - is basically a set of vectors in n-dimensional Euclidean vector space with a strong periodic structure.
When the Euclidean space is at least 2-dimensional, each lattice has infinitely many elements and infinitely many bases, whilst in cryptography all elements, such as the ciphertext, public key, and secret key (bit strings of fixed length), should be taken from a finite space. Consequently, the lattices utilized in the field of cryptography should be over a finite field. Figure 3 presents an example of a 2-dimensional lattice in the Euclidean plane.

Figure 3: A 2-dimensional lattice in the Euclidean plane.

Definition 5.3.2.2. Basis of Lattice L - A set of n vectors (v1, …, vn) can be viewed as a basis of a vector space. Lattices have many bases. Some bases are considered “good”, while others are considered “bad.”

  $L = \{a_1 v_1 + a_2 v_2 + \cdots + a_n v_n : a_1, a_2, \ldots, a_n \in \mathbb{Z}\}$

Definition 5.3.2.3. Lattice points - any point of the lattice is the result of a “linear combination” of the basis vectors with “integer coefficients.” Mathematical operations such as addition, subtraction, and multiplication by an integer can be performed on the points located in the vector space.

The Two Major Hard Lattice Computational Problems:

Definition 5.3.2.4. Shortest Vector Problem (SVP) – find a shortest nonzero vector v in the lattice L.

Definition 5.3.2.5. The Approximate Closest Vector Problem (CVP) – is the problem of finding the vector v in the lattice L which is closest to a given target t.

Solution - given a vector v not in L, draw a fundamental domain around the target point t; then, we have two cases:
- If the basis is “good”, such that it consists of short vectors that are reasonably orthogonal to one another, then find a vertex v ∈ L that is closest to t, a candidate for an approximate closest lattice vector.
- Using a “bad” basis, find the closest lattice vector that actually solves CVP, such that it is much closer to the target t than the closest vertex [29].

Gentry’s innovation can be summarized in three stages: first, construct a somewhat homomorphic encryption (SWHE) scheme; next, “squash” the decryption circuit until it is simple enough to be handled within the homomorphic capacity of the SWHE scheme; and finally, “bootstrap” to get a FHE scheme. In all existing schemes, the squashing technique motivates an additional assumption: that the sparse subset sum problem (SSSP) is hard.

Step 1: Somewhat Homomorphic Encryption - the initial phase in Gentry's outline is to build a “somewhat” homomorphic encryption (SWHE) scheme, that is, an encryption scheme capable of evaluating “low-degree” polynomials on encrypted data homomorphically. In other words, one that supports a limited number of operations (many additions and one multiplication, like the Boneh-Goh-Nissim cryptosystem) [20], [35], [6].

Step 2: “Squashing” the Decryption Circuit - this part applies a “squashing” strategy to the decryption circuit of the initial SWHE cryptosystem in order to reduce the complexity of the decryption circuit, thus changing the scheme into a bootstrappable protocol with the same homomorphic ability. Squashing helps to figure out whether we can apply the bootstrapping hypothesis to
the SWHE schemes, specifically, to determine whether they are in reality capable of evaluating their own decryption circuits. The squashing procedure is accomplished by including a “clue” about the secret key in the evaluation key. To be more specific, instead of using the original secret key alone, an extra “hint” about the secret key is added inside the public key, which relies on the “sparse subset-sum” problem (SSSP). In particular, the public key is enlarged with a large set of vectors such that there exists an extremely sparse subset of them that indicates the secret key. Furthermore, this “extra indication” is insufficient to decrypt a ciphertext output by the first scheme, but it can be utilized to “enlarge” the ciphertext, hence building another fresh ciphertext. Compared to schemes like RSA or El-Gamal, which rely on exponentiation, Gentry’s essential FHE project depends on various complexity assumptions. The most intricate one is the difficulty of a decisional version of the sparse subset-sum problem (SSSP) that is employed in squashing the decryption circuit. The processed ciphertext of the underlying scheme can be decrypted with a low-degree polynomial in the bits of the ciphertext and the new secret key (equivalently, a circuit of small depth), which yields a bootstrappable cryptosystem [16], [10].

Step 3: The Bootstrapping technique - a SWHE scheme is only able to evaluate “low-degree” polynomials and supports a limited number of operations. To obtain a FHE cryptosystem from a SWHE scheme, Gentry gave a bootstrapping theorem. He demonstrated that, given a SWHE scheme, a ciphertext can be “refreshed” by running the decryption circuit on it homomorphically using an encrypted private key, which results in reduced noise. The noise vector roughly doubles in size for each addition evaluation, and squares for each multiplication evaluation. As a result, the decryption process could output mistaken raw data.
When we get a large or noisy ciphertext, the cryptographer can use the SWHE scheme to evaluate the decryption circuit using the encrypted secret key. Given two refreshed ciphertexts, one can perform an unlimited number of homomorphic computations (either addition or multiplication), which could not be done on the original ciphertexts because of the noise attached to them. The fundamental idea of bootstrapping is to encrypt the plaintext using one key and perform operations until the error brought into the ciphertext reaches a specific margin. The second step is to perform the re-encryption function on the already encrypted data (the ciphertext) using the encrypted secret key, and then decrypt using the first public key. Besides, if we are willing to make an extra assumption, one could encrypt the secret key under the same public key pk, a necessity that is referred to as “circular security” (i.e., the scheme should be capable of encrypting its own secret key and evaluating the function), which is sufficient to permit HE with respect to addition and multiplication. The hard point in this technique is to attain a scheme that supports evaluating polynomials of “high-enough degree” and at the same time has a decryption circuit that can be expressed as a polynomial of “low-enough degree”. Whenever the degree of the evaluated polynomials exceeds that of the decryption polynomial (multiplied by 2), the scheme is known as “bootstrappable” and it can then be transformed into a FHE scheme [32], [16], [35], [36], [20], [6], [10].

5.3.3 FHE Application

Cloud computation technology is widely used in the contemporary world. FHE schemes are applicable in cloud computing to provide security assurance to the users, so that their information remains confidential and inaccessible to unauthorized personnel [8]. With FHE, one can outsource mathematical computations on confidential encrypted data to a cloud server without requiring the user’s private key.
FHE can be applied in computation in database to maintain the confidentiality of the user’s data. Moreover, Gentry states in his blueprint that FHE permits private requests to a search engine. In this case, the user offers an encrypted queries and the search engine processes an encoded response without ever focusing at the question clearly. In addition, it also allows searching on encrypted information where a user maintains encoded records on a remote server and later retrieve only data that satisfy some boolean limitations, even though the sever can hardly decrypt the files independently. On a broader scale, fully homomorphic encryption enhances the efficiency of protected multiparty computations [3], [18]. 6. Evolution of FHE Since Gentry distributed the initial fully homomorphic encryption system in 2009, this powerful discovery became a dynamic research subject and there has been huge enthusiasm for this scope. There have been dedicated efforts to improve the scheme by different individuals, consequently, the evolution of FHE is an extremely widening the range of the calculations, which can be implemented to operate on encrypted data homomorphically. Other proposed researches relied on simpler, or more effective assumptions compared to Gentry’s project. They have adopted other techniques e.g., integers instead of lattices, learning with error, or linear SWHE cryptosystems fairly in light of error correcting codes. Consequently, the execution of the following schemes has been improved. But to come to a conclusion, it still need an improvement regarding the limitation on efficiency, and operations overhead [3], [18], [4]. In 2010, a number of the fresh versions emerged to implement the initial idea of Gentry. Smart-Vercauteren, followed by Stehle-Steinfeld, and then Gentry-Halevi implemented Gentry’s work in order to get a better performance. In the same year, Gentry collaborated with van Dijk, Halevi and Vaikuntanathan, to construct a
technique called DGHV, simpler than his initial one, utilizing integers rather than lattices. They developed a simple FHE scheme that uses only simple arithmetic over the integers.

In 2011, an improvement of DGHV was made by Coron, Mandal, Naccache, and Tibouchi, who proposed an FHE scheme working over the integers with smaller public keys. Within the same period, Brakerski and Vaikuntanathan presented an FHE scheme from Ring-LWE with security for key-dependent messages. After that, Gentry and Halevi proposed an FHE cryptosystem without squashing, utilizing depth-3 arithmetic circuits. Then, Brakerski and Vaikuntanathan constructed a novel FHE scheme based on standard LWE. Next, Lauter, Naehrig and Vaikuntanathan presented and implemented the SWHE technique based on the R-LWE (ring learning with errors) problem. Next, Smart and Vercauteren demonstrated how to select the parameters to enable SIMD operations.

In 2012, Brakerski, Gentry and Vaikuntanathan created a leveled FHE scheme without bootstrapping, named BGV. Coron, Naccache, and Tibouchi invented a compression approach for minimizing the public key size used by the DGHV scheme. Gentry, in collaboration with Halevi and Smart, devised an improvement of Gentry's bootstrapping procedure and combined their strategy with SIMD homomorphic computation. Then, Brakerski, Gentry, and Halevi designed an FHE scheme that addressed the issue of packing ciphertexts in LWE-based HE.

In 2013, Cheon, Coron, Kim, Lee, Lepoint, Tibouchi, and Yun examined the issue of batching FHE schemes over the integers.

Currently, the schemes being developed support both addition and multiplication of ciphertexts without limitation, pointing towards improved quality. The development of these schemes will continue until all the intended objectives of homomorphic encryption function optimally.
6.1 Gentry’s First Improvement (2010) - Smart and Vercauteren

The initial effort to improve Gentry's fully homomorphic public key encryption scheme [2] was made in 2010 by Smart and Vercauteren. Their construction followed Gentry’s technique of producing an FHE scheme from an underlying SWHE scheme, with the difference that they used a variant based on “principal ideal lattices” of prime determinant, thereby presenting an FHE scheme with both relatively small key and ciphertext sizes. Smart and Vercauteren demonstrated that in such a lattice-based SWHE scheme the public and private keys are represented by two large integers (regardless of their dimension), and the private key used in decryption is represented by one large integer. They were able to realize the underlying SWHE scheme, yet they could not support parameters large enough to make Gentry's squashing procedure go through. Accordingly, they were not able to obtain a bootstrappable scheme or an FHE scheme. Compared to Gentry’s original scheme, their scheme has smaller message expansion and key size.

One issue in the Smart-Vercauteren implementation was the complexity of the key generation procedure for the SWHE scheme, because many candidates have to be generated in order to find one whose determinant is prime. Besides, Smart and Vercauteren estimated that the squashed decryption polynomial would have a degree of a few hundred, and that to support this with their parameters they would have to use a lattice dimension of at least $n = 2^{27}$ ($\approx 1.3 \times 10^{8}$), which is well beyond the capacity of the key generation process [16], [31], [10].

6.2 Gentry’s Second Improvement (2010) - Stehle and Steinfeld

In order to obtain a faster FHE scheme than Gentry’s original, Stehle and Steinfeld described two main improvements based on ideal lattices and their analysis.
Their optimization [5] can be summarized as follows:
- First, they analyzed the complexity of Gentry’s scheme with respect to the Sparse Subset Sum (SSSP) assumption in a more aggressive way.
- Second, they presented a probabilistic decryption process that can be implemented with an arithmetic circuit of “low multiplicative degree.”

With these changes applied together, the fully homomorphic encryption scheme became faster, with a bit complexity of $\tilde{O}(\lambda^{3.5})$ per elementary binary Add/Mul gate. These enhancements can also be applied to the FHE schemes of both Smart and Vercauteren [2] and DGHV [31].

6.3 Implementation of Gentry’s blueprint (2010) - Gentry and Halevi

Gentry and Halevi proposed an optimized version [16] of the Smart-Vercauteren “principal-ideal lattices” cryptosystem [2], which makes it possible to implement the squashing step, thus obtaining a bootstrappable scheme that can be converted into an FHE scheme. In their implementation, they proposed a number of major and minor optimizations and simplifications that make it possible to execute all aspects of the scheme, including the bootstrapping method and the squashing of the decryption circuit.
- For the first major optimization, the authors followed the same approach as Smart-Vercauteren, yet for the key generation procedure, instead of requiring a prime determinant, their scheme requires that the Hermite Normal Form (HNF) of the lattice has a particular form.
- Another major optimization relates to the decryption circuit: Gentry and Halevi do not require “full polynomial inversion”, since they decrypt using a “simpler decryption circuit.” As in the Smart-Vercauteren implementation, they used a single coefficient of the secret
inverse polynomial, but the difference here is that they used “modular arithmetic” instead of “rational division.”
- As for the bootstrappable scheme, the public key includes an instance of the sparse-subset-sum problem (SSSP) which has a “very space-efficient representation.”
- The public key contains an encryption of all the secret key bits in the FHE scheme. In addition, in order to reduce the storage space needed for all the encrypted data, they used a “space-time tradeoff.”
- In order to speed up encryption, they used an efficient algorithm for “batch evaluation” of many polynomials.

The private key in their implementation is a binary vector of length “S ≈ 1000”, with only s = 15 bits set to one and the other bits set to zero. By representing the secret key in s groups of S bits, they obtained an important speedup. Their implementation was tested with lattices of several dimensions, corresponding to four different security levels (“toy”, “small”, “medium” and “large”): from a “toy” setting in dimension 512 to “small”, “medium”, and “large” settings in dimensions 2048, 8192 and 32768. The public-key size ranges from 70 Mb for the “small” setting to 2.3 Gb for the “large” setting [31], [10].

6.4 DGHV FHE scheme over the integers (2010) - Dijk, Gentry, Halevi, and Vaikuntanathan

Compared to Gentry's original construction, the principal advantage of this approach is its conceptual simplicity.
Dijk, Gentry, Halevi, and Vaikuntanathan proposed a very simple SWHE framework (the DGHV scheme) [11], in which all mathematical operations are done over the integers using only “elementary modular arithmetic computation” instead of ideal lattices over a “polynomial ring.” However, they followed Gentry’s blueprint to transform the SWHE scheme into an FHE scheme using “error correcting codes.” More specifically, they adopted the same “squash decryption circuit” method to get a bootstrappable scheme, and then applied the ciphertext-refreshing procedure to get an FHE scheme [31], [10]. This made an important contribution to the advancement of FHE. Nonetheless, in order to achieve full homomorphism, DGHV also performs a re-encryption step before mathematical operations to reduce the noise components, which greatly raises the computational complexity. The primary accomplishment was that the plaintext consists of integers as opposed to one bit. Also, they reduced the security of their SWHE scheme to the approximate-GCD problem, i.e., given a list of integers that are “near-multiples” of a hidden integer, output that hidden integer. Consequently, the DGHV construction depends on the complexity of the approximate common divisor problem, defined in the prior work of Howgrave-Graham [11], [20].

6.5 FHE over the Integers with Shorter Public Keys (2011) - Coron, Mandal, Naccache, and Tibouchi

Dijk et al. proposed the simple DGHV scheme [11]. Compared with Gentry's construction, the principal attraction of their framework is its conceptual simplicity. This simplicity comes at the expense of a public key size in $\tilde{O}(\lambda^{10})$, which is considered too large for any practical system. Coron, Mandal, Naccache, and Tibouchi proposed in their contribution [10] a solution to this problem that reduces the public key size of the SWHE scheme from $\tilde{O}(\lambda^{10})$ to $\tilde{O}(\lambda^{7})$.
According to the authors, “the idea consists in storing only a smaller subset of the public key and then generating the full public key on the fly by combining the elements in the small subset multiplicatively.” In order to get shorter public keys, encryption uses a quadratic form in the public key components rather than a linear form. They demonstrated that the cryptosystem remains secure under a stronger variant of the approximate-GCD assumption, one already considered by van Dijk et al.

The second contribution was to describe the first implementation of the DGHV scheme over the integers under their variant, while borrowing some of the optimizations from the Gentry-Halevi implementation [16] of Gentry’s breakthrough [3], [18]. From Stehle and Steinfeld [5], they used the refined analysis of the sparse subset sum assumption; however, because of the increased error probability for their set of parameters, they did not use the probabilistic decryption procedure. Their main difficulty was to define a secure set of concrete parameters. Their method was to implement the known attacks, measure their running time and extrapolate to large parameters; they could then fix the concrete parameters according to the desired level of security.

They attained almost the same level of performance as the Gentry-Halevi implementation [16]. To be more precise, they use the same four security levels, even though these might not be directly comparable because of the different notions of “security bits.” They defined the security parameters as “toy”, “small”, “medium” and “large”, corresponding to 42, 52, 62 and 72 bits of security. With a public key size of 800 MB, encryption and re-cryption take 3 minutes and 14 minutes for “large” parameters. This result proved that FHE can be performed using basic mathematical operations.
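The integer-only arithmetic described in sections 6.4 and 6.5, and the way noise limits the number of multiplications, can be seen in a toy model. The Python below is an added example, not code from the paper or from the DGHV authors: it uses the standard DGHV ciphertext form c = p·q + 2r + m with deliberately tiny, insecure parameters and a simplified public key (a list of encryptions of zero that are summed, without the reduction modulo x_0 used in the real scheme); all function names and parameter sizes are assumptions made for illustration.

```python
import random


def centered_mod(c, p):
    """Residue of c modulo p, taken in the interval (-p/2, p/2]."""
    r = c % p
    return r - p if r > p // 2 else r


def encrypt_sym(m, p, q, r):
    """Secret-key form: a multiple of the secret p plus the small noise 2r + m."""
    return p * q + 2 * r + m


def noise(c, p):
    """Noise carried by c. Only the holder of p can compute this."""
    return centered_mod(c, p)


def decrypt(c, p):
    """Remove the multiple of p, then read the bit as the parity of the noise."""
    return centered_mod(c, p) % 2


def keygen(rng, p_bits=64, q_bits=96, noise_bound=2**8, pk_size=16):
    """Toy parameters (assumed, far too small to be secure).

    The public key is a list of encryptions of zero, i.e. near-multiples of p.
    """
    p = rng.getrandbits(p_bits) | 1 | (1 << (p_bits - 1))  # odd, exactly p_bits long
    pk = [encrypt_sym(0, p, rng.getrandbits(q_bits),
                      rng.randint(-noise_bound, noise_bound))
          for _ in range(pk_size)]
    return p, pk


def encrypt_pub(m, pk, rng):
    """Public-key encryption: the bit plus a random subset sum of the public key."""
    return m + sum(x for x in pk if rng.random() < 0.5)


def demo_homomorphism(seed=1):
    """Add and multiply ciphertexts; return (a, b, Dec(ca + cb), Dec(ca * cb))."""
    rng = random.Random(seed)
    p, pk = keygen(rng)
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt_pub(a, pk, rng), encrypt_pub(b, pk, rng)
            rows.append((a, b, decrypt(ca + cb, p), decrypt(ca * cb, p)))
    return rows


def demo_noise_overflow():
    """Hand-checkable case with p = 1001: decryption is only correct while
    the absolute noise stays at or below p // 2 = 500."""
    p = 1001
    c1 = encrypt_sym(1, p, q=5, r=10)    # noise 21
    ok = encrypt_sym(1, p, q=7, r=11)    # noise 23, product noise 483
    bad = encrypt_sym(1, p, q=7, r=12)   # noise 25, product noise 525
    return decrypt(c1 * ok, p), decrypt(c1 * bad, p)


if __name__ == "__main__":
    for a, b, s, m in demo_homomorphism():
        print(f"{a} xor {b} -> {s}    {a} and {b} -> {m}")
    print("product within / beyond the noise budget:", demo_noise_overflow())
```

Addition adds the noise terms and multiplication multiplies them, so the second product in `demo_noise_overflow` decrypts to the wrong bit; this is the situation the ciphertext-refreshing step is meant to prevent.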
6.6 FHE from Ring-LWE and Security for Key Dependent Messages (2011) - Brakerski and Vaikuntanathan

Brakerski and Vaikuntanathan proposed an SWHE technique [7] that is extremely simple to understand and apply. Its security reduces to the worst-case hardness of problems on ideal lattices. They then transformed it into an FHE scheme using the same techniques proposed by Gentry [3], [18], i.e., the “squashing”
and “bootstrapping” techniques. One of the obstacles in going from “somewhat” to “fully” homomorphic encryption is the requirement that the SWHE scheme be “circular secure”, i.e., the scheme should be able to securely encrypt its own private key. According to the authors, this requirement had to be assumed explicitly, because it was not known to be achievable for any SWHE cryptosystem under any cryptographic assumption. Consequently, they took a step towards removing this additional assumption by demonstrating that their technique is indeed secure when encrypting “polynomial functions” of the private key.

Their public key encryption scheme relies on the “polynomial learning with errors” (PLWE) assumption, which is a simplified form of R-LWE, proposed by Lyubashevsky, Peikert and Regev [24]. The R-LWE assumption permits totally eliminating the worst-case hardness on ideal lattices, thus providing a very straightforward scheme. It has been proved that this scheme is somewhat homomorphic, which means that operations of limited complexity can be evaluated on ciphertexts. Furthermore, the SWHE scheme is “circular secure”, meaning that meaningful functions of the secret key can be encrypted securely. Finally, they showed how FHE can be achieved by bootstrapping, utilizing “Gentry-style” squashing [7].

6.7 FHE without Squashing Using Depth-3 Arithmetic Circuits (2011) - Gentry and Halevi

Gentry and Halevi developed a new FHE approach [17] as a hybrid of an SWHE scheme and a “compatible multiplicatively homomorphic encryption” (MHE) scheme, combined in an unexpected way. Although this framework provides a completely different method, it still depends on ideal lattices. Basically, it demonstrates how to bootstrap without “squashing” the decryption circuit.
Accordingly, this leveled FHE scheme is constructed without the need to assume the hardness of the sparse subset sum problem (SSSP), which is replaced with the decisional Diffie-Hellman (DDH) assumption. The primary strategy is to express the decryption procedure of SWHE schemes as a depth-3 (ΣΠΣ) arithmetic circuit of a specific structure. Because of the particular form of the decryption circuit, the transformation to the MHE scheme is possible without evaluating anything homomorphically. Consequently, when evaluating this circuit through the bootstrapping technique, the authors developed an optimization of their leveled FHE scheme in which the whole leveled FHE ciphertext is tentatively “compressed” into a single ciphertext of the MHE scheme (e.g., El-Gamal). In other words, the SWHE scheme only has to evaluate the MHE scheme's decryption circuit, rather than its own decryption circuit, thus getting rid of the “circularity” that made the squashing step necessary. The result is translated back to the SWHE scheme by homomorphically evaluating the decryption process of the MHE scheme. Finally, they showed that the MHE scheme can be replaced by an additively homomorphic encryption (AHE) scheme that is capable of encrypting discrete logarithms. This substitution allowed them to develop a leveled FHE scheme whose semantic security relies on the worst-case hardness of the shortest independent vector problem (SIVP) over ideal lattices (Ideal-SIVP), with reduced ciphertext length [31].

6.8 FHE based on (Standard) Learning with Errors LWE (BV) (2011) - Brakerski and Vaikuntanathan

Brakerski and Vaikuntanathan proposed a radical change in the development of FHE schemes, known as the BV scheme [4], whose security is linked to the hardness of the decisional (standard) learning with errors (LWE) assumption [23]. This scheme is unique in that it does not fully follow Gentry's blueprint [18], [3] or the DGHV scheme [11] over the integers.
Compared to Gentry’s blueprint, which involved new and comparatively untested cryptographic assumptions, the BV cryptosystem aims to establish FHE under standard, well-understood cryptographic assumptions. Although the BV scheme relies on the learning with errors problem [23], which is considered as hard as solving other hard problems on general lattices, the scheme is easy to understand and implement and does not depend on lattices directly. The resulting FHE scheme has very short ciphertexts, making it more efficient than prior ones, and it was therefore used to build an efficient LWE-based “single-server private information retrieval” (PIR) protocol [20], [32]. The BV scheme is summarized in two steps:

- First step: Re-linearization: Somewhat Homomorphic Encryption without Ideals

Re-linearization makes it possible to build an SWHE scheme whose security depends only on the worst-case hardness of solving standard “short vector” problems on arbitrary (not necessarily ideal) lattices. According to Gentry, a homomorphic scheme for a class of circuits permits evaluation of any circuit in the class. Gentry’s blueprint demonstrated that the “bootstrapping” technique for obtaining FHE from SWHE requires a homomorphic scheme whose decryption circuit resides in the class. It is clear that homomorphic encryption schemes that can evaluate an arbitrary number of additions and multiplications are very difficult to obtain, even without the process of bootstrapping. Gentry's solution to this problem was based on the algebraic concept of ideals in various rings. Specifically, the plaintext is considered to be a ring element, and the ciphertext is the plaintext combined with some noise, which is related to an ideal. In contrast to all former cryptosystems, it has been shown that SWHE can be based on the LWE assumption, using a new method called
“re-linearization.” This technique makes it possible to obtain an SWHE scheme that avoids the need for complexity assumptions on ideals in various rings [31].
- Second step: Dimension-Modulus Reduction: Fully Homomorphic Encryption Without Squashing

Dimension-modulus reduction makes it possible to eliminate the rather complex “squashing step” used in Gentry’s solution and in all subsequent ones, hence bypassing the additional, very strong hardness assumption on the difficulty of the sparse subset-sum problem (SSSP). The researchers introduced a new technique known as “dimension-modulus reduction”, which upgrades the SWHE scheme into an FHE scheme with the same homomorphic properties while reducing the ciphertext size and the decryption complexity of the scheme, all without relying on any additional assumptions [31].
The Learning with Error Problem (LWE)

The Learning with Errors (LWE) problem was proposed by Regev [9] and has since served as the foundation for a wide range of cryptographic applications. Many researchers in cryptography use LWE to construct cryptographic schemes with a high level of security and efficiency [24]. The LWE problem asks to recover a secret $s \in \mathbb{Z}_q^n$ given a sequence of approximate random linear equations on s. For example, the input might be as follows:

$14s_1 + 15s_2 + 5s_3 + 2s_4 \approx 8 \pmod{17}$
$13s_1 + 14s_2 + 14s_3 + 6s_4 \approx 16 \pmod{17}$
$6s_1 + 10s_2 + 13s_3 + 1s_4 \approx 3 \pmod{17}$
$10s_1 + 4s_2 + 12s_3 + 16s_4 \approx 12 \pmod{17}$
$9s_1 + 5s_2 + 9s_3 + 6s_4 \approx 9 \pmod{17}$
$3s_1 + 6s_2 + 4s_3 + 5s_4 \approx 16 \pmod{17}$
. . .
$6s_1 + 7s_2 + 16s_3 + 2s_4 \approx 3 \pmod{17}$

Each equation is correct up to some small additive error (say, ±1), and the goal is to recover s. The answer is s = (0, 13, 9, 11) [23]. Recovering s would be very straightforward if no error were introduced: after about n equations, s can be recovered in polynomial time using “Gaussian elimination.” With an error, the problem becomes more difficult.

Definition 6.8.1. Learning with Error (LWE) Problem

Consider a linear combination of lattice basis vectors together with a small error. The problem of distinguishing noisy random linear functions (with error) from uniformly random vectors is known as the “Learning with Error” problem. In other words, it is the problem of finding the closest vector to a noisy vector in a given lattice, specifically by solving the closest vector problem (CVP) and/or a linear combination. Hence, the difficulty of solving LWE comes down to finding a “good” (short or close) basis for a relevant lattice [29], [24].

On the Hardness of LWE

As demonstrated above, cryptographic schemes based on LWE are to some extent inefficient because of an inherent quadratic overhead in the use of LWE.
Several points indicate the difficulty of the LWE problem:
- Firstly, the best known algorithms for LWE run in exponential time.
- Secondly, a related issue is the difficulty of the learning parity with noise (LPN) problem. The Learning with Errors (LWE) problem is a natural generalization of the LPN problem to large moduli. That means the hardness of LWE does not efficiently act for small moduli, because there is still a need to find an effective algorithm for LPN to benefit from the small modulus.
- Thirdly, numerous lattice-based cryptosystems rely directly on two average-case problems, namely the learning with errors (LWE) problem and the short integer solution (SIS) problem. These two average-case problems have been shown to enjoy very strong lattice hardness guarantees. More specifically, LWE has been shown to be as hard as several worst-case problems such as the shortest independent vectors problem (SIVP), the decision version of the shortest vector problem (GAPSVP), and the learning parity with noise (LPN) problem. Similarly, SIS has been shown to be as hard as comparable worst-case problems, up to a polynomial factor in the lattice dimension.

Returning to the main point, cryptographic schemes that rely on the SIS and LWE problems usually require rather large key sizes, of order $n^2$. This is because cryptographic applications regularly need to provide a sequence of vectors $v_1, \ldots, v_n \in \mathbb{Z}_q^n$. From a practical perspective, reducing the key size to roughly linear might lead to significant efficiency gains [23], [24], [30].

Definition 6.8.2. The Small Integer Solution (SIS) problem - Given a sequence of vectors $v_1, \ldots, v_n \in \mathbb{Z}_q^n$, find a subset of them (a combination with small coefficients) that sums to zero (modulo q). One can define SIS as the problem of finding short vectors in a random lattice or code.
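The sample system quoted in this section (q = 17, n = 4, errors of ±1) is small enough to work through directly. The Python below is an added example, not part of the paper: it solves the first four equations by Gaussian elimination modulo 17 with and without the error, then recovers the secret from the noisy equations by trying all q^n candidates. The function names are illustrative, and the extra samples produced by `make_samples` are constructed here; since only seven equations are quoted, the exhaustive search returns every candidate that fits them rather than assuming the fit is unique.

```python
import random
from itertools import product

Q = 17  # modulus used in the text's example

# The seven noisy equations quoted in the text, as (coefficients a, right-hand side b).
SAMPLES = [
    ((14, 15, 5, 2), 8),
    ((13, 14, 14, 6), 16),
    ((6, 10, 13, 1), 3),
    ((10, 4, 12, 16), 12),
    ((9, 5, 9, 6), 9),
    ((3, 6, 4, 5), 16),
    ((6, 7, 16, 2), 3),
]
SECRET = (0, 13, 9, 11)  # the answer stated in the text


def centered(x, q=Q):
    """Map x mod q into the interval [-(q // 2), q // 2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner(a, s, q=Q):
    """Inner product <a, s> modulo q."""
    return sum(ai * si for ai, si in zip(a, s)) % q


def errors(samples, s, q=Q):
    """Error b - <a, s> (centered mod q) that candidate s leaves in each equation."""
    return [centered(b - inner(a, s, q), q) for a, b in samples]


def solve_mod_q(rows, rhs, q=Q):
    """Gauss-Jordan elimination over Z_q (q prime), square system; None if singular."""
    n = len(rows)
    m = [[v % q for v in r] + [b % q] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, n) if m[i][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)          # modular inverse of the pivot
        m[col] = [(v * inv) % q for v in m[col]]
        for i in range(n):
            if i != col and m[i][col]:
                f = m[i][col]
                m[i] = [(vi - f * vc) % q for vi, vc in zip(m[i], m[col])]
    return tuple(row[n] for row in m)


def exhaustive_search(samples, q=Q, bound=1):
    """Try all q**n candidates; keep those whose error is within +-bound everywhere."""
    n = len(samples[0][0])
    return [s for s in product(range(q), repeat=n)
            if all(abs(centered(b - inner(a, s, q), q)) <= bound for a, b in samples)]


def make_samples(secret, count, rng, q=Q, bound=1):
    """Constructed samples: uniform a and b = <a, secret> + e, e in [-bound, bound]."""
    out = []
    for _ in range(count):
        a = tuple(rng.randrange(q) for _ in secret)
        out.append((a, (inner(a, secret, q) + rng.randint(-bound, bound)) % q))
    return out


if __name__ == "__main__":
    rows = [a for a, _ in SAMPLES[:4]]
    print("errors left by the stated secret:", errors(SAMPLES, SECRET))
    print("elimination, exact right-hand side:",
          solve_mod_q(rows, [inner(a, SECRET) for a in rows]))
    print("elimination, noisy right-hand side:",
          solve_mod_q(rows, [b for _, b in SAMPLES[:4]]))
    print("candidates fitting the 7 equations:", exhaustive_search(SAMPLES))
    more = make_samples(SECRET, 40, random.Random(0))
    print("candidates fitting 40 constructed samples:", exhaustive_search(more))
```

Elimination on the noisy right-hand side returns a vector other than the secret, because an error of ±1 in a single equation is spread across the whole solution; the exhaustive search tolerates the error but its cost grows as q^n.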
Algorithms for Solving the LWE problem

According to Regev [23], the naïve algorithm for solving the learning with errors problem is known as the “maximum likelihood algorithm”; however, the best known and most interesting algorithm is the combinatorial algorithm invented by Blum, Kalai, and Wasserman (BKW) [30]. The other most widely used algorithms for tackling LWE are the lattice basis reduction (LLL) algorithm and algebraic algorithms.

Definition 6.8.6. Maximum likelihood algorithm -
The analysis of this algorithm starts by assuming that q is polynomial and the error distribution is normal, and then proceeds as follows:
- After about O(n) equations, the correct assignment is the secret s, since it is the only assignment that approximately satisfies the equations (finding s can be accomplished by trying all $q^n$ possible assignments).
- This yields an algorithm with running time $q^n = 2^{O(n \log n)}$ that uses only O(n) equations [23], [30].

Definition 6.8.7. Blum-Kalai-Wasserman (BKW) combinatorial algorithm - The BKW algorithm has been applied to the LWE problem to study its complexity. The analysis first prepares refined running-time estimates for the data and function requirements, in order to understand the concrete complexity of solving the LWE problem. Second, these estimates are applied to different parameter sets of LWE-based cryptosystems and compared with alternative approaches based on lattice reduction. As a result, “new recovered upper bounds for the concrete hardness of these LWE-based schemes” are provided. It has been shown that the BKW algorithm outperforms previous estimates for lattice reduction algorithms [30].

Definition 6.8.8. Lattice basis reduction (LLL) algorithm - LLL reduces a lattice basis in polynomial time, at the cost of an approximation factor that is exponential in the number of dimensions. If the approximation is too large relative to the lattice space (modulo q), solving the Closest Vector Problem (CVP) outputs an error. All things considered, for a given q there exist various dimensions n for which LWE is believed to be hard [29].

6.9 Implementation of FHE based on R-LWE (2011) - Lauter, Naehrig, and Vaikuntanathan

Lauter, Naehrig, and Vaikuntanathan proposed an implementation [21] of the “somewhat” homomorphic public key encryption scheme from the BV scheme [4] of Brakerski and Vaikuntanathan, using the computer algebra system Magma.
They concentrated on characterizing a number of real-world applications and useful functions to be computed. Most of these applications need many addition operations, yet only a limited number of multiplications. In short, they argued that it is enough to implement an SWHE scheme, since it can be much faster and more practical than FHE schemes. Moreover, the re-linearization technique proposed in BV, which reduces the size of the ciphertext to two ring elements, is used in this implementation. They ran experiments using Magma’s polynomial arithmetic for all calculations (addition and multiplication) in the ring of polynomials modulo a prime number, thus providing similar efficiency with the same level of homomorphism and security. As a result, they showed that “an encryption for the sum of 100 128-bit numbers can be calculated from the individual ciphertexts in 20 milliseconds on a laptop running Magma” [21].

Ring Learning with Error problem (R-LWE) -

A major open question was whether cryptographic schemes based on LWE can be made more efficient by taking advantage of additional algebraic structure and performing calculations on polynomials, which have “better complexity” than vectors. Lyubashevsky, Peikert, and Regev [24] resolved this question by proposing a variant of LWE over rings known as “ring-LWE”, demonstrating that it also enjoys worst-case lattice hardness properties. R-LWE is a simple extension of LWE [23] intended to provide more security and reduce ciphertext size. The main idea behind R-LWE is that the vectors can be viewed as polynomials modulo the nth cyclotomic polynomial (the unique irreducible polynomial with integer coefficients), where n is a power of 2. They restricted their algorithm to cyclotomic fields rather than other number fields.
According to the authors, the ring-LWE distribution is pseudorandom, assuming that the worst-case lattice problems underlying ring-LWE are hard for “polynomial-time quantum algorithms.” As a final point, many improvements and security proofs for LWE have counterparts for R-LWE, the first truly practical variant. The reason for working with R-LWE rather than LWE is that many LWE-based schemes can be made much more efficient and practical by using R-LWE instead [24], [29].

6.10 Fully Homomorphic SIMD Operations (2011) - Smart-Vercauteren

Gentry’s scheme encrypts and decrypts a plaintext of only 1-bit length. For this reason, researchers looked at operations that could be processed on many bits in parallel to reduce runtime. When Smart and Vercauteren presented their variant of Gentry's blueprint [2], they noted that their cryptosystem could support SIMD-style operations (single instruction, multiple data). The slow key generation procedure of the Smart-Vercauteren scheme was later addressed in a paper by Gentry and Halevi; however, their key generation technique seems to rule out the SIMD-style operation alluded to by Smart and Vercauteren.

In this improvement [33], Smart and Vercauteren revisited their SWHE variant and showed that it can support SIMD operations in the finite field of characteristic two by modifying key generation. They demonstrated that parameters can be chosen for the Gentry and Halevi implementation to enable such SIMD operations, performing the re-crypt procedure on all data elements separately in parallel, thus obtaining FHE from the SWHE scheme with a substantial speed-up. Finally, they showed how such SIMD operations can be used
to carry out different higher-level tasks by exploring two scenarios: implementing AES encryption homomorphically, and searching an encrypted database on a remote server [33], [31].

6.11 BGV (Leveled FHE without Bootstrapping from R-LWE) (2012) - Brakerski, Gentry, and Vaikuntanathan

Brakerski, Gentry, and Vaikuntanathan constructed the leveled BGV cryptosystem [6] on the techniques of the Brakerski and Vaikuntanathan (BV) scheme [4], using the R-LWE problem from [24]. Because the BGV encryption scheme significantly enhances efficiency and the level of security under “weaker assumptions”, it is nowadays considered the first existing scheme proven practical in real-life applications. The main contribution of their work was a new strategy for constructing leveled FHE schemes that are able to evaluate “arbitrary polynomial-size circuits” while eliminating the bootstrapping procedure proposed by Gentry. It is commonly described as a public key (asymmetric) encryption scheme that encrypts bits. There are two versions of the BGV cryptosystem: one handles integer vectors and is based on the learning with errors (LWE) problem [23], while the other handles integer polynomials and is based on the Ring learning with errors (R-LWE) problem [24].

They started from a somewhat homomorphic encryption (SWHE) scheme based on the “Ring LWE” assumption [24] that has $2^{\lambda}$ security against known attacks, since it is much more efficient. Previous schemes, which worked over ideal lattices, used sub-exponential factors and a parameter d (indicating the degree of the polynomials to be evaluated). In the BGV scheme, by contrast, security is based on lattice problems with “quasi-polynomial approximation factors”, giving an exponential improvement. Moreover, the authors used a parameter L (indicating the number of levels of the arithmetic circuit being evaluated).
Brakerski, Gentry, and Vaikuntanathan offered several improvements to Gentry's original blueprint [3], [18] and to the BV scheme [4]. Given that their FHE scheme has per-gate computation only “quasi-linear” in the security parameter, they provided a number of optimization techniques for their FHE scheme:
- A re-linearization procedure to reduce the dimension of the ciphertext and the key sizes.
- The dimension reduction strategy is used in the BV scheme [4] to achieve FHE instead of using squashing methods, while in this work the “modulus switching” procedure, which had been bundled into the “dimension reduction” technique, is named separately and examined carefully.
- Modulus switching is refined to better manage the noise introduced into ciphertexts during homomorphic multiplication operations, without knowing the secret key and without bootstrapping.
- A combination of both of the above procedures, which minimizes the multiplicative depth of the decryption circuit, is used.

According to the authors, the BV scheme's re-linearization/modulus switching methods can be used to convert a ciphertext c1 (decrypted using one secret key vector s1) into a different ciphertext c2 that encrypts the same plaintext. In this scheme, however, they are used to transform a ciphertext c1 (decrypted using a second secret key vector s2) into a different ciphertext c2.
- A batching technique was the first optimization in the scheme. It reduces the per-gate computation from quasi-linear in the security parameter λ to “polylogarithmic”. This is done by packing multiple plaintexts into each ciphertext rather than one, while its security gives approximately the same level of efficiency.
- Next, they reintroduced bootstrapping as an optimization rather than a requirement. Bootstrapping makes it possible to achieve per-gate computation that is quasi-quadratic in the security parameter, independent of the depth of the circuit being evaluated.
- Then, they showed that combining batching with the bootstrapping method is a powerful mix. By batching the bootstrapping optimization, circuits whose levels mostly have width at least λ can be homomorphically evaluated with only $\tilde{O}(\lambda)$ per-gate computation, independent of the number of levels. In other words, batching the homomorphic evaluation of the decryption function reduces the per-gate computation by another factor of λ, from $\tilde{O}(\lambda^{2})$ to $\tilde{O}(\lambda)$ (independent of L).

BGV result - They obtained a result similar to the LWE scheme; however, in case of poor performance, they provided a number of extra optimizations. Relying on R-LWE, they have:
- Without the bootstrapping method, and with security relying on the hardness of R-LWE for an approximation factor exponential in L, the result is a leveled FHE scheme that can evaluate L-level arithmetic circuits, where the per-gate computation is $\tilde{O}(\lambda \cdot L^{3})$.
- While using the bootstrapping technique as an optimization rather than a requirement, with security based on the hardness of R-LWE for quasi-polynomial factors, the result was a leveled FHE scheme with Õ(λ²) per-gate calculation, independent of L [6], [20], [28], [14], [29].

6.12 Public Key Compression and Modulus Switching for FHE over the Integers (2012) - Coron, Naccache, and Tibouchi

Coron, Naccache, and Tibouchi proposed a compression procedure [22] that reduces the public key size of the van Dijk et al. (DGHV) FHE cryptosystem over the integers [11] from Õ(λ⁷) (their result with Mandal [10]) down to Õ(λ⁵). They obtained an implementation of the FHE scheme with a 10.1 MB public key rather than 802 MB, using comparable security parameters. The authors' contributions can be listed as follows:
1. Public Key Compression - a method to decrease the public key size of DGHV schemes. Under their variation, the encryption scheme remains secure under the approximate-GCD assumption [22].
2. Extension to Higher Degrees - Different techniques have been proposed to obtain a shorter public key and, at the same time, increase the efficiency of the DGHV scheme [11]. The most important method is the one that uses a quadratic form instead of a linear form. In this contribution the authors demonstrated how to extend the quadratic encryption procedure of their previous work with Mandal [10] to higher degrees in order to get a shorter public key for the basic DGHV scheme. They demonstrated that a specific family of quadratic hash functions is sufficiently close to being “pairwise independent”, thus proving that the scheme remains semantically secure [22].
3. Modulus Switching and Leveled DGHV Scheme - In their third contribution, they provided a new method called “modulus switching” to show how to apply Brakerski, Gentry and Vaikuntanathan’s (BGV) FHE scheme [6] (without bootstrapping) to the DGHV scheme [11] over the integers. Applying the BGV scheme, the noise vector grows only linearly with “multiplicative depth” rather than exponentially. This makes it possible to attain an FHE scheme without the costly bootstrapping procedure. Based on their implementation and results, the BGV framework can be practically applied, and the resulting FHE scheme remains secure under a harder assumption [22].
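The modulus-switching step named in the BGV discussion and in contribution 3 above can be seen on a toy ciphertext. The following is an added example, not code from the paper or from the cited authors: it uses the LWE form of the rounding rule from BGV [6] (scale by p/q, round to the nearest integer with the same parity), not the integer variant of [22], and the symmetric bit-encryption scheme, moduli, dimension and noise bound are constructed here and are far too small to be secure.

```python
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2] (q odd)."""
    x %= q
    return x - q if x > q // 2 else x

def keygen(n, rng):
    # s = (1, s') with entries of s' in {-1, 0, 1}, so l1(s) stays small.
    return [1] + [rng.choice((-1, 0, 1)) for _ in range(n)]

def encrypt(m, s, q, noise_bound, rng):
    # Symmetric LWE-style encryption of one bit: <c, s> = m + 2e (mod q).
    a = [rng.randrange(q) for _ in s[1:]]
    e = rng.randint(-noise_bound, noise_bound)
    b = (sum(ai * si for ai, si in zip(a, s[1:])) + 2 * e + m) % q
    return [b] + [(-ai) % q for ai in a]

def noise(c, s, q):
    # The "noisy plaintext" m + 2e, recoverable only with the secret key.
    return centered(sum(ci * si for ci, si in zip(c, s)), q)

def decrypt(c, s, q):
    return noise(c, s, q) % 2

def mod_switch(c, q, p):
    # Keyless step: nearest integer vector to (p/q)*c with the parity of c.
    out = []
    for ci in c:
        f = (p * ci) // q                      # floor of the scaled coordinate
        out.append(f if (f - ci) % 2 == 0 else f + 1)
    return out

def switch_is_safe(e_q, q, p, l1_s):
    # Precondition |e_q| < q/2 - (q/p)*l1(s), cleared of fractions.
    return 2 * p * abs(e_q) < p * q - 2 * q * l1_s

def demo(seed=1):
    rng = random.Random(seed)
    q, p = 1_000_003, 1_001                    # constructed toy moduli, both odd
    s = keygen(8, rng)
    l1_s = sum(abs(x) for x in s)
    rows = []
    for m in (0, 1):
        c = encrypt(m, s, q, 2000, rng)
        c2 = mod_switch(c, q, p)               # no secret key used here
        rows.append({"m": m, "dec_q": decrypt(c, s, q), "dec_p": decrypt(c2, s, p),
                     "e_q": noise(c, s, q), "e_p": noise(c2, s, p), "l1_s": l1_s})
    return q, p, rows

if __name__ == "__main__":
    q, p, rows = demo()
    for r in rows:
        print(r, "safe:", switch_is_safe(r["e_q"], q, p, r["l1_s"]))
```

The switched noise is bounded by (p/q)·|e_q| + l1(s), so the absolute noise shrinks with the modulus while the additive l1(s) term is the reason the secret key must be short; `switch_is_safe` returns False when the target modulus is too small for that term.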
6.13 Gentry’s Bootstrapping Improvement (2012) - Gentry, Halevi, and Smart

The major obstacle in the bootstrapping technique of Gentry's breakthrough is the requirement to evaluate the modular reduction operation homomorphically. This is basically done by simulating a “binary modular reduction circuit”, using bit operations on integers represented in binary. Gentry, Halevi, and Smart presented an approach [27] that to some degree bypasses the homomorphic reduction of one integer modulo another, by using an arithmetic modulus near a power of two. It is simpler to describe and implement than the common binary circuit approach, and is provably faster. Their strategy allows the encryption of the private key to be stored as a single ciphertext, hence minimizing the size of the public key. Their scheme can also be combined with the SIMD homomorphic calculation procedures of Smart-Vercauteren [33] to run a bootstrapping technique in time “quasilinear” in the security parameter. This last part requires extending the methods from previous work to process arithmetic over some rings rather than over fields. To be more specific, their scheme works with moduli very close to a power of two, instead of over characteristic-two fields [31].

7. FHE Semantic Security

Despite the fact that FHE schemes guarantee confidentiality and efficiency, there are major drawbacks that need attention. One of the greatest setbacks is the increase in the size of the public key and its effect on the size of the encrypted data, which leads to a longer server response time to any request from the client. Encryption and decryption of data also affect response time, making the system slow for practical usage [12]. Gentry’s concept is to minimize the complexity of the decryption circuit. Nonetheless, the complexity of the encryption circuit and the size of the public key increase significantly.
Consequently, Central Processing Units (CPUs) can hardly execute such complex procedures. Assuming that Moore’s principle is limitless, the processing power needed to carry out FHE requires at least thirty years of continuous development. FHE schemes represent the computation with so-called circuit homomorphism, where each logic gate is simulated through its own HE. Many mathematical operations can be decomposed into fundamental operations, but it is hard to convert sophisticated arithmetic operations into circuit tasks [37]. Schemes that followed Gentry’s work turned out to have inherent efficiency weaknesses. This is because all of the FHE techniques require substantial computing resources: they employ intensive, sophisticated arithmetic tools, thus generating large keys, massive ciphertexts per computation in a circuit, and an accumulation of noise [8]. The existing FHE schemes always apply re-encryption processing to achieve fully homomorphic encryption, and the computational complexity of the re-encryption method affects the real implementation of FHE schemes. In addition, all FHE schemes have a large computational overhead, which increases runtimes for encryption and decryption, making homomorphic computation of arbitrary functions impractical. More importantly, it has been shown that the dilemma that prevents FHE schemes from becoming practical is the “per-gate evaluation time”, meaning the ratio of the time needed to evaluate a circuit homomorphically to the time needed to evaluate the same circuit on plaintext inputs. The per-gate evaluation time of the FHE schemes that followed Gentry’s initial work is Ω(κ⁴), where κ is the security parameter [35]. Moreover, a fresh security assumption known as the Sparse Subset Sum Problem (SSSP), whose security is yet to be proved, was introduced at the point of squashing the decryption circuit. As a result, FHE still bears a security risk for the data stored. The level of security is high, but not satisfactory. To realize a fully homomorphic encryption design, all of these setbacks must be overcome [37].

8. Conclusion

Cloud computing security founded on HE is a fresh idea of security. The exploration of HE schemes highlights important concepts regarding the generation of cryptographic needs. HE is used to promote the security of users' data in the cloud and to support easy retrieval of the data. Therefore, applications of homomorphic encryption have increased in recent times with the spread of cloud computing. The role of the adoption of HE algorithms by the CSP in maintaining the confidentiality of private data cannot be underestimated. Cloud computing draws researchers’ attention to developing practical FHE schemes. In fact, the current level of usage of homomorphic encryption points towards its improved usage and further research to address its weaknesses. Specifically, the most effective FHE method is still very costly and suffers from poor performance. Performing computations with FHE takes quite long; however, as inventions evolve, the situation will change for the better. Overall, this research paper has simplified numerous definitions related to HE. The role of HE in existing applications has been explored, and the current state of the art has been reviewed and presented systematically. Although the use of homomorphic encryption techniques improves the benefits of cloud computing by promoting client satisfaction and security of data, its weaknesses in speed and in the ability to manage large loads of data need to be addressed. Therefore, further research is needed to strengthen homomorphic encryption, and it should focus on developing schemes that are much better in terms of practicality.
| FHE Scheme | Year | Scheme Outline | Security Assumption |
|---|---|---|---|
| Gentry’s FHE | 2009 | First FHE scheme, based on ideal lattices | The hardness assumption of SSSP |
| Smart-Vercauteren | 2010 | Improvement of Gentry's scheme with small key and ciphertext size, using “principal-ideal lattices” | The complexity of the key generation procedure (finding a small principal ideal lattice) |
| Stehle-Steinfeld | 2010 | Two main improvements of Gentry's scheme to obtain a faster FHE scheme | The hardness assumption of SSSP |
| Gentry-Halevi | 2010 | Implementation of Gentry’s scheme with a number of optimizations | The hardness assumption of finding a small principal ideal lattice |
| Dijk, Gentry, Halevi and Vaikuntanathan (DGHV) | 2010 | FHE scheme using simple arithmetic over the integers rather than lattices | Approximate-GCD Problem |
| Coron, Mandal, Naccache, and Tibouchi | 2011 | Improvement of DGHV working over the integers with smaller public keys | Approximate-GCD Problem |
| Brakerski and Vaikuntanathan | 2011 | FHE from R-LWE and Security for Key Dependent Messages | The hardness of the R-LWE Problem |
| Gentry and Halevi | 2011 | FHE without squashing, using depth-3 arithmetic circuits | The decisional (DDH) assumption, or the SIVP problem over ideal lattices (Ideal-SIVP) |
| Brakerski and Vaikuntanathan | 2011 | FHE scheme based on LWE (BV scheme) | The hardness of the LWE Problem |
| Lauter, Naehrig and Vaikuntanathan | 2011 | Implementation of an FHE scheme based on R-LWE | The hardness of the R-LWE Problem |
| Smart and Vercauteren | 2011 | FHE scheme that enables SIMD operations | The decision variant of the BDDP, or SSSP |
| Brakerski, Gentry and Vaikuntanathan | 2012 | Leveled FHE scheme without bootstrapping (BGV scheme) | R-LWE for an exponential approximation factor, or R-LWE for quasi-polynomial approximation factors |
| Coron, Naccache, and Tibouchi | 2012 | Compression approach for minimizing the pk size used by the DGHV scheme | Approximate-GCD assumption |
| Gentry, Halevi, and Smart | 2012 | Improvement of Gentry's bootstrapping, then joined with SIMD operations | The quasi-polynomial approximation factors |
Table 2. FHE Scheme, Brief Description, and Security Assumption of HE Schemes.
9. References

[1] I. Ahmad, and K. Archana. Homomorphic Encryption Method Applied to Cloud Computing. International Journal of Information & Computation Technology 4, no. 15, (2014): 1519-530.
[2] N.P. Smart, and F. Vercauteren. Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography, (2010): 420-443.
[3] C. Gentry. A fully homomorphic encryption scheme. Ph.D. dissertation, Stanford University, (2009). Available at https://crypto.stanford.edu/craig/craig-thesis.pdf.
[4] Z. Brakerski, and V. Vaikuntanathan. Efficient Fully Homomorphic Encryption from (Standard) LWE. IEEE 52nd Annual Symposium on Foundations of Computer Science, (2011).
[5] D. Stehlé and R. Steinfeld. Faster fully homomorphic encryption. ASIACRYPT, (2010): 377–394.
[6] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. Innovations in Theoretical Computer Science (ITCS’12), (2011). Available at https://eprint.iacr.org/2011/277.pdf.
[7] Z. Brakerski and V. Vaikuntanathan. Fully Homomorphic Encryption for Ring-LWE and Security for Key Dependent Messages. In P. Rogaway (Ed.), CRYPTO, (2011), LNCS, vol. 6841, Springer, (2011): 505–524.
[8] D. Chechulina, K. Shatilov, and S. Krendelev. Fully Homomorphic Encryption for Secure Computations in Protected Database. Position Papers of the Federated Conference on Computer Science and Information Systems, (2015): 125-31.
[9] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC, H. N. Gabow and R. Fagin, Eds. ACM, (2005): 84–93.
[10] J.S. Coron, A. Mandal, D. Naccache and M. Tibouchi. Fully Homomorphic Encryption over the Integers with Shorter Public Keys. P. Rogaway (Ed.), CRYPTO, (2011): 487–504.
[11] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan. Fully Homomorphic Encryption over the Integers. H. Gilbert (Ed.), EUROCRYPT 2010, LNCS, vol. 6110, Springer, (2010): 24–43.
[12] K. El Makkaoi, A. Ezzati, A. Beni-Hssane, and C. Motamed. Data Confidentiality in The World of Cloud. Journal of Theoretical and Applied Information Technology 84, no. 3, (2016).
[13] R. Emelaya, and S. Agrawal. A Survey: Secure Data Storage Techniques in Cloud Computing. International Journal on Recent and Innovation Trends in Computing and Communication 3, no. 9, (2015): 5376-379.
[14] S. Fau, R. Sirdey, C. Fontaine, C. Aguilar-Melchor, and G. Gogniat. Towards Practical Program Execution over Fully Homomorphic Encryption Schemes. IEEE 8th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, (2013).
[15] C. Fontaine, and F. Galand. A Survey of Homomorphic Encryption for Nonspecialists. Journal of Information Security 1, (2009): 41-50.
[16] C. Gentry, and S. Halevi. Implementing Gentry’s Fully-Homomorphic Encryption Scheme. Advances in Cryptology - EUROCRYPT’11, volume 6632 of Lecture Notes in Computer Science. Springer, (2011): pages 129–148.
[17] C. Gentry, and S. Halevi. Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits. FOCS’11. IEEE Computer Society, (2011).
[18] C. Gentry. Fully homomorphic encryption using ideal lattices. Michael Mitzenmacher, editor, STOC, 169–178. ACM, (2009).
[19] R. Kanagavalli, and S. Vagdevi. A Survey of Homomorphic Encryption Schemes in Cloud Data Storage. International Journal of Recent Development in Engineering and Technology 3, no. 1, (2014). Available at www.ijrdet.com.
[20] J. M. Kukucka. An Investigation of the Theory and Applications of Homomorphic Cryptography. ProQuest LLC, (2013).
[21] K. Lauter, M. Naehrig and V. Vaikuntanathan. Can Homomorphic Encryption Be Practical? Cryptology ePrint Archive, Report (2011): 405.
[22] J-S. Coron, D. Naccache, and M. Tibouchi. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Advances in Cryptology—EUROCRYPT 2012, Lect. Notes in Comp. Sci. 7237, (2012), Springer, 446–464.
[23] O. Regev. The Learning with Errors Problem. 25th Annual IEEE Conference on Computational Complexity, (2010).
[24] V. Lyubashevsky, C. Peikert, and O. Regev. On Ideal Lattices and Learning with Errors Over Rings. EUROCRYPT, (2013).
[25] D-Ș. MAIMUȚ, A. PĂTRAȘCU, and E. SIMION. Homomorphic Encryption Schemes and Applications for a Secure Digital World. Journal of Mobile, Embedded and Distributed Systems IV, no. 4, (2012).
[26] R. Meissen. A Mathematical Approach to Fully Homomorphic Encryption, (2012). Available at https://web.wpi.edu/Pubs/E-project/Available/E-project-042612-132350/unrestricted/Meissen_MQP2.pdf
[27] C. Gentry, S. Halevi, and N. P. Smart. Better Bootstrapping in Fully Homomorphic Encryption. Public Key Cryptography, (2012): 1–16.
[28] P. V. Parmar, S. B. Padhar, S. N. Patel, N. I. Bhatt, and R. H. Jhaveri. Survey of Various Homomorphic Encryption Algorithms and Schemes. International Journal of Computer Applications 91, no. 8, (2014).
[29] L. Barthelemy. A Brief Survey of Fully Homomorphic Encryption, Computing on Encrypted Data, (2016). Accessed August 24, 2016. http://blog.quarkslab.com/a-brief-survey-of-fully-homomorphic-encryption-computing-on-encrypted-data.html.
[30] J. Ding. Solving LWE problem with bounded errors in polynomial time, (2010). Available at https://eprint.iacr.org/2010/558.pdf.
[31] I. Sharma. Fully Homomorphic Encryption Scheme with Symmetric Keys. Master Thesis, Rajasthan Technical University, (2013). Available at https://cryptome.org/2013/10/homo-crypto-sym.pdf.
[32] A. Silverberg. Fully Homomorphic Encryption for Mathematicians, (2013). Available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.295.3830&rep=rep1&type=pdf.
[33] N. P. Smart, and F. Vercauteren. Fully Homomorphic SIMD Operations. Designs, Codes and Cryptography, (2011): 1-25. Available at http://homes.esat.kuleuven.be/~fvercaut/papers/DCC2011.pdf.
[34] M. TEBAA, S. EL HAJJI, and A. EL GHAZI. Homomorphic Encryption Applied to the Cloud Computing Security. Proceedings of the World Congress on Engineering, (2012).
[35] V. Vaikuntanathan. Computing Blindfolded: New Developments in Fully Homomorphic Encryption. IEEE 52nd Annual Symposium on Foundations of Computer Science, (2011).
[36] D. J. Wu. Fully Homomorphic Encryption: Cryptography’s Holy Grail, (2015). Available at https://crypto.stanford.edu/~dwu4/papers/XRDS2015.pdf.
[37] Y. Yang, S. Zhang, J. Yang, J. Li, and Z. Li. Targeted Fully Homomorphic Encryption Based on a Double Decryption Algorithm for Polynomials. IEEE Tsinghua Science and Technology 19, no. 5, (2014): 478-85.
 [28] P. V. Parmar, S. B. Padhar, S. N. Patel, N. I. Bhatt, and R. H. Jhaveri. Survey of Various Homomorphic Encryption Algorithms and Schemes. International Journal of Computer Applications 91, no. 8, (2014). [29] L. Barthelemy. A Brief Survey of Fully Homomorphic Encryption, Computing on Encrypted Data, (2016). Accessed August 24, 2016. http://blog.quarkslab.com/a- brief-survey-of-fully-homomorphic-encryption- computing-on-encrypted-data.html. [30] J. Ding. Solving LWE problem with bounded errors in polynomial time, (2010). Available at https://eprint.iacr.org/2010/558.pdf. [31] I. Sharma. Fully Homomorphic Encryption Scheme with Symmetric Keys. Master Thesis, Rajasthan Technical University, (2013). Available at https://cryptome.org/2013/10/homo-crypto-sym.pdf. [32] A. Silverberg. Fully Homomorphic Encryption for Mathematicians, (2013). Available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1. 295.3830&rep=rep1&type=pdf. [33] N. P. Smart, and F. Vercauteren. Fully Homomorphic SIMD Operations. Designs, Codes and Cryptography, (2011): 1-25. Available at http://homes.esat.kuleuven.be/~fvercaut/papers/DCC2011 .pdf. [34] M. TEBAA, S. EL HAJJI, and A. EL GHAZI. Homomorphic Encryption Applied to the Cloud Computing Security. Proceedings of the World Congress on Engineering, (2012). [35] V. Vaikuntanathan. Computing Blindfolded: New Developments in Fully Homomorphic Encryption. IEEE 52nd Annual Symposium on Foundations of Computer Science, (2011). [36] D. J. Wu. Fully Homomorphic Encryption: Cryptography’s Holy Grail, (2015). Available at https://crypto.stanford.edu/~dwu4/papers/XRDS2015.pdf. [37] Y. Yang, S. Zhang, J. Yang, J. Li, and Z. Li. Targeted Fully Homomorphic Encryption Based on a Double Decryption Algorithm for Polynomials. IEEE Tsinghua Science and Technology 19, no. 5, (2014): 478-85.