Constructing Public-key Homomorphic Encryption Schemes from Private-key Ones over Large Message Spaces Fei Chen ,a , Tao Xiangb a
Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong. b College of Computer Science, Chongqing University, 400044, China.
Abstract Homomorphic encryption scheme has gained a lot of attention since Gentry’s breakthrough work in constructing the …rst fully public-key homomorphic encryption scheme. Rothblum (Rothblum TCC’11) has shown that a private-key homomorphic encryption scheme implies a public-key one over the message space f0; 1g. In this paper, we generalize Rothblum’s result to large message spaces. We present three constructions of a public-key homomorphic encryption scheme based on a private-key one that can evaluate addition homomorphicly. The common ideas and di¤erences of the three constructions are discussed. Some heuristics about the security of the three constructions are also discussed; however, the security issue remains as an open problem. Key words: homomorphic encryption, private-key encryption, public-key encryption, large message space 1. Introduction Homomorphic encryption is a kind of encryption scheme which enables an entity to carry out computations on any encrypted data, even in the case Corresponding author Email addresses:
[email protected] (Fei Chen),
[email protected] (Tao Xiang)
Preprint submitted to Elsevier
September 13, 2012
that the entity doesn’t have the secret key of the encryption scheme. It was …rst proposed in 1978 by Rivest et al. [15], soon after the invention of the RSA public-key algorithm [16]. The basic motivation was that a client wants to escrow his data to a service provider, and at the same time he wants the service provider to help carry out some computations on his data on his requests. But at the same time he doesn’t want the service provider to know his data which may contain valuable commercial information. Thus, he chooses to encrypt his data and then sends the encrypted one to the service provider. Now the problem of computation on encrypted data arises. People were searching a possible solution throughout the years. Although there were several progresses which can do limited times of additions and multiplications, the substantial progress was achieved in 2009 by Gentry who proposed the …rst algorithm [10] which can do any computation on the encrypted data. Subsequently, people proposed a few more fully homomorphic encryption schemes since 2009 [18][8][7][6][4][11][5]. Now people know that homomorphic encryption is viable although the e¢ ciency is a major problem for practical uses. Thus, a systematic research of homomorphic encryption is needed. Traditionally, one-way functions imply private-key encryption schemes; however, we need trapdoor one-way functions to construct public-key encryption schemes [12]. In other words, private-key encryption doesn’t imply public-key encryption. However, in the homomorphic setting, it turns out that public-key encryption schemes can be constructed from private-key ones if the message space is f0; 1g [17]. Theoretically, bit encryption schemes do provide solutions to practical security problems; however, they are not e¢ cient for practical uses. One interesting phenomena is that the RSA publickey encryption scheme is used in practice since 1990 while the provable secure public-key bit encryption scheme based on the quadratic resudiosity (QR) assumption [14] remains as a theoretical algorithm, which was proposed earlier than the provable secure RSA-OAEP [3] scheme though. We believe that people are interested about encryption schemes over large message spaces. We investigate the following problem: how to construct public-key homomorphic encryption schemes from private-key ones over ZN , where N is an integer. This is interesting because: real world applications require large message spaces; theoretically, it is also interesting to know the case over ZN , besides Z2 . 2
large message spaces also provide high e¢ ciency of the public-key encryption schemes for practical uses. It turns out that we can also construct public-key homomorphic encryption schemes based on private-key ones over large message spaces as in the case over Z2 . We will give three constructions in this paper; however, the security of the constructed public-key encryption scheme is unknown, in contrast to the case over Z2 , which is provable as secure as the private-key encryption scheme. We only have some heuristics about the constructed public-key encryption schemes. From the engineering point of view, it is good to …nd some solutions although it is not totally satisfactory; from the theoretical point of view, it is a demerit of these constructions, but at the same time it provides some challenging theoretical problems. This is the point of this paper. The outline of the paper is as follows. Section 2 presents Rothblum’s construction over Z2 and Goldwasser’s exposition on this construction. Section 3 proposes three constructions over ZN and shows the subtlety of these constructions. Section 4 discusses the security of these constructions. Rothblum’s proof idea and Goldwasser’s proof idea are discussed and whether they can be generalized in the case over ZN is considered. Then, Section 5 shows some applications of public-key encryption schemes over large plaintext spaces in private information retrieval (PIR) protocols, zero-knowledge proof systems, and cloud computing applications. Finally, Section 6 concludes the paper. 2. Preliminaries This section …rst reviews what a homomorphic encryption scheme is, presents Rothblum’s construction of a public-key encryption scheme over Z2 based on a private-key one [17], and then presents Goldwasser’s concise exposition on Rothblum’s idea [13]. However, there is some subtlety in the construction, which will be discussed in the next section. De…nition 1. A homomorphic encryption scheme HE over a plaintext space M and a ciphertext space C is a tuple of algorithms (HE:KeyGen; HE:Enc; HE:Dec; HE:Eval), denoted as HE = (HE:KeyGen; HE:Enc; HE:Dec; HE:Eval), which satisfy the following properties.
3
HE:KeyGen is a probabilistic polynomial time algorithm which on input the security parameter 1 , outputs a key pair (ek; dk) where ek and dk are the encryption key and decryption key, respectively, and a homomorphic evaluation key hk, denoted as (ek; dk; hk) HE:KeyGen(1 ). HE:Enc is a probabilistic polynomial time algorithm which on input the encryption key ek and a message m 2 M, outputs a ciphertext c 2 C, denoted as c = HE:Enc(ek; m). HE:Dec is a deterministic polynomial time algorithm which on input the decryption key dk and a ciphertext c, outputs a plaintext m with negligible error probability if c is a valid encryption of m, denoted as m = HE:Dec(dk; c), or a special symbol ? to denote an abortion if c is not a valid ciphertext. HE:Eval is a probabilistic polynomial time algorithm which on input the homomorphic evaluation key hk, a description of a circuit C and a group of ciphertexts c1 = HE:Enc(ek; m1 ); ; cl = HE:Enc(ek; ml ), outputs a ciphertext c such that HE:Dec(dk; c ) = C(m1 ; ; ml ), denoted as c = HE:Eval(C; hk; c1 ; ; cl ). De…nition 2. We say HE is strongly homomorphic if a homomorphicly evaluated ciphertext c is indistinguishable with a normal ciphertext c which is output by the HE:Enc algorithm. We say HE is weakly homomorphic if the length of c only depends on the depth of the circuit to be evaluated. We say HE is somewhat homomorphic if it can evaluate a limited kinds of circuits. We say HE is fully homomorphic if it can evaluate all kinds of circuits. We say HE is a private-key homomorphic encryption scheme if ek = dk, or a public-key homomorphic encryption scheme if ek 6= dk. In the de…nition, it is required that the algorithm is correct, e.g. the decryption is correct and the evaluation is also correct. The homomorphic evaluation key maybe a null string or equal to the public key of the homomorphic encryption scheme if it is a public-key one. If a homomorphic encryption is strongly homomorphic, then the evaluated ciphertext has the same length with a normal ciphertext; if not, then we can easily distinguish the two distributions c and c. However, it is allowed that c and c have di¤erent lengths in a weakly homomorphic encryption scheme. 4
Let PriHE = (PriHE:KeyGen; PriHE:Enc; PriHE:Dec; PriHE:Eval) and PubHE = (PubHE:KeyGen; PubHE:Enc; PubHE:Dec; PubHE:Eval) be a private-key homomorphic encryption scheme and a public-key homomorphic encryption scheme over Z2 , respectively. Rothblum found that PubHE can be constructed from PriHE as follows [17]. Rothblum’s Construction [17]. PubHE:KeyGen - Using PriHE to get a key pair (ek; dk) and a homomorphic evaluation key hk, where ek = dk, and get l ciphertexts of 0, i.e. X = [PriHE:Enc(0); ; PriHE:Enc(0)], and l ciphertexts of 1, i.e. Y = [PriHE:Enc(1); ; PriHE:Enc(1)]. Publish X; Y and hk as the public key and the secret key is dk. PubHE:Enc - To encrypt a plaintext i in f0; 1g, choose a subset S such that jSj = i mod 2, where jSj is the size of S. Let Ti =
Xi i 2 =S Yi i 2 S
then the ciphertext is l X PriHE:Eval( Ti ; hk): i=1
PubHE:Dec - To decrypt a ciphertext c, output PriHE:Dec(dk; c). PubHE:Eval - To evaluate a circuit C on k ciphertexts c1 ; ; ck , output PriHE:Eval(C; hk; c1 ; ; ck ). Rothblum’s construction and proof of security is a little complicated. Goldwasser has a simpler exposition of this construction and the proof is also simpler [13]. Goldwasser’s Construction [13]. PubHE:KeyGen - Using PriHE to get a key pair (ek; dk) and a homomorphic evaluation key hk, where ek = dk, and get l ciphertexts ci = PriHE:Enc(ri ), where ri ’s is chosen independently and uniformly from f0; 1g. Denote R = (r1 ; ; rl ). Publish R;ci ’s and hk as the public key and the secret key is dk.
5
PubHE:Enc - To encrypt a plaintext i in f0; 1g, choose uniformly S = (s1 ; ; sl ) 2 l f0; 1g such that hR;Si = i mod 2. Then homomorphicly evaluate the sum of cj ’s where Sj = 1 and output the ciphertext X PriHE:Eval( cj mod 2; hk; c1 ; ; cl ): Sj =1
PubHE:Dec - To decrypt a ciphertext c, output PriHE:Dec(dk; c). PubHE:Eval - To evaluate a circuit C on k ciphertexts c1 ; ; ck , output PriHE:Eval(C; hk; c1 ; ; ck ). The two constructions share some similarities. However, the underlying ideas are a little di¤erent and there is some subtlety. We will discuss this in Sections 3.3 and 4. 3. Constructions This section presents constructions for public-key homomorphic encryption schemes based on private-key ones over large plaintext space ZN . First, we consider the case when N is a prime and propose three constructions; then we show how these constructions can be generalized to a composite N and the most general case Z; last, we discuss the subtleties of these constructions. 3.1. Constructions for prime N Suppose there is a private-key homomorphic encryption scheme PriHE = (PriHE:KeyGen; PriHE:Enc; PriHE:Dec; PriHE:Eval) over ZN , which is a …nite …eld for prime N . PriHE can evaluate addition over ZN homomorphicly. Note that to minimize the assumption, homomorphic multiplication is not required. Our goal is to construct a public-key encryption scheme PubHE = (PubHE:KeyGen; PubHE:Enc; PubHE:Dec; PubHE:Eval) over ZN . The basic idea is to publish some ciphertexts for messages in ZN ; then to encrypt a new message, we …nd an algebraic expression on these published messages such that the result of the algebraic expression equals the message to be encrypted. The ciphertext can be obtained by homomorphicly evaluating the algebraic expression. In the following, we propose three di¤erent constructions depending on what the chosen public messages are. Construction 1.
6
PubHE:KeyGen - Using PriHE to get a key pair (ek; dk) and a homomorphic evaluation key hk, where ek = dk, and get l ciphertexts of 0, i.e. X = [PriHE:Enc(0); ; PriHE:Enc(0)], and l ciphertexts of 1, i.e. Y = [PriHE:Enc(1); ; PriHE:Enc(1)]. Publish X; Y and hk as the public key and the secret key is dk. PubHE:Enc - To encrypt a plaintext m in ZN , choose l elements Z = [Z1 ; ; Zl ] 2 l ZN such that l X m= 1 Zi (1) i=1
in ZN . Now to encrypt m, evaluate Eq. (1) homomorphicly. The di¢ culty is that we know the ciphertext for 1 which is contained in the public key, but we don’t know the ciphertext for Zi ’s and the private-key homomorphic encryption scheme is not assumed to have the ability to evaluate multiplication homomorphicly. The trick is that we can also evaluate the function PZi 1 Zi = t=1 1 homormorphicly to get a ciphertext for 1 Zi . Let ( Xi Zi = 0 PZi Ti = Zi 6= 0 PriHE:Eval t=1 Yi
then the ciphertext is
l X PriHE:Eval( Ti ; hk): i=1
PubHE:Dec - To decrypt a ciphertext c, output PriHE:Dec(dk; c). PubHE:Eval - To evaluate a circuit C on k ciphertexts c1 ; ; ck , output PriHE:Eval(C; hk; c1 ; ; ck ). P Remark 3. We can always …nd a solution for m = li=1 1 Zi . This is just a system of l-variable linear equations with rank 1. Thus, there are total N l 1 solutions. This provides some randomness for the encryption algorithm. Remark 4. The private-key homomorphic encryption algorithm is only assumed to be able to evaluate addition. Thus, we need to evaluate 1 Zi homomorphicly. Remark 5. The encryption algorithm needs to run in probabilistic polynomial time. A …rst observation of the encryption algorithm …nds that it may 7
take exponential time if N is large, say N = 2n 1. Then, a naive calculaPZi tion of PriHE:Eval t=1 Yi will take exponential time. This can be solved in the same way to compute g a in a group using the double squaring algorithm. PZi Thus, PriHE:Eval t=1 Yi can be done in poly(log N ) time. The …rst construction requires the evaluation of scalar multiplications which costs some computational time. Now we present another construction which can defend this demerit. Suppose N has lN + 1 bits. Notice that any P i integer in ZN can be expressed as i2S 2 for some subset S f0; 1; ; lN g. Construction 2.
PubHE:KeyGen - Using PriHE to get a key pair (ek; dk) and a homomorphic evaluation key hk, where ek = dk, and get l ciphertexts of 0; 1; 2; 22 ; 2lN and 0, respectively, i.e. X (0) = [PriHE:Enc(0); ; PriHE:Enc(0)], X (1) = l N [PriHE:Enc(1); ; PriHE:Enc(1)], , X (2 ) = PriHE:Enc(2lN ); ; PriHE:Enc(2lN ) l and Y = [PriHE:Enc(0); ; PriHE:Enc(0)]. Publish X (0) X (1) X (2 N ) Y and hk as the public key and the secret key is dk. PubHE:Enc - To encrypt a plaintext m in ZN , express m as m=
lN X
ti
2i
(2)
i=0
in ZN . Now to encrypt m, try to evaluate Eq. (2) homomorphicly. Let ( (0) Xj ti = 0 for some random j 2 [l] Ti = (2i ) Xj ti 6= 0 for some random j 2 [l] then the ciphertext is lN X X PriHE:Eval( Ti + Yi ; hk) i=0
i2S
where S is a random subset of [l]. PubHE:Dec - To decrypt a ciphertext c, output PriHE:Dec(dk; c). PubHE:Eval - To evaluate a circuit C on k ciphertexts c1 ; ; ck , output PriHE:Eval(C; hk; c1 ; ; ck ). 8
Now we present the last construction. Construction 1 and 2 can be seen as special forms of this construction. Construction 3. PubHE:KeyGen - Using PriHE to get a key pair (ek; dk) and a homomorphic evaluation key hk, where ek = dk, and get l ciphertexts of 0, i.e. X = [PriHE:Enc(0); ; PriHE:Enc(0)], and another l ciphertexts ci = PriHE:Enc(Ri ), where Ri ’s is chosen independently and uniformly from ZN . Denote R = (R1 ; ; Rl ). Publish X; R;ci ’s and hk as the public key and the secret key is dk. PubHE:Enc - To encrypt a plaintext m in ZN , choose l elements Z = [Z1 ; ; Zl ] 2 ZlN such that l X m= Ri Zi = hR; Zi mod N (3) i=1
in ZN . Now to encrypt m, try to evaluate Eq. (3) homomorphicly. Let ( Xi Zi = 0 PZi Ti = PriHE:Eval Zi 6= 0 t=1 ci
then the ciphertext is
l X PriHE:Eval( Ti ; hk): i=1
PubHE:Dec - To decrypt a ciphertext c, output PriHE:Dec(dk; c). PubHE:Eval - To evaluate a circuit C on k ciphertexts c1 ; ; ck , output PriHE:Eval(C; hk; c1 ; ; ck ). 3.2. General Message Space The three constructions in the previous section can be easily generalized to the case when N is a composite and the case for Z. When the message space is a ring ZN , constructions 1 and 2 still work well. For construction 3, we need to make sure that there is at least one ri such that ri is coprime with N . Although it is not possible for the message space to be Z in the computer era, constructions 1 and 3 still work. However, construction 2 may fail in this case. For construction 3, we need to caution that the ri ’s are coprime such that Eq. (3) always has a lot of solutions. 9
3.3. Comments on the three constructions Here we show some principles and subtleties of the three constructions: The basic idea of all constructions is to …nd an algebraic expression such that there is a relation between the public keys and the message to be encrypted. In all constructions, there are some randomness added to the output ciphertext. The e¢ ciency is di¤erent for these constructions. Construction 2 is the most e¢ cient one. Construction 1 and 3 share the same e¢ ciency. Construction 2 is a little arti…cial since some encryptions of 0 are added to ensure the randomness. For security, we failed to have a formal proof for any of them. This issue is also subtle as shown in Section 4. We tried to generalize Rothblum’s approach and Goldwasser’s approach here, but it didn’t work. This is due to the di¤erence between Z2 and ZN , which also shows that the constructions over Z2 are quite special. 4. Security We failed to achieve a formal proof of our constructions. This section presents the experience in our trials and some heuristics about the security. First, we brie‡y introduce Rothblum’s and Goldwasser’s idea; then we points out the reason why the two approaches failed here; last, we discuss the security issue heuristically. Rothblum’s idea [17]. The key observation is that if we replace all the public keys with encryption of 0’s, then any adversary (even with in…nite computation power) cannot distinguish two ciphertexts. If the public-key homomorphic encryption scheme is not IND-CPA secure, i.e. there is an adversary A which has a non-negligible advantage on the cryptosystem, then there is another adversary B based on A that can break the private-key homomorphic encryption scheme. The two distinguishable messages are the 02l string and the 0l 1l string. To show the information-theoretical security of the case when the public keys are all encryption of 0’s, the probabilistic method [1] is used. There are four steps: 10
i h (X;Y ;S) 1. Express the advantage of the adversary as Pr[Sucess] 12 + 12 EX;Y;S I(X;Y , ;S) where I0 (X; Y ; S) and I1 (X; Y ; S) is the possible choices of the subset S for an encryption of 0 and 1, respectively, (X; Y ; S) = jI0 (X; Y ; S) I1 (X; Y ; S)j and I(X; Y ; S) = I0 (X; Y ; S)+I1 (X; Y ; S). Note that to encrypt a message, we choose a subset sum of the X; Y . The adversary only knows the ciphertext but not the subset S. Given the ciphertext, there are a lot of such subsets which result in the same ciphertext but correspond to di¤erent plaintexts. h i 2. Bound EX;Y;S
(X;Y ;S) I(X;Y ;S)
. To achieve this, …rst bound I(X; Y ; S). The
result is Pr[I(X; Y ; S) > 20:8l ] > 1 negl. 3. Then bound (X; Y ; S). This is achieved using a union bound. The key is to bound (X; Y ; ), where is a ciphertext; note that di¤erent subsets may result in the same . 4. The last, also the most important, is to bound (X; Y ; ) = jI0 (X; Y ; ) The result is Pr[I(X; Y ; ) < 20:6l ] > 1 negl. This is achieved using the Chebyshev inequality in the probability theory. Goldwasser’s idea [13]. Goldwasser also observed that if the public key is replaced with all encryption of 0’s, then any adversary cannot succeed with a non-negligible probability. The basic idea is to express the advantage as Pr[Sucess0 ] = PrR;S [A(R; c ) = hR; Si] 21 , where c is the challenge ciphertext. Note that hR; Si is a pair-wise independent hash function. Thus, the joint distribution [R; hR; Si] is statistically close to [R; b], where b is a random bit. Then in Pr[Sucess0 ], substituting [R; hR; Si] with [R; b] will get the result. Failed attempts. We tried both approaches in the large message space case, but failed. For Rothblum’s approach, step 1 to step 3 can be easily achieved; but not for step 4. The reason is that in the Z2 case, the subset is just a 0; 1 indicator; however, in the ZN case, additional evaluations for the scalar multiplication are added, which makes the case out of control. For Goldwasser’s approach, the Z2 case is quite special since the adversary can only choose the challenge message from f0; 1g. However, there are much more choices for the challenge message in the ZN case. The di¢ culty is that something like PrR;S [A(R; c ) = hR; Si] cannot be derived. Heuristics and open problems. There are some heuristics for the proposed constructions in this paper. In all constructions, a lot of randomness are added in the ciphertext. In construction 1, there are many random so11
I1 (X; Y ; )j.
lutions for Eq. (1); in construction 2, there are a lot of randomness in the choice of the public keys and in the choice of the encryptions of 0’s; in construction 3, there are also many random solutions for Eq. (3). Randomness is necessary for IND-CPA security but not su¢ cient. We don’t know the security of these constructions now. Therefore, we have the open question: Are these constructions secure? If yes, we need to prove it; if not, we need to disprove it. 5. Applications One important motivation for homomorphic encryption is that it has a lot of useful applications. This section presents some typical applications with a focus on a large message space, which is the normal case in practice. PIR. In a private information retrieval application, Alice wants to get the i-th entry of an n-message database DB, which is controlled by Bob. At the same time, Alice doesn’t want Bob to know that she is interested in the i-th entry. Traditional solution requires an nO(1) communication complexity. It is easy to …nd that the lower bound of the communication complexity is log n since we need at least log n bits to index a data entry. With homomorphic encryption, a poly(log n) communication complexity can be achieved, which is a great improvement. This is pointed out by Gentry [9] and constructed by Brakerski based on the learning with errors problem [6]. The basic idea is to homomorphicly evaluate the function f (i) = DB [i]. ZKP. With homomorphic encryption, it is also easy to construct zeroknowledge proof systems as pointed out by Barak [2]. Suppose Alice has a secret s (e.g. a string) such that f (s) = 1, which she wants to prove to Bob. The basic idea is that she can send an encryption of s to Bob; Bob then evaluates f (s) homomorphicly and sends the result back to Alice for decryption; Alice decrypts it and tells Bob whether the result is 1. Note that Alice may cheat and always returns a 1. This can be remedied if Bob randomly sends back an encryption of f (s) or an encryption of 0. Besides the above applications, homomorphic encryption provides a useful tool for data and computation outsourcing in cloud computing. However, the problem is new and not well formulated. But the point is that the homomorphic property of an encryption scheme can simplify many security protocol designs.
12
6. Conclusion We have shown that for large message spaces public-key homomorphic encryption schemes can also be constructed based on private-key ones which may only be able to evaluate addition homomorphicly. Three candidate constructions are proposed in this paper. This is the good point. However, the bad point is that we don’t understand their security exactly. Thus, it is an interesting future work to investigate the security of the three constructions. Acknowledgment This research was supported in part by: the National Natural Science Foundation of China (Nos. 61103211, 61170249, 60973114); the Fundamental Research Funds for the Central Universities (No. CDJZR10180020) and the Post-doctoral Science Foundation of China (Nos. 201104319, 20100470817). References [1] N. Alon, J. Spencer, The probabilistic method, vol. 57, WileyInterscience, 2000. 10 [2] B. Barak, Z. Brakerski, The swiss army knife of cryptography, Group Blog, http://windowsontheory.org/2012/05/01/ the-swiss-army-knife-of-cryptography/ (2012). 12 [3] M. Bellare, P. Rogaway, Optimal asymmetric encryption, in: Advances in Cryptology–EUROCRYPT’94, Springer, 1995. 2 [4] A. Bogdanov, C. Lee, Homomorphic encryption from codes, Arxiv preprint arXiv:1111.4301. 2 [5] Z. Brakerski, C. Gentry, V. Vaikuntanathan, Fully homomorphic encryption without bootstrapping, Innovations in Theoretical Computer Science. 2
13
[6] Z. Brakerski, V. Vaikuntanathan, E¢ cient fully homomorphic encryption from (standard) LWE, in: IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), IEEE, 2011. 2, 12 [7] Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-lwe and security for key dependent messages, Advances in Cryptology–CRYPTO 2011 (2011) 505–524. 2 [8] J. Coron, A. Mandal, D. Naccache, M. Tibouchi, Fully homomorphic encryption over the integers with shorter public keys, Advances in Cryptology–CRYPTO 2011 (2011) 487–504. 2 [9] C. Gentry, Fully homomorphic encryption using ideal lattices, in: Proceedings of the 41st annual ACM symposium on Theory of computing (STOC), ACM, 2009. 12 [10] C. Gentry, Computing arbitrary functions of encrypted data, Communications of the ACM 53 (3) (2010) 97–105. 2 [11] C. Gentry, S. Halevi, Fully homomorphic encryption without squashing using depth-3 arithmetic circuits, in: IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), IEEE, 2011. 2 [12] O. Goldreich, Foundation of cryptography (in two volumes: Basic tools and basic applications) (2001). 2 [13] S. Goldwasser, B. Barak, L. Reyzin, Y. Kalai, S. Vadhan, New developments in cryptography, Lectures of MIT’s 6.889 and BU’s CAS CS 937, Spring 2011, http://www.cs.bu.edu/~reyzin/teaching/s11cs937/ (2011). 3, 5, 11 [14] S. Goldwasser, S. Micali, Probabilistic encryption, Journal of computer and system sciences 28 (2) (1984) 270–299. 2 [15] R. Rivest, L. Adleman, M. Dertouzos, On data banks and privacy homomorphisms, Foundations of secure computation 32 (4) (1978) 169–178. 2 [16] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (1978) 126. 2 14
[17] R. Rothblum, Homomorphic encryption: from private-key to public-key, Theory of Cryptography (2011) 219–234. 2, 3, 5, 10 [18] M. Van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, Advances in Cryptology– EUROCRYPT 2010 (2010) 24–43. 2
15
