SECURITY OF HOMOMORPHIC ENCRYPTION
- Melissa Chase
- Hao Chen
- Jintai Ding
- Shafi Goldwasser
- Sergey Gorbunov
- Jeffrey Hoffstein
- Kristin Lauter
- Satya Lokam
- Dustin Moody
- Travis Morrison
- Amit Sahai
- Vinod Vaikuntanathan

We met as a group during the Homomorphic Encryption Standardization Workshop on
July 13-14, 2017, hosted at Microsoft Research in Redmond. Researchers from around the world
represented a number of different communities: government, industry, and academia. At least
6 research groups around the world have made libraries for general-purpose homomorphic
encryption available ([SEAL], [HElib], [Palisade], [cuHE], [NFLLib], [HEAAN]) for use in
applications, and demos were shown of all 6 libraries. All 6 of these general-purpose
libraries were based on Ring Learning With Errors (RLWE) systems, all implemented one of two
encryption schemes (BGV or B/FV), and all displayed common choices for the underlying ring,
error distribution, and parameter selection.

Homomorphic Encryption is a breakthrough new technology which can enable private cloud
storage and computation solutions. Demos shown at the workshop included a SEAL demo of
CryptoNets, which performs efficient computation of image processing tasks such as
handwriting recognition on encrypted data using neural nets. Many other applications are described
in detail in the white paper by the Applications group. In order for Homomorphic Encryption to
be adopted in medical, health, and financial sectors to protect data and patient and consumer
privacy, it will have to be standardized, most likely by multiple standardization bodies and
government agencies. An important part of standardization is broad agreement on security
levels for varying parameter sets. Although extensive research and benchmarking have been
done in the research community to establish the foundations for this effort, it is hard to find all
the information in one place, along with concrete parameter recommendations for applications
and deployment.

This document is an attempt to capture the collective knowledge at the workshop regarding the
currently known state of security of these schemes, to specify the schemes, and to recommend
a wide selection of parameters to be used for homomorphic encryption at various security
levels. We describe known attacks and their estimated running times in order to make these
parameter recommendations. We also describe additional features of these encryption schemes
which make them useful in different applications and scenarios. Many sections of this document
are intended for direct use as a first draft of parts of the standard to be prepared by the Working
Group formed at this workshop.