Homomorphic encryption from codes
We propose a new homomorphic encryption scheme based on the hardness of decoding under independent random noise from certain affine families of codes. Unlike in previous lattice-based homomorphic encryption schemes, where the message is hidden in the noisy part of the ciphertext, our scheme carries the message in the affine part of the transformation and applies noise only to achieve security. Our scheme can tolerate noise of arbitrary magnitude, as long as the noise vector has sufficiently small Hamming weight (and its entries are independent). Our design achieves “proto-homomorphic” properties in an elementary manner: message addition and multiplication are emulated by pointwise addition and multiplication of the ciphertext vectors. Moreover, the extremely simple nature of our decryption makes the scheme easily amenable to bootstrapping. However, some complications are caused by the inherent presence of noticeable encryption error. Our main technical contribution is the development of two new techniques for handling this error in the homomorphic evaluation process. We also provide a definitional framework for homomorphic encryption that may be useful elsewhere.
💡 Research Summary
The paper introduces a novel homomorphic encryption (HE) scheme that departs from the traditional lattice‑based approach by basing security on the hardness of decoding random independent noise in certain affine families of codes. In contrast to lattice schemes where the message is hidden inside the noise, this construction embeds the plaintext directly into the affine part of the transformation, while the added noise serves solely to obscure the secret key and to provide security.
The underlying public‑key encryption (PKE) scheme, denoted K, works over a finite field F_q. A secret key consists of a hidden index set S ⊂ {1,…,n} of size s and a matrix M whose rows are constructed from distinct field elements a_i in a Vandermonde‑like fashion. The public key is P = M·R where R is a random invertible r×r matrix. Encryption of a message m ∈ F_q chooses a random vector x ∈ F_q^r and an independent sparse noise vector e ∈ F_q^n (each coordinate drawn from a distribution η̃ with small Hamming weight). The ciphertext is c = P·x + m·1 + e, where 1 is the all‑ones vector.
Decryption uses only the rows indexed by S. By solving a small linear system (1) involving those rows, the decryptor obtains a vector y supported on S that satisfies yᵀ·M = 0 and yᵀ·1 = 1. The plaintext is then recovered as yᵀ·c = m, provided that the noise does not affect any coordinate in S. Since the probability that a noise entry lands in S is at most η·s, the decryption error is negligible when η·s is sufficiently small.
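A toy instance of the encryption and decryption described above, added here as an illustration and not taken from the paper. It also exercises pointwise addition and multiplication of ciphertexts. The field size, the dimensions, the exact row layout of M (rows in S truncated to degree t with 2t+1 ≤ s), the unit upper-triangular R and the closed-form Lagrange solution for y are all assumptions chosen so the sketch runs; the parameters give no security.

```python
import random

Q = 257                              # toy prime field F_q (constructed, insecure)
N, R_DIM, S_SIZE, T = 24, 8, 7, 3    # n, r, s and degree bound t with 2t+1 <= s

def keygen(rng):
    a = rng.sample(range(1, Q), N)               # distinct nonzero a_i
    S = sorted(rng.sample(range(N), S_SIZE))     # hidden index set
    # Assumed layout: rows in S hold a^1..a^t then zeros, other rows a^1..a^r.
    M = [[pow(a[i], k, Q) if (i not in S or k <= T) else 0
          for k in range(1, R_DIM + 1)] for i in range(N)]
    # A random unit upper-triangular R is invertible by construction.
    Rm = [[1 if i == j else (rng.randrange(Q) if j > i else 0)
           for j in range(R_DIM)] for i in range(R_DIM)]
    P = [[sum(M[i][k] * Rm[k][j] for k in range(R_DIM)) % Q
          for j in range(R_DIM)] for i in range(N)]
    # y with y^T M_S = 0 and y^T 1 = 1: Lagrange coefficients for evaluation at 0.
    y = {}
    for i in S:
        num = den = 1
        for j in S:
            if j != i:
                num = num * a[j] % Q
                den = den * (a[j] - a[i]) % Q
        y[i] = num * pow(den, -1, Q) % Q
    return P, (S, y)

def noise_positions(rng, eta):
    return [i for i in range(N) if rng.random() < eta]   # independent per coordinate

def encrypt(P, m, rng, noisy=()):
    x = [rng.randrange(Q) for _ in range(R_DIM)]
    c = [(sum(P[i][j] * x[j] for j in range(R_DIM)) + m) % Q for i in range(N)]
    for i in noisy:                  # sparse noise, arbitrary nonzero magnitude
        c[i] = (c[i] + rng.randrange(1, Q)) % Q
    return c

def decrypt(sk, c):
    S, y = sk
    return sum(y[i] * c[i] for i in S) % Q       # only coordinates in S are read

def add(c1, c2): return [(u + v) % Q for u, v in zip(c1, c2)]
def mul(c1, c2): return [(u * v) % Q for u, v in zip(c1, c2)]
```

In this toy a single noise entry landing in S always changes the decrypted value, because every y_i is nonzero; noise outside S is ignored regardless of its size.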
The scheme exhibits “proto‑homomorphic” properties: pointwise addition of ciphertexts corresponds to addition of plaintexts, and pointwise multiplication corresponds to multiplication of plaintexts. However, multiplication amplifies the noise and introduces a “setup error” – a probability that the resulting ciphertext no longer decrypts correctly. To handle this, the authors develop two new techniques:
- Reencryption – a deterministic transformation that takes a ciphertext under one public key and re‑encrypts it under a fresh public key, effectively “refreshing” the noise. This leverages the special algebraic structure of M_S (the submatrix of M indexed by S), whose redundancy allows the reencryption to be performed by simple linear algebra without invoking heavy error‑correcting codes.
- Layered bootstrapping – by arranging computations in layers and applying reencryption after each multiplication layer, the scheme can keep the noise growth under control indefinitely. The depth‑d circuit class C_{cs,d} can thus be evaluated homomorphically with only a polynomial overhead in the security parameter k.
Security analysis considers several natural attacks: (i) brute‑force or statistical recovery of the hidden set S, (ii) rank‑based attacks that try to detect rows belonging to S by examining submatrices of the public key, and (iii) attempts to recover the random vector x from encryptions of zero. By setting parameters as functions of a security parameter n and a constant α>0 (e.g., s = n^{α/4}, r = n^{1−α/8}, η = n^{−(1−α/4)}), the authors argue that all these attacks succeed only with exponentially small probability. They formalize this in Conjecture 2.1, which claims (s,ε)‑message indistinguishability for K under those settings.
Building on K, the paper constructs a full homomorphic encryption scheme called HOM. Assuming K is (s(n),ε(n))‑message indistinguishable, HOM achieves:
- Key length O(d·k·n),
- Ciphertext length O(k·n),
- Encryption error 2^{−Ω(k)},
- Setup error d·2^{−Ω(k)}.
Thus HOM provides a fully homomorphic encryption system with simple decryption, efficient reencryption, and provable security based on decoding random errors in affine codes. The work opens a new direction for HE research, showing that code‑based cryptography can yield practical homomorphic schemes without the heavy lattice machinery traditionally required.