2

In Evaluating 2-DNF Formulas on Ciphertexts stated that

decryption in this system takes polynomial time in the size of the message space T. Therefore, the system as described above can only be used to encrypt short messages

Is there any other extension with the same properties of (any number of addition and one multiplication operation on the ciphertext) but also allows bigger message space?

In my search, I encounter only in Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups, but it does not solve that limitation.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
user1387682
  • 455
  • 2
  • 9

1 Answers1

1

There is a scheme whose purpose is exactly that, the LWE-based BGN-like encryption scheme. In general, we do not know how to achieve large message space for homomorphic encryption using discrete-log-style crypto; all known current solutions require lattice-based cryptography.

EDIT: reading the comments on your question, it seems you want to leak only whether the output is zero or not, by masking with a large random $r$ multiplicatively. But the standard BGN cryptosystem already allows that: the parties can always decrypt $g_t^{\mathsf{DFN(x)}}$ with BGN ($g_t$ is a generator of the target group), only the discrete logarithm at the end requires the message space to be small. However, seeing $g_t^{r\cdot\mathsf{DFN(x)}}$ for a large random $r$ already allows to see efficiently whether $\mathsf{DFN(x)} = 0$ or not: if it is equal to zero, then $g_t^{r\cdot\mathsf{DFN(x)}} = 1$; otherwise, $g_t^{r\cdot\mathsf{DFN(x)}}$ is just a random group element since $r$ is random.

Geoffroy Couteau
  • 19,919
  • 2
  • 46
  • 68