Download - FHEW: Homomorphic Encryption Bootstrapping
![Page 1: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/1.jpg)
FHEW: Homomorphic Encryption Bootstrappingin less than a Second1
Leo Ducas2 Daniele Micciancio
UC San Diego
Charles River Crypto Day, April 2015
1To appear in Eurocrypt 20152Now at CWI
1 / 29
![Page 2: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/2.jpg)
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
2 / 29
![Page 3: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/3.jpg)
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
3 / 29
![Page 4: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/4.jpg)
The evolution of FHE
Fully Homomorphic Encryption has seen drastic changes sinceGentry’s first proposal:
I [Rivest,Adleman,Dertouzos’78]: Open problem
I [Gentry’09]: ideal lattices, sparse subset-sum, squashing, etc.
I [Gentry,Halevi’11],[Brakerski,Vaikuntanathan’11]: no squash
I [Brakerski,Vaikuntanathan’11]: Subexponential LWE
I [Brakerski’12],[Alperin-Sheriff,Peiert’14]: (Polynomial) LWE
I Many more works improving efficiency, etc.
Still, all schemes have a common ingredient:
Key technique
Gentry’s FHE bootstrapping
4 / 29
![Page 5: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/5.jpg)
The evolution of FHE
Fully Homomorphic Encryption has seen drastic changes sinceGentry’s first proposal:
I [Rivest,Adleman,Dertouzos’78]: Open problem
I [Gentry’09]: ideal lattices, sparse subset-sum, squashing, etc.
I [Gentry,Halevi’11],[Brakerski,Vaikuntanathan’11]: no squash
I [Brakerski,Vaikuntanathan’11]: Subexponential LWE
I [Brakerski’12],[Alperin-Sheriff,Peiert’14]: (Polynomial) LWE
I Many more works improving efficiency, etc.
Still, all schemes have a common ingredient:
Key technique
Gentry’s FHE bootstrapping
4 / 29
![Page 6: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/6.jpg)
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
![Page 7: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/7.jpg)
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
![Page 8: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/8.jpg)
FHE Bootstrapping
All known FHE schemes are based on noisy encryption schemes:
I Decryption is possible only when noise is sufficiently small.
I Noise grows when computing on ciphertexts.
I After a while, no more operations can be performed.
FHE Bootstrapping:
I Method to “reset” the noise level of a ciphertext
I Idea: homomorphically compute ciphertext decryptionfunction on encrypted key
kDec(·)(Enck(m))
m
Enc(k)Dec(·)(Enck(m))
Enc(m)
5 / 29
![Page 9: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/9.jpg)
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
![Page 10: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/10.jpg)
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
![Page 11: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/11.jpg)
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
![Page 12: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/12.jpg)
FHE Bootstrapping (cont.)
kDec(·)(c = Enck(m))
m
Enc(k)Dec(·)(c = Enck(m))
c ′ = Enc(m)
The quality/noise of the output c ′ depends on
I the quality/noise of Enc(k), which is a fresh ciphertxt, and
I the complexity of Dec(·)(c),
I but not the quality/noise of c , as long as it decrypts
Lattice Cryptography
I Basic homomorphic properties
I Low-complexity decryption Dec(·)(c)
Still, even if Dec(·)(c) is efficient, bootstrapping is very costlybecause Dec(·)(c) needs to be computed homomorphically on anencrypted Enc(k).
6 / 29
![Page 13: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/13.jpg)
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
![Page 14: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/14.jpg)
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
![Page 15: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/15.jpg)
The Problem
FHE Bootstrapping/Refreshing is an expensive process:
I [Halevi, Shoup’14,’15] HElib: 6-30 mins
Mitigating the cost of bootstrapping (previous approaches):
I SIMD-FHE: Perform many refresh operations in parallel
I Noise control: allow more computation before refreshing
I HElib: Cost can be amortized over ≈ 1000 binary ciphertext.
Question
How fast can we refresh a single ciphertext?
7 / 29
![Page 16: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/16.jpg)
Contributions
Question
How fast can we refresh for a single ciphertext ?
We give a proof of concept solution in 0.6 seconds:amortized cost comparable to [HElib], but without the delay...Two new techniques:
I a new, cheap NAND gate
I a simpler refreshing procedure using ring structure
8 / 29
![Page 17: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/17.jpg)
Contributions
Question
How fast can we refresh for a single ciphertext ?
We give a proof of concept solution in 0.6 seconds:amortized cost comparable to [HElib], but without the delay...Two new techniques:
I a new, cheap NAND gate
I a simpler refreshing procedure using ring structure
8 / 29
![Page 18: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/18.jpg)
The new NAND gate
Base: Start from LWE encryption with message space: Zt , t > 2.
Idea: Different message space for input (t = 4) and output(t = 2).
Advantages:
I Cost of computing Homomorphic NAND is negligible (similarto a single private key cryptographic operation.)
I Excellent noise growth: ε grows only by a small constantfactor.
I Substantially simplifies the task faced by the Refreshingprocedure.
9 / 29
![Page 19: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/19.jpg)
The new NAND gate
Base: Start from LWE encryption with message space: Zt , t > 2.
Idea: Different message space for input (t = 4) and output(t = 2).
Advantages:
I Cost of computing Homomorphic NAND is negligible (similarto a single private key cryptographic operation.)
I Excellent noise growth: ε grows only by a small constantfactor.
I Substantially simplifies the task faced by the Refreshingprocedure.
9 / 29
![Page 20: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/20.jpg)
A simpler refreshing procedure
Base: General approach of [Alperin-Sheriff,Peikert’14] + Ringvariant of [Gentry,Sahai,Waters’13] Homomorphic encryption.
Idea: Implement arithmetic modq in the exponent
Improvement over [AP14]:
I Theoretical speed-up of Ω(log3 q)
I Smaller final error.
Combined with the problem simpification brought by our cheapNAND computation, this results in bootstrapping cost ≈ 0.6second, at estimated ≈100-bit security level.
10 / 29
![Page 21: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/21.jpg)
A simpler refreshing procedure
Base: General approach of [Alperin-Sheriff,Peikert’14] + Ringvariant of [Gentry,Sahai,Waters’13] Homomorphic encryption.
Idea: Implement arithmetic modq in the exponent
Improvement over [AP14]:
I Theoretical speed-up of Ω(log3 q)
I Smaller final error.
Combined with the problem simpification brought by our cheapNAND computation, this results in bootstrapping cost ≈ 0.6second, at estimated ≈100-bit security level.
10 / 29
![Page 22: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/22.jpg)
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
11 / 29
![Page 23: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/23.jpg)
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
![Page 24: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/24.jpg)
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
![Page 25: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/25.jpg)
LWE and Symmetric Encryption
Definition (Learning with Errors)
I For a random secret s ∈ Znq
I Given many sample (a, b = 〈a , s〉+ e) where e ← χ, small
I Distinguish the samples from uniformly random
LWE is as hard as worst-case lattice problems
Encs(m ∈ Z2) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
Sets of encryptions of m with error e < E noted LWEs(m,E ).Correct decryption ensured if (a, b) ∈ LWEs( · , q/4)
12 / 29
![Page 26: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/26.jpg)
Homomorphic Operation on LWE ciphertext
Addition/XOR operation as the sum of ciphertexts:
LWEs(m1, e1)× LWEs(m2, e2)→ LWEs(m1 ⊕m2, e1 + e2)
(Traditional) (N)AND operation as the tensor of ciphertexts:
LWEs1(m1, e1)× LWEs2(m2, e2)→ LWEs1⊗s2(m1 ∧m2, e1 · e2)
⇒ FHE boostrapping requires strong Refreshing :
LWEs(m, e)→ LWEs(m, e′), e ′ e.
Techniques: Key Switching, Mod Switching, and HomomorphicDecryption.
13 / 29
![Page 27: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/27.jpg)
Homomorphic Operation on LWE ciphertext
Addition/XOR operation as the sum of ciphertexts:
LWEs(m1, e1)× LWEs(m2, e2)→ LWEs(m1 ⊕m2, e1 + e2)
(Traditional) (N)AND operation as the tensor of ciphertexts:
LWEs1(m1, e1)× LWEs2(m2, e2)→ LWEs1⊗s2(m1 ∧m2, e1 · e2)
⇒ FHE boostrapping requires strong Refreshing :
LWEs(m, e)→ LWEs(m, e′), e ′ e.
Techniques: Key Switching, Mod Switching, and HomomorphicDecryption.
13 / 29
![Page 28: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/28.jpg)
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e
m · q4 + e m · q4 + e
1
0
12
30
12
30
binary messages
Messages in Z4 Smaller error
LWE2s (m, q/4)
LWE4s (m, q/8) LWE4
s (m, q/16)
14 / 29
![Page 29: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/29.jpg)
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e m · q4 + e
m · q4 + e
1
01
230
12
30
binary messages Messages in Z4
Smaller error
LWE2s (m, q/4) LWE4
s (m, q/8)
LWE4s (m, q/16)
14 / 29
![Page 30: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/30.jpg)
LWE encryption with different message spaces
Idea: use an LWE sample as a mask
Encs(m) = (a, b = 〈a , s〉+ e + m · q/2)
Decs(a, b) = b2(b − 〈a , s〉)/qe
m · q2 + e m · q4 + e m · q4 + e
1
01
230
12
30
binary messages Messages in Z4 Smaller errorLWE2
s (m, q/4) LWE4s (m, q/8) LWE4
s (m, q/16)
14 / 29
![Page 31: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/31.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 32: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/32.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
= 12
30
0
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 33: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/33.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
= 12
30
0
11
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 34: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/34.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
30
0
1
1
0
q80
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 35: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/35.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
1
1
0
q8
0
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 36: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/36.jpg)
A Cheap NAND gate
Idea, use: m1 ∧m2 ⇔ m1 + m2 = 2 mod 4.Consider binary messages 0, 1 encrypted with t = 4:
12
30
+ 12
30
=
12
300
11
0
q8
0
1
5q8
Consider it as a ciphertext for t = 2 and rotate.
HomNAND:
LWE4s (m1,
q16)×LWE4
s (m2,q16) → LWE2
s (m1 ∧ m2,q4 )
(a1, b1) , (a2, b2) 7→ (a1 + a2, b1 + b2 + 5q8 )
15 / 29
![Page 37: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/37.jpg)
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)
To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
![Page 38: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/38.jpg)
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
![Page 39: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/39.jpg)
Lightweight Refreshing
We have HomNAND:
LWE4s
(m1,
q
16
)× LWE4
s
(m2,
q
16
)→ LWE2
s
(m1 ∧ m2,
q
4
)To build an FHE we require a relaxed function LightRefresh:
LightRefresh : LWE2s (m, q/4)→ LWE4
s (m, q/16)
whereas previous works required:
Refresh : LWE2s (m, q/4)→ LWE2
s (m,E ) ,E q.
As usual, we will use Key Switching, Mod Switching, andHomomorphic Decryption.
16 / 29
![Page 40: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/40.jpg)
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
17 / 29
![Page 41: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/41.jpg)
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Decs(a, b):
acc ← b
for i = 1 to n:
acc ← acc − ai · si mod q
Return msb(acc)
18 / 29
![Page 42: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/42.jpg)
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Homomorphic decryption given E ′(s) = [E (a · si) | i , a]:
E (acc)← b
for i = 1 to n:
E (acc)← E (acc)− E (ai · si ) mod q
Return LWE(msb(acc))
ACC = E (acc) holds an encrypted integer acc ∈ Zq
The accumulator ACC should support the following operations:
I Initialization: ACC ← bI Addition ACC ← ACC + c of a fresh ciphertext c = E (a · si )I Extract encrypted MSB: ACC → LWE (msb(acc))
18 / 29
![Page 43: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/43.jpg)
Decryption using an Accumulator
Decs(a, b) = msb (b − 〈a , s〉 mod q) = msb
(b −
∑i
ai · si mod q
)
Homomorphic decryption given E ′(s) = [E (a · si) | i , a]:
E (acc)← b
for i = 1 to n:
E (acc)← E (acc)− E (ai · si ) mod q
Return LWE(msb(acc))
ACC = E (acc) holds an encrypted integer acc ∈ Zq
The accumulator ACC should support the following operations:
I Initialization: ACC ← bI Addition ACC ← ACC + c of a fresh ciphertext c = E (a · si )I Extract encrypted MSB: ACC → LWE (msb(acc))
18 / 29
![Page 44: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/44.jpg)
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1
I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
![Page 45: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/45.jpg)
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
![Page 46: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/46.jpg)
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
![Page 47: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/47.jpg)
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
![Page 48: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/48.jpg)
Implementing the Accumulator
The framework of [AP14] based on [GSW13] (E ,+, ·):
I ACC = [E (aq−1), . . . ,E (a1),E (a0)] with ai = δi=acc ∈ 0, 1I Increment ACC ← ACC + Enc(b), b ∈ 0, 1:
ACC [i ]← ACC [i ] · (1− E (b)) + ACC [i − 1] · E (b)
I MSB extraction: MSB(ACC ) =∑q−1
q/2 Enc(ai ).
I Optimized using CRT and product of many small cyclic rings.
We optimize this construction using the cyclotomic ring
R = Z[X ]/(XN + 1).
I Embed Zq in the group (X ii , ·), of roots of unity, q = 2N.
I ACC uses only a single ciphertext E (X acc).
19 / 29
![Page 49: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/49.jpg)
Ring version of [GSW13]
Q = 2k , Gadget matrix: G = [I, 2I, 4I . . . 2k−1I]t ∈ Zn+1×(n+1)kQ .
Es(m) = [A,As + e] + m · G
Decs: extract an LWEs ciphertext (last row) and decrypt.Supports Add. and Mult. for small messages m ∈ −1, 0, 1.
Cyclotomic ring R = Z[X ]/(XN + 1), 2N = q is a power of 2.
Generalized Gadget matrix: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ .
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Supports addition for all message m ∈ Zq.
20 / 29
![Page 50: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/50.jpg)
Ring version of [GSW13]
Q = 2k , Gadget matrix: G = [I, 2I, 4I . . . 2k−1I]t ∈ Zn+1×(n+1)kQ .
Es(m) = [A,As + e] + m · G
Decs: extract an LWEs ciphertext (last row) and decrypt.Supports Add. and Mult. for small messages m ∈ −1, 0, 1.
Cyclotomic ring R = Z[X ]/(XN + 1), 2N = q is a power of 2.
Generalized Gadget matrix: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ .
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Supports addition for all message m ∈ Zq.
20 / 29
![Page 51: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/51.jpg)
The group of roots of unity and msb
m 0 1 . . . q2 − 1 q
2q2 + 1 . . . q − 1
Xm 1 X . . . XN−1 −1 −X . . . −XN−1
xm
10...0
01...0
. . .
00...1
−10...0
0−1
...0
. . .
00...−1
〈1 , xm〉 1 1 . . . 1 −1 −1 . . . −1
Take the vector representation of Xm
Sum all the coordinates
〈1 , xm〉+ 1
2=
(−1)msb(m) + 1
2= msb(m).
21 / 29
![Page 52: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/52.jpg)
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
![Page 53: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/53.jpg)
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]
Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
![Page 54: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/54.jpg)
Extracting LWE4s (msb(m))
Recall: G = u · [I, bI, b2I . . . bk−1I]t ∈ R2×2kQ and
Es(m ∈ Zq) = [a, a · s + e] + Xm · G
Set u = q/8, take the 2nd row, in vector representation:
C =
[A′,A′ · s + e +
Q
8· xm
]Sum all rows and add q/8:
1t · C = 1t ·[
A′,A′ · s + e +Q
8· xm +
Q
8
]=
[a′, a′ · s + e ′ +
Q
4·msb(m)
]Obtain an LWE encryption of msb(m) with message space Z4.
22 / 29
![Page 55: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/55.jpg)
Improvements
Improvement over the bootstrapping of [AP14]:
I Generic Ω(n) speed-up from Ring structure
I An extra Ω(log3 q) speed-up by embedding
I Error after bootstrapping reduced by O(√n log n).
In addition to our new NAND gate, implementation becomesreasonable.
23 / 29
![Page 56: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/56.jpg)
Outline
Introduction/Summary
The new NAND gate
Simpler Refreshing
Conclusion
24 / 29
![Page 57: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/57.jpg)
The ciphertext cycle
LWE4/qn (m1, q/16)
LWE4/qn (m2, q/16)
NAND LWE2/qn (m, q/4)
LWE4/QN
(m, σO(N3/2)
)ACC operations
and msbTest
LWE4/Qn
(m, σO(N3/2)
)Key Switch
LWE4/qs1 (m, q/16)
Modulus Switch
25 / 29
![Page 58: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/58.jpg)
Parameter Proposal
Parameters.LWE parameters: n = 410 q = 512.Ring-GSW parameters: N = 1024 Q = 232 .Gadget Matrix: Q/8 · [I, 211 · I, 222 · I]Key Size.Bootstrapping Key Size 846 MBKey Switching Key Size: +135 MB
6 1GB
Running time.Per NAND gate: 39, 360 FFTs ≈ 0.4 secSecurity.Security of the LWE scheme δ1 = 1.0060Security of the Ring-GSW scheme δ2 = 1.0060
26 / 29
![Page 59: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/59.jpg)
Proof of Concept Implementation
I Coded in 4 days·manroom for implementation level optimization.
I Reasonably concise: 6 600 lines of C++ code[HElib]: ≈ 20, 000 lines
I Using FFT3 over C at double precisionin dimension 2048 to obtain negacyclic-FFT.
potentially slower than 32-bits NTT in dimension 1024.
Result: Homomorphic NAND & refreshing in 0.61 secondson a single standard 64-bit core at 3Ghz.
Comparable to the amortized cost of bootstrapping in [HElib].
3FFTW library: The Fastest Fourier Transform in the West27 / 29
![Page 60: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/60.jpg)
Beyond binary gates
Replace msb by other membership testing function. Obtain :
I moderate fan-in symmetric gatesmajority, threshold gates, neurons
I multiple outputs gates
Figure: Full-adder in one refresh (3-inputs, 2-outputs)
01
23
4
50
1
23
4
5
m1 + m2 + m3 ∈ 1, 3, 5 m1 + m2 + m3 ∈ 2, 3, 4m1 ⊕m2 ⊕m3 carry(m1,m2,m3)
28 / 29
![Page 61: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/61.jpg)
The Next Steps
I Generalize the construction to arbitrary cyclotomic:we are restricted to powers of 2
I Exploit previous work using tensor-CRT for coprimes p, q:
Roots of unity(Z[X ]/Φp(X )
)' Zp
Roots of unity(Z[X ]/Φp(X )⊗ Z[X ]/Φq(X )
)' Zp × Zq ' Zpq
I Obtain a full S-box for the price of 1 or 2 Refresh operation.
Thank You
29 / 29
![Page 62: FHEW: Homomorphic Encryption Bootstrapping](https://reader033.vdocument.in/reader033/viewer/2022042708/62666c095511c00f5605a92e/html5/thumbnails/62.jpg)
The Next Steps
I Generalize the construction to arbitrary cyclotomic:we are restricted to powers of 2
I Exploit previous work using tensor-CRT for coprimes p, q:
Roots of unity(Z[X ]/Φp(X )
)' Zp
Roots of unity(Z[X ]/Φp(X )⊗ Z[X ]/Φq(X )
)' Zp × Zq ' Zpq
I Obtain a full S-box for the price of 1 or 2 Refresh operation.
Thank You
29 / 29