Bootstrapping Fully Homomorphic Encryption over the Integers in Less than One Second

Abstract

One can bootstrap LWE-based fully homomorphic encryption (FHE) schemes in less than one second, but bootstrapping AGCD-based FHE schemes, also known as FHE over the integers, is still very slow. In this work we propose a fast bootstrapping method for FHE over the integers, closing thus this gap between these two types of schemes. We use a variant of the AGCD problem to construct a new GSW-like scheme that can natively encrypt polynomials, then, we show how the single-gate bootstrapping method proposed by Ducas and Micciancio (EUROCRYPT 2015) can be adapted to FHE over the integers using our scheme, and we implement a bootstrapping that, using around 400 MB of key material, runs in less than one second in a common personal computer.

This paper was written while the author was working at the University of Luxembourg.

Appendices

Appendix

A Other Homomorphic Operations

• \(\mathsf {GAHE.AddVec}(\mathbf{c}_1, \mathbf{c}_2)\): to homomorphically add two ciphertexts, just add them entry-wise: \(\mathbf{c}_{add} := \mathbf{c}_1 + \mathbf{c}_2 \in R^{\ell }.\)

• \(\mathsf {GAHE.MultVec}(\mathbf{c}_1, \mathbf{c}_2)\): to perform a homomorphic product, apply \(g^{-1}\) to each entry of \(\mathbf{c}_1\) obtaining a \(\ell \times \ell \) matrix of polynomials, i.e., \(\mathbf{A} := \left( g^{-1}(c_{1,1}) \, \dots \, g^{-1}(c_{1,\ell }) \right) \), then perform a vector-matrix product over R: \(\mathbf{c}_{mult} := \mathbf{c}_2 \cdot \mathbf{A} \in R^{\ell }.\)

• \(\mathsf {GAHE.AddScalar}(c_1, c_2)\): to perform a homomorphic addition, just add the ciphertexts: \(c_{add} := c_1 + c_2 \in R.\)

• \(\mathsf {GAHE.AddPlaintext}(\mathbf{c}_1, h)\) and \(\mathsf {GAHE.MultPlaintext}(\mathbf{c}_1, h)\): to add a plaintext h, output \(\mathbf{c}_1 + \mathbf{g}\cdot h\). To multiply, simply multiply each entry of \(\mathbf{c}_1\) by h in R, i.e., output \(h \cdot \mathbf{c}_1 \in R^{\ell }\).

1.1 A.1 Correctness of Homomorphic Operations

The mixed homomorphic product was analyzed in Sect. 4.3. We now show that the other homomorphic operations are also correct. For \(i \in \{1, 2\}\), let \(\mathbf{c}_i\) a be vector encryption of \(v_i\) and \(c_i\) be a scalar encryption of \(s_i\). Thus, we have \(\mathbf{c}_i = (p\mathbf{q}_i + \mathbf{r}_i)k + \mathbf{g} v_i\) and \(c_i = (p q_i + r_i + \alpha s_i)k\).

Hence, it is easy to see that the homomorphic additions produce valid ciphertexts, i.e.,

• \(c_1 + c_2 = (p(q_1 + q_2) + (r_1+r_2) + \alpha (s_1+s_2))k \in R\).

• \(\mathbf{c}_1 + \mathbf{c}_2 = (p(\mathbf{q}_1 + \mathbf{q}_2) + (\mathbf{r}_1+\mathbf{r}_2))k + \mathbf{g}(v_1+v_2) \in R^\ell \).

To see that the homomorphic product of two vector ciphertexts is correct, notice that we decompose one of the operands, say, \(\mathbf{c}_1\), as \(\mathbf{A} =\left( g^{-1}(c_{1,1}) \, \dots \, g^{-1}(c_{1,\ell })\right) \in R^{\ell \times \ell }\), and when we multiply \(\mathbf{A}\) by \(\mathbf{g}\), we obtain again \(\mathbf{c}_1\), i.e., \(\mathbf{g}\cdot \mathbf{A} = \mathbf{c}_1\). Hence, we have the following:

$$\begin{aligned} \mathbf{c}_{mult}&= \mathbf{c}_2 \cdot \mathbf{A} \\&= (p\mathbf{q}_2\mathbf{A} + \mathbf{r}_2\mathbf{A})k + \mathbf{g} \mathbf{A} v_2 \\&= (p\mathbf{q}_2\mathbf{A} + \mathbf{r}_2\mathbf{A})k + ((p\mathbf{q}_1 + \mathbf{r}_1)k + \mathbf{g} v_1) v_2 \\&= (p\underbrace{(\mathbf{q}_2\mathbf{A} + \mathbf{q}_1v_2)}_{\mathbf{q}_{mult}} + \underbrace{(\mathbf{r}_2\mathbf{A} + \mathbf{r}_1v_2)}_{\mathbf{r}_{mult}})k + \mathbf{g} v_1v_2 \end{aligned}$$

Therefore, the homomorphic multiplication yields a valid encryption of the product of the messages.

1.2 A.2 Noise Growth of Homomorphic Operations

In this section we show that the noise in the ciphertexts grows basically additively when we perform any homomorphic operation, including products. Using the analysis done in Sect. 4.3, it is easy to derive upper bounds to the noise accumulated by the homomorphic operations.

Lemma 11 (Noise of homomorphic additions)

Let n be an integer bigger than or equal to 2. For \(i \in \llbracket 1, n \rrbracket \), let \(c_i\) be a scalar encryption of \(s_i\) and \(\mathbf{c}_i\) be a vector encryption of \(v_i\). Compute the homomorphic sum of these ciphertexts as follows: \(c := \sum _{i=1}^{n}c_i \in R\) and \(\mathbf{c} := \sum _{i=1}^{n}\mathbf{c}_i \in R^\ell \). Then, \(\mathsf {err}(c) = \sum _{i=1}^{n}\mathsf {err}(c_i)\) and \(\mathsf {err}(\mathbf{c}) = \sum _{i=1}^{n}\mathsf {err}(\mathbf{c}_i)\). In particular, if all \({c}_i\)’s and \({\mathbf{c}}_i\)’s are fresh ciphertexts, we have

$$\left\Vert \mathsf {err}(c) \right\Vert< n2^{\rho } \text { and } \left\Vert \mathsf {err}(\mathbf{c}) \right\Vert < n2^{\rho }.$$

Proof

Because each \(c_i\) is of the form \((pq_i + r_i + \left\lfloor p/t \right\rceil s_i)k\), it is clear that \(\mathsf {err}(c) = \sum _{i=1}^{n}r_i = \sum _{i=1}^{n}\mathsf {err}(c_i)\). By Lemma 2, if all \({c}_i\)’s are fresh ciphertexts, we have \(\left\Vert \mathsf {err}(c) \right\Vert \le \sum _{i=1}^{n}\left\Vert \mathsf {err}(c_i) \right\Vert < n2^\rho \) and the particular case holds.

Basically the same argument holds for vector ciphertexts.    \(\square \)

The noise growth of a sequence of homomorphic products involving only vector ciphertexts is essentially equal to the one of mixed products.

Lemma 12 (Noise growth of products of vector ciphertexts)

Let n be an integer bigger than or equal to 1. For \(i \in \llbracket 0, n \rrbracket \), let \(\mathbf{c}_i\) be an encryption of \(m_i\). Let also \(\mathbf{c}'_0 := \mathbf{c}_0\) and \(\mathbf{c}'_i := \mathsf {GAHE.MultVec}(\mathbf{c}'_{i-1}, \mathbf{c}_i)\) for \(i > 0\). (Notice that \(\mathbf{c}'_i\) is an encryption of \(\prod _{j=0}^{i}m_j\)). Assume that B is an upper bound to the product of the plaintexts, i.e., \(\left\Vert \prod _{i=j}^{n} m_i \right\Vert \le B\) for \(0 \le j \le n\). Then,

$$\left\Vert \mathsf {err}(\mathbf{c}'_n) \right\Vert < NB\left\Vert \mathsf {err}(\mathbf{c}_0) \right\Vert + \sum _{i=1}^{n} N^2B\ell b \left\Vert \mathsf {err}(\mathbf{c}_i) \right\Vert . $$

In particular, if all the products only involve fresh ciphertexts, then

$$\begin{aligned} \left\Vert \mathsf {err}(\mathbf {c}'_n) \right\Vert < 2N^2B\ell b n 2^{\rho }. \end{aligned}$$

Proof

This proof is basically equal to the one of Lemma 5, hence, we omit it.    \(\square \)