Abstract
One can bootstrap LWE-based fully homomorphic encryption (FHE) schemes in less than one second, but bootstrapping AGCD-based FHE schemes, also known as FHE over the integers, is still very slow. In this work we propose a fast bootstrapping method for FHE over the integers, closing thus this gap between these two types of schemes. We use a variant of the AGCD problem to construct a new GSW-like scheme that can natively encrypt polynomials, then, we show how the single-gate bootstrapping method proposed by Ducas and Micciancio (EUROCRYPT 2015) can be adapted to FHE over the integers using our scheme, and we implement a bootstrapping that, using around 400 MB of key material, runs in less than one second in a common personal computer.
This paper was written while the author was working at the University of Luxembourg.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
If we were publishing \(x_0\), then the homomorphic operations could be done modulo \(x_0\) and we could set \(\ell = \ell _0\), without adding these extra logarithmic terms.
- 2.
- 3.
References
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17
Benarroch, D., Brakerski, Z., Lepoint, T.: FHE over the Integers: decomposed and Batched in the Post-Quantum Regime. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 271–301. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_10
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS 2012, pp. 309–325. ACM, New York (2012)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106, October 2011
Cheon, J.H., et al.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_20
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_27
Coron, J.-S., Pereira, H.V.L.: On Kilian’s randomization of multilinear map encodings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 325–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_12, https://eprint.iacr.org/2018/1129
Cheon, J.H., Stehlé, D.: Fully homomophic encryption over the integers revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 513–536. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_20
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). https://crypto.stanford.edu/craig/
Galbraith, S.D., Gebregiyorgis, S.W., Murphy, S.: Algorithms for the approximate common divisor problem. LMS J. Comput. Math. 19(A), 58–72 (2016)
Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_28
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6
Lee, H.T., Seo, J.H.: Security analysis of multilinear maps over the integers. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 224–240. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_13
Pereira, H.V.L.: Efficient AGCD-based homomorphic encryption for matrix and vector arithmetic. Cryptology ePrint Archive, Report 2020/491 (2020). https://eprint.iacr.org/2020/491
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Appendices
Appendix
A Other Homomorphic Operations
-
\(\mathsf {GAHE.AddVec}(\mathbf{c}_1, \mathbf{c}_2)\): to homomorphically add two ciphertexts, just add them entry-wise: \(\mathbf{c}_{add} := \mathbf{c}_1 + \mathbf{c}_2 \in R^{\ell }.\)
-
\(\mathsf {GAHE.MultVec}(\mathbf{c}_1, \mathbf{c}_2)\): to perform a homomorphic product, apply \(g^{-1}\) to each entry of \(\mathbf{c}_1\) obtaining a \(\ell \times \ell \) matrix of polynomials, i.e., \(\mathbf{A} := \left( g^{-1}(c_{1,1}) \, \dots \, g^{-1}(c_{1,\ell }) \right) \), then perform a vector-matrix product over R: \(\mathbf{c}_{mult} := \mathbf{c}_2 \cdot \mathbf{A} \in R^{\ell }.\)
-
\(\mathsf {GAHE.AddScalar}(c_1, c_2)\): to perform a homomorphic addition, just add the ciphertexts: \(c_{add} := c_1 + c_2 \in R.\)
-
\(\mathsf {GAHE.AddPlaintext}(\mathbf{c}_1, h)\) and \(\mathsf {GAHE.MultPlaintext}(\mathbf{c}_1, h)\): to add a plaintext h, output \(\mathbf{c}_1 + \mathbf{g}\cdot h\). To multiply, simply multiply each entry of \(\mathbf{c}_1\) by h in R, i.e., output \(h \cdot \mathbf{c}_1 \in R^{\ell }\).
1.1 A.1 Correctness of Homomorphic Operations
The mixed homomorphic product was analyzed in Sect. 4.3. We now show that the other homomorphic operations are also correct. For \(i \in \{1, 2\}\), let \(\mathbf{c}_i\) a be vector encryption of \(v_i\) and \(c_i\) be a scalar encryption of \(s_i\). Thus, we have \(\mathbf{c}_i = (p\mathbf{q}_i + \mathbf{r}_i)k + \mathbf{g} v_i\) and \(c_i = (p q_i + r_i + \alpha s_i)k\).
Hence, it is easy to see that the homomorphic additions produce valid ciphertexts, i.e.,
-
\(c_1 + c_2 = (p(q_1 + q_2) + (r_1+r_2) + \alpha (s_1+s_2))k \in R\).
-
\(\mathbf{c}_1 + \mathbf{c}_2 = (p(\mathbf{q}_1 + \mathbf{q}_2) + (\mathbf{r}_1+\mathbf{r}_2))k + \mathbf{g}(v_1+v_2) \in R^\ell \).
To see that the homomorphic product of two vector ciphertexts is correct, notice that we decompose one of the operands, say, \(\mathbf{c}_1\), as \(\mathbf{A} =\left( g^{-1}(c_{1,1}) \, \dots \, g^{-1}(c_{1,\ell })\right) \in R^{\ell \times \ell }\), and when we multiply \(\mathbf{A}\) by \(\mathbf{g}\), we obtain again \(\mathbf{c}_1\), i.e., \(\mathbf{g}\cdot \mathbf{A} = \mathbf{c}_1\). Hence, we have the following:
Therefore, the homomorphic multiplication yields a valid encryption of the product of the messages.
1.2 A.2 Noise Growth of Homomorphic Operations
In this section we show that the noise in the ciphertexts grows basically additively when we perform any homomorphic operation, including products. Using the analysis done in Sect. 4.3, it is easy to derive upper bounds to the noise accumulated by the homomorphic operations.
Lemma 11 (Noise of homomorphic additions)
Let n be an integer bigger than or equal to 2. For \(i \in \llbracket 1, n \rrbracket \), let \(c_i\) be a scalar encryption of \(s_i\) and \(\mathbf{c}_i\) be a vector encryption of \(v_i\). Compute the homomorphic sum of these ciphertexts as follows: \(c := \sum _{i=1}^{n}c_i \in R\) and \(\mathbf{c} := \sum _{i=1}^{n}\mathbf{c}_i \in R^\ell \). Then, \(\mathsf {err}(c) = \sum _{i=1}^{n}\mathsf {err}(c_i)\) and \(\mathsf {err}(\mathbf{c}) = \sum _{i=1}^{n}\mathsf {err}(\mathbf{c}_i)\). In particular, if all \({c}_i\)’s and \({\mathbf{c}}_i\)’s are fresh ciphertexts, we have
Proof
Because each \(c_i\) is of the form \((pq_i + r_i + \left\lfloor p/t \right\rceil s_i)k\), it is clear that \(\mathsf {err}(c) = \sum _{i=1}^{n}r_i = \sum _{i=1}^{n}\mathsf {err}(c_i)\). By Lemma 2, if all \({c}_i\)’s are fresh ciphertexts, we have \(\left\Vert \mathsf {err}(c) \right\Vert \le \sum _{i=1}^{n}\left\Vert \mathsf {err}(c_i) \right\Vert < n2^\rho \) and the particular case holds.
Basically the same argument holds for vector ciphertexts. \(\square \)
The noise growth of a sequence of homomorphic products involving only vector ciphertexts is essentially equal to the one of mixed products.
Lemma 12 (Noise growth of products of vector ciphertexts)
Let n be an integer bigger than or equal to 1. For \(i \in \llbracket 0, n \rrbracket \), let \(\mathbf{c}_i\) be an encryption of \(m_i\). Let also \(\mathbf{c}'_0 := \mathbf{c}_0\) and \(\mathbf{c}'_i := \mathsf {GAHE.MultVec}(\mathbf{c}'_{i-1}, \mathbf{c}_i)\) for \(i > 0\). (Notice that \(\mathbf{c}'_i\) is an encryption of \(\prod _{j=0}^{i}m_j\)). Assume that B is an upper bound to the product of the plaintexts, i.e., \(\left\Vert \prod _{i=j}^{n} m_i \right\Vert \le B\) for \(0 \le j \le n\). Then,
In particular, if all the products only involve fresh ciphertexts, then
Proof
This proof is basically equal to the one of Lemma 5, hence, we omit it. \(\square \)
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Pereira, H.V.L. (2021). Bootstrapping Fully Homomorphic Encryption over the Integers in Less than One Second. In: Garay, J.A. (eds) Public-Key Cryptography – PKC 2021. PKC 2021. Lecture Notes in Computer Science(), vol 12710. Springer, Cham. https://doi.org/10.1007/978-3-030-75245-3_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-75245-3_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75244-6
Online ISBN: 978-3-030-75245-3
eBook Packages: Computer ScienceComputer Science (R0)