Privacy Protection of IoT Based on Fully Homomorphic Encryption



Introduction
Nowadays, the IoT is becoming an attractive system paradigm that drives a substantive leap in goods and services across physical, cyber, and social spaces. It ranges from traditional industrial equipment to general household equipment, bringing more efficiency and convenience to users and greatly changing current ways of life [1]. See Figure 1.
However, IoT applications involve a mass of private information about users, such as healthcare data, location, etc. Users want service providers to process this data accurately and efficiently and to extract the valuable information it contains, while the data itself stays unknown to everyone else, the service providers included. Such requirements are difficult to meet with traditional encryption schemes. Homomorphic encryption is a good choice for solving all of these problems [2, 3].
Bootstrapping is at present the essential technique for obtaining a "pure" FHE scheme. Meanwhile, it is also the main bottleneck in any practical implementation, because of the complexity of homomorphic decryption. It is therefore very meaningful to improve the efficiency of bootstrapping, which mainly means a fast, low-depth circuit implementation of the decryption function. Without loss of generality, the decryption function of an LWE- (Learning with Errors-) based FHE scheme can be computed by evaluating a linear operation between the ciphertext and the secret key, reducing the result modulo a big odd modulus , and then reducing the result modulo a small modulus  to get the plaintext , namely  = [[  ()]  ]  . In the decryption function, the modular-reduction operation [[]  ]  ( ∈ Z) affects the depth of the decryption circuit the most.
The past few years have seen an intensive study of bootstrapping techniques. In the original bootstrapping technique of Gentry [14], he put forward the idea of "squashing the decryption circuit" to transform the modular-reduction operation into a summing operation. This gave a moderate polynomial O( 4 ) runtime. By proposing an amortized bootstrapping method, Brakerski, Gentry, and Vaikuntanathan (BGV) reduced the runtime to O( 2 ) [10]. However, these results applied only to "non-packed" ciphertexts (i.e., ones that encrypt just one bit each).
Gentry, Halevi, and Smart (GHS, PKC 2012) reached a major milestone with a bootstrapping algorithm for the BGV ring-LWE-based scheme (ideal-lattice-based FHE) [15]. They proposed a simpler decryption formula, obtained by choosing a prime plaintext modulus  and a ciphertext modulus  close to a power of . Besides, they used packed ciphertexts and the Fourier transform to aid efficiency. To improve the Fourier-transform step of [15], [16] presented a ring/field switching technique, which gave an asymptotically efficient bootstrapping method for BGV-style SHE schemes. Orsini, van de Pol, and Smart (PKC 2015) proposed bootstrapping of BGV ciphertexts with a wider choice of  and , but their decryption formula was not as simple as in GHS's work. Halevi and Shoup (HS, EUROCRYPT 2015) generalized the plaintext modulus  in [17] to more general situations and obtained better efficiency by improving the bit-extraction method. This is asymptotically optimal in space and time so far.
In another line of work, [18][19][20][21][22] present bootstrapping techniques for the GSW-FHE scheme [13]. They make significant progress in improving bootstrapping for standard-lattice-based FHE, and their progress relies mainly on the characteristic that the noise in GSW-FHE ciphertexts grows asymmetrically. Compared with standard LWE-based FHE schemes, however, ring-LWE-based FHE schemes always have more efficient homomorphic operations, and among the ring-LWE-based FHE schemes the BGV ring-LWE-based scheme is optimal (note that the GSW-FHE scheme is better than the BGV-FHE scheme only among standard LWE-based FHE schemes). Since the aim of this paper is to provide a practical FHE scheme for the privacy protection of IoT, it concentrates on improving the bootstrapping technique of BGV ring-LWE-based FHE schemes.
The starting point of this paper is HS's work [17], where the decryption procedure consists of a linear-algebra step < ,  > and a modular-reduction step [[]  ]  . When || ≤  2 /4 −  and |[]  | ≤ /4, the modular-reduction step [[]  ]  can be converted into simple bit operations, which greatly reduces the circuit depth of modular reduction. When the simple decryption formula above is evaluated homomorphically, the deepest part is the homomorphic bit-extraction procedure, whose complexity (both time and depth) increases with the position of the most significant extracted bit. In [17], by adding to the ciphertext multiples of  and also multiples of , a lower-degree homomorphic bit-extraction procedure was obtained. The bigger the parameter range of  for which the simple modular-reduction formula holds, the better the performance of the improved homomorphic bit-extraction procedure. See [17] for further details.
Contributions. In this paper, we optimize the parameters of the bootstrapping algorithm proposed by Halevi and Shoup at EUROCRYPT 2015. Firstly, by introducing the notion of load capacity, we give for the first time an optimized parameter range for which their bootstrapping technique works. Next, we generalize their ciphertext modulus  to more general situations, which makes our method applicable to more cases. Moreover, we also show how to introduce the SIMD technique into our new method to improve the efficiency of bootstrapping.
Organization. Section 2 presents the notation and some background on the BGV cryptosystem. Section 3 optimizes the parameter range for which the bootstrapping technique of Halevi and Shoup works. Section 4 generalizes the ciphertext modulus from being close to a power of two to more general situations, and also shows how to introduce SIMD homomorphic computation techniques into the new method to obtain an efficient bootstrapping method. Section 5 describes an implementation of the BGV ring-LWE-based scheme with our efficient bootstrapping method. Finally, Section 6 concludes.

Homomorphic Encryption Schemes.
Let M be the message space and C be the ciphertext space. A homomorphic encryption scheme  = {, , , V} consists of the following algorithms: (i) (1  ): output the public key , the secret key , and the evaluation key V.
(iii)   (): recover the message encrypted in the ciphertext  using the secret key .
(iv) V V (,  1 , . . .,   ): output a ciphertext   ∈ C obtained by applying the evaluation key V and the function . Suppose that ( 1 ,  1 ) and ( 2 ,  2 ) are two key pairs of scheme . Let  be a ciphertext of plaintext  under . Let  1 be a ciphertext of the -th bit of the first secret key  1 under the second public key  2 , and let  be the decryption circuit. See Algorithm 1 for the "Bootstrapping" algorithm.
It can be seen that .( 2 ,   ) = .( 1 , ) =  holds only when scheme  can compactly evaluate its own decryption circuit. However, most existing schemes do not satisfy this condition naturally; they need extra operations, such as "squashing the decryption circuit", which are the cause of the low efficiency of FHE. Thus, a lower-depth circuit implementation of the decryption function is very meaningful.

Analysis of HS Recryption Procedure
We start by introducing the HS recryption procedure [17], namely how to homomorphically compute the modular-reduction operation in a lower-depth circuit. The specifics are in Lemma 1.
Lemma 1 (see [17]). Let  > 1,  ≥ 1,  ≥  + 2 and  =   + 1 be integers, and also let  be an integer such that || ≤  2 /4 −  and

Lemma 1 transforms the complex modular operation into simple bit operations, to get a lower-depth circuit for the decryption function. But it is still not easy to execute a homomorphic bit-extraction operation. Next, [17] proposed a fast bit-extraction procedure. As stated in the introduction, the performance of the fast bit-extraction procedure depends on the parameter range of  in Lemma 1: the bigger the parameter range of , the better the performance of the fast bit-extraction procedure. Thus, we next analyse whether the parameter range of  in Lemma 1 is optimal. In order to do so, we introduce a new concept called "load capacity".

Definition 2 (load capacity). Let  ∈ Z + ,  ∈ Z. Suppose the formula of modular reduction converted to simple bit operations works when −/2 <  ≤ []  ≤  ≤ /2 and  ≤  < . Then the load capacity is defined as the product of the two span lengths of  and []  , namely ( − ) × ( − ).
Next we discuss how to choose the values of ,  in order to obtain the maximum load capacity. Load capacity is denoted by ; then Let  =  − ; then  = (1 − ) ⋅  2 + ( − 1) ⋅ . The concrete relation is shown in Figure 2. It can easily be seen from Figure 2 that the load capacity takes its maximum value when  −  = /2. That is, the load capacity for the HS work is only related to the span length, not to the values of  and . Corollary 4 then presents the optimal choice of []  and  for the formula of modular reduction converted to simple bit operations. The conclusion is obvious; the proof is omitted here.
Note that when  = −/4, namely |[]  | ≤ /4, this is the same as HS's work. But the load capacity of this paper is bigger than that of HS's work, since our  has a bigger span length, namely || ≤  2 /4 − /4. The details are presented in Table 1.
As seen from Table 1, our scheme has a better load capacity than HS's work. Note that while, on the surface, this appears to be only a tiny improvement in a non-dominant term (the load capacity of the choice in HS is  3 /4 −  2 , which is improved to  3 /4 −  2 /4), it is actually meaningful once one carefully analyses the principle behind the fast bit-extraction trick of [17]. That trick is to add to the coefficients of  multiples of  and of   , making them divisible by    for some  ≤   <  without increasing them too much and also without increasing the noise too much. This means that bit extraction can be implemented using only polynomials of degree at most −  , smaller than . Since the load capacity of this paper is 3 2 /4 bigger than that of HS's work, our work allows adding more multiples of  and   to the coefficients of . That is, bit extraction can be implemented using polynomials of lower degree, giving a faster implementation. Besides, our variant of HS is more flexible and general in its parameters.
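As an added illustration (my own Python script, not code from the paper or from HElib), the following implements the simple modular-reduction formula in the clear and checks the load-capacity comparison above by brute force, using p, e, r, q and z for the parameters of Lemma 1 as in [17]. With q = p^e + 1, write z = k·q + [z]_q = k·p^e + (k + [z]_q); whenever |k + [z]_q| < p^e/2, the symmetric residue of z modulo p^e equals k + [z]_q and the digits of z at positions e and above equal k, so [z]_q ≡ [z]_{p^e} − (z − [z]_{p^e})/p^e (mod p^r) can be obtained from the base-p digits of z alone. This form of the identity is my own derivation and is treated as an assumption; the script verifies it exhaustively, for small parameters, over the HS range (|[z]_q| ≤ q/4, |z| ≤ q²/4 − q) and over the wider range |z| ≤ q²/4 − q/4, and evaluates the load capacity of Definition 2 for both.

```python
# Added example (not from the paper): checking the simple modular-reduction
# formula behind the HS recryption procedure, and the load capacity of
# Definition 2, in the clear with plain Python integers.


def sym_mod(z, q):
    """Symmetric residue [z]_q in the interval (-q/2, q/2]."""
    r = z % q
    return r - q if r > q // 2 else r


def reference_mod_reduction(z, p, e, r):
    """The expensive operation the decryption circuit must evaluate:
    first [z]_q with q = p^e + 1, then reduce modulo p^r."""
    q = p ** e + 1
    return sym_mod(z, q) % p ** r


def digit_formula(z, p, e, r):
    """Cheap replacement (my derivation, stated as an assumption): with
    q = p^e + 1 write z = k*q + [z]_q = k*p^e + (k + [z]_q).  If
    |k + [z]_q| < p^e/2, the symmetric residue of z mod p^e is exactly
    k + [z]_q and the digits above position e are k, so [z]_q = low - high,
    which needs only the base-p digits of z."""
    low = sym_mod(z, p ** e)      # digits 0 .. e-1 of z (balanced)
    high = (z - low) // p ** e    # digits e, e+1, ... of z (exact division)
    return (low - high) % p ** r


def formula_holds(p, e, r, m_lo, m_hi, z_lo, z_hi):
    """True iff digit_formula agrees with the reference for every z in
    [z_lo, z_hi] whose [z]_q lies in [m_lo, m_hi]."""
    q = p ** e + 1
    return all(digit_formula(z, p, e, r) == reference_mod_reduction(z, p, e, r)
               for z in range(z_lo, z_hi + 1) if m_lo <= sym_mod(z, q) <= m_hi)


def load_capacity(m_lo, m_hi, z_lo, z_hi):
    """Definition 2: product of the span lengths of [z]_q and of z."""
    return (m_hi - m_lo) * (z_hi - z_lo)


def compare_ranges(p, e, r):
    """Both ranges use |[z]_q| <= q/4.  HS: |z| <= q^2/4 - q; wider choice
    analysed above: |z| <= q^2/4 - q/4 (integer parts taken with //).
    Returns (hs_ok, hs_capacity, wide_ok, wide_capacity)."""
    q = p ** e + 1
    m = q // 4
    z_hs = q * q // 4 - q
    z_wide = q * q // 4 - q // 4
    return (formula_holds(p, e, r, -m, m, -z_hs, z_hs),
            load_capacity(-m, m, -z_hs, z_hs),
            formula_holds(p, e, r, -m, m, -z_wide, z_wide),
            load_capacity(-m, m, -z_wide, z_wide))


if __name__ == "__main__":
    # Toy parameters (constructed for illustration), each with e >= r + 2.
    for p, e, r in [(2, 4, 1), (2, 5, 2), (3, 3, 1)]:
        print("p=%d e=%d r=%d q=%d ->" % (p, e, r, p ** e + 1), compare_ranges(p, e, r))
```

For p = 2, e = 4, r = 1 (q = 17) the check passes on both ranges, with load capacity 880 for the HS choice and 1088 for the wider one. The exhaustive check is only feasible for toy parameters, but the digit identity itself does not depend on the size of q.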

Generalize Modulus to More General Situations
This section extends the HS recryption procedure to allow a wider choice of ciphertext modulus. The specifics are in Theorem 5. Then, where "×" refers to scalar multiplication.

5. Set  ← (c  ,  − ) // Homomorphic exponentiation to the power  − 
6. Set
Thus, combined with formula (11), we can get that
Thus,
The proof for the  = 2 case is similar. We omit it here.
Next we discuss how to choose the values of ,  in order to obtain the maximum load capacity. Load capacity is denoted by ; then Let  =  − ; then It is easy to see that  takes its maximum value when That is, the load capacity is again only related to the span length, not to the values of  and .
Corollary 6 then presents the optimal choice of []  and  for the formula of modular reduction converted to simple bit operations.
,  ∤ , V, also let  be an integer such that []  ∈ [,  + /2], and
The conclusion is obvious; the proof is omitted here.
To obtain a homomorphic implementation of the simple decryption formula above, we first present a homomorphic bit-extraction procedure (Algorithm 2), which is a slight variation of the bit-extraction procedure of [17].
(c, ) uses native homomorphic multiplication to multiply  by itself  times. To aid exposition, this code assumes that the modulus and secret key remain fixed; otherwise modulus switching and key switching should be added (and the level should be increased correspondingly to some  > 0).
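As an added example (my own plaintext simulation, not the paper's Algorithm 2 and not HElib code), the script below performs digit extraction using only the operations a homomorphic evaluator has on encrypted digits: additions, multiplications and polynomial evaluation modulo p^e, plus an exact division by p (which on ciphertexts corresponds to moving to a smaller plaintext modulus). The ingredient I take from the lifting-polynomial idea of GHS/HS, stated here as an assumption, is a degree-p polynomial F with F(y) ≡ d (mod p^{i+1}) whenever y ≡ d (mod p^i) for a digit d; for p = 2 it is simply F(X) = X², and for general p it is X^p − p·G(X) with G interpolating (x^p − x)/p on the digits. Applying F e − 1 − i times to the current value isolates digit i at a cost of degree p^{e−1−i}, which is precisely the cost that the fast bit-extraction trick of [17] reduces by lowering the top digit that has to be extracted.

```python
# Added example (not the paper's or HElib's code): digit extraction in the
# clear, using the lifting-polynomial idea behind homomorphic bit extraction.
# Every step is a ring operation modulo p^e plus an exact division by p.


def poly_mul(a, b, mod):
    """Product of two polynomials given as coefficient lists (low degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % mod
    return out


def poly_eval(coeffs, x, mod):
    """Horner evaluation of a coefficient list at x, modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def lifting_polynomial(p, e):
    """Coefficients of F(X) = X^p - p*G(X) over Z/p^e, where G is the degree < p
    polynomial interpolating (x^p - x)/p at x = 0, ..., p-1 (the Lagrange
    denominators are coprime to p, so they invert modulo p^e).
    Then F(d) = d mod p^e for every digit d in [0, p), and, because
    y^p = d^p (mod p^(i+1)) and p*(G(y) - G(d)) = 0 (mod p^(i+1)) whenever
    y = d (mod p^i), F(y) = d (mod p^(i+1)).  For p = 2, F(X) = X^2."""
    mod = p ** e
    g = [0] * p
    for j in range(p):
        value = (j ** p - j) // p
        basis, denom = [1], 1
        for m in range(p):
            if m != j:
                basis = poly_mul(basis, [-m % mod, 1], mod)
                denom *= j - m
        scale = value * pow(denom % mod, -1, mod) % mod
        for k, c in enumerate(basis):
            g[k] = (g[k] + scale * c) % mod
    return [(-p * c) % mod for c in g] + [1]      # X^p - p*G(X)


def extract_digits(z, p, e):
    """Base-p digits d_0..d_(e-1) of z mod p^e, lowest first, computed the way
    a homomorphic bit-extraction procedure does it: lift the lowest digit of
    the current value until the digits above it vanish, subtract it, divide
    by p, and repeat."""
    mod = p ** e
    lift = lifting_polynomial(p, e)
    digits = []
    w = z % mod                       # stage i: w holds digits i.. of z, correct mod p^(e-i)
    for i in range(e):
        t = w
        for _ in range(e - 1 - i):    # each lift gains one digit of precision
            t = poly_eval(lift, t, mod)
        digits.append(t % p)          # t == d_i (mod p^(e-i))
        w = ((w - t) % mod) // p      # strip digit i; exact mod p^(e-i-1)
    return digits


def from_digits(digits, p):
    """Reassemble an integer from base-p digits (lowest first); used to check."""
    return sum(d * p ** i for i, d in enumerate(digits))


if __name__ == "__main__":
    # Toy parameters constructed for illustration.
    for p, e in [(2, 4), (3, 3), (5, 2)]:
        print("p=%d e=%d F=%s" % (p, e, lifting_polynomial(p, e)))
        assert all(from_digits(extract_digits(z, p, e), p) == z for z in range(p ** e))
```

Each lift multiplies the polynomial degree by p, so the lowest digit of an e-digit value already costs degree p^{e−1}; for p = 3, e = 3 the lifting polynomial is X³ − 3X² + 3X modulo 27, and for p = 2 every lift is a single squaring.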
Algorithm 3 then shows how to combine our optimized bootstrapping technique with the SIMD homomorphic computation techniques of Smart and Vercauteren [23], to get a bootstrapping method that works in time quasi-linear in the security parameter.
Step 1. The user first post-processes the   -secret-key by encrypting  as a  0 -ciphertext c  = ( 0  ,  1  ) with respect to the  0 -secret-key s  = (1, s), namely the user has
Step 2. The server computes  homomorphically. Specifically, the server computes the mod- +1 inner product homomorphically by setting
Step 3. Apply a homomorphic inverse-DFT transformation to convert to CRT-based "packed" ciphertexts that hold the coefficients of  in their plaintext slots.
Step 4. Apply the bit-extraction procedure to all these slots in parallel. The result is an encryption of polynomials that have the coefficients of  in their plaintext slots.
Step 5. Apply a homomorphic DFT transformation to get back a ciphertext that encrypts the polynomial  itself.
Algorithm 3: Batched bootstrapping implementation of our scheme.

Implementation and Performance
In this section, an implementation of the BGV ring-LWE-based scheme is described, since it offers nearly the most efficient homomorphic operations. The scheme is defined over the ring   = Z[]/(Φ  ()), where Φ  () is the  th cyclotomic polynomial. Let  be a prime or a prime power, and let A  := Z  []/Φ  (). Specifically, assume Φ  () ≡  1 () ⋅ ⋅ ⋅  ℓ () (mod ), where each   has the same degree , equal to the order of  modulo . Then, by the Chinese Remainder Theorem, we have the isomorphism   ≅ ⨁  =1 (Z[]/(,   ())). Besides, suppose sk = (1, s) is the  secret-key, where s ∈ Z[]/Φ  () is an integer polynomial with small coefficients, sk  = (1, s  ) is the  0 -secret-key, and c = ( 0 ,  1 ) is the   -ciphertext.
First, several triples (, , ) are chosen which satisfy Φ  () ≡  1 () ⋅ ⋅ ⋅  ℓ () (mod ). For each triple (, , ), a test is run separately for our work and for HS's work. These tests were run on a four-year-old IBM System x3850 server, with two 64-bit 4-core Intel Xeon E5450 processors, 35MB of L2 cache and 32GB of RAM, at 3.0 GHz. The implementation was based mainly on Shoup's NTL library [23], version 9.10.0, and GNU's GMP library [24]; the former is used for the high-level numeric algorithms and the latter for the underlying integer arithmetic. The code was compiled with gcc (version 4.9.1). Table 2 summarizes the results of our experiments for our work and for HS's.
The first column gives the cyclotomic ring m and its factorization into prime powers. The second column gives the plaintext space, i.e., the field/ring that is embedded in each slot. The third column gives the number of slots packed into a single ciphertext. The fourth column gives the effective security level, computed using the formula used in HElib, taken from [15, Eqn. (8)]. The "total recrypt" row gives the total time for a single recryption, while the two rows before it give a breakdown of that time (note that the time for the linear transforms includes some trivial preprocessing time, as well as the less trivial unpacking/repacking time). The last two rows give the memory used (in gigabytes).
As seen from Table 2, compared to HS's work, our variant of HS has advantages both in efficiency and in storage space. Besides, the variant of HS is more flexible and general in its parameters. This enables our method to be applied in a larger number of situations.
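As an added example (not from the paper), the following Python function computes the slot parameters of A_p = Z_p[X]/Φ_m(X) described above: with gcd(m, p) = 1, Φ_m(X) factors modulo p into ℓ = φ(m)/d irreducible factors of degree d, where d is the multiplicative order of p modulo m, so ℓ is the number of plaintext slots one ciphertext packs (the "number of slots" column of Table 2) and each slot holds a copy of GF(p^d). The values of m in the usage lines are constructed for illustration and are not the paper's parameters.

```python
# Added example (not from the paper): slot parameters of the plaintext ring
# A_p = Z_p[X]/Phi_m(X).  Phi_m factors mod p into phi(m)/d irreducible
# factors of degree d = ord_m(p); phi(m)/d is the number of plaintext slots.

from math import gcd


def euler_phi(m):
    """Euler's totient phi(m) by trial-division factorisation (m is small here)."""
    result, n, f = m, m, 2
    while f * f <= n:
        if n % f == 0:
            while n % f == 0:
                n //= f
            result -= result // f
        f += 1
    if n > 1:
        result -= result // n
    return result


def multiplicative_order(p, m):
    """Smallest d >= 1 with p^d = 1 (mod m); requires gcd(p, m) = 1."""
    if gcd(p, m) != 1:
        raise ValueError("p must be coprime to m")
    if m == 1:
        return 1
    d, x = 1, p % m
    while x != 1:
        x = x * p % m
        d += 1
    return d


def slot_parameters(m, p):
    """Return (phi(m), d, l): ring dimension, slot field degree GF(p^d), slot count."""
    phi = euler_phi(m)
    d = multiplicative_order(p, m)
    return phi, d, phi // d


if __name__ == "__main__":
    # Constructed sample values of m, all with p = 2.
    for m in (7, 15, 31, 257):
        phi, d, slots = slot_parameters(m, 2)
        print("m=%d: phi(m)=%d, slot field GF(2^%d), %d slots" % (m, phi, d, slots))
```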

Conclusions
Up to now, Gentry's bootstrapping technique is still the only known method of obtaining a "pure" FHE scheme. Meanwhile, it is also the key reason for the low efficiency of FHE schemes. It is very meaningful to improve the efficiency of bootstrapping, which mainly means a lower-depth circuit implementation of the decryption function. This paper improves the load capacity of HS's work, giving better efficiency for bootstrapping, and generalizes  to more general situations in a similarly simple way. This enables our method to be applied in a larger number of situations, such as the privacy protection of IoT.

Figure 2: The load capacity on the span length of  and .

Table 1: The parameters of the low-depth circuit implementation of modular reduction in HS and in our work.

Algorithm 2: Homomorphic bit-extraction procedure.
Input: Modulus  =  ⋅   + V, and a ciphertext c encrypting a constant  ∈ (Z/ +1 Z) relative to secret key s and modulus  +1
Output: A ciphertext c  encrypting the bit operation relative to secret key s and modulus  
1. Set c 0 ← c // c encrypts  w.r.t. s
2. For  = 1 to 
3. Set  ← c  //  is an accumulator
4. For  = 0 to  = 1 // Compute  − ∑     −1

Table 2: Experimental results for our batched bootstrapping and HS.