Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University CRYPTO 2012
Outsourcing Computation π¦ π¦ π π(π¦) Email, web- search, navigation, social networkingβ¦ Search query, location, business information, medical informationβ¦ What if π¦ is private?
Outsourcing Computation β Privately Learns nothing on π¦ . πΉππ(π¦) π¦ π π§ πΈππ π§ = π(π¦) Homomorphic Encryption π, πΉππ π¦ 1 , β¦ , πΉππ π¦ π β πΉππ(π π¦ 1 , β¦ , π¦ π ) We assume w.l.o.g π β *+,Γ+ (over β€ 2 ).
The Old Days of FHE 2009-2011 β’ Gentryβs breakthrough [G09,G10] β first candidate. β’ [vDGHV10, BV11a] : Similar outline, different assumptions. β’ [GH11] : Chimeric-FHE. β’ Efficiency attempts [SV10,SS10,GH10,LNV11] .
2 nd Generation FHE β’ [BV11b] : LWE-based FHE (= apx. short vector in lattice). β Better assumption. β Clean presentation: no ideals, no βsquashingβ. β Efficiency improvement. β’ [BGV12] : Improved performance via Modulus Switching. β Quantitatively better assumption. β βLeveledβ homomorphism without bootstrapping. β Efficiency improvements using ideals (βbatchingβ). [GHS11,GHS12a, GHS12b] : Efficiency improvements and optimizations using ideals.
This work: Modulus switching is a red herring βScale - independent encryptionβ β better performance with less headache
FHE 101 [BV11b] Security based on πππΉ π,π,π½ The Scheme: π β π‘ = π + 2π + ππ½ π Secret key: π‘ β β€ π π small (initial) noise π < πΆ = π½π Ciphertext: π β β€ π 1 dec. if π /π < 4 Encryption algorithm: Doesnβt matter. Decryption algorithm: π β π‘ πππ π (πππ 2) .
FHE 101 [BV11b] The Scheme: π β π‘ = π + 2π + ππ½ π Secret key: π‘ β β€ π π small (initial) noise π < πΆ = π½π Ciphertext: π β β€ π 1 dec. if π /π < 4 That again? Just addβem, dudeβ¦ Additive Homomorphism: π 1 , π 2 β π 1 + π 2 πππ π
FHE 101 [BV11b] The Scheme: π β π‘ = π + 2π + ππ½ π Secret key: π‘ β β€ π π small (initial) noise π < πΆ = π½π Ciphertext: π β β€ π 1 dec. if π /π < 4 Multiplicative Homomorphism: π 2 π‘π changedβ¦ π 1 , π 2 β π 1 β π 2 πππ π β β€ π noise blows up! πͺ β πͺ π β β― β πͺ π π but we can bring it back vector of all cross terms π 1 π β π 2 π π,π (we have the technology) 1 dec. if πΆ 2 π /π < 4 π 1 β π 2 β π‘ β π‘ = π 1 β π‘ β π 2 β π‘ = π 1 + 2π 1 β π 2 + 2π 2 (πππ π) = π 1 π 2 + 2 β π π 1 π 2 (πππ π) ~πΆ 2
Modulus Switching [BGV12] Idea: Bring noise back down by dividing the entire ciphertext by πΆ . π π π /πΆ β β€ π/πΆ π β β€ π /πΆ with noise |π| < πΆ 2 with noise |π| < πΆ (make sure not to harm the message bit π ) Noise/modulus evolution: (πͺ, π) β (πͺ, π/πͺ) β β― β (πͺ, π/πͺ π ) dec. if πΆ π+1 < π/4
My Problems with Modulus Switching 1. Modulus switching is scale-dependent. Scaling πΆ, π changes performance: - Smaller πΆ, π ο smaller πΆ π+1 /π ο better homomorphism. 2. What does modulus switching really do? n othingβ¦ - Same as a scaling factor in the tensoring process ( π 1 , π 2 β π β π 1 β π 2 πππ π ). - In a βcorrectβ scale, this factor should be 1.
Our Solution: Scale-Independent FHE π β π‘ = π + π + 2π½ β β€ π Secret key: π‘ π small (initial) noise π < 2π½ Ciphertext: π β β 2 1 dec. if π < 2 real numbers πππ 2 β‘ (β1,1] Compare with previous: Hardness assumption is the same πππΉ π,π,π½ .
Scale-Independent Multiplication π + 2π½ β π β π‘ β€ π‘ 1 π β π‘ = π + π + 2π½ β β€ π Secret key: π‘ π small (initial) noise π < 2π½ Ciphertext: π β β 2 1 dec. if π < 2 real numbers πππ 2 β‘ (β1,1] Multiplicative Homomorphism: π 2 π 1 , π 2 β π 1 β π 2 πππ 2 β β 2 Careful! 1/2 πππ 2 β 2 πππ 2 β 1 (πππ 2) π 1 β π 2 β π‘ β π‘ = π Noise blowup: π· β π· β π π 1 β π‘ β π 2 β π‘ = π 1 + π 1 + 2π½ 1 β π 2 + π 2 + 2π½ 2 (πππ 2) = π 1 π 2 + π 1 β π 2 + 2π½ 2 + π 2 β π 1 + 2π½ 1 + π 1 π 2 (πππ 2) ~π½ 2 = tiny! ~π½ β |π + 2π½| β² π½ β π‘ 1
Scale-Independent Multiplication π β π‘ = π + π + 2π½ β β€ π Secret key: π‘ π small (initial) noise π < 2π½ Ciphertext: π β β 2 1 dec. if π < 2 real numbers πππ 2 β‘ (β1,1] Multiplicative Homomorphism: π 2 π 1 , π 2 β π 1 β π 2 πππ 2 β β 2 Noise blowup: π· β π· β π π Not good enough: π‘ 1 β ππ Solution: Decompose the elements of π‘ into π log π bits.
Binary Decomposition π‘ = π‘ 1 , π‘ 2 , β¦ π = π 1 , π 2 , β¦ π‘ β π = π‘ 1 β π 1 + π‘ 2 β π 2 + β― π‘ = π‘ 1 0 , β¦ , π‘ 1 log π , π‘ 2 0 , β¦ , π‘ 2 log π , β¦ = π 1 , 2π 1 , β¦ , 2 log π π 1 , π 2 , 2π 2 , β¦ , 2 log π π 2 , β¦ π = π‘ 1 π β 2 π π 1 + π‘ 2 π β 2 π π 2 π‘ β π + β― π π = π‘ 1 β π 1 + π‘ 2 β π 2 + β―
Scale-Independent Multiplication π‘ 1 β€ π log π π β π‘ = π + π + 2π½ β *0,1+ π log π Secret key: π‘ small (initial) noise π < 2π½ π log π Ciphertext: π β β 2 1 dec. if π < 2 real numbers πππ 2 β‘ (β1,1] Multiplicative Homomorphism: π 2 π 1 , π 2 β π 1 β π 2 πππ 2 β β 2 Noise blowup: π· β π· β π log π β€ π· β π π Noise blowup: π· β π· β π π For depth π circuit: π½ β π½ β π π(π) regardless of scale!
Full Homomorphism via Bootstrapping Evaluating depth π circuit: π· β π· β π π·(π) For βbootstrappingβ: π = π(log π) β π· β π· β π π·(π¦π©π‘ π) β dec. if π· β π βπ·(π¦π©π‘ π) regardless of π ! (in *BGV12+ only for βsmallβ odd π ) Using π β 2 π β Hardness based on classical GapSVP.
Conclusion β’ Scale-independence ο FHE without modulus switching. β’ Homomorphic properties independent of π . β But π still matters for security. β’ Properties of [BGV12] extend. β’ Bonuses: β Our π can be even (e.g. power of 2). β Security based on classical GapSVP (as opposed to quantum). β’ Simpler!
also see blog post with Boaz Barak: tiny.cc/fheblog1 ; tiny.cc/fheblog2
Farewell CRYPTO β12β¦
also see blog post with Boaz Barak: tiny.cc/fheblog1 ; tiny.cc/fheblog2
Recommend
More recommend
![P OLYNOMIAL PLAINTEXT MODULUS [CLPX18] Replace t by X b : = Z / b n + 1 . R X b =](https://c.sambuz.com/841942/p-olynomial-plaintext-modulus-clpx18-s.jpg)
