Abstract
We propose a new FHE scheme F-NTRU that adopts the flattening technique proposed in GSW to derive an NTRU based scheme that (similar to GSW) does not require evaluation keys or key switching. Our scheme eliminates the decision small polynomial ratio assumption but relies only on the standard R-LWE assumption. It uses wide key distributions, and hence is immune to Subfield Lattice Attack. In practice, our scheme achieves competitive timings compared to the existing schemes. We are able to compute a homomorphic multiplication in 24.4 msec and 76.0 msec for 5 and 30 levels, respectively, without amortization. Furthermore, our scheme features small ciphertexts, e.g. 2376 KB for 30 levels. The assurance gained by using wide key distributions along with the message space flexibility of the scheme, i.e. bits, binary polynomials, and integers with a large message space, allows the use of the proposed scheme in a wide array of applications.
1 Introduction
The notion of fully homomorphic encryption (FHE) scheme stayed as an open question for a few decades since its introduction by Rivest et al. [23]. In 2009 the first working FHE scheme was constructed by Gentry [11, 12]. However, the proposed scheme was lacking in performance and it was not possible to implement anything practical. For instance, its most crucial operation called bootstrapping, which is used to restore the noise in ciphertext to an acceptable level, was taking 30 seconds in this very first implementation. After the introduction of the first FHE scheme, we witnessed the introduction of many new FHE constructions aimed at bringing FHE closer to real-world applications and with fewer assumptions. Several integer-based constructions and learning with error (LWE)-based constructions may be found in [7, 8, 27] and in [5, 13, 14], respectively.
These recent constructions brought along an impressive array of optimization techniques that can compete with the expensive bootstrapping operation. Such one scheme, which is based on LWE, was constructed by Brakerski, Gentry and Vaikuntanathan (BGV) [4]. The scheme uses a method called modulus switching to mitigate noise growth in ciphertexts. Another leveled FHE scheme was presented by López-Alt, Tromer, Vaikuntanathan (LTV) in [20]. Their scheme is based on a variant of NTRU [16] constructed earlier by Stehlé and Steinfeld [25]. The authors introduced a new key switching technique called relinearization.
The NTRU variant in [25] was later modified and implemented by Bos et al. in [2]. They adopt the tensor product technique in [3] and achieved a scale-invariant scheme with limited noise growth on homomorphic operations. Also, with the use of the tensor product technique the authors managed to improve the security of the LTV scheme [20] by using much higher levels of noise and thereby remove the Decisional Small Polynomial Ratio (DSPR) assumption. Instead the scheme relies only on the standard lattice reductions as in [25]. However, as the authors also note, the YASHE scheme brings in large evaluation key and complicated key switching procedure. Specifically, the size of the evaluation keys are
Motivated by the complex noise management techniques, e.g. relinearization, modulus switching, bootstrapping, of the earlier FHE schemes Gentry, Sahai and Waters [15] proposed a new scheme based on the approximate eigenvector problem. The system uses matrix additions and multiplications which makes it asymptotically faster. At first, they define the GSW scheme as a somewhat homomorphic scheme since for a depth L circuit with B-bounded parameters the noise grows with a double exponential B2L. To convert the scheme into a leveled FHE, they introduce a Flatten operation which decomposes the ciphertext entries into bits. The secret key is also kept in a special powers of two form. With these modifications, the noise performance is improved greatly. For a depth L circuit with B-bounded secret key entries and 1-bounded (flattened) ciphertexts, the error magnitude is at most (N + 1)LB for N = log(q)(n + 1). However, ciphertexts still take a considerable space Θ(n2log(q)2) and as noted by GSW [15] the scheme may not be as efficient as existing leveled schemes in practice.
The Subfield Lattice Attack. To overcome the efficiency bottleneck of FHE numerous optimizations along with customized selections of parameters have been proposed in the literature, e.g. special form lattice dimensions and moduli permitting efficient number theoretical transforms and batching, assumptions regarding the distributions of noise and parameters, etc. On the downside many of these assumptions are still open to debate from a security point of view. A very recent work by Albrecht, Bai and Ducas [22] painfully demonstrated this fact. The authors exploit the presence of a subfield to solve the NTRU problem for large moduli q and show that when the NTRU parameters are chosen poorly then the DSPR problem is not as hard as believed thereby invalidating the underlying security assumption in LTV [9, 20] and YASHE’ [2]. Thus, the asymptotic security of both schemes is significantly reduced. Furthermore, very recently Kirchner and Fouque in [17] proposed a variant of the subfield attack of Albrecht et. al. [22]. What is striking is that the authors are able to recover functional versions of secret keys for a wide array of instances of NTRU-based FHE implementations that use short keys, e.g. YASHE [2] and LTV-based FHE [9] even for instances with Hermite factors of 1.0058. The authors conclude that the only proven way to secure the NTRU is to use the parameters in Stehlé and Steinfeld’s NTRU variant [25], i.e. σ = 𝓞(
Our Contribution. In this work, we present a new leveled FHE scheme F-NTRU that is based on the Stehlé and Steinfeld variant of NTRU [25] and adopts Flattening – the noise management technique introduced in (GSW) [15]. In a nutshell, we are able to achieve the best of both implementations in [2], i.e. elimination of expensive evaluation keys and reduction of security assumptions. Specifically,
We introduce the first NTRU based FHE implementation that uses the Flattening method of GSW. Our scheme uses the encryption methods of NTRU for ciphertext creation, converts them into a matrix structure and makes use of the Flattening noise management technique.
By employing Flattening, we are able to multiply ciphertexts with only linear increase in the size of the noise level. Our scheme does not use any expensive noise reduction techniques such as relinearization and does not require prohibitively large evaluation keys.
Our construction does not require evaluation keys. In contrast, YASHE evaluation keys grow as 𝓞̃ (L4) where L represents the evaluation depth. This makes it impossible to use YASHE in deep evaluations.
Using the noise asymmetry property of our scheme, we are able to provide small parameters which results in fast homomorphic multiplications in range of milliseconds even for large multiplicative levels, e.g. 76 msec for L = 30.
Finally, via a simple polynomial to integer mapping our scheme becomes able to support homomorphic integer arithmetic. We present noise analysis in this case as well. Featuring a very large message space, the integer version of F-NTRU is capable to support a wide range of applications where such arithmetic is required.
2 Overview of NTRU Based FHE Schemes and GSW
We briefly summarize the NTRU based FHE Schemes and the GSW scheme that is relevant to our construction in Appendix A.
3 Our proposal: F-NTRU Scheme
Here we propose a new scheme called F-NTRU that shares the goals of the GSW construction [15], i.e. no evaluation keys, no expensive relinearization operations, no modulus switching and simple homomorphic additions and multiplications. To this end we adopt the flattening approach of [15] and apply it to the NTRU variant, i.e. NTRU′, by Stehlé and Steinfeld [25].
Preliminaries. We work in Rq = ℤq[x]/〈xn + 1〉. We adapt two functions from [15] to work in the polynomial setting as follows:
Bit-Decomposition: The BitDecomp function takes a ciphertext polynomial c(x) and splits them into binary polynomials and forms a vector as:
Here a polynomial ci(x) with index i represents the binary polynomial that is formed using the ith bit index of the coefficients of c(x). One may easily reconstruct the ciphertext c(x) by simply computing:
Note that when we are computing BitDecomp−1, the elements in the vector do not necessarily have to be binary polynomials. It is possible that polynomials can contain coefficients that are not bits.
Flatten: When we are performing arithmetic operations, i.e. addition and multiplication, in our scheme, the elements of a flattened ciphertext vector lose their binary form. These extra bits in the coefficients of the polynomials cause additional noise in subsequent arithmetic operations. To prevent this, we use Flatten. Flatten restructures all the elements of the ciphertext vector into binary polynomials. We evaluate the Flatten operation as follows:
Here in the equation BitDecomp−1 converts the ciphertext vector into a full ciphertext polynomial in Rq. Later, using BitDecomp we convert the ciphertext into a binary polynomial vector again. Basically, this method carries over the extra bits of an element in the vector from least significant to most significant and performs a modular reduction using q to prevent overflow in the overall scheme.
The F-NTRU Scheme. The primitive operations of F-NTRU are defined as follows:
KeyGen: We use the key generation method of NTRU′ to select our parameters. For a security parameter λ, we choose our message modulus as 2, modulus q = q(λ), polynomial degree n = n(λ) where n is power of 2. Also we set Gaussian distributions χerr = χerr(λ) and χkey = χkey(λ). Sample g, f′ ∈ χkey and set public key h = 2gf−1 and secret key f = 2f′ + 1.
Encrypt: In order to encrypt a message μ, we create a vector with length ℓ = log q. Later, we fill the elements with encryptions of zeros using the NTRU′ scheme:
where Enci(0) = hsi + 2ei + 0. We call this the ciphertext vector. We take the transpose of the vector to list the elements in row and apply BitDecomp to the ciphertexts to turn the vector into a ℓ × ℓ matrix:
Then, we use the matrix to encrypt a message μ by evaluating:
Here, in the equation Iℓ is identity matrix with size ℓ.
Decrypt: To decrypt the message we take the first row of the matrix and apply Inverse-Bit-Decomposition to form a NTRU’ ciphertext:
Once the NTRU’ ciphertext is constructed, we are able to decrypt the message using the secret key f for the NTRU’ scheme as ⌊c0f⌉ mod 2 = μ.
Eval. The homomorphic XOR and AND operations are simply computed as matrix addition and multiplication operations, respectively followed by a Flatten operation, i.e.
We show; how the correctness of homomorphic circuit evaluation are preserved in Appendix B, and the optimization techniques that are implemented in Appendix C.
4 Security Analysis
Our scheme uses the NTRU’ encryption scheme adopted from [25]. In F-NTRU, an attacker has access only to a ciphertext vector which holds NTRU’ ciphertexts built with fresh encryptions of zero. Therefore as long as NTRU’ ciphertexts are secure, our scheme is also secure. According to the Stehlé and Steinfeld [25], their scheme is IND-CPA secure under the hardness of R-LWE assumption as long as the error has a wide distribution 𝔻ℤn,σ, i.e. σ >
Fortunately, our scheme has a better control on noise management. The (size of the) noise increases linearly with the multiplicative depth. Therefore, we are able to use a wide error distribution and achieve IND-CPA security as in the original scheme by Stehlé and Steinfeld in [25]. Thus the standard deviation σkey of the discrete Gaussian distribution 𝔻ℤn,σkey needs to be set as:
for ϵ > 0. In this setting we are able to generate a public key h = g/f, i.e. g ∈ χkey and f′ ∈ χkey (f = 2f + 1) in which χkey is truncated 𝔻ℤn,σkey, that is indistinguishable from a uniformly random distribution. The ϵ is evaluated by using the statistical distance Δ between the uniformly random distribution and the Gaussian distributed selected polynomials:
For R-LWE security we follow the settings in [20]. The noise parameters s and e are sampled from the distribution χerr, a truncated Gaussian distribution 𝔻ℤn,σerr. The standard deviation σerr of the error distribution has the following bound σerr >
As above mentioned, the distributions χkey and χerr are truncated Gaussian distributions. They are also defined as B-bounded[1] distributions which means the samples are selected from [−B, B]. The bound value B is selected as a function of the advantage ϵ in a distinguishing attack, e.g. ϵ = 2−128. The function, e.g. see [10], gives for a sample x ∈ χ the probability of x being larger than k ⋅ σ for a factor k is:
Using the equation above, we select the factor k as k(ϵ) = min{k|erf(k/
Hermite Factor. The existing attacks rely on the lattice reduction algorithms and the best attack known in practice is BKZ 2.0 [6] by Chen and Nguyen. The quality of the security is measured by Hermite factor δ. A recent work by van de Pol and Smart [26] shows that a fixed Hermite factor for all the lattice dimensions is not true. They show that it is possible to reduce the lattice dimension by selecting a larger Hermite factor for the same security level by utilizing the work of Chen and Nguyen in [6]. Later, a similar approach is followed by Lepoint and Naehrig [19]. They used a quadratic function to interpolate the enumeration costs in [6] and compute the Hermite factors for a wide range of lattice dimensions. This results in Hermite factors that are more precise for the required security levels. Furthermore, they also derive the following condition on q
where
5 Noise Analysis
In this section we analyze the noise performance of our scheme with homomorphic evaluations. In case of a homomorphic addition, the noise increases only a small percent compared to homomorphic multiplication. In our analysis we want to determine the depth of the circuit we can evaluate and still decrypt correctly with growing noise. This analysis includes average case and worst case scenarios for homomorphic multiplication that estimates the number of possible multiplicative levels. Since additions contribute minimally to noise growth we focus only on homomorphic multiplications.
For an element a ∈ ℝ we define the Euclidean norm
Lemma 5.1
([20, 21]). In a ringR = ℤ[x]/〈xn + 1〉, for any two polynomialsa, b ∈ R we have the following norms ∥ab∥ ≤
Recursive Evaluation. We assume the evaluation circuit is arranged into a tree with levels of parallel multiplication gates that accept as input the output ciphertexts from the previous level. Lets denote a ciphertext matrix that is at a certain multiplicative level i as C(i). Then, a ciphertext matrix at a multiplicative level C(i) = C(i−1) ⋅ C̃(i−1). Lets recall that these ciphertext matrices are actually NTRU’ ciphertext vectors with BitDecomp applied. We also denote the ciphertexts in the vector for multiplicative level i and row index j as
In the first multiplicative level, i.e. i = 0, ciphertext vectors are fresh encryptions with security parameters explained in Section 4. Basically, we have samples g, f′ ∈ χkey and s, e ∈ χerr and ciphertexts
By taking advantage of noise asymmetry and using single bit encryption, the noise is formulated as
for μ, μ̃ ∈ {0, 1}, the noise bounds Bi, BkeyBerr. The details of the noise analysis is in Appendix D
Circuit Evaluation. The single bit encryption gives an advantage for scalable computation. In order to maintain the message bit values as 0 or 1, the gates sohuld be implemented in such a way to preserve the structure. The implementation details are in Appendix E.
6 Complexity
In Table 1 we summarize the asymptotic complexities of F-NTRU and YASHE schemes. We use ℓ = (log q)/ω for radix size 2ω. Note that our scheme does not require evaluation keys, but the ciphertexts consist of ℓ polynomials. After circuit evaluations the ℓ polynomials are reduced to a single polynomial ciphertext. On the other hand YASHE requires ℓ3 polynomials for evaluation keys. For homomorphic AND evaluation our scheme requires ℓ2 polynomial multiplications or using the one sided AND evaluation it uses ℓ polynomial multiplications. In case of YASHE, the scheme uses ℓ2 polynomial multiplications followed by a costly key switching operation computed via ℓ3 polynomial multiplications.
Comparison of F-NTRU and YASHE: homomorphic AND evaluation and Key Switching complexities are in terms of polynomial multiplications with ℓ = (log q)/ω.
| F-NTRU | YASHE | |
|---|---|---|
| Eval. Key Size | - | 𝓞(ℓ3n log q) |
| Ciphertext Size | 𝓞(ℓn log q) | 𝓞(n log q) |
| Final Ciphertext Size | 𝓞(n log q) | 𝓞(n log q) |
| AND Eval. | 𝓞(ℓ2) | 𝓞(ℓ2) |
| One Sided AND Eval. | 𝓞(ℓ2) | 𝓞(ℓ) |
| Key-Switching | - | 𝓞(ℓ3) |
7 Parameter Selection
In our choice of parameters we aimed for 80-bit and 128-bit security levels. For comparison, we also tabulated parameter choices for selected depths for F-NTRU and YASHE as shown in Table 2. The parameters were extracted using the single bit encryption case and for an implementation that takes advantage of the noise asymmetry, i.e. Equation 5. In case of selection of the noise distribution we follow the Equation 1 and choose noise distance to be smaller than 2−128 for Equation 2. The Hermite Factor is selected using the approach in Section 4. We also use the R-LWE estimator from [1] for selecting a bound for error noise, i.e. Berr = 2.
Parameters (log(n), log(q)) to support depth L evaluations with ω = 16 and security parameter λ.
| F-NTRU | YASHE | ||
|---|---|---|---|
| L | λ ≥ 80 | λ ≥ 128 | λ ≥ 128 |
| 5 | (12, 136) | (12, 136) | (11, 359) |
| 10 | (12, 147) | (13, 152) | (13, 840) |
| 20 | (12, 169) | (13, 173) | (14, 1705) |
| 30 | (13, 195) | (13, 195) | (14, 2538) |
In Table 3 and Table 4, we summarize the maximum possible number of multiplications, i.e. 2L, for 80-bit and 128-bit security levels, respectively. Note that it is advantageous to select large radix sizes ω for faster evaluation. This decreases the run-time significantly, however, the depth is reduced somewhat since the noise is increased. As for ciphertext sizes, we are able to decrease it by a factor of ω.
Entries give the equivalent multiplicative depth L, i.e. parameters support 2L multiplications. The security parameter λ is chosen to support 80-bit security.
| ω = 16 | ω = 8 | ω = 4 | ||||
|---|---|---|---|---|---|---|
| (N, log q) | Worst | Average | Worst | Average | Worst | Average |
| (4096, 184) | 10 | 26 | 18 | 34 | 23 | 38 |
| (8192, 378) | 97 | 114 | 105 | 122 | 109 | 126 |
| (16384, 776) | 279 | 298 | 287 | 306 | 291 | 310 |
Entries give the equivalent multiplicative depth L, i.e. parameters support 2L multiplications. The security parameter λ is chosen to support 128-bit security.
| ω = 16 | ω = 8 | ω = 4 | ||||
|---|---|---|---|---|---|---|
| (N, log q) | Worst | Average | Worst | Average | Worst | Average |
| (4096, 150) | 0 | 6 | 0 | 14 | 3 | 18 |
| (8192, 290) | 52 | 69 | 60 | 77 | 64 | 81 |
| (16384, 597) | 191 | 209 | 199 | 217 | 203 | 221 |
8 Implementation Results
We implemented the F-NTRU scheme using Shoup’s NTL library version 9.6.4 [24] compiled with the GMP 6.1 package. We ran our experiments on a 125 GBs of RAM and Intel Xeon E5-2637v2 64-bit CPU server clocked at 3.5 Ghz. The timing results for homomorphic multiplication are summarized in Table 5 for the parameters choices in Table 2. Although the algorithm is suitable for parallelization, NTL’s threading capabilities are limited. Therefore, when we use 4 threads, i.e. C = 4, we only achieve ∼ 2 times speedup. Furthermore, it is clear from the table that using 8 threads does not change the timings significantly.
Homomorphic multiplication times (msec) for radix selection ω = 16. C denotes the number of threads.
| F-NTRU | F-NTRU | |||||
|---|---|---|---|---|---|---|
| λ ≥ 80 | λ ≥ 128 | |||||
| L | C = 1 | C = 4 | C = 8 | C = 1 | C = 4 | C = 8 |
| 5 | 43.5 | 25.1 | 24.4 | 43.5 | 25.1 | 24.4 |
| 10 | 53.3 | 29.8 | 30.8 | 110.7 | 74.2 | 60.7 |
| 20 | 60.0 | 32.0 | 31.2 | 133.4 | 68.1 | 72.5 |
| 30 | 145.9 | 92.5 | 76.0 | 145.9 | 92.5 | 76.0 |
The main advantage of the proposed F-NTRU scheme is that it eliminates costly evaluation keys and the slow relinearization operations. In addition the homomorphic evaluation is immensely simplified as we no longer care about keeping track of the evaluation levels per ciphertext. Finally, we summarize the evaluation key and ciphertext sizes in Table 6.
Evaluation key and ciphertext sizes to support depth L evaluation, i.e. 2L multiplications. YASHE key sizes are computed by using the formulation in [2] which is for the worst case scenario.
| Evaluation Key | Ciphertext | |||
|---|---|---|---|---|
| YASHE | F-NTRU | F-NTRU | YASHE | |
| λ ≥ 80 | λ ≥ 80 | λ ≥ 128 | λ ≥ 80 | |
| L | ω = 2 | ω = 16 | ω = 16 | ω = 2 |
| 5 | 3.86 TB | 578 KB | 578 KB | 87 KB |
| 10 | 478 TB | 675 KB | 1444 KB | 820 KB |
| 20 | n/a | 892 KB | 1870 KB | 3.3 MB |
| 30 | n/a | 2376 KB | 2376 KB | 4.9 MB |
9 Conclusion
We presented a new leveled FHE scheme F-NTRU based on a variant of NTRU and by making use of a recently proposed noise management technique. Our scheme manages to eliminate costly evaluation keys, and any need for key switching and relinearization operations. We rigorously analyzed the security and noise performance of the proposed scheme, and determined parameters needed for correct evaluation of circuits of arbitrary depth. Our scheme makes use of wide key distributions and does not suffer from the Subfield Lattice Attack as LTV and YASHE’. Unlike these schemes, our proposed scheme does not rely on the DSPR assumption.
We analyzed and compared our scheme to the only other NTRU based FHE scheme immune to the attack, i.e. YASHE. Unlike YASHE, our scheme does not suffer from costly evaluation keys and relinearization operations. More significantly it supports deep homomorphic evaluation at reasonable ciphertext sizes, i.e. 2376 KB for 30 multiplicative levels. Our implementation achieves competitive speeds: multiplication in 24.4 msec to support 5 levels and 76 msec for 30 levels. With such speeds our scheme becomes relevant for use in restricted real-life applications. Finally, via a simple polynomial to integer mapping, our scheme supports homomorphic integer arithmetic with a very large message space as desired by many applications.
Acknowledgement
This work was in part supported by the NSF-CISE Awards #1561536 and #1319130. We would like to thank Léo Ducas for clarifying the Subfield Lattice Attack and Vincent Migliore for pointing out a mistake in the parameter selection in an earlier version of our manuscript.
References
[1] Martin Albrecht, lwe-estimator, https://bitbucket.org/malb/lwe-estimator.Search in Google Scholar
[2] Joppe W. Bos, Kristin Lauter, Jake Loftus and Michael Naehrig, Cryptography and Coding: 14th IMA International Conference, IMACC 2013, Oxford, UK, December 17-19, 2013. Proceedings, ch. Improved Security for a ing-Based Fully Homomorphic Encryption Scheme, pp. 45–64, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.10.1007/978-3-642-45239-0_4Search in Google Scholar
[3] Zvika Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP, pp. 868–886, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.10.1007/978-3-642-32009-5_50Search in Google Scholar
[4] Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan, Fully Homomorphic Encryption without Bootstrapping, Electronic Colloquium on Computational Complexity (ECCC)18 (2011), 111.10.1145/2090236.2090262Search in Google Scholar
[5] Zvika Brakerski and Vinod Vaikuntanathan, Efficient Fully Homomorphic Encryption from (Standard) LWE, in: FOCS, pp. 97–106, 2011.10.1109/FOCS.2011.12Search in Google Scholar
[6] Yuanmi Chen and Phong Q. Nguyen, BKZ 2.0: Better Lattice Security Estimates, in: ASIACRYPT, pp. 1–20, 2011.10.1007/978-3-642-25385-0_1Search in Google Scholar
[7] Jean-Sébastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi, Fully Homomorphic Encryption over the Integers with Shorter Public Keys, in: CRYPTO, pp. 487–504, 2011.10.1007/978-3-642-22792-9_28Search in Google Scholar
[8] Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi, Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers, in: EUROCRYPT, pp. 446–464, 2012.10.1007/978-3-642-29011-4_27Search in Google Scholar
[9] Yarkın Doröz, Yin Hu and Berk Sunar, Homomorphic AES evaluation using the modified LTV scheme, Designs, Codes and Cryptography (2015), 1–26.10.1007/s10623-015-0095-1Search in Google Scholar
[10] Junfeng Fan and Frederik Vercauteren, Somewhat Practical Fully Homomorphic Encryption, IACR Cryptology ePrint Archive2012 (2012), 144.Search in Google Scholar
[11] C. Gentry, A Fully Homomorphic Encryption Scheme, Ph.D. thesis, Stanford University, 2009.10.1145/1536414.1536440Search in Google Scholar
[12] Craig Gentry and Shai Halevi, Implementing Gentry’s Fully-Homomorphic Encryption Scheme, in: EUROCRYPT, pp. 129–148, 2011.10.1007/978-3-642-20465-4_9Search in Google Scholar
[13] Craig Gentry, Shai Halevi and Nigel P. Smart, Better Bootstrapping in Fully Homomorphic Encryption, pp. 1–16, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.10.1007/978-3-642-30057-8_1Search in Google Scholar
[14] Craig Gentry, Shai Halevi and Nigel P. Smart, Fully Homomorphic Encryption with Polylog Overhead, pp. 465–482, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.10.1007/978-3-642-29011-4_28Search in Google Scholar
[15] Craig Gentry, Amit Sahai and Brent Waters, Advances in Cryptology – CRYPTO 2013: 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, ch. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, pp. 75–92, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.10.1007/978-3-642-40041-4_5Search in Google Scholar
[16] Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman, Algorithmic Number Theory: Third International Symposiun, ANTS-III Portland, Oregon, USA, June 21–25, 1998 Proceedings, ch. NTRU: A ring-based public key cryptosystem, pp. 267–288, Springer Berlin Heidelberg, Berlin, Heidelberg, 1998.Search in Google Scholar
[17] Paul Kirchner and Pierre-Alain Fouque, Revisiting Lattice Attacks on Overstretched NTRU Parameters, pp. 3–26, Springer International Publishing, Cham, 2017.10.1007/978-3-319-56620-7_1Search in Google Scholar
[18] Kristin Lauter, Adriana López-Alt and Michael Naehrig, Progress in Cryptology - LATINCRYPT 2014: Third International Conference on Cryptology and Information Security in Latin America Florianópolis, Brazil, September 17–19, 2014 Revised Selected Papers, ch. Private Computation on Encrypted Genomic Data, pp. 3–27, Springer International Publishing, Cham, 2015.10.1007/978-3-319-16295-9_1Search in Google Scholar
[19] Tancréde Lepoint and Michael Naehrig, A Comparison of the Homomorphic Encryption Schemes FV and YASHE, pp. 318–335, Springer International Publishing, Cham, 2014.10.1007/978-3-319-06734-6_20Search in Google Scholar
[20] Adriana López-Alt, Eran Tromer and Vinod Vaikuntanathan, On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption, in: Proceedings of the Forty-fourth Annual ACM Symposium on Theory of Computing, STOC ‘12, pp. 1219–1234, ACM, New York, NY, USA, 2012.Search in Google Scholar
[21] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, pp. 1–23, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010.10.1007/978-3-642-13190-5_1Search in Google Scholar
[22] Léo Ducas Martin Albrecht, Shi Bai, A subfield lattice attack on overstretched NTRU assumptions: Cryptanalysis of some FHE and Graded Encoding Schemes, Cryptology ePrint Archive, Report 2016/127, 2016, http://eprint.iacr.org/.10.1007/978-3-662-53018-4_6Search in Google Scholar
[23] R. L. Rivest, L. Adleman and M. L. Dertouzos, On Data Banks and Privacy Homomorphisms, Foundations of Secure Computation (1978), 169–180.Search in Google Scholar
[24] Victor Shoup, NTL: A Library for doing Number Theory.Search in Google Scholar
[25] D. Stehlé and R. Steinfeld, Making NTRU as secure as worst-case problems over ideal lattices, Advances in Cryptology – EUROCRYPT ’11 (2011), 27–4.10.1007/978-3-642-20465-4_4Search in Google Scholar
[26] Joop van de Pol and Nigel P. Smart, Estimating Key Sizes for High Dimensional Lattice-Based Systems, pp. 290–303, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.10.1007/978-3-642-45239-0_17Search in Google Scholar
[27] Marten van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan, Fully Homomorphic Encryption over the Integers, in: EUROCRYPT, pp. 24–43, 2010.10.1007/978-3-642-13190-5_2Search in Google Scholar
A NTRU based FHE Scheme Constructions
A.1 Stehlé and Steinfeld’s NTRU Variant
In [25] Stehlé and Steinfeld introduced a modification to the NTRU [16] scheme to make the scheme secure under the assumed quantum hardness of the standard worst-case lattice problem. The scheme fixes the ring to R = ℤ[x]/ 〈xn + 1〉 where n is a power of 2 and chooses q ≤ Poly(n). Also, chooses a message space ℤp. Using a discrete Gaussian distribution random samples f′, g are chosen where the secret key becomes f = pf′ + 1. Set public key h = pf−1g. A message μ is encrypted by computing c = hs + pe + μ mod q where s, e are Gaussian distribution samples. To decrypt we simply compute μ = c ⋅ f mod p.
A.2 DHS Scheme
Recently, Doröz, Hu and Sunar implemented single-key variation of the multi-key LTV-FHE scheme. This scheme is introduced in 2012 by López-Alt, Tromer and Vaikuntanathan (LTV) [20] as a full-fledged, multi-key and leveled fully homomorphic encryption scheme which is based on the NTRU cryptosystem. The NTRU scheme is a public key cryptosystem that is introduced by Stehlé and Steinfeld [25]. New additions to the NTRU scheme are operations for noise and key control are relinearization and modulus switching. Another addition to the scheme is adding random noise to the public key for security.
The DHS implementation has the operational ring Rq = ℤq[x]/〈xn + 1〉 in which q is our modulus and n is the degree of the polynomial. The scheme uses a truncated Gaussian error distribution function χ for sampling polynomials. The truncated distribution χ is B-bounded which means coefficient sizes are between range [−B, B]. The implementation has following four primitive functions:
KeyGen. Using the security parameter λ, we create a sequence of modulus for each level as qi = qd−i in which q is a prime. Later, we sample polynomials g ∈ χ and f′ ∈ χ and compute secret key f = 2f′ + 1 and public key h = 2gf−1 in ℤq0. In the next step, we compute the evaluation keys
Encrypt. In order to encrypt a message bit μ for level i, we compute c(i) = h(i)s + 2e + b which {s, e} ∈ χ and h(i) = h(0) mod qi.
Decrypt. In order to decrypt at level i, we compute μ = ⌈ c(i)f(i)⌋qi (mod 2).
Evaluation. Homomorphic evaluation requires relinearization and modulus switching after each multiplication or an addition operation. Since the additive operations do not create significant noise like multiplications, we apply the noise reduction techniques only after a multiplication. Relinearization is computed as
Note that the DHS implementation uses cyclotomic polynomials Φm(x) to define the ring instead of 〈xn + 1〉. The degree of the polynomial is n = ϕ(m) where ϕ is the Euler’s totient function. This setup allows batching of multiple messages into the same ciphertext polynomial and thereby enables parallel processing.
A.3 BLLN
The BLLN scheme was introduced by Bos et al. in [2]. BLLN is based of the scheme proposed by Stehlé and Steinfeld [25]. The authors create a scheme called YASHE by using the construction of [25] and modify it by applying the tensor product technique of [3] to curb the noise growth in multiplications. With this it becomes possible to use a high level of noise in encryptions with which the schemes becomes DSPR hard as in [25]. However, this brings large evaluation keys into the scheme and makes it difficult to use in practice: the evaluation key consists of ℓ3 = 𝓞((log(q))3) ciphertexts. To mitigate this problem, in the same reference the authors introduced another scheme called YASHE’. They discard the tensor product and decrease the size of the evaluation keys, i.e. ℓ ciphertexts. However, they have to reduce the noise levels on fresh ciphertexts which brings back the DSPR security assumption. In the following, we first give the Basic scheme and later explain YASHE and YASHE’ constructions using the Basic scheme.
Basic. We set the ring as R = ℤ[X]/ 〈xn + 1〉, t as the plaintext modulus, χerr and χkey as the Gaussian distribution for sampling. The scheme has the following primitive functions:
ParamsGen. For security parameter λ we create n = n(λ), q = q(λ), χkey = χkey(λ) and χerr = χerr(λ).
KeyGen. We sample f′, g ∈ χkey. Set secret key f = tf′ + 1 and public key h = tgf−1.
Encrypt. To encrypt message μ, we sample s, e ∈ χerr and compute c = ⌊q/t⌋ μ + e + hs.
Decrypt. To decrypt a message simply compute
There are 3 notations that need explanation before we summarize the YASHE scheme. The authors use ⊗ for the tensor product. The notation Pw,q is used to convert a number to an array with powers of w, i.e. Pw,q(x) → (x, xw, xw2, …, xwℓw,q−1) for ℓw,q = (logwq + 2). Last notation is Dw,q which decomposes a value into its word sizes, i.e. Dw,q(x) → (x0, x1, …, xℓw,q−1) where
YASHE. The Basic scheme explained above is used to construct a leveled FHE scheme. The primitive operations of the scheme is as follows:
ParamsGen. The parameters are selected the same way as in Basic scheme.
KeyGen. The public and secret key pairs are selected using the Basic.KeyGen routine, i.e. h, f ← Basic.KeyGen. Sample
Encrypt. Encrypt message μ as in Basic scheme.
Decrypt. Decrypt message as in Basic scheme.
KeySwitch. Compute 〈Dw,q(c), ζ〉 where c is a ciphertext.
Addition. Addition of two ciphertexts c1 and c2 is c = c1 + c2.
Multiplication. Multiplication of two ciphertexts is computed as
and later apply KeySwitch to c and output.
YASHE’. The primitive operations are as follows:
ParamsGen. The parameters are selected the same way as in Basic scheme.
KeyGen. The public and secret key pairs are selected using the Basic.KeyGen routine, i.e. h, f ← Basic.KeyGen. Sample
Encrypt. Encrypt message μ as in Basic scheme.
Decrypt. Decrypt message as in Basic scheme.
KeySwitch. Compute 〈Dw,q(c), ζ〉 where c is a ciphertext.
Addition. Addition of two ciphertexts c1 and c2 is c = c1 + c2.
Multiplication. Multiplication of two ciphertexts is computed as
and later apply KeySwitch to c and output.
A.4 GSW Scheme
We explain the scheme in four primitive functions in below. Before the explanations we should note some of the preliminaries that is used in the primitive functions. A vector a⃗ = (a0, …, ak−1) is split into its bits using the function BitDecomp(a⃗) = (a0,0, … a0,ℓ−1, …, ak−1,0 …, ak−1,ℓ−1). We are able to reconstruct the elements from the bit representations using the inverse of the BitDecomp as BitDecomp−1(a⃗) = (∑2ja0,j, …, ∑2jak−1,j). The most important function that the scheme uses is flattening. It keeps the ciphertexts bounded so that the noise increase after multiplicative operations are limited. We simply evaluate it as Flatten(a⃗) = BitDecomp(BitDecomp−1(a⃗)). The last function is Powersof2(a⃗) = (a0, 2a0, …, 2ℓ−1a0, …, ak, 2ak, …, 2ℓ−1ak) which multiplies the vector elements with powers of two. Using these functions, the encryption scheme is defined with the following primitives:
Setup. We select λ as the security parameter and L as multiplicative depth. Then compute lattice dimension n = n(λ, L), error distribution χ = χ(λ, L), parameter m = m(λ, L) = 𝓞(n log q). Also, set ℓ = ⌈ log q ⌉ + 1 and N = (n + 1)ℓ.
KeyGen. We sample t⃗ ←
Encrypt. A message μ is encrypted by simply computing C = Flatten(μIN + BitDecomp(R ⋅ A)) ∈
Decrypt. Select a row of the matrix, i.e. Ci as the i-th row of matrix C. Compute xi ← 〈Ci, v⃗〉 and the message as μ′ = ⌊xi/vi⌉.
The beauty of the GSW scheme is that straightforward addition and multiplication of ciphertext matrices suffice to compute homomorphic additions and multiplications. First, lets observe that the construction holds the property C ⋅ v⃗ = μ ⋅ v⃗ + e⃗, since secret key v⃗ is the approximate eigenvector related to the ciphertext. Therefore, adding ciphertext matrices has the effect of adding the corresponding eigenvalues (messages): (C1 + C2)⋅ v = (μ1 + μ2)⋅ v + (e1 + e2). Similarly the matrix product of the ciphertexts (in any order) multiplies the eigenvalues: C1 ⋅ C2 ⋅ v = C1 (μ2 ⋅ v + e2) = μ2 (μ1 ⋅ v + e1) + C1 ⋅ e2 = μ1μ2 ⋅ v + e.
B Correctness of Homomorphic Circuit Evaluation
The correctness of encryption/decryption trivially follows from the correctness of the NTRU’ scheme. In this section we briefly demonstrate how the NTRU’ ciphertext and associated F-NTRU ciphertext matrix forms are preserved thus allowing homomorphic evaluation. For clarity we use ciphertexts of sizes ℓ = 4.
First note that BitDecomp−1(C) is actually a vector that contains the encryptions of message bits scaled by powers of 2:
Homomorphic XOR. A homomorphic XOR operation between two ciphertext matrices is computed as shown in Figure 1.
Homomorphic XOR operation
This is the form we need to preserve throughout homomorphic evaluations for correctness.
When we apply BitDecomp(−1) to the rows of the addition matrix we obtain:
The ciphertext vector is still valid for the following two reasons:
The first part of the addition ci + c̃i still holds an encryption of zero. The only difference is that it is noisier compared to a fresh encryption.
The second term in each entry is the message scaled by powers of two, i.e. 2i ⋅(μ + μ̃) as in a fresh ciphertext.
Homomorphic AND. A homomorphic AND operation between two ciphertext matrices is computed as shown in Figure 2. We summarize the derivation of the rows of the product matrix as follows:
Homomorphic AND operation
Row 0: In Table 7 we show columns of the vector c⃗′ 0 = BitDecomp(
Derivation of Row 0 of product ciphertext
| c⃗′(0,3) | c(0,3) ⋅ (c̃(3,3) + μ̃) | +c(0,2) ⋅ c̃(2,3) | +c(0,1) ⋅ c̃(1,3) | +(c(0,0) + μ) ⋅ c̃(0,3) | 8 |
| c⃗′(0,2) | c(0,3) ⋅ c̃(3,2) | +c(0,2) ⋅ (c̃(2,2) + μ̃) | +c(0,1) ⋅ c̃(1,2) | +(c(0,0) + μ) ⋅ c̃(0,2) | 4 |
| c⃗′(0,1) | c(0,3) ⋅ c̃(3,1) | +c(0,2) ⋅ c̃(2,1) | +c(0,1) ⋅ (c̃(1,1)+ μ̃) | +(c(0,0) + μ) ⋅ c̃(0,1) | 2 |
| c⃗′(0,0) | c(0,3) ⋅ c̃(3,0) | +c(0,2) ⋅ c̃(2,0) | +c(0,1) ⋅ c̃(1,0) | +(c(0,0) + μ) ⋅ (c̃(0,0) + μ̃) | 1 |
The final ciphertext in Table 7 has the proper ciphertext form. The first part of the ciphertext c(0,3) ⋅ c̃3 + c(0,2) ⋅ c̃2 + c(0,1) ⋅ c̃1 + c(0,0) ⋅ c̃0 + c0 ⋅ μ̃ + c̃0 ⋅ μ is still an encryption of zero since ciphertexts ci and c̃i are encryptions of zero and their multiplication with a binary polynomial will result in zero encryptions as long as noise is contained.
Row 1: We apply the same arithmetic for the row number 1 and form a similar construction in Table 8. We achieve a similar derivation for second row in Table 8. The only difference is that now the message is scaled by 2.
Derivation of Row 1 of product ciphertext
| c⃗′(1,3) | c(1,3) ⋅ (c̃(3,3) + μ̃) | +c(1,2) ⋅ c̃(2,3) | +(c(1,1) + μ) ⋅ c̃(1,3) | +c(1,0) ⋅ c̃(0,3) | 8 |
| c⃗′(1,2) | c(1,3) ⋅ c̃(3,2) | +c(1,2) ⋅ (c̃(2,2) + μ̃) | +(c(1,1) + μ) ⋅ c̃(1,2) | +c(1,0) ⋅ c̃(0,2) | 4 |
| c⃗′(1,1) | c(1,3) ⋅ c̃(3,1) | +c(1,2) ⋅ c̃(2,1) | +(c(1,1) + μ) ⋅ (c̃(1,1)+ μ̃) | +c(1,0) ⋅ c̃(0,1) | 2 |
| c⃗′(1,0) | c(1,3) ⋅ c̃(3,0) | +c(1,2) ⋅ c̃(2,0) | +(c(1,1) + μ) ⋅ c̃(1,0) | +c(1,0) ⋅ (c̃(0,0) + μ̃) | 1 |
We can now generalize the arithmetic for each row i as follows:
As shown in Equation 4, after a matrix multiplication the ciphertext vector elements contains a (noisier) encryption of zero along with the message scaled by powers of 2, i.e. c⃗′ = {c̄ℓ−1 + 2ℓ−1μ̄, … c̄1 + 21μ̄, c̄0 + 20μ̄} in which μ̄ = μ ⋅ μ̃. Hence correctness holds throughout circuit evaluation as long as noise is contained.
C Optimizations
In our scheme we are able to perform certain optimizations on the arithmetic operations to reduce computational complexity and the memory footprint. The two main optimizations we perform are:
Using High Radix Representations. The flattened ciphertext matrix takes up a large space, ℓ2 = O(log(q)2). To mitigate we may use a higher radix representation, i.e. a larger radix 2ω and group ω bits for each element of the ciphertext matrix. When we apply BitDecomp−1, we use the powers of the chosen radix (2w)i instead of powers of 2i to reconstruct the ciphertext. With this approach we drastically reduce the matrix size: ℓ′ = ℓ/ω. Note that the number of zero encryptions of NTRU’ should be equal to ℓ′ as well. Using the high radix encoding the ciphertext size is reduced by ω times. In addition, the ciphertext matrix size is reduced by ω2 which decreases the complexity of matrix multiplication significantly.
Matrix Multiplication. A straight schoolbook matrix multiplication takes 𝓞(ℓ3) time and it may reduced to 𝓞(ℓ2.374) time using Coppersmith-Winograd algorithm. However, to evaluate deep circuits we will need a large modulus and even with the Coppersmith-Winograd algorithm multiplication will be slow. Therefore, we change matrix multiplication into a matrix-vector multiplication as follows:
A schoolbook matrix-vector multiplication has 𝓞(ℓ2) runtime which is faster than a matrix multiplication. The only downside of the algorithm is that a binary by a high radix polynomial multiplication should be implemented instead of a binary by binary polynomial multiplication. Although binary by high radix polynomial multiplication is slower, the time gap is closed in the higher level while computing the matrix-vector product for large ℓ values.
D Noise Analysis
Lets recall that for ciphertext matrix multiplications we have NTRU’ ciphertexts that hold the form given in Equation 4. The equation can be rewritten with level index to show the result of a multiplicative level as:
We can simplify the equation, for noise evaluation, by replacing radix size polynomials c(j,k) with yτ, choosing ciphertext vector index j = 0, and substituting y(i) in place of all ciphertexts since they have the same noise level for the same multiplicative level i:
To be able to decrypt y(i) correctly, we need ∥ y(i)f ∥∞ < q/2. Thus, we need
Later, we expand ∥ y(i−1)f∥∞ in terms of ∥ y(i−2)f∥∞ and continue the process recursively. At the lowest level we have:
Since ∥ g ∥∞ = ∥ f′ ∥∞ = Bkey, ∥ s ∥∞ = ∥ e ∥∞ = Berr, the worst-case noise is equal to
For an arbitrary level i, the noise can be evaluated recursively by setting Bi = ∥ y(i)f∥∞, ∥ yτ ∥∞ = 2ω − 1 and ∥ μ ∥∞ ≤ 1. The message at level i is bounded as ∥μi ∥∞ ≤ n2i−1. Then, the noise evaluation is evaluated as
which is also summarized as
In the average case the noise accumulation will be much slower than what the bound given above predicts due to the Gaussian distribution. Using the worst case noise bound, we can simply obtain the average case noise by substituting
Taking Advantage of Noise Asymmetry. As derived earlier the ciphertext c′ obtained from the homomorphic product of ciphertexts c and c̃ can be expressed as
It is important to note that roles of the input ciphertexts in the summation are not symmetric. The (left) input c is processed as binary polynomials breaking the structure of the ciphertext, while the (right) input c̃ is kept intact. Therefore the noise content in c becomes irrelevant in the summation. Since we have the freedom to switch the inputs, we may take advantage of this fact by by placing the noisier ciphertext to the left during our evaluations. In the extreme case we can always feed fresh ciphertexts from the right input. If we iterate i multiplications with fresh ciphertexts c̃i we obtain
The noise experienced in decrypting after iteration i will be
Basically, we have samples g̃, f′ ∈ χkey and s̃, ẽ ∈ χerr. For an arbitrary iteration i, the noise can be evaluated by setting B>i = ∥ yif∥∞, ∥ yτ ∥∞ = 2ω − 1, ∥μ0∥∞ ≤ 1 and for the messages ∥μ̃i∥∞ ≤ 1, and μi = μi−1μ̃i−1, ∥μi∥∞ ≤ n ∥μi−1∥∞ and with μ̃0 ≤ 1 we have ∥μi∥∞ ≤ ni. We explicitly derive the noise bound as
Here for B0 = ∥fy0∥∞ = ∥2gs + 2ef∥∞ ≤ 5nBkeyBerr + 2nBerr. In the average case the noise growth can be captured by
Improving Scalability with Single Bit Encryption. The analysis above shows that the noise growth scales with 𝓞(n) over the levels of encryption. In practice, during evaluations the noise term increases with the first term setting the noise floor, i.e. 𝓞(n2BkeyBerrℓ) and then with each additional level contributing by a factor of n (in the worst case). Therefore the number of levels supported is heavily determined by the dimension n.
The factor n is due to message polynomials we are encrypting. Encrypting polynomials enables batching and yields better amortized times. However, if we are willing to trade off batching, and instead encrypt bits we may improve scalability, significantly. We may make up for the loss of batching by employing much smaller parameter sizes. If we assume all messages μ, μ̃ ∈ {0, 1}, then the noise bound Bi = ∥ fyi ∥∞ simplifies to
Supporting Large Integer Messages. Our scheme is capable of supporting a large message space using the approach in [18]. The authors facilitate an integer to polynomial (and reverse) mapping by changing the message modulus from p = 2 into a polynomial p(x) = x − 2 in the encryption, decryption and key generation stages. Then we may simply encode the message bits into the message polynomial by distributing each message bit into the coefficients of a polynomial. For instance, a bit-decomposed message m = ∑imi 2i is encoded as m(x) = ∑imixi. With such an encoding we are able to support a very large integer message space, i.e. m ∈ [−2n, 2n].
After decryption, a message can be evaluated by simply applying x = 2 into the message polynomial. Since the input message is binary polynomial, the noise analysis is similar to the case that takes advantage of the noise asymmetry. In that case our binary polynomials have degree n, whereas now our message polynomials start with a small degree n′[2] and it grows with each multiplication. In the one-sided multiplication case, each multiplication increases the degree by n′. This gives us a more controllable noise compared to the message polynomials with degree n. By modifying the equation of noise asymmetry with n′, we obtain
E Circuit Evaluation
To take advantage of the scalability gained with single bit encryption, we need to maintain the message values in the ciphertexts always as 0 or 1 not only in fresh ciphertexts, but also in ciphertexts obtained through homomorphic evaluation. In [15] this is achieved by restricting the circuit to only (universal) $NAND$ gates. For input ciphertexts A and B, we can explicitly express the gate operations as follows
NOT: C = IN − A
AND: C = A ⋅ B
NAND: C = IN − A ⋅ B
XOR: C = (IN − A) ⋅ B + A ⋅ (IN − B) = A + B − 2 A ⋅ B
OR: C = IN − ((IN − A) ⋅ (IN − B)) = A + B − A ⋅ B
The evaluation process requires costly matrix multiplications. However note that for decryption we only need the first cipherext vector element to recover the result. Thus, during circuit evaluation we multiply all the elements of the ciphertext vector with the first element of the left operand. The remaining elements in the ciphertext vector are simply discarded. With this approach we achieve ℓ times speedup in circuit evaluations. This is achieved by simply evaluating the boolean circuit from the left-hand side by only using the first element of the ciphertext vector. The fresh ciphertext is always given as input from the right and the accumulated ciphertext is kept on the left. In multiplications, bit decomposition is only applied to the first element and its sum of product is computed with the ciphertext vector on the right-hand side. For instance, we may compute C′ = C ⋅ C̃ as follows
C = [cℓ−1, cℓ−2, …, c0] and C̃ = [c̃ℓ−1, c̃ℓ−2, …, c̃0]
Discard the unused ciphertexts: C = [0, 0, …, 0, c0]
Take the bit decomposition of C: {c(0,ℓ−1)c(0,ℓ−2), …, c(0,0)}.
Compute the sum of product:
Using this method, we are able to complete the circuit evaluation in ℓ operations rather than ℓ2.
© 2020 Y. Doröz and B. Sunar, published by De Gruyter
This work is licensed under the Creative Commons Attribution 4.0 International License.