Efficient Fully Homomorphic Encryption from (Standard) LWE
Summary (4 min read)
1 Introduction
- Fully-homomorphic encryption is one of the holy grails of modern cryptography.
- Gentry's solution involved new and relatively untested cryptographic assumptions.
- Ideal lattices are a special breed that the authors know relatively little about.
- Thus, in a nutshell, the authors construct a fully homomorphic encryption scheme whose security is based solely on the classical hardness of solving standard lattice problems in the worst-case.
- See Section 3. (2) The authors present a dimension-modulus reduction technique that turns their somewhat homomorphic scheme into a fully homomorphic one, without the need for the seemingly artificial squashing step and the sparse subset-sum assumption.
1.1 Re-Linearization: Somewhat Homomorphic Encryption without Ideals
- The starting point of Gentry’s construction is a “somewhat” homomorphic encryption scheme.
- The LWE assumption does not refer to ideals, and indeed, the LWE problem is at least as hard as finding short vectors in any lattice, as follows from the worst-case to average-case reductions of Regev [Reg05] and Peikert [Pei09].
- The authors' construction of a fully homomorphic encryption scheme from LWE is perhaps a very strong testament to its power and elegance.
- The main idea is the following: imagine that the authors publish “encryptions” of all the linear and quadratic terms in the secret key s, namely all the numbers s[i] as well as s[i]s[j], under a new secret key t.
- The authors feel that thinking of these as encryptions may benefit the reader’s intuition.
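As an added toy illustration of the re-linearization idea above (this is not code from the paper): a Regev-style symmetric scheme over Z_q with ciphertexts (v, w), where the product of two ciphertexts is a quadratic form in the secret s (with the convention s[0] = 1), and each quadratic term s[i]s[j] is replaced using published encryptions of 2^τ·s[i]s[j] under a fresh key t, the coefficients being bit-decomposed so that every key-switch term adds only a small noise. The parameters Q, N and the {-1, 0, 1} noise are constructed for demonstration only and provide no security; the level tag ℓ of the paper's ciphertexts ((v, w), ℓ) is omitted.

```python
import random
# Constructed toy parameters for illustration only; far too small to be secure.
Q = 2**20 + 1           # odd modulus, so parity survives centering mod Q
N = 4                   # secret-key dimension
LOGQ = Q.bit_length()   # bits per coefficient in the bit decomposition

def keygen():
    return [random.randrange(Q) for _ in range(N)]

def inner(v, key):
    return sum(a * b for a, b in zip(v, key)) % Q

def enc(key, m):
    """Regev-style symmetric encryption: w = <v, key> + 2e + m (mod Q), e in {-1,0,1}."""
    v = [random.randrange(Q) for _ in range(N)]
    return (v, (inner(v, key) + 2 * random.choice((-1, 0, 1)) + m) % Q)

def dec(key, c):
    """Recover the noisy value w - <v, key>, centre it in (-Q/2, Q/2], reduce mod 2."""
    v, w = c
    x = (w - inner(v, key)) % Q
    return (x - Q if x > Q // 2 else x) % 2

def eval_key(s, t):
    """Encrypt 2^tau * s0[i]*s0[j] under t for all i <= j and tau, with s0 = (1, s)."""
    s0 = [1] + s
    ek = {}
    for i in range(N + 1):
        for j in range(i, N + 1):
            for tau in range(LOGQ):
                v, w = enc(t, 0)     # the noise term 2e comes from a fresh encryption of 0
                ek[(i, j, tau)] = (v, (w + (1 << tau) * s0[i] * s0[j]) % Q)
    return ek

def mult(c1, c2, ek):
    """Multiply two ciphertexts under s and re-linearize the result under t."""
    (v1, w1), (v2, w2) = c1, c2
    # w - <v, s> = <u, s0> for u = (w, -v[1], ..., -v[N]); the product is a quadratic in s0.
    u1 = [w1] + [(-x) % Q for x in v1]
    u2 = [w2] + [(-x) % Q for x in v2]
    vm, wm = [0] * N, 0
    for i in range(N + 1):
        for j in range(i, N + 1):
            h = (u1[i] * u2[j] + (0 if i == j else u1[j] * u2[i])) % Q
            for tau in range(LOGQ):          # bit-decompose h so each key-switch
                if (h >> tau) & 1:           # term contributes only a small noise
                    a, b = ek[(i, j, tau)]
                    vm = [(x + y) % Q for x, y in zip(vm, a)]
                    wm = (wm + b) % Q
    return (vm, wm)
```

The output of `mult` decrypts under t, not s: the quadratic terms in s were "paid for" by the evaluation key, which is exactly the key switch the paper builds its leveled scheme from.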
1.2 Dimension-Modulus Reduction: Fully Homomorphic Encryption Without Squashing
- As explained above, the "bootstrapping" method for achieving full homomorphism requires a C-homomorphic scheme whose decryption circuit resides in C.
- The authors show how to “upgrade” their somewhat homomorphic scheme (explained in Section 1.1) into a scheme that enjoys the same amount of homomorphism but has a much smaller decryption circuit.
- Having the above observation in mind, the authors wonder if they can take t to have not only low dimension but also small modulus p, thus completing the transition from (n, log q) to (k, log p).
- The rounding incurs an additional error of magnitude at most 1/2.
- Specifically, dimension-modulus reduction is used for the scheme in Section 4.2.
1.3 Near-Optimal Private Information Retrieval
- In (single-server) private information retrieval (PIR) protocols, a very large database is maintained by a sender (the sender is also sometimes called the server, or the database).
- For the informed reader, the authors mention that while k, p are smaller than n, q and therefore seem to imply lesser security, they are able to use much higher relative noise in their k, p scheme since it need not support homomorphism.
- Fully homomorphic, or even somewhat homomorphic, encryption is known to imply polylogarithmic PIR protocols.
- Most trivially, the receiver can encrypt the index it wants to query, and the database will use that to homomorphically evaluate the database access function, thus retrieving an encryption of the answer and sending it to the receiver.
- The authors stress that even if the size of the public key does count towards the communication complexity, their protocol still has polylogarithmic communication.
1.5 Paper Organization
- Some preliminaries and notation are described in Section 2.
- The authors formally define somewhat and fully homomorphic encryption and present the bootstrapping theorem in Section 3.
- The main technical section of this paper is Section 4, where their scheme is presented and fully analyzed.
- Lastly, their private information retrieval protocol is presented in Section 5.
2 Preliminaries
- The authors utilize “noise” distributions over integers.
- The only property of these distributions the authors use is their magnitude.
- The authors use the convention that v[0] := 1. The authors use the following variant of the leftover hash lemma [ILL89].
- There are known quantum [Reg05] and classical [Pei09] reductions between DLWEn,m,q,χ and approximating short vector problems in lattices.
- Then there exists an efficiently sampleable B-bounded distribution χ such that if there is an efficient algorithm that solves the (average-case) DLWEn,q,χ problem.
2.2 Symmetric Encryption
- A symmetric encryption scheme SYM = (SYM.Keygen, SYM.Enc, SYM.Dec) is defined as follows: SYM.Keygen(1^κ) takes a unary representation of the security parameter and outputs a symmetric encryption/decryption key sk.
- SYM.Enc_sk(µ) takes the symmetric key sk and a message µ ∈ M_κ and outputs a ciphertext c. Decryption.
- Enc and the coins of the adversary A. Namely, no adversary can distinguish between an oracle that encrypts messages of its choice and an oracle that only returns encryptions of 0 (where 0 is some arbitrary element in the message space).
3 Homomorphic Encryption: Definitions and Tools
- In this section the authors discuss the definition of homomorphic encryption and its properties as well as some related subjects.
- The authors start by defining homomorphic and fully homomorphic encryption in Section 3.1.
- Then, in Section 3.2 the authors discuss Gentry’s bootstrapping theorem.
- The authors note that there are a number of ways to define homomorphic encryption and to describe the bootstrapping theorem.
- The authors chose the definitions that best fit the constructions and they urge even the knowledgeable reader to go over them so as to avoid confusion in interpreting their results.
3.1 Homomorphic Encryption – Definitions
- The authors now define homomorphic encryption and its desired properties.
- The only security notion the authors consider in this chapter is semantic security, namely security w.r.t. passive adversaries.
- Note that a C-homomorphic scheme is not necessarily compact.
3.2 Gentry’s Bootstrapping Technique
- Gentry's bootstrapping theorem [Gen09a] implies that a bootstrappable scheme can be converted into a fully homomorphic one.
- Then there is a fully homomorphic encryption scheme as per Definition 3.5.
- Eval (regardless of the length of the ciphertext produced by HE.
4 The New Fully Homomorphic Encryption Scheme
- The authors present their fully homomorphic encryption scheme and analyze its security and performance.
- In Section 4.4 the authors analyze the homomorphic properties of SH and BTS, which enables them to prove (in Section 4.5) that the bootstrapping theorem is indeed applicable to BTS, and to obtain a fully homomorphic scheme based on LWE.
- During the homomorphic evaluation, the authors will generate ciphertexts of the form c = ((v, w), ℓ), where the tag ℓ indicates the multiplicative level at which the ciphertext has been generated (hence fresh ciphertexts are tagged with 0).
4.3 Security Analysis
- The authors analyze the security of BTS based on LWE and then, using known connections, based on the worst-case hardness of lattice problems.
- The scheme BTS is CPA secure under the DLWEn,q,χ and the DLWEk,p,χ̂ assumptions.
- Essentially, this is the class of arithmetic circuits over GF(2) with bounded fan-in and bounded depth, with an additional final “collation”: a high fan-in addition gate at the last level.
- The authors assume that all samples from χ̂ are indeed of magnitude at most B̂.
4.5 Bootstrapping and Full Homomorphism
- The authors now show how to apply Gentry’s bootstrapping theorem (Theorems 3.1, 3.2) to achieve full homomorphism.
- Lemma 4.5 guarantees that the decryption circuit is in Arith[O(log k), 1] (note that log log p = o(log k)); since the augmented decryption circuit just adds 1 to the depth, it follows that the augmented decryption circuits are also in Arith[O(log k), 1].
- Finally, the authors conclude that there exists an LWE-based fully homomorphic encryption scheme, based on Theorem 4.1 and Lemma 4.6.
- The decryption algorithm is essentially the same as Regev’s.
- This will enable generating short ciphertexts that will be “bootstrapped up” during the homomorphic evaluation.
5 LWE-Based Private Information Retrieval
- The authors present a single-server private information retrieval (PIR) protocol with nearly optimal communication complexity.
- Then, in Section 5.2, the authors show a generic construction of PIR from somewhat homomorphic encryption.
- Finally, in Section 5.3, the authors instantiate the generic construction using their own scheme from Section 4 and analyze its parameters.
5.1 Definitions of Single Server PIR
- The authors define single server private information retrieval in the public-key setting.
- The response resp is then sent back to the receiver.
- The authors note that the definition of privacy above differs from the one usually found in literature.
- Thus the protocol needs to be exponentially secure in the security parameter.
5.2 PIR via Somewhat Homomorphic and Symmetric Encryption
- In this section the authors describe a generic PIR protocol that uses a somewhat homomorphic encryption and an arbitrary symmetric encryption as building blocks.
- The authors' PIR protocol relies on two building blocks: a semantically secure symmetric encryption scheme SYM and a somewhat homomorphic encryption scheme.
- The authors recall that in Section 4 they get a leveled fully homomorphic scheme without relying on any circular security assumptions; this means that it can be used together with any symmetric scheme.
- In H2, the view of the adversary is independent of the queried indices.
5.3 Instantiating the Components: The PIR Protocol
- The authors show how to implement the primitives required in Section 5.2 in two different ways.
- Then there exists a DLWEk,p,χ̂-secure symmetric encryption scheme whose ciphertext length is O(k log k + ℓ) for ℓ-bit messages, and whose decryption circuit has the same depth as that of BTS.
- There exists a PIR protocol with communication complexity O(k log k+logN) based on the DLWEn,q,χ and DLWEk,p,χ̂ assumptions, for n = poly(k) and the remainder of the parameters as in Theorem 4.2.
- The authors also thank Microsoft Research for hosting the first author during the course of this work.
Frequently Asked Questions (15)
Q2. What is the main reason for the creation of a fully homomorphic encryption scheme?
Ideals are a natural mathematical object to use to build fully homomorphic encryption in that they natively support both addition and multiplication (whereas lattices are closed under addition only).
Q3. What is the level of homomorphism required for the protocol?
The level of somewhat homomorphism required for the protocol depends on the symmetric scheme being used (in particular, the decryption complexity of the symmetric scheme).
Q4. How can the authors use the GGM transformation to base security on LWE?
If the authors want to base security solely on LWE, the authors can use the LWE-based PRF that is obtained by applying the GGM transformation [GGM86] to an LWE based pseudorandom generator.
Q5. What is the simplest way to take modulo p?
In order to take modulo p, one needs to subtract, in parallel, all possible multiples of p (there are at most O(k log p) options) and check if the result is in Zp.
Q6. How many parameters are needed to compare different PIR protocols?
As for the sender's response, their dimension-modulus reduction technique guarantees very short ciphertexts (essentially as short ...). It is hard to compare the performance of different PIR protocols due to the multitude of parameters.
Q7. What is the definition of a leveled homomorphic scheme?
The leveled homomorphic scheme is such that only the length of the evaluation key depends on the level L. All other parameters of the scheme are distributed identically regardless of the value of L.
Q8. What is the definition of the learning with errors problem?
For an integer q = q(n) and an error distribution χ = χ(n) over Z_q, the learning with errors problem LWE_{n,m,q,χ} is defined as follows: given m independent samples from A_{s,χ} (for some s ∈ Z_q^n), output s with noticeable probability.
Q9. What is the value of treating the evaluation key as a separate entity?
The authors note that while one can treat the evaluation key as a part of the public key, as has been done in the literature so far, the authors feel that there is an expository value to treating it as a separate entity and to distinguishing between the public elements that are used for encryption and those that are used only for homomorphic evaluation.
Q10. How can one reduce the overhead of a ciphertext?
The authors remark that in terms of retrieving large blocks of consecutive data, one can slightly reduce the overhead to O(logN) bits of communication for every bit of retrieved data.
Q11. What is the ciphertext that is used to evaluate a gate?
The authors show how to multiply ciphertexts c, c′ where c = ((v, w), ℓ) and c′ = ((v′, w′), ℓ) (recall that multiplication gates have fan-in 2), to obtain an output ciphertext cmult = ((vmult, wmult), ℓ + 1).
Q13. What is the class of arithmetic circuits over GF(2)?
This is the class of arithmetic circuits over GF(2) with bounded fan-in and bounded depth, with an additional final "collation": a high fan-in addition gate at the last level.
Q14. What is the proof of the augmented decryption circuit?
Lemma 4.5 guarantees that the decryption circuit is in Arith[O(log k), 1] (note that log log p = o(log k)); since the augmented decryption circuit just adds 1 to the depth, it follows that the augmented decryption circuits are also in Arith[O(log k), 1].
Q15. What is the trivial way to get the answer?
Most trivially, the receiver can encrypt the index it wants to query, and the database will use that to homomorphically evaluate the database access function, thus retrieving an encryption of the answer and sending it to the receiver.