Abstract
The purpose of this paper is to test the accuracy of worst-case heuristic bounds on the noise growth in ring-based homomorphic encryption schemes. We use the methodology of Iliashenko (Ph.D. thesis, 2019) to provide a new heuristic noise analysis for the BGV scheme. We demonstrate that for both the BGV and FV schemes, this approach gives tighter bounds than previous heuristic approaches, by as much as 10 bits of noise budget. Then, we provide experimental data on the noise growth of HElib and SEAL ciphertexts, in order to evaluate how well the heuristic bounds model the noise growth in practice. We find that, in spite of our improvements, there is still a gap between the heuristic estimate of the noise and the observed noise in practice. We extensively justify that a heuristic worst-case approach inherently leads to this gap, and hence leads to selecting significantly larger parameters than needed. As an additional contribution, we update the comparison between the two schemes presented by Costache and Smart (CT-RSA, 2016). Our new analysis shows that the practical crossover point at which BGV begins to outperform FV occurs for very large plaintext moduli, well beyond the crossover point reported by Costache and Smart.
Notes
1. FV is based on a scheme of Brakerski [9] and hence is sometimes referred to as BFV.
Since January 2019 the HElib default secret distribution is no longer sparse.
6. For a definition of the canonical embedding and other algebraic background, see [33].
7. decryptAndPrint.
8. In HElib, the security parameter is typically denoted as k. This may not be an accurate security estimate [3].
9. In HElib, the dimension is selected as m where \(n = \varphi (m)\) and \(\varphi (\cdot )\) is the Euler totient function. Hence, we set \(m \in \{ 4096, 8192, 16384, 32768\}\). We verified that our other choices allowed for these m using the function \(\texttt {FindM}\).
10. In HElib, the plaintext modulus is parameterised as \(p^r\), hence we set \(p = 3\) and \(r = 1\).
11. An exception is modulus switching for \(n=4096\), which seems to be well-modelled by both approaches for obtaining heuristic bounds.
12. Bajard et al. [6] recently identified a bug in the implementation of multiplication in SEAL, resulting in a ciphertext that has more noise than expected when the plaintext modulus is large. Our experiments, using a small plaintext modulus \(t = 256\), are not affected. This bug is expected to be fixed in SEAL v3.5.
References
1. Albrecht, M., et al.: Homomorphic encryption security standard. HomomorphicEncryption.org, Technical report (2018)
2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
3. Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 103–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_4
4. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6
5. Bajard, J.-C., Eynard, J., Hasan, M.A., Zucca, V.: A full RNS variant of FV like somewhat homomorphic encryption schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 423–442. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_23
6. Bajard, J.-C., Eynard, J., Martins, P., Sousa, L., Zucca, V.: An HPR variant of the FV scheme: Computationally cheaper, asymptotically faster. IACR Cryptology ePrint Archive 2019, vol. 500 (2019)
7. Bonte, C., Bootland, C., Bos, J.W., Castryck, W., Iliashenko, I., Vercauteren, F.: Faster homomorphic function evaluation using non-integral base encoding. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 579–600. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_28
8. Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45239-0_4
9. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
10. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012, pp. 309–325. ACM, January 2012
11. Brenner, M., et al.: A standard API for RLWE-based homomorphic encryption. HomomorphicEncryption.org, Technical report (2017)
12. Castryck, W., Iliashenko, I., Vercauteren, F.: Homomorphic SIM\(^2\)D operations: single instruction much more data. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 338–359. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_13
13. Chen, H., Laine, K., Player, R.: Simple encrypted arithmetic library - SEAL v2.1. In: Brenner, M., Rohloff, K., Bonneau, J., Miller, A., Ryan, P.Y.A., Teague, V., Bracciali, A., Sala, M., Pintore, F., Jakobsson, M. (eds.) FC 2017. LNCS, vol. 10323, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_1
14. Chen, H., Laine, K., Player, R., Xia, Y.: High-precision arithmetic in homomorphic encryption. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 116–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_7
15. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
16. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2019). https://doi.org/10.1007/s00145-019-09319-x
17. Costache, A.: On the practicality of ring-based fully homomorphic encryption schemes. Ph.D. thesis, University of Bristol (2018)
18. Costache, A., Smart, N.P.: Which ring based somewhat homomorphic encryption scheme is best? In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 325–340. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_19
19. Costache, A., Smart, N.P., Vivek, S., Waller, A.: Fixed-point arithmetic in SHE schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 401–422. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_22
20. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
21. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). http://eprint.iacr.org/2012/144
22. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009
23. Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_28
24. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49
25. Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 83–105. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_5
26. HElib, January 2019. https://github.com/shaih/HElib
27. Iliashenko, I.: Optimisations of fully homomorphic encryption. Ph.D. thesis, KU Leuven (2019)
28. Kim, M., Lauter, K.: Private genome analysis through homomorphic encryption. BMC Med. Inform. Decis. Mak. 15(5), S3 (2015). https://doi.org/10.1186/1472-6947-15-S5-S3
29. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
30. Lepoint, T., Naehrig, M.: A comparison of the homomorphic encryption schemes FV and YASHE. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 318–335. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6_20
31. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
32. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 1219–1234. ACM Press, May 2012
33. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
34. Murphy, S., Player, R.: Discretisation and product distributions in Ring-LWE. MathCrypt 2019, to appear (2019)
35. Al Badawi, A.Q.A., Polyakov, Y., Aung, K.M.M., Veeravalli, B., Rohloff, K.: Implementation and performance evaluation of RNS variants of the BFV homomorphic encryption scheme. IEEE Trans. Emerg. Top. Comput., 1 (2019). https://doi.org/10.1109/TETC.2019.2902799
36. Microsoft SEAL (release 3.4), Microsoft Research, Redmond, WA, October 2019. https://github.com/Microsoft/SEAL
Acknowledgements
Player was partially supported by the French Programme d’Investissement d’Avenir under national project RISQ P141580. Player and Costache were partially supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). Most of this work was done while Costache was at Intel AI, San Diego. We thank Ilia Iliashenko, Shai Halevi and Nigel Smart for helpful comments.
Appendices
A The BGV scheme
In this section we introduce the BGV scheme [10]. The BGV scheme is comprised of the \(\texttt {SecretKeyGen}\), \(\texttt {PublicKeyGen}\), \(\texttt {EvaluationKeyGen}\), \(\texttt {Encrypt}\), \(\texttt {Decrypt}\), \(\texttt {Add}\), \(\texttt {Multiply}\), \(\texttt {Relinearize}\), and \(\texttt {ModSwitch}\) algorithms.
In the \(\texttt {ModSwitch}\) algorithm, we describe switching from a modulus q to a modulus p where, for correctness, we require that \(p = q = 1 \mod t\) [10, 23]. For the algorithm as described here, we also need \(p \mid q\), which will be the case when moving down the chain of moduli.
- \(\texttt {SecretKeyGen}(\lambda )\): Sample \(s \leftarrow S\) and output \( \texttt {sk}=s\).
- \(\texttt {PublicKeyGen}(\texttt {sk})\): Set \(s = \texttt {sk}\) and sample \(a \leftarrow R_q\) uniformly at random and \(e \leftarrow \chi \). Output \(\texttt {pk}=\left( [-(as+te)]_q , a\right) \).
- \(\texttt {EvaluationKeyGen}(\texttt {sk}, w)\): Set \(s = \texttt {sk}\). For \(i \in \{0, \dots , \ell \}\), sample \(a_i \leftarrow R_q\) uniformly at random and \(e_i \leftarrow \chi \). Output \(\texttt {evk} = \left( [-(a_i s + te_i)+w^i s^2]_q , a_i\right) \).
- \(\texttt {Encrypt}(\texttt {pk},m)\): For a message \(m \in R_t\), let \(\texttt {pk} = (p_0,p_1)\), sample \(u \leftarrow S\) and \(e_1,e_2 \leftarrow \chi \). Output \( \texttt {ct} = \left( [m + p_0 u + t e_1]_q , [p_1 u + t e_2]_q \right) \).
- \(\texttt {Decrypt}(\texttt {sk},\texttt {ct})\): Let \(s = \texttt {sk}\) and \(\texttt {ct} = (c_0,c_1)\). Output \(m' = \left[ [c_0+ c_1 s]_q \right] _t\).
- \(\texttt {Add}(\texttt {ct}_0,\texttt {ct}_1)\): Output \( \texttt {ct} = ([\texttt {ct}_0[0] + \texttt {ct}_1[0]]_q, [\texttt {ct}_0[1] + \texttt {ct}_1[1]]_q)\).
- \(\texttt {Multiply}(\texttt {ct}_0,\texttt {ct}_1)\): Set \(c_0 {=} \left[ \texttt {ct}_0[0]\texttt {ct}_1[0] \right] _q\), \(c_1 {=} \left[ \texttt {ct}_0[0]\texttt {ct}_1[1]\, {+}\,\texttt {ct}_0[1]\texttt {ct}_1[0]\right] _q\), and \(c_2 = \left[ \texttt {ct}_0[1]\texttt {ct}_1[1] \right] _q\). Output \(\texttt {ct} = (c_0,c_1,c_2)\).
- \(\texttt {Relinearize}(\texttt {ct},\texttt {evk}):\) Let \(\texttt {ct}[0] = c_0\), \(\texttt {ct}[1] = c_1\) and \(\texttt {ct}[2] = c_2\). Let \(\texttt {evk}[i][0] = [-(a_i s + te_i)+w^i s^2]_q\) and \(\texttt {evk}[i][1] = a_i\). Express \(c_2\) in base w as \(c_2 = \sum _{i=0}^{\ell }c_2^{(i)}w^i\). Set \( c_0' = c_0 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][0]c_2^{(i)}, \) and \(c_1' = c_1 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][1]c_2^{(i)} \). Output \( \texttt {ct}' =(c_0',c_1')\).
- \(\texttt {ModSwitch}(\texttt {ct},p):\) Let \(\texttt {ct} = (c_0,c_1)\). Fix \(\delta _i\) such that \(\delta _i = -c_i \pmod { \frac{q}{p} }\) and \(\delta _i = 0 \pmod {t}\). Set \(c_0'= \frac{p}{q}(c_0 + \delta _0)\) and \(c_1' = \frac{p}{q}(c_1 + \delta _1)\). Output \(\texttt {ct}' = (c_0',c_1')\).
B The FV scheme
In this section we introduce the FV scheme [21], comprised of the algorithms \(\texttt {SecretKeyGen}\), \(\texttt {PublicKeyGen}\), \(\texttt {EvaluationKeyGen}\), \(\texttt {Encrypt}\), \(\texttt {Decrypt}\), \(\texttt {Add}\), \(\texttt {Multiply}\), \(\texttt {Relinearize}\) and \(\texttt {ModSwitch}\). Unlike for BGV, the constraint on the chain of moduli that \(p_i = 1 \mod t\) is not required, though it was enforced for FV in [18]. Imposing this constraint may result in unfairly large parameters for FV, hence our updated comparison can be seen as allowing a more flexible modulus switching.
In order to define \(\texttt {Encrypt}\), we must first define \(\varDelta = \Bigl \lfloor \frac{q}{t} \Bigr \rfloor \), where q is the current ciphertext modulus, and t is the plaintext modulus. We also define \(r_t(q)\) as the remainder of q on division by t, so that \(q = \varDelta t + r_t(q)\).
- \(\texttt {SecretKeyGen}(\lambda )\): Sample \(s \leftarrow S\) and output \( \texttt {sk}=s\).
- \(\texttt {PublicKeyGen}(\texttt {sk})\): Set \(s = \texttt {sk}\) and sample \(a \leftarrow R_q\) uniformly at random and \(e \leftarrow \chi \). Output \(\texttt {pk}=\left( [-(as+e)]_q , a\right) \).
- \(\texttt {EvaluationKeyGen}(\texttt {sk}, w)\): Set \(s = \texttt {sk}\). For \(i \in \{0, \dots , \ell \}\), sample \(a_i \leftarrow R_q\) uniformly at random and \(e_i \leftarrow \chi \). Output \(\texttt {evk} = \left( [-(a_i s + e_i)+w^i s^2]_q , a_i\right) \).
- \(\texttt {Encrypt}(\texttt {pk},m)\): For a message \(m \in R_t\), let \(\texttt {pk} = (p_0,p_1)\), sample \(u \leftarrow S\) and \(e_1,e_2 \leftarrow \chi \). Output \( \texttt {ct} = \left( [\varDelta m + p_0 u + e_1]_q , [p_1 u + e_2]_q \right) \).
- \(\texttt {Decrypt}(\texttt {sk},\texttt {ct})\): Let \(s = \texttt {sk}\) and \(\texttt {ct} = (c_0, c_1)\). Output \( m' = \left[ \left\lfloor \frac{t}{q} [c_0+ c_1 s]_q \right\rceil \right] _t\).
- \(\texttt {Add}(\texttt {ct}_0,\texttt {ct}_1)\): Output \( \texttt {ct} = ([\texttt {ct}_0[0] + \texttt {ct}_1[0]]_q, [\texttt {ct}_0[1] + \texttt {ct}_1[1]]_q) \,. \)
- \(\texttt {Multiply}(\texttt {ct}_0,\texttt {ct}_1)\): Compute \(c_0 = \left[ \left\lfloor \frac{t}{q} \texttt {ct}_0[0]\texttt {ct}_1[0] \right\rceil \right] _q\), \(c_1 = \left[ \left\lfloor \frac{t}{q}\left( \texttt {ct}_0[0]\texttt {ct}_1[1] + \texttt {ct}_0[1]\texttt {ct}_1[0]\right) \right\rceil \right] _q\), and \(c_2 = \left[ \left\lfloor \frac{t}{q} \texttt {ct}_0[1]\texttt {ct}_1[1] \right\rceil \right] _q\). Output \(\texttt {ct} = (c_0,c_1,c_2)\).
- \(\texttt {Relinearize}(\texttt {ct},\texttt {evk}):\) Let \(\texttt {ct}[0] = c_0\), \(\texttt {ct}[1] = c_1\) and \(\texttt {ct}[2] = c_2\). Let \(\texttt {evk}[i][0] = [-(a_i s + e_i)+w^i s^2]_q\) and \(\texttt {evk}[i][1] = a_i\). Express \(c_2\) in base w as \(c_2 = \sum _{i=0}^{\ell }c_2^{(i)}w^i\). Set \( c_0' = [c_0 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][0]c_2^{(i)}]_q, \) and \(c_1' = [c_1 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][1]c_2^{(i)}]_q \). Output \( \texttt {ct}' =(c_0',c_1')\).
- \(\texttt {ModSwitch}(\texttt {ct},p):\) Let \(\texttt {ct}[0] = c_0\) and \(\texttt {ct}[1] = c_1\). Set \( c_0' = \left[ \left\lfloor \frac{p}{q} c_0 \right\rceil \right] _p \) and \( c_1' = \left[ \left\lfloor \frac{p}{q} c_1 \right\rceil \right] _p \). Output \( \texttt {ct}' =(c_0',c_1')\).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Costache, A., Laine, K., Player, R. (2020). Evaluating the Effectiveness of Heuristic Worst-Case Noise Analysis in FHE. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_27
DOI: https://doi.org/10.1007/978-3-030-59013-0_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59012-3
Online ISBN: 978-3-030-59013-0