Evaluating the Effectiveness of Heuristic Worst-Case Noise Analysis in FHE

Abstract

The purpose of this paper is to test the accuracy of worst-case heuristic bounds on the noise growth in ring-based homomorphic encryption schemes. We use the methodology of Iliashenko (Ph.D. thesis, 2019) to provide a new heuristic noise analysis for the BGV scheme. We demonstrate that for both the BGV and FV schemes, this approach gives tighter bounds than previous heuristic approaches, by as much as 10 bits of noise budget. Then, we provide experimental data on the noise growth of HElib and SEAL ciphertexts, in order to evaluate how well the heuristic bounds model the noise growth in practice. We find that, in spite of our improvements, there is still a gap between the heuristic estimate of the noise and the observed noise in practice. We extensively justify that a heuristic worst-case approach inherently leads to this gap, and hence leads to selecting significantly larger parameters than needed. As an additional contribution, we update the comparison between the two schemes presented by Costache and Smart (CT-RSA, 2016). Our new analysis shows that the practical crossover point at which BGV begins to outperform FV occurs for very large plaintext moduli, well beyond the crossover point reported by Costache and Smart.

Appendices

A The BGV scheme

In this section we introduce the BGV scheme  [10]. The BGV scheme is comprised of the \(\texttt {SecretKeyGen}\), \(\texttt {PublicKeyGen}\), \(\texttt {EvaluationKeyGen}\), \(\texttt {Encrypt}\), \(\texttt {Decrypt}\), \(\texttt {Add}\), \(\texttt {Multiply}\), \(\texttt {Relinearize}\), and \(\texttt {ModSwitch}\) algorithms.

In the \(\texttt {ModSwitch}\) algorithm, we describe switching from a modulus q to a modulus p where, for correctness, we require that \(p = q = 1 \mod t\)  [10, 23]. For the algorithm as described here, we also need \(p \mid q\), which will be the case when moving down the chain of moduli.

• \(\texttt {SecretKeyGen}(\lambda )\): Sample \(s \leftarrow S\) and output \( \texttt {sk}=s\).

• \(\texttt {PublicKeyGen}(\texttt {sk})\): Set \(s = \texttt {sk}\) and sample \(a \leftarrow R_q\) uniformly at random and \(e \leftarrow \chi \). Output \(\texttt {pk}=\left( [-(as+te)]_q , a\right) \).

• \(\texttt {EvaluationKeyGen}(\texttt {sk}, w)\): Set \(s = \texttt {sk}\). For \(i \in \{0, \dots , \ell \}\), sample \(a_i \leftarrow R_q\) uniformly at random and \(e_i \leftarrow \chi \). Output \(\texttt {evk} = \left( [-(a_i s + te_i)+w^i s^2]_q , a_i\right) \).

• \(\texttt {Encrypt}(\texttt {pk},m)\): For the message \(m \in R_t\). Let \(\texttt {pk} = (p_0,p_1)\), sample \(u \leftarrow S\) and \(e_1,e_2 \leftarrow \chi \). Output \( \texttt {ct} = \left( [m + p_0 u + t e_1]_q , [p_1 u + t e_2]_q \right) \).

• \(\texttt {Decrypt}(\texttt {sk},\texttt {ct})\): Let \(s = \texttt {sk}\) and \(\texttt {ct} = (c_0,c_1)\). Output \(m' = \left[ [c_0+ c_1 s]_q \right] _t\).

• \(\texttt {Add}(\texttt {ct}_0,\texttt {ct}_1)\): Output \( \texttt {ct} = ([\texttt {ct}_0[0] + \texttt {ct}_1[0]]_q, [\texttt {ct}_0[1] + \texttt {ct}_1[1]]_q)\).

• \(\texttt {Multiply}(\texttt {ct}_0,\texttt {ct}_1)\): Set \(c_0 {=} \left[ \texttt {ct}_0[0]\texttt {ct}_1[0] \right] _q\), \(c_1 {=} \left[ \texttt {ct}_0[0]\texttt {ct}_1[1]\, {+}\,\texttt {ct}_0[1]\texttt {ct}_1[0]\right] _q\), and \(c_2 = \left[ \texttt {ct}_0[1]\texttt {ct}_1[1] \right] _q\). Output \(\texttt {ct} = (c_0,c_1,c_2)\).

• \(\texttt {Relinearize}(\texttt {ct},\texttt {evk}):\) Let \(\texttt {ct}[0] = c_0\), \(\texttt {ct}[1] = c_1\) and \(\texttt {ct}[2] = c_2\). Let \(\texttt {evk}[i][0] = [-(a_i s + te_i)+w^i s^2]_q\) and \(\texttt {evk}[i][1] = a_i\). Express \(c_2\) in base w as \(c_2 = \sum _{i=0}^{\ell }c_2^{(i)}w^i\). Set \( c_0' = c_0 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][0]c_2^{(i)}, \) and \(c_1' = c_1 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][1]c_2^{(i)} \). Output \( \texttt {ct}' =(c_0',c_1')\).

• \(\texttt {ModSwitch}(\texttt {ct},p):\) Let \(\texttt {ct} = (c_0,c_1)\). Fix \(\delta _i\) such that \(\delta _i = -c_i \pmod { \frac{q}{p} }\) and \(\delta _i = 0 \pmod {t}\). Set \(c_0'= \frac{p}{q}(c_0 + \delta _0)\) and \(c_1' = \frac{p}{q}(c_1 + \delta _1)\). Output \(\texttt {ct} = (c_0',c_1')\).

B The FV scheme

In this section we introduce the FV scheme  [21], comprised of the algorithms \(\texttt {SecretKeyGen}\), \(\texttt {PublicKeyGen}\), \(\texttt {EvaluationKeyGen}\), \(\texttt {Encrypt}\), \(\texttt {Decrypt}\), \(\texttt {Add}\),

\(\texttt {Multiply}\), \(\texttt {Relinearize}\) and \(\texttt {ModSwitch}\). Unlike for BGV, the constraint on the chain of moduli that \(p_i = 1 \mod t\) is not required, though was enforced for FV in  [18]. Imposing this constraint may result in unfairly large parameters for FV, hence our updated comparison can be seen as allowing a more flexible modulus switching.

In order to define \(\texttt {Encrypt}\), we must first define \(\varDelta = \Bigl \lfloor \frac{q}{t} \Bigr \rfloor \), where q is the current ciphertext modulus, and t is the plaintext modulus. We also define \(r_t(q)\) as the remainder of q on division by t, so that \(q = \varDelta t + r_t(q)\).

• \(\texttt {SecretKeyGen}(\lambda )\): Sample \(s \leftarrow S\) and output \( \texttt {sk}=s\).

• \(\texttt {PublicKeyGen}(\texttt {sk})\): Set \(s = \texttt {sk}\) and sample \(a \leftarrow R_q\) uniformly at random and \(e \leftarrow \chi \). Output \(\texttt {pk}=\left( [-(as+e)]_q , a\right) \).

• \(\texttt {EvaluationKeyGen}(\texttt {sk}, w)\): Set \(s = \texttt {sk}\). For \(i \in \{0, \dots , \ell \}\), sample \(a_i \leftarrow R_q\) uniformly at random and \(e_i \leftarrow \chi \). Output \(\texttt {evk} = \left( [-(a_i s + e_i)+w^i s^2]_q , a_i\right) \).

• \(\texttt {Encrypt}(\texttt {pk},m)\): For the message \(m \in R_t\). Let \(\texttt {pk} = (p_0,p_1)\), sample \(u \leftarrow S\) and \(e_1,e_2 \leftarrow \chi \). Output \( \texttt {ct} = \left( [\varDelta m + p_0 u + e_1]_q , [p_1 u + e_2]_q \right) \).

• \(\texttt {Decrypt}(\texttt {sk},\texttt {ct})\): Let \(s = \texttt {sk}\) and \(\texttt {ct} = (c_0, c_1)\). Output \( m' = \left[ \left\lfloor \frac{t}{q} [c_0+ c_1 s]_q \right\rceil \right] _t\).

• \(\texttt {Add}(\texttt {ct}_0,\texttt {ct}_1)\): Output \( \texttt {ct} = ([\texttt {ct}_0[0] + \texttt {ct}_1[0]]_q, [\texttt {ct}_0[1] + \texttt {ct}_1[1]]_q) \,. \)

• \(\texttt {Multiply}(\texttt {ct}_0,\texttt {ct}_1)\): Compute \(c_0 = \left[ \left\lfloor \frac{t}{q} \texttt {ct}_0[0]\texttt {ct}_1[0] \right\rceil \right] _q\), \(c_1 = \left[ \left\lfloor \frac{t}{q}\left( \texttt {ct}_0[0]\texttt {ct}_1[1] + \texttt {ct}_0[1]\texttt {ct}_1[0]\right) \right\rceil \right] _q\), and \(c_2 = \left[ \left\lfloor \frac{t}{q} \texttt {ct}_0[1]\texttt {ct}_1[1] \right\rceil \right] _q\). Output \(\texttt {ct} = (c_0,c_1,c_2)\).

• \(\texttt {Relinearize}(\texttt {ct},\texttt {evk}):\) Let \(\texttt {ct}[0] = c_0\), \(\texttt {ct}[1] = c_1\) and \(\texttt {ct}[2] = c_2\). Let \(\texttt {evk}[i][0] = [-(a_i s + e_i)+w^i s^2]_q\) and \(\texttt {evk}[i][1] = a_i\). Express \(c_2\) in base w as \(c_2 = \sum _{i=0}^{\ell }c_2^{(i)}w^i\). Set \( c_0' = [c_0 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][0]c_2^{(i)}]_q, \) and \(c_1' = [c_1 + \sum _{i=0}^{\ell }{} \texttt {evk}[i][1]c_2^{(i)}]_q \). Output \( \texttt {ct}' =(c_0',c_1')\).

• \(\texttt {ModSwitch}(\texttt {ct},p):\) Let \(\texttt {ct}[0] = c_0\) and \(\texttt {ct}[1] = c_1\). Set \( c_0' = \left[ \left\lfloor \frac{p}{q} c_0 \right\rceil \right] _p \) and \( c_1' = \left[ \left\lfloor \frac{p}{q} c_1 \right\rceil \right] _p \). Output \( \texttt {ct}' =(c_0',c_1')\).