Abstract
Hybrid Homomorphic Encryption (HHE) reduces the amount of client-side computation and bandwidth usage in a Fully Homomorphic Encryption (FHE) framework. HHE requires specific symmetric schemes that can be evaluated homomorphically and efficiently. In this paper, we introduce the paradigm of Group Filter Permutator (GFP) as a generalization of the Improved Filter Permutator paradigm introduced by Méaux et al. From this paradigm, we specify Elisabeth, a family of stream ciphers, and give an instance: Elisabeth-4. After asserting the security of this scheme, we provide a Rust implementation of it and ensure its performance is comparable to state-of-the-art HHE. The true strength of Elisabeth lies in the operations available server-side: while the best HHE applications were limited to a few multiplications server-side, we used data sent through Elisabeth-4 to homomorphically evaluate a neural network inference. Finally, we discuss the improvements and losses between the HHE and the FHE frameworks and give ideas to build more efficient schemes from the Elisabeth family.
O. Cosseron—Part of this work was done while the first author was working in Zama, Paris, France.
Notes
- 1.
i.e. Regev’s encryption scheme [38].
- 2.
Based on the analysis in Sect. 4, an adversary could retrieve the key by solving an algebraic system of degree at most 4 over \(\mathbb {F}_2\).
- 3.
A python implementation of this protocol can be found here: https://github.com/princess-elisabeth/sboxes_generation.
- 4.
- 5.
Or, more precisely, between two \({\text {PBS}}\).
- 6.
Note that this particular design is initially optimized for 48 cores.
- 7.
- 8.
- 9.
Up to the point of summing with the ciphertext.
- 10.
Note that it is always possible to build a trivial encryption of by appending it to a vector of zeros.
References
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. IACR Cryptology ePrint Archive 2016, 687 (2016)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012, pp. 309–325. ACM, Jan. 2012
Canteaut, A., Carpov, S., Fontaine, C., Lepoint, T., Naya-Plasencia, M., Paillier, P., Sirdey, R.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. J. Cryptology 31(3), 885–916 (2018). https://doi.org/10.1007/s00145-017-9273-9
Carlet, C.: Boolean Functions for Cryptography and Coding Theory. Cambridge University Press (2021)
Carlet, C., Méaux, P.: A complete study of two classes of Boolean functions: direct sums of monomials and threshold functions. IEEE Trans. Inf. Theory 68(5), 3404–3425 (2022)
Carlet, C., Méaux, P., Rotella, Y.: Boolean functions with restricted input and their robustness; application to the FLIP cipher. IACR Trans. Symmetric Cryptol. 2017(3) (2017)
Chillotti, I., Joye, M., Ligier, D., Orfila, J.-B., Tap, S.: Concrete: Concrete operates on ciphertexts rapidly by extending TFHE. In: 8th Workshop on Encrypted Computing and Applied Homomorphic Cryptography (WAHC 2020) (2020)
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020)
Chillotti, I., Joye, M., Paillier, P.: Programmable bootstrapping enables efficient homomorphic inference of deep neural networks. In: Dolev, S., Margalit, O., Pinkas, B., Schwarzmann, A. (eds.) CSCML 2021. LNCS, vol. 12716, pp. 1–19. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78086-9_1
Chillotti, I., Ligier, D., Orfila, J.-B., Tap, S.: Improved programmable bootstrapping with larger precision and efficient arithmetic circuits for TFHE. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 670–699. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_23
Cho, J., Ha, J., Kim, S., Lee, B., Lee, J., Lee, J., Moon, D., Yoon, H.: Transciphering framework for approximate homomorphic encryption (full version). IACR Cryptol. ePrint Arch., p. 1335 (2020)
Cho, J., Ha, J., Kim, S., Lee, B., Lee, J., Lee, J., Moon, D., Yoon, H.: Transciphering framework for approximate homomorphic encryption. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 640–669. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_22
Cogliati, B., Tanguy, T.: Multi-user security bound for filter permutators in the random oracle model. Designs, Codes and Cryptography, September 2018
Coron, J.-S., Lepoint, T., Tibouchi, M.: Scale-invariant fully homomorphic encryption over the integers. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 311–328. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_18
Courtois, N.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003, pp. 176–194 (2003)
Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_21
Dobraunig, C., Eichlseder, M., Grassi, L., Lallemand, V., Leander, G., List, E., Mendel, F., Rechberger, C.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22
Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Pasta: a case for hybrid homomorphic encryption. IACR Cryptol. ePrint Arch., p. 731 (2021)
Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17
Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999)
Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Goldreich, O.: Candidate one-way functions based on expander graphs. Electronic Colloquium on Computational Complexity (ECCC), 7(90) (2000)
Goodfellow, I.J., Bengio, Y., Courville, A.C.: Deep Learning. MIT Press, Adaptive computation and machine learning (2016)
Ha, J., Kim, S., Choi, W., Lee, J., Moon, D., Yoon, H., Cho, J.: Masta: an HE-friendly cipher using modular arithmetic. IEEE Access 8, 194741–194751 (2020)
Ha, J., Kim, S., Lee, B., Lee, J., Son, M.: Noisy ciphers for approximate homomorphic encryption. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13275. Springer, Cham. https://doi.org/10.1007/978-3-031-06944-4_20
Hebborn, P., Leander, G.: Dasta: alternative linear layer for Rasta. IACR Trans. Symmetric Cryptol. 2020(3), 46–86 (2020)
Hoffmann, C., Méaux, P., Ricosset, T.: Transciphering, Using FiLIP and TFHE for an efficient delegation of computation. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 39–61. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_3
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Méaux, P.: On the algebraic immunity of direct sum constructions. Discret. Appl. Math. 320, 223–234 (2022)
Méaux, P., Carlet, C., Journault, A., Standaert, F.-X.: Improved filter permutators for efficient FHE: better instances and implementations. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 68–91. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_4
Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13
Naehrig, M., Lauter, K.E., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: CCSW, pp. 113–124. ACM (2011)
Papernot, N., McDaniel, P.D., Sinha, A., Wellman, M.P.: SoK: security and privacy in machine learning. In: EuroS&P, pp. 399–414. IEEE (2018)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
Shalev-Shwartz, S., Ben-David, S.: Understanding Machine Learning - From Theory to Algorithms. Cambridge University Press (2014)
Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. CoRR, abs/1708.07747 (2017)
Acknowledgments
François-Xavier Standaert is a senior research associate of the Belgian Fund for Scientific Research (F.R.S.-FNRS). Pierrick Méaux was supported by the ERC Advanced grant CLOUDMAP (num. 787390). This work has been funded in part by the European Union through the ERC consolidator grant SWORD (num. 724725), and by the PEPR Cyber France 2030 programme (ANR-22-PECY-0003). We thank Arthur Meyre for his help with the neural network, Samuel Tap for the parameters and Pascal Paillier, Damien Stehlé and Alain Passelègue for interesting discussions.
Appendices
A Details on the Programmable Bootstrapping
In this part, we detail how the PBS works to apply an \({\text {NLUT}}\) and bootstrap an \({\text {LWE}}\) ciphertext at the same time. First, we recall the definition of a cryptographic multiplexer, and then we explain how the computation of a length-2N \({\text {NLUT}}\) is incorporated into the bootstrapping.
Definition 11
(\({\text {CMux}}\)). A Cryptographic Multiplexer (\({\text {CMux}}\) in short) is an operator that, given two \({\text {GLWE}}\) ciphertexts and of and respectively and a \({\text {GGSW}}\) encryption \(\boldsymbol{\textrm{B}}\) of a bit b, outputs a reencryption of . This can be done in a single external product by computing \(\boldsymbol{\textrm{B}} \boxdot (\boldsymbol{c}_1 - \boldsymbol{c}_0) + \boldsymbol{c}_0\).
Given , one can see that the constant term of is \(-l_i\), meaning that a negacyclic look-up table of length 2N can be represented as a polynomial of \(\mathbb {Z}_{q,N}[X]\): accessing the i-th value of the look-up table is equivalent to multiplying the polynomial by \(X^{-i}\) then keeping the constant term.
Let be a \({\text {GLWE}}\) encryption of such a polynomialFootnote 10 and \(\boldsymbol{c}\) be a \({\text {LWE}}\) encryption of a message \(\mu \). The goal of bootstrapping is to secretly select a value of L based on the value of \(\mu \). Since there are 2N slots in L and since \(\mu \) can take q different values, one first needs to rescale \(\mu \) from [0, q] to [0, 2N], an operation known as Modulus Switching. This is simply done by multiplying each coefficient of \(\boldsymbol{c}\) by 2N/q, then rounding to the closest integer. Let us call \((\bar{a}_1,\dots , \bar{a}_n, \bar{b})\) the scaled coefficients obtained, and \(\bar{\mu }\) the rescaled value of \(\mu \). One now has to select the \(\bar{\mu }\)-th slot of the \({\text {NLUT}}\). This can be done approximately by multiplying the polynomial , where the \(\bar{a}_i\) and \(\bar{b}\) are publicly known. Thus, computing can be done immediately. Multiplying by \(X^{\sum \bar{a}_is_i}\) is done iteratively thanks to a series of \({\text {CMux}}\)es: by using \({\text {GGSW}}\) encryptions \(\boldsymbol{\textrm{S}}_i\) of the bits \(s_1\) to \(s_n\) of the \({\text {LWE}}\) secret key, one computes \(\mathop {\textsf{ACC}}\leftarrow {\text {CMux}}(\boldsymbol{\textrm{S}}_i, X^{\bar{a}_i} \mathop {\textsf{ACC}}, \mathop {\textsf{ACC}}) = \mathop {\textsf{ACC}}\cdot X^{\bar{a}_is_i}\). This yields an encryption of a polynomial whose constant coefficient is \(L[\bar{\mu }^*]\). Since it is not possible to directly compute the rounding of \(\bar{\mu }^* = \bar{\mu } + \bar{\varepsilon }\) homomorphically to recover \(L[\bar{\mu }]\), the only alternative is to introduce redundancy in L, so that \(L[\bar{\mu }^*] = L[\bar{\mu }]\) for small enough values of \(\bar{\varepsilon }\).
The actual number of values that the look-up table can hold thus depends on both the degree of the polynomial and the maximal size \(\bar{\varepsilon }\) can take: the bigger the polynomial, the more redundancy can be introduced; the smaller \(\varepsilon \), the less redundancy is needed. Now, given a \({\text {GLWE}}\) encryption of \(\sum \mu _iX^i\) under the secret key with ) and \(b = \sum b_iX^i\), one can build an \({\text {LWE}}\) encryption of \(\mu _0\) under the secret key \((s_{1,0},\dots , s_{1,N-1},\dots ,s_{k,0},\dots , s_{k,N-1})\) as:
This operation is called sample extraction and does not increase the noise in the ciphertext. A complete bootstrap cycle then consists of these three operations: modulus switching, blind rotation of the negacyclic look-up table, and sample extraction. The output noise of the bootstrapped ciphertext is independent of the input ciphertext and depends only on the number of \({\text {CMux}}\)es that have been performed, which in turn depends on the length of the \({\text {LWE}}\) key. The noise caused by each \({\text {CMux}}\) depends on the degree N of the polynomials as well as on the basis and number of levels of the \({\text {GGSW}}\) used.
B \(\textsf {Elisabeth-4}\,\) Specifications
This appendix describes the details of \(\textsf {Elisabeth-4}\,\)’s implementation.
B.1 NLUTs Table
We specify the Negacyclic Look-Up Tables used in the \(\textsf {Elisabeth-4}\,\) implementation. Remember that the second half of each \({\text {NLUT}}\)’s values is entirely determined by the first.
| | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| \(S_1\) | 3 | 2 | 6 | 12 | 10 | 0 | 1 | 11 | 13 | 14 | 10 | 4 | 6 | 0 | 15 | 5 |
| \(S_2\) | 4 | 11 | 4 | 4 | 4 | 15 | 9 | 12 | 12 | 5 | 12 | 12 | 12 | 1 | 7 | 4 |
| \(S_3\) | 11 | 10 | 12 | 2 | 2 | 11 | 13 | 14 | 5 | 6 | 4 | 14 | 14 | 5 | 3 | 2 |
| \(S_4\) | 5 | 9 | 13 | 2 | 11 | 10 | 12 | 5 | 11 | 7 | 3 | 14 | 5 | 6 | 4 | 11 |
| \(S_5\) | 3 | 0 | 11 | 8 | 13 | 14 | 13 | 11 | 13 | 0 | 5 | 8 | 3 | 2 | 3 | 5 |
| \(S_6\) | 8 | 13 | 12 | 12 | 3 | 15 | 12 | 7 | 8 | 3 | 4 | 4 | 13 | 1 | 4 | 9 |
| \(S_7\) | 4 | 2 | 9 | 13 | 10 | 12 | 10 | 7 | 12 | 14 | 7 | 3 | 6 | 4 | 6 | 9 |
| \(S_8\) | 10 | 2 | 5 | 5 | 3 | 13 | 15 | 1 | 6 | 14 | 11 | 11 | 13 | 3 | 1 | 15 |
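As an added plaintext-level example (not code from the paper or its Rust implementation), the following models how Appendix A reads a slot of a negacyclic look-up table as the constant term of \(L(X)\cdot X^{-i}\) in \(\mathbb {Z}_{q,N}[X]\), and checks the eight NLUTs of Table B.1 against it. The degree N = 8, the coefficient modulus 16 and the encoding \(L(X)=\sum _{j<N} S[j]X^j\) are this example's own choices; no encryption, CMux or noise is modelled.

```python
# Added example (not from the paper or its Rust code): a plaintext-level model of
# how a negacyclic look-up table (NLUT) is read through the polynomial ring
# Z_q[X]/(X^N + 1), as Appendix A describes, checked against the Elisabeth-4
# NLUTs of Table B.1. Constructed from the page's table; no encryption involved.
N = 8      # polynomial degree: a length-2N = 16 NLUT indexed by Z_16 (assumption)
Q = 16     # coefficient modulus used for this plaintext model (G = Z_16)

# The eight Elisabeth-4 NLUTs, copied from Table B.1 (values in Z_16).
SBOXES = {
    1: [3, 2, 6, 12, 10, 0, 1, 11, 13, 14, 10, 4, 6, 0, 15, 5],
    2: [4, 11, 4, 4, 4, 15, 9, 12, 12, 5, 12, 12, 12, 1, 7, 4],
    3: [11, 10, 12, 2, 2, 11, 13, 14, 5, 6, 4, 14, 14, 5, 3, 2],
    4: [5, 9, 13, 2, 11, 10, 12, 5, 11, 7, 3, 14, 5, 6, 4, 11],
    5: [3, 0, 11, 8, 13, 14, 13, 11, 13, 0, 5, 8, 3, 2, 3, 5],
    6: [8, 13, 12, 12, 3, 15, 12, 7, 8, 3, 4, 4, 13, 1, 4, 9],
    7: [4, 2, 9, 13, 10, 12, 10, 7, 12, 14, 7, 3, 6, 4, 6, 9],
    8: [10, 2, 5, 5, 3, 13, 15, 1, 6, 14, 11, 11, 13, 3, 1, 15],
}

def is_negacyclic(table):
    """Second half is determined by the first: table[i+N] = -table[i] mod Q."""
    return len(table) == 2 * N and all(
        (table[i] + table[i + N]) % Q == 0 for i in range(N))

def mul_monomial(poly, k):
    """Multiply poly (coefficients c_0..c_{N-1}) by X^k in Z_Q[X]/(X^N + 1).
    Since X^N = -1, a coefficient that wraps past degree N-1 flips sign;
    k may be negative because X^{2N} = 1, so X^{-k} = X^{2N-k}."""
    k %= 2 * N
    out = [0] * N
    for j, c in enumerate(poly):
        d = j + k
        sign = -1 if (d // N) % 2 else 1   # each pass over X^N costs a sign
        out[d % N] = (out[d % N] + sign * c) % Q
    return out

def nlut_polynomial(table):
    """Encode the NLUT as L(X) = sum_{j<N} table[j] X^j (first half only)."""
    return list(table[:N])

def blind_lookup(table, i):
    """Read slot i of the NLUT as the constant term of L(X) * X^{-i}. For i >= N
    the wrap through X^N = -1 yields -table[i-N], i.e. the negacyclic second half."""
    return mul_monomial(nlut_polynomial(table), -i)[0]
```

The same `mul_monomial` step is what each \({\text {CMux}}\) of the blind rotation performs on the encrypted accumulator, with the exponent \(\bar{a}_i s_i\) hidden inside the \({\text {GGSW}}\) ciphertext.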
B.2 \(\textsf {Elisabeth-4}\,\) Algorithms
In this specification, the notations from the article are used. For the reader’s comfort, we recall a few of them here:
- \(\mathbb {G}= \mathbb {Z}_{16}\).
- \(S_i\) denotes the NLUTs.
- Addition (\(+\)) between two vectors of \(\mathbb {G}^k\) denotes coefficient-wise addition, and subtraction (−) denotes the inverse of the addition.
We define the \(\textsf {Elisabeth-4}\,\) encryption scheme by its key generation, encryption and decryption algorithms. Both encryption and decryption use the keystream algorithm.
Copyright information
© 2022 International Association for Cryptologic Research
Cite this paper
Cosseron, O., Hoffmann, C., Méaux, P., Standaert, FX. (2022). Towards Case-Optimized Hybrid Homomorphic Encryption. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_2
DOI: https://doi.org/10.1007/978-3-031-22969-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22968-8
Online ISBN: 978-3-031-22969-5