Towards Case-Optimized Hybrid Homomorphic Encryption

Abstract

Hybrid Homomorphic Encryption (HHE) reduces the amount of computation client-side and bandwidth usage in a Fully Homomorphic Encryption (FHE) framework. HHE requires the usage of specific symmetric schemes that can be evaluated homomorphically efficiently. In this paper, we introduce the paradigm of Group Filter Permutator (GFP) as a generalization of the Improved Filter Permutator paradigm introduced by Méaux et al.. From this paradigm, we specify Elisabeth , a family of stream cipher and give an instance: Elisabeth-4 . After asserting the security of this scheme, we provide a Rust implementation of it and ensure its performance is comparable to state-of-the-art HHE. The true strength of Elisabeth lies in the available operations server-side: while the best HHE applications were limited to a few multiplications server-side, we used data sent through Elisabeth-4 to homomorphically evaluate a neural network inference. Finally, we discuss the improvement and loss between the HHE and the FHE framework and give ideas to build more efficient schemes from the Elisabeth family.

O. Cosseron—Part of this work was done while the first author was working in Zama, Paris, France.

Appendices

Supplementary material

A Details on the Programmable Bootstrapping

In this part, we detail how works the PBS to apply an \({\text {NLUT}}\) and bootstrap a \({\text {LWE}}\) ciphertext at the same time. First, we recall the definition of a cryptographic multiplexer, and then we explain how the computation of a length-2N \({\text {NLUT}}\) is incorporated inside the bootstrapping.

Definition 11

(\({\text {CMux}}\)). A Cryptographic Multiplexer (\({\text {CMux}}\) in short) is an operator that, given two \({\text {GLWE}}\) ciphertexts and of and respectively and a \({\text {GGSW}}\) encryption \(\boldsymbol{\textrm{B}}\) of a bit b, outputs a reencryption of . This can be done in a single external product by computing \(\boldsymbol{\textrm{B}} \boxdot (\boldsymbol{c}_1 - \boldsymbol{c}_0) + \boldsymbol{c}_0\).

Given , one can see that the constant term of is \(-l_i\), meaning that a negacyclic look-up table of length 2N can be represented as a polynomial of \(\mathbb {Z}_{q,N}[X]\): accessing the i-th value of the look-up table is equivalent to multiplying the polynomial by \(X^{-i}\) then keeping the constant term.

Let be a \({\text {GLWE}}\) encryption of such a polynomial¹⁰ and \(\boldsymbol{c}\) be a \({\text {LWE}}\) encryption of a message \(\mu \). The goal of bootstrapping is to secretly select a value of L based on the value of \(\mu \). Since there are 2N slots in L and since \(\mu \) can take q different values, one first needs to rescale \(\mu \) from [0, q] to [0, 2N], an operation known as Modulus Switching. This is simply done by multiplying each coefficient of \(\boldsymbol{c}\) by 2N/q, then by rounding to the closest integer. Let call \((\bar{a}_1,\dots , \bar{a}_n, \bar{b})\) the scaled coefficients obtained, and \(\bar{\mu }\) the value of \(\mu \) rescaled. One now has to select the \(\bar{\mu }\)-th slot of the \({\text {NLUT}}\). This can be done approximately by multiplying the polynomial , where the \(\bar{a}_i\) and \(\bar{b}\) are publicly known. Thus, computing can be done immediatly. Multiplying by \(X^{\sum \bar{a}_is_i}\) is done iteratively thanks to a series of \({\text {CMux}}\)es: by using \({\text {GGSW}}\) encryption \(\boldsymbol{\textrm{S}}_i\) of the bits of the \({\text {LWE}}\) secret key \(s_1\) to \(s_n\), one computes \(\mathop {\textsf{ACC}}\leftarrow {\text {CMux}}(\boldsymbol{\textrm{S}}_i, X^{\bar{a}_i} \mathop {\textsf{ACC}}, \mathop {\textsf{ACC}}) = \mathop {\textsf{ACC}}\cdot X^{\bar{a}_is_i}\). This yields an encryption of a polynomial which constant coefficient is \(L[\bar{\mu }^*]\). Since it is not possible to directly compute the rounding of \(\bar{\mu }^* = \bar{\mu } + \bar{\varepsilon }\) homomorphically to recover \(L[\bar{\mu }]\), the only alternative is to introduce redundancy in L, so that \(L[\bar{\mu }^*] = L[\bar{\mu }]\) for small enough values of \(\bar{\varepsilon }\). The actual number of values that the lookup table can hold thus depends on both the degree of the polynomial and the maximal size \(\bar{\varepsilon }\) can take: the bigger the polynomial the more redundancy can be introduced, the smaller \(\varepsilon \) and the lesser redundancy is needed. Now, given a \({\text {GLWE}}\) encryption of \(\sum \mu _iX^i\) under the secret key with ) and \(b = \sum b_iX^i\), one can build an \({\text {LWE}}\) encryption of \(\mu _0\) under the secret key \((s_{1,0},\dots , s_{1,N-1},\dots ,s_{k,0},\dots , s_{k,N-1})\) as:

$$\begin{aligned} (a_{1,0},-a_{1, N-1}, \dots ,-a_{1,1},\dots ,a_{k,0},-a_{k, N-1}, \dots ,-a_{k,1},b_0) \end{aligned}$$

This operation is called sample extraction and does not increase the noise in the ciphertext. A complete bootstrap cycle then consists of these three operations: modulus switching, blind rotation of the negacyclic look-up table, and sample extraction. The output noise of the bootstrapped ciphertext is independent of the input ciphertext and depends only on the number of \({\text {CMux}}\)es that has been performed, which in turn depends on the length of the \({\text {LWE}}\) key. The noise caused by each \({\text {CMux}}\) depends on the degree N of the polynomials as well as on the basis and number of levels of the \({\text {GGSW}}\) used.

B \(\textsf {Elisabeth-4}\,\) Specifications

This appendix describes the details of \(\textsf {Elisabeth-4}\,\)’s implementation.

1.1 B.1 NLUTs Table

We specify the Negacyclic Look-Up Tables used for \(\textsf {Elisabeth-4}\,\) implementation. Remember that the second half of each \({\text {NLUT}}\)’s value is entirely determined by the first.

	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
\( S_1\)	3	2	6	12	10	0	1	11	13	14	10	4	6	0	15	5
\( S_2\)	4	11	4	4	4	15	9	12	12	5	12	12	12	1	7	4
\(S_3\)	11	10	12	2	2	11	13	14	5	6	4	14	14	5	3	2
\(S_4\)	5	9	13	2	11	10	12	5	11	7	3	14	5	6	4	11
\(S_5\)	3	0	11	8	13	14	13	11	13	0	5	8	3	2	3	5
\(S_6\)	8	13	12	12	3	15	12	7	8	3	4	4	13	1	4	9
\(S_7\)	4	2	9	13	10	12	10	7	12	14	7	3	6	4	6	9
\(S_8\)	10	2	5	5	3	13	15	1	6	14	11	11	13	3	1	15

1.2 B.2 \(\textsf {Elisabeth-4}\,\) Algorithms

In this specification, notations from the article are used. For the reader’s comfort, let us remind here a few of them:

• \(\mathbb {G}= \mathbb {Z}_{16}\).

• \(S_i\) denotes the NLUTs.

• Addition (\(+\)) between two vectors of \(\mathbb {G}^k\) denotes the adddition coefficient by coefficient and substraction (−) denotes the inverse of the addition.

We define the \(\textsf {Elisabeth-4}\,\) encryption scheme as its key generation, encryption and decryption algorithm. Both encryption and decryption use the keystream algorithm.