Batch Bootstrapping I: A New Framework for SIMD Bootstrapping in Polynomial Modulus

  • Conference paper
Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14006))

Abstract

In this series of work, we aim at improving the bootstrapping paradigm for fully homomorphic encryption (FHE). Our main goal is to show that the amortized cost of bootstrapping within a polynomial modulus only requires \(\tilde{O}(1)\) FHE multiplications.

To achieve this, we develop substantial algebraic techniques in two papers. Particularly, the first one (this work) proposes a new mathematical framework for batch homomorphic computation that is compatible with the existing bootstrapping methods of AP14/FHEW/TFHE. To show that our overall method requires only a polynomial modulus, we develop a critical algebraic analysis over noise growth, which might be of independent interest. Overall, the framework yields an amortized complexity \(\tilde{O}(\lambda ^{0.75})\) FHE multiplications, where \(\lambda \) is the security parameter. This improves the prior methods of AP14/FHEW/TFHE, which required \(O(\lambda )\) FHE multiplications in amortization.

Developing many substantial new techniques based on the foundation of this work, the sequel (Bootstrapping II, Eurocrypt 2023) shows how to further improve the recursive bootstrapping method of MS18 (Micciancio and Sorrell, ICALP 2018), yielding a substantial theoretical improvement that can potentially lead to more practical methods.

Notes

  1. Homomorphic computation refers to the ability to compute on ciphertexts (encrypted data). A fully homomorphic encryption scheme supports general homomorphic computation, i.e., computation of any arbitrary function.

  2. More precisely, the computation should be denoted as \(\textsf{Eval} (\textsf{Dec} (\textsf{ct}, \cdot ), \textsf{Enc} (\textsf{sk}))\). By correctness, the output ciphertext should belong to \(\textsf{Enc} (m)\), though perhaps distributed differently from a fresh ciphertext.

  3. The work [4] sets \(q = \tilde{O}(\lambda )\). If we use a randomized rounding for the modulus switch, q can be further reduced to \(\tilde{O}(\sqrt{n}) = \tilde{O}(\sqrt{\lambda })\).

  4. The cyclotomic polynomial would be of a different form if q is not a power of two. Here we use this setting for simplicity of exposition, but note that our framework works for general cyclotomic rings.

  5. We abuse the notation in the subscript by using the rings for simplicity. Precisely, this should be \(\textsf{Tr}_{K/\mathbb {Q}}\) where K is the number field for which \(\mathcal {R}\) is its ring of integers.

  6. We notice that \(\mathcal {R}_2\) is used to denote a second ring in our framework. To avoid notation overloading, we use \(\mathcal {R}/2\mathcal {R}\) to denote \(\mathcal {R}\) modulo 2.

  7. Here we use the same function name as the above, where the input type specifies which function the call refers to.

  8. For small d's, the Hoisting technique [22] can be used to improve efficiency.

  9. In the full version of this work, we present how to achieve such a q.

  10. For any \((\boldsymbol{s}, \boldsymbol{a}) \in \mathbb {Z}_q^n \times \mathbb {Z}_q^n\), \(\langle \boldsymbol{s}, \boldsymbol{a}\rangle = \langle \boldsymbol{s}', \boldsymbol{a}'\rangle \) where \(\boldsymbol{a}' \in \mathbb {Z}_q^{n\log q}\) is the powers-of-two expansion of \(\boldsymbol{a}\) and \(\boldsymbol{s}'\in \mathbb {Z}_q^{n\log q}\) is the bit-decomposition of \(\boldsymbol{s}\). Using this insight, it is without loss of generality to consider only binary secret vectors in the bootstrapping task. Some practical optimizations, e.g., [6, 13, 17, 28], use binary or ternary LWE, so that the secret vector \(\boldsymbol{s}\) is set directly to binary or ternary. In this case, there is no need to blow up the dimension of \(\boldsymbol{a}\).
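
Note 10's reduction to binary secrets, as an added example (not code from the paper): a toy LWE ciphertext under an arbitrary secret is rewritten as one under the bit-decomposed secret, and both have the same phase \(\langle \boldsymbol{s}, \boldsymbol{a}\rangle \bmod q\). The parameters n = 8 and q = 1024, the noise bound, the bit encoding at q/2 and all function names are assumptions chosen for illustration; they are far too small to be secure.

```python
import random

def bit_decompose(s, q):
    """s' in {0,1}^(n*k): k = ceil(log2 q) bits per entry of s, least significant first."""
    k = (q - 1).bit_length()
    return [((x % q) >> j) & 1 for x in s for j in range(k)]

def powers_of_two(a, q):
    """a' in Z_q^(n*k): (a_i, 2*a_i, ..., 2^(k-1)*a_i) mod q for each entry of a."""
    k = (q - 1).bit_length()
    return [(x << j) % q for x in a for j in range(k)]

def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q

def lwe_encrypt(m, s, q, rng, noise=2):
    """Toy LWE encryption of a bit m: (a, b = <s,a> + e + m*floor(q/2)) mod q."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-noise, noise)
    return a, (inner(s, a, q) + e + m * (q // 2)) % q

def lwe_decrypt(a, b, s, q):
    """Recover the bit by rounding b - <s,a> to the nearest multiple of q/2."""
    d = (b - inner(s, a, q)) % q
    return 1 if q // 4 <= d < 3 * q // 4 else 0

def to_binary_secret(a, b, s, q):
    """Same ciphertext, re-expressed under the binary secret s' (dimension n*log q)."""
    return powers_of_two(a, q), b, bit_decompose(s, q)

def demo(seed=1, n=8, q=1024):
    rng = random.Random(seed)  # constructed toy parameters, not secure sizes
    s = [rng.randrange(q) for _ in range(n)]  # arbitrary (non-binary) secret
    results = []
    for m in (0, 1, 1, 0):
        a, b = lwe_encrypt(m, s, q, rng)
        a2, b2, s2 = to_binary_secret(a, b, s, q)
        same_phase = inner(s, a, q) == inner(s2, a2, q)
        # (plaintext, decryption under s', phases agree, new dimension)
        results.append((m, lwe_decrypt(a2, b2, s2, q), same_phase, len(a2)))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The dimension grows from n to n·log q (8 to 80 here), which is the blow-up the note says binary or ternary LWE avoids.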

References

  1. Abla, P., Liu, F.-H., Wang, H., Wang, Z.: Ring-based identity based encryption – asymptotically shorter MPK and tighter security. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13044, pp. 157–187. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_6

  2. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

  3. Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time. In Canetti and Garay [10], pp. 1–20 (2013)

  4. Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17

  5. Bonnoron, G., Ducas, L., Fillinger, M.: Large FHE gates from tensored homomorphic accumulator. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 217–251. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_13

  6. Bonte, C., Iliashenko, I., Park, J., Pereira, H.V., Smart, N.P.: FINAL: Faster FHE instantiated with NTRU and LWE. Cryptology ePrint Archive, Report 2022/074 (2022). https://eprint.iacr.org/2022/074

  7. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press (2013)

  8. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press (2011)

  9. Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) ITCS 2014, pp. 1–12. ACM (2014)

  10. Canetti, R., Garay, J.A. (eds.): LNCS, vol. 8042. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4

  11. Chen, H., Dai, W., Kim, M., Song, Y.: Efficient homomorphic conversion between (ring) LWE ciphertexts. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12726, pp. 460–479. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78372-3_18

  12. Cheon, J.H., Kim, A., Kim, M., Song, Y.S.: Homomorphic encryption for arithmetic of approximate numbers. In Takagi and Peyrin [35], pp. 409–437 (2017)

  13. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. Part I, volume 10031 of LNCS, pp. 3–33. Springer, Heidelberg (2016)

  14. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi and Peyrin [35], pp. 377–408 (2017)

  15. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020)

  16. Chillotti, I., Ligier, D., Orfila, J.-B., Tap, S.: Improved programmable bootstrapping with larger precision and efficient arithmetic circuits for TFHE. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 670–699. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_23

  17. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24

  18. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press (2009)

  19. Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 1–16. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_1

  20. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti and Garay [10], pp. 75–92 (2013)

  21. Halevi, S., Shoup, V.: Bootstrapping for HElib. Cryptology ePrint Archive, Report 2014/873 (2014). https://eprint.iacr.org/2014/873

  22. Halevi, S., Shoup, V.: Faster homomorphic linear transformations in HElib. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 93–120. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_4

  23. Lee, Y., et al.: Efficient FHEW bootstrapping with small evaluation keys, and applications to threshold homomorphic encryption. Cryptology ePrint Archive, Paper 2022/198 (2022). https://eprint.iacr.org/2022/198

  24. Liu, F.-H., Wang, H.: Batch bootstrapping II: bootstrapping in polynomial modulus only requires \(\tilde{O}(1)\) FHE multiplications in amortization. In: Eurocrypt (2023)

  25. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  26. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3

  27. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  28. Micciancio, D., Polyakov, Y.: Bootstrapping in FHEW-like cryptosystems. In: WAHC 2021: Proceedings of the 9th on Workshop on Encrypted Computing & Applied Homomorphic Cryptography, Virtual Event, Korea, 15 November 2021, pp. 17–28. WAHC@ACM (2021)

  29. Micciancio, D., Sorrell, J.: Ring packing and amortized FHEW bootstrapping. In: Chatzigiannakis, I., Kaklamanis, C., Marx, D., Sannella, D. (eds.) ICALP 2018, vol. 107 of LIPIcs, pp. 100:1–100:14. Schloss Dagstuhl (2018)

  30. Peikert, C.: How (not) to instantiate ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_22

  31. Peikert, C., Pepin, Z.: Algebraically structured LWE, revisited. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 1–23. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_1

  32. Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: Hatami, H., McKenzie, P., King, V. (eds.) 49th ACM STOC, pp. 461–473. ACM Press (2017)

  33. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005)

  34. Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation (1978)

  35. Takagi, T., Peyrin, T. (eds.): LNCS, vol. 10624. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8

  36. Vaikuntanathan, V.: Homomorphic encryption references. https://people.csail.mit.edu/vinodv/FHE/FHE-refs.html

Acknowledgement

The authors would like to thank anonymous reviewers for their insightful comments that significantly helped improve the presentation. Feng-Hao Liu is supported by NSF CNS-1942400. Han Wang is supported by the National Key R&D Program of China under Grant 2020YFA0712303 and State Key Laboratory of Information Security under Grant TC20221013042.

Corresponding author

Correspondence to Han Wang.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Liu, FH., Wang, H. (2023). Batch Bootstrapping I: A New Framework for SIMD Bootstrapping in Polynomial Modulus. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14006. Springer, Cham. https://doi.org/10.1007/978-3-031-30620-4_11

  • DOI: https://doi.org/10.1007/978-3-031-30620-4_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30619-8

  • Online ISBN: 978-3-031-30620-4

  • eBook Packages: Computer Science, Computer Science (R0)
