
Bridges Connecting Encryption Schemes

  • Conference paper
Innovative Security Solutions for Information Technology and Communications (SecITC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13809))


Abstract

The present work investigates a type of morphisms between encryption schemes, called bridges. By associating an encryption scheme to every such bridge, we define and examine their security. Inspired by the bootstrapping procedure used by Gentry to produce fully homomorphic encryption schemes, we exhibit a general recipe for the construction of bridges. Our main theorem asserts that the security of a bridge reduces to the security of the first encryption scheme together with a technical additional assumption.


References

  1. Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17

  2. Awodey, S.: Category Theory, 2nd edn. Oxford University Press, Oxford (2010)

  3. Barcau, M., Paşol, V., Pleşca, C.: Monoidal encryption over \((\mathbb{F}_2,\cdot )\). In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 504–517. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12942-2_37

  4. Boura, C., Gama, N., Georgieva, M., Jetchev, D.: CHIMERA: combining ring-LWE-based fully homomorphic encryption schemes. J. Math. Cryptol. 14(1), 316–338 (2020)

  5. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory 6(13(3)), 1–36 (2014)

  6. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50

  7. Castagnos, G., Imbert, L., Laguillaumie, F.: Encryption switching protocols revisited: switching modulo p. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 255–287. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_9

  8. certSIGN RD: CSGN GitHub repository. https://github.com/certFHE/CSGN. Accessed 20 May 2021

  9. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33, 34–91 (2020)

  10. Cohen, A.: What about bob? The inadequacy of CPA security for proxy reencryption. PKC (2), 287–316 (2019)

  11. Couteau, G., Peters, T., Pointcheval, D.: Encryption switching protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 308–338. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_12

  12. Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22

  13. Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Pasta: a case for hybrid homomorphic encryption. In: Cryptology ePrint Archive (2021)

  14. Dodis, Y., Ivan, A.: Proxy cryptography revisited. In: Proceedings of the Tenth Network and Distributed System Security Symposium, February 2003

  15. Dottling, N., Nishimaki, R.: Universal Proxy Re-Encryption, Cryptology ePrint Archive, Report 2018/840, to appear in PKC ’21

  16. Fan, J., Vercauteren, F.: Somewhat Practical Fully Homomorphic Encryption, IACR Cryptol. ePrint Arch., vol. 2012, p. 144 (2012)

  17. Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009)

  18. Gentry, C.: Computing arbitrary functions of encrypted data. Commun. ACM 53(3), 97–105 (2010)

  19. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

  20. Goldreich, O.: A note on computational indistinguishability. Inf. Process. Lett. 34(6), 277–281 (1990)

  21. Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC 1982: Proceedings of the fourteenth annual ACM symposium on Theory of computing, pp. 365–377. Association for Computing Machinery, New York, NY (1982)

  22. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  23. HElib library homepage: An Implementation of homomorphic encryption by Halevi and Shoup. https://github.com/shaih/HElib/

  24. Redmond, W.A.: Microsoft Research, Microsoft SEAL (release 3.6), November 2020. https://github.com/Microsoft/SEAL

  25. Sander, T., Young, A., Yung, M.: Non-interactive crypto computing for \(NC^1\). In: FOCS 1999: Proceedings of the 40th Annual Symposium on Foundations of Computer Science, pp. 554–566. IEEE Computer Society, NW Washington, DC, United States (1999)

  26. Smart, N.: Cryptography Made Simple. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-21936-3

Acknowledgements

The authors are indebted to George Gugulea and Mihai Togan for helpful discussions and comments during the preparation of this work. We are also grateful to the anonymous reviewers for useful suggestions.

Corresponding author

Correspondence to George C. Ţurcaş.

Appendices

A Examples of Gentry Bridges

The aim of this appendix is to emphasize the fact that, for an encryption scheme \(\mathscr {S}\), different representations for the decryption algorithm \(\textrm{Dec}_{\mathscr {S}}\) give rise to different bridges from \(\mathscr {S}\) to a FHE scheme \(\mathscr {H}\). For practical applications, one can select the representation that best suits the implementation of the desired application. Having this in mind, we chose to exhibit the encryption scheme CSGN introduced in [3] and implemented in [8], whose decryption algorithm admits at least four fundamentally different representations. We shall refrain from discussing the security of these bridges, because the security of the CSGN scheme is not entirely understood.

A.1 Description of the CSGN Scheme

We give a brief description of the CSGN scheme. For more details regarding the parameter selection, we refer to [3]. The plaintext space is the field \({\mathbb {F}}_2\) and the ciphertext space of this scheme is \({\mathbb {F}}_2^n\) with the monoid structure defined by component-wise multiplication. A simplified version of the scheme is defined as follows.

  • \(\textrm{KeyGen}_\textrm{CSGN}(1^{\lambda })\): Choose dimension parameters n, d and s of size \(\textrm{poly}(\lambda )\), a uniformly random subset S of \(\{1,2, \dots , n \}\) of size s, and a finite distribution X on \(\{1, 2, ..., d\}\) according to [3]. Set the secret key sk to be the characteristic function of S, viewed as a bit vector.

  • \(\textrm{Enc}_\textrm{CSGN}\): To encrypt 0, choose first \(k \in \{1, 2, ..., d\}\) according to X and then choose uniformly at random d numbers \(i_1, \dots , i_d\) from the set \(\{1, 2, \dots , n \}\), such that exactly k of them are in S. Finally, output the vector in \({\mathbb {F}}_2^n\) whose components corresponding to the indices \(i_1\), \(\dots \), \(i_d\) are equal to 0 and the others are equal to 1. To encrypt 1, choose uniformly at random d numbers \(i_1, \dots , i_d\) from the set \(\{1, 2, \dots , n \}\), such that none of them is in S, and output the resulting vector in \({\mathbb {F}}_2^n\) as before.

  • \(\textrm{Dec}_{\textrm{CSGN}}\): To decrypt a ciphertext c using the secret key sk, output 0 if c has at least one component equal to 0 corresponding to an index from S, and 1 otherwise.

The output of the decryption algorithm can be written as

$$ \textrm{Dec}_\textrm{CSGN}(sk,c) = \prod _{i \in S} c_i. $$

Notice that the decryption map is a homomorphism of monoids from \(({\mathbb {F}}_2^n, \cdot )\) to the monoid \(({\mathbb {F}}_2, \cdot )\) with the usual multiplication.

In what follows, we present four variants of bridges from the CSGN scheme, denoted by \(\mathscr {S}\), to various FHE schemes. The latter are going to be denoted by \(\mathscr {H}\). Also, the pairing \(\langle \cdot , \cdot \rangle : R^n \times R^n \rightarrow R\) will always be the standard inner product over the ring R.

A.2 \(1^{\text {st}}\) Bridge

Let \(\mathscr {H}\) be any FHE scheme with plaintext space the field with two elements; hence, the map \(\iota \) is the identity map. The secret key \(sk_{\mathscr {S}}\) can be represented by the n-dimensional standard vectors \(e_i\), where \(i \in S\). The bridge key generation algorithm encrypts each entry of the vectors \(e_i\), \(i \in S\) using \(pk_{\mathscr {H}}\) to obtain the bridge key \( bk = \{\widetilde{e_1},..., \widetilde{e_s}\}\), a set of vectors consisting of the aforementioned encryptions.

We remark that the decryption algorithm of \(\mathscr {S}\) may be written as

$$\begin{aligned} \textrm{Dec}_{\mathscr {S}}(sk_{\mathscr {S}},c) = \prod _{i \in S} \langle c,e_i \rangle , \end{aligned}$$

so that the bridge algorithm f is as follows:

$$\begin{aligned} f(bk,c) = \prod _{i=1}^{s} \langle c,\widetilde{e_i} \rangle = \prod _{i=1}^{s} \left( \sum _{c[j] =1} \tilde{e_i}[j] \right) . \end{aligned}$$

For simplicity, we chose the trivial encryptions as the encryptions of the bits of c with \(\mathscr {H}\).

A.3 \(2^{\text {nd}}\) Bridge

We are in the same setting as before, where both plaintext spaces are \({\mathbb {F}}_2\). Recall that the secret key \(sk_{\mathscr {S}}\) is the characteristic function of the set S, represented as an n-dimensional bit vector. Then, the decryption of \(\mathscr {S}\) can be alternatively written as

$$\begin{aligned} \textrm{Dec}_{\mathscr {S}}(sk_{\mathscr {S}},c) = \prod _{i = 1}^n \Big (1 - (1- c[i]) sk_{\mathscr {S}}[i] \Big ) = \prod _{c[i] = 0} (1 - sk_{\mathscr {S}}[i]) . \end{aligned}$$

The bridge key bk is constructed as \(bk:=\{\widetilde{sk_{\mathscr {S}}}[1], ..., \widetilde{sk_{\mathscr {S}}}[n]\}\), where for every i, \(\widetilde{sk_{\mathscr {S}}}[i]\) is an encryption of \(1-sk_{\mathscr {S}}[i]\) under \(pk_{\mathscr {H}}\). Finally, the bridge is given by

$$\begin{aligned} f(bk,c) = \prod _{c[i] = 0} \widetilde{sk_{\mathscr {S}}}[i]. \end{aligned}$$

Remark 6

The last formula shows that this bridge can be constructed even if the scheme \(\mathscr {H}\) is homomorphic only with respect to multiplication. For example, it can be used when \(\mathscr {H}= \mathscr {S}\) obtaining something that resembles the key-switching technique in some FHE schemes.

A.4 \(3^{\text {rd}}\) Bridge

Here, the scheme \(\mathscr {H}\) can be any FHE scheme with plaintext space the finite field \(\mathbb {F}_p\), where p is a prime (for example the BGV and B/FV schemes, see [5, 6] and [16]).

The bridge key generation algorithm instantiates \(\textrm{KeyGen}_{\mathscr {S}}(1^\lambda )\) and then \(\textrm{KeyGen}_{\mathscr {H}}(1^{\lambda })\), assuring that the characteristic of \(\mathscr {P}_{\mathscr {H}}\) is larger than the Hamming weight of \(sk_{\mathscr {S}}\), that is \(p> s\). It then chooses positive integers \(x_1, ..., x_s\) such that \(p= 1 + x_1+ \dots + x_s\), and fixes a bijection \(\varphi : S \rightarrow \{1, ..., s\}\). Consider the vector \(sk \in \mathbb {F}_p^n\), where \(sk[i]=0\) if \(sk_{\mathscr {S}}[i]=0\) and \(sk[i]=x_{\varphi (i)}\), otherwise. For every \(i \in \{1,\dots ,n \}\), write \(\widetilde{sk}[i]\) for an encryption of sk[i] under \(pk_{\mathscr {H}}\). In this case, the bridge key bk is the set of \(\mathscr {H}\) encryptions \(bk=\{\widetilde{sk}[1], \dots , \widetilde{sk}[n] \}.\)

We remark that if \(\iota : \mathbb {F}_2 \hookrightarrow \mathbb {F}_p\) denotes the usual embedding, then the decryption of \(\mathscr {S}\) satisfies

$$\begin{aligned} \textrm{Dec}_{\mathscr {S}}(sk_{\mathscr {S}},c) = \iota ^{-1} \Big ( 1 - \big (1 + {{\,\mathrm{\langle }\,}}c, sk \rangle _{\mathbb {F}_p}\big )^{p-1}\Big ). \end{aligned}$$

The bridge map is defined as

$$\begin{aligned} f(bk,c) = \textrm{Enc}_{\mathscr {H}}(pk_{\mathscr {H}},1) - \left( \textrm{Enc}_{\mathscr {H}}(pk_{\mathscr {H}},1) + \sum _{c[i]=1} \widetilde{sk}[i] \right) ^{p-1}, \end{aligned}$$

where the additions, subtractions and exponentiation on the right hand side are homomorphic operations on the ciphertexts of \(\mathscr {H}\).

Remark 7

As mentioned in the discussion following Definition 3, one can develop a theory of bridges for which the plaintext spaces of the two encryption schemes vary with \(\lambda \) along the same lines. The bridge constructed here falls in this category because the plaintext space of \(\mathscr {H}\) is chosen after the size of the secret key is selected, as part of the Setup/KeyGen algorithm.

A.5 \(4^{\text {th}}\) Bridge

This bridge is based on an idea used in [1] for the bootstrapping procedure of the GSW scheme. Notice that if c is a ciphertext in \(\mathscr {S}\), encrypted using \(pk_{\mathscr {S}}\), then c decrypts to 1 if and only if the inner product \(\langle c, sk_{\mathscr {S}} \rangle _{\mathbb {Z}} = s\), namely

$$\begin{aligned} \textrm{Dec}_{\mathscr {S}}(sk_{\mathscr {S}},c) = [{{\,\mathrm{\langle }\,}}c, sk_{\mathscr {S}} \rangle _{\mathbb {Z}}=s], \end{aligned}$$

where \([x=y]\) is, as before, the equality test.

We observe that in the computation of the inner product \({{\,\mathrm{\langle }\,}}c, sk_{\mathscr {S}}\rangle _{\mathbb {Z}}\) one uses only the additive structure of \(\mathbb {Z}\) (also \(\mathbb {Z}_m\) with \(m > s\) would be sufficient for our purposes). To find a representation of the cyclic group \((\mathbb {Z}_m, +)\), one needs first to embed it into the symmetric group \(\mathfrak {S}_m\). The generator \(1 \in \mathbb {Z}_m\) is sent by this injective homomorphism to the cyclic permutation \(\pi _1 \in \mathfrak {S}_m\), defined as \(\pi _1(i)=i+1\) for \(1 \le i < m\) and \(\pi _1(m)=1\). On the other hand, the group \(\mathfrak {S}_m\) is isomorphic to the multiplicative group of m-by-m permutation matrices, that is matrices with 0 or 1 entries, having exactly one nonzero element in each row and each column. The isomorphism maps the permutation \(\pi \in \mathfrak {S}_m\) to the matrix \(M_{\pi } = [e_{\pi (1)}, ..., e_{\pi (m)}]\), where \(e_i \in \{0, 1\}^m\) is the \(i^{\text {th}}\) standard basis vector. The composition of these two homomorphisms gives us an embedding for the cyclic group \((\mathbb {Z}_m, +)\). For implementation purposes, it is good to notice that the permutation matrices in the image of this embedding can be represented more compactly by just their first column, because the remaining columns are just the successive cyclic shifts of this column.

Let us explain how the bridge is constructed. Let \(m=s+1\) and take \(sk = (sk[1], ..., sk[n])\) to be the aforementioned representation of the secret key \(sk_{\mathscr {S}}\), that is \(sk[i] = M_{\pi _1}\) if \(sk_{\mathscr {S}}[i]=1\) and sk[i] is the identity matrix otherwise. Set \(\widetilde{sk}[i]\) to be an encryption of sk[i] under \(pk_{\mathscr {H}}\) for all \(i \in \overline{1, n}\), meaning that we encrypt with \(\mathscr {H}\) each entry of the matrix sk[i]. The bridge key bk consists of \(\{ \widetilde{sk}[1], \dots , \widetilde{sk}[n]\}\).

The algorithm f takes as input bk and c and computes the matrix

$$\begin{aligned} P^c := \prod _{c[i] = 1} \widetilde{sk}[i], \end{aligned}$$

where the right hand side is a product of encrypted matrices, performed homomorphically in \(\mathscr {C}_{\mathscr {H}}\). We remark that the last entry of the first row of \(P^c\) is an encryption of the value returned by the equality test \([{{\,\mathrm{\langle }\,}}c, sk_{\mathscr {S}} \rangle _{\mathbb {Z}}=s]\). Consequently, we let the output of the bridge map be

$$\begin{aligned} f(bk,c) := P^c_{1,s+1}. \end{aligned}$$
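The four representations of \(\textrm{Dec}_{\mathscr {S}}\) from A.2 to A.5 can be checked against the product formula of A.1 with the following Python sketch. It is an added example, not the authors' code or the CSGN library: \(\mathscr {H}\) is replaced by the identity on plaintexts, so only the algebra of each bridge is exercised, the distribution X is assumed uniform, indices are 0-based, and all parameters and function names are constructed for illustration.

```python
import random

rng = random.SystemRandom()

def keygen(n, s):
    """Secret set S (0-based indices) and its characteristic bit vector sk."""
    S = sorted(rng.sample(range(n), s))
    return S, [1 if i in S else 0 for i in range(n)]

def encrypt(bit, S, n, d):
    """CSGN encryption; the distribution X is ASSUMED uniform on {1..d}."""
    outside = [i for i in range(n) if i not in S]
    k = 0 if bit == 1 else rng.randint(1, d)      # zeroed indices inside S
    zeros = [rng.choice(S) for _ in range(k)]
    zeros += [rng.choice(outside) for _ in range(d - k)]
    c = [1] * n
    for i in zeros:
        c[i] = 0
    return c

def multiply(c1, c2):
    """Component-wise product, the monoid operation on ciphertexts."""
    return [a * b for a, b in zip(c1, c2)]

def dec(S, c):
    """Reference decryption from A.1: product of c_i over i in S."""
    out = 1
    for i in S:
        out *= c[i]
    return out

def next_prime(s):
    """Smallest prime p > s, as required by the third bridge."""
    p = s + 1
    while p < 2 or any(p % q == 0 for q in range(2, int(p ** 0.5) + 1)):
        p += 1
    return p

def bridge1(S, c):
    """A.2: product over i in S of <c, e_i>, computed in F_2."""
    bk = [[1 if j == i else 0 for j in range(len(c))] for i in S]
    out = 1
    for e in bk:
        out = out * (sum(e[j] for j in range(len(c)) if c[j] == 1) % 2) % 2
    return out

def bridge2(sk, c):
    """A.3: bk[i] stands for 1 - sk[i]; multiply those with c[i] == 0."""
    bk = [1 - b for b in sk]
    out = 1
    for i, ci in enumerate(c):
        if ci == 0:
            out = out * bk[i] % 2
    return out

def bridge3(S, c):
    """A.4: 1 - (1 + <c, sk>)^(p-1) in F_p, with p = 1 + x_1 + ... + x_s."""
    s, p = len(S), next_prime(len(S))
    xs = [1] * s
    for _ in range(p - 1 - s):                    # random positive x_i
        xs[rng.randrange(s)] += 1
    bk = [0] * len(c)
    for x, i in zip(xs, S):
        bk[i] = x
    acc = (1 + sum(bk[i] for i in range(len(c)) if c[i] == 1)) % p
    return (1 - pow(acc, p - 1, p)) % p

def cyclic_product(u, v):
    """Product of two cyclic-shift matrices given by their first columns."""
    m = len(u)
    return [sum(u[a] * v[(k - a) % m] for a in range(m)) % 2 for k in range(m)]

def bridge4(sk, c):
    """A.5: compact first-column form of the permutation matrices, m = s + 1."""
    m = sum(sk) + 1
    ident = [1] + [0] * (m - 1)                   # represents 0 in Z_m
    shift = [0, 1] + [0] * (m - 2)                # represents 1 in Z_m
    acc = ident
    for b, ci in zip(sk, c):
        if ci == 1:
            acc = cyclic_product(acc, shift if b else ident)
    return acc[m - 1]                             # 1 exactly when <c, sk> = s

def evaluate_bridges(S, sk, c):
    return bridge1(S, c), bridge2(sk, c), bridge3(S, c), bridge4(sk, c)

if __name__ == "__main__":
    S, sk = keygen(64, 8)
    for bit in (0, 1):
        c = encrypt(bit, S, 64, 6)
        print(bit, dec(S, c), evaluate_bridges(S, sk, c))
```

Only additions and multiplications in the target plaintext ring are used inside each bridge function, which is what a homomorphic evaluation in \(\mathscr {H}\) would have available.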

B Entangled Encryption Schemes

Informally, we say that two encryption schemes \(\mathscr {S}\) and \(\mathscr {H}\) are entangled if there is a bridge with empty bridge key from one to another.

In this appendix we give an example of such a bridge. In this example, the secret keys of \(\mathscr {S}\) and \(\mathscr {H}\) are identical.

We believe that whenever two encryption schemes \(\mathscr {S}\) and \(\mathscr {H}\) are entangled, there is a relation between the ensembles of distributions of their secret keys. We regard this as an interesting question for future research.

The presented bridge does not follow Gentry’s recipe. We start by recalling the Goldwasser-Micali and Sander-Young-Yung encryption schemes. A bridge from the former to the latter is then presented. The presentation is followed by an interesting application of this bridge.

B.1 Goldwasser-Micali Cryptosystem

The Goldwasser-Micali encryption scheme is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in [22]. If p, q are two primes and \(N = p \cdot q\), then let \(J_1(N):=\{ x \in (\mathbb {Z}/ N \mathbb {Z})^\times | \left( \frac{x}{N} \right) = 1 \}\) be the multiplicative group of invertible integers modulo N with Jacobi symbol equal to 1. The GM-encryption scheme \((\mathbb {Z}/2\mathbb {Z}, J_1(N), \textrm{KeyGen}_{GM}, \textrm{Enc}_{GM}, \textrm{Dec}_{GM})\) is given as follows:

  • KeyGen(\(1^{\lambda }\)): Choose two primes \(p=p(\lambda ), q=q(\lambda )\) of size \(\lambda \) and let \(N=pq\). Choose \(\eta \in (\mathbb {Z}/N\mathbb {Z})^\times \) such that \(\left( \frac{\eta }{p} \right) = \left( \frac{\eta }{q} \right) = -1\), which yields that \(\eta \in J_1(N)\). The public key is the pair \((N, \gamma :=\eta \cdot u^ 2),\) where u is a random element of \((\mathbb {Z}/ N \mathbb {Z})^\times \). The secret key is the pair (p, q).

  • Enc: To encrypt \(m \in \mathbb {Z}/2 \mathbb {Z}\), choose a random \(\xi \in \mathbb {Z}/ N \mathbb {Z}\) and let \(\textrm{Enc}_{GM}(m)= \gamma ^m \xi ^2\).

  • Dec: To decrypt \(c \in J_1(N)\), compute the Jacobi symbol \(\left( \frac{c}{p} \right) \). Set \(\textrm{Dec}_{GM}(c)=0\) if the answer is 1 and \(\textrm{Dec}_{GM}(c) = 1\) if the answer is \(-1\).

The GM-encryption scheme is homomorphic with respect to addition in \(\mathbb {Z}/2\mathbb {Z}\) and multiplication in \(J_1(N)\), i.e.

$$\begin{aligned} \textrm{Dec}_{GM}(c_1 \cdot c_2) = \textrm{Dec}_{GM}(c_1) + \textrm{Dec}_{GM}(c_2) \end{aligned}$$

for all \(c_1, c_2 \in J_1(N)\).

B.2 The Sander-Young-Yung Cryptosystem

In this part of the appendix we present a homomorphic encryption scheme over the multiplicative monoid \((\mathbb {Z} / 2 \mathbb {Z}, \cdot )\) introduced in [25]. To describe the scheme we shall use the encryption scheme of Goldwasser-Micali, which was recalled above.

  • Keygen(\(1^{\lambda }\)): Choose two primes \(p=p(\lambda )\), \(q=q(\lambda )\) as in the Goldwasser-Micali scheme. Choose \(\ell = \ell (\lambda )\) of size \(\varTheta (\lambda )\). Compute \(N=pq\). The public key and secret keys are the same as in the Goldwasser-Micali scheme.

  • Enc: If \(m=1\) set \(v = (0, ..., 0) \in \{0, 1\}^{\ell }\). If \(m=0\) set \(v = (v_1,...,v_{\ell }) \in \{0, 1\}^{\ell }\), where the components \(v_i\) are randomly chosen in \(\{0, 1\}\), not all equal to 0. Encrypt each component of v with the Goldwasser-Micali scheme to get a vector in \(\mathscr {C}_{SYY}:= J_1(N)^{\ell }\).

  • Dec: To recover the plaintext from the ciphertext \(c \in \mathscr {C}\), first decrypt each component of c using the decryption algorithm of the Goldwasser-Micali scheme, and then if the obtained vector is the 0-vector the message decrypts to 1, else to 0.

Let us describe an operation \(\odot \) on the ciphertext space \(\mathscr {C}_{SYY}\). If x and y are two ciphertexts then \(z:= x \odot y\) is defined as follows:

  1. Choose uniformly at random two \(\ell \times \ell \) matrices over \(\mathbb {Z}/2 \mathbb {Z}\) until two nonsingular matrices \(A=(a_{ij})\) and \(B=(b_{ij})\) are found.

  2. If \(x=(x_1, ..., x_{\ell })\), \(y=(y_1, ..., y_{\ell })\), then compute

    $$ z_i = \displaystyle {\prod _{j, a_{ij}=1} x_j \cdot \prod _{j, b_{ij}=1} y_j} $$

    for all i.

  3. Pick uniformly at random \(r_1, ..., r_{\ell } \in (\mathbb {Z}/ N \mathbb {Z})^\times \) and set \(z= (z_1 r_1^2,..., z_{\ell } r_{\ell }^2)\).

Let us denote by \(v_c\) the bit vector obtained by applying the decryption algorithm of the Goldwasser-Micali scheme componentwise to the ciphertext \(c \in \mathscr {C}\). If \(z:= x \odot y\) then Step 2 above is equivalent to:

$$\begin{aligned} v_z= A v_x + B v_y, \end{aligned}$$

where the operations are the usual addition and multiplication in \(\mathbb {Z}/ 2\mathbb {Z}\). Notice that \(\textrm{Dec}_{SYY}(z) \ne \textrm{Dec}_{SYY}(x) \cdot \textrm{Dec}_{SYY}(y)\) if and only if \(A v_x + B v_y = \textbf{0}\) (here \(\textbf{0}\) is the zero vector in \((\mathbb {Z} / 2\mathbb {Z})^{\ell }\)), and \(v_x \ne \textbf{0}\), \(v_y \ne \textbf{0}\). Since \(v_x \ne \textbf{0}\) and A is nonsingular, the product \(A v_x\) can be any nonzero vector in \((\mathbb {Z} / 2\mathbb {Z})^{\ell }\), and in fact any such vector occurs with the same probability. Of course, the same is true for \(B v_y\) such that the situation described above occurs with probability \(\le \dfrac{1}{2^{\ell }}\). In other words, except with exponentially small probability, we have that

$$\begin{aligned} \textrm{Dec}_{SYY} (x \odot y) = \textrm{Dec}_{SYY}(x) \cdot \textrm{Dec}_{SYY}(y). \end{aligned}$$

B.3 A Bridge from GM to SYY

Here, we construct a bridge from the Goldwasser-Micali encryption scheme to the Sander-Young-Yung encryption scheme. After generating a secret key (p, q) of GM, the key generation algorithm of the bridge sets the same pair (p, q) as the secret key for the SYY encryption scheme. Then, the public keys for the two encryption schemes are generated independently using their respective key generation algorithms. After that, the bridge key generation algorithm does not output anything, i.e. the support of the distribution BK is the empty set.

Now, for \(c \in J_1(N)\), choose uniformly at random a non-singular matrix \(A \in \textrm{GL}_{\ell } (\mathbb {Z} / 2\mathbb {Z})\) and compute

$$\begin{aligned} t_i = \prod _{j, a_{ij}=1} c \gamma ' = \left( c \gamma ' \right) ^{|\{j | a_{ij}=1 \}|} \end{aligned}$$

for all \(i \in \overline{1, \ell }\), where \(\gamma '\) is the second component of the public key of the SYY scheme. Pick uniformly at random \(r_1, \dots , r_{\ell } \in (\mathbb {Z}/ N \mathbb {Z})^{\times }\) and set

$$\begin{aligned} f(c) = (t_1 r_1^2, ..., t_{\ell } r_{\ell }^2). \end{aligned}$$

If \(\textrm{Dec}_{GM}(c) = 1\), then \(\textrm{Dec}_{GM}(c \gamma ') = 0\) so that \(\textrm{Dec}_{GM}(t_i) = 0\), \(\forall i\). Therefore, \(v_{f(c)} = \textbf{0}\) and hence \(\textrm{Dec}_{SYY} (f(c)) = 1\). On the other hand, if \(\textrm{Dec}_{GM}(c) = 0\), then \(\textrm{Dec}_{GM}(c \gamma ') = 1\), and since A is nonsingular there exists \(i \in \overline{1, \ell }\) such that \(\textrm{Dec}_{GM}(t_i) = 1\). We get that \(v_{f(c)} \ne \textbf{0}\), equivalently \(\textrm{Dec}_{SYY} (f(c)) = 0\).

Remark 8

The security of this bridge reduces to the security of the GM scheme (see [22]) using Theorem 2. Indeed, the bridge key distribution is empty, thus trivially polynomial-time constructible on fibers. On the other hand, the security of SYY encryption scheme can be easily reduced to the security of GM (see [25]). Alternatively, one can use Theorem 1 instead of 2. To see this, note that in the notation of Sect. 3, the public key of the scheme attached to this bridge \(PK_{\mathscr {G}_f}\) consists of just GM’s public key and the security of \(GM[PK_{\mathscr {G}_f}]\) is equivalent to the security of GM.

B.4 An Application

As an application of the above bridge we show that the comparison circuit can be evaluated homomorphically. For this, let \(\textbf{x}=(x_1, x_2, ..., x_n)\) and \(\textbf{y}=(y_1, y_2, ..., y_n)\) be two bit vectors. The two vectors coincide if and only if

$$\begin{aligned} (x_1 + y_1 + 1) \cdot ... \cdot (x_n + y_n + 1) = 1, \end{aligned}$$

so that the comparison circuit \([\textbf{x}=\textbf{y}]\) is defined by

$$ [\textbf{x}=\textbf{y}]:=(x_1 + y_1 + 1) \cdot ... \cdot (x_n + y_n + 1). $$

Suppose now that \(\textbf{c} = (c_1, ..., c_n)\) and \(\textbf{d} = (d_1, ..., d_n)\) are encryptions of the vectors \(\textbf{x}\), \(\textbf{y}\) with the Goldwasser-Micali cryptosystem. To homomorphically evaluate the comparison circuit, we compute:

$$\begin{aligned} \textrm{Eval}([\textbf{x}=\textbf{y}], \textbf{c},\textbf{d} \;):= \bigg ( \Big ( \big ( f(c_1 \cdot d_1 \cdot \gamma ) \odot f(c_2 \cdot d_2 \cdot \gamma ) \big ) \odot ... \Big ) \odot f (c_n \cdot d_n \cdot \gamma ) \bigg ). \end{aligned}$$

Notice that \(\textrm{Dec}_{SYY}\left( \textrm{Eval}([\textbf{x}=\textbf{y}], \textbf{c}, \textbf{d} \;) \right) = [\textbf{x}=\textbf{y}]\), except with negligible probability in the security parameter.
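The constructions of B.1 to B.4 (GM, SYY with the operation \(\odot \), the key-less bridge f, and the homomorphic comparison circuit) fit in a short Python sketch. It is an added example, not the authors' implementation: the primes are two small Mersenne primes chosen only so that it runs quickly, \(\ell = 40\), and every function name is an assumption made for illustration.

```python
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
ELL = 40   # SYY vector length; each product fails with probability <= 2**-ELL

def legendre(a, p):
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def rand_unit():
    while True:
        u = secrets.randbelow(N - 1) + 1
        if gcd(u, N) == 1:
            return u

def public_gamma():
    """gamma = eta * u^2, with eta a non-residue modulo both p and q."""
    while True:
        eta = rand_unit()
        if legendre(eta, P) == -1 and legendre(eta, Q) == -1:
            u = rand_unit()
            return eta * u * u % N

def gm_enc(gamma, m):
    xi = rand_unit()
    return pow(gamma, m, N) * xi * xi % N

def gm_dec(c):
    return 0 if legendre(c, P) == 1 else 1

def syy_enc(gamma, m):
    v = [0] * ELL                      # m = 1 is encoded as the zero vector
    while m == 0 and not any(v):       # m = 0 is any nonzero bit vector
        v = [secrets.randbelow(2) for _ in range(ELL)]
    return [gm_enc(gamma, b) for b in v]

def syy_dec(c):
    return 1 if all(gm_dec(ci) == 0 for ci in c) else 0

def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are ELL-bit integers."""
    rows, rank = list(rows), 0
    for bit in range(ELL):
        pivot = next((i for i in range(rank, ELL) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(ELL):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def rand_nonsingular():
    while True:
        rows = [secrets.randbits(ELL) for _ in range(ELL)]
        if gf2_rank(rows) == ELL:
            return rows

def odot(x, y):
    """SYY product: v_z = A v_x + B v_y, followed by re-randomisation."""
    z = []
    for a, b in zip(rand_nonsingular(), rand_nonsingular()):
        zi = 1
        for j in range(ELL):
            if a >> j & 1:
                zi = zi * x[j] % N
            if b >> j & 1:
                zi = zi * y[j] % N
        r = rand_unit()
        z.append(zi * r * r % N)
    return z

def bridge(c, gamma_syy):
    """f(c): t_i = (c * gamma')^(weight of row i of A), times a random square."""
    base, out = c * gamma_syy % N, []
    for row in rand_nonsingular():
        r = rand_unit()
        out.append(pow(base, bin(row).count("1"), N) * r * r % N)
    return out

def eval_equal(cs, ds, gamma_gm, gamma_syy):
    """Left-nested odot of f(c_i * d_i * gamma), as in the Eval formula."""
    acc = None
    for c, d in zip(cs, ds):
        term = bridge(c * d * gamma_gm % N, gamma_syy)
        acc = term if acc is None else odot(acc, term)
    return acc

def compare_encrypted(x, y):
    """Encrypt x and y bitwise with GM, compare under encryption, decrypt."""
    gamma_gm, gamma_syy = public_gamma(), public_gamma()
    cs = [gm_enc(gamma_gm, b) for b in x]
    ds = [gm_enc(gamma_gm, b) for b in y]
    return syy_dec(eval_equal(cs, ds, gamma_gm, gamma_syy))

if __name__ == "__main__":
    print(compare_encrypted([1, 0, 1, 1], [1, 0, 1, 1]))
    print(compare_encrypted([1, 0, 1, 1], [1, 1, 1, 1]))
```

Both public keys are drawn independently over the same secret (p, q), and `bridge` takes no key material beyond the SYY public key, matching the empty bridge key of B.3.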

We end this appendix with the following reflection. When two encryption schemes admit the construction of a bridge which has an empty bridge key, this may be interpreted as some sort of entanglement between the schemes. Along the same line of thought, if one can prove that such a bridge cannot be constructed, the encryption schemes may be regarded as being independent.

C Experiments

We conducted experiments for the bridges described in Appendices A and B. For each of the four different bridges in Appendix A, we compare the results of the homomorphic evaluation of a circuit consisting of only one monomial in the following two ways. First, we encrypt each factor of the monomial and perform the homomorphic multiplications of these factors using the \(\textrm{CSGN}\) scheme. Then, bridges described in Appendix A are applied, in turn, to obtain a ciphertext in a fully (leveled) homomorphic encryption scheme based on (R)LWE. We compare this to the alternative option of evaluating the monomial directly on encryptions in the FHE scheme. If the degree of the monomial is larger than a certain threshold, the first procedure outperforms the second in terms of speed. We identified this threshold for each of the FHE schemes in which we performed experiments.

These computations were carried out on a virtual machine having an Intel CPU (I7-4770, 4 cores, 3.4 GHz, 12 GB RAM), using a single threaded implementation. Table 1 consists of an overview of the processing times for each bridge using the implementations of BGV, BFV and TFHE schemes, namely the HElib [23], SEAL [24] and TFHE [9] software libraries. In the first two columns of the table, one can find the version of the bridge that was implemented, the FHE target scheme and the security parameters for the two schemes. The timings are measured such that all encryptions maintain approximately the same security level \(\lambda \) and listed in the last two columns. The small variation in \(\lambda \) is due to parameter tuning in the different software libraries.

Table 1. Bridge evaluation.

The reason we are missing an implementation for our third bridge using the TFHE library comes from the lack of flexibility in choosing as plaintext space a ring of characteristic \(p>2\) in this library. Additionally, we felt that adapting the TFHE library was beyond the scope of our work. Also, the timing for running the fourth bridge in BGV and BFV could not be measured because of large memory usage, which exceeded the virtual machine RAM. Moreover, regarding the fourth bridge, the implementation is optimized to store only the first column of each associated bit in the secret key, while the matrix multiplications involve only homomorphic algebraic operations on encryptions from the first column of the matrices.

Fig. 2. The first and second bridges.

There is no doubt that homomorphically evaluating a circuit whose polynomial representation has a large number of monomials of low degree using the bridge is inefficient and there is little hope for optimizations in terms of speed. However, if some monomials have large degree, one might choose to do so, because first performing multiplications in the CSGN scheme, followed by additions in the (R)LWE setting might result in lower noise growth. Moreover, by increasing the multiplicative depth of the circuit, we observe that its evaluation is faster using the bridge than evaluating the circuit entirely in the (R)LWE schemes. This can be observed in the figures below.

Since the multiplication in the CSGN scheme is inexpensive, the evaluation time in the bridge using BGV, BFV and TFHE is almost constant as it essentially consists only of the evaluation time of the bridge algorithm for one CSGN ciphertext. Small variations in execution time for the bridge are due to the CPU scheduling process. The drops in evaluation times occur when the instruction-specific and data-specific cache at different levels in the CPU is filled with numerous repetitive instructions. The timings for evaluating the circuit entirely in the BGV or BFV scheme grow linearly with the degree of the monomial. We notice that in the TFHE case, the running time of the evaluation starts growing exponentially in the number of multiplications, at some point. This is explained by the fact that the TFHE software library goes automatically into bootstrapping, whereas in the HElib and SEAL software libraries we can choose parameters in which one can evaluate the circuit without the costly bootstrapping procedure (Figs. 2 and 3).

Fig. 3. The third bridge - BGV & BFV.

Table 2. Homomorphic evaluation of comparison circuit using GM-SYY bridge.

We now report on the implementation of the bridge from the Goldwasser-Micali encryption scheme to the Sander-Young-Yung encryption scheme constructed in Appendix B. In the table below, one can find the timings required for running the bridge, as well as the ones needed for the homomorphic evaluation of the comparison circuit. The measurements were performed on an Intel I7-1068NG7 CPU laptop with 32 GB of RAM. Since the parameter \(\ell \) of the SYY scheme does not have an impact on the security, but rather on the probability to correctly decrypt the ciphertext \(\left( \ge 1- \dfrac{1}{2^{\ell }}\right) \), we fix \(\ell \) to be 50.

The parameters n and N in Table 2 stand for the bit-lengths of \(\textbf{x}, \textbf{y}\) and, respectively, the Goldwasser-Micali modulus. The timings required for one homomorphic operation in each scheme can be found in the third and the fourth columns. We notice that the timings presented above grow linearly with the number of bits required to represent the input data. This can be observed in the following figure (Fig. 4).

Fig. 4. Evaluation times for the comparison circuit using GM-SYY bridge.

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Barcau, M., Lupaşcu, C., Paşol, V., Ţurcaş, G.C. (2023). Bridges Connecting Encryption Schemes. In: Bella, G., Doinea, M., Janicke, H. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2022. Lecture Notes in Computer Science, vol 13809. Springer, Cham. https://doi.org/10.1007/978-3-031-32636-3_3

  • DOI: https://doi.org/10.1007/978-3-031-32636-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32635-6

  • Online ISBN: 978-3-031-32636-3

  • eBook Packages: Computer Science, Computer Science (R0)
