Abstract
Amortized bootstrapping offers a way to refresh multiple ciphertexts of a fully homomorphic encryption scheme in parallel more efficiently than refreshing a single ciphertext at a time. Micciancio and Sorrell (ICALP 2018) first proposed the technique to bootstrap n LWE ciphertexts simultaneously, reducing the total cost from \(\tilde{O}(n^2)\) to \(\tilde{O}(3^\epsilon n^{1+\frac{1}{\epsilon }})\) for arbitrary \(\epsilon > 0\). Several recent works have further improved the asymptotic cost. Despite this amazing progress in theoretical efficiency, none of them demonstrates the practicality of batched LWE ciphertext bootstrapping. Moreover, most of these works only support limited functional bootstrapping, i.e., they only support the evaluation of some specific types of functions when performing bootstrapping.
In this work, we propose a construction that is not only asymptotically efficient (requiring only \(\tilde{O}(n)\) polynomial multiplications for bootstrapping of n LWE ciphertexts) but also concretely efficient. We implement our scheme as a C++ library and show that it takes \(< 5\) ms per LWE ciphertext to bootstrap for a binary gate, which is an order of magnitude faster than the state-of-the-art C++ implementation of LWE ciphertext bootstrapping in OpenFHE. Furthermore, our construction supports batched arbitrary functional bootstrapping. For a 9-bit message space, our scheme takes \({\sim }6.7\) ms per LWE ciphertext to evaluate an arbitrary function with bootstrapping, which is about two to three orders of magnitude faster than all the existing schemes that achieve a similar functionality and message space.
Y. Wang—Part of the work was done when the author was at Columbia University.
Notes
1. In other words, they allow evaluating multiplications and additions over two vectors (component-wise), each with N messages, by evaluating the same operations over the two RLWE ciphertexts encrypting those two vectors.
2. Note that prior works use \(p = 4\).
3. Recall that technically \({\textsf{sk}}\in \mathbb {Z}^n\). However, it can be transformed to \(\mathbb {Z}_q^n\) easily as long as \(\Vert {\textsf{sk}}\Vert _\infty \le \left\lfloor {q/2}\right\rfloor \). Thus, for simplicity, we view \({\textsf{sk}}\in \mathbb {Z}_q^n\). Similarly for the BFV secret key below.
4. For simplicity we assume \(N/n \in \mathbb {Z}^+\).
5. Note that \(-\left\lfloor {q/12}\right\rfloor \) is simply \(q - \left\lfloor {q/12}\right\rfloor \).
6. LWE ciphertext addition has the cost of O(1) \(\mathbb {Z}_q\) operations per LWE ciphertext. LWE key switching has the cost of \(\tilde{O}(N)\) \(\mathbb {Z}_{Q'}\) operations per LWE ciphertext. LWE modulus switching has the cost of O(n) \(\mathbb {Z}_{Q'}\) operations per LWE ciphertext. Thus, their costs do not affect the asymptotic behavior. Note that the prior works (e.g., [26, 34]) use a similar way to compute the asymptotic costs. Concretely, their costs are also much smaller than the BFV circuit evaluation.
7. Recall that \({\textsf{sk}}\) is ternary so it can be transformed in \(\mathbb {Z}_q\) easily.
8. For XOR and XNOR, prior constructions have an extra overhead in terms of error, as instead of \({\textsf{ct}}_1 + {\textsf{ct}}_2\), they need to perform \(2({\textsf{ct}}_1 - {\textsf{ct}}_2)\) before applying bootstrapping. We refer the readers to [33, Sec 3.2] for details.
9. More precisely, they require the function to be first transformed into a function \(\mathbb {Z}_q \rightarrow \mathbb {Z}\) and this transformed function needs to be negacyclic. For details, see [33]. However, either way, this constraint is very strong and makes the functionality much more limited.
10.
11. Each plaintext-by-ciphertext multiplication only requires N \(\mathbb {Z}_Q\) multiplications as the “plaintext” is a scalar.
12. Asymptotically, the cost of our scheme is dominated by the number of scalar-by-ciphertext multiplications, which grows linearly in p. Thus, our scheme becomes impractical when p is too large (e.g., 20 bits or more).
13. To decompose a large precision ciphertext into a vector of small precision ciphertexts, one may use LMP22 [29], which introduces another 5-6 s of overhead for a 12-bit precision LWE ciphertext.
14. Note that we do not compare with a concurrent and independent work [31], as it focuses on optimizing the schemes in [29] and achieving a 2-3x runtime improvement. We believe that this improvement does not affect our overall comparison, and to our knowledge, there is no open-sourced code available. However, note that this work shows a great improvement over [29] and may be preferred over our result when the number of bootstrappings needed is small.
References
1. Albrecht, M., Chase, M., Chen, H., et al.: Homomorphic encryption security standard. Tech. rep., HomomorphicEncryption.org, Toronto, Canada (2018)
2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015). https://doi.org/10.1515/jmc-2015-0016
3. Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time, pp. 1–20 (2013)
4. Badawi, A.A., et al.: OpenFHE: open-source fully homomorphic encryption library. Cryptology ePrint Archive, Paper 2022/915 (2022). https://eprint.iacr.org/2022/915. commit: 122f470e0dbf94688051ab852131ccc5d26be934
5. Boura, C., Gama, N., Georgieva, M., Jetchev, D.: CHIMERA: combining ring-LWE-based fully homomorphic encryption schemes. J. Math. Cryptol. 14(1), 316–338 (2020). https://doi.org/10.1515/jmc-2019-0026
6. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
7. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 1–36 (2014)
8. Chen, H., Han, K.: Homomorphic lower digits removal and improved FHE bootstrapping (2018)
9. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14
10. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
11. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
12. Chillotti, I., Ligier, D., Orfila, J.-B., Tap, S.: Improved programmable bootstrapping with larger precision and efficient arithmetic circuits for TFHE. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 670–699. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_23
13. Cong, K., et al.: Labeled PSI from homomorphic encryption with reduced computation and communication. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. CCS 2021, Association for Computing Machinery (2021)
14. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
15. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)
16. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 169–178 (2009)
17. Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Ring switching in BGV-style homomorphic encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 19–37. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_2
18. Guimarães, A., Borin, E., Aranha, D.F.: Revisiting the functional bootstrap in TFHE. IACR Trans. Cryptograph. Hardware Embedded Syst. 2021, 229–253 (2021). https://doi.org/10.46586/tches.v2021.i2.229-253. https://tches.iacr.org/index.php/TCHES/article/view/8793
19. Guimarães, A., Pereira, H.V.L., van Leeuwen, B.: Amortized bootstrapping revisited: simpler, asymptotically-faster, implemented. Cryptology ePrint Archive, Paper 2023/014 (2023). https://eprint.iacr.org/2023/014
20. Halevi, S., Shoup, V.: Bootstrapping for HElib. Cryptology ePrint Archive, Report 2014/873 (2014). https://eprint.iacr.org/2014/873
21. Halevi, S., Shoup, V.: Design and implementation of HElib: a homomorphic encryption library. Cryptology ePrint Archive, Report 2020/1481 (2020). https://eprint.iacr.org/2020/1481
22. Iliashenko, I., Nègre, C., Zucca, V.: Integer functions suitable for homomorphic encryption over finite fields. Cryptology ePrint Archive, Report 2021/1335 (2021). WAHC 2021
23. Kim, A., Polyakov, Y., Zucca, V.: Revisiting homomorphic encryption schemes for finite fields. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 608–639. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_21
24. Kluczniak, K., Schild, L.: FDFB: full domain functional bootstrapping towards practical fully homomorphic encryption. IACR Trans. Cryptograph. Hardware Embedded Syst. 2023(1), 501–537 (2022). https://tches.iacr.org/index.php/TCHES/article/view/9960
25. Lee, Y., et al.: Efficient FHEW bootstrapping with small evaluation keys, and applications to threshold homomorphic encryption. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 227–256. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_8
26. Liu, F.H., Wang, H.: Batch bootstrapping I: A new framework for SIMD bootstrapping in polynomial modulus. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 321–352. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_11
27. Liu, F.H., Wang, H.: Batch bootstrapping I: Bootstrapping in polynomial modulus only requires \(\tilde{O}(1)\) FHE multiplications in amortization. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 321–352. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_12
28. Liu, K., Xu, C., Dou, B., Xu, L.: Optimization of functional bootstrap with large LUT and packing key switching. Cryptology ePrint Archive, Paper 2023/631 (2023). https://eprint.iacr.org/2023/631
29. Liu, Z., Micciancio, D., Polyakov, Y.: Large-precision homomorphic sign evaluation using FHEW/TFHE bootstrapping. In: Advances in Cryptology - ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 5–9 December 2022, Proceedings, Part II, pp. 130–160. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-22966-4_5
30. Lu, W.-j., Huang, Z., Hong, C., Ma, Y., Qu, H.: PEGASUS: bridging polynomial and non-polynomial evaluations in homomorphic encryption. SP 2021 (2020). https://eprint.iacr.org/2020/1606
31. Ma, S., Huang, T., Wang, A., Wang, X.: Fast and accurate: efficient full-domain functional bootstrap and digit decomposition for homomorphic computation. Cryptology ePrint Archive, Paper 2023/645 (2023). https://eprint.iacr.org/2023/645
32. Menon, S.J., Wu, D.J.: Spiral: Fast, high-rate single-server PIR via FHE composition. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 930–947 (2022). https://doi.org/10.1109/SP46214.2022.9833700
33. Micciancio, D., Polyakov, Y.: Bootstrapping in FHEW-like Cryptosystems, pp. 17–28. Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3474366.3486924
34. Micciancio, D., Sorrell, J.: Ring packing and amortized FHEW bootstrapping. In: 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Leibniz International Proceedings in Informatics (LIPIcs), vol. 107. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
35. Micheli, G.D., Kim, D., Micciancio, D., Suhl, A.: Faster amortized FHEW bootstrapping using ring automorphisms. Cryptology ePrint Archive, Paper 2023/112 (2023). https://eprint.iacr.org/2023/112
36. PALISADE Lattice Cryptography Library (release 1.11.6). https://palisade-crypto.org/ (2022)
37. Paterson, M.S., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)
38. Microsoft SEAL (2020). https://github.com/Microsoft/SEAL
39. Smart, N., Vercauteren, F.: Fully homomorphic SIMD operations. Designs, Codes and Cryptography (2011). https://eprint.iacr.org/2011/133
40. Zama-AI, TFHE-rs (2023). https://github.com/zama-ai/tfhe-rs. commit: 509bf3e2846bc98dd42d0e8eeb7f27852e5b632a
41. Yang, Z., Xie, X., Shen, H., Chen, S., Zhou, J.: TOTA: fully homomorphic encryption with smaller parameters and stronger security. Cryptology ePrint Archive, Paper 2021/1347 (2021). https://eprint.iacr.org/2021/1347
Acknowledgements
We are grateful to Yuriy Polyakov for his insightful discussions and feedback, and to Wen-jie Lu for answering key-switching implementation questions regarding the SEAL library. We also thank all the reviewers for their insightful comments.
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Liu, Z., Wang, Y. (2023). Amortized Functional Bootstrapping in Less than 7 ms, with \(\tilde{O}(1)\) Polynomial Multiplications. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14443. Springer, Singapore. https://doi.org/10.1007/978-981-99-8736-8_4
DOI: https://doi.org/10.1007/978-981-99-8736-8_4
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8735-1
Online ISBN: 978-981-99-8736-8
eBook Packages: Computer Science (R0)