
Amortized Functional Bootstrapping in Less than 7 ms, with \(\tilde{O}(1)\) Polynomial Multiplications

  • Conference paper
Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14443))


Abstract

Amortized bootstrapping offers a way to refresh multiple ciphertexts of a fully homomorphic encryption scheme in parallel more efficiently than refreshing a single ciphertext at a time. Micciancio and Sorrell (ICALP 2018) first proposed the technique to bootstrap n LWE ciphertexts simultaneously, reducing the total cost from \(\tilde{O}(n^2)\) to \(\tilde{O}(3^\epsilon n^{1+\frac{1}{\epsilon }})\) for arbitrary \(\epsilon > 0\). Several recent works have further improved the asymptotic cost. Despite this amazing progress in theoretical efficiency, none of them demonstrates the practicality of batched LWE ciphertext bootstrapping. Moreover, most of these works support only limited functional bootstrapping, i.e., they can evaluate only some specific types of functions when performing bootstrapping.

In this work, we propose a construction that is not only asymptotically efficient (requiring only \(\tilde{O}(n)\) polynomial multiplications for bootstrapping of n LWE ciphertexts) but also concretely efficient. We implement our scheme as a C++ library and show that it takes \(< 5\) ms per LWE ciphertext to bootstrap for a binary gate, which is an order of magnitude faster than the state-of-the-art C++ implementation of LWE ciphertext bootstrapping in OpenFHE. Furthermore, our construction supports batched arbitrary functional bootstrapping. For a 9-bit message space, our scheme takes \({\sim }6.7\) ms per LWE ciphertext to evaluate an arbitrary function with bootstrapping, which is about two to three orders of magnitude faster than all the existing schemes that achieve a similar functionality and message space.

Y. Wang—Part of the work was done when the author was at Columbia University.


Notes

  1. In other words, they allow evaluating multiplications and additions over two vectors (component-wise), each with N messages, by evaluating the same operations over the two RLWE ciphertexts encrypting those two vectors.

  2. Note that prior works use \(p = 4\).

  3. Recall that technically \({\textsf{sk}}\in \mathbb {Z}^n\). However, it can be transformed to \(\mathbb {Z}_q^n\) easily as long as \(\Vert {\textsf{sk}}\Vert _\infty \le \left\lfloor {q/2}\right\rfloor \). Thus, for simplicity, we view \({\textsf{sk}}\in \mathbb {Z}_q^n\). Similarly for the BFV secret key below.

  4. For simplicity we assume \(N/n \in \mathbb {Z}^+\).

  5. Note that \(-\left\lfloor {q/12}\right\rfloor \) is simply \(q - \left\lfloor {q/12}\right\rfloor \).

  6. LWE ciphertext addition has the cost of O(1) \(\mathbb {Z}_q\) operations per LWE ciphertext. LWE key switching has the cost of \(\tilde{O}(N)\) \(\mathbb {Z}_{Q'}\) operations per LWE ciphertext. LWE modulus switching has the cost of O(n) \(\mathbb {Z}_{Q'}\) operations per LWE ciphertext. Thus, their costs do not affect the asymptotic behavior. Note that the prior works (e.g., [26, 34]) compute the asymptotic costs in a similar way. Concretely, their costs are also much smaller than the BFV circuit evaluation.

  7. Recall that \({\textsf{sk}}\) is ternary so it can be transformed in \(\mathbb {Z}_q\) easily.

  8. For XOR and XNOR, prior constructions have an extra overhead in terms of error, as instead of \({\textsf{ct}}_1 + {\textsf{ct}}_2\), they need to perform \(2({\textsf{ct}}_1 - {\textsf{ct}}_2)\) before applying bootstrapping. We refer the readers to [33, Sec 3.2] for details.

  9. More precisely, they require the function to be first transformed into a function \(\mathbb {Z}_q \rightarrow \mathbb {Z}\) and this transformed function needs to be negacyclic. For details, see [33]. However, either way, this constraint is very strong and makes the functionality much more limited.

  10. Note that concretely, the number of zero coefficients increases as discussed in Sect. 4.5, but this only incurs a small overhead. See Sect. 7 for more details.

  11. Each plaintext-by-ciphertext multiplication only requires N \(\mathbb {Z}_Q\) multiplications as the “plaintext” is a scalar.

  12. Asymptotically, the cost of our scheme is dominated by the number of scalar-by-ciphertext multiplications, which grows linearly in p. Thus, our scheme becomes impractical when p is too large (e.g., 20 bits or more).

  13. To decompose a large precision ciphertext into a vector of small precision ciphertexts, one may use LMP22 [29], which introduces another 5-6 s of overhead for a 12-bit precision LWE ciphertext.

  14. Note that we do not compare with a concurrent and independent work [31], as it focuses on optimizing the schemes in [29] and achieving a 2-3x runtime improvement. We believe that this improvement does not affect our overall comparison, and to our knowledge, there is no open-sourced code available. However, note that this work shows a great improvement over [29] and may be preferred over our result when the number of bootstrappings needed is small.
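
The component-wise (SIMD) behaviour described in note 1 can be seen on the plaintext side alone. The following is an added example, not code from the paper or its library: it uses constructed toy parameters (N = 8, plaintext modulus 17, root of unity 3) and no encryption, and shows that adding or multiplying two encoded polynomials in Z_17[X]/(X^8 + 1) acts slot by slot on the N encoded messages.

```python
# Toy parameters, constructed for illustration (not the paper's parameters).
N = 8      # ring degree: plaintext ring is Z_P[X]/(X^N + 1)
P = 17     # plaintext modulus with P = 1 (mod 2N), so X^N + 1 splits completely
PSI = 3    # primitive 2N-th root of unity mod P (3 has order 16 mod 17)
ROOTS = [pow(PSI, 2 * i + 1, P) for i in range(N)]  # the N roots of X^N + 1


def encode(slots):
    """Interpolate the polynomial m with m(ROOTS[i]) == slots[i] (mod P)."""
    n_inv = pow(N, -1, P)
    return [
        sum(v * pow(r, -j, P) for v, r in zip(slots, ROOTS)) * n_inv % P
        for j in range(N)
    ]


def decode(coeffs):
    """Evaluate the polynomial at every root to read the N slots back."""
    return [sum(c * pow(r, j, P) for j, c in enumerate(coeffs)) % P for r in ROOTS]


def poly_add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]


def poly_mul(a, b):
    """Negacyclic product: multiply in Z_P[X], then reduce with X^N = -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + x * y) % P
            else:  # wrap-around term picks up a minus sign
                out[k - N] = (out[k - N] - x * y) % P
    return out


def simd_demo(u, v):
    """Return (slot-wise sum, slot-wise product) computed via ring operations."""
    mu, mv = encode(u), encode(v)
    return decode(poly_add(mu, mv)), decode(poly_mul(mu, mv))


if __name__ == "__main__":
    u = [1, 2, 3, 4, 5, 6, 7, 8]          # constructed sample messages
    v = [9, 10, 11, 12, 13, 14, 15, 16]
    print(simd_demo(u, v))
```

A single ring multiplication therefore performs N independent multiplications mod P; an RLWE scheme inherits this by applying the same ring operations to ciphertexts.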

References

  1. Albrecht, M., Chase, M., Chen, H., et al.: Homomorphic encryption security standard. Tech. rep., HomomorphicEncryption.org, Toronto, Canada (2018)


  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015). https://doi.org/10.1515/jmc-2015-0016

  3. Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time, pp. 1–20 (2013)


  4. Badawi, A.A., et al.: OpenFHE: open-source fully homomorphic encryption library. Cryptology ePrint Archive, Paper 2022/915 (2022). https://eprint.iacr.org/2022/915. commit: 122f470e0dbf94688051ab852131ccc5d26be934

  5. Boura, C., Gama, N., Georgieva, M., Jetchev, D.: CHIMERA: combining ring-LWE-based fully homomorphic encryption schemes. J. Math. Cryptol. 14(1), 316–338 (2020). https://doi.org/10.1515/jmc-2019-0026

  6. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50


  7. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 1–36 (2014)


  8. Chen, H., Han, K.: Homomorphic lower digits removal and improved FHE bootstrapping (2018)


  9. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14


  10. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15


  11. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1


  12. Chillotti, I., Ligier, D., Orfila, J.-B., Tap, S.: Improved programmable bootstrapping with larger precision and efficient arithmetic circuits for TFHE. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 670–699. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_23


  13. Cong, K., et al.: Labeled PSI from homomorphic encryption with reduced computation and communication. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. CCS 2021, Association for Computing Machinery (2021)


  14. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24


  15. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)


  16. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 169–178 (2009)


  17. Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Ring switching in BGV-Style homomorphic encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 19–37. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_2


  18. Guimarães, A., Borin, E., Aranha, D.F.: Revisiting the functional bootstrap in TFHE. IACR Trans. Cryptograph. Hardware Embedded Syst. 2021, 229–253 (2021). https://doi.org/10.46586/tches.v2021.i2.229-253. https://tches.iacr.org/index.php/TCHES/article/view/8793

  19. Guimarães, A., Pereira, H.V.L., van Leeuwen, B.: Amortized bootstrapping revisited: simpler, asymptotically-faster, implemented. Cryptology ePrint Archive, Paper 2023/014 (2023). https://eprint.iacr.org/2023/014

  20. Halevi, S., Shoup, V.: Bootstrapping for HElib. Cryptology ePrint Archive, Report 2014/873 (2014). https://eprint.iacr.org/2014/873

  21. Halevi, S., Shoup, V.: Design and implementation of HElib: a homomorphic encryption library. Cryptology ePrint Archive, Report 2020/1481 (2020). https://eprint.iacr.org/2020/1481

  22. Iliashenko, I., Nègre, C., Zucca, V.: Integer functions suitable for homomorphic encryption over finite fields. Cryptology ePrint Archive, Report 2021/1335 (2021). WAHC 2021


  23. Kim, A., Polyakov, Y., Zucca, V.: Revisiting homomorphic encryption schemes for finite fields. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13092, pp. 608–639. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_21


  24. Kluczniak, K., Schild, L.: FDFB: full domain functional bootstrapping towards practical fully homomorphic encryption. IACR Trans. Cryptograph. Hardware Embedd. Syst. 2023(1), 501–537 (2022). https://tches.iacr.org/index.php/TCHES/article/view/9960

  25. Lee, Y., et al.: Efficient FHEW bootstrapping with small evaluation keys, and applications to threshold homomorphic encryption. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 227–256. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_8

  26. Liu, F.H., Wang, H.: Batch bootstrapping I: A new framework for SIMD bootstrapping in polynomial modulus. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 321–352. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_11


  27. Liu, F.H., Wang, H.: Batch bootstrapping I: Bootstrapping in polynomial modulus only requires \(\tilde{O}(1)\) FHE multiplications in amortization. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 321–352. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_12

  28. Liu, K., Xu, C., Dou, B., Xu, L.: Optimization of functional bootstrap with large LUT and packing key switching. Cryptology ePrint Archive, Paper 2023/631 (2023). https://eprint.iacr.org/2023/631

  29. Liu, Z., Micciancio, D., Polyakov, Y.: Large-precision homomorphic sign evaluation using FHEW/TFHE bootstrapping. In: Advances in Cryptology - ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 5–9 December 2022, Proceedings, Part II, pp. 130–160. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-22966-4_5

  30. jie Lu, W., Huang, Z., Hong, C., Ma, Y., Qu, H.: PEGASUS: bridging polynomial and non-polynomial evaluations in homomorphic encryption. SP 2021 (2020). https://eprint.iacr.org/2020/1606

  31. Ma, S., Huang, T., Wang, A., Wang, X.: Fast and accurate: efficient full-domain functional bootstrap and digit decomposition for homomorphic computation. Cryptology ePrint Archive, Paper 2023/645 (2023). https://eprint.iacr.org/2023/645

  32. Menon, S.J., Wu, D.J.: Spiral: Fast, high-rate single-server PIR via FHE composition. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 930–947 (2022). https://doi.org/10.1109/SP46214.2022.9833700

  33. Micciancio, D., Polyakov, Y.: Bootstrapping in FHEW-like Cryptosystems, pp. 17–28. Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3474366.3486924

  34. Micciancio, D., Sorrell, J.: Ring packing and amortized FHEW bootstrapping. In: 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Leibniz International Proceedings in Informatics (LIPIcs), vol. 107. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)


  35. Micheli, G.D., Kim, D., Micciancio, D., Suhl, A.: Faster amortized FHEW bootstrapping using ring automorphisms. Cryptology ePrint Archive, Paper 2023/112 (2023). https://eprint.iacr.org/2023/112

  36. PALISADE Lattice Cryptography Library (release 1.11.6). https://palisade-crypto.org/ (2022)

  37. Paterson, M.S., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)


  38. Microsoft SEAL (2020). https://github.com/Microsoft/SEAL

  39. Smart, N., Vercauteren, F.: Fully homomorphic SIMD operations. Designs, Codes and Cryptography (2011). https://eprint.iacr.org/2011/133

  40. Zama-AI, TFHE-rs (2023). https://github.com/zama-ai/tfhe-rs. commit: 509bf3e2846bc98dd42d0e8eeb7f27852e5b632a

  41. Yang, Z., Xie, X., Shen, H., Chen, S., Zhou, J.: TOTA: fully homomorphic encryption with smaller parameters and stronger security. Cryptology ePrint Archive, Paper 2021/1347 (2021). https://eprint.iacr.org/2021/1347


Acknowledgements

We are grateful to Yuriy Polyakov for his insightful discussions and feedback, and to Wen-jie Lu for answering key-switching implementation questions regarding the SEAL library. We also thank all the reviewers for their insightful comments.

Author information


Corresponding author

Correspondence to Zeyu Liu.


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Liu, Z., Wang, Y. (2023). Amortized Functional Bootstrapping in Less than 7 ms, with \(\tilde{O}(1)\) Polynomial Multiplications. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14443. Springer, Singapore. https://doi.org/10.1007/978-981-99-8736-8_4


  • DOI: https://doi.org/10.1007/978-981-99-8736-8_4


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8735-1

  • Online ISBN: 978-981-99-8736-8

  • eBook Packages: Computer Science (R0)
