Design and implementation of low-depth pairing-based homomorphic encryption scheme

Abstract

Homomorphic encryption allows to carry out operations on encrypted data. In this paper, we focus on the design of a scheme based on pairings and elliptic curves, that is able to handle applications where the number of multiplication is not too high, with interesting practical efficiency when compared to lattice-based solutions. The starting point is the Boneh–Goh–Nissim (BGN for short) encryption scheme (Boneh et al. in Kilian J (ed) Theory of cryptography, second theory of cryptography conference, TCC 2005, Cambridge, MA, USA, February 10–12, 2005), which enables the homomorphic evaluation of polynomials of degree at most 2 on ciphertexts. In our scheme, we use constructions coming from Freeman (Gilbert H (ed) Advances in cryptology—EUROCRYPT 2010, 29th annual international conference on the theory and applications of cryptographic techniques, French Riviera, May 30–June 3, 2010) and Catalano and Fiore (Ray I, Li N, Kruegel C (eds) Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, Denver, CO, USA, October 12–16, 2015), to propose a variant of the \({\text {BGN}}\) scheme that can handle the homomorphic evaluation of polynomials of degree at most 4. We discuss both the mathematical structure of the scheme and its implementation. We provide simulation results, showing the relevance of this solution for applications requiring a low multiplicative depth, and give relative comparison with respect to lattice-based homomorphic encryption schemes.

Appendices

Low-multiplicative-depth Boolean circuits

We treat bit per bit encryption. Circuits are rewritten with two operators: \(\veebar \) (exclusive disjunction) and \(\wedge \). They can be written under different forms depending on operation order.

1.1 Binary data

Table 11 supplies constraints on ciphertext levels with typical examples of low-multiplicative-depth circuits.

Notation: ciphertexts a (resp. b, c, d) with level \(L_1\) (resp. level \(L_2, L_3, L_4\)), ciphertexts x (resp. y) with level \(M_1\) (resp. level \(M_2\)).

In \({\text {BGN-F-CF}}\), no multiplication is defined with a factor having a level \(\ge 3\). Therefore, operands level is limited according to multiplicative depth.

Table 11 Ciphertext levels with some low-multiplicative-depth circuits. Notations are given in Sect. A.1

1.2 Integer data

Data are n-bits integers. Input ciphertexts have level \(L=1\).

• Adder \(a_{n-1}\ldots a_0+b_{n-1}\ldots b_0 \mod 2^n\) In terms of multiplicative depth, the hardest part is the evaluation of the carry which enables to compute the most significant bit (\({\text {MSB}}\)) of the sum modulo \(2^n\). Let us compute the \({\text {MSB}}\) with \(n=3\), which is the maximal value for \({\text {BGN-F-CF}}\). Then, it can be written:

  $$\begin{aligned} a_2 \veebar b_2 \veebar ((a_1 \wedge b_1) \wedge (a_0 \wedge b_0)) . \end{aligned}$$

  The Boolean circuit has multiplicative depth \(\lceil \log _2 2(n-1) \rceil =2\). The corresponding ciphertext is the sum of three ciphertexts of level \(2(n-1)L=4\). Indeed, to add ciphertexts, we need to have ciphertexts of the same level. In this case \(a_2\) and \(b_2\) have level L but \(((a_1 \wedge b_1) \wedge (a_0 \wedge b_0))\) has level 4. To increment the level of a ciphertext, we multiply it homomorphically by an encryption of 1.

• Test \(a_{n-1}\ldots a_0==b_{n-1}\ldots b_0.\) With \({\text {BGN-F-CF}}\), we can manage up to \(n=4\) bits with the circuit of depth \(\lceil log_2(n) \rceil =2\):

  $$\begin{aligned}&((a_{3} \veebar b_{3}) \veebar 1) \wedge ((a_{2} \veebar b_{2}) \veebar 1) \\&\quad \wedge ((a_{1} \veebar b_{1}) \veebar 1) \wedge ((a_{0} \veebar b_{0}) \veebar 1). \end{aligned}$$

  The output is a ciphertext of level \(nL=4\).

1.3 Evaluation circuit

We compare SEAL v2.1, SEAL v2.3, FV-NFLlib and \({\text {BGN-F-CF}}\) on the same 2-depth test circuit, the results are given in Tables 8 and 9.

The homomorphic circuit is a toy example. It takes as input an encrypted letter and homomorphically changes lower-case letter into upper-case letter. Precomputation and postcomputation are done. Generally, they can be solutions to decrease the multiplicative depth of the homomorphic circuit. In this example, the homomorphic circuit tests characterwise if the character is a lower-case letter or not.

Let the input character, encoded in extended \({\text {ASCII}}\), be written as \(\lambda \). We denote the bits of \(\lambda +31\) as \(n_9n_8n_7n_6n_5n_4n_3n_2n_1\) and the bits of \(\lambda +5\), as \(o_9o_8o_7o_6o_5o_4o_3o_2o_1\). We precompute \(n_8\), \(n_9\) and \(o_8\). On plaintexts, the lower-case test consists in the Boolean expression:

$$\begin{aligned} n_8 \wedge \lnot n_9 \wedge \lnot o_8 \end{aligned}$$

We evaluate a corresponding homomorphic circuit:

$$\begin{aligned} {\text {Enc}}(n_8) \boxtimes ({\text {Enc}}(\mathbf{1}) \boxplus {\text {Enc}}(n_9)) \boxtimes ({\text {Enc}}(\mathbf{1}) \boxplus {\text {Enc}}(o_8)) \end{aligned}$$

The results for this circuit gives the insight of how the schemes compare with each other. The trend should remain similar for other circuits. Note that precomputation and postcomputation time are taken into account in Tables 8 and 9.

Parameter choices of SEAL and FV-NFLlib

We compare our construction of \({\text {BGN-F-CF}}\) with SEAL v2.1, SEAL v2.3 and FV-NFLlib which are implementations of the Fan–Vercauteren scheme [19]. It is worth noting that the parameter choices and their effect on security and performance of both the lattice-based schemes, SEAL v2.1, SEAL v2.3 and FV-NFLlib, are not yet definitive. We compared the schemes for a given security level.

The tool we used for security estimation of the lattice-based schemes, by Martin Albrecht and is available at https://bitbucket.org/malb/lwe-estimator, commit eb45a74. Note this is an upper level security estimator not considering the dedicated attacks on definitive schemes. We compare the three schemes for a given security level of about 100-bits.

Let n be the plaintext modulus, q be the coefficient modulus and \(\sigma \) be the standard deviation of the Gaussian noise (terms used from [48, 58]). Regev gave a lemma [31] to define the noise parameter \(\alpha \), which can be expressed as:

$$\begin{aligned} \alpha = \dfrac{\sqrt{2\pi }\sigma }{q}. \end{aligned}$$

• \(n = 2048\),

• \(q = 2^{74} - 2^{14} + 1\),

• \(\sigma = 65\).