Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme

https://doi.org/10.1016/j.future.2013.10.024

Highlights

  • We present an efficient fully homomorphic encryption (FHE) from RLWE.

  • We get the FHE scheme with re-linearization and modulus reduction techniques.

  • We extend the FHE scheme to the threshold fully homomorphic encryption scheme.

Abstract

In this paper, we present an effective fully homomorphic encryption (FHE) scheme from the ring learning with errors (RLWE) assumption without using Gentry’s standard squashing and bootstrapping techniques. Our FHE scheme is a modification of the recent FHE scheme of Brakerski. We use the re-linearization technique to reduce the length of the ciphertext considerably, and use the modulus reduction technique to manage the noise level and decrease the decryption complexity without introducing additional assumptions. Furthermore, with the key-homomorphic property, we extend our FHE scheme to a threshold fully homomorphic encryption (TFHE) scheme, which allows parties to cooperatively decrypt a ciphertext without learning anything but the plaintext. The TFHE scheme can be protected from related-key attacks, as long as we add extra smudging noise during sensitive operations.

Introduction

Fully homomorphic encryption (FHE) is one of the holy grails of modern cryptography. An FHE scheme allows a worker to perform arbitrary computations on encrypted data without decrypting it. The problem was first proposed by Rivest, Adleman and Dertouzos [1] back in 1978. However, it was not until the recent breakthrough work of Gentry [2], [3] that the first FHE scheme was constructed, based on the hardness of problems on ideal lattices, which are sophisticated algebraic structures with useful properties. Naturally, subsequent FHE schemes [4], [5], [6], [7], [8] followed the same blueprint from Gentry’s original construction.

Generally, the first step in Gentry’s blueprint is to construct a somewhat homomorphic encryption scheme, which is capable of evaluating limited-degree polynomials homomorphically. In the following step, Gentry transforms the somewhat homomorphic encryption scheme into an FHE scheme with the bootstrapping and squashing techniques. The remarkable bootstrapping technique runs the decryption circuit on a ciphertext homomorphically, using an encrypted secret key, resulting in reduced noise. However, the bootstrapping technique forces the public key of the scheme to grow linearly with the maximal depth of the evaluation circuits. This is a major drawback regarding the usability and the efficiency of the scheme. The squashing technique transforms a somewhat homomorphic encryption scheme into one with the same homomorphic capacity but a decryption circuit that is simple enough to allow bootstrapping, yet the squashing step adds another assumption, namely the hardness of the sparse subset sum problem. Consequently, considering performance and usability, we need to look for appropriate techniques to resolve the problem.

Recently, Brakerski and Vaikuntanathan [9] found a very different way to construct an FHE scheme based on LWE. In that scheme, they introduced a new dimension-modulus reduction technique, which shortens the ciphertext and reduces the decryption complexity, without using the squashing step. Subsequently, another FHE scheme [10] based on the LWE assumption with a similar technique appeared. Furthermore, Brakerski and Vaikuntanathan presented another FHE scheme [11] that followed the standard squashing and bootstrapping techniques. That scheme was based on the ring learning with errors (RLWE) assumption, recently introduced by Lyubashevsky [12], whose security is reduced to the worst-case hardness of problems on ideal lattices, resulting in an extremely simple scheme. Subsequently, some similar schemes based on RLWE have been proposed, such as [13], [14].

Meanwhile, we observe that recent FHE schemes based on LWE or RLWE have a special property, namely (additive) key homomorphism. A key-homomorphic encryption scheme allows us to deterministically combine public keys into a combined public key, and simultaneously combine the corresponding secret keys into a corresponding combined secret key. This property allows combining encryptions of messages under different keys to produce an encryption (of the sum of the messages) under the sum of the keys. Since lattice-based schemes have the key-homomorphic property, it plays a great role in constructing some useful cryptographic primitives, especially in the construction of threshold fully homomorphic encryption (TFHE), which was pointed out in Gentry [2]. The TFHE scheme allows parties to cooperatively generate a common public key whose secret key is shared among them. Moreover, the parties can cooperatively decrypt a ciphertext without learning anything but the plaintext.

In this paper, we present an efficient FHE scheme and extend it to a TFHE scheme. First of all, we modify the recent FHE scheme of Brakerski [11], which was based on RLWE, with its security reduced to worst-case problems on ideal lattices. The primitive scheme followed Gentry’s standard bootstrapping and squashing steps, while in our modified scheme, the squashing step can be avoided. Moreover, a ciphertext produced by the primitive scheme contained two ring elements, but multiplications increased the number of ring elements in the ciphertext considerably. In general, given two ciphertexts $c=(c_0,c_1,\ldots,c_\delta)$ and $c'=(c'_0,c'_1,\ldots,c'_\gamma)$, the output of homomorphic multiplication contains $\delta+\gamma+1$ ring elements. In our modified scheme, we employ the re-linearization technique from [9] to reduce the size of the resulting ciphertext after each multiplication, so the ciphertext still contains two elements, which dramatically decreases the communication. The crucial question in the process of constructing an FHE scheme is the noise level, which grows exponentially with the number of multiplications; we have to manage the noise level so that the ciphertext can be decrypted correctly. Confronted with this difficulty, Gentry leverages the bootstrapping procedure, which, however, reduces the noise level at great complexity. The key technique we use for noise level management is modulus reduction, first introduced in the work of [9] and developed in [10]. With the modulus reduction technique, our scheme enjoys the same amount of homomorphism but has a much smaller decryption circuit. Thanks to the two techniques, we get our modified FHE scheme.

The basic idea of combining homomorphic encryption with threshold decryption was first noticed by Cramer [15]. Subsequently, some similar research work appeared, such as [16], [17]. Our idea of constructing a TFHE scheme benefits greatly from [18]. In particular, we exploit the key-homomorphic property to construct the threshold scheme and we use extra smudging noise to keep the joint keys secure, so that the scheme can withstand related-key attacks. The construction of our TFHE scheme based on RLWE instead of LWE is a new and interesting attempt. We also observe that in the work of [18], the researcher made a great effort to generate the combined evaluation key. In our scheme, for simplicity, we resort to a functionality FKeyGen to solve this thorny problem, and it executes the computation honestly and prudently. Meanwhile, we find that our TFHE scheme is superior to the instantiation of [19], whose public key contains many more ring elements, while our scheme only needs two. Furthermore, we employ extra smudging noise to keep security, while the scheme in [19] makes use of an algorithm ReRand to output a rerandomized ciphertext, which has greater complexity than ours. Moreover, we claim that our TFHE scheme can be applied to construct multiparty computation protocols, which may play an important role in cloud computing.

Section snippets

Preliminaries

In the remainder of this paper, we use the following notation. We use $\kappa$ to denote the security parameter and $\mathrm{negl}(\kappa)$ to denote a negligible function. For a real number $\kappa$, we denote by $\lceil\kappa\rceil$, $\lfloor\kappa\rfloor$, $\lfloor\kappa\rceil$ the rounding of $\kappa$ up, down, or to the nearest integer respectively. For an integer $n$, we use the notation $[n]$ to denote the set $[n]=\{1,\ldots,n\}$. For some distribution $\chi$, writing $x\leftarrow\chi$ means that $x$ is distributed according to $\chi$.

A somewhat homomorphic encryption scheme

In this section, we begin to describe a somewhat homomorphic public-key encryption scheme based on RLWE which is modified from the private-key encryption scheme in [11]. In order to guarantee correctness and security, we set parameters below which depend on the security parameter $\kappa$. Now we define the rings $R=\mathbb{Z}[x]/f(x)$ and $R_q=\mathbb{Z}_q[x]/f(x)$, with the cyclotomic polynomial $f(x)=x^n+1$. We set the error distribution $\chi$ to be the truncated discrete Gaussian $D_{\mathbb{Z}^n,r}$ for standard deviation $r$. A sample

Fully homomorphic encryption scheme

As described in Section  3.1, with the re-linearization technique, we keep the ciphertext size constant when performing evaluation. However, we left out the crucial question of noise level, whose magnitude grows exponentially with the number of multiplications. To tackle this, we employ a modulus reduction technique, which uses progressively smaller moduli q for each level and simply rescales the ciphertext to the smaller modulus to reduce its noise level. In particular, for a secret key s,

Key homomorphic properties

In this part, we describe the useful key-homomorphic properties of the FHE scheme, which play an important role in constructing a threshold scheme.

Let $s, s'$ be two secret keys, and $e_0, e_0'$ be two error ring elements from $\chi$. First of all, we keep $a_0$ fixed. Note that: $pk=(a_0, b_0=(a_0 s+2e_0))=\mathrm{FHE.PubKeygen}(s; a_0; e_0)$; $pk'=(a_0, b_0'=(a_0 s'+2e_0'))=\mathrm{FHE.PubKeygen}(s'; a_0; e_0')$.

We get $(a_0, b_0+b_0')=(a_0, a_0(s+s')+2(e_0+e_0'))=\mathrm{FHE.PubKeygen}(s+s'; a_0; e_0+e_0')$, thus we get our combined $pk=(a_0, b_0+b_0')$, and its
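The key-homomorphic identity above can be checked numerically and then used for a two-party threshold decryption. The following is an added example, not code from the paper: the ring parameters, the BV-style encryption formula, the share format and the smudging bound are assumptions chosen for illustration, and the parameters are far too small to be secure.

```python
import random
N, Q = 16, 2**20 + 7  # constructed toy parameters: ring degree and odd modulus

def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def twice(a): return [2 * x % Q for x in a]

def mul(a, b):
    """Multiply in Z_Q[x]/(x^N + 1): x^N wraps around as -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j) % N, (-1 if i + j >= N else 1)
            out[k] = (out[k] + sign * x * y) % Q
    return out

def small(rng, bound=2):
    """Stand-in for the error distribution chi: coefficients in [-bound, bound]."""
    return [rng.randint(-bound, bound) % Q for _ in range(N)]

def pub_keygen(s, a0, e0):
    """FHE.PubKeygen(s; a0; e0) = (a0, b0 = a0*s + 2*e0), as in the text above."""
    return a0, add(mul(a0, s), twice(e0))

def encrypt(pk, m, rng):
    """Assumed BV-style encryption: (v, w) = (b0*r + 2*e1 + m, a0*r + 2*e2)."""
    a0, b0 = pk
    r = small(rng)
    return add(add(mul(b0, r), twice(small(rng))), m), add(mul(a0, r), twice(small(rng)))

def partial_decrypt(w, s_i, rng, smudge=2**8):
    """Assumed share format: w*s_i plus even smudging noise that hides s_i."""
    return add(mul(w, s_i), twice(small(rng, smudge)))

def centered_mod2(p):
    """Lift each coefficient to (-Q/2, Q/2], then reduce mod 2."""
    return [(c - Q if c > Q // 2 else c) % 2 for c in p]

def threshold_demo(seed=1):
    rng = random.Random(seed)
    a0 = [rng.randrange(Q) for _ in range(N)]          # shared, fixed a0
    s1, s2, e1, e2 = (small(rng) for _ in range(4))    # per-party secrets and errors
    (_, b1), (_, b2) = pub_keygen(s1, a0, e1), pub_keygen(s2, a0, e2)
    joint = (a0, add(b1, b2))                          # combined public key
    key_hom = joint == pub_keygen(add(s1, s2), a0, add(e1, e2))
    m = [rng.randint(0, 1) for _ in range(N)]          # constructed binary message
    v, w = encrypt(joint, m, rng)
    rest = sub(sub(v, partial_decrypt(w, s1, rng)), partial_decrypt(w, s2, rng))
    return key_hom, centered_mod2(rest) == m           # neither party used s1 + s2
```

Decryption succeeds because every noise term, including the smudging noise, is even and their total stays far below Q/2 for these parameters.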

Performance comparison

In this section, we give the details of the performance comparison among our modified FHE scheme, the FHE scheme of [11] and the SHE scheme of [13] in Table 1. Here, we assume that L is the depth of the circuit to be evaluated and Binit is the initial magnitude of the noise; clearly, noiseq(c,s)=[vws]q is bounded by Binit, where c=((v,w),0). Given two initial ciphertexts, after L levels of multiplication followed by A additions, in the FHE scheme of [11], the noise grows from an initial magnitude of B

Conclusion

In this paper, we exploit re-linearization and modulus reduction techniques to modify the FHE from Brakerski’s scheme, and extend our modified FHE to a TFHE scheme. With the re-linearization technique, we keep the size of ciphertexts created during evaluation of the circuit constant. With the modulus reduction technique, we manage the magnitude of the noise to ensure successful decryption. We also prove that our TFHE scheme achieves security against key-related attacks. We will be

Acknowledgments

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work is supported by the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103) and the National Natural Science Foundation of China (No. 61370203).

References (19)

  • R. Rivest et al., On data banks and privacy homomorphisms
  • C. Gentry, A fully homomorphic encryption scheme, Ph.D. Thesis, Stanford University,...
  • C. Gentry, Fully homomorphic encryption using ideal lattices
  • M. Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in: EUROCRYPT 2010,...
  • N.P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in: PKC 2010,...
  • D. Stehle, R. Steinfeld, Faster fully homomorphic encryption, in: ASIACRYPT 2010, Vol. 6477, pp....
  • C. Gentry, S. Halevi, Implementing Gentry’s fully homomorphic encryption scheme, in: EUROCRYPT 2011, Vol. 6632, pp....
  • J.S. Coron, A. Mandal, D. Naccache, M. Tibouchi, Fully homomorphic encryption over the integers with shorter public...
  • Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in: FOCS,...
There are more references available in the full text version of this article.

Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University in 2009, PR China and received M.Sc. degree in pure mathematics at Guangxi University in 2012. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.

Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, in 1985, 1988 and 2004 respectively, PR China. She is presently engaged in information security, cloud computing security and cryptography as a professor at University of Electronic Science Technology of China (UESTC).

Chunhua Jin received her B.Sc. degree in telecommunication at Northwestern Polytechnical University in 2007, PR China and received M.Sc. degree in Xidian University, in 2011. She is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). She is presently engaged in cryptography, network security and cloud computing security.

Run Xie received his M.Sc. degree in mathematics and applied mathematics at Southwest Jiaotong University in 2006, PR China. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.

Jining Zhao received his B.Sc. degree in information and computing science at Henan Normal University in 2009, PR China. He is a M.Sc. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cloud computing security, network security and cryptography.