Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme
Introduction
Fully homomorphic encryption (FHE) is one of the holy grails of modern cryptography. An FHE scheme allows a worker to perform arbitrary computations on encrypted data without decrypting it. The problem was first proposed by Rivest, Adleman and Dertouzos [1] back in 1978. However, it was not until recently that a breakthrough work by Gentry [2], [3] constructed the first FHE scheme, based on the hardness of problems on ideal lattices, a sophisticated algebraic structure with useful properties. Naturally, subsequent FHE schemes [4], [5], [6], [7], [8] followed the same blueprint from Gentry’s original construction.
Generally, the first step in Gentry’s blueprint is to construct a somewhat homomorphic encryption scheme, which is capable of homomorphically evaluating polynomials of limited degree. In the following step, Gentry transforms the somewhat homomorphic encryption scheme into an FHE scheme with the bootstrapping and squashing techniques. The remarkable bootstrapping technique runs the decryption circuit on a ciphertext homomorphically, using an encrypted secret key, resulting in reduced noise. However, the bootstrapping technique forces the public key of the scheme to grow linearly with the maximal depth of the evaluation circuits. This is a major drawback regarding the usability and the efficiency of the scheme. The squashing technique transforms a somewhat homomorphic encryption scheme into one with the same homomorphic capacity but a decryption circuit that is simple enough to allow bootstrapping; yet the squashing step adds another assumption, namely the hardness of the sparse subset sum problem. Consequently, considering performance and usability, we need to look for appropriate techniques to resolve the problem.
Recently, Brakerski and Vaikuntanathan [9] found a very different way to construct an FHE scheme based on LWE. In that scheme, they introduced a new dimension-modulus reduction technique, which shortens the ciphertext and reduces the decryption complexity without using the squashing step. Since then, another FHE scheme [10] based on the LWE assumption with a similar technique has appeared. Furthermore, Brakerski and Vaikuntanathan presented another FHE scheme [11] that followed the standard squashing and bootstrapping techniques. That scheme was based on the ring learning with errors (RLWE) assumption recently introduced by Lyubashevsky [12], whose security is reduced to the worst-case hardness of problems on ideal lattices, resulting in an extremely simple scheme. Subsequently, some similar schemes based on RLWE have been proposed, such as [13], [14].
Meanwhile, we observe that recent FHE schemes based on LWE or RLWE have a special property, namely (additive) key homomorphism. A key-homomorphic encryption scheme allows us to deterministically combine public keys into a combined public key, and simultaneously combine the corresponding secret keys into a corresponding combined secret key. This property allows combining encryptions of messages under different keys to produce an encryption (of the sum of the messages) under the sum of the keys. Because lattice-based schemes have the key-homomorphic property, they play a great role in constructing some useful cryptographic primitives, especially threshold fully homomorphic encryption (TFHE), as was pointed out by Gentry [2]. A TFHE scheme allows parties to cooperatively generate a common public key whose secret key is shared among them. Moreover, the parties can cooperatively decrypt a ciphertext without learning anything but the plaintext.
In this paper, we present an efficient FHE scheme and extend it to a TFHE scheme. First of all, we modify the recent FHE scheme of Brakerski [11], which was based on RLWE, with its security reduced to worst-case problems on ideal lattices. The primitive scheme followed Gentry’s standard bootstrapping and squashing steps, while in our modified scheme the squashing step can be avoided. Moreover, the ciphertext produced by the primitive scheme contained two ring elements, but multiplications increased the number of ring elements in the ciphertext considerably. In general, given two ciphertexts and , the output of homomorphic multiplication contains ring elements. In our modified scheme, we employ the re-linearization technique from [9] to reduce the size of the resulting ciphertext after each multiplication, so that the ciphertext still contains two elements, which dramatically decreases the communication. The crucial question in constructing an FHE scheme is the noise level, which grows exponentially with the number of multiplications; we have to manage the noise level so that the ciphertext can be decrypted correctly. Confronted with this difficulty, Gentry leverages the bootstrapping procedure, which, however, reduces the noise level at great complexity. The key technique we use for noise level management is modulus reduction, first introduced in [9] and developed in [10]. With the modulus reduction technique, our scheme enjoys the same amount of homomorphism but has a much smaller decryption circuit. Thanks to these two techniques, we get our modified FHE scheme.
The basic idea of combining homomorphic encryption with threshold decryption was first noticed by Cramer [15]. Subsequently, some similar research work appeared, such as [16], [17]. Our idea of constructing a TFHE scheme benefits greatly from [18]. In particular, we exploit the key-homomorphic property to construct the threshold scheme, and we use extra smudging noise to keep the joint keys secure, so that the scheme can withstand related-key attacks. The construction of our TFHE scheme based on RLWE instead of LWE is an interesting new attempt. We also observe that in the work of [18], the researcher made a great effort to generate the combined evaluation key, while in our scheme, for simplicity, we resort to a Functionality to solve this thorny problem, which executes the computation honestly and prudently. Meanwhile, we find that our TFHE scheme is superior to the instantiation of [19], whose public key contains many more ring elements, whereas our scheme only needs two. Furthermore, we employ extra smudging noise to keep security, while the scheme in [19] makes use of an algorithm ReRand to output a rerandomized ciphertext, which has greater complexity than ours. Moreover, we claim that our TFHE scheme can be applied to construct multiparty computation protocols, which may play an important role in cloud computing.
Section snippets
Preliminaries
In the remainder of this paper, we use the following notation. We use to denote the security parameter and to denote a negligible function. For a real number , we denote by the rounding of a up, down, or to the nearest integer respectively. For an integer , we use the notation to denote the set . For some distribution , writing means that is distributed according to .
A somewhat homomorphic encryption scheme
In this section, we begin to describe a somewhat homomorphic public-key encryption scheme based on RLWE which is modified from the private-key encryption scheme in [11]. In order to guarantee correctness and security, we set parameters below which depend on the security parameter . Now we define the ring and , with the cyclotomic polynomial . We set the error distribution to be the truncated discrete Gaussian for standard deviation . A sample
Fully homomorphic encryption scheme
As described in Section 3.1, with the re-linearization technique, we keep the ciphertext size constant when performing evaluation. However, we left out the crucial question of noise level, whose magnitude grows exponentially with the number of multiplications. To tackle this, we employ a modulus reduction technique, which uses progressively smaller moduli for each level and simply rescales the ciphertext to the smaller modulus to reduce its noise level. In particular, for a secret key ,
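An added example, not taken from the paper: modulus reduction shown on an integer (LWE-style) ciphertext vector with plaintext modulus 2, using parity-preserving rounding, a standard form of the technique that is assumed here; ring ciphertexts are rescaled coefficient by coefficient in the same way. The moduli, dimension, key and ciphertext are constructed toy values.

```python
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def noise_term(c, s, q):
    """[<c, s>]_q, which equals m + 2*e for a valid ciphertext of the bit m."""
    return centered(sum(ci * si for ci, si in zip(c, s)), q)

def make_ciphertext(rng, s, m, e, q):
    """Constructed ciphertext with a chosen noise e: pick c[1:] at random, solve for c[0]."""
    tail = [rng.randrange(q) for _ in s[1:]]
    c0 = (m + 2 * e - sum(ci * si for ci, si in zip(tail, s[1:]))) % q
    return [c0] + tail

def switch_modulus(c, q, p):
    """Scale every coefficient by p/q, rounding to the nearest integer of the same parity."""
    out = []
    for ci in c:
        lo = ci * p // q
        lo -= (lo - ci) % 2                 # largest integer <= ci*p/q with ci's parity
        # pick lo or lo + 2, whichever is closer to ci*p/q (exact integer comparison)
        out.append(lo if ci * p - lo * q <= (lo + 2) * q - ci * p else lo + 2)
    return out

def demo(seed=7, q=2**20 + 1, p=2**10 + 1, n=8, m=1, e=20000):
    rng = random.Random(seed)
    s = [1] + [rng.choice((-1, 0, 1)) for _ in range(n)]   # key (1, s') with small s'
    c = make_ciphertext(rng, s, m, e, q)
    c2 = switch_modulus(c, q, p)
    return noise_term(c, s, q), noise_term(c2, s, p), sum(abs(x) for x in s)
```

The first two returned values are the noise terms before and after the switch: the parity, and therefore the plaintext bit, is preserved, while the magnitude shrinks to about p/q of the original plus at most the l1 norm of the key.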
Key homomorphic properties
In this part, we describe the useful key-homomorphic properties of the FHE scheme, which play an important role in constructing a threshold scheme.
Let be two secret keys, and be two error ring elements from . First of all, we keep fixed. Note that: ; .
We get , thus we get our combined , and its
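An added example, not the paper's own code: additive key homomorphism and two-party threshold decryption in a toy RLWE scheme over Z_Q[x]/(x^N + 1). The parameters, the textbook encryption form b = a*s + T*e, and the placement of the smudging noise in the decryption shares are all assumptions made for illustration.

```python
import random

N, Q, T = 16, 2**20 + 1, 2   # toy ring Z_Q[x]/(x^N + 1), plaintext modulus T (constructed)

def mul(a, b):
    """Multiply in Z_Q[x]/(x^N + 1): x^N wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % N, -1 if i + j >= N else 1
            out[k] = (out[k] + sign * ai * bj) % Q
    return out

def add(*polys):
    return [sum(cs) % Q for cs in zip(*polys)]
def small(rng, bound=1):
    return [rng.randint(-bound, bound) for _ in range(N)]
def centered(poly):
    return [c - Q if c > Q // 2 else c for c in (x % Q for x in poly)]

def keygen(rng, a):
    """Secret s and public b = a*s + T*e for the shared ring element a."""
    s, e = small(rng), small(rng)
    return s, add(mul(a, s), [T * x for x in e])

def encrypt(rng, a, b, m):
    """(c0, c1) with c0 + c1*s = m + T*(small noise) mod Q."""
    r, e0, e1 = small(rng), small(rng), small(rng)
    c0 = add(mul(b, r), [T * x for x in e0], m)
    c1 = [-x % Q for x in add(mul(a, r), [T * x for x in e1])]
    return c0, c1

def partial_decrypt(rng, c1, s_i, smudge=2**10):
    """One party's share c1*s_i, masked by large smudging noise T*e_sm."""
    return add(mul(c1, s_i), [T * x for x in small(rng, smudge)])

def combine(c0, shares):
    return [x % T for x in centered(add(c0, *shares))]

def demo(seed=1):
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    (s1, b1), (s2, b2) = keygen(rng, a), keygen(rng, a)
    b = add(b1, b2)                       # joint public key; its secret key is s1 + s2
    m = [rng.randrange(T) for _ in range(N)]
    c0, c1 = encrypt(rng, a, b, m)
    joint = combine(c0, [partial_decrypt(rng, c1, s) for s in (s1, s2)])
    single = combine(c0, [mul(c1, s1)])   # one share alone leaves large noise: wrong result
    key_residue = centered(add(b, [-x for x in mul(a, add(s1, s2))]))
    return m, joint, single, key_residue
```

`key_residue` is b1 + b2 - a*(s1 + s2), which is just T times the sum of the two key errors, so the sum of the public keys is a valid public key for the sum of the secret keys.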
Performance comparison
In this section, we give a detailed performance comparison among our modified FHE scheme, the FHE scheme of [11] and the SHE scheme of [13] in Table 1. Here, we assume that is the depth of the circuit to be evaluated, is the initial magnitude of the noise, clearly, is bounded by , where . Given two initial ciphertexts, after levels of multiplication followed by additions, in the FHE scheme of , the noise grows from an initial magnitude of
Conclusion
In this paper, we exploit re-linearization and modulus reduction techniques to modify the FHE from Brakerski’s scheme, and extend our modified FHE to a TFHE scheme. With the re-linearization technique, we keep the size of ciphertexts created during evaluation of the circuit constant. With the modulus reduction technique, we manage the magnitude of the noise to ensure successful decryption. We also prove that our TFHE scheme achieves security against key-related attacks. We will be
Acknowledgments
The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work is supported by the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103) and the National Natural Science Foundation of China (No. 61370203).
References (19)
- et al., On data banks and privacy homomorphisms
- C. Gentry, A fully homomorphic encryption scheme, Ph.D. Thesis, Stanford University,...
- Fully homomorphic encryption using ideal lattices
- M. Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in: EUROCRYPT 2010,...
- N.P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in: PKC 2010,...
- D. Stehle, R. Steinfeld, Faster fully homomorphic encryption, in: ASIACRYPT 2010, Vol. 6477, pp....
- C. Gentry, S. Halevi, Implementing Gentry’s fully homomorphic encryption scheme, in: EUROCRYPT 2011, Vol. 6632, pp....
- J.S. Coron, A. Mandal, D. Naccache, M. Tibouchi, Fully homomorphic encryption over the integers with shorter public...
- Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in: FOCS,...
Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University in 2009, PR China and received M.Sc. degree in pure mathematics at Guangxi University in 2012. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.
Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, in 1985, 1988 and 2004 respectively, PR China. She is presently engaged in information security, cloud computing security and cryptography as a professor at University of Electronic Science Technology of China (UESTC).
Chunhua Jin received her B.Sc. degree in telecommunication at Northwestern Polytechnical University in 2007, PR China and received M.Sc. degree in Xidian University, in 2011. She is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). She is presently engaged in cryptography, network security and cloud computing security.
Run Xie received his M.Sc. degree in mathematics and applied mathematics at Southwest Jiaotong University in 2006, PR China. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.
Jining Zhao received his B.Sc. degree in information and computing science at Henan Normal University in 2009, PR China. He is a M.Sc. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is presently engaged in cloud computing security, network security and cryptography.