Fully Homomorphic Encryption with k-bit Arithmetic Operations

We present a fully homomorphic encryption scheme continuing the line of work of Ducas and Micciancio (2015, [29]), Chillotti et al. (2016, [23]; 2017, [24]; 2018, [25]), and Gao (2018, [32]). Ducas and Micciancio (2015) show that homomorphic computation of one bit operation on LWE ciphers can be done in less than a second, which Chillotti et al. (2016, 2017, 2018) then reduce to 13 ms. According to Chillotti et al. (2018, [26]), the cipher expansion for TFHE is still 8000. Gao (2018) greatly reduced the ciphertext expansion, to 6 with private-key encryption and 20 for public-key encryption. The bootstrapping in Gao (2018) is only done one bit at a time, and the bootstrapping design matches the previous two works in efficiency. Our contribution is a fully homomorphic encryption scheme, based on these preceding schemes, that generalizes the Gao (2018) scheme to perform operations on k-bit encrypted data and also removes the need for the Independence Heuristic of the Chillotti et al. papers. Computing k bits at a time amortizes the cost and improves efficiency. Operations supported include addition and multiplication modulo 2, addition and multiplication in the integers, as well as exponentiation, field inversion and the machine learning activation function ReLU. The ciphertext expansion factor is also further improved: for k = 4 our scheme achieves a ciphertext expansion factor of 2.5 under secret key and 6.5 under public key. Asymptotically, as k → ∞, our scheme achieves the optimal ciphertext expansion factor of 1 under private-key encryption and 2 under public-key encryption. We also introduce techniques for reducing the size of the bootstrapping key.

[1] Daniele Micciancio, et al. Faster exponential time algorithms for the shortest vector problem, 2010, SODA '10.

[2] Abhishek Banerjee, et al. Pseudorandom Functions and Lattices, 2012, EUROCRYPT.

[3] Guang Gong, et al. sLiSCP: Simeck-Based Permutations for Lightweight Sponge Cryptographic Primitives, 2017, SAC.

[4] Claus-Peter Schnorr, et al. Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems, 1991, FCT.

[5] Mingjie Liu, et al. Solving BDD by Enumeration: An Update, 2013, CT-RSA.

[6] Oded Regev, et al. Lattice-Based Cryptography, 2006, CRYPTO.

[7] Phong Q. Nguyen, et al. BKZ 2.0: Better Lattice Security Estimates, 2011, ASIACRYPT.

[8] Hao Chen, et al. Attacks on Search RLWE, 2015, IACR Cryptol. ePrint Arch.

[9] Martin R. Albrecht, et al. On the Efficacy of Solving LWE by Reduction to Unique-SVP, 2013, ICISC.

[10] Nicolas Gama, et al. TFHE: Fast Fully Homomorphic Encryption Over the Torus, 2019, Journal of Cryptology.

[11] Michele Mosca, et al. Finding shortest lattice vectors faster using quantum search, 2015, Designs, Codes and Cryptography.

[12] Pierre-Alain Fouque, et al. An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices, 2015, IACR Cryptol. ePrint Arch.

[13] Guang Gong, et al. Error analysis of weak Poly-LWE instances, 2018, Cryptography and Communications.

[14] Ronald L. Rivest, et al. On Data Banks and Privacy Homomorphisms, 1978.

[15] Damien Stehlé, et al. Faster LLL-type Reduction of Lattice Bases, 2016, IACR Cryptol. ePrint Arch.

[16] Zvika Brakerski, et al. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP, 2012, CRYPTO.

[17] Ravi Kannan, et al. Minkowski's Convex Body Theorem and Integer Programming, 1987, Math. Oper. Res.

[18] Brent Waters, et al. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, 2013, CRYPTO.

[19] Vinod Vaikuntanathan, et al. Efficient Fully Homomorphic Encryption from (Standard) LWE, 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[20] Martin R. Albrecht, et al. On the complexity of the BKW algorithm on LWE, 2012, Des. Codes Cryptogr.

[21] Thijs Laarhoven, et al. Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing, 2015, LATINCRYPT.

[22] Daniele Micciancio, et al. Practical, Predictable Lattice Basis Reduction, 2016, EUROCRYPT.

[23] Wouter Castryck, et al. Provably Weak Instances of Ring-LWE Revisited, 2016, EUROCRYPT.

[24] Craig Gentry, et al. Fully homomorphic encryption using ideal lattices, 2009, STOC '09.

[25] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[26] Feng Zhang, et al. A Three-Level Sieve Algorithm for the Shortest Vector Problem, 2013, IACR Cryptol. ePrint Arch.

[27] Craig Gentry, et al. (Leveled) fully homomorphic encryption without bootstrapping, 2012, ITCS '12.

[28] Xiaoyun Wang, et al. Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem, 2011, ASIACCS '11.

[29] Martin R. Albrecht, et al. On the concrete hardness of Learning with Errors, 2015, J. Math. Cryptol.

[30] Damien Stehlé, et al. Algorithms for the Shortest and Closest Lattice Vector Problems, 2011, IWCC.

[31] Kristin E. Lauter, et al. Provably Weak Instances of Ring-LWE, 2015, CRYPTO.

[32] Chris Peikert, et al. Better Key Sizes (and Attacks) for LWE-Based Encryption, 2011, CT-RSA.

[33] Hao Chen, et al. Security Considerations for Galois Non-dual RLWE Families, 2016, SAC.

[34] Shuhong Gao. Efficient Fully Homomorphic Encryption Scheme, 2018, IACR Cryptol. ePrint Arch.

[35] Oded Regev, et al. On lattices, learning with errors, random linear codes, and cryptography, 2005, STOC '05.

[36] Chris Peikert, et al. On Ideal Lattices and Learning with Errors over Rings, 2010, JACM.

[37] Léo Ducas, et al. FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second, 2015, EUROCRYPT.

[38] Martin R. Albrecht, et al. Lazy Modulus Switching for the BKW Algorithm on LWE, 2014, Public Key Cryptography.

[39] P. Rigollet. 18.S997: High Dimensional Statistics, 2015.

[40] Luis Ruiz, et al. FHEW with Efficient Multibit Bootstrapping, 2015, LATINCRYPT.

[41] Miklós Ajtai, et al. Generating hard instances of lattice problems (extended abstract), 1996, STOC '96.

[42] Shi Bai, et al. Lattice Decoding Attacks on Binary LWE, 2014, ACISP.

[43] Serge Vaudenay, et al. Better Algorithms for LWE and LWR, 2015, EUROCRYPT.

[44] Anja Becker, et al. New directions in nearest neighbor searching with applications to lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[45] Kristin E. Lauter, et al. Weak Instances of PLWE, 2014, Selected Areas in Cryptography.