We describe a working implementation of leveled homomorphic encryption (with or without bootstrapping) that can evaluate the AES-128 circuit. This implementation is built on top of the HElib library, whose design was inspired by an early version of this work. Our main implementation (without bootstrapping) takes about 4 minutes and 3GB of RAM, running on a small laptop, to evaluate an entire AES-128 encryption operation. Using SIMD techniques, we can process up to 120 blocks in each such evaluation, yielding an amortized rate of just over 2 seconds per block. For cases where further processing is needed after the AES computation, we describe a different setting that uses bootstrapping. We describe an implementation that lets us process 180 blocks in just over 18 minutes using 3.7GB of RAM on the same laptop, yielding an amortized 6 seconds/block. We note that a somewhat better amortized per-block cost can be obtained using “byte-slicing” (and maybe also “bit-slicing”) implementations, at the cost of significantly slower wall-clock time for a single evaluation. In this article we describe many of the optimizations that went into this implementation. These include both AES-specific optimizations, as well as several “generic” tools for FHE evaluation (which are incorporated in the HElib library). The generic tools include (among others) a different variant of the Brakerski-Vaikuntanathan key-switching technique that does not require reducing the norm of the ciphertext vector, and a method of implementing the Brakerski-Gentry-Vaikuntanathan modulus-switching transformation on ciphertexts in CRT representation.
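The abstract names the Brakerski-Gentry-Vaikuntanathan modulus-switching transformation as one of the generic tools it implements. The following Python is an added illustration of that transformation on its own; it is not code from the paper or from HElib. It works on a plain LWE-style ciphertext over the integers rather than on ring elements in CRT representation, and the moduli, the binary secret and the noise bound are assumptions chosen for illustration. What it shows is the property the transformation relies on: scaling a ciphertext from an odd modulus q down to a smaller odd modulus q' while keeping every coefficient's parity leaves the decrypted bit unchanged and shrinks the noise to roughly (q'/q) times the old noise plus the l1-norm of the secret.

```python
import random


def center_mod(x, q):
    """Reduce x into the symmetric interval (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r


def inner(a, s):
    return sum(ai * si for ai, si in zip(a, s))


def keygen(n, rng):
    # Binary secret (assumption for illustration); its l1-norm bounds the
    # rounding error introduced by the switch.
    return [rng.randint(0, 1) for _ in range(n)]


def encrypt(m, s, q, noise_bound, rng):
    # Ciphertext (b, a) with b = <a, s> + 2e + m (mod q); plaintext modulus 2.
    a = [rng.randrange(q) for _ in range(len(s))]
    e = rng.randint(-noise_bound, noise_bound)
    b = (inner(a, s) + 2 * e + m) % q
    return (b, a)


def noise(ct, s, q):
    """Centred value of b - <a, s> mod q, i.e. 2e + m for a fresh ciphertext."""
    b, a = ct
    return center_mod(b - inner(a, s), q)


def decrypt(ct, s, q):
    return noise(ct, s, q) % 2


def scale_coeff(x, q, q_new):
    """Closest integer to x*q_new/q that has the same parity as x (0 <= x < q)."""
    num = x * q_new
    y = (2 * num + q) // (2 * q)  # round(num / q), half rounds up
    if (y - x) % 2 != 0:
        # Move to the neighbour with the right parity that is nearer to num/q;
        # the total rounding error is then at most 1.
        y = y + 1 if abs((y + 1) * q - num) <= abs((y - 1) * q - num) else y - 1
    return y


def mod_switch(ct, q, q_new):
    """BGV Scale step: map a ciphertext mod q to one mod q_new, preserving parity."""
    b, a = ct
    b2 = scale_coeff(b, q, q_new) % q_new
    a2 = [scale_coeff(ai, q, q_new) % q_new for ai in a]
    return (b2, a2)


def check_switch(m, seed=1):
    """Encrypt bit m mod q, switch to q_new, and report both decryptions and the new noise."""
    q, q_new = 2**20 + 7, 2**12 + 1  # both odd (assumed toy parameters)
    rng = random.Random(seed)
    s = keygen(8, rng)
    ct = encrypt(m, s, q, noise_bound=10, rng=rng)
    ct2 = mod_switch(ct, q, q_new)
    return decrypt(ct, s, q), decrypt(ct2, s, q_new), abs(noise(ct2, s, q_new))


if __name__ == "__main__":
    for bit in (0, 1):
        before, after, n2 = check_switch(bit)
        print(f"m={bit}: decrypt before={before} after={after} |noise after|={n2}")
```

After the switch the noise is bounded by about (q_new/q)*21 + 9 < 10, far below q_new/2, so decryption still succeeds; with q and q_new odd the centred residue keeps the parity of the original plaintext. The real implementation has to do the same rounding on ring elements stored as residues modulo several small primes, which is the CRT-representation problem the abstract refers to.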