nach oben

Journal of Cryptology

Erschienen in:

25.04.2019

TFHE: Fast Fully Homomorphic Encryption Over the Torus

verfasst von: Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, Malika Izabachène

Erschienen in: Journal of Cryptology | Ausgabe 1/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This work describes a fast fully homomorphic encryption scheme over the torus (TFHE) that revisits, generalizes and improves the fully homomorphic encryption (FHE) based on GSW and its ring variants. The simplest FHE schemes consist in bootstrapped binary gates. In this gate bootstrapping mode, we show that the scheme FHEW of Ducas and Micciancio (Eurocrypt, 2015) can be expressed only in terms of external product between a GSW and an LWE ciphertext. As a consequence of this result and of other optimizations, we decrease the running time of their bootstrapping from 690 to 13 ms single core, using 16 MB bootstrapping key instead of 1 GB, and preserving the security parameter. In leveled homomorphic mode, we propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and to optimize the evaluation of lookup tables and arbitrary functions in \({\mathrm {RingGSW}}\)-based homomorphic schemes. We also extend the automata logic, introduced in Gama et al. (Eurocrypt, 2016), to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called \(\mathrm {TBSR}\), that supports all the elementary operations that occur in a multiplication. These improvements speed up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We finally present a new circuit bootstrapping that converts \(\mathsf {LWE}\) ciphertexts into low-noise \({\mathrm {RingGSW}}\) ciphertexts in just 137 ms, which makes the leveled mode of TFHE composable and which is fast enough to speed up arithmetic functions, compared to the gate bootstrapping approach. Finally, we provide an alternative practical analysis of LWE based schemes, which directly relates the security parameter to the error rate of LWE and the entropy of the LWE secret key, and we propose concrete parameter sets and timing comparison for all our constructions.

Vorheriger Artikel Solving LPN Using Covering Codes

Nächster Artikel Kummer for Genus One Over Prime-Order Fields

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

For the first two distributions, it is tight, but the uniform distribution over \([-\,\sqrt{3}\sigma ,\sqrt{3}\sigma ]\) is even \(0.78\sigma \)-sub-Gaussian.

Mathematically speaking, a more accurate notion would be \(\text {dist}_p(\varvec{x},\varvec{y})=\left\| \varvec{x}-\varvec{y}\right\| _p\), which is a distance. However, the norm symbol is clearer for almost all practical purposes.

Probabilistic polynomial time.

An equivalence between \(\mathsf {LWE}\) and \(\mathsf {bin}\mathsf {LWE}\), i.e., \(\mathsf {LWE}\) with binary secret, has been proven in [13, 42]. The same reduction for the Ring variant of \(\mathsf {LWE}\) is still an open problem.

A submodule G is sufficiently dense if there exists an intermediate submodule H such that \(G\subseteq H\subseteq \mathbb {T}^n\), the relative smoothing parameter \(\eta _{H,\varepsilon }(G)\) (a.k.a. smoothing parameter of H / G) is \(\le \alpha \), and H is the orthogonal in \(\mathbb {T}^n\) of at most \(n-1\) vectors of \(\mathbb {Z}^n\). This definition allows to convert any (Ring)-\(\mathsf {LWE}\) with non-binary secret to a \(\mathsf {TLWE}\) instance via binary decomposition.

Talking about maximum amplitude is an abuse of notation. A more correct approach would be to use a truncated distribution (as suggested in [43]) in order to avoid all the negligible amounts appearing in the probability formulas.

Circular security assumption could still be avoided in leveled mode if we accept to work with many keys.

The \(\mathsf {TRLWE}\) samples can be trivial samples, in the case where the function f and its LUT are public.

If the sub-function \(f_j\) and its LUT are public, the LUT values \(\sigma _{j,0}, \ldots , \sigma _{j,2^d-1}\) can be given in clear. This means that the \(\mathsf {TRLWE}\) samples \(\varvec{d}_{p}\), for \(p \in \llbracket 0,\frac{2^d}{N}-1 \rrbracket \), are given as trivial \(\mathsf {TRLWE}\) samples \(\varvec{d}_p \leftarrow (\mathbf {0},\sum _{i=0}^{N-1} \sigma _{j,pN+i}X^i)\) in input to Algorithm 5.

For the pth bit, one would return \(\mathsf {SampleExtract}(c_p)+(\mathbf {0},\frac{1}{4})\), but it is always 0 if \(l\in [0,N-1]\).

Amplifying a distinguishing advantage from \(\epsilon \) to \(\varOmega (1)\) requires at least \(O(1/\varepsilon )\) and at most \((1/\varepsilon ^2)\) trials, depending on the shape of the symmetric difference between the two distributions. Here, the difference between a modular Gaussian with large parameter and the uniform distribution is uniformly small, so we have to apply the upper bound.

M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, V. Vaikuntanathan, Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada, (November 2018)

M. R. Albrecht, On dual lattice attacks against small-secret LWE and parameter choices in helib and SEAL, in EUROCRYPT 2017, pp. 103–129, 2017

M. R. Albrecht, C. Cid, J. Faugère, R. Fitzpatrick, L. Perret, On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography, 74/2, 325–354 (2015)MathSciNetCrossRef

M. R. Albrecht, B. R. Curtis, A. Deo, A. Davidson, R. Player, E. Postlethwaite, F. Virdia, T. Wunderer, Estimate all the \(\{\)LWE, NTRU\(\}\) schemes. https://estimate-all-the-lwe-ntru-schemes.github.io/docs, (2017)

M. R. Albrecht, A. Deo, Large modulus ring-lwe \(>=\) module-lwe, in ASIACRYPT 2017, 2017

M. R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Mathematical Cryptology 9(3), 169–203 (2015)MathSciNetCrossRef

E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe, Post-quantum key exchange - A new hope, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pp. 327–343, 2016

J. Alperin-Sheriff, C. Peikert. Faster bootstrapping with polynomial error, in Crypto, pp. 297–314, 2014CrossRef

J.-C. Bajard, J. Eynard, A. Hasan, V. Zucca, A full rns variant of fv like somewhat homomorphic encryption schemes, in SAC 2016, volume 10532 of LNCS, pp. 423–442, 2016

10.

D. Benarroch, Z. Brakerski, T. Lepoint, Fhe over the integers: Decomposed and batched in the post-quantum regime. Cryptology ePrint Archive, 2017/065

11.

A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. of ACM 50(4), 506–519 (2003)MathSciNetCrossRef

12.

Z. Brakerski, C. Gentry, V. Vaikuntanathan, (leveled) fully homomorphic encryption without bootstrapping, in ITCS, pp. 309–325, 2012

13.

Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D.Stehlé, Classical hardness of learning with errors, in Proc. of 45th STOC, pp. 575–584 (ACM, 2013)

14.

Z. Brakerski, R. Perlman, Lattice-based fully dynamic multi-key FHE with short ciphertexts, in Crypto’2016, volume 9814, pp. 190–213, 2016

15.

Z. Brakerski, V. Vaikuntanathan, Lattice-based FHE as secure as PKE, in ITCS, pp. 1–12, 2014

16.

A. L. Buchsbaum, R. Giancarlo, J. R. Westbrook. On the determinization of weighted finite automata. SIAM Journal on Computing 30(5), 1502–1531 (2000)MathSciNetCrossRef

17.

Y. Chen, P. Q. Nguyen, BKZ 2.0: Better lattice security estimates. In Proc. of Asiacrypt, pp. 1–20, 2011

18.

J. H. Cheon, J. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun. Batch fully homomorphic encryption over the integers, in EUROCRYPT 2013, 2013CrossRef

19.

J. H. Cheon, K. Han, A. Kim, M. Kim, Y. Song, A full RNS variant of approximate homomorphic encryption, in SAC 2018, pp. 347–368, 2018CrossRef

20.

J. H. Cheon, A. Kim, M. Kim, Y. Song, Homomorphic encryption for arithmetic of approximate numbers, in Asiacrypt 2017, 2016. http://eprint.iacr.org/2016/421

21.

J. H. Cheon, D. Stehlé, Fully homomophic encryption over the integers revisited, in EUROCRYPT 2015 (Springer, 2015), pp. 513–536

22.

I. Chillotti, N. Gama, M. Georgieva, M. Izabachène. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds, in Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I (Springer, 2016), pp. 3–33

23.

I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, A homomorphic lwe based e-voting scheme, in PQ Cryptography (Springer, 2016), pp. 245–265

24.

I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE, in Advances in Cryptology - ASIACRYPT 2017 (Springer, 2017)

25.

I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, TFHE: Fast fully homomorphic encryption library. https://tfhe.github.io/tfhe/ (August 2016)

26.

J. Coron, T. Lepoint, M. Tibouchi, Scale-invariant fully homomorphic encryption over the integers, in PKC 2014, pp. 311–328, 2014CrossRef

27.

R. Cramer, L. Ducas, B. Wesolowski, Short stickelberger class relations and application to ideal-svp, in Eurocrypt 2017, 2016

28.

M. Droste, P. Gastin, Weighted automata and weighted logics, in Handbook of weighted automata (Springer, 2009), pp. 175–211

29.

L. Ducas, D. Micciancio, FHEW: Bootstrapping homomorphic encryption in less than a second, in Eurocrypt, pp. 617–640, 2015

30.

M. Frigo, S. G. Johnson, The design and implementation of FFTW3. Proceedings of the IEEE 93(2), 216–231 (2005). Special issue on “Program Generation, Optimization, and Platform Adaptation”CrossRef

31.

N. Gama, M. Izabachène, P. Q. Nguyen, X. Xie, Structural lattice reduction: Generalized worst-case to average-case reductions. ePrint Archive, 2014/283, 2016

32.

N. Gama, P. Q. Nguyen, Predicting Lattice Reduction, in Eurocrypt, 2008

33.

C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC, 2009

34.

C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, in Crypto’13, 2013

35.

S. Gorbunov, V. Vaikuntanathan, H. Wee, Attribute-based encryption for circuits. Journal of the ACM (JACM) 62(6), 45 (2015)MathSciNetCrossRef

36.

S. Halevi, I. V. Shoup, Helib - an implementation of homomorphic encryption. https://github.com/shaih/HElib/ (September 2014)

37.

S. Halevi, V. Shoup, Algorithms in helib, in Crypto’2014, pp. 554–571, 2014CrossRef

38.

N. Howgrave-Graham, Approximate integer common divisors, in CaLC, volume 1 (Springer, 2001), pp. 51–66

39.

A. Langlois, D. Stehlé, Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography 75(3), 565–599 (2015).MathSciNetCrossRef

40.

M. Liu, P. Q. Nguyen, Solving bdd by enumeration: An update, in Proc. of CT-RSA, volume 7779 of LNCS (Springer, 2013), pp. 293–309

41.

V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT, pp. 1–23, 2010

42.

D. Micciancio, On the hardness of learning with errors with binary secrets. Theory of Computing 14(1), 1–17 (2018)MathSciNetCrossRef

43.

D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in Eurocrypt ’12, LNCS (Springer, 2012)

44.

D. Micciancio, M. Walter, Practical, predictable lattice basis reduction, in Proc. of Eurocrypt 2016, volume 9665 of LNCS (Springer, 2016), pp. 820–849

45.

A. I. R. V. of the BFV Homomorphic Encryption Scheme. Shai halevi and yuriy polyakov and victor shoup. In CT-RSA 2019, volume 11405 of LNCS (Springer, 2019), pp. 83–105

46.

M. A. R. Hiromasa, T. Okamoto, Packing messages and optimizing bootstrapping in gsw-fhe, in PKC ’15, pp. 699–715, 2015

47.

O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC, pp. 84–93, 2005

48.

N. Smart, F. Vercauteren, Fully homomorphic simd operations. Cryptology ePrint Archive, Report 2011/133, 2011. https://eprint.iacr.org/2011/133

49.

N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings, pp. 420–443, 2010

50.

N. P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Des. Codes Cryptography 71(1), 57–81 (2014)CrossRef

51.

D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, pp. 617–635, 2009

52.

M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in Eurocrypt, pp. 24–43, 2010

Titel: TFHE: Fast Fully Homomorphic Encryption Over the Torus
verfasst von: Ilaria Chillotti
Nicolas Gama
Mariya Georgieva
Malika Izabachène
Publikationsdatum: 25.04.2019
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 1/2020
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-019-09319-x

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2020

Locally Decodable and Updatable Non-malleable Codes and Their Applications

Solving LPN Using Covering Codes

Practical Collision Attacks against Round-Reduced SHA-3

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

On the Power of Secure Two-Party Computation

Topology-Hiding Computation on All Graphs

Premium Partner