Institute of Mathematics, College of Science, National Taiwan University
Master Thesis
Fully Homomorphic Encryption on LWR, MPLWE and MPLWR
Yi-Lin Hung
Advisor: Jiun-Ming Chen, Ph.D.
July 2020
Acknowledgements
After two years, I have finally completed this thesis. I would like to thank my advisor, Professor Jiun-Ming Chen, for the inspiration he gave me and for helping me with some of the difficult parts. I am also very grateful to my classmates and to the teachers who have taught me for giving me an environment in which I could write this thesis. Thank you all very much.
Abstract (Chinese)
We improved the fully homomorphic encryption system developed by Zvika Brakerski, replacing the LWE and RLWE hardness assumptions it originally used with the LWR and RLWR hardness assumptions. With a similar method, we make homomorphic encryption usable under the MPLWR hardness assumption. Previously, Rosca proved the security of the MPLWE hardness assumption; we likewise use a similar method to build fully homomorphic encryption on it.
Keywords: LWR homomorphic encryption, ring LWR homomorphic encryption, middle product LWE homomorphic encryption, middle product LWR homomorphic encryption
Abstract
We modified the fully homomorphic encryption (FHE) scheme produced by Zvika Brakerski to use the hardness assumptions learning with rounding (LWR) and ring learning with rounding (RLWR) instead of the hardness assumptions learning with error (LWE) and ring learning with error (RLWE). We use similar methods on the hardness assumption middle product learning with rounding (MPLWR), i.e. we make it into FHE. At present, Rosca has proved the hardness assumption middle product learning with error (MPLWE); we also use "similar" Brakerski ideas to make it into FHE.
Keywords: Learning with rounding FHE, Ring learning with rounding FHE, Middle product learning with error FHE, Middle product learning with rounding FHE
Contents
Acknowledgements
Abstract (Chinese)
Abstract
Contents
Denotation
Chapter 1 Introduction
1.1 Our result
1.2 Modular Switching
1.3 FHE Scheme
1.4 Comparison to LWE (RLWE)
Chapter 2 Preliminaries
Chapter 3 Our Construction
3.1 Basic LWR (RLWR) encryption scheme
3.2 Basic MPLWE encryption scheme
3.3 Basic MPLWR encryption scheme
3.4 Key Switching for MPLWE and MPLWR based schemes
3.5 Key Switching for LWR (RLWR) based schemes
3.6 FHE scheme
Chapter 4 Correctness
4.1 Correctness of LWR (RLWR) scheme
4.2 Correctness of MPLWE (MPLWR) scheme
Chapter 5 Optimization
5.1 Bootstrapping and Batching
5.2 Public Key Compression for LWR
Chapter 6 Zero knowledge proof
Chapter 7 Application
Chapter 8 Summary
Chapter 9 Future Work
References
Denotation
FHE: Fully Homomorphic Encryption
MPC: Multiparty Computation
(R)LWE: (Ring) Learning with Error
(R)LWR: (Ring) Learning with Rounding
MPLWE: Middle Product Learning with Error
MPLWR: Middle Product Learning with Rounding
Chapter 1 Introduction
Fully Homomorphic Encryption (FHE) is a scheme which supports both additions and multiplications on ciphertexts. These properties can be used in cloud computing and multiparty computation (MPC) [2]. In 2009, Craig Gentry, using lattice-based cryptography, described the first fully homomorphic encryption scheme [4]. It starts from a somewhat homomorphic encryption scheme and uses Gentry's ideas to make it bootstrappable, i.e., capable of evaluating its own decryption circuit and then at least one more operation. These schemes are the so-called first-generation FHE, i.e., bootstrapping a somewhat homomorphic encryption scheme.
In 2011, Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan published "Fully Homomorphic Encryption without Bootstrapping" [11], the representative of second-generation FHE. Second-generation FHE schemes all feature a much slower growth of the noise during homomorphic evaluation, and they are efficient enough for many applications even without invoking bootstrapping. The security of most of these second-generation schemes is based on the hardness of the LWE (RLWE) problem [10]; however, the variant LWR (RLWR) [7] has not been described in the second generation. So, we plan to adapt the scheme to the hardness assumption LWR (RLWR).
1.1 Our result
The LWE version has the form $b = A's' + 2e$, where $b$ and $A'$ are known, $s'$ is the secret key and $e \in \{0, 1\}$ is the error term. We have to sample $e$ at random to keep it secret.
We think the error term can be neglected and can instead be determined by $A$ and $s$ in the LWR setting, which is often the advantage of LWR. LWR-based encryption has the basic form $b = \lfloor \tfrac{1}{2} A s \rfloor$.
We think the key point in turning this encryption into fully homomorphic encryption is to double the error term (the error term is $\lfloor \tfrac{1}{2} A s \rfloor - \tfrac{1}{2} A s$). It is finally removed by the modular reduction in the decryption process.
In chapter 3, we also describe MPLWE and MPLWR, which were published in 2017 and 2019. We use our idea to make MPLWR into FHE and use "similar" Brakerski ideas to make MPLWE into FHE. That is, we introduce a new inner product compatible with MPLWE and MPLWR and use Brakerski's ideas to make them into FHE.
1.2 Modular Switching
We use the methods described in [11] and make them compatible with our new inner product $\langle \cdot, \cdot \rangle_{\odot}$, since the product used in MPLWE and MPLWR is not the standard matrix product; they introduced the "middle product" instead. Our work in the modulus switching step is to make sure that the method described in [11] still works, which means that we can also use the same methods to make them into FHE. To make our proof clear, the definition of the inner product we introduce becomes complex, but we just want to prove the properties written in [11].
1.3 FHE Scheme
After the key switching work, the scheme looks the same for our LWR (RLWR), MPLWE and MPLWR schemes. Actually, the LWR (RLWR) scheme is the same as [11], since it is an equivalent modification of the original LWE version, while the MPLWE and MPLWR schemes look different, i.e. one should read section 3.4 to see what must be done for MPLWE and MPLWR.
1.4 Comparison to LWE (RLWE)
We can use the hardness assumptions LWR (RLWR), MPLWE and MPLWR, which are usually thought to be harder than the LWE hardness assumption. In [8], it is proved that the worst case of LWR (RLWR) is harder than the average case of LWE (RLWE). In [9], it is proved that MPLWE is harder than polynomial LWE problems, and in [10], that MPLWR is harder than polynomial LWR problems. For LWR- and MPLWR-based encryption, we expand the dimension of the public key to trade off the error generation.
Chapter 2 Preliminaries
Definition 1. (LWE)
For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $q = q(\lambda) \ge 2$ be an integer, and let $\chi = \chi(\lambda)$ be a distribution over $\mathbb{Z}$. The $\mathrm{LWE}_{n,q,\chi}$ problem is to distinguish the following two distributions: in the first distribution, one samples $(a_i, b_i)$ uniformly from $\mathbb{Z}_q^{n+1}$; in the second distribution, one first draws $s \leftarrow \mathbb{Z}_q^n$ uniformly and then samples $(a_i, b_i) \in \mathbb{Z}_q^{n+1}$ by sampling $a_i \leftarrow \mathbb{Z}_q^n$ uniformly, $e_i \leftarrow \chi$, and setting $b_i = \langle a_i, s \rangle + e_i$. The $\mathrm{LWE}_{n,q,\chi}$ assumption is that the $\mathrm{LWE}_{n,q,\chi}$ problem is infeasible.
Definition 2. (LWR)
For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $q = q(\lambda) \ge 2$ be an integer and $p = p(\lambda) < q$, and let $\chi = \chi(\lambda)$ be a distribution over $\mathbb{Z}$. The $\mathrm{LWR}_{n,q,\chi}$ problem is to distinguish the following two distributions: in the first distribution, one samples $(a_i, b_i)$ uniformly from $\mathbb{Z}_q^{n+1}$; in the second distribution, one first draws $s \leftarrow \mathbb{Z}_q^n$ uniformly and then samples $(a_i, b_i) \in \mathbb{Z}_q^{n+1}$ by sampling $a_i \leftarrow \mathbb{Z}_q^n$ uniformly and setting $b_i = \lfloor \tfrac{p}{q} \cdot \langle a_i, s \rangle \rfloor$. The $\mathrm{LWR}_{n,q,\chi}$ assumption is that the $\mathrm{LWR}_{n,q,\chi}$ problem is infeasible.
Definition 3. Let $d_a, d_b, d, k$ be integers such that $d_a + d_b - 1 = d + 2k$. The middle product $\odot_d : R^{<d_a}[x] \times R^{<d_b}[x] \to R^{<d}[x]$ is the map:
$$ (a, b) \mapsto a \odot_d b = \left\lfloor \frac{(a \cdot b) \bmod x^{k+d}}{x^k} \right\rfloor $$
We use the same notation $\odot_d$ for every $d_a, d_b$ such that $d_a + d_b - 1 - d$ is non-negative and even.
Definition 4. (modular rounding function)
Let $p$ and $q$ be integers both larger than 1. A modular rounding function $\lfloor \cdot \rceil_p : \mathbb{Z}_q \to \mathbb{Z}_p$ is given by $\lfloor x \rceil_p = \lfloor \tfrac{p}{q} \cdot x \rceil \bmod p$. The rounding function extends component-wise to vectors over $\mathbb{Z}_q$ and coefficient-wise to polynomials in $\mathbb{Z}_q[x]$. Note that we use the same notation as Banerjee et al. [1] for the purpose of coherence. It is also possible to use the floor rounding function $\lfloor \cdot \rfloor$, where each element is rounded down to the next smaller integer, as for instance done by Chen et al. [8].
Definition 5. (MP distribution)
Let $n, d > 0$, $q \ge 2$, and $\chi$ a distribution over $R^{<d}[x]$. For $s \in \mathbb{Z}_q^{<n+d-1}[x]$, we define the distribution $\mathrm{MP}_{q,n,d,\chi}(s)$ over $\mathbb{Z}_q^{<n}[x] \times R_q^{<d}[x]$ as the one obtained by sampling $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e \leftarrow \chi$ and returning $(a, b = a \odot_d s + e)$.
Definition 6. (MP-LWE)
Let $n, d > 0$, $q \ge 2$, and a distribution $\chi$ over $R^{<d}[x]$. The (decision) $\mathrm{MP\text{-}LWE}_{n,d,q,\chi}$ problem consists in distinguishing between arbitrarily many samples from $\mathrm{MP}_{q,n,d,\chi}(s)$ and the same number of samples from $U(\mathbb{Z}_q^{<n}[x] \times R_q^{<d}[x])$, with non-negligible probability over the choice of $s \leftarrow U(\mathbb{Z}_q^{<n+d-1}[x])$.
Definition 7. (MP-CLWR assumption)
Let $d, n, p, q$ and $t$ be positive integers fulfilling $0 < d \le n$ and $q \ge p \ge 2$. Choose $s$ uniformly at random over $(\mathbb{Z}_q^{<n+d-1}[x])^{\times}$. Denote by $\chi_s$ the distribution of $(a, \lfloor a \odot_d s \rceil_p)$, where $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$, and denote by $\mathcal{U}$ the distribution of $(a, \lfloor b \rceil_p)$, where $a \leftarrow U(\mathbb{Z}_q^{<n}[x])$ and $b \leftarrow U(\mathbb{Z}_q^{<d}[x])$. For $i \in \{1, 2\}$ define the input for $S_i$ as $(\mathrm{var}_i, \mathrm{con})$, where $\mathrm{var}_1$ denotes the distribution $\chi_s^t$, $\mathrm{var}_2$ the distribution $\mathcal{U}^t$, and $\mathrm{con}$ is an arbitrary distribution over $\{0, 1\}^*$ which is independent from $\mathrm{var}_1$ and $\mathrm{var}_2$. For a fixed challenger $C$ let $P_{C,A}$ be the probability for an adversary $A$ to win $\mathrm{Exp}_1(C, A, S_1)$, and let $Q_{C,A}$ be that for $A$ to win $\mathrm{Exp}_2(C, A, S_2)$.
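As an added worked example (not code from the thesis or from [9]/[10]): a Python implementation of the middle product of Definition 3, the modular rounding of Definition 4, and the two sample types built on them, a MP-LWE sample $b = a \odot_d s + e$ (Definition 5) and a rounded MP-LWR sample $\lfloor a \odot_d s \rceil_p$ (Definition 7). Polynomials are coefficient lists; the helpers `random_instance` and `gaussian_error`, the toy sizes, and the round-half-up tie rule in `mod_round` are assumptions made here.

```python
import random

# Added example, not code from the thesis or from [9]/[10].  Polynomials are coefficient
# lists (index i holds the coefficient of x^i), so Z_q^{<n}[x] is a list of n integers.


def middle_product(a, b, d):
    """a (.)_d b = floor( ((a*b) mod x^{k+d}) / x^k ) with d_a + d_b - 1 = d + 2k (Definition 3).

    (a*b) mod x^{k+d} drops every coefficient of degree >= k+d; dividing by x^k and taking
    the floor drops the k lowest ones, leaving exactly the d middle coefficients of a*b.
    """
    da, db = len(a), len(b)
    twice_k = da + db - 1 - d
    if twice_k < 0 or twice_k % 2:
        raise ValueError("d_a + d_b - 1 - d must be non-negative and even")
    k = twice_k // 2
    prod = [0] * (da + db - 1)                 # ordinary polynomial product a*b
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return prod[k:k + d]


def mod_round(x, p, q):
    """Modular rounding floor(x]_p = floor((p/q) * x] mod p (Definition 4), in integer arithmetic.
    Ties are rounded up (an assumption; the definition does not fix the tie rule)."""
    return ((2 * p * x + q) // (2 * q)) % p


def mp_lwe_sample(a, s, e, d, q):
    """b = a (.)_d s + e mod q: one MP_{q,n,d,chi}(s) sample (Definition 5) for given a and e."""
    return [(x + ei) % q for x, ei in zip(middle_product(a, s, d), e)]


def mp_lwr_sample(a, s, d, p, q):
    """b = floor(a (.)_d s]_p: the rounded sample of chi_s in Definition 7 (no error term)."""
    return [mod_round(x % q, p, q) for x in middle_product(a, s, d)]


def random_instance(n, d, q, rng):
    """Constructed toy instance: s uniform in Z_q^{<n+d-1}[x], a uniform in Z_q^{<n}[x];
    then d_a + d_b - 1 - d = 2(n-1), so (.)_d is defined with k = n - 1."""
    s = [rng.randrange(q) for _ in range(n + d - 1)]
    a = [rng.randrange(q) for _ in range(n)]
    return s, a


def gaussian_error(d, sigma, rng):
    """e <- chi: each coefficient a rounded Gaussian (the thesis's floor(D_{alpha q}]) of width sigma."""
    return [round(rng.gauss(0, sigma)) for _ in range(d)]
```

With $n = 3$, $d = 2$ the secret has $n + d - 1 = 4$ coefficients and $k = 2$, so `middle_product([1, 1, 0], [1, 2, 3, 4], 2)` keeps the coefficients of $x^2$ and $x^3$ of the product, namely $[5, 7]$; `mp_lwr_sample` then rounds each of them into $\mathbb{Z}_p$.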
Definition 8. Let $l, r_a, r_b$ be integers. The middle inner product $\langle a, b \rangle_{\odot_d}^{(l, r_a, r_b)} : R^{l + <d_a}[x] \times R^{l + <d_b}[x] \to R^{l + <d}[x]$ is the function such that $a$ and $b$ take the standard inner product over their first $l$ entries, and the remainders take the middle product, each block of $r_a$ rows of the remainder of $a$ against each block of $r_b$ rows of the remainder of $b$.
(Layout in the source: $a$ has $l$ leading entries followed by the blocks $r_{a1}, \cdots$; $b$ has $l$ leading entries followed by the blocks $r_{b1}, \cdots$.)
(The first $l$ entries compute the standard inner product, plus $r_{a1} \odot_d r_{b1} + \cdots + r_{ak} \odot_d r_{bk}$, where $l = k \times h$.)
Notice that we use the notation $\langle a, b \rangle_{\odot_d}$ to denote $\langle a, b \rangle_{\odot_d}^{(d,\, t,\, n+d+k-1)}$.
Chapter 3 Our Construction
We describe each basic encryption scheme in sections 3.1 to 3.3 and describe the key switching for each scheme in sections 3.4 and 3.5. In section 3.6 we lay out our FHE scheme for each encryption scheme.
3.1 Basic LWR (RLWR) encryption scheme
In this section, our encryption scheme does not need to generate error terms; we use the hardness of LWR (RLWR) instead. Basic encryption scheme:
• E.Setup: Choose $d = d(\lambda, \mu, b)$, $n = n(\lambda, \mu, b)$, $\chi = \chi(\lambda, \mu, b)$ and $N = \lfloor (2n + 3) \log q \rfloor$ as in the [11] scheme, and let $R = \mathbb{Z}[x]/(x^d + 1)$.
• E.SecretKeyGen: $s' \leftarrow \chi^n$. $sk = s = (1, s'[1], s'[2], \ldots, s'[n]) \in R_q^{n+1}$.
• E.PublicKeyGen: Generate a matrix $A' \in R_q^{N \times n}$ and set $b = 2^2 \cdot \lfloor \tfrac{1}{2} A's' \rfloor - (2 - 1) A's' \in R_q^N$. Set $A = [\, b \mid -A' \,]$; notice that $\langle A, s \rangle = 2^2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's')$.
• E.Encryption: To encrypt a message $m \in R_2$, set $\mathbf{m} = (m, 0, \ldots, 0) \in R_2^{n+1}$,
3.2 Basic MPLWE encryption scheme
In this section, we adjust the encryption scheme described in [9] to be compatible with our homomorphic encryption scheme. Let $\chi = \lfloor D_{\alpha q} \rceil$ denote the distribution over $\mathbb{Z}^{<d+k}[x]$ where each coefficient is sampled from $D_{\alpha \cdot q}$ and then rounded to the nearest integer. Let $t \ge 2$.
• E.KeyGen: Sample $s' \leftarrow U(\mathbb{Z}_q^{<n+d+k-1}[x])$. For every $i \le t$, sample $a'_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e_i \leftarrow \chi$ and compute $b_i = a'_i \odot_{d+k} s' + 2 e_i \in \mathbb{Z}_q^{<d+k}[x]$. The secret key is $sk = s = (1, s') \in \mathbb{Z}_q^{<n+2d+k-1}[x]$ and the public key is $pk = (a'_i, b_i)_{i \le t}$. Set $A = [\, b \mid -A' \,]$.
• E.Encryption: To encrypt a message $m \in \{0, 1\}^{<d}[x]$, set $\mathbf{m} = (m, 0, \ldots, 0) \in \mathbb{Z}^{<d+t}[x]$, sample $r_i \leftarrow U(\{0, 1\}^{k+1}[x])$ and output the ciphertext $c = \mathbf{m} + A^T \odot_d r$.
• E.Decryption: Output $m = \langle c, s \rangle_{\odot_d}^{q} \bmod 2$.
3.3 Basic MPLWR encryption scheme
In this section, we lay out our MPLWR encryption scheme under the hardness assumption described in [10]. Let $\chi = \lfloor D_{\alpha q} \rceil$ denote the distribution over $\mathbb{Z}^{<d+k}[x]$ where each coefficient is sampled from $D_{\alpha \cdot q}$ and then rounded to the nearest integer. Let $t \ge 3$.
• E.KeyGen: Sample $s' \leftarrow U(\mathbb{Z}_q^{<n+d+k-1}[x])$. For every $i \le t$, sample $a'_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $e_i \leftarrow \chi$ and compute $b_i = 4 \lfloor a'_i \odot_{d+k} s' \rfloor_2 - a'_i \odot_{d+k} s' \in \mathbb{Z}_q^{<d+k}[x]$. The secret key is $sk = s = (1, s') \in \mathbb{Z}_q^{<n+2d+k-1}[x]$ and the public key is $pk = (a'_i, b_i)_{i \le t}$. Set $A = [\, b \mid -A' \,]$.
• E.Encryption: To encrypt a message $m \in \{0, 1\}^{<d}[x]$, set $\mathbf{m} = (m, 0, \ldots, 0) \in \mathbb{Z}^{<d+t}[x]$, sample $r_i \leftarrow U(\{0, 1\}^{k+1}[x])$ and output the ciphertext $c = \mathbf{m} + A^T \odot_d r$.
• E.Decryption: Output $m = \langle c, s \rangle_{\odot_d}^{q} \bmod 2$.
3.4 Key Switching for MPLWE and MPLWR based schemes
FHE is a scheme which supports both additions and multiplications on ciphertexts. Addition is obviously supported with almost no effort, so we focus on how to satisfy the multiplication property. The Kronecker product is the heuristic way in our scheme: to compute $m_1 \times m_2$, we compute $\langle c_1 \otimes c_2, s \otimes s \rangle$. However, if the multiplication depth is too large, the noise becomes huge. In [11], the solution is the key switching method, which refreshes the ciphertexts to a fixed length. That scheme is evidently compatible with our LWE (RLWE) scheme, and our work is to prove that it can be made compatible with the MPLWE and MPLWR schemes. We use the notation of [11].
• BitDecomp$(x \in \mathbb{Z}_q^n[x], q)$ decomposes $x$ into its bit representation for each entry. Namely, write $x = \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot u_j$, where all of the $u_j \in \{0, 1\}^n[x]$, and output $(u_0, \ldots, u_{\lfloor \log q \rfloor}) \in \mathbb{Z}_2^{\lfloor \log q \rfloor \times n}[x]$.
• Powerof2$(x \in \mathbb{Z}_q^m[x], q)$: Output $(x, 2 \cdot x, \ldots, 2^{\lfloor \log q \rfloor} \cdot x) \in \mathbb{Z}_q^{\lfloor \log q \rfloor \times m}[x]$.
Lemma 1. We have $\langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, t,\, n+d+k-1)} = \langle c, s \rangle_{\odot_d} \bmod q$ for vectors $c \in \mathbb{Z}_q^{d+t}$, $s \in \mathbb{Z}_q^{n+2d+k-1}$.
Proof. …tations then it is correct. Hence
$$ \langle c, s \rangle_{\odot_d} = \Big\langle \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot u_j,\; s \Big\rangle_{\odot_d} = \sum_{j=0}^{\lfloor \log q \rfloor} \langle 2^j \cdot u_j, s \rangle_{\odot_d} = \sum_{j=0}^{\lfloor \log q \rfloor} \langle u_j, 2^j \cdot s \rangle_{\odot_d} = \langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, t,\, n+d+k-1)} $$
By the proof of our main lemma we can now introduce how to refresh the ciphertexts to a fixed length.
SwitchKeyGen$(s_1 \in \mathbb{Z}_q^{n_1}[x], s_2 \in \mathbb{Z}_q^{n_2}[x])$:
1. Run $A \leftarrow$ E.PublicKeyGen$(s_2, N)$ for $N = n_1 \cdot \lfloor \log q \rfloor$.
2. Set $B \leftarrow A + \mathrm{Powerof2}(s_1)$ (add it to $A$'s first column). Output $\tau_{s_1 \to s_2} = B$.
SwitchKey$(\tau_{s_1 \to s_2}, c_1)$: Output $c_2 = \mathrm{BitDecomp}(c_1)^T \odot_d B \in \mathbb{Z}_q^{n_2}[x]$.
Lemma 2. Let $s_1, s_2, q, n_1, n_2, A, B = \tau_{s_1 \to s_2}$ be as in SwitchKeyGen$(s_1, s_2)$, and let $A \odot_d s_2 = 2 e_2 \in \mathbb{Z}_q^{n_2}[x]$ (for MPLWR we have $A \odot_d s_2 = 2 (2 \lfloor a'_i \odot_d s'_i \rfloor_2 - a'_i \odot_d s'_i)$). Let $c_1 \in \mathbb{Z}_q^{n_1}[x]$ and $c_2 \leftarrow$ SwitchKey$(\tau_{s_1 \to s_2}, c_1)$. Then,
$$ \langle c_2, s_2 \rangle_{\odot_d} = 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle c_1, s_1 \rangle_{\odot_d} $$
Proof.
$$ \begin{aligned} \langle c_2, s_2 \rangle &= \mathrm{BitDecomp}(c_1) \odot_d B \odot_d s_2 \\ &= \mathrm{BitDecomp}(c_1) \odot_d \big( 2 e_2 + \mathrm{Powerof2}(s_1) \big) \\ &= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle \mathrm{BitDecomp}(c_1), \mathrm{Powerof2}(s_1) \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, n_1 - d,\, n_2 - d)} \\ &= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle_{\odot_d}^{(\lfloor \log q \rfloor,\, n_1 - d,\, n_2 - d)} + \langle c_1, s_1 \rangle_{\odot_d} \end{aligned} $$
3.5 Key Switching for LWR (RLWR) based schemes
In this section we provide the LWR (RLWR) based key switching. Since it is an equivalent modification of the LWE (RLWE) based one, it looks similar to it. We use the notation of [11].
• BitDecomp$(x \in R_q^n, q)$ decomposes $x$ into its bit representation for each entry. Namely, write $x = \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot u_j$, where all of the $u_j \in R_2^n$, and output $(u_0, \ldots, u_{\lfloor \log q \rfloor}) \in R_2^{\lfloor \log q \rfloor \times n}$.
• Powerof2$(x \in R_q^m, q)$: Output $(x, 2 \cdot x, \ldots, 2^{\lfloor \log q \rfloor} \cdot x) \in R_q^{\lfloor \log q \rfloor \times m}$.
Lemma 3. For $c, s \in R_q^n$ we have $\langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle = \langle c, s \rangle \bmod q$.
Proof.
$$ \langle c, s \rangle = \Big\langle \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot u_j,\; s \Big\rangle = \sum_{j=0}^{\lfloor \log q \rfloor} \langle 2^j \cdot u_j, s \rangle = \sum_{j=0}^{\lfloor \log q \rfloor} \langle u_j, 2^j \cdot s \rangle = \langle \mathrm{BitDecomp}(c, q), \mathrm{Powerof2}(s, q) \rangle $$
And hence we have
SwitchKeyGen$(s_1 \in R_q^{n_1}, s_2 \in R_q^{n_2})$:
1. Run $A \leftarrow$ E.PublicKeyGen$(s_2, N)$ for $N = n_1 \cdot \lfloor \log q \rfloor$.
2. Set $B \leftarrow A + \mathrm{Powerof2}(s_1)$ (add it to $A$'s first column). Output $\tau_{s_1 \to s_2} = B$.
SwitchKey$(\tau_{s_1 \to s_2}, c_1)$: Output $c_2 = \mathrm{BitDecomp}(c_1)^T \cdot B \in R_q^{n_2}$.
Lemma 4. Let $s_1, s_2, q, n_1, n_2, A, B = \tau_{s_1 \to s_2}$ be as in SwitchKeyGen$(s_1, s_2)$, and let $A \cdot s_2 = 2^2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's') \in R_q^N$. Let $c_1 \in R_q^{n_1}$ and $c_2 \leftarrow$ SwitchKey$(\tau_{s_1 \to s_2}, c_1)$. Then,
$$ \langle c_2, s_2 \rangle = 2 \big\langle \mathrm{BitDecomp}(c_1),\; 2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's') \big\rangle + \langle c_1, s_1 \rangle \bmod q $$
Proof.
$$ \begin{aligned} \langle c_2, s_2 \rangle &= \mathrm{BitDecomp}(c_1)^T \cdot B \cdot s_2 \\ &= \mathrm{BitDecomp}(c_1)^T \cdot \big( 2^2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's') + \mathrm{Powerof2}(s_1) \big) \\ &= 2 \big\langle \mathrm{BitDecomp}(c_1),\; 2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's') \big\rangle + \langle \mathrm{BitDecomp}(c_1), \mathrm{Powerof2}(s_1) \rangle \\ &= 2 \big\langle \mathrm{BitDecomp}(c_1),\; 2 (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's') \big\rangle + \langle c_1, s_1 \rangle \end{aligned} $$
3.6 FHE scheme
The previous lemmas make our schemes compatible with the [11] scheme. In this section, we present our scheme, modified from [11]. (Notation: $L_c(x) = \langle c, x \rangle_{\odot}^{q}$ is a ciphertext-dependent linear equation over the coefficients of $x$, and $L^{\mathrm{long}}_{c_1, c_2}(x \otimes x)$ is a linear equation over the coefficients of $x \otimes x$.)
• FHE.KeyGen. For $j = L \to 0$ do
1. Generate $s_j$ and $A_j$ for each encryption scheme.
2. Set $s'_j = s_j \otimes s_j$ (Kronecker tensor).
3. Set $s''_j = \mathrm{BitDecomp}(s'_j, q_j)$.
4. Run $\tau_{s''_j \to s_{j-1}} = \mathrm{SwitchKeyGen}(s''_j, s_{j-1})$ (omit this step at the beginning, i.e. for $j = L$).
• FHE.Enc. Use the basic encryption scheme to encrypt messages.
• FHE.Dec. Suppose the ciphertext is under key $s_j$. Decrypt the message under key $s_j$ with E.Decryption.
• FHE.Add. Take two ciphertexts encrypted under key $s_j$ (if not, do FHE.Refresh to make them encrypted under the same key $s_j$). Set $c_3 = c_1 + c_2 \bmod q_j$. (In [11], the ciphertext size is expanded to make it indistinguishable from FHE.Mult.) Hence we interpret $c_3$
• FHE.Mult. Take two ciphertexts encrypted under key $s_j$ (if not, do FHE.Refresh to make them encrypted under the same key $s_j$). The new ciphertext is the Kronecker tensor of the two ciphertexts, with key $s'_j = s_j \otimes s_j$, stored as a vector, i.e. $c_3 = L^{\mathrm{long}}_{c_1, c_2}(x \otimes x)$, and output
$$ c_4 = \mathrm{FHE.Refresh}(c_3, \tau_{s''_j \to s_{j-1}}, q_j, q_{j-1}) $$
• FHE.Refresh. Takes a ciphertext encrypted under $s'_j$, the auxiliary information $\tau_{s''_j \to s_{j-1}}$ to facilitate key switching, and the current and next moduli $q_j$ and $q_{j-1}$. Do the following:
1. Expand: Set $c_1 = \mathrm{Powerof2}(c, q_j)$.
2. Switch Moduli: Set $c_2 = \mathrm{Scale}(c_1, q_j, q_{j-1}, 2)$, a ciphertext under the key $s''_j$ for modulus $q_{j-1}$.
3. Switch Keys: Output $c_3 = \mathrm{SwitchKey}(\tau_{s''_j \to s_{j-1}}, c_2, q_{j-1})$, a ciphertext under the key $s_{j-1}$ for modulus $q_{j-1}$.
Since we have expressed our notation compatibly with [11], it may look similar to that scheme. But it actually does different things in the MPLWE and MPLWR schemes. For the LWR (RLWR) scheme, it can be seen as an equivalent modification of the LWE (RLWE) scheme; hence we can use the original LWE (RLWE) scheme to make them into FHE. Since it looks almost the same, we do not emphasize it in particular.
Chapter 4 Correctness
4.1 Correctness of LWR (RLWR) scheme
Lemma 5 (Correctness). Let $c, A, r$ be as described in the encryption scheme of LWR (RLWR). Then we can decrypt the message $m \in \{0, 1\}$ using the secret key $s$.
Proof.
$$ \begin{aligned} m &= \langle c, s \rangle_q \bmod 2 = \langle \mathbf{m} + A^T r, s \rangle = \langle \mathbf{m}, s \rangle + \langle A^T r, s \rangle \\ &= m + 2 \times 2 \times (\lfloor \tfrac{1}{2} A's' \rfloor - \tfrac{1}{2} A's')\, r \bmod 2 \\ &= m \end{aligned} $$
Lemma 6 (homomorphic properties). Let $c_1, c_2$ be the ciphertexts of two different messages encrypted under $s$, with $A, r$ as described in the encryption scheme of LWR (RLWR). Then we can decrypt the messages $m_1 + m_2$ and $m_1 \times m_2$ using the secret key $s$.
Proof.
$$ \begin{aligned} m_1 \times m_2 &= \langle c_1 \otimes c_2, s \otimes s \rangle = \langle (\mathbf{m}_1 + A^T r_1) \otimes (\mathbf{m}_2 + A^T r_2), s \otimes s \rangle \\ &= \langle \mathbf{m}_1 \otimes \mathbf{m}_2, s \otimes s \rangle + \langle A^T r_1 \otimes \mathbf{m}_2, s \otimes s \rangle + \langle \mathbf{m}_1 \otimes A^T r_2, s \otimes s \rangle + \langle A^T r_1 \otimes A^T r_2, s \otimes s \rangle \\ &= m_1 \times m_2 \end{aligned} $$
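As an added worked example (not code from the thesis): a toy Python implementation of the LWR-style basic scheme of section 3.1 (public key $A = [\, b \mid -A' \,]$ with $b = 2^2 \lfloor \tfrac{1}{2} A's' \rfloor - (2-1) A's'$, ciphertext $c = \mathbf{m} + A^T r$, decryption $\langle c, s \rangle_q \bmod 2$ as in Lemma 5), the homomorphic addition and Kronecker-product multiplication of Lemma 6, and the BitDecomp/Powerof2 key switching of section 3.5 with $\tau_{s \otimes s \to s}$, whose noise term is checked against Lemma 4. A single modulus is used (no Scale step); the ternary $\chi$, the modulus $q = 2^{17} - 1$, the dimensions $n = 4$, $N = 8$ and the function names are assumptions made here.

```python
import random

# Added example (not the thesis's code): toy LWR-style scheme of section 3.1 plus
# the key switching of section 3.5.  Parameters are constructed, far too small to
# be secure, and chosen so that every noise term below stays well under q/2.
Q = 131071                # modulus q = 2^17 - 1 (assumed)
LOGQ = Q.bit_length()     # bits per entry used by BitDecomp / Powerof2 (17)

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def keygen(n, N, rng, s_prime=None):
    """E.SecretKeyGen / E.PublicKeyGen: no error is sampled; b is a function of A's'.
    chi is taken to be the ternary distribution (an assumption made here)."""
    if s_prime is None:
        s_prime = [rng.choice([-1, 0, 1]) for _ in range(n)]
    s = [1] + s_prime                               # sk = s = (1, s')
    pk = []
    for _ in range(N):
        a = [rng.randrange(Q) for _ in range(n)]    # one row of A'
        x = inner(a, s_prime)                       # A's' mod q
        b = (4 * (x // 2) - x) % Q                  # b = 2^2 floor(A's'/2) - (2-1) A's'
        pk.append([b] + [(-ai) % Q for ai in a])    # row of A = [b | -A']
    return s, pk                # each row satisfies <row, s> = 4 floor(x/2) - 2x = -2 (x mod 2)

def encrypt(pk, m, rng):
    """c = m + A^T r with r uniform in {0,1}^N and m embedded as (m, 0, ..., 0)."""
    c = [0] * len(pk[0])
    for row in pk:
        if rng.randrange(2):
            c = [(ci + ai) % Q for ci, ai in zip(c, row)]
    c[0] = (c[0] + m) % Q
    return c

def decrypt(sk, c):
    """Lemma 5: <c, s> = m + (even noise); reduce mod q, centre, then take mod 2."""
    return centered(inner(c, sk)) % 2

def add(c1, c2):
    return [(a + b) % Q for a, b in zip(c1, c2)]

def tensor(u, v):
    """Kronecker product; <c1 (x) c2, s (x) s> = <c1, s> * <c2, s> (Lemma 6)."""
    return [(a * b) % Q for a in u for b in v]

def bit_decomp(x):
    """BitDecomp: x = sum_j 2^j u_j with binary u_j, returned as (u_0, ..., u_{LOGQ-1})."""
    return [[(xi >> j) & 1 for xi in x] for j in range(LOGQ)]

def power_of_2(x):
    """Powerof2: (x, 2x, ..., 2^{LOGQ-1} x) mod q, in the same order as bit_decomp."""
    return [[(xi << j) % Q for xi in x] for j in range(LOGQ)]

def flatten(rows):
    return [v for row in rows for v in row]

def switch_key_gen(s1, s2, rng):
    """SwitchKeyGen(s1 -> s2): len(s1)*LOGQ public-key rows under s2, Powerof2(s1) in column 0."""
    _, A = keygen(len(s2) - 1, len(s1) * LOGQ, rng, s_prime=s2[1:])
    return [[(row[0] + p) % Q] + row[1:] for row, p in zip(A, flatten(power_of_2(s1)))]

def switch_key(tau, c1):
    """SwitchKey: c2 = BitDecomp(c1)^T B, a ciphertext of the same message under s2."""
    c2 = [0] * len(tau[0])
    for bit, row in zip(flatten(bit_decomp(c1)), tau):
        if bit:
            c2 = [(a + b) % Q for a, b in zip(c2, row)]
    return c2

def key_switch_noise(tau, c1, s1, s2):
    """<c2, s2> - <c1, s1>, the term 2<BitDecomp(c1), e> of Lemma 4: even and small."""
    return centered(inner(switch_key(tau, c1), s2) - inner(c1, s1))

def check_all(seed, n=4, N=8):
    """Lemma 5, Lemma 6 and Lemma 4 on every message pair; True when all of them hold."""
    rng = random.Random(seed)
    sk, pk = keygen(n, N, rng)
    sk2 = tensor(sk, sk)                            # key of a product ciphertext
    tau = switch_key_gen(sk2, sk, rng)              # tau_{s (x) s -> s}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(pk, m1, rng), encrypt(pk, m2, rng)
            c3 = tensor(c1, c2)                     # product under s (x) s, dimension (n+1)^2
            noise = key_switch_noise(tau, c3, sk2, sk)
            if (decrypt(sk, c1), decrypt(sk, c2)) != (m1, m2):            # Lemma 5
                return False
            if decrypt(sk, add(c1, c2)) != (m1 + m2) % 2:                 # Lemma 6, sum
                return False
            if decrypt(sk2, c3) != m1 * m2 or decrypt(sk, switch_key(tau, c3)) != m1 * m2:
                return False                                              # Lemma 6 / Lemma 4
            if noise % 2 or abs(noise) > 2 * len(sk2) * LOGQ:             # Lemma 4 noise bound
                return False
    return True
```

The noise bookkeeping is what makes the parameters work: each public-key row contributes $-2 (x \bmod 2) \in \{0, -2\}$, so a fresh ciphertext carries at most $2N$ of even noise, a product carries at most $(2N + 1)^2$, and key switching adds at most $2 (n+1)^2 \lfloor \log q \rfloor$; all of these stay far below $q/2$ for the toy values, which is exactly what `check_all` relies on.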
4.2 Correctness of MPLWE (MPLWR) scheme
Lemma 7 (Correctness). Assume that $\alpha < 1/(16 \sqrt{\lambda t k})$ and $q \ge 16 t (k + 1)$. With probability $\ge 1 - d \cdot 2^{-\Omega(\lambda)}$ over the randomness of $(sk, pk) \leftarrow \mathrm{KeyGen}$, for all plaintexts $\mu$ and with probability 1 over the randomness of Encrypt, we have $\mathrm{Decrypt}(sk, \mathrm{Encrypt}(pk, \mu)) = \mu$.
Proof. See [9], Lemma 4.1.
Lemma 8 (homomorphic properties). Let $c_1, c_2$ be the ciphertexts of two different messages encrypted under $s$, with $A, r$ as described in the encryption scheme of MPLWE (MPLWR). Then we can decrypt the messages $m_1 + m_2$ and $m_1 \times m_2$ using the secret key $s$.
Proof.
$$ m_1 + m_2 = \langle c_1 + c_2, s \rangle_{\odot_d}^{q} = \langle c_1, s \rangle_{\odot_d}^{q} + \langle c_2, s \rangle_{\odot_d}^{q} = m_1 + m_2 $$
$$ \begin{aligned} m_1 \times m_2 &= \langle c_1 \otimes c_2, s \otimes s \rangle_{\odot_d}^{q} = \langle (\mathbf{m}_1 + A^T \odot_d r_1) \otimes (\mathbf{m}_2 + A^T \odot_d r_2), s \otimes s \rangle_{\odot_d}^{q} \\ &= \langle \mathbf{m}_1 \otimes \mathbf{m}_2, s \otimes s \rangle_{\odot_d}^{q} + \langle A^T \odot_d r_1 \otimes \mathbf{m}_2, s \otimes s \rangle_{\odot_d}^{q} + \langle \mathbf{m}_1 \otimes A^T \odot_d r_2, s \otimes s \rangle_{\odot_d}^{q} + \langle A^T \odot_d r_1 \otimes A^T \odot_d r_2, s \otimes s \rangle_{\odot_d}^{q} \\ &= m_1 \times m_2 \end{aligned} $$
Chapter 5 Optimization
5.1 Bootstrapping and Batching
A somewhat homomorphic encryption scheme is (roughly speaking) a scheme which has both the addition and the multiplication property at the same time. In [4], Gentry proved that there exists an efficient transformation that, given a description of a bootstrappable scheme $\varepsilon$ and a parameter $d = d(\lambda)$, outputs a description of another encryption scheme $\varepsilon^{(d)}$ such that $\varepsilon^{(d)}$ is compact (which means the size of the ciphertext is bounded) and $\varepsilon^{(d)}$ is homomorphic for all circuits of depth up to $d$.
Our scheme is obviously a somewhat homomorphic scheme, i.e. we can still make our scheme bootstrappable. The advantage of making our scheme bootstrappable is that [5] describes a way to batch the bootstrapping and obtain high efficiency on specific problems.
5.2 Public Key Compression for LWR
In [6], a way is introduced to compress the public key size with a pseudo-random
• KeyGen$(1^\lambda)$: Generate a random prime integer $p$ of size $\eta$ bits. Randomly generate the $a_i$'s and compute $b_i = 4 \lfloor \tfrac{1}{2} a_i s \rfloor - a_i s$. Initialize a pseudo-random number generator $f$ with a random seed $se$. Use $f(se)$ to generate a set of integers $\chi_i \in [0, 2^\gamma)$ for $1 \le i \le \tau$. For all $1 \le i \le \tau$ compute:
$$ \delta_i = \langle \chi_i \rangle_p + \xi_i \cdot p - r_i $$
where $r_i \leftarrow \mathbb{Z} \cap (-2^\rho, 2^\rho)$ and $\xi_i \leftarrow \mathbb{Z} \cap [0, 2^{\lambda + \eta} / p]$. For all $1 \le i \le \tau$ compute:
$$ b_i = \chi_i - \delta_i $$
Let $pk = (a_0, \ldots, a_\tau, se, \delta_0, \ldots, \delta_\tau)$ and $sk = p$.
We store all of the $a_i$ and only about one dimension of terms for the $b_i$'s, i.e. we store about $\tau \cdot \eta + \gamma + \eta$ bits of public key instead of $2 \tau \eta$ bits, which roughly halves the initial public key; but notice that we have to recompute the public key each time we need to use it.
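The seed-based compression above, as an added Python example (not code from the thesis or from [6]): the $\chi_i$ are regenerated from the seed by a SHAKE-128 output stream (our stand-in for $f$), only $(se, \delta_1, \ldots, \delta_\tau)$ is stored for that part of the key, and the receiver rebuilds $b_i = \chi_i - \delta_i$; the check confirms that each rebuilt $b_i$ reduces modulo $p$ to exactly the small noise $r_i$, since $b_i = p (\lfloor \chi_i / p \rfloor - \xi_i) + r_i$. The bit sizes, the trial-division prime search, and leaving the $a_i$ out of the picture are assumptions made here.

```python
import hashlib
import random

# Added example (not code from the thesis or from [6]): seed-based public key
# compression as in section 5.2.  Bit sizes below are toy values chosen here.
ETA, GAMMA, RHO, LAMBDA = 32, 96, 8, 16   # bits of p, of each chi_i, of r_i, and lambda for xi_i


def prng_ints(seed, count, bits):
    """f(se): expand the seed into `count` integers in [0, 2^bits) (SHAKE-128 stands in for f)."""
    size = bits // 8
    stream = hashlib.shake_128(seed).digest(count * size)
    return [int.from_bytes(stream[i * size:(i + 1) * size], "big") for i in range(count)]


def random_prime(bits, rng):
    """Random odd prime of exactly `bits` bits by trial division (fine for toy sizes only)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(p % f for f in range(3, int(p ** 0.5) + 1, 2)):
            return p


def keygen(tau, rng):
    """KeyGen(1^lambda): sk = p; compressed pk = (se, delta_1..delta_tau); the r_i are
    returned as well so that the expansion can be checked against them."""
    p = random_prime(ETA, rng)
    seed = rng.getrandbits(128).to_bytes(16, "big")
    deltas, noises = [], []
    for chi_i in prng_ints(seed, tau, GAMMA):                 # chi_i in [0, 2^gamma)
        r_i = rng.randrange(-(2 ** RHO) + 1, 2 ** RHO)         # r_i in Z ∩ (-2^rho, 2^rho)
        xi_i = rng.randrange(0, 2 ** (LAMBDA + ETA) // p + 1)  # xi_i in Z ∩ [0, 2^{lambda+eta}/p]
        deltas.append(chi_i % p + xi_i * p - r_i)              # delta_i = <chi_i>_p + xi_i p - r_i
        noises.append(r_i)
    return p, (seed, deltas), noises


def expand(seed, deltas):
    """Rebuild b_i = chi_i - delta_i from the compressed key; chi_i is regenerated, not stored."""
    return [chi_i - d_i for chi_i, d_i in zip(prng_ints(seed, len(deltas), GAMMA), deltas)]


def noise_mod_p(b_i, p):
    """Centred residue of b_i mod p.  Since b_i = p * (floor(chi_i / p) - xi_i) + r_i, this is r_i."""
    v = b_i % p
    return v - p if v > p // 2 else v


def demo(seed_int, tau=8):
    """True when expansion is reproducible and every rebuilt b_i carries exactly the noise r_i."""
    rng = random.Random(seed_int)
    p, (seed, deltas), noises = keygen(tau, rng)
    b = expand(seed, deltas)
    return b == expand(seed, deltas) and all(noise_mod_p(b_i, p) == r_i for b_i, r_i in zip(b, noises))
```

The saving comes from $\delta_i$ being about $\lambda + \eta$ bits while $\chi_i$ is $\gamma$ bits, so the $\gamma$-bit values never have to be transmitted; the cost, as the text notes, is that the receiver recomputes the $\chi_i$ from the seed every time the key is used.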
Chapter 6 Zero knowledge proof
In [3], a way to do zero-knowledge proofs via fully homomorphic encryption is introduced. It is still compatible with our scheme. The generic protocol, between a prover $P$ and a verifier $V$, is as follows.
P1. Choose an encryption $c' = b' + r'$ of zero and send $c'$ to the verifier.
V1. Select $e \leftarrow \{0, 1\}$ and send $e$ to the prover.
P2. If $e = 0$, set $d = b'$; if $e = 1$, set $d = b + b'$. Transmit $d$.
V2. Verify that $d$ is a lattice point, and check that the noise $e c + c' - d$ is well-formed and sufficiently small.
This is also an advantage of choosing lattice-based encryption: it is easy to make our scheme compatible with other lattice-based protocols.
Chapter 7 Application
There are many situations in which we are likely to use fully homomorphic encryption.
For example, machine learning may need a huge amount of computing. However, it may be hard for a start-up company to buy high-performance computers. The solution to this situation is to rent computing power via cloud computing. However, how do we keep the data secure? We can preserve security via fully homomorphic encryption: since we have the addition and multiplication properties, we can do all kinds of computing in the encrypted state.
Although we may spend more computing resources to keep the data secure, it still pays off if the total time spent is less than with a personal computer. Hence fully homomorphic encryption may be a good choice to keep data safe and save time.
Fully homomorphic encryption may also be a good choice for multi-party computation. Since we have the addition and multiplication properties, we can easily construct a scheme.
If you want to do secure multi-party computation, you can express the computation as a boolean circuit $C$, and you can easily transform any circuit so that it uses only AND … ing relationship: when working with $\{0, 1\}$, AND can be done by multiplication ($x \text{ AND } y = xy$), and NOT can be done with addition ($\mathrm{NOT}(x) = 1 - x$). Since fully homomorphic encryption lets you do addition, subtraction and multiplication on encrypted values, it also lets you do NOT and AND on encrypted values, which is all you need for secure multi-party computation.
Chapter 8 Summary
We introduce a way to do FHE on LWR, MPLWE and MPLWR, which have higher security than the basic LWE scheme. It seems that the variants of LWE have similar properties. We also introduce public key compression, which is useful when transfer costs are high in certain cases.
The table below shows the differences between these protocols. The estimated time shown in the table is calculated from the number of multiplications. We consider computing AES-128 on 1 GB of messages at 3.60 GHz. Each AES-128 computation contains 7568 multiplications over the finite field. The finite field multiplication algorithm we use is Montgomery modular multiplication with 32-bit pieces. The estimated performance time is about 484 times the AES-128 computing time (about 14.48 s for 1 GB of AES-128).

                 LWE                 LWR                 MPLWE                    MPLWR
Public key       ⌊(2n+3) log q⌋      ⌊(2n+3) log q⌋      (n+d+k−1) t              (n+d+k−1) t
Secret key       (n+1) log q         (n+1) log q         (n+d+k−1) log q          (n+d+k−1) log q
Ciphertext       (n+1) log q         (n+1) log q         (n+k) log q + d log q    (n+k) log q + d + k
Estimated time   1.953 (h)           1.954 (h)           2.198 (h)                2.210 (h)
Hardness         LWE ≤ LWR, LWE ≤ MPLWE ≤ MPLWR
Chapter 9 Future Work
In 2018, the simplest fully homomorphic encryption scheme, DGHV, was said to be broken by a quantum computer in quantum polynomial time. For our scheme, we still do not have a security proof against quantum computers. We hope that we can prove the quantum security of our scheme. Also, it seems that we have to transmit more information during computation; if there is some transmission error, the message will be broken. We hope that we can solve this problem, for example by changing the scheme to code-based encryption.
References
[1] A. Banerjee, C. Peikert, and A. Rosen. Pseudorandom functions and lattices. 26, 2011.
[2] A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. 70, 2013.
[3] C. Carr, A. Costache, G. T. Davies, K. Gjøsteen, and M. Strand. Zero-knowledge proof of decryption for FHE ciphertexts. 16:16, 2018.
[4] C. Gentry. Fully homomorphic encryption using ideal lattices. 28:169–178, 2009.
[5] J.-S. Coron, T. Lepoint, and M. Tibouchi. Batch fully homomorphic encryption over the integers. 27, 2013.
[6] J.-S. Coron, D. Naccache, and M. Tibouchi. Public key compression and modulus switching for fully homomorphic encryption over the integers. 27, 2011.
[7] J. Alwen, S. Krenn, K. Pietrzak, and D. Wichs. Learning with rounding, revisited. Annual Cryptology Conference, 18:57–74, 2013.
[9] M. Roşca, A. Sakzad, D. Stehlé, and R. Steinfeld. Middle-product learning with errors. 17, 2017.
[10] S. Bai, K. Boudgoust, D. Das, A. Roux-Langlois, W. Wen, and Z. Zhang. Middle-product learning with rounding problem and its applications. 32, 2019.
[11] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully homomorphic encryption without bootstrapping. 26, 2011.