Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 6520258, 11 pages
https://doi.org/10.1155/2018/6520258
Research Article

Bootstrapping of FHE over the Integers with Large Message Space

1State Key Laboratory of Integrated Service Networks, Xidian University, Xian 710071, China
2Jiangsu Key Laboratory of Education Big Data Science and Engineering, Jiangsu Normal University, Xuzhou 221116, China

Correspondence should be addressed to Zhizhu Lian; moc.qq@970933495

Received 4 April 2018; Accepted 27 May 2018; Published 29 July 2018

Academic Editor: Rongxing Lu

Copyright © 2018 Zhizhu Lian et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

For the decryption of the fully homomorphic encryption (FHE) over the integers with the message space , Nuida and Kurosawa proposed a -multiplicative-degree circuit to compute it at Eurocrypt 2015, where is the security parameter and the message size is a constant. Since the degree of the decryption circuit is polynomial in , the range of the message size is limited. In this work, we solve this open problem as long as is large enough (larger than ). We represent the decryption circuit as a arithmetic polynomial of multiplicative degree , which is independent of the message size except a constraint . Moreover, the bootstrapping process requires only number of multiplications to implement the decryption circuit, which is significantly lower than of Nuida and Kurosawa’s work. We also show the efficiency of the FHE scheme with message space compared to the FHE scheme with binary message space. As a result, we have that the former is preferable.

1. Introduction

In 1978, Rivest, Adleman, and Dertouzos introduced the notion of fully homomorphic encryption (FHE) which can compute any circuit on encrypted data without decryption [1]. It solves the ciphertext data calculation and the privacy protection of private cloud user in cloud computing environment. Until 2009, Gentry proposed firstly a fully homomorphic encryption scheme based on ideal lattices [2].

Gentry’s Blueprint. First, Gentry constructed a somewhat homomorphic encryption (SHE) scheme, whose ciphertexts contain some noises for the security of the scheme. Noises, however, also limit the number of the homomorphic operations, e.g., ciphertexts multiplications. The second step is squashing the decryption circuit associated with an arbitrary ciphertext to obtain a low enough degree polynomial in the ciphertext bits and the secret key bits, which can be homomorphically evaluated by SHE scheme (called bootstrappable scheme). The last step is Gentry’s breakthrough, called bootstrapping, which refreshed ciphertexts by homomorphically evaluating this low multiplicative degree decryption circuit on the encryption of those bits, thus resulting in a new encryption of the same plaintext, but with possibly reduced noise. The refreshed ciphertexts can then support subsequent homomorphic operations. By repeatedly refreshing ciphertexts, the number of permissible homomorphic operations becomes unlimited. So a pure FHE scheme is transformed from the bootstrappable SHE scheme.

1.1. FHE over the Integers

At Eurocrypt 2010, van Dijk et al. [3] proposed the first FHE scheme over the integers (called DGHV scheme) following Gentry’s blueprint. The security of DGHV relies on the hardness of the Approximate Greatest Common Divisor problem (AGCD) and the Sparse Subset Sum problem (SSSP). Several works have dramatically improved the efficiency and the hardness assumption needed to implement it, including [412]. Some of the schemes above are leveled FHE scheme, but they essentially follow Gentry’s blueprint.

In DGHV scheme, for the ciphertext encryption of message under secret key (where is a prime number), the decryption can be turned into the following circuit: where the length vector is the secret key with Hamming weight , and each is a real number with bits of precision after the binary point, satisfying . This decryption circuit is implemented with a binary circuit of degree on the secret key bits .

Message Space. Practically, the computation over bitwise encryptions is not efficient. It is important to construct the FHE over lager integers for secure integer arithmetic (see [6, 13]). Fortunately, it is quite straightforward to extend the message space from to for SHE scheme [6, 14]. But they cannot convert this extended SHE scheme to an FHE scheme via the bootstrapping procedure. Because computing -ary addition seems to need more complex carry computations than binary addition, it seemed technically difficult to obtain a mod- arithmetic circuit that performs the decryption circuit

At Eurocrypt 2015, Nuida and Kurosawa [8] proposed a -ary half adder, yielding the carry in the procedure for any . They determined a carry function where . It has the multiplicative degree . The squashed decryption in [8] works as where is a constant prime, the secret key is length vector with Hamming weight , and is a real number with bits of precision after the -ary point, satisfying . The decryption circuit is computed by a mod- arithmetic circuit of multiplicative degree , where is a constant.

In 2017, Cheon et al. [15] presented a faster bootstrapping of FHE over the integers than the previous work in [8]. The degree of the decryption is , and the number of homomorphic multiplications is , where is some small constant (being affected by the modulus ).

However, the modulus still needs to be a constant.

For , Cheon and Kim [16] expressed the decryption circuit as an -restricted depth-3 circuit by the technique in [17]. The -degree is at most and the number of product gates is at most . As we know, is in [3] and is reduced to in [4]. The decryption is too complexity to bootstrap. So, in the FHE scheme, the ciphertext associated with the large prime message space needs a low-degree decryption circuit.

Efficiency. To evaluate homomorphically a mod- arithmetic circuit, one can use the FHE scheme with message space directly, or one can firstly convert the arithmetic circuit to a Boolean one and carry out all the computation using an FHE scheme with binary message space. At ACNS 2016, Kim and Tibouchi [18] compared the two approaches for the Nuida-Kurosawa scheme, denoted by , and showed that the scheme with nonbinary message space is less efficient than its variant with binary message space. Fortunately, the bootstrapping method proposed by Cheon et al. [15] is worthwhile for of constant size by comparing both above approaches for CLT scheme. However, the modulus still needs to be a constant.

Therefore, it is open for large value of to express the decryption circuit of FHE schemes with the form (5) as a low-degree polynomial.

1.2. Contributions

In this paper, we solve this open problem as long as is large enough (larger than ).

The usual technique for squashing the decryption circuit amounts to homomorphically evaluating a large integer sum of the form , where the are secret bits and the are public constants computed from the original ciphertexts and public parameters. In [8], Nuida and Kurosawa represented the ’s as their Q-ary expansion and applied the mod- circuit for iterated addition. And they have also proved that the degree of the polynomial computing the carry of -ary half adder is the lowest degree. In order to obtain a low enough degree (be independent of ) of decryption circuit, we cannot deal with the carry bit any more. Instead, in this paper we use the binary representation of the real number . This means that we have to use mod- arithmetic circuit gates to emulate bit operations. Specifically for bits and , the XOR operation is computed by , and the AND operation is computed by . So we can use the mod- arithmetic circuit to implement the decryption circuit. Usually, emulating binary operations are not that efficient since emulating binary addition needs multiplication. The challenge is how to compute it efficiently.

Note that if using only a three-for-two trick, as mentioned in Section 2.2, the decryption can be implemented with a multiplicative degree of mod- arithmetic circuit, which is better than the result of [16]. Our main contribution is reducing the multiplicative degree to for any large prime with a constraint .

Now let us recall the circuit procedure computing in DGHV scheme [3].(1)The first circuit computes the Hamming weight of the vector , i.e., for , and denotes the binary representation of as . Hence, . Specifically, for , , the -th bit of can be obtained by using the elementary symmetric polynomial .(2)The second circuit computes and , satisfying by applying the three-for-two trick over repeatedly.(3)The third circuit computes by a polynomial of degree 4.

In this work, we use mod- arithmetic circuit to simulate those bit operations in the above binary circuit. It is easy to simulate the second circuit by applying the three-for-two trick over . It will cost some additional multiplicative degree, since we need an arithmetic polynomial of degree 2 to compute the XOR operation. The third circuit is also easy to be simulated with a polynomial of degree 4.

However, to emulate the elementary symmetric polynomial in step , it will take a polynomial of a high degree (greater than , where is in [3] and is reduced to in [4]). This cost is unacceptable. So we need to find a new arithmetic function to compute , the bits in the binary representation of .

Our main idea is as follows.

If we know the value of an integer , it is easy to obtain each bit in the binary representation of , but if we only get the range of value of , namely, for some integer , it can be a little tricky to get each bit of . We observe that we can overcome it by applying Lagrange interpolating polynomial, as shown in Section 2.3. Since the Hamming weight of the secret key vector is , the Hamming weight of the vector is not bigger than , namely, . So we can get just by using the mod- addition gate to directly add up at the cost of an additional condition that . Then, for , we can obtain all bits by applying Lagrange interpolating polynomial on .

Conclusion: now we can express the decryption as mod- arithmetic polynomial with a constraint . The simulation circuit computing step is degree of the Lagrange interpolating polynomial. The simulation circuit computing step has the multiplicative degree at most . Hence, the multiplicative degree of our decryption circuit is where we set , . Moreover, the number of the multiplications required in our decryption is only , comparable with in [8].

Efficiency. The arithmetic decryption circuit in scheme is not competitive as pointed out by [18], due to the fact that the squashed decryption circuit for has a depth polynomial in . Fortunately, the degree of our squashed decryption circuit is independent of with a constraint .

We use the leveled FHE scheme over the integer proposed by Coron, Lepoint, and Tibouchi, denoted by , and extend its message space to , denoted by . To state the efficiency of with our bootstrapping procedure, we compare it with the scheme - converting the mod- arithmetic circuit to binary and evaluating all the operation using the scheme with binary message space. Here we compare in terms of the ciphertext size and the time complexity of basic operation implemented during homomorphic evaluation.

Then ciphertext size of is a little shorter than that of -, specifically And for some , we have when . The ciphertexts for and - are of the same size.

Moreover, we denote by the time complexity of a single ciphertext refresh operation in and by the time complexity of carrying out a multiplication mod- in - (by homomorphically evaluating the Boolean circuit for modular multiplication, with a refresh operation after each gate). Then we show that For instance, is faster than by a factor of more than 930, when .

Then, we say that a pure FHE scheme with large message space with our bootstrapping procedure is preferable.

1.3. The Organization

We summarize some notations and tricks in Section 2. In Section 3, we express the decryption circuit as a mod- arithmetic circuit of a low enough multiplicative degree. In Section 4, we present an FHE scheme over the integers with bootstrapping for the large prime message space and show its efficiency compared to the FHE scheme with binary message space. Finally, conclusion is given in Section 5.

2. Preliminaries

2.1. Notations

For a real number , we denote by , , the rounding of a up, down, or the nearest integer. For integers , , we denote the integer sets and by , and , respectively. For a real number , we use to denote the -ary representation of with bits of precision after the -ary point. When , it denotes the binary representation of . Given , we let denote the unique number in that is congruent to . All logarithms in the text are base-2 unless stated otherwise.

For a positive integer , and , define with , and ; then we have

2.2. Three-for-Two Trick over

Three-for-two trick is used to transform three numbers of arbitrary bit length into two numbers that are at most 1 bit longer, such that the sum of the two output numbers is the same as the sum of the three input numbers. And three-for-two trick over has been mentioned in [17]. For , let , , and ; thenwhere while for , the bit operation , and .

2.3. Lagrange Interpolating Polynomial

The Lagrange interpolating polynomial is the polynomial of degree that passes through the points , and given by , where Our goal of introducing the Lagrange interpolation polynomial is to obtain the mod- arithmetic polynomial expression of computing any bit in the binary representation of the integer . For every integer , let , where . For each index , we construct a set consisting of integer and its -th bit , where , namely, denote the set as for each . So for each index , the points set is If the variable equates to an integer , for the index , the output of the Lagrange interpolating polynomial is , which equates to the -th bit in the binary representation of . The multiplicative degree of the mod- arithmetic circuit is .

3. Bootstrapping the Decryption

This section deals mainly with how to implement the decryption with a mod- arithmetic circuit of a low degree.

3.1. Squashing the Decryption with SSSP Assumption

The decryption circuit is Let be a vector of rational number in with bits of precision after the binary point, and let be the secret key vector of bits with Hamming weight such that , where . We firstly compute , keeping only bits of precision after the binary point for . So for some with . We have

We set the bit length of ciphertext is ; thus, . And we observe that . Since is a valid ciphertext, satisfying that the value of is within of an integer as the definition in [3]; thus, is within of an integer. Therefore, we have For , let , where is the integer part of and is the fractional part. Then we have where is within of an integer. (Note that most of the context above in this subsection has been described by van Dijk et al. in [3], which is the procedure of squashing the decryption circuit for the case of .)

3.2. Bootstrapping

For the integer part, we need to compute . We can firstly reduce with the modulo and sum up for all , namely, It only takes multiplication-by-constant gates and mod- addition gates.

For the factional part, in order to compute , here we firstly construct a mod- circuit that outputs each bit in the binary representation of the sum in the following step .(1)Generate integer numbers such that , namely, is the Hamming weight of the vector . Since the Hamming weight of the vector is , then is not bigger than , i.e., . Firstly, compute the sums by directly using mod- addition gates, this works since . Let . Then convert the small integer into their bit representation by applying the Lagrange interpolating polynomial introduced in Section 2.3; namely, for , , we have , where the multiplicative degree is .(2)Now , which is the sum of   -bit length of numbers. We can compute it by applying the three-for-two trick over mentioned in Section 2.2 repeatedly, resulting in two numbers and satisfying . Since we need to apply this trick times, the bit length of and becomes .(3)Let , , thenTo evaluate , let Let be all the carry bits generated in the addition procedure, where . Thus, we have Since is within of some integer mentioned in Section 3.1, we have , ; thusUsing mod- gates to compute those bit operations,which is a polynomial of degree 4. For integer part, to implement , we can compute and with the stored numbers for . Since for an integer ,The modified decryption works as

We conclude that the degree of the polynomial in the first step is , the degree of the polynomial in the second step is at most , and the degree of the polynomial in the third step is 4. Therefore, the total degree of the decryption circuit over is bounded by . Since we set for security, the degree is at most . So the multiplicative degree of the decryption circuit is for any prime with the constraint .

Remark 1. In [4], the authors set ( when ). It means that we can express the decryption circuit of FHE scheme over the integers as a low-degree polynomial over for any . The multiplicative degree of decryption circuit in [8] is for the case that is a constant prime, and in [16] for the case . If is bigger than 15, our degree of decryption circuit is smaller than that of [8]. See Table 1.

Table 1: Multiplicative degree of decryption circuit.

Moreover, we reduce the number of multiplications in the decryption circuit which is better than almost previous works as shown in Table 2. Here we have to emphasize that we do not count the number of multiplication-by-constant gates in the decryption circuit to the number of multiplications.

Table 2: The number of multiplications in the decryption circuit.

Proposition 2. The number of multiplications in our squashed decryption circuit is at most .

Proof. For the integer part, we use multiplication-by-constant gates and mod- addition gates.
For the factional part, in step , we apply the Lagrange interpolating polynomial in variate, which is a polynomial of degree . For a variate , first we compute which requires multiplications. So a Lagrange interpolating polynomial consists of multiplications, multiplication-by-constant gates, and additions gates. Then we need the multiplications in step .
The 3-for-2 trick over for the bits needs 4 multiplications gates. Step needs to sum up the   -bit length of numbers, and for the first time applying this trick, it takes multiplications gates, the second time needs to sum up about   -bit of numbers, and it takes multiplications gates, and so on. Then it takes about multiplication gates in step .
In step ), we need 9 multiplications to compute .
So the number of multiplications in our squashed circuit is

3.3. Removing the Constraint

The constraint is required because we want to compute the bits of the Hamming weight by directly summing up without regard to the carry bits generated from the addition. We observe that the optimization of the binary decryption circuit proposed in [4] does not counter the Hamming weight, so we can remove the constraint. With the three-for-two trick over , we can transform the binary decryption circuit to mod- arithmetic circuit, resulting in more complexity of the decryption circuit.

More precisely, we can divide the secret key into boxes of bits each, such that each box has single 1-bit in it. Then Let be obtained by adding numbers, with only one being nonzero. So It only requires the mod- addition gates. Then applying three-for-two trick over to add up the numbers and using the rounding computations in step (3) in last subsection, the decryption circuit is implemented by a polynomial of multiplicative degree , i.e., .

The goal we describe in this subsection is to emphasize that our work in the last subsection reduces the multiplicative degree of decryption circuit from to .

4. FHE Scheme with Our Bootstrapping Procedure

To show the usefulness of our squashed decryption circuit, we present a variant of FHE scheme over the integers with our bootstrapping procedure and then compare it with the original scheme in binary setting. By Gentry’s bootstrapping theory, we can get the “pure” FHE scheme transformed from the somewhat FHE scheme or the leveled FHE scheme. Here we only describe the latter scheme, since in the former situation the FHE scheme in mod- setting is not perforable to the binary setting.

Here we describe an FHE scheme over the integers with bootstrapping for large prime message space just like Cheon, Han, and Kim did in [15], which is a variant of the FHE scheme presented by Coron, Lepoint, and Tibouchi in [7].

Let be a bound on the bit length of the noise, the bit length of the original secret key, and the bit length of the ciphertext. The parameter refers to the number of encryptions of zero contained in the public key for encryption, the size of the secret vector, the Hamming weight of the vector, and the bit length of the rational numbers in the public key.

These parameters must satisfy the following constraints.(i), to protect against the brute force attacks on the noise.(ii), where is the depth of multiplication of the circuits to be evaluated.(iii), to avoid lattice-based attacks [3, 4].(iv), in order to use the leftover hash lemma in the security proof.(v), to avoid known attacks on the sparse subset sum problem [4, 5].(vi) to avoid an attack on the sparse subset sum problem [19].(vii) is required in Section 3.1.

4.1. FHE Scheme with Message Space

In this subsection, we describe an FHE scheme over the integers for message space for a prime modulus , where can be any prime bigger than the security parameter , denoted by .

For an -bit odd integer , and an integer in , we define the set

. Generate a -bit prime and a -bit integer with and .

Generate the public key for encryption. For , sample , and .

Generate the public key for multiplication. Let be a vector of numbers with bit of precision following the binary point, denoted by . Choose uniformly a -bit vector at random such that with . Then, define where the components of are randomly chosen from and those of from .

(3) Generate the public key for bootstrapping. Choose uniformly a -bit vector at random, with Hamming weight .

Choose a random integer such that and set .

For , choose in such a way that . Set , and denote it by the vector . Then for some .

For , generate the vector : where and for .

Output the secret key , and the public key .

. Given a message , uniformly sample a subset , and output

. Given a ciphertext , output .

. Given two ciphertexts , output .

. Given a ciphertext , output , where .

. Given two ciphertexts , output .

. Given a ciphertext and a constant , output .

. Given a ciphertext for a message , for , compute , keeping only bits of precision after binary point. Denote the binary representation of as . And given the decryption , which is

output a refreshed ciphertext . The algorithm homomorphically evaluates the decryption circuit on the encryptions of the secret key bits , referring to the bootstrapping process in Section 3 for more details.

4.2. Correctness

In this subjection, we prove the correctness of the homomorphic procedure.

For the scheme , the ciphertext has the form that with two kinds of noise and . In [7], it is called a ciphertext with noise if and . The authors of [15] proposed a noise growth analysis during the homomorphic addition and multiplication as shown in Lemma 3.

Lemma 3 (Lemma 3 in [15]). Let and be ciphertext with and , respectively. Let and .(i) is a ciphertext with noise (ii) is a ciphertext with noise .

Suppose during the homomorphic evaluation. By Lemma 3, for the CLT scheme, the noise length in bits has only grown by an additive factor . The noise growth during homomorphic evaluation is linear; then we have the following.

Lemma 4 (recryption noise). Let be a ciphertext for a message ; is a ciphertext with noise where the depth of decryption is , less than .

Proof. The decryption circuit has been described in Section 3. We get the refreshed ciphertext , where the noise of encryption of the secret key bit is . We describe the noise increasing with homomorphic evaluations in the bootstrapping procedure. Here we only consider the evaluations for the fraction part in bootstrapping to approximately compute the noise.
In step of Section 3.2, we get the encryption of the Hamming weight of the vector with noise . The degree of the Lagrange interpolating polynomial is , which can be implemented by a circuit of depth . So we obtain the ciphertexts encrypted the bit of the Hamming weight with the noise .
In step , it needs to apply three-for-two trick times. After implementing three-for-two trick one time, we get the ciphertexts with noise . Then we get the ciphertexts with noise after implementing step (2).
The circuit which computes step has multiplicative degree 4; we get the ciphertexts with noise

Set the depth , namely, , and ; the scheme is correct and bootstrappable.

According to the conditions for the parameters, one can take , , , , , and .

Note that is chosen so that the sparse subset sum problem is hard. We consider that is unaffected by change of . We set , then for any satisfying all the above conditions.

The following theorem holds by the bootstrapping theorem proposed by Gentry in [2].

Theorem 5. Our scheme with the above parameters setting is a pure fully homomorphic encryption.

4.3. Security

The FHE scheme over the integers is IND-CPA secure under the AGCD assumption. Our scheme just extends its message space from to and combines a squashing procedure before the bootstrapping. Thus, it is easy to see that the following theorem holds.

Theorem 6. Under the assumption that both of AGCD and SSSP are hard, our scheme is IND-CPA secure.

4.4. Efficiency

As mentioned in [18], to evaluate a mod- arithmetic circuit with FHE scheme over the integers, one could either use the FHE scheme with large message space directly or first convert the arithmetic circuit to a Boolean one and then evaluate that converted circuit using an FHE scheme with binary message space.

We denote and as the Boolean circuits to perform addition and multiplication on two -bit integers modulus as in [18], and we have the following numbers of AND gates for and .

Proposition 7 (see [18]). For an -bit prime , uses AND gates, and uses AND gates.

We denote - the FHE scheme obtained from with binary message space using the converting circuit with the and . Note that, for the scheme , the decryption is implemented by a circuit of degree of as presented in [4], in which the number of multiplication equals . Just like [18], we compare - and in terms of the size of the ciphertexts and the time complexity of basic operations carried out during homomorphic evaluation.

4.4.1. Comparing the Size of the Ciphertexts

The ciphertext size of equals and grows in the when grows. Proposition 8 tells us that the ciphertext size of is almost the same as that of - when .

Proposition 8. For a given security parameter , and any prime , let . Then we have

Proof. We have , where the implied constant does not depend on . Since for odd prime , and for ; thus,

In Figure 1, we show that the value of as a function of for the case . It tells us that the ciphertext size of is a little shorter than -. When , namely, , we have