Security and Communication Networks

Volume 2018, Article ID 6520258, 11 pages

https://doi.org/10.1155/2018/6520258

## Bootstrapping of FHE over the Integers with Large Message Space

^{1}State Key Laboratory of Integrated Service Networks, Xidian University, Xian 710071, China

^{2}Jiangsu Key Laboratory of Education Big Data Science and Engineering, Jiangsu Normal University, Xuzhou 221116, China

Correspondence should be addressed to Zhizhu Lian; moc.qq@970933495

Received 4 April 2018; Accepted 27 May 2018; Published 29 July 2018

Academic Editor: Rongxing Lu

Copyright © 2018 Zhizhu Lian et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

For the decryption of the fully homomorphic encryption (FHE) over the integers with the message space , Nuida and Kurosawa proposed a -multiplicative-degree circuit to compute it at Eurocrypt 2015, where is the security parameter and the message size is a constant. Since the degree of the decryption circuit is polynomial in , the range of the message size is limited. In this work, we solve this open problem as long as is large enough (larger than ). We represent the decryption circuit as a arithmetic polynomial of multiplicative degree , which is independent of the message size except a constraint . Moreover, the bootstrapping process requires only number of multiplications to implement the decryption circuit, which is significantly lower than of Nuida and Kurosawa’s work. We also show the efficiency of the FHE scheme with message space compared to the FHE scheme with binary message space. As a result, we have that the former is preferable.

#### 1. Introduction

In 1978, Rivest, Adleman, and Dertouzos introduced the notion of fully homomorphic encryption (FHE), which can compute any circuit on encrypted data without decryption [1]. It addresses both computation on ciphertext data and the privacy protection of users in cloud computing environments. It was not until 2009 that Gentry proposed the first fully homomorphic encryption scheme, based on ideal lattices [2].

*Gentry’s Blueprint.* First, Gentry constructed a somewhat homomorphic encryption (SHE) scheme, whose ciphertexts contain some noise for the security of the scheme. The noise, however, also limits the number of homomorphic operations, e.g., ciphertext multiplications. The second step is squashing the decryption circuit associated with an arbitrary ciphertext to obtain a low enough degree polynomial in the ciphertext bits and the secret key bits, which can be homomorphically evaluated by the SHE scheme (such a scheme is called bootstrappable). The last step is Gentry’s breakthrough, called bootstrapping, which refreshes ciphertexts by homomorphically evaluating this low multiplicative degree decryption circuit on the encryption of those bits, thus resulting in a new encryption of the same plaintext, but with possibly reduced noise. The refreshed ciphertexts can then support subsequent homomorphic operations. By repeatedly refreshing ciphertexts, the number of permissible homomorphic operations becomes unlimited. In this way, a pure FHE scheme is obtained from the bootstrappable SHE scheme.

##### 1.1. FHE over the Integers

At Eurocrypt 2010, van Dijk et al. [3] proposed the first FHE scheme over the integers (called the DGHV scheme) following Gentry’s blueprint. The security of DGHV relies on the hardness of the Approximate Greatest Common Divisor problem (AGCD) and the Sparse Subset Sum problem (SSSP). Several works have dramatically improved the efficiency and the hardness assumption needed to implement it, including [4–12]. Some of the schemes above are leveled FHE schemes, but they essentially follow Gentry’s blueprint.

In DGHV scheme, for the ciphertext encryption of message under secret key (where is a prime number), the decryption can be turned into the following circuit: where the length vector is the secret key with Hamming weight , and each is a real number with bits of precision after the binary point, satisfying . This decryption circuit is implemented with a binary circuit of degree on the secret key bits .

*Message Space*. Practically, the computation over bitwise encryptions is not efficient. It is important to construct FHE over larger integers for secure integer arithmetic (see [6, 13]). Fortunately, it is quite straightforward to extend the message space from to for SHE scheme [6, 14]. But they cannot convert this extended SHE scheme to an FHE scheme via the bootstrapping procedure: because computing -ary addition seems to need more complex carry computations than binary addition, it seemed technically difficult to obtain a mod- arithmetic circuit that performs the decryption circuit

At Eurocrypt 2015, Nuida and Kurosawa [8] proposed a -ary half adder, yielding the carry in the procedure for any . They determined a carry function where . It has the multiplicative degree . The squashed decryption in [8] works as where is a constant prime, the secret key is length vector with Hamming weight , and is a real number with bits of precision after the -ary point, satisfying . The decryption circuit is computed by a mod- arithmetic circuit of multiplicative degree , where is a constant.

In 2017, Cheon et al. [15] presented a faster bootstrapping of FHE over the integers than the previous work in [8]. The degree of the decryption is , and the number of homomorphic multiplications is , where is some small constant (being affected by the modulus ).

However, the modulus still needs to be a constant.

For , Cheon and Kim [16] expressed the decryption circuit as an -restricted depth-3 circuit by the technique in [17]. The -degree is at most and the number of product gates is at most . As we know, is in [3] and is reduced to in [4]. The decryption is too complex to bootstrap. So, in the FHE scheme, the ciphertext associated with the large prime message space needs a low-degree decryption circuit.

*Efficiency.* To evaluate homomorphically a mod- arithmetic circuit, one can use the FHE scheme with message space directly, or one can firstly convert the arithmetic circuit to a Boolean one and carry out all the computation using an FHE scheme with binary message space. At ACNS 2016, Kim and Tibouchi [18] compared the two approaches for the Nuida-Kurosawa scheme, denoted by , and showed that the scheme with nonbinary message space is less efficient than its variant with binary message space. Fortunately, the bootstrapping method proposed by Cheon et al. [15] is worthwhile for of constant size by comparing both above approaches for CLT scheme. However, the modulus still needs to be a constant.

Therefore, it is open for large value of to express the decryption circuit of FHE schemes with the form (5) as a low-degree polynomial.

##### 1.2. Contributions

In this paper, we solve this open problem as long as is large enough (larger than ).

The usual technique for squashing the decryption circuit amounts to homomorphically evaluating a large integer sum of the form , where the are secret bits and the are public constants computed from the original ciphertexts and public parameters. In [8], Nuida and Kurosawa represented the ’s as their Q-ary expansion and applied the mod- circuit for iterated addition. They have also proved that the degree of the polynomial computing the carry of -ary half adder is the lowest degree. In order to obtain a low enough degree (be independent of ) of decryption circuit, we cannot deal with the carry bit any more. Instead, in this paper we use the binary representation of the real number . This means that we have to use mod- arithmetic circuit gates to emulate bit operations. Specifically for bits and , the XOR operation is computed by , and the AND operation is computed by . So we can use the mod- arithmetic circuit to implement the decryption circuit. Usually, emulating binary operations is not that efficient since emulating binary addition needs multiplication. The challenge is how to compute it efficiently.

Note that if using only a three-for-two trick, as mentioned in Section 2.2, the decryption can be implemented with a multiplicative degree of mod- arithmetic circuit, which is better than the result of [16]. Our main contribution is reducing the multiplicative degree to for any large prime with a constraint .

Now let us recall the circuit procedure computing in DGHV scheme [3].

(1) The first circuit computes the Hamming weight of the vector , i.e., for , and denotes the binary representation of as . Hence, . Specifically, for , , the -th bit of can be obtained by using the elementary symmetric polynomial .

(2) The second circuit computes and , satisfying by applying the three-for-two trick over repeatedly.

(3) The third circuit computes by a polynomial of degree 4.

In this work, we use mod- arithmetic circuit to simulate those bit operations in the above binary circuit. It is easy to simulate the second circuit by applying the three-for-two trick over . It will cost some additional multiplicative degree, since we need an arithmetic polynomial of degree 2 to compute the XOR operation. The third circuit is also easy to simulate with a polynomial of degree 4.

However, to emulate the elementary symmetric polynomial in step , it will take a polynomial of a high degree (greater than , where is in [3] and is reduced to in [4]). This cost is unacceptable. So we need to find a new arithmetic function to compute , the bits in the binary representation of .

Our main idea is as follows.

If we know the value of an integer , it is easy to obtain each bit in the binary representation of , but if we only get the range of value of , namely, for some integer , it can be a little tricky to get each bit of . We observe that we can overcome it by applying Lagrange interpolating polynomial, as shown in Section 2.3. Since the Hamming weight of the secret key vector is , the Hamming weight of the vector is not bigger than , namely, . So we can get just by using the mod- addition gate to directly add up at the cost of an additional condition that . Then, for , we can obtain all bits by applying the *Lagrange interpolating polynomial* on .

**Conclusion**: now we can express the decryption as mod- arithmetic polynomial with a constraint . The simulation circuit computing step is degree of the Lagrange interpolating polynomial. The simulation circuit computing step has the multiplicative degree at most . Hence, the multiplicative degree of our decryption circuit is where we set , . Moreover, the number of the multiplications required in our decryption is only , comparable with in [8].

*Efficiency*. The arithmetic decryption circuit in scheme is not competitive as pointed out by [18], due to the fact that the squashed decryption circuit for has a depth polynomial in . Fortunately, the degree of our squashed decryption circuit is independent of with a constraint .

We use the leveled FHE scheme over the integer proposed by Coron, Lepoint, and Tibouchi, denoted by , and extend its message space to , denoted by . To state the efficiency of with our bootstrapping procedure, we compare it with the scheme **-** converting the mod- arithmetic circuit to binary and evaluating all the operation using the scheme with binary message space. Here we compare in terms of the ciphertext size and the time complexity of basic operation implemented during homomorphic evaluation.

Then ciphertext size of is a little shorter than that of **-**, specifically And for some , we have when . The ciphertexts for and **-** are of the same size.

Moreover, we denote by the time complexity of a single ciphertext refresh operation in and by the time complexity of carrying out a multiplication mod- in **-** (by homomorphically evaluating the Boolean circuit for modular multiplication, with a refresh operation after each gate). Then we show that For instance, is faster than by a factor of more than 930, when .

Then, we say that a pure FHE scheme with large message space with our bootstrapping procedure is preferable.

##### 1.3. The Organization

We summarize some notations and tricks in Section 2. In Section 3, we express the decryption circuit as a mod- arithmetic circuit of a low enough multiplicative degree. In Section 4, we present an FHE scheme over the integers with bootstrapping for the large prime message space and show its efficiency compared to the FHE scheme with binary message space. Finally, a conclusion is given in Section 5.

#### 2. Preliminaries

##### 2.1. Notations

For a real number , we denote by , , the rounding of a up, down, or the nearest integer. For integers , , we denote the integer sets and by , and , respectively. For a real number , we use to denote the -ary representation of with bits of precision after the -ary point. When , it denotes the binary representation of . Given , we let denote the unique number in that is congruent to . All logarithms in the text are base-2 unless stated otherwise.

For a positive integer , and , define with , and ; then we have

##### 2.2. Three-for-Two Trick over

The three-for-two trick is used to transform three numbers of arbitrary bit length into two numbers that are at most 1 bit longer, such that the sum of the two output numbers is the same as the sum of the three input numbers. The three-for-two trick over has been mentioned in [17]. For , let , , and ; then where while for , the bit operation , and .
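The three-for-two reduction described above, using only addition and multiplication modulo a prime, as an added example that is not code from the paper. The gate formulas are the standard arithmetic encodings of XOR, AND and majority on bits; the prime 257, the function names and the sample integers are assumptions chosen for illustration.

```python
# Added example (not from the paper): three-for-two trick with mod-Q gates.
Q = 257  # constructed prime modulus (assumption)

def xor_q(a, b):
    # For bits a, b: a XOR b = a + b - 2ab (degree 2 over Z_Q)
    return (a + b - 2 * a * b) % Q

def and_q(a, b):
    # For bits a, b: a AND b = ab
    return (a * b) % Q

def three_for_two(x, y, z):
    """x, y, z: equal-length bit lists, least significant bit first.
    Returns (s, c), each one bit longer, whose integer sum equals x + y + z."""
    s = [xor_q(xor_q(a, b), c) for a, b, c in zip(x, y, z)]
    # Carry bit is the majority of (a, b, c): ab + bc + ca - 2abc on bits.
    carry = [(and_q(a, b) + and_q(b, c) + and_q(c, a)
              - 2 * and_q(and_q(a, b), c)) % Q
             for a, b, c in zip(x, y, z)]
    # The carry row is shifted up by one position (weight 2).
    return s + [0], [0] + carry

def reduce_to_two(rows):
    """Apply the trick repeatedly until only two bit rows remain."""
    rows = [list(r) for r in rows]
    while len(rows) > 2:
        width = max(len(r) for r in rows[:3])
        x, y, z = (r + [0] * (width - len(r)) for r in rows[:3])
        rows = rows[3:] + list(three_for_two(x, y, z))
    return rows

def to_bits(n, width):
    return [(n >> i) & 1 for i in range(width)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

if __name__ == "__main__":
    values = [13, 7, 22, 9, 30]  # constructed sample inputs
    s, c = reduce_to_two([to_bits(v, 5) for v in values])
    print(from_bits(s) + from_bits(c), sum(values))
```

Each application costs multiplicative degree through the XOR and majority gates, which is the additional degree the text attributes to emulating bit operations with arithmetic gates.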

##### 2.3. Lagrange Interpolating Polynomial

The Lagrange interpolating polynomial is the polynomial of degree that passes through the points , and given by , where Our goal of introducing the Lagrange interpolation polynomial is to obtain the mod- arithmetic polynomial expression of computing any bit in the binary representation of the integer . For every integer , let , where . For each index , we construct a set consisting of integer and its -th bit , where , namely, denote the set as for each . So for each index , the points set is If the variable equals an integer , for the index , the output of the Lagrange interpolating polynomial is , which equals the -th bit in the binary representation of . The multiplicative degree of the mod- arithmetic circuit is .
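The bit-extraction polynomial described above, as an added example that is not code from the paper: it interpolates the points (j, k-th bit of j) for j from 0 up to the weight bound over a prime field and applies the result to a Hamming weight obtained with modular additions only. The names `theta` and `Q`, the function names, and the sample values (prime 257, bound 15) are assumptions chosen for illustration.

```python
# Added example (not from the paper): Lagrange bit extraction over Z_Q.

def bit_interpolant(k, theta, Q):
    """Coefficients (low to high) of the degree-<=theta polynomial L_k over
    Z_Q with L_k(j) = k-th bit of j for every j in 0..theta."""
    if Q <= theta:
        # Differences (j - m) must be invertible mod Q, and the weight
        # must not wrap around when summed with mod-Q additions.
        raise ValueError("need a prime Q larger than theta")
    coeffs = [0] * (theta + 1)
    for j in range(theta + 1):
        if not (j >> k) & 1:
            continue  # basis polynomials with y_j = 0 contribute nothing
        num, den = [1], 1
        for m in range(theta + 1):
            if m == j:
                continue
            # num <- num * (x - m), den <- den * (j - m), all mod Q
            nxt = [0] * (len(num) + 1)
            for i, c in enumerate(num):
                nxt[i] = (nxt[i] - m * c) % Q
                nxt[i + 1] = (nxt[i + 1] + c) % Q
            num = nxt
            den = den * (j - m) % Q
        inv = pow(den, Q - 2, Q)  # Fermat inverse, valid because Q is prime
        for i, c in enumerate(num):
            coeffs[i] = (coeffs[i] + c * inv) % Q
    return coeffs

def eval_poly(coeffs, x, Q):
    """Horner evaluation mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def weight_bits(bits, theta, Q):
    """Bits (LSB first) of the Hamming weight of `bits`, assuming the
    weight is at most theta: one mod-Q sum, then one polynomial per bit."""
    w = sum(bits) % Q
    return [eval_poly(bit_interpolant(k, theta, Q), w, Q)
            for k in range(theta.bit_length())]

if __name__ == "__main__":
    column = [1] * 11 + [0] * 29  # constructed 40-entry column of weight 11
    print(weight_bits(column, theta=15, Q=257))
```

Outside the interpolated range the polynomial returns arbitrary field elements rather than bits, which is why the bound on the weight matters.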

#### 3. Bootstrapping the Decryption

This section deals mainly with how to implement the decryption with a mod- arithmetic circuit of a low degree.

##### 3.1. Squashing the Decryption with SSSP Assumption

The decryption circuit is Let be a vector of rational numbers in with bits of precision after the binary point, and let be the secret key vector of bits with Hamming weight such that , where . We firstly compute , keeping only bits of precision after the binary point for . So for some with . We have

We set the bit length of the ciphertext to ; thus, . And we observe that . Since is a valid ciphertext, satisfying that the value of is within of an integer as the definition in [3]; thus, is within of an integer. Therefore, we have For , let , where is the integer part of and is the fractional part. Then we have where is within of an integer. (Note that most of the context above in this subsection has been described by van Dijk et al. in [3], which is the procedure of squashing the decryption circuit for the case of .)

##### 3.2. Bootstrapping

For the integer part, we need to compute . We can firstly reduce with the modulo and sum up for all , namely, It only takes multiplication-by-constant gates and mod- addition gates.

For the fractional part, in order to compute , here we firstly construct a mod- circuit that outputs each bit in the binary representation of the sum in the following step .

(1) Generate integer numbers such that , namely, is the Hamming weight of the vector . Since the Hamming weight of the vector is , then is not bigger than , i.e., . Firstly, compute the sums by directly using mod- addition gates; this works since . Let . Then convert the small integer into their bit representation by applying the *Lagrange interpolating polynomial* introduced in Section 2.3; namely, for , , we have , where the multiplicative degree is .

(2) Now , which is the sum of -bit length of numbers. We can compute it by applying the three-for-two trick over mentioned in Section 2.2 repeatedly, resulting in two numbers and satisfying . Since we need to apply this trick times, the bit length of and becomes .

(3) Let , , then To evaluate , let Let be all the carry bits generated in the addition procedure, where . Thus, we have Since is within of some integer mentioned in Section 3.1, we have , ; thus Using mod- gates to compute those bit operations, which is a polynomial of degree 4.

For integer part, to implement , we can compute and with the stored numbers for . Since for an integer , The modified decryption works as

We conclude that the degree of the polynomial in the first step is , the degree of the polynomial in the second step is at most , and the degree of the polynomial in the third step is 4. Therefore, the total degree of the decryption circuit over is bounded by . Since we set for security, the degree is at most . So the multiplicative degree of the decryption circuit is for any prime with the constraint .

*Remark 1.* In [4], the authors set ( when ). It means that we can express the decryption circuit of FHE scheme over the integers as a low-degree polynomial over for any . The multiplicative degree of decryption circuit in [8] is for the case that is a constant prime, and in [16] for the case . If is bigger than 15, our degree of decryption circuit is smaller than that of [8]. See Table 1.