Security and Communication Networks

Volume 2018, Article ID 9325082, 8 pages

https://doi.org/10.1155/2018/9325082

## Generalized Bootstrapping Technique Based on Block Equality Test Algorithm

Department of Information Research and Security, Zhengzhou Information Science Technology Institute, Zhengzhou, 450001, China

Correspondence should be addressed to Xiufeng Zhao; zhao_xiu_feng@163.com

Received 29 September 2018; Revised 19 November 2018; Accepted 9 December 2018; Published 24 December 2018

Guest Editor: Pelin Angin

Copyright © 2018 Xiufeng Zhao and Ailan Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With the rapid development of cloud computing and big data, data storage and outsourced computation are delegated to the untrusted cloud, which has led to a series of challenging security and privacy threats. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the problem of trusting a third party. The key problem in achieving fully homomorphic encryption is how to reduce the noise that grows during ciphertext evaluation. The bootstrapping procedure can refresh a ciphertext with large error, such that the resulting ciphertext has potentially smaller error and allows continued homomorphic evaluation. In this paper, we investigate the bootstrapping procedure used to construct fully homomorphic encryption schemes. We propose a new concept, the block homomorphic equality test algorithm, and give an instance based on the FH-SIMD scheme. Furthermore, based on the block homomorphic equality test algorithm, we propose a faster bootstrapping procedure with smaller bootstrapping keys. Both theoretical analysis and experimental simulation validate the high performance of our bootstrapping algorithm.

#### 1. Introduction

Rapidly developing cloud storage and computation platforms allow users to outsource their data to a cloud server. Cloud computing is characterized by data concentration, resource sharing, high interconnection, full openness, etc. It breaks down the information islands of the traditional IT field; meanwhile, it brings even more serious security problems. To protect the privacy of data and the confidentiality of business secrets, it is necessary to encrypt the uploaded data. However, ciphertext is difficult to process under traditional encryption algorithms, and this has promoted the improvement and development of fully homomorphic encryption (FHE). The prominent advantage of fully homomorphic encryption is that it solves the ciphertext evaluation problem.

In 2009, Gentry [1, 2] constructed the first fully homomorphic encryption scheme using ideal lattices, which supports evaluation of circuits of arbitrary depth. Since then, many fully homomorphic encryption schemes have appeared, involving new mathematical concepts and NP-hard problems and improving efficiency, such as FHE from LWE [3], Ring LWE [4], integers [5], and LWR [6].

In PKC 2010, Smart and Vercauteren [7] proposed a variant of Gentry’s scheme with relatively small key and ciphertext sizes. Packing messages allows us to apply single-instruction-multiple-data (SIMD) homomorphic operations to many encrypted messages. Smart and Vercauteren [8] showed that applying the Chinese remainder theorem (CRT) to number fields partitions the message space of Gentry’s FHE scheme into a vector of plaintext slots, resulting in a substantial speed-up; the resulting scheme is denoted FH-SIMD. In that work, they explained that the SIMD operations could be used to perform many higher-level operations, such as performing AES encryption homomorphically and searching an encrypted database on a remote untrusted server.

Gentry, Sahai, and Waters [9] constructed a simple homomorphic encryption scheme from learning with errors in Crypto 2013, called the GSW scheme. In this work, they proposed a new technique for building FHE schemes via the approximate eigenvector method. Homomorphic addition and multiplication in the GSW scheme are just matrix addition and multiplication, which makes the GSW scheme both asymptotically faster and easier to understand. However, the GSW scheme encrypts a single bit at a time, so evaluating a large number of ciphertexts incurs a heavy cost.

Bootstrapping is a central technique in fully homomorphic encryption (FHE), which converts a “somewhat homomorphic” encryption (SHE) scheme into a fully homomorphic one. That is, the bootstrapping procedure homomorphically evaluates the SHE scheme’s decryption function on a ciphertext that cannot support any further homomorphic operations, and produces a new one that encrypts the same message and can handle more homomorphic operations.

The bootstrapping procedure is computationally very expensive, and it has become the main bottleneck for the practicality of fully homomorphic encryption. Therefore, many works have tried to improve its efficiency. Gentry, Halevi, and Smart [9] proposed a simpler approach that bypasses the homomorphic modular-reduction bottleneck by working with a modulus very close to a power of two. In Crypto 2013, Alperin-Sheriff and Peikert [10] gave an entirely algebraic algorithm for bootstrapping in quasilinear time. They gave a method for homomorphically evaluating a class of structured linear transformations using a “ring-switching” procedure, which allows the decryption function to be evaluated efficiently.

Recently, Alperin-Sheriff and Peikert [11] proposed a generalized bootstrapping technique using the GSW scheme. The homomorphic decryption of an FHE scheme from LWE consists of an inner product and a rounding operation, and the homomorphic equality test algorithm is the key subprocedure of the rounding operation. Embedding the additive group into the symmetric group of permutation matrices is another technique used in the work [11].

In Eurocrypt 2015, Ducas and Micciancio [12] gave an efficient bootstrapping technique by encoding the cyclic group into the group of roots of unity: , where is primitive root of unity. This allows implementing a bootstrapping procedure similar to that of Alperin-Sheriff and Peikert [11], but with each cyclic group element encoded by a single ciphertext rather than a vector of ciphertexts, which efficiently reduces the size of the bootstrapping key.

In AsiaCrypt 2016, Chillotti et al. constructed an efficient bootstrapping fully homomorphic encryption scheme, called TFHE [13]. Its bootstrapping running time is less than 0.1 second. In AsiaCrypt 2017, Chillotti et al. [14] optimized the multiple addends of work [13] and reduced the bootstrapping time to 13 milliseconds. In 2018, Zhou et al. [15] optimized the serial addends into parallel addends, and the speed of a single bootstrapping gate is faster than that of work [14]. The TFHE scheme and its optimized versions are all single-bit bootstrapping procedures [13–15]. Although a lot of effort is being spent on improving bootstrapping, an efficient and effective method has yet to be developed, and how to construct an efficient multibit bootstrapping procedure is worth further study.

*Our Results*. In this paper we investigate the homomorphic equality test algorithm in the bootstrapping procedure, propose the concept of the block homomorphic equality test algorithm B_Eq?, and give an instance based on the FH-SIMD scheme. Furthermore, we propose a faster bootstrapping procedure based on the block homomorphic equality test algorithm. Both theoretical analysis and experimental simulation validate that our bootstrapping algorithm performs better than that of Alperin-Sheriff and Peikert’s work [11].

*Organization.* In Section 2, we describe some preliminaries on fields and homomorphisms, and the concept of the generalized bootstrapping technique. In Section 3, we propose the block homomorphic equality test algorithm B_Eq? and give a faster bootstrapping procedure based on the B_Eq? algorithm. In Section 4, we give theoretical analysis and experimental simulation. We give conclusions in Section 5.

#### 2. Preliminaries

##### 2.1. Field and Homomorphism

Let be a monic polynomial of degree , which decomposed to exactly distinct irreducible factors as follows:where every polynomial has degree .

Letting denote the algebra , we can get the natural homomorphism via Chinese Remainder Theorem (CRT):

For , the finite field is a subfield of . Let denote a fixed canonical representation of , where is some irreducible polynomial of degree Let be a fixed root of in the algebraic closure of . Since is contained in each of , there is a homomorphic embedding as follows:where is a root of in algebra , that is,

According to CRT and the above homomorphic embedding, we can obtain a homomorphic embedding of into the algebra which defined as follows:where the polynomials and are obtained by CRT and computed as follows:From the above definition of , we can see that maps a vector of binary polynomials each of degree less than , into a single polynomial of degree less than . The map defines an isomorphism between and , so the inverse map is well defined from to . We can represent as follows:There are two methods to compute on elements in : the first computes component-wise on vectors of elements in ; the second consists of three steps: first, mapping all the inputs to the algebra by ; second, performing the computations in algebra ; finally, mapping the results back to by . Furthermore, the fully homomorphic encryption scheme FH-SIMD performs one evaluation for *l* elements in using the algebra A.
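The CRT packing and the two ways of computing described above can be checked on a small case. This is an added example, not code from the paper: it assumes the modulus F(x) = x^6 + x^5 + ... + 1 with the two degree-3 factors listed in `FACTORS`, uses whole slots rather than the subfield embedding, and all function names are illustrative.

```python
# Polynomials over F_2 are stored as ints: bit i is the coefficient of x^i.
FACTORS = [0b1011, 0b1101]  # assumed example: x^3+x+1 and x^3+x^2+1 (l = 2, d = 3)

def pmul(a, b):
    """Carry-less product of two F_2[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, m):
    """Quotient and remainder of a divided by m in F_2[x]."""
    q = 0
    while a.bit_length() >= m.bit_length():
        shift = a.bit_length() - m.bit_length()
        q, a = q ^ (1 << shift), a ^ (m << shift)
    return q, a

def pinv(a, m):
    """Inverse of a modulo m by extended Euclid; s_i * a = r_i (mod m) throughout."""
    r0, r1, s0, s1 = m, pdivmod(a, m)[1], 0, 1
    while r1 > 1:
        qt, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ pmul(qt, s1)
    if r1 != 1:
        raise ValueError("not invertible")
    return pdivmod(s1, m)[1]

def crt_basis(factors):
    """Return F = prod F_i and G_i with G_i = 1 mod F_i, G_i = 0 mod F_j (j != i)."""
    F = 1
    for f in factors:
        F = pmul(F, f)
    basis = []
    for f in factors:
        h = pdivmod(F, f)[0]                      # H_i = F / F_i
        basis.append(pdivmod(pmul(h, pinv(h, f)), F)[1])
    return F, basis

def pack(slots, F, basis):
    """Map l slot polynomials (degree < d) to one polynomial of degree < l*d."""
    a = 0
    for m, g in zip(slots, basis):
        a ^= pmul(m, g)
    return pdivmod(a, F)[1]

def unpack(a, factors):
    return [pdivmod(a, f)[1] for f in factors]    # inverse map: reduce mod each F_i
```

One addition or multiplication of packed polynomials modulo F acts on every slot at once, which is the SIMD property FH-SIMD relies on.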

##### 2.2. Generalized Bootstrapping Technique

Gentry first proposed the bootstrapping technique, which can transform a somewhat homomorphic encryption scheme into a fully homomorphic encryption scheme. Subsequently, Jacob Alperin-Sheriff and Chris Peikert [11] proposed the generalized bootstrapping technique. The generalized bootstrapping technique involves two encryption schemes, an outer encryption scheme and an inner encryption scheme. It performs the decryption procedure of the inner encryption scheme using the outer encryption scheme, which reduces the error in the ciphertext. The generalized bootstrapping technique allows the outer encryption scheme to differ from the inner one, so that an outer encryption scheme can be designed for a concrete inner encryption scheme such that it effectively performs the decryption circuit of the inner encryption scheme. Therefore, the generalized bootstrapping is more efficient than the ordinary one.

##### 2.3. The Decryption of FHE from LWE

The decryption of all fully homomorphic schemes based on LWE involves computing an inner product and rounding, that is, input secret key and binary ciphertext ; the decryption algorithm is written aswhere the modular rounding function : indicates whether its argument is “far from” or “close to” 0 (modulo q), and the modulus *q* and the dimension *d* can both be made as small as quasi-linear in the security parameter via dimension-modulus reduction [3], while still providing provable security under conventional lattice assumptions. The inner product is just summing the elements of vector selectively, that is,Supposing that , the rounding algorithm can be interpreted by iteration aswhere denotes the equality test algorithm: when is equal to , it outputs 1; otherwise, it outputs 0.
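The decryption structure described above (selective sum, then rounding written as a sum of equality tests) can be run in the clear on a toy LWE instance. This is an added example, not the paper's code: the parameters `Q` and `N`, the Q/4 rounding threshold, the error range, and all function names are assumptions chosen for illustration and give no security.

```python
import random

Q, N = 64, 4              # toy modulus and LWE dimension (assumed, not secure)
K = Q.bit_length() - 1    # bits needed for one coefficient in Z_Q

def round_q(v):
    """1 if v is far from 0 modulo Q, 0 if close; the Q/4 threshold is assumed."""
    return 1 if Q // 4 <= v % Q < 3 * Q // 4 else 0

def encrypt(t, m, rng):
    """Toy LWE encryption of bit m under secret t: (a, <a,t> + e + m*Q/2)."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-2, 2)
    return a + [(sum(x * y for x, y in zip(a, t)) + e + m * (Q // 2)) % Q]

def binary_form(t, ct):
    """Bit-decompose ct and scale the key by powers of two; <s, c> is unchanged mod Q."""
    key = [(-x) % Q for x in t] + [1]
    s = [(x << j) % Q for x in key for j in range(K)]
    c = [(x >> j) & 1 for x in ct for j in range(K)]
    return s, c

def inner_product(s, c):
    """With binary c, the inner product is a selective sum of key entries."""
    return sum(sj for sj, cj in zip(s, c) if cj) % Q

def decrypt_direct(s, c):
    return round_q(inner_product(s, c))

def eq_test(v, x):
    """Plaintext stand-in for Eq?: 1 if v equals x modulo Q, else 0."""
    return 1 if (v - x) % Q == 0 else 0

def decrypt_via_eq(s, c):
    """Rounding as a sum of equality tests over every v that rounds to 1."""
    x = inner_product(s, c)
    return sum(eq_test(v, x) for v in range(Q) if round_q(v) == 1)

def roundtrip(m, seed=0):
    """Encrypt bit m with a seeded toy key and decrypt it both ways."""
    rng = random.Random(seed)
    t = [rng.randrange(Q) for _ in range(N)]
    s, c = binary_form(t, encrypt(t, m, rng))
    return decrypt_direct(s, c), decrypt_via_eq(s, c)
```

In bootstrapping, the same sum is evaluated on encrypted key entries, so the number of equality tests per rounding is what the block variant in Section 3 aims to reduce.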

Now, we give the decryption algorithm of LWE-based FHE in the ciphertext state. During the bootstrapping procedure, the ciphertext of secret is written by as bootstrapping public key. The inner product in the ciphertext state is denoted as . And the rounding algorithm in the ciphertext state is denoted aswhere “” denotes the homomorphic addition on the ciphertext space and indicates the homomorphic equality test algorithm; it outputs the ciphertext of 1 if and only if ; otherwise it outputs the ciphertext of 0. We let denote the ciphertext of 1 and denote the ciphertext of 0.

##### 2.4. Generalized Bootstrapping Procedure of FHE from LWE

Assume that the binary ciphertext to be bootstrapped is , the secret key is , and the dimension and the modulus are small enough (). The decryption function of FHE scheme from LWE is . We also suppose that the outer encryption scheme is FH-SIMD, that is, an FHE scheme which supports SIMD operations. The generalized bootstrapping technique consists of two algorithms: the **BootGen** algorithm and the **Bootstrap** algorithm [11].

(i) **BootGen**: input secret key vector , and the public key of FH-SIMD encryption; output the bootstrapping public key , that is, encrypt the secret key vector via the FH-SIMD scheme and take the resulting ciphertext as the bootstrapping public key .

(ii) **Bootstrap**: input the bootstrapping public key and the ciphertext vector , output a new ciphertext of the original LWE-based encryption scheme, and the result of decrypting using secret key is the same as the one decrypting using secret key , but with less error.

#### 3. Faster Bootstrapping Based on FH-SIMD

##### 3.1. Main Ideas

Jacob Alperin-Sheriff and Chris Peikert proposed the generalized bootstrapping method based on the GSW scheme. The homomorphic equality test is a key component of the generalized bootstrapping algorithm, that is, for the fixed , under the ciphertext state, it traverses every which satisfies , and decides whether or not; see Figure 1.