Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 9325082, 8 pages
https://doi.org/10.1155/2018/9325082
Research Article

Generalized Bootstrapping Technique Based on Block Equality Test Algorithm

Department of Information Research and Security, Zhengzhou Information Science Technology Institute, Zhengzhou, 450001, China

Correspondence should be addressed to Xiufeng Zhao; moc.361@gnef_uix_oahz

Received 29 September 2018; Revised 19 November 2018; Accepted 9 December 2018; Published 24 December 2018

Guest Editor: Pelin Angin

Copyright © 2018 Xiufeng Zhao and Ailan Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

With the rapid development of cloud computation and big data, the data storage and outsource computation are delegated to the untrusted cloud, which has led to a series of challenging security and privacy threats. Fully homomorphic encryption can be used to protect the privacy of cloud data and solve the trust problem of third party. The key problem of achieving fully homomorphic encryption is how to reduce the increasing noise during the ciphertext evaluation. Bootstrapping procedure can refresh ciphertext with large error, such that the resulting ciphertext has potentially smaller error and allows being continuous homomorphic evaluation. In this paper, we investigated the bootstrapping procedure used to construct fully homomorphic encryption scheme. We proposed a new concept of block homomorphic equality test algorithm and gave an instance based on the FH-SIMD scheme. Furthermore, based on the block homomorphic equality test algorithm, we proposed a faster bootstrapping procedure with smaller bootstrapping keys. Both theory analysis and experiment simulation validate high performance of our bootstrapping algorithm.

1. Introduction

Rapidly developing cloud storage and computation platform allow user delegate data outsource to the cloud server. Cloud computing has the characteristics of data concentration, resource sharing, highly interconnecting, fully opening, etc. It breaks the information island of traditional IT field; meanwhile, it brings even more serious security problems. To protect the privacy of data and the confidential of business secret, it is necessary to encrypting the upload data. However, it is difficult to process ciphertext for traditional encryption algorithm, and this promoted the improvement and development of fully homomorphic encryption (FHE). The prominent advantage of the fully homomorphic encryption is that it can solve ciphertext evaluation problem.

In 2009, Gentry [1, 2] constructed the first fully homomorphic encryption scheme using ideal lattice, which supports arbitrary depth circuit evaluation. Since then many fully homomorphic encryption schemes have appeared involving new mathematical concepts and NP hard problems and improving efficiency, such as FHE from LWE [3], Ring LWE [4], Integer [5], and LWR [6].

In PKC 2010, Smart and Vercauteren [7] proposed a variant of Gentry’s scheme with relatively small key and ciphertext sizes. Packing messages allows us to apply single-instruction-multiple data (SIMD) homomorphic operations to many encrypted messages. Smart and Vercautren [8] showed that applying the Chinese reminder theorem (CRT) to number fields partitions the message space of Gentry’s FHE scheme into a vector of plaintext slots, resulting in a substantial speed-up, the scheme denoted as FH-SIMD. In the work, they explained that the SIMD operations could be utilized to perform many higher level operations, such as performing AES encryption homomorphically and searching an encrypted database on a remote untrusted server.

Gentry, Sahai and Waters [9] constructed a simple homomorphic encryption scheme from learning with errors in Crypto 2013, called GSW scheme. In this work, they proposed a new technique for building FHE scheme via the approximate eigenvector method. The homomorphic addition and multiplication In GSW scheme are just matrix addition and multiplication, which makes GSW scheme both asymptotically faster and easier to understand. Otherwise, GSW scheme operates single bit once encryption and it is required to take heavy cost for evaluating a large number of ciphertexts.

Bootstrapping technique is a central technique on fully homomorphic encryption (FHE), which converts “somewhat homomorphic” encryption (SHE) scheme into a fully homomorphic one. That is, bootstrapping procedure homomorphically evaluating the SHE scheme’s decryption function on a ciphertext that cannot support any further homomorphic operations, and produces a new one that encrypts the same message and can handle more homomorphic operations.

Bootstrapping procedure is computationally very expensive, and it is becomes the main bottleneck of fully homomorphic encryption practicability. Therefore, there are lots of works try to improve its efficiency. Gentry, Halevi, and Smart [9] proposed a simpler approach that bypasses the homomorphic modular-reduction bottleneck by working with a modulus very close to a power of two. In Crypto 2013, Alperin-Sheriff and Peikert [10] gave entirely algebraic algorithm for bootstrapping in quasilinear time. They gave a method for homomorphically evaluating a class of structured linear transformation using “ring-switching” procedure, resulting in evaluating the decryption function efficiently.

Recently, Alperin-Sheriff and Peikert [11] proposed generalized bootstrapping technique using GSW scheme. The homomorphic decryption of FHE scheme from LWE concludes inner production and rounding operation, and homomorphic equation text algorithm is the key subprocedure of the rounding operation. Embedding the additive group into the symmetric group of permutation matrices is another technique used in the work [11].

In Eurocrypt 2015, Ducas and Micciancio [12] gave an efficient bootstrapping technique by encoding the cyclic group into the group of roots unity: , where is primitive root of unity. This allows implementing a bootstrapping procedure similar to the work of Alperin-Sheriff and Peikert [11], but where each cyclic group element is encoded by a single ciphertext, rather than a vector of ciphertext, this efficiently reduces the size of bootstrapping key.

In AsiaCrypt2016, Chillotti et al. constructed an efficient bootstrapping fully homomorphic encryption scheme, called TFHE [13]. Its time of running bootstrapping is less than 0.1 second. In AsiaCrypt2017, Chillotti et al. [14] optimized the multiple addends of work [13], and made the bootstrapping time reduced 13 milliseconds. 2018, Zhou et al. [15] optimized the serial addends to parallel addends, and the speed of single bootstrapping gate is faster that of work [14]. TFHE scheme and the optimized version both are single bit bootstrapping procedure [1315]. Although a lot of effort is being spent on improving bootstrapping, the efficient and effective method has yet to be developed. And how to construct efficient multibit bootstrapping procedure is worth further study.

Our Results. In this paper we investigate the homomorphic equality test algorithm in bootstrapping procedure and proposed the concept of block homomorphic equality test algorithm B_Eq? and give an instance based on the FH-SIMD scheme. Furthermore, we proposed a faster bootstrapping procedure based on the block homomorphic equality test algorithm. Both theory analysis and experiment simulation validate the higher performance of our bootstrapping algorithm than that of Alperin-Sheriff and Peikert’s work [11].

Organization. In Section 2, we describe some preliminaries on the field and homomorphism, and the concept of generalized bootstrapping technique. In Section 3, we proposed block homomorphic equality test algorithm B_Eq? and give a faster bootstrapping procedure based on B_Eq? algorithm. In Section 4, we give theory analysis and experiment simulation. We give conclusions in Section 5.

2. Preliminaries

2.1. Field and Homomorphism

Let be a monic polynomial of degree , which decomposed to exactly distinct irreducible factors as follows:where every polynomial has degree .

Letting denote the algebra , we can get the natural homomorphism via Chinese Remainder Theorem (CRT):

For , the finite field is a subfield of . Let denote a fixed canonical representation of , where is some irreducible polynomial of degree Let be a fixed root of in the algebraic closure of . Since is contained in each of , there is a homomorphic embedding as follows:where is a root of in algebra , that is,

According to CRT and the above homomorphic embedding, we can obtain a homomorphic embedding of into the algebra which defined as follows:where the polynomials and is obtained by CRT and computed as follows:From the above definition of , we can see that maps a vector of binary polynomials each of degree less than , into a single polynomial of degree less than . The map defines an isomorphism between and , so the inverse map is well defined from to . We can represent as follows:There are two methods to compute elements in : one method is computes component wise on vectors of elements in ; the other concludes three process, firstly, mapping all the inputs to the algebra by ; secondly, performing computations in algebra ; finally, mapping the results back to by . Furthermore, the fully homomorphic encryption scheme FH-SIMD performs one evaluation for l elements in using the algebra A.

2.2. Generalized Bootstrapping Technique

Gentry firstly proposed bootstrapping technique, which may transform a somewhat homomorphic encryption scheme to a fully homomorphic encryption scheme. Subsequently, Jacob Alperin-Sheriff and Chris Peikert [11] proposed generalized bootstrapping technique. The generalized bootstrapping technique involves two encryption schemes, outer encryption scheme and inner encryption scheme. It performs decryption procedure of inner encryption scheme using outer encryption scheme, resulting in reducing error in ciphertext. The generalized bootstrapping technique allows that the outer encryption is different from the inner one, realizing that we can design corresponding outer encryption scheme for the concretely inner encryption scheme, such that it effectively performs the decryption circuit of inner encryption scheme. Therefore, the generalized bootstrapping is more efficient than the ordinary one.

2.3. The Decryption of FHE from LWE

The decryption of all fully homomorphic schemes based on LWE involved computing inner production and rounding, that is, input secret key and binary ciphertext ; the decryption algorithm is written aswhere the modular rounding function : indicates whether its arguments is “far from” or “close to” 0 (modulo q), and the modulus q and the dimension d can both be made as small as quasi-linear in the security parameter via dimension-modulus reduction [3], while still providing provable security under conventional lattice assumption. The inner product is just summing the elements of vector selectively, that is,Supposing that , the algorithm rounding can be interpreted by iteration aswhere denotes the equality test algorithm, when is equality to , outputs 1; otherwise, outputs 0.

Now, we give the decryption algorithm of FHE based LWE in the ciphertext state. During the bootstrapping procedure, the ciphertext of secret is written by as bootstrapping public key. The inner product in the ciphertext state is denoted as . And the rounding algorithm in the ciphertext state is denoted aswhere “” denotes the homomorphic addition on the ciphertext space and indicates the homomorphic equality test algorithm; it outputs the ciphertext of 1 if and only if ; otherwise it outputs the ciphertext of 0. We let denote the ciphertext of 1 and denote the ciphertext of 0.

2.4. Generalized Bootstrapping Procedure of FHE from LWE

Assume that the binary ciphertext to be bootstrapped is , the secret key is , and the dimension and the module are enough small (). The decryption function of FHE scheme from LWE is . We also supposed that the outer encryption scheme is FH-SIMD, that is, FHE scheme which supports SIMD operation. The generalized bootstrapping technique concludes two algorithms: BootGen algorithm and Bootstrap algorithm [11].(i)BootGen: input secret key vector , and the public key of FH-SIMD encryption; output the bootstrapping public key , that is, encrypt the secret key vector via FH-SIMD scheme and resulting the ciphertext as the bootstrapping public key .(ii)Bootstrap: input the bootstrapping pubic key and the ciphertext vector , output a new ciphertext of original encryption scheme based LWE, and the result of decrypting using secret key is same as the one decrypting using secret key , but with less error.

3. Faster Bootstrapping Based on FH-SIMD

3.1. Main Ideas

Jacob Alperin-Sheriff and Chris Peikert proposed the generalized bootstrapping method based on the GSW scheme. Homomorphic equality test is a key component of the generalized bootstrapping algorithm, that is, for the fixed , under the ciphertext state, travels every which satisfies , and decide that whether or not, see Figure 1.

Figure 1: Homomorphic equality test.

We intend to proposed block homomorphic equality test algorithm, that is, it travels a block , which satisfies , and decide that whether this batch of exits a such that holds, see Figure 2.

Figure 2: Block homomorphic equality test.

Resort to the FH-SIMD homomorphic encryption scheme [7], we will give a block homomorphic equality test algorithm B_Eq?, and then propose an efficient generalized bootstrapping algorithm. The bootstrapping key is an encryption of each coordinate of the secret key , and consists of FH-SIMD ciphertexts. To bootstrapping , the inner product is computed homomorphically as a subset-sum using addition method, and the rounding function is computed using block homomorphic equality test algorithm and addition method.

3.2. Block Homomorphic Equality Test Algorithm

In this section, we describe our block homomorphic equality test algorithm, called B_Eq?.

Input: ciphertex and plaintext block .

Output: if there exits a such that holds, then the block homomophic equality test algorithm outputs ; otherwise it outputs .

We assume that and all are bits in length, and thus can be encoded as an element of the finite filed , where . The concrete procedure is described as follows:

For , where every satisfies , embed each coordinate as an element of . Our aim is to pack into single element , so we compute . Then compute the trivial encryption of in the algebra A using FH-SIMD scheme. It is worth noting that we encrypt without random, such that saving computational cost. That is,

Then compute

Sum the ciphertext and , and denote the sum as , that is,

Homomorphically raised to the power , that is,

And compute

According to the homomorphism of encryption scheme FH-SIMD, the power of ciphertext is corresponding to the power of plaintext. Of course, the ciphertext is homomorphically raised to the power , via performing 2n applications of multiplication. Since the plaintext corresponding to is an element of finite field and its max multiplicative order is , then the plaintext corresponding to is either 0 or 1. Therefore, is a ciphertext of encrypting 1 (nonzero element) or a ciphertext of encrypting 0 (zero element). When is an encryption of 0, this means that holds; when is an encryption of 1, this means that does nit hold.

Compute

We can see that as long as the equation holds, the i-th component of is ; otherwise, the i-th component of is . Therefore, if there exits a such that holds, then , and all other , for all . It follows that . That is, if there exits a such that holds, the block homomophic equality test algorithm outputs ; otherwise it outputs .

From the above steps, we finish the block homomorphic equality test; then we can homomorphic compute , that is, .

3.3. Faster Bootstrapping Technique

In this section, we construct faster bootstrapping procedure from the block homomorphic equality test algorithm B_Eq?. The bootstrapping procedure consists of two algorithms: BootKeyGen and Bootstrap. The procedure is used to refresh ciphertexts of all known standard LWE-based FHE. We get the input ciphertext for Bootstrap, and it is from the dimension-modulus reduction and bit-decomposition of the ciphertext to be bootstrapped. Let be the secret key that corresponding to the ciphertext

BootGen: input the secret key for the ciphertext to be refreshed and the public key pk of FH-SIMD scheme. Without loss of generality, for every , encode each coordinate to the element of finite field . Then encrypt its ciphertext under FH-SIMD scheme, and generate the bootstrapping key:

Output the bootstrapping public key . The bootstrapping key consists of FH-SIMD ciphertexts.

Bootstrap: input the binary ciphertext , and perform the following two phases:(i) Inner Product Homomorphically compute inner product using the bootstrapping public key . It is known thatIt follows that(ii) Round For every which satisfies , arrange in order of size, and divide them into blocks of items, and let us suppose they are distinct from one another, and there are altogether blocks:For every block , run block homomorphic equality test algorithm in parallel,Then compute

We can see that is either or , and then is the encryption of , is also either or , and it refreshed ciphertext with smaller error. Note that the output is a FH-SIMD ciphertext encrypted under . If desired, we can convert this ciphertext back to one for the original LWE FHE cryptosystem. We can also perform key-switch from back to the original secret keys.

4. Analysis

4.1. Correctness Analysis

Lemma 1 (correctness). For , the FH-SIMD ciphertext   is designed to encrypt .

Proof. Firstly, the FH-SIMD ciphertext is designed to encrypt from (18). Therefore, since is homomorphic embedding, the ciphertext as defined as in (20) designed to encryptBy correctness of block homomorphic equality test algorithm B_Eq?, the homomorphic sum is designed to encrypt 1 if and only if . Finally, since the homomorphic sum is taken over every such that , it is designed to encrypt 1 if and only if .

4.2. Security Analysis

Lemma 2 (semantic security). Suppose that the FH-SIMD scheme secret key is generated independently of the secret key of FHE scheme from LWE; then Ind-CPA security of the bootstrapping key follows immediately from the Ind-CPA security of FH-SIMD, hence from SIVP of ideal lattice.

Proof. For , if there is not an adversary can distinguish the bootstrapping key from a random element in the same space, then the bootstrapping procedure called satisfing semantic security.
In our bootstrapping procedure, for , the bootstrapping key consists of FH-SIMD ciphertexts; that is, is generated via FH-SIMD scheme, whereSuppose that there is an adversary can distinguish the bootstrapping from random element. Then we can construct an algorithm by calling the adversary and break the Ind-CPA security of FH-SIMD scheme and, furthermore, solve the SIVP of ideal lattice.

4.3. Performance Analysis

Our block homomorphic equality test algorithm B_Eq? has a cost of per data block, where denotes add operation of the ciphertext and denotes multiplicative operation of the ciphertext, whereas the homomorphic equality test algorithm Eq? involves , which is exponential times of B_Eq? algorithm, meaning that the computation of Eq? algorithm is more costly, reference to Table 1.

Table 1: Compare of the performance of homomorphic equality test algorithm.

In the work of Alperin-Sheriff and Peikert [11], one inner product evaluation of bootstrapping needs to compute ciphertexts compose evaluation, and one rounding evaluation of bootstrapping needs to call Eq? algorithm, and ciphertext multiplicative operation. Whereas one inner production of our faster bootstrapping needs to compute ciphertext additions, and one rounding evaluation needs to call B_Eq? algorithm, where is the size of block, and is the number of block, .

Suppose that LWE problem has 80 bits security when is set to be 2003. Parameters setting as above, and when is set to be 2003, 2047, 2501, 3001, 4093, and 12899, we give the relation between multiplicative operation quantity and modulus , as shown in Figure 3. As the modulus q increases, the number of ciphertext multiplicative operation grows swiftly in the AP’s bootstrapping procedure, whereas the number of ciphertext multiplicative operation grows slowly.

Figure 3: The relation between the ciphertext multiplicative quantity and the modulus .

On the other hand, for the fixed modulus and m, we give the relation between multiplicative operation quantity once running our faster bootstrapping procedure based on the block size of block homomorphic equality test algorithm B_Eq?. When , , and , so , we set , which satisfies . Then we set the size of block as , that is, the size of block . Then the number of blocks . We can see from Figure 4, as the block size increases, the ciphertext multiplicative operation drops dramatically.

Figure 4: The relation between the ciphertext multiplicative quantity and the block size.

5. Conclusions

Fully homomorphic encryption scheme allows evaluating encrypted data, without decrypting the corresponding ciphertext. In fully homomorphic encryption scheme, the ciphertext has a noise that grows at each homomorphic evaluation. When the noise reaches a threshold, then the ciphertext cannot be decrypted correctly. The number of homomorphic operations can be made asymptotically large using bootstrapping technique.

In this paper, we further investigated the bootstrapping procedure. We proposed the concept of block homomorphic equality test algorithm and give an instance based on the FH-SIMD scheme. Furthermore, we give a faster bootstrapping procedure based on the block homomorphic equality test algorithm. Both theory analysis and experiment simulation validate the higher performance of our bootstrapping than that of the work [11].

Data Availability

Our underlying data related to the article is the paper as cited as in [11].

Conflicts of Interest

The authors declare that they have no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Nature Science Foundation of China under Grant no. 61601515 and Nature Science Foundation of Henan Province under Grant no. 162300410332.

References

  1. C. Gentry, “Fully homomorphic encryption using ideal lattices,” In Proc of the 41th Annual ACM Symp on Theory of Computing (STOC),” pp. 169–178, ACM, New York, NY, USA, 2009. View at Google Scholar
  2. C. Gentry, A fully homomophic encryption scheme [Ph.D. thesis], Stanford University, 2009, http://crypto.stanford.edu/craig.
  3. Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS '11), pp. 97–106, Palm Springs, Calif, USA, October 2011. View at Publisher · View at Google Scholar · View at Scopus
  4. Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-LWE and security for key dependent messages,” in Advances in Cryptology—CRYPTO 2011, R. Phillip, Ed., vol. 6841, pp. 505–524, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar · View at MathSciNet
  5. M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” in Advances in cryptology (EUROCRYPT), vol. 6110, pp. 24–43, Springer, Berlin, Germany, 2010. View at Publisher · View at Google Scholar · View at MathSciNet
  6. Fucai Luo, Fuqun Wang, Kunpeng Wang, Jie Li, and Kefei Chen, “LWR-Based Fully Homomorphic Encryption, Revisited,” Security and Communication Networks, vol. 2018, Article ID 5967635, 12 pages, 2018. View at Publisher · View at Google Scholar
  7. N. P. Smart and F. Vercauteren, “Fully homomorphic SIMD operations,” Designs, Codes and Cryptography, vol. 71, no. 1, pp. 57–81, 2014. View at Publisher · View at Google Scholar · View at Scopus
  8. C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceputally-simpler, asymptotically-faster, attribute-based,” in CRYPTO, LNCS, R. Canetti and J. A. Garay, Eds., vol. 8042, pp. 75–92, Springer, Heidelberg, Germany, 2013. View at Google Scholar
  9. C. Gentry, S. Halevi, and N. P. Smart, “Better bootstrapping in fully homomorphic encryption,” in Public key cryptography (PKC), vol. 7293 of Lecture Notes in Comput. Sci., pp. 1–16, Springer, Heidelberg, 2012. View at Publisher · View at Google Scholar · View at MathSciNet
  10. J. Alperin-Sheriff and C. Peikert, “Practical bootstrapping in quasilinear time,” in Advances in Cryptology – CRYPTO, vol. 8042, pp. 1–20, 2013. View at Publisher · View at Google Scholar · View at MathSciNet
  11. J. Alperin-Sheriff and C. Peikert, “Faster bootstrapping with polynomial error,” in Proceedings of the International Cryptology Conference, J. A. Garay and R. Gennaro, Eds., pp. 297–314, Springer, Berlin, Germany, 2014. View at Publisher · View at Google Scholar · View at MathSciNet
  12. L. Ducas and D. Micciancio, “FHEW: Bootstrapping homomorphic encryption in less than a second,” in EUROCRYPT, Part I, LNCS, E. Oswald and M. Fischlin, Eds., vol. 9056, pp. 617–640, Springer, Heidelberg, Germany, 2015. View at Google Scholar
  13. I. Chillotti, N. Gama, M. Georgieva et al., “Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds,” in Advances in Cryptology - ASIACRYPT, pp. 3–33, Springer, Heidelberg, Germany, 2016. View at Publisher · View at Google Scholar
  14. I. Chillotti, N. Gama, M. Georgieva et al., “Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE,” in ASIACRYPT 2017. LNCS, T. Takagi and T. Peyrin, Eds., vol. 10624, pp. 377–408, Springer, Cham, UK, 2017. View at Google Scholar
  15. T. Zhou, X. Yang, L. Liu, W. Zhang, and N. Li, “Faster Bootstrapping With Multiple Addends,” IEEE Access, vol. 6, pp. 49868–49876, 2018. View at Publisher · View at Google Scholar