



University of Illinois, Urbana Champaign CS 598DK Special Topics in Cryptography
Instructor: Dakshita Khurana
Scribes: Sarah Christensen, Siheng Pan, Nerla Jean-Louis
Date: October 11, 2019
Fully Homomorphic Encryption II
In the prior lecture, we were first introduced to the concept of fully homomorphic encryption (FHE). In particular, we covered the motivation for the problem, its formal definition, and how FHE schemes can leverage learning with errors (LWE) in their construction. In this lecture, we continued our discussion of FHE, diving more deeply into the details of how to construct a leveled-FHE from LWE and why this construction is correct. The key technical difficulty focused on in this lecture is ensuring that the leveled-FHE construction is multiplicatively homomorphic, which requires significantly more care than its additive analog. Indeed, the intuition behind the construction only becomes apparent in hindsight, after understanding how it behaves under multiplication. The lecture culminated with a discussion of how leveled-FHE, which allows only a bounded number of homomorphic operations, can be combined with an additional security assumption to produce FHE with an unbounded number of homomorphic operations [1]. This technique, called bootstrapping, is one of the most exciting breakthroughs in recent cryptography.
We begin by describing a leveled fully homomorphic public-key encryption scheme that utilizes LWE (for a review of LWE, see Lecture 10). Recall that any encryption scheme is defined by a tuple of probabilistic polynomial-time algorithms (KeyGen, Encrypt, Decrypt).

KeyGen(prime number $q$, $1^n$):
Sample a uniformly random secret $\mathbf{s} \in \mathbb{Z}_q^n$, a uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$ (the value of $m$ is fixed in Encrypt below), and a low-norm LWE error vector $\mathbf{e} \in \mathbb{Z}_q^m$. Set $\mathbf{b}^T = \mathbf{s}^T A + \mathbf{e}^T$ and output the public key
$$B = \begin{bmatrix} A \\ \mathbf{b}^T \end{bmatrix} = \begin{bmatrix} A \\ \mathbf{s}^T A + \mathbf{e}^T \end{bmatrix} \in \mathbb{Z}_q^{(n+1) \times m}$$
and the secret key
$$\mathbf{t} = \begin{bmatrix} -\mathbf{s} \\ 1 \end{bmatrix} \in \mathbb{Z}_q^{n+1}.$$
The relation that drives everything below is $\mathbf{t}^T B = -\mathbf{s}^T A + \mathbf{s}^T A + \mathbf{e}^T = \mathbf{e}^T$: under LWE, $B$ is indistinguishable from a uniformly random matrix, yet the holder of $\mathbf{t}$ can collapse it to a small vector.
Encrypt(public key $B$, message $\mu \in \{0, 1\}$):
Let $G$ be the $(n+1) \times (n+1)(\lfloor \log q \rfloor + 1)$ matrix
$$G = \begin{bmatrix} 1 & 2 & \cdots & 2^{\lfloor \log q \rfloor} & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 & 1 & \cdots & 2^{\lfloor \log q \rfloor} & \cdots & 0 & \cdots & 0 \\ \vdots & & & & & & & \ddots & & & \vdots \\ 0 & 0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & 1 & \cdots & 2^{\lfloor \log q \rfloor} \end{bmatrix}.$$
In other words, $G$ is a matrix with the sequence $[1, 2, \ldots, 2^{\lfloor \log q \rfloor}]$ repeated in each row; in the $i$th row (counting from $0$), this pattern begins in column $j = i \cdot (\lfloor \log q \rfloor + 1)$. We state the entries of $G$ here for completeness, but the intuition behind it will only make sense in hindsight when proving this scheme is multiplicatively homomorphic.
Sample a uniformly random binary matrix $R \in \{0, 1\}^{m \times m}$ and output the ciphertext
$$C = BR + \mu G.$$
Note that $BR$ has dimension $(n+1) \times m$. For this sum to make sense, $BR$ and $G$ must have the same shape, so we set $m = (n+1)(\lfloor \log q \rfloor + 1)$.
Decrypt(secret key $\mathbf{t}$, ciphertext $C$):
Compute $\mathbf{t}^T C$ and simplify:
$$\mathbf{t}^T C = \mathbf{t}^T (BR + \mu G) = \mathbf{t}^T B R + \mu \mathbf{t}^T G = \begin{bmatrix} -\mathbf{s}^T & 1 \end{bmatrix} \begin{bmatrix} A \\ \mathbf{s}^T A + \mathbf{e}^T \end{bmatrix} R + \mu \mathbf{t}^T G = \mathbf{e}^T R + \mu \mathbf{t}^T G = \text{low-norm error term} + \mu \mathbf{t}^T G. \tag{12.1}$$
That is,
$$\mathbf{t}^T C = \begin{cases} \text{low-norm error term} & \mu = 0, \\ \text{low-norm error term} + \mathbf{t}^T G & \mu = 1. \end{cases}$$
Since $\mathbf{e}$ and $R$ are both small, the error term is small, whereas $\mathbf{t}^T G$ has large coordinates (its last coordinate is exactly $2^{\lfloor \log q \rfloor}$, because the last coordinate of $\mathbf{t}$ is $1$). Comparing such a coordinate of $\mathbf{t}^T C$ against the corresponding coordinate of $\mathbf{t}^T G$ therefore recovers $\mu$, as long as the accumulated error stays small relative to $q$.
time we wish to show that we can compute the ciphertext encoding $\mu_1 \mu_2 \bmod q$. The most natural thing to try for an evaluation algorithm is the following (ignoring dimension issues):
EvaluateNaive(×, ciphertext $C$, ciphertext $C'$):
Output $C_{\mathrm{Mult}} = C C'$.
Unfortunately, when we simplify $C_{\mathrm{Mult}}$ in our decryption step, we run into difficulties:
$$\begin{aligned} \mathbf{t}^T C_{\mathrm{Mult}} &= \mathbf{t}^T C C' = \mathbf{t}^T (BR_1 + \mu_1 G)(BR_2 + \mu_2 G) \\ &= \mathbf{t}^T B R_1 B R_2 + \mu_2\, \mathbf{t}^T B R_1 G + \mu_1\, \mathbf{t}^T G B R_2 + \mu_1 \mu_2\, \mathbf{t}^T G^2 \\ &= \mathbf{e}^T R_1 B R_2 + \mu_2\, \mathbf{e}^T R_1 G + \mu_1\, \mathbf{t}^T G B R_2 + \mu_1 \mu_2\, \mathbf{t}^T G^2. \end{aligned}$$
In addition to the obvious dimension problems ($G$ is not square, so neither $G^2$ nor $CC'$ is even defined), we obtain the term $\mu_1 \mu_2 \mathbf{t}^T G^2$, which does not fit the functional form of Equation 12.1. Also, $\mathbf{t}^T$ only reduces the $B$ standing immediately to its right to $\mathbf{e}^T$: the first term keeps a second $B$, and the third term keeps its $B$ behind a $G$. An error term multiplied by a leftover $B$ will likely be too large, since the entries of $B$ are relatively large. We modify this evaluation scheme by introducing the operator $G^{-1}$, which functions as the inverse to $G$. The intuition is that it will cancel an extra $G$ from the final term as well as shrink the entries in the extra $B$ of the first term, keeping the error under control.
Evaluate(×, ciphertext $C$, ciphertext $C'$):
Output $C_{\mathrm{Mult}} = C \cdot G^{-1}(C')$, where $G^{-1}$ is the binary-decomposition operator defined next. Consider an $(n+1) \times m$ matrix over $\mathbb{Z}_q$,
$$X = \begin{bmatrix} x_{0,0} & x_{0,1} & \cdots & x_{0,m-1} \\ \vdots & \vdots & & \vdots \\ x_{n,0} & x_{n,1} & \cdots & x_{n,m-1} \end{bmatrix}.$$
We define $G^{-1}$ on that matrix as follows:
$$G^{-1}(X) = \begin{bmatrix} \mathrm{Bin}(x_{0,0})_0 & \mathrm{Bin}(x_{0,1})_0 & \cdots & \mathrm{Bin}(x_{0,m-1})_0 \\ \mathrm{Bin}(x_{0,0})_1 & \mathrm{Bin}(x_{0,1})_1 & \cdots & \mathrm{Bin}(x_{0,m-1})_1 \\ \vdots & \vdots & & \vdots \\ \mathrm{Bin}(x_{0,0})_{\lfloor \log q \rfloor} & \mathrm{Bin}(x_{0,1})_{\lfloor \log q \rfloor} & \cdots & \mathrm{Bin}(x_{0,m-1})_{\lfloor \log q \rfloor} \\ \vdots & \vdots & & \vdots \\ \mathrm{Bin}(x_{n,0})_{\lfloor \log q \rfloor} & \mathrm{Bin}(x_{n,1})_{\lfloor \log q \rfloor} & \cdots & \mathrm{Bin}(x_{n,m-1})_{\lfloor \log q \rfloor} \end{bmatrix},$$
where $\mathrm{Bin}(x_{0,0})_0$ is the first (least significant) bit in the binary decomposition of $x_{0,0} \in \mathbb{Z}_q$ into $\lfloor \log q \rfloor + 1$ bits. Note that the number of columns does not change. Each element in the input matrix gets expanded into $\lfloor \log q \rfloor + 1$ rows, so the number of rows in the output matrix increases by a factor of $\lfloor \log q \rfloor + 1$: $G^{-1}(X)$ is an $m \times m$ binary matrix, and $C \cdot G^{-1}(C')$ is again an $(n+1) \times m$ matrix.
Figure 12.1 (figure not reproduced): the matrix $G^{-1}(G)$. Each identity sub-matrix $I$ corresponds to the expansion of the sequence $[1, 2, \ldots, 2^{\lfloor \log q \rfloor}]$ for one row in $G$. Each $I$ is of dimension $(\lfloor \log q \rfloor + 1) \times (\lfloor \log q \rfloor + 1)$.
Remark 12.1. $G$ and $G^{-1}$ are both operators. $G$ performs binary recomposition, and $G^{-1}$ performs binary decomposition. While $G$ is a linear operator (whose action can therefore be encoded in a matrix), $G^{-1}$ is not a linear operator.
Remark 12.2. $G^{-1}$ takes as input a small matrix with large entries and creates a large matrix with small entries. How convenient!
Fact 12.3. For any matrix $X \in \mathbb{Z}_q^{(n+1) \times m}$, $G(G^{-1}(X)) = X$. Similarly, $G^{-1}(G)$ is equal to the identity matrix $I_{m \times m}$.
To convince yourself of the second half of this fact, recall that each row in the matrix representation of $G$ has the sequence $[1, 2, \ldots, 2^{\lfloor \log q \rfloor}]$. When expanded into a component-wise binary decomposition, this sequence is just the identity matrix $I_{(\lfloor \log q \rfloor + 1) \times (\lfloor \log q \rfloor + 1)}$. Next, observe that the spacing of the sequences in $G$ is such that these identity sub-matrices line up along the diagonal of the output matrix, forming a full identity matrix as claimed (see Figure 12.1). Now, we finally show that with this modified evaluation function, our decryption scheme returns the correct result.
$$\begin{aligned} C_{\mathrm{Mult}} = C \cdot G^{-1}(C') &= (BR_1 + \mu_1 G)\, G^{-1}(BR_2 + \mu_2 G) \\ &= BR_1\, G^{-1}(C') + \mu_1\, G\, G^{-1}(C') \\ &= BR_1\, G^{-1}(C') + \mu_1 (BR_2 + \mu_2 G) \qquad \text{(by Fact 12.3, } G(G^{-1}(C')) = C' \text{)} \\ &= BR_1\, G^{-1}(C') + \mu_1 BR_2 + \mu_1 \mu_2 G. \end{aligned}$$
Note that we may not distribute $G^{-1}$ over the sum $BR_2 + \mu_2 G$, since by Remark 12.1 it is not linear; we only ever apply $G$ to its output, which is exactly what Fact 12.3 licenses.
Multiplying by the secret key, we have
$$\begin{aligned} \mathbf{t}^T C_{\mathrm{Mult}} &= \mathbf{t}^T \big( BR_1\, G^{-1}(C') + \mu_1 BR_2 + \mu_1 \mu_2 G \big) \\ &= \mathbf{t}^T B R_1\, G^{-1}(C') + \mu_1\, \mathbf{t}^T B R_2 + \mu_1 \mu_2\, \mathbf{t}^T G \\ &= \mathbf{e}^T R_1\, G^{-1}(C') + \mu_1\, \mathbf{e}^T R_2 + \mu_1 \mu_2\, \mathbf{t}^T G. \end{aligned}$$
This is very close to the invariant functional form that we are looking for. Note that the final term is exactly in the same form as Equation 12.1, and the first term is small because $\mathbf{e}^T R_1$ is a low-norm vector and $G^{-1}(C')$ is a $0/1$ matrix. The middle term is bounded above
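The whole scheme of these notes (KeyGen, Encrypt and Decrypt from the beginning, the operators $G$ and $G^{-1}$ with Fact 12.3, and the Evaluate(×) step just derived) as an added, runnable Python example. This is not code from the lecture or the scribes. The parameters $n = 4$, $q = 65521$, the error distribution $\mathbf{e} \leftarrow \{-1, 0, 1\}^m$ and the binary choice of $R$ are assumptions made for the demo, not secure parameters; function and variable names are the example's own.

```python
"""GSW-style leveled FHE over Z_q in the notation of these notes.

Added example, not code from the lecture or the scribes. Toy parameters
(n = 4, q = 65521) and the error distribution e <- {-1, 0, 1}^m are
assumptions for the demo, not secure choices. Pure Python, no numpy.
"""
import random

N, Q = 4, 65521                 # q prime with 2^15 < q < 2^16
ELL = Q.bit_length()            # floor(log q) + 1 = 16 bits per Z_q entry
M = (N + 1) * ELL               # m = (n+1)(floor(log q)+1) = 80


def matmul(A, B, q=Q):
    """(A @ B) mod q for list-of-lists matrices."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % q for col in cols] for row in A]

def gadget_matrix(n=N, q=Q):
    """G in Z_q^{(n+1) x m}: row i holds [1, 2, ..., 2^{floor(log q)}] from column i*ell."""
    ell = q.bit_length()
    G = [[0] * ((n + 1) * ell) for _ in range(n + 1)]
    for i in range(n + 1):
        for k in range(ell):
            G[i][i * ell + k] = (1 << k) % q
    return G

def gadget_inverse(X, q=Q):
    """G^{-1}: replace every entry by its ell bits (LSB first), so each row of X
    becomes ell binary rows. Not linear, but G @ G^{-1}(X) == X for all X over Z_q."""
    ell = q.bit_length()
    return [[(x >> k) & 1 for x in row] for row in X for k in range(ell)]

def keygen(rng, n=N, q=Q):
    """Public key B = [A ; s^T A + e^T], secret key t = (-s, 1); hence t^T B = e^T."""
    m = (n + 1) * q.bit_length()
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e = [rng.randint(-1, 1) for _ in range(m)]        # assumed low-norm LWE error
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return A + [b], [(-x) % q for x in s] + [1]

def encrypt(B, mu, rng, q=Q):
    """C = B R + mu G, with R a uniformly random binary m x m matrix."""
    m = len(B[0])
    R = [[rng.randrange(2) for _ in range(m)] for _ in range(m)]
    G = gadget_matrix(len(B) - 1, q)
    return [[(br + mu * g) % q for br, g in zip(rb, rg)] for rb, rg in zip(matmul(B, R, q), G)]

def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def decrypt(t, C, q=Q):
    """t^T C = error + mu t^T G (eq. 12.1). Column m-1 of G is 2^{floor(log q)} in the last
    row only and t ends in 1, so that coordinate of t^T C is error + mu * 2^{floor(log q)}."""
    v = centered(sum(ti * row[-1] for ti, row in zip(t, C)), q)
    return 0 if abs(v) < q // 4 else 1

def eval_mult(C1, C2, q=Q):
    """Evaluate(x): C_mult = C1 * G^{-1}(C2), again an (n+1) x m matrix."""
    return matmul(C1, gadget_inverse(C2, q), q)

def noise(t, C, mu, q=Q):
    """Largest |coordinate| of t^T C - mu t^T G, i.e. the error term of eq. 12.1."""
    G = gadget_matrix(len(t) - 1, q)
    tC, tG = matmul([t], C, q)[0], matmul([t], G, q)[0]
    return max(abs(centered(a - mu * b, q)) for a, b in zip(tC, tG))

def check_gadget_identities(seed=7, n=N, q=Q):
    """Fact 12.3: G(G^{-1}(X)) = X for a random X, and G^{-1}(G) = I_m."""
    rng = random.Random(seed)
    m = (n + 1) * q.bit_length()
    G = gadget_matrix(n, q)
    X = [[rng.randrange(q) for _ in range(m)] for _ in range(n + 1)]
    I = [[int(i == j) for j in range(m)] for i in range(m)]
    return matmul(G, gadget_inverse(X, q), q) == X and gadget_inverse(G, q) == I

def demo(seed=1):
    """For every bit pair: decrypt the two fresh ciphertexts and their homomorphic
    product, and record (fresh, product) noise so the growth per level is visible."""
    rng = random.Random(seed)
    B, t = keygen(rng)
    results, noises = {}, {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            C1, C2 = encrypt(B, m1, rng), encrypt(B, m2, rng)
            C12 = eval_mult(C1, C2)
            results[(m1, m2)] = (decrypt(t, C1), decrypt(t, C2), decrypt(t, C12))
            noises[(m1, m2)] = (noise(t, C1, m1), noise(t, C12, m1 * m2))
    return results, noises

if __name__ == "__main__":
    res, nz = demo()
    for bits, out in res.items():
        print(f"bits {bits}: Dec(C1), Dec(C2), Dec(C1*G^-1(C2)) = {out}; noise fresh/product = {nz[bits]}")
```

Running it prints, for each bit pair, the decryptions of the two fresh ciphertexts and of $C_1 \cdot G^{-1}(C_2)$ together with the error before and after the multiplication. Because $R_2$ and $G^{-1}(C_2)$ are $0/1$ matrices with $m$ rows, the product error is at most $m$ times the fresh error plus one fresh error, here $80 \cdot 80 + 80 = 6480 < q/4$, so decryption is guaranteed to succeed after one level; repeating the multiplication multiplies the bound by $m$ again at each level, which is why the construction is leveled and the parameters have to be sized for the intended depth.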
Under CPA-security, we have that for all messages $\mu_0, \mu_1$, $\mathrm{Enc}_{pk}(\mu_0) \approx \mathrm{Enc}_{pk}(\mu_1)$. Under something called circular security, we have that for all messages $\mu_0, \mu_1$,
$$\big(\mathrm{Enc}_{pk}(\mu_0), \mathrm{Enc}_{pk}(sk)\big) \approx \big(\mathrm{Enc}_{pk}(\mu_1), \mathrm{Enc}_{pk}(sk)\big),$$
i.e., ciphertexts remain indistinguishable even when an encryption of the scheme's own secret key is published alongside them. It is not known whether CPA-security implies circular security, and circular security is the stronger assumption. What we have shown is that if we have a leveled-FHE that is circular secure, then we can build a true FHE with unbounded homomorphism.
Remark 12.5. FHE with bounded homomorphism is often referred to as leveled-FHE. FHE with unbounded homomorphism is often just referred to as FHE.
Open Problem 12.6. Construct an FHE with unbounded homomorphism without relying on the additional circular security assumption.
These scribe notes were prepared by editing a light modification of the template designed by Alexander Sherstov.
[1] C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st ACM Symposium on Theory of Computing (STOC 2009), pages 169–178, 2009.