bootstrapping (with small error growth)cpeikert/pubs/slides-heat1.pdffully homomorphic encryption...
TRANSCRIPT
![Page 1: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/1.jpg)
Bootstrapping(with Small Error Growth)
Chris Peikert
University of Michigan
HEAT Summer School12 Oct 2015
1 / 14
![Page 2: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/2.jpg)
Fully Homomorphic Encryption [RAD’78,Gentry’09]
I FHE lets you do this:
µ Eval(f) f(µ)
A cryptographic “holy grail” with countless applications.
First solved in [Gentry’09], followed by[vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ]
I “Naturally occurring” schemes are somewhat homomorphic (SHE):can only evaluate functions of an a priori bounded depth.
µ Eval(f) f(µ) Eval(g) g(f(µ))
I Thus far, “bootstrapping” is required to achieve unbounded FHE.
2 / 14
![Page 3: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/3.jpg)
Fully Homomorphic Encryption [RAD’78,Gentry’09]
I FHE lets you do this:
µ Eval(f) f(µ)
A cryptographic “holy grail” with countless applications.
First solved in [Gentry’09], followed by[vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ]
I “Naturally occurring” schemes are somewhat homomorphic (SHE):can only evaluate functions of an a priori bounded depth.
µ Eval(f) f(µ) Eval(g) g(f(µ))
I Thus far, “bootstrapping” is required to achieve unbounded FHE.
2 / 14
![Page 4: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/4.jpg)
Fully Homomorphic Encryption [RAD’78,Gentry’09]
I FHE lets you do this:
µ Eval(f) f(µ)
A cryptographic “holy grail” with countless applications.
First solved in [Gentry’09], followed by[vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ]
I “Naturally occurring” schemes are somewhat homomorphic (SHE):can only evaluate functions of an a priori bounded depth.
µ Eval(f) f(µ) Eval(g) g(f(µ))
I Thus far, “bootstrapping” is required to achieve unbounded FHE.
2 / 14
![Page 5: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/5.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphically evaluate the SHE decryption function to “refresh” aciphertext µ , allowing further homomorphic operations.
I Decrypting µ as a function of sk:
sk Dec(· , µ
)µ
I Homomorphically decrypting µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime of Eval(Dec) is controlled by complexity of Dec.
Error growth of Eval(Dec) determines strength of cryptographic
assumption – e.g., initial LWE noise “rate” of sk .
3 / 14
![Page 6: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/6.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphically evaluate the SHE decryption function to “refresh” aciphertext µ , allowing further homomorphic operations.
I Decrypting µ as a function of sk:
sk Dec(· , µ
)µ
I Homomorphically decrypting µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime of Eval(Dec) is controlled by complexity of Dec.
Error growth of Eval(Dec) determines strength of cryptographic
assumption – e.g., initial LWE noise “rate” of sk .
3 / 14
![Page 7: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/7.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphically evaluate the SHE decryption function to “refresh” aciphertext µ , allowing further homomorphic operations.
I Decrypting µ as a function of sk:
sk Dec(· , µ
)µ
I Homomorphically decrypting µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime of Eval(Dec) is controlled by complexity of Dec.
Error growth of Eval(Dec) determines strength of cryptographic
assumption – e.g., initial LWE noise “rate” of sk .
3 / 14
![Page 8: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/8.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphically evaluate the SHE decryption function to “refresh” aciphertext µ , allowing further homomorphic operations.
I Decrypting µ as a function of sk:
sk Dec(· , µ
)µ
I Homomorphically decrypting µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime of Eval(Dec) is controlled by complexity of Dec.
Error growth of Eval(Dec) determines strength of cryptographic
assumption – e.g., initial LWE noise “rate” of sk .
3 / 14
![Page 9: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/9.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphically evaluate the SHE decryption function to “refresh” aciphertext µ , allowing further homomorphic operations.
I Decrypting µ as a function of sk:
sk Dec(· , µ
)µ
I Homomorphically decrypting µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime of Eval(Dec) is controlled by complexity of Dec.
Error growth of Eval(Dec) determines strength of cryptographic
assumption – e.g., initial LWE noise “rate” of sk .
3 / 14
![Page 10: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/10.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 11: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/11.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 12: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/12.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 13: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/13.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 14: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/14.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 15: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/15.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 16: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/16.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 17: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/17.jpg)
Bootstrapping: SHE → FHE [Gentry’09]
I Homomorphic decryption of µ on sk :
sk Eval(
Dec(· , µ
) )µ
I Runtime: quasi-linear O(λ) using rings [GHS’12,AP’13]
I Error growth using [BGV’12,B’12,GSW’13]:
F Homom Addition: Error grows additively.
F Homom Multiplication: Error grows by poly(λ) factor.
I Known boolean decryption circuits have logarithmic O(log λ) depth.
=⇒ Quasi-polynomial λO(log λ) error growth & lattice approx factors.
Can we do better??
4 / 14
![Page 18: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/18.jpg)
Agenda for the Talk
1 Branching program bootstrapping with (large) polynomial runtimeand error growth [BrakerskiVaikuntanathan’14]
2 Arithmetic bootstrapping with small polynomial runtime and growth[Alperin-SheriffPeikert’14]
3 Fast (< 1s) ring-based implementation[DucasMicciancio’15]
5 / 14
![Page 19: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/19.jpg)
Agenda for the Talk
1 Branching program bootstrapping with (large) polynomial runtimeand error growth [BrakerskiVaikuntanathan’14]
2 Arithmetic bootstrapping with small polynomial runtime and growth[Alperin-SheriffPeikert’14]
3 Fast (< 1s) ring-based implementation[DucasMicciancio’15]
5 / 14
![Page 20: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/20.jpg)
Agenda for the Talk
1 Branching program bootstrapping with (large) polynomial runtimeand error growth [BrakerskiVaikuntanathan’14]
2 Arithmetic bootstrapping with small polynomial runtime and growth[Alperin-SheriffPeikert’14]
3 Fast (< 1s) ring-based implementation[DucasMicciancio’15]
5 / 14
![Page 21: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/21.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 22: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/22.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 23: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/23.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 24: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/24.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 25: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/25.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 26: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/26.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 27: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/27.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 28: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/28.jpg)
Somewhat Homomorphic Encryption [GentrySahaiWaters’13]
I Recall “gadget” matrix G over Zq [MP’12]: for any matrix A over Zq,
G−1(A) is short (over Z) and G ·G−1(A) = A (mod q).
I Ciphertext encrypting µ ∈ Z under s is a Zq-matrix C satisfying
sC = µ · sG+ e ≈ µ · sG (mod q).
I Homomorphic add: C1 ‘ C2 := C1 +C2.
I Homomorphic mult: C1 d C2 := C1 ·G−1(C2).
s ·C1 ·G−1(C2) = (µ1 · sG+ e1) ·G−1(C2)
= µ1 · sC2 + e1 ·G−1(C2)
= µ1µ2 · sG+ µ1 · e2 + e1 ·G−1(C2)︸ ︷︷ ︸new error e
.
I (Can randomize G−1 for tighter error growth, full rerandomization.)
6 / 14
![Page 29: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/29.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Error growth for multiplication is asymmetric and “quasi-additive:”
Error in C := C1 d C2 is e1 · poly(λ) + µ1 · e2.
I Right-associative multiplication: for Ci encrypting µi ∈ {0,±1},
C1 d (· · · (Ct−2 d (Ct−1 d Ct)) · · · ) has error∑
i ei · poly(λ).
I Generalizes to orthogonal matrices over Z, e.g., permutation matrices.
Encrypt bitwise:(0 1
1 0
)︸ ︷︷ ︸
P1
d
(0 1
1 0
)︸ ︷︷ ︸
P2
=
(1 0
0 1
)︸ ︷︷ ︸
P1·P2(e1,1 e1,2e2,1 e2,2
)︸ ︷︷ ︸
E
,
(f1,1 f1,2f2,1 f2,2
)︸ ︷︷ ︸
F
→ E · poly(λ) +(f2,1 f2,2f1,1 f1,2
)︸ ︷︷ ︸
P1·F
7 / 14
![Page 30: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/30.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Error growth for multiplication is asymmetric and “quasi-additive:”
Error in C := C1 d C2 is e1 · poly(λ) + µ1 · e2.
I Right-associative multiplication: for Ci encrypting µi ∈ {0,±1},
C1 d (· · · (Ct−2 d (Ct−1 d Ct)) · · · ) has error∑
i ei · poly(λ).
I Generalizes to orthogonal matrices over Z, e.g., permutation matrices.
Encrypt bitwise:(0 1
1 0
)︸ ︷︷ ︸
P1
d
(0 1
1 0
)︸ ︷︷ ︸
P2
=
(1 0
0 1
)︸ ︷︷ ︸
P1·P2(e1,1 e1,2e2,1 e2,2
)︸ ︷︷ ︸
E
,
(f1,1 f1,2f2,1 f2,2
)︸ ︷︷ ︸
F
→ E · poly(λ) +(f2,1 f2,2f1,1 f1,2
)︸ ︷︷ ︸
P1·F
7 / 14
![Page 31: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/31.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Error growth for multiplication is asymmetric and “quasi-additive:”
Error in C := C1 d C2 is e1 · poly(λ) + µ1 · e2.
I Right-associative multiplication: for Ci encrypting µi ∈ {0,±1},
C1 d (· · · (Ct−2 d (Ct−1 d Ct)) · · · ) has error∑
i ei · poly(λ).
I Generalizes to orthogonal matrices over Z, e.g., permutation matrices.
Encrypt bitwise:(0 1
1 0
)︸ ︷︷ ︸
P1
d
(0 1
1 0
)︸ ︷︷ ︸
P2
=
(1 0
0 1
)︸ ︷︷ ︸
P1·P2(e1,1 e1,2e2,1 e2,2
)︸ ︷︷ ︸
E
,
(f1,1 f1,2f2,1 f2,2
)︸ ︷︷ ︸
F
→ E · poly(λ) +(f2,1 f2,2f1,1 f1,2
)︸ ︷︷ ︸
P1·F
7 / 14
![Page 32: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/32.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Polynomial error growth for any product of encrypted permutations.
I Barrington’s Theorem: boolean circuit → branching program:
0
0
1
P0,1
P0,0
P1,1
P1,0
. . .
. . .
P14,1
P14,0
P15,1
P15,0
I To refresh µ : convert Dec(·, µ ) to BP; homomorphically evaluateusing encrypted bits of sk to select from pairs Pi,0,Pi,1.
7 Drawback: Barrington’s transformation is very inefficient.
8 / 14
![Page 33: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/33.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Polynomial error growth for any product of encrypted permutations.
I Barrington’s Theorem: boolean circuit → branching program:
0
0
1
depth d
≈ 3 log λ
P0,1
P0,0
P1,1
P1,0
. . .
. . .
P14,1
P14,0
P15,1
P15,0
length 4d
≈ λ6
I To refresh µ : convert Dec(·, µ ) to BP; homomorphically evaluateusing encrypted bits of sk to select from pairs Pi,0,Pi,1.
7 Drawback: Barrington’s transformation is very inefficient.
8 / 14
![Page 34: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/34.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Polynomial error growth for any product of encrypted permutations.
I Barrington’s Theorem: boolean circuit → branching program:
0
0
1
depth d
≈ 3 log λ
P0,1
P0,0
P1,1
P1,0
. . .
. . .
P14,1
P14,0
P15,1
P15,0
length 4d
≈ λ6
I To refresh µ : convert Dec(·, µ ) to BP; homomorphically evaluateusing encrypted bits of sk to select from pairs Pi,0,Pi,1.
7 Drawback: Barrington’s transformation is very inefficient.
8 / 14
![Page 35: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/35.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Polynomial error growth for any product of encrypted permutations.
I Barrington’s Theorem: boolean circuit → branching program:
0
0
1
depth d
≈ 3 log λ
P0,1
P0,0
P1,1
P1,0
. . .
. . .
P14,1
P14,0
P15,1
P15,0
length 4d
≈ λ6
I To refresh µ : convert Dec(·, µ ) to BP; homomorphically evaluateusing encrypted bits of sk to select from pairs Pi,0,Pi,1.
7 Drawback: Barrington’s transformation is very inefficient.
8 / 14
![Page 36: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/36.jpg)
Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14]
I Polynomial error growth for any product of encrypted permutations.
I Barrington’s Theorem: boolean circuit → branching program:
0
0
1
depth d ≈ 3 log λ
P0,1
P0,0
P1,1
P1,0
. . .
. . .
P14,1
P14,0
P15,1
P15,0
length 4d ≈ λ6
I To refresh µ : convert Dec(·, µ ) to BP; homomorphically evaluateusing encrypted bits of sk to select from pairs Pi,0,Pi,1.
7 Drawback: Barrington’s transformation is very inefficient.
8 / 14
![Page 37: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/37.jpg)
More Efficient Bootstrapping [Alperin-SheriffPeikert’14]
I Faster algorithm with small polynomial error growth
Result: quasi-optimal O(λ) homom ops; O(λ2) error growth.
I Treats decryption as an arithmetic function over Zq, not a circuit.
Avoids Barrington’s Theorem – but still uses permutation matrices!
I Key idea: embed additive group (Zq,+) into a small symmetric group.
9 / 14
![Page 38: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/38.jpg)
More Efficient Bootstrapping [Alperin-SheriffPeikert’14]
I Faster algorithm with small polynomial error growth
Result: quasi-optimal O(λ) homom ops; O(λ2) error growth.
I Treats decryption as an arithmetic function over Zq, not a circuit.
Avoids Barrington’s Theorem – but still uses permutation matrices!
I Key idea: embed additive group (Zq,+) into a small symmetric group.
9 / 14
![Page 39: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/39.jpg)
More Efficient Bootstrapping [Alperin-SheriffPeikert’14]
I Faster algorithm with small polynomial error growth
Result: quasi-optimal O(λ) homom ops; O(λ2) error growth.
I Treats decryption as an arithmetic function over Zq, not a circuit.
Avoids Barrington’s Theorem – but still uses permutation matrices!
I Key idea: embed additive group (Zq,+) into a small symmetric group.
9 / 14
![Page 40: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/40.jpg)
More Efficient Bootstrapping [Alperin-SheriffPeikert’14]
I Faster algorithm with small polynomial error growth
Result: quasi-optimal O(λ) homom ops; O(λ2) error growth.
I Treats decryption as an arithmetic function over Zq, not a circuit.
Avoids Barrington’s Theorem – but still uses permutation matrices!
I Key idea: embed additive group (Zq,+) into a small symmetric group.
9 / 14
![Page 41: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/41.jpg)
More Efficient Bootstrapping [Alperin-SheriffPeikert’14]
I Faster algorithm with small polynomial error growth
Result: quasi-optimal O(λ) homom ops; O(λ2) error growth.
I Treats decryption as an arithmetic function over Zq, not a circuit.
Avoids Barrington’s Theorem – but still uses permutation matrices!
I Key idea: embed additive group (Zq,+) into a small symmetric group.
9 / 14
![Page 42: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/42.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations
10 / 14
![Page 43: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/43.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations
10 / 14
![Page 44: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/44.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations
10 / 14
![Page 45: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/45.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations
10 / 14
![Page 46: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/46.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations
10 / 14
![Page 47: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/47.jpg)
Overview of Bootstrapping Algorithm [AP’14]
I Decryption in LWE-based schemes is a “rounded inner product:”
Dec(s, c) := b〈s, c〉e2 ∈ {0, 1} with s ∈ Znq , c ∈ {0, 1}n
1 Prepare: Encrypt each sj ∈ Zq, embedded into a certain group G.
We need two homomorphic algorithms for Zq ⊆ G:
a ‘ b = a+ b and Equal?( v , z) =
{1 if v = z
0 otherwise
Given ciphertext c ∈ {0, 1}n and encryptions sj , we evaluate:
2 Inner Product: compute v := 〈 s , c〉 =ð
j: cj=1
sj
3 Round: compute bve2 :=ð
z: bze2=1
Equal?( v , z)
I It remains to define the group G andÐ
, Equal? operations10 / 14
![Page 48: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/48.jpg)
Warmup: Embedding (Zq,+) into G = (Sq, ·)
Zq 0 1 . . . q − 1
Sq
1
1 1
0
1
...
. . .
0
1
0 1
1
1
1...
. . .
0
1
. . .
0
1
1... 1
. . .
0
1
1
1
P0 P1 . . . Pq−1
I Embed s ∈ Zq as Ps and encrypt entry-wise (only need first column).
I Addition: a ‘ b implemented as Pa d Pb = Pa ·Pb
F Recall: Right-associative multiplication yields polynomial error growth.
I Equality test: Equal?( Pa , b): output bth entry.
I Bottom line: O(λ3) homomorphic operations to bootstrap.
11 / 14
![Page 49: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/49.jpg)
Warmup: Embedding (Zq,+) into G = (Sq, ·)
Zq 0 1 . . . q − 1
Sq
1
1 1
0 1...
. . .
0 1
0
1
1
1
1
.... . .
0 1
. . .
0 1
1
...
1
. . .
0 1
1
1
P0 P1 . . . Pq−1
I Embed s ∈ Zq as Ps and encrypt entry-wise (only need first column).
I Addition: a ‘ b implemented as Pa d Pb = Pa ·Pb
F Recall: Right-associative multiplication yields polynomial error growth.
I Equality test: Equal?( Pa , b): output bth entry.
I Bottom line: O(λ3) homomorphic operations to bootstrap.
11 / 14
![Page 50: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/50.jpg)
Warmup: Embedding (Zq,+) into G = (Sq, ·)
Zq 0 1 . . . q − 1
Sq
1
1 1
0 1...
. . .
0 1
0
1
1
1
1
.... . .
0 1
. . .
0 1
1
...
1
. . .
0 1
1
1
P0 P1 . . . Pq−1
I Embed s ∈ Zq as Ps and encrypt entry-wise (only need first column).
I Addition: a ‘ b implemented as Pa d Pb = Pa ·Pb
F Recall: Right-associative multiplication yields polynomial error growth.
I Equality test: Equal?( Pa , b): output bth entry.
I Bottom line: O(λ3) homomorphic operations to bootstrap.
11 / 14
![Page 51: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/51.jpg)
Warmup: Embedding (Zq,+) into G = (Sq, ·)
Zq 0 1 . . . q − 1
Sq
1
1 1
0 1...
. . .
0 1
0
1
1
1
1
.... . .
0 1
. . .
0 1
1
...
1
. . .
0 1
1
1
P0 P1 . . . Pq−1
I Embed s ∈ Zq as Ps and encrypt entry-wise (only need first column).
I Addition: a ‘ b implemented as Pa d Pb = Pa ·Pb
F Recall: Right-associative multiplication yields polynomial error growth.
I Equality test: Equal?( Pa , b): output bth entry.
I Bottom line: O(λ3) homomorphic operations to bootstrap.
11 / 14
![Page 52: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/52.jpg)
Warmup: Embedding (Zq,+) into G = (Sq, ·)
Zq 0 1 . . . q − 1
Sq
1
1 1
0 1...
. . .
0 1
0
1
1
1
1
.... . .
0 1
. . .
0 1
1
...
1
. . .
0 1
1
1
P0 P1 . . . Pq−1
I Embed s ∈ Zq as Ps and encrypt entry-wise (only need first column).
I Addition: a ‘ b implemented as Pa d Pb = Pa ·Pb
F Recall: Right-associative multiplication yields polynomial error growth.
I Equality test: Equal?( Pa , b): output bth entry.
I Bottom line: O(λ3) homomorphic operations to bootstrap.
11 / 14
![Page 53: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/53.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × Zpt
I New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 54: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/54.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × Zpt
I New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 55: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/55.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × ZptI New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 56: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/56.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × ZptI New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 57: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/57.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × ZptI New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 58: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/58.jpg)
Embedding (Zq,+) into Smaller Symmetric Groups
I Use q = p1 · · · pt = O(λ) for distinct prime pi.
F Prime Number Theorem allows pi, t = O(log λ).
Chinese Remainder Theorem: Zq ∼= Zp1 × · · · × ZptI New embedding:
Zq → Sp1 × · · · × Spt[⊆ S∑ pi
]x 7→ (Px mod p1 , . . . ,Px mod pt)
I Addition ‘: same as in warmup, but component-wise
I Equality test:
Equalq( a , b) =ô
i
Equalpi( ai , b mod pi)
I Bottom line: O(λ) homomorphic operations to bootstrap.
12 / 14
![Page 59: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/59.jpg)
Refinement and Implementation [DucasMicciancio’15]
I Observation [AP’14]: using ring-LWE in the mth cyclotomic ring R,can work with r-dim orthogonal matrices over R (instead of Z):the generalized symmetric group Zm o Sr.
In particular, m = q and r = 1 yields Zq.
I With a clever view of NAND as a mod-4 additive threshold, [DM’15]
designed a specialized “bootstrapped NAND” procedure.
I FFTW for fast ring operations =⇒ bootstrapping in 0.6 sec: FHEW!
13 / 14
![Page 60: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/60.jpg)
Refinement and Implementation [DucasMicciancio’15]
I Observation [AP’14]: using ring-LWE in the mth cyclotomic ring R,can work with r-dim orthogonal matrices over R (instead of Z):the generalized symmetric group Zm o Sr.In particular, m = q and r = 1 yields Zq.
I With a clever view of NAND as a mod-4 additive threshold, [DM’15]
designed a specialized “bootstrapped NAND” procedure.
I FFTW for fast ring operations =⇒ bootstrapping in 0.6 sec: FHEW!
13 / 14
![Page 61: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/61.jpg)
Refinement and Implementation [DucasMicciancio’15]
I Observation [AP’14]: using ring-LWE in the mth cyclotomic ring R,can work with r-dim orthogonal matrices over R (instead of Z):the generalized symmetric group Zm o Sr.In particular, m = q and r = 1 yields Zq.
I With a clever view of NAND as a mod-4 additive threshold, [DM’15]
designed a specialized “bootstrapped NAND” procedure.
I FFTW for fast ring operations =⇒ bootstrapping in 0.6 sec: FHEW!
13 / 14
![Page 62: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/62.jpg)
Refinement and Implementation [DucasMicciancio’15]
I Observation [AP’14]: using ring-LWE in the mth cyclotomic ring R,can work with r-dim orthogonal matrices over R (instead of Z):the generalized symmetric group Zm o Sr.In particular, m = q and r = 1 yields Zq.
I With a clever view of NAND as a mod-4 additive threshold, [DM’15]
designed a specialized “bootstrapped NAND” procedure.
I FFTW for fast ring operations =⇒ bootstrapping in 0.6 sec: FHEW!
13 / 14
![Page 63: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/63.jpg)
Open Problems
I Can we bootstrap in sublinear # homom ops with polynomial error?
Bottleneck in [GSW’13]: few plaintext bits / ciphertext (no “packing”).
I Circular security for unbounded FHE?
As usual, unbounded FHE requires a “circular security” assumption:that it is safe to reveal an encryption of (embedded) sk under itself.
Does our representation of sk help or hurt security?
I Can we bootstrap FHS/ABE/PE?
Current schemes are like “somewhat homomorphic” encryption: theyhave an a priori bound on circuits they can handle.
Thanks!
14 / 14
![Page 64: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/64.jpg)
Open Problems
I Can we bootstrap in sublinear # homom ops with polynomial error?
Bottleneck in [GSW’13]: few plaintext bits / ciphertext (no “packing”).
I Circular security for unbounded FHE?
As usual, unbounded FHE requires a “circular security” assumption:that it is safe to reveal an encryption of (embedded) sk under itself.
Does our representation of sk help or hurt security?
I Can we bootstrap FHS/ABE/PE?
Current schemes are like “somewhat homomorphic” encryption: theyhave an a priori bound on circuits they can handle.
Thanks!
14 / 14
![Page 65: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/65.jpg)
Open Problems
I Can we bootstrap in sublinear # homom ops with polynomial error?
Bottleneck in [GSW’13]: few plaintext bits / ciphertext (no “packing”).
I Circular security for unbounded FHE?
As usual, unbounded FHE requires a “circular security” assumption:that it is safe to reveal an encryption of (embedded) sk under itself.
Does our representation of sk help or hurt security?
I Can we bootstrap FHS/ABE/PE?
Current schemes are like “somewhat homomorphic” encryption: theyhave an a priori bound on circuits they can handle.
Thanks!
14 / 14
![Page 66: Bootstrapping (with Small Error Growth)cpeikert/pubs/slides-heat1.pdfFully Homomorphic Encryption [RAD’78,Gentry’09] I FHE lets you do this: Eval(f) f( ) A cryptographic \holy](https://reader031.vdocuments.us/reader031/viewer/2022022513/5af04ef97f8b9ac57a8e6999/html5/thumbnails/66.jpg)
Open Problems
I Can we bootstrap in sublinear # homom ops with polynomial error?
Bottleneck in [GSW’13]: few plaintext bits / ciphertext (no “packing”).
I Circular security for unbounded FHE?
As usual, unbounded FHE requires a “circular security” assumption:that it is safe to reveal an encryption of (embedded) sk under itself.
Does our representation of sk help or hurt security?
I Can we bootstrap FHS/ABE/PE?
Current schemes are like “somewhat homomorphic” encryption: theyhave an a priori bound on circuits they can handle.
Thanks!
14 / 14