
Bootstrapping for HElib

Journal of Cryptology

Abstract

Gentry’s bootstrapping technique is still the only known method of obtaining fully homomorphic encryption where the system’s parameters do not depend on the complexity of the evaluated functions. Bootstrapping involves a recryption procedure where the scheme’s decryption algorithm is evaluated homomorphically. Prior to this work, there were very few implementations of recryption and fewer still that can handle “packed ciphertexts” that encrypt vectors of elements. In the current work, we report on an implementation of recryption of fully packed ciphertexts using the HElib library for somewhat homomorphic encryption. This implementation required extending previous recryption algorithms from the literature, as well as many aspects of the HElib library. Our implementation supports bootstrapping of packed ciphertexts over many extension fields/rings. One example that we tested involves ciphertexts that encrypt vectors of 1024 elements from \({\text {GF}}(2^{16})\). In that setting, the recryption procedure takes under 3 min (at security level \(\approx 80\)) on a single core and allows a multiplicative depth-11 computation before the next recryption is needed. This report updates the results that we reported in Eurocrypt 2015 in several ways. Most importantly, it includes a much more robust method for deriving the parameters, ensuring that recryption errors only occur with negligible probability. Many aspects of this analysis are proved, and for the few well-specified heuristics that we made, we report on thorough experimentation to validate them. The procedure that we describe here is also significantly more efficient than in the previous version, incorporating many optimizations that were reported elsewhere (such as more efficient linear transformations) and adding a few new ones. 
Finally, our implementation now also incorporates Chen and Han’s techniques from Eurocrypt 2018 for more efficient digit extraction (for some parameters), as well as for “thin bootstrapping” when the ciphertext is only sparsely packed.

Notes

  1. The latter setting is conducive to homomorphic AES, see, e.g., the long version of [20].

  2. This is a slight simplification, the actual formula for \(p=2\) is \(\mathfrak {m}\leftarrow \mathfrak {u}\langle {e}\rangle \oplus \mathfrak {u}\langle {e-1}\rangle \oplus \mathfrak {u}\langle {0}\rangle \), see Lemma 5.1.

  3. As we discuss in Sect. 7, there are still sufficiently many settings that satisfy these requirements.

  4. The analysis in Sect. 4 considered a more general notion of powerful basis, with respect to arbitrary pair-wise coprime factorizations of m. The analysis here does not apply to this more general notion.

  5. The p value of a statistic is the probability of seeing this value under the distribution that we want to test for (i.e., normal with variance \(\sigma ^2\) in our case).

  6. We ran the estimator with reduction_cost_model=BKZ.sieve and secret_distribution=((-1,1), HammingWeight).

  7. For this, we used a slightly more conservative bound than (13), with \(\tfrac{2}{3} p^r(B^* + 0.5)\) on the right-hand side.

  8. The implementation employs a heuristic method, choosing Chen–Han when it appears that it should save on noise.

  9. Whether or not we use ring switching, each stage of the linear transformation has depth of at least one multiply-by-constant, which consumes at least half a level in terms of added noise.

  10. More specifically, the key switching matrices that allow us to process it must be defined in a large ring.

References

  1. M. R. Albrecht, R. Player, and S. Scott. On the concrete hardness of learning with errors. Journal of Mathematical Cryptology, 9:169–203, 10 2015. See also https://bitbucket.org/malb/lwe-estimator/src/master/ and https://ia.cr/2015/046 (accessed September 2020).

  2. J. Alperin-Sheriff and C. Peikert. Practical bootstrapping in quasilinear time. In R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO’13, volume 8042 of Lecture Notes in Computer Science, pages 1–20. Springer, 2013.

  3. T. W. Anderson and D. A. Darling. Asymptotic Theory of Certain “Goodness of Fit” Criteria Based on Stochastic Processes. Ann. Math. Statist., 23(2):193–212, 06 1952.

  4. C. Boura, N. Gama, and M. Georgieva. Chimera: a unified framework for B/FV, TFHE and HEAAN fully homomorphic encryption and predictions for deep learning. IACR Cryptology ePrint Archive, 2018:758, 2018.

  5. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory, 6(3):13, 2014.

  6. H. Chen and K. Han. Homomorphic lower digits removal and improved FHE bootstrapping. In EUROCRYPT 2018, volume 10820 of Lecture Notes in Computer Science, pages 315–337. Springer, 2018.

  7. J. H. Cheon, J. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, and A. Yun. Batch fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, pages 315–335, 2013.

  8. J. H. Cheon, K. Han, A. Kim, M. Kim, and Y. Song. Bootstrapping for approximate homomorphic encryption. In EUROCRYPT 2018, volume 10820 of Lecture Notes in Computer Science, pages 360–384. Springer, 2018.

  9. J. H. Cheon, A. Kim, M. Kim, and Y. Song. Homomorphic encryption for arithmetic of approximate numbers. In Asiacrypt 2017, volume 10625 of Lecture Notes in Computer Science, pages 409–437. Springer, 2017.

  10. I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds. In ASIACRYPT 2016, volume 10031 of Lecture Notes in Computer Science, pages 3–33. Springer, 2016.

  11. I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In ASIACRYPT 2017, volume 10624 of Lecture Notes in Computer Science, pages 377–408. Springer, 2017.

  12. J. Coron, T. Lepoint, and M. Tibouchi. Batch fully homomorphic encryption over the integers. IACR Cryptology ePrint Archive, 2013:36, 2013.

  13. J. Coron, D. Naccache, and M. Tibouchi. Public key compression and modulus switching for fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 446–464, 2012.

  14. I. Damgård, V. Pastro, N. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. Cryptology ePrint Archive, Report 2011/535, 2011. https://eprint.iacr.org/2011/535.

  15. L. Ducas and D. Micciancio. FHE Bootstrapping in less than a second. Cryptology ePrint Archive, Report 2014/816, 2014. http://eprint.iacr.org/.

  16. C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009, pages 169–178. ACM, 2009.

  17. C. Gentry and S. Halevi. Implementing Gentry’s fully-homomorphic encryption scheme. In Advances in Cryptology - EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pages 129–148. Springer, 2011.

  18. C. Gentry, S. Halevi, C. Peikert, and N. P. Smart. Field switching in BGV-style homomorphic encryption. Journal of Computer Security, 21(5):663–684, 2013.

  19. C. Gentry, S. Halevi, and N. Smart. Fully homomorphic encryption with polylog overhead. In Advances in Cryptology – EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 465–482. Springer, 2012. Full version at http://eprint.iacr.org/2011/566.

  20. C. Gentry, S. Halevi, and N. Smart. Homomorphic evaluation of the AES circuit. In Advances in Cryptology – CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, pages 850–867. Springer, 2012. Full version at http://eprint.iacr.org/2012/099.

  21. C. Gentry, S. Halevi, and N. P. Smart. Better bootstrapping in fully homomorphic encryption. In Public Key Cryptography – PKC 2012, volume 7293 of Lecture Notes in Computer Science, pages 1–16. Springer, 2012.

  22. C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO 2013, Part I, pages 75–92. Springer, 2013.

  23. S. Halevi and V. Shoup. Algorithms in HElib. In J. A. Garay and R. Gennaro, editors, Advances in Cryptology – CRYPTO 2014, Part I, pages 554–571. Springer, 2014. Long version at http://eprint.iacr.org/2014/106.

  24. S. Halevi and V. Shoup. Bootstrapping for HElib. In EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pages 641–670. Springer, 2015.

  25. S. Halevi and V. Shoup. Faster homomorphic linear transformations in helib. In H. Shacham and A. Boldyreva, editors, Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part I, volume 10991 of Lecture Notes in Computer Science, pages 93–120. Springer, 2018.

  26. S. Halevi and V. Shoup. HElib - An Implementation of homomorphic encryption. https://github.com/shaih/HElib/, Accessed September 2014.

  27. K. Han, M. Hhan, and J. H. Cheon. Improved homomorphic discrete fourier transforms and FHE bootstrapping. IEEE Access, 7:57361–57370, 2019.

  28. K. Han and D. Ki. Better bootstrapping for approximate homomorphic encryption. IACR Cryptology ePrint Archive, 2019:688, 2019.

  29. J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In J. Buhler, editor, ANTS, volume 1423 of Lecture Notes in Computer Science, pages 267–288. Springer, 1998.

  30. E. Juárez, R. Cortés-Maldonado, and F. Pérez-Rodriguez. Relationship between the inverses of a matrix and a submatrix. Computación y Sistemas, 20:251–262, 2016.

  31. A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In STOC, pages 1219–1234, 2012.

  32. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. J. ACM, 60(6):43, 2013. Early version in EUROCRYPT 2010.

  33. V. Lyubashevsky, C. Peikert, and O. Regev. A toolkit for ring-lwe cryptography. Cryptology ePrint Archive, Report 2013/293, 2013. https://eprint.iacr.org/2013/293.

  34. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6), 2009.

  35. R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages 169–177. Academic Press, 1978.

  36. K. Rohloff and D. B. Cousins. A scalable implementation of fully homomorphic encryption built on NTRU. 2nd Workshop on Applied Homomorphic Cryptography and Encrypted Computing, WAHC’14, 2014. Available at https://www.dcsec.uni-hannover.de/fileadmin/ful/mitarbeiter/brenner/wahc14_RC.pdf, accessed September 2014.

  37. S. Roman. Field Theory. Springer, 2nd edition, 2005.

  38. N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. Des. Codes Cryptography, 71(1):57–81, 2014. Early version at http://eprint.iacr.org/2011/133.

  39. M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010. Proceedings, pages 24–43, 2010.

Author information

Corresponding author

Correspondence to Shai Halevi.

Additional information

Editorial responsibility Frederik Vercauteren

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Work partially done in IBM Research. The second author was supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the US Government. The US Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.

About this article

Cite this article

Halevi, S., Shoup, V. Bootstrapping for HElib. J Cryptol 34, 7 (2021). https://doi.org/10.1007/s00145-020-09368-7

  • DOI: https://doi.org/10.1007/s00145-020-09368-7