Abstract
Gentry’s bootstrapping technique is still the only known method of obtaining fully homomorphic encryption where the system’s parameters do not depend on the complexity of the evaluated functions. Bootstrapping involves a recryption procedure where the scheme’s decryption algorithm is evaluated homomorphically. Prior to this work, there were very few implementations of recryption and fewer still that can handle “packed ciphertexts” that encrypt vectors of elements. In the current work, we report on an implementation of recryption of fully packed ciphertexts using the HElib library for somewhat homomorphic encryption. This implementation required extending previous recryption algorithms from the literature, as well as many aspects of the HElib library. Our implementation supports bootstrapping of packed ciphertexts over many extension fields/rings. One example that we tested involves ciphertexts that encrypt vectors of 1024 elements from \({\text {GF}}(2^{16})\). In that setting, the recryption procedure takes under 3 min (at security level \(\approx 80\)) on a single core and allows a multiplicative depth-11 computation before the next recryption is needed. This report updates the results that we reported in Eurocrypt 2015 in several ways. Most importantly, it includes a much more robust method for deriving the parameters, ensuring that recryption errors only occur with negligible probability. Many aspects of this analysis are proved, and for the few well-specified heuristics that we made, we report on thorough experimentation to validate them. The procedure that we describe here is also significantly more efficient than in the previous version, incorporating many optimizations that were reported elsewhere (such as more efficient linear transformations) and adding a few new ones. 
Finally, our implementation now also incorporates Chen and Han’s techniques from Eurocrypt 2018 for more efficient digit extraction (for some parameters), as well as for “thin bootstrapping” when the ciphertext is only sparsely packed.
Notes
The latter setting is conducive to homomorphic AES; see, e.g., the long version of [20].
This is a slight simplification; the actual formula for \(p=2\) is \(\mathfrak {m}\leftarrow \mathfrak {u}\langle {e}\rangle \oplus \mathfrak {u}\langle {e-1}\rangle \oplus \mathfrak {u}\langle {0}\rangle \), see Lemma 5.1.
As we discuss in Sect. 7, there are still sufficiently many settings that satisfy these requirements.
The analysis in Sect. 4 considered a more general notion of powerful basis, with respect to arbitrary pair-wise coprime factorizations of m. The analysis here does not apply to this more general notion.
The p value of a statistic is the probability of seeing this value under the distribution that we want to test for (i.e., normal with variance \(\sigma ^2\) in our case).
We ran the estimator with reduction_cost_model=BKZ.sieve and secret_distribution=((-1,1), HammingWeight).
For this, we used a slightly more conservative bound than (13), with \(\tfrac{2}{3} p^r(B^* + 0.5)\) on the right-hand side.
The implementation employs a heuristic method, choosing Chen–Han when it appears that it should save on noise.
Whether or not we use ring switching, each stage of the linear transformation has depth of at least one multiply-by-constant, which consumes at least half a level in terms of added noise.
More specifically, the key switching matrices that allow us to process it must be defined in a large ring.
References
M. R. Albrecht, R. Player, and S. Scott. On the concrete hardness of learning with errors. Journal of Mathematical Cryptology, 9:169–203, 10 2015. See also https://bitbucket.org/malb/lwe-estimator/src/master/ and https://ia.cr/2015/046 (accessed September 2020).
J. Alperin-Sheriff and C. Peikert. Practical bootstrapping in quasilinear time. In R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO’13, volume 8042 of Lecture Notes in Computer Science, pages 1–20. Springer, 2013.
T. W. Anderson and D. A. Darling. Asymptotic Theory of Certain “Goodness of Fit” Criteria Based on Stochastic Processes. Ann. Math. Statist., 23(2):193–212, 06 1952.
C. Boura, N. Gama, and M. Georgieva. Chimera: a unified framework for B/FV, TFHE and HEAAN fully homomorphic encryption and predictions for deep learning. IACR Cryptology ePrint Archive, 2018:758, 2018.
Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory, 6(3):13, 2014.
H. Chen and K. Han. Homomorphic lower digits removal and improved FHE bootstrapping. In EUROCRYPT 2018, volume 10820 of Lecture Notes in Computer Science, pages 315–337. Springer, 2018.
J. H. Cheon, J. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, and A. Yun. Batch fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, pages 315–335, 2013.
J. H. Cheon, K. Han, A. Kim, M. Kim, and Y. Song. Bootstrapping for approximate homomorphic encryption. In EUROCRYPT 2018, volume 10820 of Lecture Notes in Computer Science, pages 360–384. Springer, 2018.
J. H. Cheon, A. Kim, M. Kim, and Y. Song. Homomorphic encryption for arithmetic of approximate numbers. In Asiacrypt 2017, volume 10625 of Lecture Notes in Computer Science, pages 409–437. Springer, 2017.
I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds. In ASIACRYPT 2016, volume 10031 of Lecture Notes in Computer Science, pages 3–33. Springer, 2016.
I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In ASIACRYPT 2017, volume 10624 of Lecture Notes in Computer Science, pages 377–408. Springer, 2017.
J. Coron, T. Lepoint, and M. Tibouchi. Batch fully homomorphic encryption over the integers. IACR Cryptology ePrint Archive, 2013:36, 2013.
J. Coron, D. Naccache, and M. Tibouchi. Public key compression and modulus switching for fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 446–464, 2012.
I. Damgård, V. Pastro, N. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. Cryptology ePrint Archive, Report 2011/535, 2011. https://eprint.iacr.org/2011/535.
L. Ducas and D. Micciancio. FHE Bootstrapping in less than a second. Cryptology ePrint Archive, Report 2014/816, 2014. http://eprint.iacr.org/.
C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009, pages 169–178. ACM, 2009.
C. Gentry and S. Halevi. Implementing Gentry’s fully-homomorphic encryption scheme. In Advances in Cryptology - EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pages 129–148. Springer, 2011.
C. Gentry, S. Halevi, C. Peikert, and N. P. Smart. Field switching in BGV-style homomorphic encryption. Journal of Computer Security, 21(5):663–684, 2013.
C. Gentry, S. Halevi, and N. Smart. Fully homomorphic encryption with polylog overhead. In Advances in Cryptology – EUROCRYPT 2012, volume 7237 of Lecture Notes in Computer Science, pages 465–482. Springer, 2012. Full version at http://eprint.iacr.org/2011/566.
C. Gentry, S. Halevi, and N. Smart. Homomorphic evaluation of the AES circuit. In Advances in Cryptology – CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, pages 850–867. Springer, 2012. Full version at http://eprint.iacr.org/2012/099.
C. Gentry, S. Halevi, and N. P. Smart. Better bootstrapping in fully homomorphic encryption. In Public Key Cryptography – PKC 2012, volume 7293 of Lecture Notes in Computer Science, pages 1–16. Springer, 2012.
C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO 2013, Part I, pages 75–92. Springer, 2013.
S. Halevi and V. Shoup. Algorithms in HElib. In J. A. Garay and R. Gennaro, editors, Advances in Cryptology – CRYPTO 2014, Part I, pages 554–571. Springer, 2014. Long version at http://eprint.iacr.org/2014/106.
S. Halevi and V. Shoup. Bootstrapping for HElib. In EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pages 641–670. Springer, 2015.
S. Halevi and V. Shoup. Faster homomorphic linear transformations in HElib. In H. Shacham and A. Boldyreva, editors, Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part I, volume 10991 of Lecture Notes in Computer Science, pages 93–120. Springer, 2018.
S. Halevi and V. Shoup. HElib - An Implementation of homomorphic encryption. https://github.com/shaih/HElib/, Accessed September 2014.
K. Han, M. Hhan, and J. H. Cheon. Improved homomorphic discrete fourier transforms and FHE bootstrapping. IEEE Access, 7:57361–57370, 2019.
K. Han and D. Ki. Better bootstrapping for approximate homomorphic encryption. IACR Cryptology ePrint Archive, 2019:688, 2019.
J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In J. Buhler, editor, ANTS, volume 1423 of Lecture Notes in Computer Science, pages 267–288. Springer, 1998.
E. Juárez, R. Cortés-Maldonado, and F. Pérez-Rodriguez. Relationship between the inverses of a matrix and a submatrix. Computación y Sistemas, 20:251–262, 2016.
A. López-Alt, E. Tromer, and V. Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In STOC, pages 1219–1234, 2012.
V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. J. ACM, 60(6):43, 2013. Early version in EUROCRYPT 2010.
V. Lyubashevsky, C. Peikert, and O. Regev. A toolkit for ring-LWE cryptography. Cryptology ePrint Archive, Report 2013/293, 2013. https://eprint.iacr.org/2013/293.
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6), 2009.
R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages 169–177. Academic Press, 1978.
K. Rohloff and D. B. Cousins. A scalable implementation of fully homomorphic encryption built on NTRU. 2nd Workshop on Applied Homomorphic Cryptography and Encrypted Computing, WAHC’14, 2014. Available at https://www.dcsec.uni-hannover.de/fileadmin/ful/mitarbeiter/brenner/wahc14_RC.pdf, accessed September 2014.
S. Roman. Field Theory. Springer, 2nd edition, 2005.
N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. Des. Codes Cryptography, 71(1):57–81, 2014. Early version at http://eprint.iacr.org/2011/133.
M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010. Proceedings, pages 24–43, 2010.
Additional information
Editorial responsibility: Frederik Vercauteren
Work partially done in IBM Research. The second author was supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the US Government. The US Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.
About this article
Cite this article
Halevi, S., Shoup, V. Bootstrapping for HElib. J Cryptol 34, 7 (2021). https://doi.org/10.1007/s00145-020-09368-7