Practical Bootstrapping in Quasilinear Time
Gentry's "bootstrapping" technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a "somewhat homomorphic" one that is powerful enough to evaluate its own decryption function. To date, it remains the only known way of obtaining unbounded FHE. Unfortunately, bootstrapping is computationally very expensive, despite the great deal of effort that has been spent on improving its efficiency. The current state of the art, due to Gentry, Halevi, and Smart (PKC 2012), is able to bootstrap "packed" ciphertexts (which encrypt up to a linear number of bits) in time only quasilinear $\tilde{O}(\lambda) = \lambda \cdot \log^{O(1)} \lambda$ in the security parameter. While this performance is asymptotically optimal up to logarithmic factors, the practical import is less clear: the procedure composes multiple layers of expensive and complex operations, to the point where it appears very difficult to implement, and its concrete runtime appears worse than those of prior methods (all of which have quadratic or larger asymptotic runtimes).

In this work we give simple, practical, and entirely algebraic algorithms for bootstrapping in quasilinear time, for both "packed" and "non-packed" ciphertexts. Our methods are easy to implement (especially in the non-packed case), and we believe that they will be substantially more efficient in practice than all prior realizations of bootstrapping. One of our main techniques is a substantial enhancement of the "ring-switching" procedure of Gentry et al. (SCN 2012), which we extend to support switching between two rings where neither is a subring of the other. Using this procedure, we give a natural method for homomorphically evaluating a broad class of structured linear transformations, including one that lets us evaluate the decryption function efficiently.
Ring Packing and Amortized FHEW Bootstrapping
The FHEW fully homomorphic encryption scheme (Ducas and Micciancio, Eurocrypt 2015) offers very fast homomorphic NAND-gate computations (on encrypted data) and a relatively fast refreshing procedure that allows one to homomorphically evaluate arbitrary NAND boolean circuits. Unfortunately, the refreshing procedure needs to be executed after every single NAND computation, and each refreshing operates on a single encrypted bit, greatly decreasing the overall throughput of the scheme. We give a new refreshing procedure that simultaneously refreshes n FHEW ciphertexts, at a cost comparable to a single-bit FHEW refreshing operation. As a result, the cost of each refreshing is amortized over n encrypted bits, improving the throughput for the homomorphic evaluation of boolean circuits roughly by a factor n.
A Survey on Homomorphic Encryption Schemes: Theory and Implementation
Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to be performed on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far have demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes, are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.

Comment: Updated October 6, 2017. This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholders.
Extend FHEW to General Case
When talking about FHE, the refresh process is a little different from the bootstrapping process. Bootstrapping always means that a scheme homomorphically evaluates its own decryption process, while refresh implies that another scheme, usually at a larger scale, is used to perform its decryption process. In EUROCRYPT 2015, Ducas and Micciancio proposed an FHE scheme which can perform the refresh process in less than a second, called DM14, but the scheme only supports a bit plaintext space, which is cumbersome for many applications. Extending DM14 to a large plaintext space became an open problem. In order to solve it, we improved the msbExtract process to handle a large base, by mapping each element to a position. As a result, we constructed an efficient FHE scheme with a large plaintext space and a quick refresh process. We implemented our scheme on a computer and made a comparison between our performance and DM14. The result is that the running time is almost the same when the plaintext space is extended from 2 to 8.
Optimization of Bootstrapping in Circuits
In 2009, Gentry proposed the first Fully Homomorphic Encryption (FHE) scheme, an extremely powerful cryptographic primitive that enables one to perform computations, i.e., to evaluate circuits, on encrypted data without decrypting them first. This has many applications, in particular in cloud computing.
In all currently known FHE schemes, encryptions are associated with some (non-negative integer) noise level, and at each evaluation of an AND gate, the noise level increases. This is problematic because decryption can only work if the noise level stays below some maximum level at every gate of the circuit. To ensure that property, it is possible to perform an operation called _bootstrapping_ to reduce the noise level. However, bootstrapping is time-consuming and has been identified as a critical operation. This motivates a new problem in discrete optimization, that of choosing where in the circuit to perform bootstrapping operations so as to control the noise level; the goal is to minimize the number of bootstrappings in circuits.
In this paper, we formally define the _bootstrap problem_, we design a polynomial-time -approximation algorithm using a novel method of rounding of a linear program, and we show a matching hardness result: -inapproximability for any
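Worked example, added here and not taken from the paper above: a toy instance of the bootstrap problem the abstract describes. The noise model is an assumption chosen for illustration (fresh input wires sit at level 0, an AND gate outputs 1 plus the largest input level, XOR and NOT pass the largest input level through, and bootstrapping a wire resets it to 0); the five-gate circuit, the greedy "refresh as late as possible" rule and the brute-force search are all constructed for this example. With maximum level 2, the greedy rule spends two bootstraps on wires `b` and `c`, whereas a single bootstrap on the shared wire `a` keeps every gate within budget; this gap between a local rule and the optimum is what the paper's LP-based placement algorithm addresses.

```python
"""Bootstrap placement on a boolean circuit under an assumed noise model.

Added example, not code from the paper.  Model assumptions:
  * fresh input wires (names starting with "x") carry noise level 0;
  * an AND gate outputs 1 + max(input noise levels);
  * XOR and NOT gates output max(input noise levels) unchanged;
  * bootstrapping a wire resets the level its consumers see to REFRESH_LEVEL;
  * a placement is valid when every gate output has noise <= max_noise.
"""
from itertools import combinations

REFRESH_LEVEL = 0

# Constructed circuit: wire name -> (gate type, input wires), in topological
# order.  Wire "a" feeds two AND gates, which is what makes placement matter.
CIRCUIT = {
    "a": ("AND", ["x0", "x1"]),
    "b": ("AND", ["a", "x2"]),
    "c": ("AND", ["a", "x3"]),
    "d": ("XOR", ["b", "c"]),
    "e": ("AND", ["d", "x4"]),
}


def gate_noise(op, input_noise):
    """Noise level at a gate output under the model above."""
    worst = max(input_noise)
    return worst + 1 if op == "AND" else worst


def noise_levels(circuit, bootstrapped):
    """Return {wire: raw noise of that wire, before any bootstrap on it}.

    `bootstrapped` is the set of wires refreshed right after they are
    computed; gates consuming such a wire see REFRESH_LEVEL instead.
    """
    raw, seen = {}, {}
    for wire, (op, inputs) in circuit.items():
        in_noise = [seen.get(w, 0) for w in inputs]  # x* inputs are fresh
        raw[wire] = gate_noise(op, in_noise)
        seen[wire] = REFRESH_LEVEL if wire in bootstrapped else raw[wire]
    return raw


def is_valid(circuit, bootstrapped, max_noise):
    """True when no gate output exceeds max_noise under this placement."""
    return all(n <= max_noise for n in noise_levels(circuit, bootstrapped).values())


def greedy_bootstrap(circuit, max_noise):
    """Local rule: bootstrap a wire the moment its level reaches max_noise.

    Always yields a valid placement for max_noise >= 1 (every gate input is
    then < max_noise), but not necessarily a minimal one.
    """
    chosen, seen = set(), {}
    for wire, (op, inputs) in circuit.items():
        level = gate_noise(op, [seen.get(w, 0) for w in inputs])
        if level >= max_noise:
            chosen.add(wire)
            level = REFRESH_LEVEL
        seen[wire] = level
    return chosen


def brute_force_min_bootstraps(circuit, max_noise):
    """Smallest valid bootstrap set by exhaustive search (2^n subsets).

    Only for checking small circuits; the paper shows the general problem
    is hard to approximate, so no polynomial exact method is expected.
    """
    wires = list(circuit)
    for k in range(len(wires) + 1):
        for subset in combinations(wires, k):
            if is_valid(circuit, set(subset), max_noise):
                return set(subset)
    return None


if __name__ == "__main__":
    L = 2
    print("no bootstrap, raw levels:", noise_levels(CIRCUIT, set()))
    g = greedy_bootstrap(CIRCUIT, L)
    print("greedy placement:", sorted(g), "valid:", is_valid(CIRCUIT, g, L))
    print("optimal placement:", sorted(brute_force_min_bootstraps(CIRCUIT, L)))
```

Running the block shows the unbootstrapped circuit reaching level 3 at wire `e`, the greedy rule choosing `{b, c}`, and the exhaustive search finding `{a}`. Swapping in a different noise model (for instance one where XOR also adds noise, as in some scheme families) only requires changing `gate_noise`; the placement logic is unchanged.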
Faster Bootstrapping with Multiple Addends
As an important cryptographic primitive in cloud computing and outsourced computation, fully homomorphic encryption (FHE) is an active area of modern cryptography. However, the efficiency of FHE has been a bottleneck impeding its application. According to Gentry's blueprint, bootstrapping, which is used to decrease ciphertext errors, is the most important process in FHE. However, bootstrapping is also the most expensive process, affecting the efficiency of the whole system. Firstly, we notice that hundreds of serial homomorphic additions take most of the time of bootstrapping. We made use of the properties of Boolean circuits to reduce the number of serial homomorphic additions by two-thirds, and thus constructed an efficient FHE scheme with bootstrapping in 10 ms. Secondly, the most expensive parts of our bootstrapping, EHCM and the addition of multiple matrices, can be accelerated in parallel. This parallelism may accelerate the bootstrapping. Finally, we found a more efficient combination of parameters. As a result, our security parameter level is 128 bits and the correctness is improved, compared with the TFHE scheme in ASIACRYPT 2016. Experiments show that the running time of our bootstrapping is 10 ms, which is only 52 percent of TFHE, and is less than CGGI17.
cuXCMP: CUDA-Accelerated Private Comparison Based on Homomorphic Encryption
Private comparison schemes constructed on homomorphic encryption offer noninteractive, output-expressive and parallelizable features, and have advantages in communication bandwidth and performance. In this paper, we propose cuXCMP, which allows negative and float inputs, offers a fully output-expressive feature, and is more extensible and practical compared to XCMP (AsiaCCS 2018). Meanwhile, we introduce several memory-centric optimizations of the constant term extraction kernel tailored for CUDA-enabled GPUs. Firstly, we fully utilize the shared memory and present compact GPU implementations of NTT and INTT using a single block. Secondly, we fuse multiple kernels into one AKS kernel, which conducts the automorphism and key switching operations, and reduce the grid dimension for better resource usage, data access rate and synchronization. Thirdly, we precisely measure the IO latency and choose an appropriate number of CUDA streams to enable concurrent execution of independent operations, yielding a constant term extraction kernel with perfect latency hiding, i.e., CTX. Combining these approaches, we boost the overall execution time to an optimum level, and the speedup ratio increases with the comparison scale. For one comparison, we speed up AKS by 23.71×, CTX by 15.58×, and the scheme by 1.83× (resp., 18.29×, 11.75×, and 1.42×) compared to C (resp., AVX512) baselines, respectively. For 32 comparisons, our CTX and scheme implementations outperform the C (resp., AVX512) baselines by 112.00× and 1.99× (resp., 81.53× and 1.51×).
Fully Homomorphic Encryption for Point Numbers
In this paper, based on the FV scheme, we construct the first fully homomorphic encryption scheme FHE4FX that can homomorphically compute addition and/or multiplication of encrypted fixed point numbers without knowing the secret key. Then, we show that in the FHE4FX scheme one can efficiently and homomorphically compare the magnitude of two encrypted numbers. That is, one can compute an encryption of the greater-than bit
that represents whether or not given two ciphertexts and (of and , respectively) without knowing the secret key. Finally, we show that these properties of the FHE4FX scheme enable us to construct a fully homomorphic encryption scheme FHE4FL that can homomorphically compute addition and/or multiplication of encrypted floating point numbers.
Faster Bootstrapping with Polynomial Error
Bootstrapping is a technique, originally due to Gentry (STOC 2009), for "refreshing" ciphertexts of a somewhat homomorphic encryption scheme so that they can support further homomorphic operations. To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitrary unbounded computations.

Over the past few years, several works have dramatically improved the efficiency of bootstrapping and the hardness assumptions needed to implement it. Recently, Brakerski and Vaikuntanathan (ITCS 2014) reached the major milestone of a bootstrapping algorithm based on Learning With Errors for polynomial approximation factors. Their method uses the Gentry-Sahai-Waters (GSW) cryptosystem (CRYPTO 2013) in conjunction with Barrington's "circuit sequentialization" theorem (STOC 1986). This approach, however, results in very large polynomial runtimes and approximation factors. (The approximation factors can be improved, but at even greater costs in runtime and space.)

In this work we give a new bootstrapping algorithm whose runtime and associated approximation factor are both small polynomials. Unlike most previous methods, ours implements an elementary and efficient arithmetic procedure, thereby avoiding the inefficiencies inherent to the use of boolean circuits and Barrington's Theorem. For security under conventional lattice assumptions, our method requires only a quasi-linear $\tilde{O}(\lambda)$ number of homomorphic operations on GSW ciphertexts, which is optimal (up to polylogarithmic factors) for schemes that encrypt just one bit per ciphertext. As a contribution of independent interest, we also give a technically simpler variant of the GSW system and a tighter error analysis for its homomorphic operations.