Advertisement

Journal of Cryptology

, Volume 33, Issue 1, pp 34–91 | Cite as

TFHE: Fast Fully Homomorphic Encryption Over the Torus

  • Ilaria Chillotti
  • Nicolas GamaEmail author
  • Mariya Georgieva
  • Malika Izabachène
Article

Abstract

This work describes a fast fully homomorphic encryption scheme over the torus (TFHE) that revisits, generalizes and improves the fully homomorphic encryption (FHE) based on GSW and its ring variants. The simplest FHE schemes consist in bootstrapped binary gates. In this gate bootstrapping mode, we show that the scheme FHEW of Ducas and Micciancio (Eurocrypt, 2015) can be expressed only in terms of external product between a GSW and an LWE ciphertext. As a consequence of this result and of other optimizations, we decrease the running time of their bootstrapping from 690 to 13 ms single core, using 16 MB bootstrapping key instead of 1 GB, and preserving the security parameter. In leveled homomorphic mode, we propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and to optimize the evaluation of lookup tables and arbitrary functions in \({\mathrm {RingGSW}}\)-based homomorphic schemes. We also extend the automata logic, introduced in Gama et al. (Eurocrypt, 2016), to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called \(\mathrm {TBSR}\), that supports all the elementary operations that occur in a multiplication. These improvements speed up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We finally present a new circuit bootstrapping that converts \(\mathsf {LWE}\) ciphertexts into low-noise \({\mathrm {RingGSW}}\) ciphertexts in just 137 ms, which makes the leveled mode of TFHE composable and which is fast enough to speed up arithmetic functions, compared to the gate bootstrapping approach. Finally, we provide an alternative practical analysis of LWE based schemes, which directly relates the security parameter to the error rate of LWE and the entropy of the LWE secret key, and we propose concrete parameter sets and timing comparison for all our constructions.

Keywords

Fully homomorphic encryption Bootstrapping Lattices LWE GSW Boolean circuit Deterministic automata 

Notes

Acknowledgements

This work has been supported in part by the CRYPTOCOMP project. The authors would like to thank the anonymous reviewers of this paper and of the papers [22, 24], as well as the Asiacrypt 2016 committee for rewarding [22] with the best paper award. The authors would also like to thank Damien Stehlé, Fernando Virdia and Matthias Minihold for the discussions and for their helpful comments.

References

  1. 1.
    M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, V. Vaikuntanathan, Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada, (November 2018)Google Scholar
  2. 2.
    M. R. Albrecht, On dual lattice attacks against small-secret LWE and parameter choices in helib and SEAL, in EUROCRYPT 2017, pp. 103–129, 2017Google Scholar
  3. 3.
    M. R. Albrecht, C. Cid, J. Faugère, R. Fitzpatrick, L. Perret, On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography, 74/2, 325–354 (2015)MathSciNetCrossRefGoogle Scholar
  4. 4.
    M. R. Albrecht, B. R. Curtis, A. Deo, A. Davidson, R. Player, E. Postlethwaite, F. Virdia, T. Wunderer, Estimate all the \(\{\)LWE, NTRU\(\}\) schemes. https://estimate-all-the-lwe-ntru-schemes.github.io/docs, (2017)
  5. 5.
    M. R. Albrecht, A. Deo, Large modulus ring-lwe \(>=\) module-lwe, in ASIACRYPT 2017, 2017Google Scholar
  6. 6.
    M. R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Mathematical Cryptology 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  7. 7.
    E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe, Post-quantum key exchange - A new hope, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pp. 327–343, 2016Google Scholar
  8. 8.
    J. Alperin-Sheriff, C. Peikert. Faster bootstrapping with polynomial error, in Crypto, pp. 297–314, 2014CrossRefGoogle Scholar
  9. 9.
    J.-C. Bajard, J. Eynard, A. Hasan, V. Zucca, A full rns variant of fv like somewhat homomorphic encryption schemes, in SAC 2016, volume 10532 of LNCS, pp. 423–442, 2016Google Scholar
  10. 10.
    D. Benarroch, Z. Brakerski, T. Lepoint, Fhe over the integers: Decomposed and batched in the post-quantum regime. Cryptology ePrint Archive, 2017/065Google Scholar
  11. 11.
    A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. of ACM 50(4), 506–519 (2003)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Z. Brakerski, C. Gentry, V. Vaikuntanathan, (leveled) fully homomorphic encryption without bootstrapping, in ITCS, pp. 309–325, 2012Google Scholar
  13. 13.
    Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D.Stehlé, Classical hardness of learning with errors, in Proc. of 45th STOC, pp. 575–584 (ACM, 2013)Google Scholar
  14. 14.
    Z. Brakerski, R. Perlman, Lattice-based fully dynamic multi-key FHE with short ciphertexts, in Crypto’2016, volume 9814, pp. 190–213, 2016Google Scholar
  15. 15.
    Z. Brakerski, V. Vaikuntanathan, Lattice-based FHE as secure as PKE, in ITCS, pp. 1–12, 2014Google Scholar
  16. 16.
    A. L. Buchsbaum, R. Giancarlo, J. R. Westbrook. On the determinization of weighted finite automata. SIAM Journal on Computing 30(5), 1502–1531 (2000)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Y. Chen, P. Q. Nguyen, BKZ 2.0: Better lattice security estimates. In Proc. of Asiacrypt, pp. 1–20, 2011Google Scholar
  18. 18.
    J. H. Cheon, J. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun. Batch fully homomorphic encryption over the integers, in EUROCRYPT 2013, 2013CrossRefGoogle Scholar
  19. 19.
    J. H. Cheon, K. Han, A. Kim, M. Kim, Y. Song, A full RNS variant of approximate homomorphic encryption, in SAC 2018, pp. 347–368, 2018CrossRefGoogle Scholar
  20. 20.
    J. H. Cheon, A. Kim, M. Kim, Y. Song, Homomorphic encryption for arithmetic of approximate numbers, in Asiacrypt 2017, 2016. http://eprint.iacr.org/2016/421
  21. 21.
    J. H. Cheon, D. Stehlé, Fully homomophic encryption over the integers revisited, in EUROCRYPT 2015 (Springer, 2015), pp. 513–536Google Scholar
  22. 22.
    I. Chillotti, N. Gama, M. Georgieva, M. Izabachène. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds, in Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I (Springer, 2016), pp. 3–33Google Scholar
  23. 23.
    I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, A homomorphic lwe based e-voting scheme, in PQ Cryptography (Springer, 2016), pp. 245–265Google Scholar
  24. 24.
    I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE, in Advances in Cryptology - ASIACRYPT 2017 (Springer, 2017)Google Scholar
  25. 25.
    I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, TFHE: Fast fully homomorphic encryption library. https://tfhe.github.io/tfhe/ (August 2016)
  26. 26.
    J. Coron, T. Lepoint, M. Tibouchi, Scale-invariant fully homomorphic encryption over the integers, in PKC 2014, pp. 311–328, 2014CrossRefGoogle Scholar
  27. 27.
    R. Cramer, L. Ducas, B. Wesolowski, Short stickelberger class relations and application to ideal-svp, in Eurocrypt 2017, 2016Google Scholar
  28. 28.
    M. Droste, P. Gastin, Weighted automata and weighted logics, in Handbook of weighted automata (Springer, 2009), pp. 175–211Google Scholar
  29. 29.
    L. Ducas, D. Micciancio, FHEW: Bootstrapping homomorphic encryption in less than a second, in Eurocrypt, pp. 617–640, 2015Google Scholar
  30. 30.
    M. Frigo, S. G. Johnson, The design and implementation of FFTW3. Proceedings of the IEEE 93(2), 216–231 (2005). Special issue on “Program Generation, Optimization, and Platform Adaptation”CrossRefGoogle Scholar
  31. 31.
    N. Gama, M. Izabachène, P. Q. Nguyen, X. Xie, Structural lattice reduction: Generalized worst-case to average-case reductions. ePrint Archive, 2014/283, 2016Google Scholar
  32. 32.
    N. Gama, P. Q. Nguyen, Predicting Lattice Reduction, in Eurocrypt, 2008Google Scholar
  33. 33.
    C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC, 2009Google Scholar
  34. 34.
    C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, in Crypto’13, 2013Google Scholar
  35. 35.
    S. Gorbunov, V. Vaikuntanathan, H. Wee, Attribute-based encryption for circuits. Journal of the ACM (JACM) 62(6), 45 (2015)MathSciNetCrossRefGoogle Scholar
  36. 36.
    S. Halevi, I. V. Shoup, Helib - an implementation of homomorphic encryption. https://github.com/shaih/HElib/ (September 2014)
  37. 37.
    S. Halevi, V. Shoup, Algorithms in helib, in Crypto’2014, pp. 554–571, 2014CrossRefGoogle Scholar
  38. 38.
    N. Howgrave-Graham, Approximate integer common divisors, in CaLC, volume 1 (Springer, 2001), pp. 51–66Google Scholar
  39. 39.
    A. Langlois, D. Stehlé, Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography 75(3), 565–599 (2015).MathSciNetCrossRefGoogle Scholar
  40. 40.
    M. Liu, P. Q. Nguyen, Solving bdd by enumeration: An update, in Proc. of CT-RSA, volume 7779 of LNCS (Springer, 2013), pp. 293–309Google Scholar
  41. 41.
    V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT, pp. 1–23, 2010Google Scholar
  42. 42.
    D. Micciancio, On the hardness of learning with errors with binary secrets. Theory of Computing 14(1), 1–17 (2018)MathSciNetCrossRefGoogle Scholar
  43. 43.
    D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in Eurocrypt ’12, LNCS (Springer, 2012)Google Scholar
  44. 44.
    D. Micciancio, M. Walter, Practical, predictable lattice basis reduction, in Proc. of Eurocrypt 2016, volume 9665 of LNCS (Springer, 2016), pp. 820–849Google Scholar
  45. 45.
    A. I. R. V. of the BFV Homomorphic Encryption Scheme. Shai halevi and yuriy polyakov and victor shoup. In CT-RSA 2019, volume 11405 of LNCS (Springer, 2019), pp. 83–105Google Scholar
  46. 46.
    M. A. R. Hiromasa, T. Okamoto, Packing messages and optimizing bootstrapping in gsw-fhe, in PKC ’15, pp. 699–715, 2015Google Scholar
  47. 47.
    O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC, pp. 84–93, 2005Google Scholar
  48. 48.
    N. Smart, F. Vercauteren, Fully homomorphic simd operations. Cryptology ePrint Archive, Report 2011/133, 2011. https://eprint.iacr.org/2011/133
  49. 49.
    N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings, pp. 420–443, 2010Google Scholar
  50. 50.
    N. P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Des. Codes Cryptography 71(1), 57–81 (2014)CrossRefGoogle Scholar
  51. 51.
    D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, pp. 617–635, 2009Google Scholar
  52. 52.
    M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in Eurocrypt, pp. 24–43, 2010Google Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Ilaria Chillotti
    • 1
  • Nicolas Gama
    • 2
    • 4
    Email author
  • Mariya Georgieva
    • 3
    • 4
  • Malika Izabachène
    • 5
  1. 1.imec-COSICKU LeuvenLeuven-HeverleeBelgium
  2. 2.Laboratoire de Mathématiques de Versailles, UVSQ, CNRSUniversité Paris-SaclayVersaillesFrance
  3. 3.EPFLLausanneSwitzerland
  4. 4.InpherLausanneSwitzerland
  5. 5.CEA, LISTGif-sur-Yvette CedexFrance

Personalised recommendations