Abstract
We describe a somewhat homomorphic GSW-like encryption scheme, natively encrypting matrices rather than just single elements. This scheme offers much better performance than existing homomorphic encryption schemes for evaluating encrypted (nondeterministic) finite automata (NFAs). Differently from GSW, we do not know how to reduce the security of this scheme from LWE, instead we reduce it from a stronger assumption, that can be thought of as an inhomogeneous variant of the NTRU assumption. This assumption (that we term iNTRU) may be useful and interesting in its own right, and we examine a few of its properties. We also examine methods to encode regular expressions as NFAs, and in particular explore a new optimization problem, motivated by our application to encrypted NFA evaluation. In this problem, we seek to minimize the number of states in an NFA for a given expression, subject to the constraint on the ambiguity of the NFA.
N. Genise—This work was done when the author was at UCSD.
C. Gentry and S. Halevi—This work was done when the authors were in IBM Research.
Notes
- 1. For example, many ClamAV virus signatures (https://www.clamav.net/downloads) are regular expressions of the form \(\varSigma ^*K_1 \cdots \varSigma ^*K_n \cdot \varSigma ^*\) with no more than 1 K symbols, where \(\varSigma \) is the alphabet and each \(K_i\) is a set of a few hex strings.
- 2. The initial vector \(\mathbf {v}\) is not required to be encrypted, as it reveals no information about the automaton. However, the intermediate vectors obtained after each matrix-vector multiplication should be kept secret. So, we will need a scheme supporting matrix-vector multiplication where both the matrix and the vector are encrypted.
- 3. The techniques in [23] only handle multiplication of plaintext matrices by encrypted vectors, but many of these tools can be adapted to the case of encrypted matrices.
- 4. Technically, the nodes on the rightmost path of the tree can use matrix-vector multiplications, but this makes hardly any difference to the efficiency of the overall computation.
- 5. As we describe later, we use a slightly different variant to encrypt the vector \(\mathbf {v}\).
- 6. Here we refer to the multiple-secret variant of LWE, which can be reduced from the standard LWE problem.
- 7. Matrix-NTRU has been used in lattice-based signatures [5], though the most efficient versions of these lattice signatures use the standard, algebraic NTRU assumption.
- 8. Namely, one can let the initial state vector \(\mathbf {v}\) be an “errorless” encryption, because the initial state does not reveal any information about the rest of the automaton.
- 9. Consider writing both NTRU and RLWE-Regev in matrix form, representing ring elements by their matrices: in both NTRU and RLWE-Regev we have a ciphertext matrix \(\mathbf {C}\) encrypting a plaintext matrix \(\mathbf {M}\) relative to the secret matrix \(\mathbf {S}\) (and plaintext space \(\bmod ~p\)) if \(\mathbf {S}\mathbf {C} = \mathbf {M} + p\mathbf {E} \bmod q\).
- 10. \(\widetilde{O}(\cdot )\) hides poly-logarithmic factors in n.
- 11. We use a slightly larger gadget matrix than usual, with an extra first block. The reason will become clear when we prove Lemma 4 below.
- 12. Notice that a DFA \(\mathcal {M}\) has \({\mathrm {da}}(\mathcal {M},k)\le 1\) for all \(k\ge 0\), but the converse is not necessarily true: an NFA can have multiple nondeterministic choices at every state and still satisfy \({\mathrm {da}}(\mathcal {M},k)\le 1\); in such cases at most one of these choices can lead to a final state.
- 13. Note that \(\deg (\mathcal {M}')\) is bounded if and only if \({\mathrm {da}}(\mathcal {M}',k)\) is at most a polynomial in k for all \(k>0\).
- 14. The source code of our proof-of-concept implementation can be accessed at https://www.dropbox.com/s/10g2nocx3pmyu4t/henfa.zip.
- 15.
References
Albrecht, M.R., et al.: Estimate all the \(\{\)LWE, NTRU\(\}\) schemes! IACR Cryptology ePrint Archive 2018:331 (2018)
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17
Antimirov, V.M.: Partial derivatives of regular expressions and finite automaton constructions. Theor. Comput. Sci. 155(2), 291–319 (1996)
Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Topics in Cryptology - CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25–28, 2014. Proceedings, pp. 28–47 (2014)
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993)
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 394–403. IEEE Press (1997)
Björklund, H., Martens, W.: The tractability frontier for NFA minimization. J. Comput. Syst. Sci. 78(1), 198–210 (2012)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory 6(3), 13 (2014)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, June 1–4, 2013, pp. 575–584. ACM (2013)
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) Innovations in Theoretical Computer Science, ITCS 2014, pp. 1–12. ACM (2014)
Brzozowski, J.A.: Derivatives of regular expressions. J. ACM 11(4), 481–494 (1964)
Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_14
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)
Gama, N., Izabachène, M., Nguyen, P.Q., Xie, X.: Structural lattice reduction: generalized worst-case to average-case reductions and homomorphic cryptosystems. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 528–558. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_19
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st ACM Symposium on Theory of Computing - STOC 2009, pp. 169–178. ACM (2009)
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 17–20 May 2008, pp. 197–206. ACM (2008)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Halevi, S., Shoup, V.: Faster homomorphic linear transformations in HElib. IACR Cryptol. ePrint Arch. 2018, 244 (2018)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Hiromasa, R., Abe, M., Okamoto, T.: Packing messages and optimizing bootstrapping in GSW-FHE. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 699–715. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_31
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_9
Hromkovic, J., Schnitger, G.: Ambiguity and communication. Theory Comput. Syst. 48(3), 517–534 (2011)
Jiang, T., Ravikumar, B.: Minimal NFA problems are hard. SIAM J. Comput. 22(6), 1117–1141 (1993)
Leung, H.: Separating exponentially ambiguous finite automata from polynomially ambiguous finite automata. SIAM J. Comput. 27(4), 1073–1082 (1998)
Leung, H.: Descriptional complexity of NFA of different ambiguity. Int. J. Found. Comput. Sci. 16(5), 975–984 (2005)
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234 (2012)
May, A., Silverman, J.H.: Dimension reduction methods for convolution modular lattices. In: Silverman [41], pp. 110–125
Meyer, A.R., Fischer, M.J.: Economy of description by automata, grammars, and formal systems. In: 12th Annual Symposium on Switching and Automata Theory, East Lansing, Michigan, USA, 13–15 October 1971, pp. 188–191 (1971)
Micciancio, D.: Improving lattice based cryptosystems using the hermite normal form. In: Silverman [41], pp. 126–145
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. In: 45th Symposium on Foundations of Computer Science (FOCS 2004), 17–19 October 2004, Rome, Italy, Proceedings, pp. 372–381. IEEE Computer Society (2004)
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
Rivest, R., Adleman, L., Dertouzos, M.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation, pp. 169–177. Academic Press (1978)
Silverman, J.H. (ed.): CaLC 2001. LNCS, vol. 2146. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2
Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Des. Codes Cryptography 71(1), 57–81 (2014). Early version at http://eprint.iacr.org/2011/133
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Wang, B., Wang, X., Xue, R., Huang, X.: Matrix FHE and its application in optimizing bootstrapping. Comput. J. 61(12), 1845–1861 (2018)
Weber, A., Seidl, H.: On the degree of ambiguity of finite automata. Theor. Comput. Sci. 88(2), 325–349 (1991)
Yu, S.: Regular languages. In: Rozenberg, G., Salomaa, A. (eds.) Handbook of Formal Languages, vol. 1, pp. 41–110. Springer, Heidelberg (1997). https://doi.org/10.1007/978-3-642-59136-5_2
Appendices
A Definitions on Regular Expressions and NFA
We recall some standard definitions about regular languages and finite automata [46]. Let \(\varSigma \) be a finite alphabet, and \(\varSigma ^*\) the free monoid generated by \(\varSigma \). A string w is an element of \(\varSigma ^*\), which can be written as a finite sequence of symbols \(w = w_1w_2\cdots w_k\) where \(w_1,\ldots ,w_k \in \varSigma \), and its length is \(|w| = k\). The empty string is denoted by \(\epsilon \), which is the neutral element of \(\varSigma ^*\). The concatenation of two strings \(u = u_1\cdots u_m\) and \(v = v_1\cdots v_n\) is the string \(uv = u_1\cdots u_mv_1\cdots v_n\). A language over \(\varSigma \) is a subset of \(\varSigma ^*\). For any languages L and K, we consider the following regular operations: (union) \(L \cup K\), (product) \(LK = \{uv \mid u\in L, v\in K\}\), and (Kleene star) \(L^* = \cup _{i\ge 0}L^i\), where \(L^0 = \{\epsilon \}\), and \(L^i = LL^{i-1}\) for \(i>0\). Regular languages are the smallest class of languages that contains the basic languages \(\emptyset \), \(\{\epsilon \}\), and \(\{a_i\}\) for all \(a_i \in \varSigma \) and is closed under the regular operations.
A nondeterministic finite automaton (NFA) over \(\varSigma \) is a quintuple \(M = (Q,\varSigma ,\delta ,Q_I,Q_F)\), where \(Q = \{s_1,\ldots ,s_n\}\) is a finite set of states, \(\delta : Q \times \varSigma \rightarrow \wp (Q)\) is a transition function, \(Q_I \subseteq Q\) is the set of initial states, and \(Q_F \subseteq Q\) is the set of final states. We can extend \(\delta \) to a function \(\delta : Q \times \varSigma ^* \rightarrow \wp (Q)\) over strings in the natural way. Without loss of generality, we assume that all our NFAs have a single initial state \(s_1\). A string \(w\in \varSigma ^*\) is accepted by an NFA M if \(\delta (s_1,w) \cap Q_F \ne \emptyset \). The set of all the strings accepted by an NFA M is called the language of M, and it is denoted by \({\mathcal {L}}(M)\). A deterministic finite automaton (DFA) is an NFA such that \(\delta (s,a_i)\) is a singleton set for all \(s\in Q\) and \(a_i\in \varSigma \), and \(|Q_I|=1\).
A regular expression over \(\varSigma \) is a formal expression generated by the following grammar rules:
where \(a_i\) ranges over \(\varSigma \). The operator \(*\) takes the highest precedence, followed by \(\cdot \), and then by \(+\). The parentheses can be omitted when there is no ambiguity. The operator \(\cdot \) is usually omitted as well, and concatenations can be written as juxtapositions of regular expressions. For a regular expression e, its language \({\mathcal {L}}(e)\) can be defined inductively as follows:
where \(a_i\) ranges over \(\varSigma \), and \(e_0,e_1\) are regular expressions. For any set R of regular expressions, let \({\mathcal {L}}(R) = \cup _{e\in R}{\mathcal {L}}(e)\). It is well known that the languages defined by regular expressions are exactly the regular languages, which are exactly the languages accepted by finite automata.
For any sets R, T of regular expressions, we write RT for the set of regular expressions
and we write \(Re = \{f \cdot e \mid f \in R\}\) and \(eR = \{e \cdot f \mid f \in R\}\); in particular, \(\emptyset T = R \emptyset = \emptyset e = e \emptyset = \emptyset \).
B Proofs
In this section we present proofs that are omitted in the main paper.
Proposition 3
For any \(n \ge 1\), if \(\mathcal {M}\) is an NFA with \(r \le n\) states, and w a string of length k, the noise vector \(\mathbf {e}^{(k)}\) at the end of homomorphic evaluation of encrypted \(\mathcal {M}\) on w satisfies the following bounds:
- If \(\mathcal {M}\) is unambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnk\chi \log _b{q}\).
- If \(\mathcal {M}\) is finitely ambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnrk\chi \log _b{q}\).
- If \(\mathcal {M}\) is infinitely ambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnk^{\deg (\mathcal {M})+1}\chi \log _b{q}\).
Proof
Let \(\mathcal {M}= (Q,\varSigma ,\delta ,\{s_1\},Q_F)\) be an NFA with r states \(s_1,\ldots ,s_r\), and for each input symbol \(\sigma \in \varSigma \), denote by \(\mathbf {M}_\sigma \in \{0,1\}^{n\times n}\) the transition matrix of \(\mathcal {M}\) on \(\sigma \) (padded with 0s in the extra columns and rows), where \((\mathbf {M}_\sigma )_{t,s}=1\) if \(t \in \delta (s,\sigma )\), and \((\mathbf {M}_\sigma )_{t,s}=0\) otherwise. For any \(t\in Q\) let \(\mathcal {M}_t = (Q,\varSigma ,\delta ,Q,\{t\})\) be the NFA obtained from \(\mathcal {M}\) by setting all states to be initial and t the only final state. Notice that \({\mathrm {da}}(\mathcal {M}_t,l)\) is an upper bound on the total number of paths in \(\mathcal {M}\) on a string of length l from any state to t.
Let \(w=w_1\cdots w_k\) be the string to be scanned on \(\mathcal {M}\). For all \(1 \le i \le k\), the encrypted state vector \(\mathbf {q}^{(i)}\) after reading \(w_i\) is:
where \(\mathbf {e}^{(i-1)}\) is the noise term after reading the previous symbol \(w_{i-1}\). Since, by our assumption, \(s_1\) is always the sole initial state of \(\mathcal {M}\), we can set the initial noise \(\mathbf {e}^{(0)} = \mathbf {0}\) without leaking any additional information about the NFA \(\mathcal {M}\). By expanding all the noise terms, we get
Notice that, for any symbol \(a\in \varSigma \), the (t, s)’th entry of \(\mathbf {M}_a\) is 1 if \(t\in \delta (s,a)\) and it is 0 otherwise. So the (t, s)’th entry of the product \(\mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\) counts the number of paths from s to t on the string \(w_l \cdots w_k\), where \(1\le l\le k\). Let \(\mathbf {1}\) be the vector whose entries are all 1. Then the t’th entry of the vector \(\mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\mathbf {1}\) counts the total number of paths from an arbitrary state to t on this string, which is at most \({\mathrm {da}}(\mathcal {M}_{t},k-l+1)\). Thus we have
It follows that the final noise vector \(\mathbf {e}^{(k)}\) can be bounded by
If \(\mathcal {M}\) is unambiguous, then \({\mathrm {da}}(\mathcal {M}_{t},l)\le 1\) for all \(t \in Q\) and \(l \ge 0\), so
If \(\mathcal {M}\) is finitely ambiguous, then for all \(s,t\in Q\), the number of paths from s to t on w is at most 1 [45]. So \({\mathrm {da}}(\mathcal {M}_{t},l) \le r\) for all \(t\in Q\) and \(l \ge 0\), and \(\mathbf {e}^{(k)}\) can be bounded by
For the case where \(\mathcal {M}\) is infinitely ambiguous, notice that \({\mathrm {da}}(\mathcal {M}_t,l) \le l^{\deg (\mathcal {M})}\) for all \(l\ge 1\), and we have
\(\square \)
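The proof above rests on reading the transition matrices \(\mathbf {M}_\sigma \) as path counters: the product \(\mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\mathbf {1}\) counts paths into each state, and its size is what the ambiguity class of \(\mathcal {M}\) controls. The following script, an added example and not the paper's code or its proof-of-concept implementation, builds these matrices for three constructed toy NFAs over \(\{a,b\}\) (one per ambiguity class, following the definitions of Appendix A), computes the path counts that drive the noise growth, and evaluates the three bounds exactly as Proposition 3 states them; the parameters b, n, r, k, \(\chi \), q passed to it are placeholders, not the paper's.

```python
import math
from typing import Dict, List, Set, Tuple

# An NFA is (n, delta, finals): states 0..n-1 with state 0 playing s_1, the single
# initial state; delta[(s, sym)] lists the targets of delta(s, sym).
# Every automaton below is a constructed toy example over the alphabet {a, b}.
Delta = Dict[Tuple[int, str], List[int]]
Matrix = List[List[int]]
ALPHABET = "ab"

def transition_matrices(n: int, delta: Delta) -> Dict[str, Matrix]:
    """M_sigma with (M_sigma)[t][s] = 1 iff t in delta(s, sigma), as in the proof."""
    mats = {sym: [[0] * n for _ in range(n)] for sym in ALPHABET}
    for (s, sym), targets in delta.items():
        for t in targets:
            mats[sym][t][s] = 1
    return mats

def matvec(m: Matrix, v: List[int]) -> List[int]:
    return [sum(row[s] * v[s] for s in range(len(v))) for row in m]

def scan(n: int, mats: Dict[str, Matrix], word: str) -> List[int]:
    """Plaintext analogue of the homomorphic scan, q = M_{w_k} ... M_{w_1} e_1.
    Entry t is the number of paths from s_1 to t on the whole word."""
    q = [1] + [0] * (n - 1)
    for sym in word:
        q = matvec(mats[sym], q)
    return q

def accepting_paths(n: int, mats: Dict[str, Matrix], finals: Set[int], word: str) -> int:
    """Number of accepting paths; the word is accepted iff this is > 0."""
    return sum(c for t, c in enumerate(scan(n, mats, word)) if t in finals)

def max_suffix_path_count(n: int, mats: Dict[str, Matrix], word: str) -> int:
    """max over l and t of (M_{w_k} ... M_{w_l} 1)[t]: the most paths from *any*
    state into a single state t on a suffix w_l..w_k, i.e. the da(M_t, k-l+1)
    term through which the ambiguity of M enters the noise bound."""
    best = 0
    for l in range(len(word)):
        v = [1] * n
        for sym in word[l:]:
            v = matvec(mats[sym], v)
        best = max(best, max(v))
    return best

def proposition3_bound(kind: str, b: int, n: int, r: int, k: int,
                       chi: float, q: int, deg: int = 0) -> float:
    """The three l_infinity bounds on e^(k) as stated in Proposition 3."""
    base = b * n * chi * math.log(q, b)
    if kind == "unambiguous":
        return base * k
    if kind == "finite":
        return base * r * k
    return base * k ** (deg + 1)      # infinitely ambiguous, degree deg

# Sigma* a: nondeterministic (state 0 guesses the last symbol) yet unambiguous.
UNAMB = (2, {(0, "a"): [0, 1], (0, "b"): [0]}, {1})
# a a* recognised twice in parallel: finitely ambiguous, 2 paths and never more.
FINITE = (3, {(0, "a"): [1, 2], (1, "a"): [1], (2, "a"): [2]}, {1, 2})
# Sigma* a Sigma*: infinitely ambiguous, one accepting path per 'a' in the word.
INFINITE = (2, {(0, "a"): [0, 1], (0, "b"): [0], (1, "a"): [1], (1, "b"): [1]}, {1})

def demo(nfa, word: str) -> Tuple[int, int]:
    """(accepting paths on word, largest suffix path count) for a toy NFA."""
    n, delta, finals = nfa
    mats = transition_matrices(n, delta)
    return accepting_paths(n, mats, finals, word), max_suffix_path_count(n, mats, word)
```

On the word aaaa the unambiguous automaton keeps every path count at 1, the finitely ambiguous one stays at 2 whatever the length, and the infinitely ambiguous one grows with the number of a's, which is exactly the separation the three bounds of Proposition 3 express.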
C Performance Comparisons with HAO15
In this section we present a brief analysis of applying the matrix-FHE scheme of HAO15 [25] to the homomorphic evaluation of NFAs.
Fix an NFA \(\mathcal {M}\) of r states and with an alphabet \(\varSigma \), and let \(\mathbf {M}_\sigma \in \{0,1\}^{r \times r}\) for \(\sigma \in \varSigma \) be its transition matrices on symbol \(\sigma \). Recall the “leveled version” of the HAO15 scheme as described in Sect. 3.1. To encrypt \(\mathcal {M}\) for homomorphic evaluation on any string of length at most k, we sample \(k+1\) secret keys \(\mathsf {sk}_i\) for \(i=0,1,\ldots ,k\), and for each \(\sigma \in \varSigma \), we encrypt \(\mathbf {M}_\sigma \) with all keys \(\mathsf {sk}_i\) to get \(\mathbf {C}_{\sigma ,i} \leftarrow \mathsf {HAO}.\mathsf {MatEnc}_{\mathsf {sk}_i}(\mathbf {M}_\sigma )\). We also encrypt the initial state vector \(\mathbf {v} = (1,0,\ldots ,0)^t\) in a ciphertext \(\mathbf {c} = \mathsf {HAO}.\mathsf {VecEnc}_{\mathsf {sk}_0}(\mathbf {v})\).
To scan \(w = w_1\cdots w_k\) on \(\mathcal {M}\), set \(\mathbf {c}_0 = \mathbf {c}\) and \(\mathbf {c}_i = \mathsf {HAO}.\mathsf {Mul}(\mathbf {C}_{w_i,i},\mathbf {c}_{i-1}) = \mathbf {C}_{w_i,i} \times \mathbf {G}^{-1}(\mathbf {c}_{i-1})\). Then each ciphertext \(\mathbf {c}_i\) satisfies \(\mathbf {S}_i\mathbf {c}_i = (\prod _{j=i}^1 \mathbf {M}_{w_j}) \times \mathbf {v} + \mathbf {e}_i\) for some noise vector \(\mathbf {e}_i\). By Eq. 1, the \(l_\infty \) norm of \(\mathbf {e}_k\) can be bounded by
which must be bounded away from q/4.
For performance comparison, consider two cases of the ambiguity measures of \(\mathcal {M}\):
- \(\mathcal {M}\) is finitely ambiguous: We have \({\mathrm {da}}(\mathcal {M},l) \le r\) for all \(1 \le l \le k\), so w.h.p.
  $$\begin{aligned} \Vert \mathbf {e}_k\Vert _\infty \le \alpha q (n+r) (kr+1) \log {q}, \end{aligned}$$
  where \(\alpha = \sqrt{2n}/q\) is the LWE noise parameter. Thus, in the HAO15 scheme we can homomorphically evaluate \(\mathcal {M}\) on strings of length \(k \le \frac{1}{\alpha (n+r)r \log {q}}\). For example, assuming at least 100 bits of security are needed, for an NFA of up to 1024 states on strings of length up to 275, we need \(n=1024\) and \(q=2^{42}\). On the other hand, using our scheme we can evaluate \(\mathcal {M}\) on strings of length \(k \le \frac{q}{b^2 n \chi r \log _b{q}}\). So, using our scheme with the above set of parameters, we can homomorphically evaluate an NFA of up to 1024 states on strings of length up to 551.
- \(\mathcal {M}\) is infinitely ambiguous: We have \({\mathrm {da}}(\mathcal {M},l) \le l^{\deg (\mathcal {M})}\), so w.h.p.
  $$\begin{aligned} \Vert \mathbf {e}_k\Vert _\infty \le \alpha q (n+r) \log {q} \cdot (\sum _{l=1}^k l^{\deg (\mathcal {M})} + 1) \le \alpha q (n+r) \log {q} k^{\deg (\mathcal {M})+1} \end{aligned}$$
  Using the same parameters as above to achieve at least 100 bits of security, and assuming that \(\deg (\mathcal {M})=2\) for the NFA \(\mathcal {M}\), we can homomorphically evaluate \(\mathcal {M}\) on strings of length up to 65 in the HAO15 scheme, whereas we can homomorphically evaluate \(\mathcal {M}\) on strings of length up to 82 in our scheme.
Moreover, the computational complexity of k homomorphic matrix multiplications, assuming naive matrix-vector multiplication of complexity \(O(n^2)\), is \(O(k(r+n)^2\log {q})\). On the other hand, the complexity of our homomorphic evaluation procedure is \(O(kn^2 \log {q})\).
Copyright information
© 2019 International Association for Cryptologic Research
Cite this paper
Genise, N., Gentry, C., Halevi, S., Li, B., Micciancio, D. (2019). Homomorphic Encryption for Finite Automata. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11922. Springer, Cham. https://doi.org/10.1007/978-3-030-34621-8_17
DOI: https://doi.org/10.1007/978-3-030-34621-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34620-1
Online ISBN: 978-3-030-34621-8