Abstract
In this paper, we propose a Multi-Key Homomorphic Encryption (MKHE) scheme by generalizing the low-latency homomorphic encryption by Chillotti et al. (ASIACRYPT 2016). Our scheme can evaluate a binary gate on ciphertexts encrypted under different keys followed by a bootstrapping.
The biggest challenge to meeting the goal is to design a multiplication between a bootstrapping key of a single party and a multi-key RLWE ciphertext. We propose two different algorithms for this hybrid product. Our first method improves the ciphertext extension by Mukherjee and Wichs (EUROCRYPT 2016) to provide better performance. The other one is a whole new approach which has advantages in storage, complexity, and noise growth.
Compared to previous work, our construction is more efficient in terms of both asymptotic and concrete complexity. The length of ciphertexts and the computational costs of a binary gate grow linearly and quadratically in the number of parties, respectively. We provide experimental results demonstrating the running time of a homomorphic NAND gate with bootstrapping. To the best of our knowledge, this is the first attempt in the literature to implement an MKHE scheme.
Notes
1. We define only the Ring version TRGSW, since this is the only sample we need in this paper. TGSW can be defined in the same way. For more details we refer to [15].
2. For the reader who is familiar with the GSW scheme, let us cite a similar example. For GSW ciphertexts \(C_i\), we denote by \(\boxtimes \) the multiplication between GSW ciphertexts. Both \(C_1\boxtimes (C_2\boxtimes C_3)\) and \((C_1\boxtimes C_2)\boxtimes C_3\) compute the same function (the product of three plaintexts), but the latter introduces a much smaller error.
3. In [15], the authors recommend taking more conservative parameters for the original TFHE scheme as well. This new parameter set will increase their gate bootstrapping time by a few milliseconds with respect to the originally reported execution time of about 13 ms.
References
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_29
Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 565–596. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_19
Bonnoron, G., Ducas, L., Fillinger, M.: Large FHE gates from tensored homomorphic accumulator. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 217–251. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_13
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of ITCS, pp. 309–325. ACM (2012)
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8
Carpov, S., Izabachène, M., Mollimard, V.: New techniques for multi-value homomorphic evaluation and applications. IACR Cryptology ePrint Archive, 2018:622 (2018)
Chen, H., Han, K.: Homomorphic lower digits removal and improved FHE bootstrapping. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 315–337. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_12
Chen, L., Zhang, Z., Wang, X.: Batched multi-hop multi-key FHE from ring-LWE with compact ciphertext extension. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 597–627. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_20
Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14
Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_14
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. (2019)
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption library, August 2016. https://tfhe.github.io/tfhe/
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31
Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_18
Dodis, Y., Halevi, S., Rothblum, R.D., Wichs, D.: Spooky encryption and its applications. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 93–122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_4
Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 2012:144 (2012)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Dov Gordon, S., Liu, F.-H., Shi, E.: Constant-round MPC with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 63–82. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_4
Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_25
Jain, A., Rasmussen, P.M.R., Sahai, A.: Threshold fully homomorphic encryption. Cryptology ePrint Archive, Report 2017/257 (2017). https://eprint.iacr.org/2017/257
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the Forty-fourth Annual ACM Symposium on Theory of Computing, pp. 1219–1234. ACM (2012)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26
Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York (2005)
Schoenmakers, B., Veeningen, M.: Universally verifiable multiparty computation from threshold homomorphic cryptosystems. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 3–22. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_1
Acknowledgments
The second author (I.C.) has been supported in part by ERC Advanced Grant ERC-2015-AdG-IMPaCT and by the FWO under an Odysseus project GOH9718N. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ERC or FWO.
A Noise Estimation
For the decomposition base B and degree d, let \(\epsilon ^2=1/(12B^{2d})\) be the variance of the uniform distribution over the interval \((-\frac{1}{2}B^{-d}, \frac{1}{2}B^{-d}]\). We denote by \(V_B = \begin{cases} \frac{1}{12}(B^2-1) & \text{if } B \text{ is odd}, \\ \frac{1}{12}(B^2+2) & \text{if } B \text{ is even} \end{cases}\) the mean square of a uniform distribution over \({\mathbb Z}\cap (-B/2, B/2]\). We similarly define \(\epsilon '^2\) and \(V_{B'}\) based on the parameters \(B'\) and \(d'\) for the key-switching algorithm. We set the RGSW and LWE secret distributions \(\chi , \psi \) as uniform distributions over \(\{0,1\}^N\) and \(\{0,1\}^n\), respectively.
The variance of a random variable e over \({\mathbb R}\) is denoted by \(\textsf {Var}(e)\). For a random variable e over \({\mathbb R}[X]/(X^N+1)\), it denotes the variance of a coefficient when all coefficients have the same variance. If \({\mathbf e}\) is a vector of random variables, \(\textsf {Var}({\mathbf e})\) denotes the maximum of its entries’ variances.
We mainly compute the variance of the noise. Our average-case analysis is based on the heuristic assumption that the noise behaves like a Gaussian distribution, which has been empirically shown in previous work (Fig. 10, [15]).
Hybrid Product Method 1
Step 1: Ciphertext extension. Let us suppose that
We let \({\mathbf e}_0=\mathbf {0}\) for simplicity. Then for any \(0\le j\le k\), the j-th row of \(\overline{\mathbf D}_i\) satisfies that
for the decomposition error \({\mathbf e}_j'\in {\mathbb R}^d\) such that \({\mathbf e}'[\ell ]=\langle {\mathbf g}^{-1}({\mathbf b}_j[\ell ]),{\mathbf g}\rangle -{\mathbf b}_j[\ell ]\) for \(\ell \in [d]\), and
Therefore, the j-th row is decrypted into \(\mu _iz_j\cdot {\mathbf g}+{\mathbf e}_{i,j}\) for the GSW extension error \({\mathbf e}_{i,j}=r_i\cdot ({\mathbf e}_j+{\mathbf e}_j')+z_j\cdot {\mathbf e}_{i,1}+{\mathbf M}_j\cdot {\mathbf e}_{i,2}\).
Its variance is bounded by
since \(\textsf {Var}(r_i)=\textsf {Var}(z_j)=1/2\), \(\textsf {Var}({\mathbf e}_j)\le \textsf {Var}({\mathbf e}_{i,1})=\textsf {Var}({\mathbf e}_{i,2})=\beta ^2\), \(\textsf {Var}({\mathbf e}_j')=\epsilon ^2\) and \(\textsf {Var}({\mathbf M}_j\cdot {\mathbf e}_{i,2})=d N \cdot V_B\cdot \beta ^2\).
Step 2: Multi-key GSW external product. Let \(\overline{\mathbf c}\) and \(\overline{\mathbf D}\) be multi-key RLWE and RGSW ciphertexts. Suppose that \(\overline{\mathbf D}\) satisfies \(\overline{\mathbf D}\overline{\mathbf z}=\mu \cdot {\mathbf G}_{k+1}\overline{\mathbf z}+\overline{\mathbf e}\) for a plaintext \(\mu \in R\) and an error vector \(\overline{\mathbf e}\). We denote by \(\textsf {VarErr}(\overline{\mathbf D})=\textsf {Var}(\overline{\mathbf e})\). The external product outputs an RLWE ciphertext \(\overline{\mathbf c}'\) satisfying
for the decomposition error \(\overline{\mathbf e}'={\mathbf G}_{k+1}^{-1}(\overline{\mathbf c})\cdot {\mathbf G}_{k+1}-\overline{\mathbf c}\). Therefore, the variance of external product error \(e_{ep}=\mu \cdot \langle \overline{\mathbf e}',\overline{\mathbf z}\rangle +{\mathbf G}^{-1}_{k+1}(\overline{\mathbf c})\cdot \overline{\mathbf e}\) is
since \(\textsf {Var}(\overline{\mathbf e}')=\epsilon ^2\) and \(\textsf {Var}({\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}))=V_B\).
In our case, \(\overline{\mathbf D}=\overline{\mathbf D}_i\) is an extended RGSW ciphertext whose error variance is \(V_{exp}\le (N/2)\epsilon ^2+(1+d\cdot V_B)\cdot N\beta ^2\). As a result, our first method returns a ciphertext whose noise variance is
In our MKHE scheme, the decomposition error \(\epsilon ^2\) can be easily controlled. Hence the extension error is mainly dominated by \(V_{exp}\approx dN\cdot V_B\cdot \beta ^2\). Similarly, the noise of hybrid product is dominated by \(V_1\approx (k+1) dN\cdot V_B\cdot V_{exp}\approx (k+1)d^2\cdot N^2\cdot V_B^2\cdot \beta ^2\).
Hybrid Product Method 2. As shown earlier, the output \(\overline{\mathbf c}'\) of the second multiplication algorithm satisfies \(\langle \overline{\mathbf c}',\overline{\mathbf z}\rangle =\sum _{j=0}^ku_j\cdot z_j+\sum _{j=0}^k(w_{j,0}+w_{j,1}\cdot z_i)\). The first term is
for the decomposition error \(e'=\sum _{j=0}^k\left( \langle {\mathbf g}^{-1}(c_j),{\mathbf g}\rangle -c_j\right) \cdot z_j\), while the second term is
for \(e''=\sum _{j=0}^k\left( \langle {\mathbf g}^{-1}(v_j),{\mathbf g}\rangle -v_j\right) \). Note that \(\textsf {Var}(e')=\epsilon ^2 (1+kN/2)\) and \(\textsf {Var}(e'')=\epsilon ^2(k+1)\).
Therefore, the noise of \(\overline{\mathbf c}'\) is
and its variance
is dominated by \(V_2\approx \frac{1}{2}(kd+k+1)\cdot N^2\cdot V_B\cdot \beta ^2\).
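The following added example (not code from the paper) evaluates the variance expressions stated in this appendix to compare the two hybrid products as the number of parties k grows, and checks the closed form of \(V_B\) by enumerating the digit set. The parameter values N, B, d and β are constructed for illustration and are not the paper's parameter set; the function names are hypothetical, and the Method 1 bound is obtained by plugging the stated bound on \(V_{exp}\) into the external-product variance with μ = 1.

```python
from fractions import Fraction
import math

def eps2(B, d):
    """Variance of the uniform distribution on (-B^-d/2, B^-d/2]."""
    return 1.0 / (12.0 * float(B) ** (2 * d))

def v_b(B):
    """Closed form for the mean square of uniform digits in Z ∩ (-B/2, B/2]."""
    return Fraction(B * B - 1, 12) if B % 2 else Fraction(B * B + 2, 12)

def v_b_enumerated(B):
    """The same mean square, computed by listing the B digits explicitly."""
    digits = range(-((B - 1) // 2), B // 2 + 1)
    return Fraction(sum(x * x for x in digits), B)

def var_extension_bound(N, B, d, beta):
    """V_exp <= (N/2) eps^2 + (1 + d V_B) N beta^2."""
    return (N / 2) * eps2(B, d) + (1 + d * float(v_b(B))) * N * beta ** 2

def var_external_product(k, N, B, d, var_err, mu=1):
    """mu^2 eps^2 (1 + kN/2) + (k+1) d N V_B VarErr (mux gate / external product)."""
    return (mu ** 2 * eps2(B, d) * (1 + k * N / 2)
            + (k + 1) * d * N * float(v_b(B)) * var_err)

def v1_bound(k, N, B, d, beta):
    """Method 1: external product with an extended RGSW ciphertext, mu = 1 (assumed)."""
    return var_external_product(k, N, B, d, var_extension_bound(N, B, d, beta))

def v1_dominant(k, N, B, d, beta):
    """V_1 ~ (k+1) d^2 N^2 V_B^2 beta^2."""
    return (k + 1) * d ** 2 * N ** 2 * float(v_b(B)) ** 2 * beta ** 2

def v2_dominant(k, N, B, d, beta):
    """V_2 ~ (1/2)(kd + k + 1) N^2 V_B beta^2."""
    return 0.5 * (k * d + k + 1) * N ** 2 * float(v_b(B)) * beta ** 2

def compare(N, B, d, beta, parties):
    """Per party count k: log2 of the noise std-dev for each method, and V_1/V_2."""
    rows = []
    for k in parties:
        v1, v2 = v1_dominant(k, N, B, d, beta), v2_dominant(k, N, B, d, beta)
        rows.append((k, 0.5 * math.log2(v1), 0.5 * math.log2(v2), v1 / v2))
    return rows

# Constructed parameters for illustration only (not the paper's parameter set).
N, B, D, BETA = 1024, 2 ** 6, 4, 2.0 ** -30

if __name__ == "__main__":
    assert all(v_b(b) == v_b_enumerated(b) for b in range(2, 65))
    for k, s1, s2, ratio in compare(N, B, D, BETA, (1, 2, 4, 8)):
        slack = v1_bound(k, N, B, D, BETA) / v1_dominant(k, N, B, D, BETA)
        print(f"k={k}: log2(sd1)={s1:.1f} log2(sd2)={s2:.1f} "
              f"V1/V2={ratio:.0f} bound/dominant={slack:.3f}")
```

With the dominant terms above, the ratio \(V_1/V_2\) simplifies to \(2(k+1)d^2 V_B/(kd+k+1)\), so it depends on B, d and k but not on N or β.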
Rounding Error. In (2-2), we compute \(\tilde{b}=\lfloor {2N\cdot b'}\rceil \) and \(\tilde{\mathbf {a}}_i=\lfloor {2N\cdot \mathbf {a}_i'}\rceil \). We assume that each of the rounding errors behaves like a uniform random variable on the interval \({\mathbb R}\pmod {1}=(-0.5,0.5]\). Therefore, the total rounding error \((\tilde{b}-\lfloor {2N\cdot b'}\rceil )+\sum _{j=1}^k \langle \tilde{\mathbf {a}}_j-\lfloor {2N\cdot \mathbf {a}_j'}\rceil , {\mathbf s}_j\rangle \) has the variance of \(\frac{1}{12}\left( 1+kn/2\right) \).
Mux Gate. Suppose that \(\overline{\mathbf c}_0,\overline{\mathbf c}_1\) are RLWE ciphertexts and \(\overline{\mathbf C}\) is an RGSW encryption of \(\mu \in \{0,1\}\) with error \(\overline{\mathbf e}\). The mux gate is to compute \(\overline{\mathbf c}=\overline{\mathbf c}_0+\texttt {RLWE}.\texttt {Prod}(\overline{\mathbf c}_1-\overline{\mathbf c}_0, \overline{\mathbf C})\) to choose \(\overline{\mathbf c}_\mu \) homomorphically:
for the decomposition error \(\overline{\mathbf e}'={\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\cdot {\mathbf G}_{k+1}-(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\). The noise has the variance of \(\mu ^2\cdot \epsilon ^2(1+kN/2)+(k+1)dN\cdot V_B\cdot \textsf {VarErr}(\overline{\mathbf C})\), exactly the same as external product.
Accumulation. The initial RLWE ciphertext has no noise. All bootstrapping keys \(\overline{\mathbf C}_{i,\ell }\) have the same variance of noise \(\textsf {VarErr}(\overline{\mathbf C}_{i,\ell })=(N/2)\epsilon ^2+(1+N+dNV_B)\beta ^2\) from the expansion algorithm. We recursively evaluate the mux gate \(k\cdot n\) times and an encrypted secret \(s_{i,\ell }\) is sampled uniformly from \(\{0,1\}\). Therefore, the output of accumulator has an error of variance
Multi-key Switching. Let \(\overline{\mathsf {ct}}=(b,\mathbf {a}_1,\dots ,\mathbf {a}_k)\) be an input LWE ciphertext and \(\overline{\mathsf {ct}}'=(b',\mathbf {a}_1',\dots ,\mathbf {a}_k')\) be the output of multi-key-switching algorithm. Then, we have
for the decomposition error \(e_{i,j}'=\langle {\mathbf g}'^{-1}(a_{i,j}),{\mathbf g}\rangle -a_{i,j}\). As a result, the variance of a multi-key-switching error \(e_{ks}=\sum _{i=1}^k\sum _{j=1}^N \left( t_{i,j}\cdot e_{i,j}'+\langle {\mathbf g}'^{-1}(a_{i,j}), {\mathbf e}_{i,j}\rangle \right) \) is obtained by
We note that this term does not include the error of input LWE ciphertext. If \(\langle \mathsf {ct}',(1,\overline{\mathbf t})\rangle =\frac{1}{4}m+e \pmod 1\) for a bit \(m\in \{0,1\}\) and an error \(e\in {\mathbb R}\), then \(\mathsf {ct}'\) will be an encryption of the same message m with error \(e'=e+e_{ks}\).
Multi-key Switching (Modified). Different from the previous algorithm, the key-switching key of the i-th party consists of LWE encryptions of \(a \cdot B'^\ell \cdot t_{i,j}\) for \(1\le j\le N\), \(0\le \ell <d'\) and \(a\in {\mathbb Z}_{B'}\) encrypted under the secret \({\mathbf s}_i\). For an input LWE ciphertext \(\overline{\mathsf {ct}}=(b,\mathbf {a}_1,\dots ,\mathbf {a}_k)\), the (modified) multi-key switching algorithm computes \({\mathbf g}'^{-1}(a_{i,j})=(a_{i,j,\ell })_{0\le \ell <d'}\) for each \(1\le i\le k\) and \(1\le j\le N\), and then computes the summation of LWE encryptions of \(a_{i,j,\ell }\cdot B'^\ell \cdot t_{i,j}\) for \(1\le i\le k\), \(1\le j\le N\) and \(0\le \ell <d'\). Therefore, the output ciphertext \(\overline{\mathsf {ct}}'\) satisfies that
for the decomposition error \(e_{i,j}'=\langle {\mathbf g}'^{-1}(a_{i,j}),{\mathbf g}'\rangle -a_{i,j}\). As a result, the variance of a multi-key-switching error \(e_{ks}=\sum _{i=1}^k\sum _{j=1}^N t_{i,j}\cdot e_{i,j}'+\sum _{i=1}^k \sum _{j=1}^N\sum _{\ell =0}^{d'-1} e_{i,j,a_{i,j,\ell }}\) is obtained by
which is smaller than that of standard key-switching error (2).
Bootstrapping. The bootstrapping noise is simply the sum of the accumulation and multi-key-switching errors so that it has the variance of (1) + (3).
© 2019 International Association for Cryptologic Research
Chen, H., Chillotti, I., Song, Y. (2019). Multi-Key Homomorphic Encryption from TFHE. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11922. Springer, Cham. https://doi.org/10.1007/978-3-030-34621-8_16
DOI: https://doi.org/10.1007/978-3-030-34621-8_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34620-1
Online ISBN: 978-3-030-34621-8
eBook Packages: Computer Science, Computer Science (R0)