
Multi-Key Homomorphic Encryption from TFHE

  • Conference paper
Advances in Cryptology – ASIACRYPT 2019 (ASIACRYPT 2019)

Abstract

In this paper, we propose a Multi-Key Homomorphic Encryption (MKHE) scheme by generalizing the low-latency homomorphic encryption by Chillotti et al. (ASIACRYPT 2016). Our scheme can evaluate a binary gate on ciphertexts encrypted under different keys followed by a bootstrapping.

The biggest challenge to meeting the goal is to design a multiplication between a bootstrapping key of a single party and a multi-key RLWE ciphertext. We propose two different algorithms for this hybrid product. Our first method improves the ciphertext extension by Mukherjee and Wichs (EUROCRYPT 2016) to provide better performance. The other one is a whole new approach which has advantages in storage, complexity, and noise growth.

Compared to previous work, our construction is more efficient in terms of both asymptotic and concrete complexity. The length of ciphertexts and the computational costs of a binary gate grow linearly and quadratically on the number of parties, respectively. We provide experimental results demonstrating the running time of a homomorphic NAND gate with bootstrapping. To the best of our knowledge, this is the first attempt in the literature to implement an MKHE scheme.


Notes

  1. We define only the ring version TRGSW, since this is the only sample we need in this paper. TGSW can be defined in the same way. For more details we refer to [15].

  2. For the reader who is familiar with the GSW scheme, let us cite a similar example. For GSW ciphertexts \(C_i\), we denote by \(\boxtimes \) the multiplication between GSW ciphertexts. Both \(C_1\boxtimes (C_2\boxtimes C_3)\) and \((C_1\boxtimes C_2)\boxtimes C_3\) compute the same function (the product of three plaintexts), but the latter introduces a much smaller error.

  3. In [15], the authors recommend taking more conservative parameters for the original TFHE scheme as well. This new parameter set increases their gate bootstrapping time by a few milliseconds relative to the originally reported execution time of about 13 ms.

  4. https://bitbucket.org/malb/lwe-estimator/src/master/.

References

  1. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)


  2. Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_29


  3. Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 565–596. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_19


  4. Bonnoron, G., Ducas, L., Fillinger, M.: Large FHE gates from tensored homomorphic accumulator. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 217–251. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_13


  5. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50


  6. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of ITCS, pp. 309–325. ACM (2012)


  7. Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8


  8. Carpov, S., Izabachène, M., Mollimard, V.: New techniques for multi-value homomorphic evaluation and applications. IACR Cryptology ePrint Archive, 2018:622 (2018)


  9. Chen, H., Han, K.: Homomorphic lower digits removal and improved FHE bootstrapping. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 315–337. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_12


  10. Chen, L., Zhang, Z., Wang, X.: Batched multi-hop multi-key FHE from ring-LWE with compact ciphertext extension. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 597–627. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_20


  11. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14


  12. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15


  13. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1


  14. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_14


  15. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. (2019)


  16. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption library, August 2016. https://tfhe.github.io/tfhe/

  17. Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31


  18. Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_18


  19. Dodis, Y., Halevi, S., Rothblum, R.D., Wichs, D.: Spooky encryption and its applications. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 93–122. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_4


  20. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24


  21. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 2012:144 (2012)


  22. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)


  23. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5


  24. Dov Gordon, S., Liu, F.-H., Shi, E.: Constant-round MPC with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 63–82. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_4


  25. Halevi, S., Shoup, V.: Bootstrapping for HElib. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 641–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_25


  26. Jain, A., Rasmussen, P.M.R., Sahai, A.: Threshold fully homomorphic encryption. Cryptology ePrint Archive, Report 2017/257 (2017). https://eprint.iacr.org/2017/257

  27. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21


  28. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the Forty-fourth Annual ACM Symposium on Theory of Computing, pp. 1219–1234. ACM (2012)


  29. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1


  30. Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26


  31. Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9


  32. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York (2005)


  33. Schoenmakers, B., Veeningen, M.: Universally verifiable multiparty computation from threshold homomorphic cryptosystems. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 3–22. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_1


Acknowledgments

The second author (I.C.) has been supported in part by ERC Advanced Grant ERC-2015-AdG-IMPaCT and by the FWO under an Odysseus project GOH9718N. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ERC or FWO.


Corresponding author

Correspondence to Yongsoo Song.


A Noise Estimation


For the decomposition base B and degree d, let \(\epsilon ^2=1/(12B^{2d})\) be the variance of uniform distribution over the interval \((-\frac{1}{2}B^{-d}, \frac{1}{2}B^{-d}]\). We denote by \(V_B ={\left\{ \begin{array}{ll} \frac{1}{12}(B^2-1) &{} \text {if } B \text { is odd}, \\ \frac{1}{12}(B^2+2) &{} \text {if } B \text { is even;} \end{array}\right. }\) the mean square of a uniform distribution over \({\mathbb Z}\cap (-B/2, B/2]\). We similarly define \(\epsilon '^2\) and \(V_{B'}\) based on the parameter \(B'\) and \(d'\) for the key-switching algorithm. We set the RGSW and LWE secret distributions \(\chi , \psi \) as uniform distributions over \(\{0,1\}^N\) and \(\{0,1\}^n\), respectively.

The variance of a random variable e over \({\mathbb R}\) is denoted by \(\textsf {Var}(e)\). For a random variable e over \({\mathbb R}[X]/(X^N+1)\), it denotes the variance of a coefficient when all coefficients have the same variance. If \({\mathbf e}\) is a vector of random variables, \(\textsf {Var}({\mathbf e})\) denotes the maximum of its entries’ variances.

We mainly compute the variance of a noise. Our average-case analysis is based on the heuristic assumption that a noise behaves like a Gaussian distribution, which has been empirically shown in the previous work (Fig. 10, [15]).

Hybrid Product Method 1

Step 1: Ciphertext extension. Let us suppose that

$$\begin{aligned}&{\mathbf b}_j = -z_j\cdot \mathbf {a}+{\mathbf e}_j \pmod 1 \text { for } j\in [k],\\&{\mathbf d}_i = r_i\cdot \mathbf {a}+ \mu _i\cdot {\mathbf g}+ {\mathbf e}_{i,1} \pmod 1,\\&\mathbf f_{i,0}+z_i\cdot \mathbf f_{i,1} = r_i\cdot {\mathbf g}+{\mathbf e}_{i,2} \pmod 1 \text { for some } \mu \in R \text { and }\\&\overline{\mathbf D}_i \leftarrow \texttt {RLWE}.\texttt {Extend}\left( ({\mathbf d}_i,{\mathbf F}_i),\{{\mathbf b}_j\}_{j\in [k]}\right) . \end{aligned}$$

We let \({\mathbf e}_0=\mathbf {0}\) for simplicity. Then for any \(0\le j\le k\), the j-th row of \(\overline{\mathbf D}_i\) satisfies that

$$\begin{aligned} {\mathbf x}_j+z_i\cdot {\mathbf {y}}_j={\mathbf M}_j\cdot (r_i\cdot {\mathbf g}+{\mathbf e}_{i,2})=r_i\cdot {\mathbf b}_j+(r_i\cdot {\mathbf e}_j'+{\mathbf M}_j\cdot {\mathbf e}_{i,2}) \pmod 1 \end{aligned}$$

for the decomposition error \({\mathbf e}_j'\in {\mathbb R}^d\) such that \({\mathbf e}'[\ell ]=\langle {\mathbf g}^{-1}({\mathbf b}_j[\ell ]),{\mathbf g}\rangle -{\mathbf b}_j[\ell ]\) for \(\ell \in [d]\), and

$$\begin{aligned} z_j\cdot {\mathbf d}_i=~&r_iz_j\cdot \mathbf {a}+\mu _i z_j\cdot {\mathbf g}+z_j\cdot {\mathbf e}_{i,1}\\ =~&-r_i\cdot {\mathbf b}_j+\mu _iz_j\cdot {\mathbf g}+(r_i\cdot {\mathbf e}_j+z_j\cdot {\mathbf e}_{i,1}) \pmod 1. \end{aligned}$$

Therefore, the j-th row is decrypted into \(\mu _iz_j\cdot {\mathbf g}+{\mathbf e}_{i,j}\) for the GSW extension error \({\mathbf e}_{i,j}=r_i\cdot ({\mathbf e}_j+{\mathbf e}_j')+z_j\cdot {\mathbf e}_{i,1}+{\mathbf M}_j\cdot {\mathbf e}_{i,2}\).

Its variance is bounded by

$$\begin{aligned} V_{exp}\le (N/2)\epsilon ^2+(1+d\cdot V_B) \cdot N\beta ^2 \end{aligned}$$

since \(\textsf {Var}(r_i)=\textsf {Var}(z_j)=1/2\), \(\textsf {Var}({\mathbf e}_j)\le \textsf {Var}({\mathbf e}_{i,1})=\textsf {Var}({\mathbf e}_{i,2})=\beta ^2\), \(\textsf {Var}({\mathbf e}_j')=\epsilon ^2\) and \(\textsf {Var}({\mathbf M}_j\cdot {\mathbf e}_{i,2})=d N \cdot V_B\cdot \beta ^2\).

Step 2: Multi-key GSW external product. Let \(\overline{\mathbf c}\) and \(\overline{\mathbf D}\) be multi-key RLWE and RGSW ciphertexts. Suppose that \(\overline{\mathbf D}\) satisfies \(\overline{\mathbf D}\overline{\mathbf z}=\mu \cdot {\mathbf G}_{k+1}\overline{\mathbf z}+\overline{\mathbf e}\) for a plaintext \(\mu \in R\) and an error vector \(\overline{\mathbf e}\). We denote by \(\textsf {VarErr}(\overline{\mathbf D})=\textsf {Var}(\overline{\mathbf e})\). The external product outputs an RLWE ciphertext \(\overline{\mathbf c}'\) satisfying

$$\begin{aligned} \langle \overline{\mathbf c}',\overline{\mathbf z}\rangle&={\mathbf G}_{k+1}^{-1}(\overline{\mathbf c})\cdot \overline{\mathbf D}\overline{\mathbf z}\pmod 1\\&= {\mathbf G}_{k+1}^{-1}(\overline{\mathbf c})\cdot (\mu \cdot {\mathbf G}_{k+1}\overline{\mathbf z}+\overline{\mathbf e}) \pmod 1\\&=\mu \cdot \langle \overline{\mathbf c},\overline{\mathbf z}\rangle +\left( \mu \cdot \langle \overline{\mathbf e}',\overline{\mathbf z}\rangle +{\mathbf G}^{-1}_{k+1}(\overline{\mathbf c})\cdot \overline{\mathbf e}\right) \pmod 1 \end{aligned}$$

for the decomposition error \(\overline{\mathbf e}'={\mathbf G}_{k+1}^{-1}(\overline{\mathbf c})\cdot {\mathbf G}_{k+1}-\overline{\mathbf c}\). Therefore, the variance of external product error \(e_{ep}=\mu \cdot \langle \overline{\mathbf e}',\overline{\mathbf z}\rangle +{\mathbf G}^{-1}_{k+1}(\overline{\mathbf c})\cdot \overline{\mathbf e}\) is

$$\begin{aligned} V_{ep}=\mu ^2\cdot \epsilon ^2(1+kN/2)+(k+1)dN \cdot V_B\cdot \textsf {VarErr}(\overline{\mathbf D}) \end{aligned}$$

since \(\textsf {Var}(\overline{\mathbf e}')=\epsilon ^2\) and \(\textsf {Var}({\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}))=V_B\).

In our case, \(\overline{\mathbf D}=\overline{\mathbf D}_i\) is an extended RGSW ciphertext whose error variance is \(V_{exp}\le (N/2)\epsilon ^2+(1+d\cdot V_B)\cdot N\beta ^2\). As a result, our first method returns a ciphertext whose noise variance is

$$\begin{aligned} V_1=\mu _i^2\cdot \epsilon ^2(1+kN/2)+(k+1)dN\cdot V_B\cdot V_{exp}. \end{aligned}$$

In our MKHE scheme, the decomposition error \(\epsilon ^2\) can be easily controlled. Hence the extension error is mainly dominated by \(V_{exp}\approx dN\cdot V_B\cdot \beta ^2\). Similarly, the noise of hybrid product is dominated by \(V_1\approx (k+1) dN\cdot V_B\cdot V_{exp}\approx (k+1)d^2\cdot N^2\cdot V_B^2\cdot \beta ^2\).

Hybrid Product Method 2. As shown earlier, the output \(\overline{\mathbf c}'\) of the second multiplication algorithm satisfies \(\langle \overline{\mathbf c}',\overline{\mathbf z}\rangle =\sum _{j=0}^ku_j\cdot z_j+\sum _{j=0}^k(w_{j,0}+w_{j,1}\cdot z_i)\). The first term is

$$\begin{aligned}&\sum _{j=0}^k u_j\cdot z_j=\sum _{j=0}^k \left\langle {{\mathbf g}^{-1}(c_j),r_i\cdot \mathbf {a}+\mu _i\cdot {\mathbf g}+{\mathbf e}_{i,1}}\right\rangle \cdot z_j \pmod 1\\=\,&\mu _i\cdot \langle \overline{\mathbf c},\overline{\mathbf z}\rangle +\mu _i \cdot e'+r_i\cdot \sum _{j=0}^k \langle {\mathbf g}^{-1}(c_j),z_j\cdot \mathbf {a}\rangle +\sum _{j=0}^k \langle {\mathbf g}^{-1}(c_j),{\mathbf e}_{i,1}\rangle \cdot z_j \pmod 1\\ =\,&\mu _i\cdot \langle \overline{\mathbf c},\overline{\mathbf z}\rangle -r_i\cdot \sum _{j=0}^k v_j+\mu _i\cdot e'+r_i\cdot \sum _{j=0}^k\langle {\mathbf g}^{-1}(c_j),{\mathbf e}_j\rangle +\left\langle {\sum _{j=0}^kz_j\cdot {\mathbf g}^{-1}(c_j),{\mathbf e}_{i,1}}\right\rangle \end{aligned}$$

for the decomposition error \(e'=\sum _{j=0}^k\left( \langle {\mathbf g}^{-1}(c_j),{\mathbf g}\rangle -c_j\right) \cdot z_j\), while the second term is

$$\begin{aligned}&\sum _{j=0}^k (w_{j,0}+w_{j,1}z_i)=\sum _{j=0}^k \langle {\mathbf g}^{-1}(v_j),\mathbf f_{i,0}+z_i\cdot \mathbf f_{i,1}\rangle \pmod 1\\ =&\sum _{j=0}^k\langle {\mathbf g}^{-1}(v_j),r_i\cdot {\mathbf g}+{\mathbf e}_{i,2}\rangle =r_i\cdot \sum _{j=0}^kv_j+r_i\cdot e''+\left\langle \sum _{j=0}^k{\mathbf g}^{-1}(v_j),{\mathbf e}_{i,2}\right\rangle \pmod 1 \end{aligned}$$

for \(e''=\sum _{j=0}^k\left( \langle {\mathbf g}^{-1}(v_j),{\mathbf g}\rangle -v_j\right) \). Note that \(\textsf {Var}(e')=\epsilon ^2 (1+kN/2)\) and \(\textsf {Var}(e'')=\epsilon ^2(k+1)\).

Therefore, the noise of \(\overline{\mathbf c}'\) is

$$\begin{aligned} \mu _i\cdot e'+r_i\cdot \sum _{j=0}^k\langle {\mathbf g}^{-1}(c_j),{\mathbf e}_j\rangle +\left\langle {\sum _{j=0}^kz_j\cdot {\mathbf g}^{-1}(c_j),{\mathbf e}_{i,1}}\right\rangle +r_i\cdot e''+\left\langle \sum _{j=0}^k{\mathbf g}^{-1}(v_j),{\mathbf e}_{i,2}\right\rangle , \end{aligned}$$

and its variance

$$\begin{aligned} V_2 = \mu _i^2 N\epsilon ^2(1+kN/2)+(N^2/2)(k+1) V_B \beta ^2+dN (1+kN/2) V_B \beta ^2\\ +\,(N/2)\epsilon ^2(k+1)+(k+1)N V_B \beta ^2, \end{aligned}$$

is dominated by \(V_2\approx \frac{1}{2}(kd+k+1)\cdot N^2\cdot V_B\cdot \beta ^2\).

Rounding Error. In (2-2), we compute \(\tilde{b}=\lfloor {2N\cdot b'}\rceil \) and \(\tilde{\mathbf {a}}_i=\lfloor {2N\cdot \mathbf {a}_i'}\rceil \). We assume that each of the rounding errors behaves like a uniform random variable on the interval \({\mathbb R}\pmod {1}=(-0.5,0.5]\). Therefore, the total rounding error \((\tilde{b}-\lfloor {2N\cdot b'}\rceil )+\sum _{j=1}^k \langle \tilde{\mathbf {a}}_j-\lfloor {2N\cdot \mathbf {a}_j'}\rceil , {\mathbf s}_j\rangle \) has the variance of \(\frac{1}{12}\left( 1+kn/2\right) \).

Mux Gate. Suppose that \(\overline{\mathbf c}_0,\overline{\mathbf c}_1\) are RLWE ciphertexts and \(\overline{\mathbf C}\) is an RGSW encryption of \(\mu \in \{0,1\}\) with error \(\overline{\mathbf e}\). The mux gate is to compute \(\overline{\mathbf c}=\overline{\mathbf c}_0+\texttt {RLWE}.\texttt {Prod}(\overline{\mathbf c}_1-\overline{\mathbf c}_0, \overline{\mathbf C})\) to choose \(\overline{\mathbf c}_\mu \) homomorphically:

$$\begin{aligned} \langle \overline{\mathbf c}, \overline{\mathbf z}\rangle&=\langle \overline{\mathbf c}_0, \overline{\mathbf z}\rangle +{\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\cdot (\mu \cdot {\mathbf G}_{k+1}\overline{\mathbf z}+\overline{\mathbf e}) \pmod 1\\&=(1-\mu )\cdot \langle \overline{\mathbf c}_0,\overline{\mathbf z}\rangle +\mu \cdot \langle \overline{\mathbf c}_1,\overline{\mathbf z}\rangle +\left( \mu \cdot \langle \overline{\mathbf e}',\overline{\mathbf z}\rangle +{\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\cdot \overline{\mathbf e}\right) \pmod 1, \end{aligned}$$

for the decomposition error \(\overline{\mathbf e}'={\mathbf G}_{k+1}^{-1}(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\cdot {\mathbf G}_{k+1}-(\overline{\mathbf c}_1-\overline{\mathbf c}_0)\). The noise has the variance of \(\mu ^2\cdot \epsilon ^2(1+kN/2)+(k+1)dN\cdot V_B\cdot \textsf {VarErr}(\overline{\mathbf C})\), exactly the same as external product.

Accumulation. The initial RLWE ciphertext has no noise. All bootstrapping keys \(\overline{\mathbf C}_{i,\ell }\) have the same variance of noise \(\textsf {VarErr}(\overline{\mathbf C}_{i,\ell })=(N/2)\epsilon ^2+(1+N+dNV_B)\beta ^2\) from the expansion algorithm. We recursively evaluate the mux gate \(k\cdot n\) times and an encrypted secret \(s_{i,\ell }\) is sampled uniformly from \(\{0,1\}\). Therefore, the output of accumulator has an error of variance

$$\begin{aligned} \frac{1}{2}kn\cdot \epsilon ^2(1+kN/2)+(k+1)kdnN\cdot V_B\cdot \left( (N/2)\epsilon ^2+(1+N+dNV_B)\beta ^2\right) .\end{aligned} \tag{1}$$

Multi-key Switching. Let \(\overline{\mathsf {ct}}=(b,\mathbf {a}_1,\dots ,\mathbf {a}_k)\) be an input LWE ciphertext and \(\overline{\mathsf {ct}}'=(b',\mathbf {a}_1',\dots ,\mathbf {a}_k')\) be the output of multi-key-switching algorithm. Then, we have

$$\begin{aligned} \langle \overline{\mathsf {ct}}',(1,\overline{\mathbf s})\rangle&= b+\sum _{i=1}^k (b_i'+\langle \mathbf {a}_i',{\mathbf s}_i\rangle ) \pmod 1\\&= b+\sum _{i=1}^k\sum _{j=1}^N \langle {\mathbf g}'^{-1}(a_{i,j}), t_{i,j}\cdot {\mathbf g}' +{\mathbf e}_{i,j}\rangle \pmod 1 \\&= \langle \overline{\mathsf {ct}},(1,\overline{\mathbf t})\rangle +\sum _{i=1}^k\sum _{j=1}^N \left( t_{i,j}\cdot e_{i,j}'+\langle {\mathbf g}'^{-1}(a_{i,j}), {\mathbf e}_{i,j}\rangle \right) \pmod 1 \end{aligned}$$

for the decomposition error \(e_{i,j}'=\langle {\mathbf g}'^{-1}(a_{i,j}),{\mathbf g}\rangle -a_{i,j}\). As a result, the variance of a multi-key-switching error \(e_{ks}=\sum _{i=1}^k\sum _{j=1}^N \left( t_{i,j}\cdot e_{i,j}'+\langle {\mathbf g}'^{-1}(a_{i,j}), {\mathbf e}_{i,j}\rangle \right) \) is obtained by

$$\begin{aligned} \textsf {Var}(e_{ks})=kN\left( \frac{1}{2}\epsilon '^2+d' \cdot V_{B'} \cdot \alpha ^2\right) . \end{aligned} \tag{2}$$

We note that this term does not include the error of input LWE ciphertext. If \(\langle \mathsf {ct}',(1,\overline{\mathbf t})\rangle =\frac{1}{4}m+e \pmod 1\) for a bit \(m\in \{0,1\}\) and an error \(e\in {\mathbb R}\), then \(\mathsf {ct}'\) will be an encryption of the same message m with error \(e'=e+e_{ks}\).

Multi-key Switching (Modified). Different from the previous algorithm, the key-switching key of the i-th party consists of LWE encryptions of \(a \cdot B'^\ell \cdot t_{i,j}\) for \(1\le j\le N\), \(0\le \ell <d'\) and \(a\in {\mathbb Z}_{B'}\) encrypted under the secret \({\mathbf s}_i\). For an input LWE ciphertext \(\overline{\mathsf {ct}}=(b,\mathbf {a}_1,\dots ,\mathbf {a}_k)\), the (modified) multi-key switching algorithm computes \({\mathbf g}'^{-1}(a_{i,j})=(a_{i,j,\ell })_{0\le \ell <d'}\) for each \(1\le i\le k\) and \(1\le j\le N\), and then compute the summation of LWE encryptions of \(a_{i,j,\ell }\cdot B'^\ell \cdot t_{i,j}\) for \(1\le i\le k\), \(1\le j\le N\) and \(0\le \ell <d'\). Therefore, the output ciphertext \(\overline{\mathsf {ct}}'\) satisfies that

$$\begin{aligned} \langle \overline{\mathsf {ct}}',(1,\overline{\mathbf s})\rangle&=b+\sum _{i=1}^k\sum _{j=1}^N\sum _{\ell =0}^{d'-1}{\mathbf g}'^{-1}(a_{i,j})[\ell ]\cdot B'^\ell \cdot t_{i,j} +e_{i,j,a_{i,j,\ell }}\pmod 1\\&=b+\sum _{i=1}^k\sum _{j=1}^N (a_{i,j}+e_{i,j}')\cdot t_{i,j}+\sum _{i=1}^k\sum _{j=1}^N\sum _{\ell =0}^{d'-1} e_{i,j,a_{i,j,\ell }} \pmod 1\\&= \langle \overline{\mathsf {ct}},(1,\overline{\mathbf t})\rangle +\left( \sum _{i=1}^k\sum _{j=1}^N t_{i,j}\cdot e_{i,j}'+\sum _{i=1}^k \sum _{j=1}^N\sum _{\ell =0}^{d'-1} e_{i,j,a_{i,j,\ell }}\right) \pmod 1,\end{aligned}$$

for the decomposition error \(e_{i,j}'=\langle {\mathbf g}'^{-1}(a_{i,j}),{\mathbf g}'\rangle -a_{i,j}\). As a result, the variance of a multi-key-switching error \(e_{ks}=\sum _{i=1}^k\sum _{j=1}^N t_{i,j}\cdot e_{i,j}'+\sum _{i=1}^k \sum _{j=1}^N\sum _{\ell =0}^{d'-1} e_{i,j,a_{i,j,\ell }}\) is obtained by

$$\begin{aligned} \textsf {Var}(e_{ks})=kN\left( \frac{1}{2}\epsilon _{\mathbf K}^2+d'\alpha ^2\right) ,\end{aligned} \tag{3}$$

which is smaller than that of standard key-switching error (2).

Bootstrapping. The bootstrapping noise is simply the sum of the accumulation and multi-key-switching errors so that it has the variance of (1) + (3).
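The variance formulas of this appendix, written out as a small calculator so the two hybrid products and the bootstrapping budget (1) + (3) can be compared for a given number of parties k. This is an added example, not code from the paper or the TFHE library; the values in `DEMO` are constructed for illustration and are not the paper's parameter sets, and `eps_K2` stands for the \(\epsilon _{\mathbf K}^2\) of (3), taken as an input because this appendix does not define it.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Params:
    N: int        # RLWE ring degree
    n: int        # LWE dimension
    B: int        # decomposition base
    d: int        # decomposition degree
    beta: float   # Var(e_{i,1}) = Var(e_{i,2}) = beta^2
    Bp: int       # key-switching base B'
    dp: int       # key-switching degree d'
    alpha: float  # key-switching key noise, variance alpha^2


# Constructed values for illustration only (assumption, not the paper's sets).
DEMO = Params(N=1024, n=500, B=16, d=8, beta=2.0**-32,
              Bp=4, dp=8, alpha=2.0**-15)


def v_b(B):
    """Closed form V_B from the text (odd and even base)."""
    return Fraction(B * B - 1, 12) if B % 2 else Fraction(B * B + 2, 12)


def v_b_enumerated(B):
    """Mean square over Z ∩ (-B/2, B/2], computed by listing the digits."""
    digits = [x for x in range(-B, B + 1) if -B < 2 * x <= B]
    return Fraction(sum(x * x for x in digits), len(digits))


def eps2(B, d):
    """Variance of a uniform variable on (-B^-d / 2, B^-d / 2]."""
    return 1.0 / (12.0 * float(B) ** (2 * d))


def v_exp(p):
    """Bound on the extension error (Method 1, step 1)."""
    vb = float(v_b(p.B))
    return (p.N / 2) * eps2(p.B, p.d) + (1 + p.d * vb) * p.N * p.beta**2


def v1(p, k, mu2=1.0):
    """Noise variance V_1 of hybrid product Method 1 (mu2 is mu_i^2)."""
    vb = float(v_b(p.B))
    return (mu2 * eps2(p.B, p.d) * (1 + k * p.N / 2)
            + (k + 1) * p.d * p.N * vb * v_exp(p))


def v2(p, k, mu2=1.0):
    """Noise variance V_2 of hybrid product Method 2, all five terms."""
    e2, vb, b2, N, d = eps2(p.B, p.d), float(v_b(p.B)), p.beta**2, p.N, p.d
    return (mu2 * N * e2 * (1 + k * N / 2) + (N * N / 2) * (k + 1) * vb * b2
            + d * N * (1 + k * N / 2) * vb * b2
            + (N / 2) * e2 * (k + 1) + (k + 1) * N * vb * b2)


def v1_dominant(p, k):
    return (k + 1) * p.d**2 * p.N**2 * float(v_b(p.B))**2 * p.beta**2


def v2_dominant(p, k):
    return 0.5 * (k * p.d + k + 1) * p.N**2 * float(v_b(p.B)) * p.beta**2


def accumulation(p, k):
    """Equation (1): k*n mux gates with the bootstrapping keys."""
    e2, vb = eps2(p.B, p.d), float(v_b(p.B))
    var_bk = (p.N / 2) * e2 + (1 + p.N + p.d * p.N * vb) * p.beta**2
    return (0.5 * k * p.n * e2 * (1 + k * p.N / 2)
            + (k + 1) * k * p.d * p.n * p.N * vb * var_bk)


def keyswitch_standard(p, k):
    """Equation (2)."""
    vbp = float(v_b(p.Bp))
    return k * p.N * (0.5 * eps2(p.Bp, p.dp) + p.dp * vbp * p.alpha**2)


def keyswitch_modified(p, k, eps_K2):
    """Equation (3); eps_K2 is supplied by the caller."""
    return k * p.N * (0.5 * eps_K2 + p.dp * p.alpha**2)


def bootstrapping(p, k, eps_K2):
    """Bootstrapping noise variance, (1) + (3)."""
    return accumulation(p, k) + keyswitch_modified(p, k, eps_K2)


if __name__ == "__main__":
    for k in (1, 2, 4, 8):
        print(k, v1(DEMO, k), v2(DEMO, k),
              bootstrapping(DEMO, k, eps2(DEMO.Bp, DEMO.dp)))
```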


Copyright information

© 2019 International Association for Cryptologic Research


Cite this paper

Chen, H., Chillotti, I., Song, Y. (2019). Multi-Key Homomorphic Encryption from TFHE. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science, vol 11922. Springer, Cham. https://doi.org/10.1007/978-3-030-34621-8_16


  • DOI: https://doi.org/10.1007/978-3-030-34621-8_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34620-1

  • Online ISBN: 978-3-030-34621-8

  • eBook Packages: Computer Science, Computer Science (R0)
