Abstract
In this paper we propose Fasta, a stream cipher design optimised for implementation over popular fully homomorphic encryption schemes. A number of symmetric encryption ciphers have been recently proposed for FHE applications, e.g. the block cipher LowMC, and the stream ciphers Rasta (and variants), FLIP and Kreyvium. The main design criterion employed in these ciphers has typically been to minimise the multiplicative complexity of the algorithm. However, other aspects affecting their efficient evaluation over common FHE libraries are often overlooked, compromising their real-world performance. Whilst Fasta may also be considered as a variant of Rasta, it has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. This results in a speedup by a factor of 25 compared to the most efficient publicly available implementation of Rasta. Fasta ’s target is BGV, as implemented in HElib. However the design ideas introduced in the cipher could also be potentially employed to achieve improvements in the homomorphic evaluation in other popular FHE schemes/libraries. We do consider such alternatives in this paper (e.g. BFV and BGVrns, as implemented in SEAL and PALISADE), but argue that, unlike BGV in HElib, it is more challenging to make use of their parallelism in a Rasta-like stream cipher design.
Notes
1. To avoid confusion between symmetric and FHE ciphertexts, we will normally use an asterisk “*” as a superscript on any literal denoting a FHE ciphertext.
2. Strictly speaking, the result will in fact be a ciphertext which will decrypt to P under the FHE private key sk.
3. The designers also mention in [DEG+18] the technical report “Algebraic cryptanalysis of RASTA”, by Bile, Perret and Faugère. However, we were unable to locate this work publicly.
4. The \(\mathsf {mul}\) function was optimised in HElib in March 2018; the earlier name for the same function was \(\mathsf {matMul}\) [HS18].
5. See [HPS18] for a discussion on the very similar BFVrns scheme.
6. Since Fasta has a 1645-bit state, this sets the maximum length of the keystream generated under the same key to \(2^{64}\) bits.
References
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, version 3.0, January 2011. https://keccak.team/files/Keccak-reference-3.0.pdf
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS’12, pp. 309–325. ACM, New York (2012)
Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_16
Cheon, J.H., Han, K., Kim, D.: Faster bootstrapping of FHE over the integers. In: Seo, J.H. (ed.) ICISC 2019. LNCS, vol. 11975, pp. 242–259. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40921-0_15
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
Daemen, J.: Cipher and hash function design, strategies based on linear and differential cryptanalysis. Ph.D. thesis. K.U. Leuven (1995). http://jda.noekeon.org/
Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22
Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: CIMINION: symmetric encryption based on Toffoli-gates over large finite fields. Cryptology ePrint Archive, Report 2021/267 (2021). https://ia.cr/2021/267
Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Framework for hybrid homomorphic encryption (2021). https://github.com/IAIK/hybrid-HE-framework
Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Pasta: a case for hybrid homomorphic encryption. Cryptology ePrint Archive, Report 2021/731 (2021). https://ia.cr/2021/731
Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17
Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC’02: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83, July 2002
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC’09, pp. 169–178. ACM, New York (2009)
Ha, J., et al.: Masta: an HE-friendly cipher using modular arithmetic. IEEE Access 8, 194741–194751 (2020)
Hebborn, P., Leander, G.: Dasta - alternative linear layer for Rasta. IACR Trans. Symmetric Cryptol. 2020(3), 46–86 (2020)
Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. Cryptology ePrint Archive, Report 2018/117 (2018). https://eprint.iacr.org/2018/117
Halevi, S., Shoup, V.: Faster homomorphic linear transformations in HElib. Cryptology ePrint Archive, Report 2018/244 (2018). https://eprint.iacr.org/2018/244
Halevi, S., Shoup, V.: Design and implementation of HElib: a homomorphic encryption library. Cryptology ePrint Archive, Report 2020/1481 (2020). https://eprint.iacr.org/2020/1481
Liu, F., Sarkar, S., Meier, W., Isobe, T.: Algebraic attacks on Rasta and Dasta using low-degree equations. Cryptology ePrint Archive, Report 2021/474 (2021). https://eprint.iacr.org/2021/474
Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13
PALISADE - An Open-Source Lattice Crypto Software Library. https://palisade-crypto.org/
Polyakov, Y., Rohloff, K., Ryan, G.W., Cousins, D.: PALISADE Lattice Cryptography Library User Manual (v1.11.2) (2021). https://eprint.iacr.org/2018/117
Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation, pp. 169–179. Academia Press (1978)
Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., De Win, E.: The cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 99–111. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_47
Stoffelen, K., Daemen, J.: Column parity mixers. IACR Trans. Symmetric Cryptol. 2018(1), 126–159 (2018)
Microsoft SEAL (release 3.6). Microsoft Research, Redmond, November 2020. https://github.com/Microsoft/SEAL
Acknowledgements
We wish to thank Joan Daemen for helpful advice and discussions on column parity mixers in the early stage of this work.
Appendices
A Matrix Structure of Rotation-Based Linear Transformations
To observe and study the structure of rotation-based linear transformation matrices introduced in Sect. 3.1, we recall the steps for constructing a rotation-based linear transformation acting on b s-bit words \(w_0,\ldots ,w_{b-1}\).
1. Define a column parity mixer based on a \(\varTheta \) operation using rotations of low amounts (compared to the word length s; see Fig. 3).
2. Apply rotations to the words \(w_i\) between applications of the column parity mixer.
3. Iterate applications of column parity mixers with rotations in between, as many times as needed until the entire cipher state is affected.
To describe the structure of (binary) matrices defined as above, it is helpful to consider rotation-based linear transformations as operations over the module \(\mathcal {R}^b\), where \(\mathcal {R}\) is the ring \(\mathbb {F}_2[X]/(X^s+1)\). In this case, each \(w_i\) can be considered as a polynomial \(w_i(X) = a_{s-1}X^{s-1} + \ldots + a_2 X^2 + a_1 X + a_0\), where \(a_j \in \mathbb {F}_2\). Note that the XOR of two words \(w_i, w_j\) corresponds to addition in \(\mathcal {R}\), while the rotation operation \(w_i<<r \) corresponds to the multiplication of \(w_i(X)\) by \(X^r\).
Then let \(\boldsymbol{w}=(w_0,\ldots ,w_{b-1}) \in \mathcal {R}^b\) be the input of a rotation-based linear transformation L defined as above. The application of a column parity mixer based on a \(\varTheta \) operation using rotations/XORs (step 1) corresponds to:
(i) \((w_0,\ldots ,w_{b-1}) \mapsto (w_0 + \ldots + w_{b-1}) = w \in \mathcal {R}\)
(ii) \( w \mapsto w \cdot p_{\varTheta }\), where \(p_{\varTheta } \in \mathcal {R}\) is a polynomial defined by the rotations and XOR operations in \({\varTheta }\).
(iii) \(w \cdot p_{\varTheta } \mapsto (w_0 + w \cdot p_{\varTheta },\ldots ,w_{b-1} + w \cdot p_{\varTheta }) \in \mathcal {R}^b\).
Thus application of a column parity mixer operation on \(\boldsymbol{w}=(w_0,\ldots ,w_{b-1}) \in \mathcal {R}^b\) can be represented as a matrix over \(\mathcal {R}\) given by
Likewise, the application of rotations \(<<r_i\) to the individual words \(w_i\) of the state (step 2) can be represented as a matrix
where \(v = (r_0, r_1, \ldots , r_{b-1})\). These two operations are then iterated n times, using different \(\varTheta _i\) and word rotations \(v_i = (r_0, \ldots, r_{b-1})\) (step 3). It follows that the matrix M representing a rotation-based linear transformation over \(\mathcal {R}^b\) can be defined as
Every entry of M is a univariate polynomial of degree at most \(s-1\). Note that the multiplication of \(w_i \in \mathcal {R}\) by a polynomial \(p \in \mathcal {R}\), when considered as a \(\mathbb {F}_2\)-linear transformation, can be represented as a binary circulant matrix. It follows that, when considered as a \(\mathbb {F}_2\)-linear transformation acting on the state block \(\boldsymbol{w} \in (\mathbb {F}_2)^{bs}\), the \(bs\times bs\) matrix M realising a rotation-based linear transformation L, with \(L(\boldsymbol{w})=\boldsymbol{w}M\), can be decomposed into \(b^2\) sub-matrices as described in Proposition 1.
For example, in Fasta we have \(b=5\) and \(s=329\). Moreover, \(\varTheta \) can be realised by multiplication by the polynomial \(p_{\varTheta } = X^{r_3} + X^{r_2} + X^{r_1} + 1\) (where \(1 \le r_1 \le 3\), \(4 \le r_2 \le 6\), and \(7 \le r_3 \le 9\); refer to Fig. 6), and the word rotation operations \(R_v\) are defined as given in Fig. 7. Four iterations are required to generate the matrix M. As discussed in Sect. 4, these choices ensure that the matrices \(P_{\varTheta }, R_v\), and as a consequence M, are invertible. An example of such a matrix M generated following this method can be seen in Fig. 9a. Each of the 25 blocks is a \(329 \times 329\) circulant matrix over \(\mathbb {F}_2\).
For the purpose of comparison, we also include the matrix for a linear transformation realising five parallel calls to Rasta with same parameters (Fig. 9b). In this case, the resulting linear transformation can be represented as a block diagonal matrix, with random \(329 \times 329\) sub-matrices in the diagonal, and all zero matrices elsewhere.
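As an added example (not code from the paper), the following Python evaluates a rotation-based linear transformation with the Fasta parameters in two ways: directly with rotations and XORs (steps 1 to 3 above), and through the \(5\times 5\) matrix M over \(\mathcal {R}=\mathbb {F}_2[X]/(X^{329}+1)\) built as the product of the \(P_{\varTheta }\) and \(R_v\) matrices; each entry of M is a ring element, i.e. the first row of one \(329\times 329\) circulant block. The \(\varTheta \) rotation amounts lie in the ranges stated above, while the word-rotation amounts and the input state are constructed here, since Fig. 7 is not reproduced on this page.

```python
import random
from functools import reduce
from operator import xor

B_WORDS, S_BITS = 5, 329               # Fasta: b = 5 words of s = 329 bits
MASK = (1 << S_BITS) - 1

def rotl(a, r):
    """w << r on an s-bit word, i.e. w(X) * X^r in R = F2[X]/(X^s + 1); 0 <= r < s."""
    return ((a << r) | (a >> (S_BITS - r))) & MASK
def ring_mul(a, p):
    """Product in R; bit j of an int holds the coefficient a_j of X^j."""
    out = 0
    while p:
        j = (p & -p).bit_length() - 1  # lowest set bit of p
        out ^= rotl(a, j)
        p &= p - 1
    return out
def theta_poly(r1, r2, r3):            # p_Theta = X^r3 + X^r2 + X^r1 + 1
    return (1 << r3) | (1 << r2) | (1 << r1) | 1

def linear_layer(words, rounds):
    """Direct evaluation: column parity mixer, then word rotations, iterated."""
    for p_theta, v in rounds:
        parity = reduce(xor, words, 0)                  # (i)   w = w_0 + ... + w_{b-1}
        t = ring_mul(parity, p_theta)                   # (ii)  w * p_Theta
        words = [w ^ t for w in words]                  # (iii) added to every word
        words = [rotl(w, r) for w, r in zip(words, v)]  # step 2: word rotations
    return words

def mat_mul(A, C):                     # matrix product over R
    n = len(A)
    return [[reduce(xor, (ring_mul(A[i][m], C[m][k]) for m in range(n)), 0)
             for k in range(n)] for i in range(n)]

def layer_matrix(rounds, b=B_WORDS):
    """M = P_Theta1 R_v1 ... P_Theta_n R_vn over R, row-vector convention L(w) = w M."""
    M = [[int(i == k) for k in range(b)] for i in range(b)]
    for p_theta, v in rounds:
        P = [[p_theta ^ int(i == k) for k in range(b)] for i in range(b)]     # I + J p_Theta
        R = [[(1 << v[k]) * int(i == k) for k in range(b)] for i in range(b)]  # diag(X^r_k)
        M = mat_mul(mat_mul(M, P), R)
    return M

def apply_matrix(words, M):            # w M: output word k is sum_i w_i * M[i][k]
    return [reduce(xor, (ring_mul(w, row[k]) for w, row in zip(words, M)), 0)
            for k in range(len(M))]

# Constructed instance: Theta rotations inside the stated ranges; the word-rotation
# amounts are made up here, since Fig. 7 is not reproduced on the page.
ROUNDS = [(theta_poly(1, 4, 7), (0, 13, 71, 150, 260)),
          (theta_poly(2, 5, 9), (17, 0, 99, 215, 300)),
          (theta_poly(3, 6, 8), (45, 120, 0, 33, 178)),
          (theta_poly(1, 6, 7), (211, 66, 142, 0, 5))]
M_FASTA = layer_matrix(ROUNDS)
STATE = list(map(random.Random(1).getrandbits, [S_BITS] * B_WORDS))  # constructed input
```

Feeding a single set bit in word i through `linear_layer` returns, in output word k, the entry `M_FASTA[i][k]` rotated by that bit position, which is exactly the circulant structure of the \(b^2\) sub-matrices.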
B Mapping \(\alpha _j\) to Rotation Values and Round Constants
Let \(r_1^{(t)}\), \(r_2^{(t)}\) and \(r_3^{(t)}\) be the rotation amounts used in \(\varTheta \) in iteration t, for \(1\le t\le 4\). There are then 24 rotation amounts that need to be decided from \(\alpha _j\). The \(r_1^{(t)}\) and \(r_2^{(t)}\) can take 3 values each, and \(r_3^{(t)}\) is computed from these, for a total of nine different instances of \(\varTheta \). Each of the four \(i_*\), \(j_*\) and \(l_*\) values can take 5, 19 and 62 values, respectively. There are therefore \(T=3^8\cdot 5^4\cdot 19^4\cdot 62^4\approx 2^{62.78}\) different instances in the class \(\mathcal {L}\) of rotation-based linear transformations we have defined.
We split \(\alpha _j\) into \(\alpha _j=(\alpha _j^r,\alpha _j^c)\), where \(\alpha _j^r\) is 63 bits and \(\alpha _j^c\) is 1645 bits. The 24 rotation values are computed from \(\alpha _j^r\), as in Algorithm 1. Apart from the \(r_3^{(t)}\) values, what we are essentially doing is first computing \(B=\alpha _j^r\mod T\), and then writing B in a mixed base: the eight least significant digits in base 3, the next four digits in base 5, the next four in base 19, and the four most significant digits in base 62. Keeping in mind that \(r_1^{(t)}\) and \(r_2^{(t)}\) will have 1 and 4 added to them, the rotation amounts can then be read out as the digits of B, written in this mixed base:
After applying the linear transformation, the 1645-bit value \(\alpha _j^c\) is XORed onto the state to produce the affine layer output.
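The mixed-base read-out described above, as an added example that is not the paper's Algorithm 1: the digits of \(B=\alpha _j^r \bmod T\) are extracted least significant first (eight in base 3, then four each in bases 5, 19 and 62), with 1 and 4 added to the \(r_1^{(t)}\) and \(r_2^{(t)}\) digits. Assumed here, because the page does not state it: the eight base-3 digits are taken as \(r_1^{(1..4)}\) followed by \(r_2^{(1..4)}\); the rule deriving \(r_3^{(t)}\) is not on the page and is not computed.

```python
import math

# Mixed base of Appendix B, least significant digit first:
# eight base-3 digits, then four each in bases 5, 19 and 62.
BASES = (3,) * 8 + (5,) * 4 + (19,) * 4 + (62,) * 4
T = math.prod(BASES)                   # |L| = 3^8 * 5^4 * 19^4 * 62^4, about 2^62.78

def to_mixed_base(B):
    """Digits of 0 <= B < T in the mixed base, least significant first."""
    assert 0 <= B < T
    digits = []
    for base in BASES:
        B, d = divmod(B, base)
        digits.append(d)
    return digits

def from_mixed_base(digits):
    """Inverse of to_mixed_base: Horner's rule from the most significant digit."""
    B = 0
    for base, d in zip(reversed(BASES), reversed(digits)):
        B = B * base + d
    return B

def rotation_values(alpha_r):
    """Read the rotation amounts out of the 63-bit alpha_j^r as in Appendix B.
    Assumed here (not stated on the page): the eight base-3 digits give
    r1^(1..4) then r2^(1..4). The r3^(t) rule of Algorithm 1 is not on the
    page and is therefore not computed."""
    assert 0 <= alpha_r < 1 << 63
    d = to_mixed_base(alpha_r % T)
    return {"r1": [x + 1 for x in d[0:4]],     # 1 <= r1^(t) <= 3
            "r2": [x + 4 for x in d[4:8]],     # 4 <= r2^(t) <= 6
            "i": d[8:12],                      # 5 values each
            "j": d[12:16],                     # 19 values each
            "l": d[16:20]}                     # 62 values each
```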
C Standard Linearization-Based Attack Against FASTA
We examine the question of the number of monomials actually occurring in an algebraic description of Fasta, following a similar discussion from [DEG+18].
Let M be the matrix over \(\mathbb {F}_2\) that realises one of Fasta ’s rotation-based linear transformations, let \(x = (x_0, \ldots , x_{1644})\) be the input state and \(A(x) = M \cdot x + c\). From the description of \(\chi \) in the non-linear layer S, one round \(S \circ A(x)\) of Fasta can be described by the following equations (from [DEG+18]):
where the index i denotes the polynomial representing the i-th bit in the cipher block after \(S \circ A(x)\). As the word size is 329, \(i+1\) and \(i+2\) “wrap around”, i.e. they are calculated as \(i-328\) and \(i - 327\) when \(i \bmod 329\) equals 328 or 327. The coefficients of \(S \circ A(x)_i\) are given by
We can see that the term containing the coefficient \(a^i_{j, l}\) contains the only multiplication, meaning it is the only place where the algebraic degree may increase. We only need \(a^i_{j, l} = 1\) for at least one i for the corresponding monomial to be present in the output. We first find the probability that each coefficient \(a^i_{j, l}\) is 0. From the above equations we get
In Sect. 5.1, we found when two entries in M are equal with certainty, due to the rotational structure in M, and when they are considered independent. Put into the context of Eq. 4, we have that two entries \(M_{i+1,j}\) and \(M_{i+2,l}\) are equal when
Otherwise, \(M_{i+1,j}\) and \(M_{i+2,l}\) are considered as independent in our analysis.
The equal entries are split into two cases, depending on whether j or l cross from one sub-matrix to another or not, i.e., to handle “wrap-around” of sub-matrices.
We expect each entry in M to be present with probability one half, following the discussion in Sect. 5.1. This allows us to calculate \( P[a^i_{j, l} = 0]\). We begin with the case where the two entries from M are equal, i.e., in general when \(l=j+1\):
For all independent entries, we get instead:
This last result is the same as expected for any two entries in a random matrix. It follows that the probability that all the coefficients for the product \(x_j \cdot x_l\) are equal to 0 can be estimated as
In other words, at least one of these coefficients is 1 with probability at least \(1 - \left( \frac{5}{8}\right) ^{329}\).
If we consider the monomials of degree 2, it follows that we can expect an average number of monomials in each word \(w_i\) of degree 2 to be at least
We can use the same reasoning we used for monomials of degree 1, giving an expected number of these monomials of \(329 \cdot (1-2^{-329}) \approx 329\). This argument can also be applied to monomials of higher degree. We therefore conclude that the expected number of monomials appearing in the algebraic equations linking the unknowns \(k_0,\ldots ,k_{328}\) to the keystream bits is approximated by U, the maximum possible number of monomials.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Cid, C., Indrøy, J.P., Raddum, H. (2022). FASTA – A Stream Cipher for Fast FHE Evaluation. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_19
DOI: https://doi.org/10.1007/978-3-030-95312-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95311-9
Online ISBN: 978-3-030-95312-6