
FASTA – A Stream Cipher for Fast FHE Evaluation

Conference paper. In: Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Abstract

In this paper we propose Fasta, a stream cipher design optimised for implementation over popular fully homomorphic encryption schemes. A number of symmetric encryption ciphers have been recently proposed for FHE applications, e.g. the block cipher LowMC, and the stream ciphers Rasta (and variants), FLIP and Kreyvium. The main design criterion employed in these ciphers has typically been to minimise the multiplicative complexity of the algorithm. However, other aspects affecting their efficient evaluation over common FHE libraries are often overlooked, compromising their real-world performance. Whilst Fasta may also be considered as a variant of Rasta, it has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. This results in a speedup by a factor of 25 compared to the most efficient publicly available implementation of Rasta. Fasta’s target is BGV, as implemented in HElib. However the design ideas introduced in the cipher could also be potentially employed to achieve improvements in the homomorphic evaluation in other popular FHE schemes/libraries. We do consider such alternatives in this paper (e.g. BFV and BGVrns, as implemented in SEAL and PALISADE), but argue that, unlike BGV in HElib, it is more challenging to make use of their parallelism in a Rasta-like stream cipher design.


Notes

  1. To avoid confusion between symmetric and FHE ciphertexts, we will normally use an asterisk “*” as a superscript on any literal denoting a FHE ciphertext.

  2. Strictly speaking, the result will be in fact a ciphertext which will decrypt to P under the FHE private key sk.

  3. The designers also mention in [DEG+18] the technical report “Algebraic cryptanalysis of RASTA”, by Bile, Perret and Faugère. However we were unable to publicly locate this work.

  4. The \(\mathsf {mul}\) function was optimised in HElib in March 2018; the earlier name for the same function was \(\mathsf {matMul}\) [HS18].

  5. See [HPS18] for a discussion on the very similar BFVrns scheme.

  6. Since Fasta has a 1645-bit state, this sets the maximum length of the keystream generated under the same key to \(2^{64}\) bits.

References

  1. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17

  2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference, version 3.0, January 2011. https://keccak.team/files/Keccak-reference-3.0.pdf

  3. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS’12, pp. 309–325. ACM, New York (2012)

  4. Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_16

  5. Cheon, J.H., Han, K., Kim, D.: Faster bootstrapping of FHE over the integers. In: Seo, J.H. (ed.) ICISC 2019. LNCS, vol. 11975, pp. 242–259. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40921-0_15

  6. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1

  7. Daemen, J.: Cipher and hash function design, strategies based on linear and differential cryptanalysis. Ph.D. thesis. K.U. Leuven (1995). http://jda.noekeon.org/

  8. Dobraunig, C., et al.: Rasta: a cipher with low ANDdepth and few ANDs per bit. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 662–692. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_22

  9. Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: CIMINION: symmetric encryption based on Toffoli-gates over large finite fields. Cryptology ePrint Archive, Report 2021/267 (2021). https://ia.cr/2021/267

  10. Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Framework for hybrid homomorphic encryption (2021). https://github.com/IAIK/hybrid-HE-framework

  11. Dobraunig, C., Grassi, L., Helminger, L., Rechberger, C., Schofnegger, M., Walch, R.: Pasta: a case for hybrid homomorphic encryption. Cryptology ePrint Archive, Report 2021/731 (2021). https://ia.cr/2021/731

  12. Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17

  13. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24

  14. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC’02: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83, July 2002

  15. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC’09, pp. 169–178. ACM, New York (2009)

  16. Ha, J., et al.: Masta: an HE-friendly cipher using modular arithmetic. IEEE Access 8, 194741–194751 (2020)

  17. Hebborn, P., Leander, G.: Dasta - alternative linear layer for Rasta. IACR Trans. Symmetric Cryptol. 2020(3), 46–86 (2020)

  18. Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. Cryptology ePrint Archive, Report 2018/117 (2018). https://eprint.iacr.org/2018/117

  19. Halevi, S., Shoup, V.: Faster homomorphic linear transformations in HElib. Cryptology ePrint Archive, Report 2018/244 (2018). https://eprint.iacr.org/2018/244

  20. Halevi, S., Shoup, V.: Design and implementation of HElib: a homomorphic encryption library. Cryptology ePrint Archive, Report 2020/1481 (2020). https://eprint.iacr.org/2020/1481

  21. Liu, F., Sarkar, S., Meier, W., Isobe, T.: Algebraic attacks on Rasta and Dasta using low-degree equations. Cryptology ePrint Archive, Report 2021/474 (2021). https://eprint.iacr.org/2021/474

  22. Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13

  23. PALISADE - An Open-Source Lattice Crypto Software Library. https://palisade-crypto.org/

  24. Polyakov, Y., Rohloff, K., Ryan, G.W., Cousins, D.: PALISADE Lattice Cryptography Library User Manual (v1.11.2) (2021). https://eprint.iacr.org/2018/117

  25. Rivest, R.L., Adleman, L., Dertouzos, M.L.: On Data Banks and Privacy Homomorphisms. Foundations of Secure Computation, pp. 169–179. Academia Press (1978)

  26. Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., De Win, E.: The cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 99–111. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_47

  27. Stoffelen, K., Daemen, J.: Column parity mixers. IACR Trans. Symmetric Cryptol. 2018(1), 126–159 (2018)

  28. Microsoft SEAL (release 3.6). Microsoft Research, Redmond, November 2020. https://github.com/Microsoft/SEAL


Acknowledgements

We wish to thank Joan Daemen for helpful advice and discussions on column parity mixers in the early stage of this work.

Author information

Corresponding author: Håvard Raddum.

Appendices

A Matrix Structure of Rotation-Based Linear Transformations

To observe and study the structure of rotation-based linear transformation matrices introduced in Sect. 3.1, we recall the steps for constructing a rotation-based linear transformation acting on b s-bit words \(w_0,\ldots ,w_{b-1}\).

  1. Define a column parity mixer based on a \(\varTheta \) operation using rotations of low amounts (compared to the word length s; see Fig. 3).

  2. Apply rotations to the words \(w_i\) between applications of the column parity mixer.

  3. Iterate applications of column parity mixers with rotations in between, as much as needed until the entire cipher state is affected.

To describe the structure of (binary) matrices defined as above, it is helpful to consider rotation-based linear transformations as operations over the module \(\mathcal {R}^b\), where \(\mathcal {R}\) is the ring \(\mathbb {F}_2[X]/(X^s+1)\). In this case, each \(w_i\) can be considered as a polynomial \(w_i(X) = a_{s-1}X^{s-1} + \ldots + a_2 X^2 + a_1 X + 1\), where \(a_j \in \mathbb {F}_2\). Note that the XOR operation of two words \(w_i, w_j\) corresponds to addition in \(\mathcal {R}\), while the rotation operation \(w_i \ll r\) corresponds to the multiplication of \(w_i(X)\) by \(X^r\).

Then let \(\boldsymbol{w}=(w_0,\ldots ,w_{b-1}) \in \mathcal {R}^b\) be the input of a rotation-based linear transformation L defined as above. The application of a column parity mixer based on a \(\varTheta \) operation using rotations/XORs (step 1) corresponds to:

  (i) \((w_0,\ldots ,w_{b-1}) \mapsto (w_0 + \ldots + w_{b-1}) = w \in \mathcal {R}\)

  (ii) \( w \mapsto w \cdot p_{\varTheta }\), where \(p_{\varTheta } \in \mathcal {R}\) is a polynomial defined by the rotations and XOR operations in \({\varTheta }\).

  (iii) \(w \cdot p_{\varTheta } \mapsto (w_0 + w \cdot p_{\varTheta },\ldots ,w_{b-1} + w \cdot p_{\varTheta }) \in \mathcal {R}^b\).

Thus application of a column parity mixer operation on \(\boldsymbol{w}=(w_0,\ldots ,w_{b-1}) \in \mathcal {R}^b\) can be represented as a matrix over \(\mathcal {R}\) given by

$$ P_{\varTheta } = \begin{pmatrix} p_{\varTheta } + 1 & p_{\varTheta } & \ldots & p_{\varTheta }\\ p_{\varTheta } & p_{\varTheta } + 1 & \ldots & p_{\varTheta }\\ \vdots & \vdots & \ddots & \vdots \\ p_{\varTheta } & p_{\varTheta } & \ldots & p_{\varTheta } + 1 \end{pmatrix} $$

Likewise, the application of rotations \(\ll r_i\) to the individual words \(w_i\) of the state (step 2) can be represented as a matrix

$$ R_v = \begin{pmatrix} X^{r_0} & 0 & \ldots & 0\\ 0 & X^{r_1} & \ldots & 0\\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \ldots & X^{r_{b-1}} \end{pmatrix}, $$

where \(v = (r_0, r_1, \ldots , r_{b-1})\). These two operations are then iterated n times, using different \(\varTheta _i\) and word rotations \(v_i = (r_0, \ldots, r_{b-1})\) (step 3). It follows that the matrix M representing a rotation-based linear transformation over \(\mathcal {R}^b\) can be defined as

$$ M = P_{\varTheta _1} \cdot R_{v_1} \cdot P_{\varTheta _2} \cdot R_{v_2} \cdot \ldots \cdot R_{v_{n-1}} \cdot P_{\varTheta _n} $$

Every entry of M is a univariate polynomial of degree at most \(s-1\). Note that the multiplication of \(w_i \in \mathcal {R}\) by a polynomial \(p \in \mathcal {R}\), when considered as a \(\mathbb {F}_2\)-linear transformation, can be represented as a binary circulant matrix. It follows that, when considered as a \(\mathbb {F}_2\)-linear transformation acting on the state block \(\boldsymbol{w} \in (\mathbb {F}_2)^{bs}\), the \(bs\times bs\) matrix M realising a rotation-based linear transformation L, with \(L(\boldsymbol{w})=\boldsymbol{w}M\), can be decomposed into \(b^2\) sub-matrices as described in Proposition 1.

For example in Fasta, we have \(b=5\) and \(s=329\). Moreover, \(\varTheta \) can be realised by multiplication by the polynomial \(p_{\varTheta } = X^{r_3} + X^{r_2} + X^{r_1} + 1\) (where \(1 \le r_1 \le 3\), \(4 \le r_2 \le 6\), and \(7 \le r_3 \le 9\); refer to Fig. 6), and the word rotation operations \(R_v\) are defined as given in Fig. 7. Four iterations are required to generate the matrix M. As discussed in Sect. 4, these choices ensure that the matrices \(P_{\varTheta }, R_v\), and as consequence M, are invertible. An example of such a matrix M generated following this method can be seen in Fig. 9a. Each of the 25 blocks is a \(329 \times 329\) circulant matrix over \(\mathbb {F}_2\).

For the purpose of comparison, we also include the matrix for a linear transformation realising five parallel calls to Rasta with same parameters (Fig. 9b). In this case, the resulting linear transformation can be represented as a block diagonal matrix, with random \(329 \times 329\) sub-matrices in the diagonal, and all zero matrices elsewhere.
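The construction above can be checked concretely. The following is an added example, not code from the paper or from HElib: it implements \(\mathcal {R} = \mathbb {F}_2[X]/(X^s+1)\) with words as s-bit integers, builds \(P_{\varTheta }\), \(R_v\) and their product M over \(\mathcal {R}\), expands M into the \(bs \times bs\) binary matrix of circulant blocks, and cross-checks both against a direct application of steps 1–3. The polynomials, rotation vectors and state words in the script are constructed for illustration (b = 3, s = 11) and are not Fasta's parameters; the rank routine is included so that the invertibility of a candidate M can be checked over \(\mathbb {F}_2\).

```python
"""Added example, not the paper's or HElib's code: rotation-based linear
transformations over R = F2[X]/(X^s + 1), following Appendix A.
A word is an s-bit int whose bit k is the coefficient of X^k; addition in R
is XOR and multiplication by X^r is a cyclic left rotation by r."""


def rot(w, r, s):
    """w * X^r in R: cyclic left rotation of the s-bit word w by r."""
    r %= s
    return ((w << r) | (w >> (s - r))) & ((1 << s) - 1)


def ring_mul(p, q, s):
    """p * q in R: XOR of rotations of p, one per set bit of q."""
    out = 0
    for k in range(s):
        if (q >> k) & 1:
            out ^= rot(p, k, s)
    return out


def xor_sum(items):
    out = 0
    for item in items:
        out ^= item
    return out


def cpm_matrix(p_theta, b):
    """P_Theta: p_Theta in every entry, p_Theta + 1 on the diagonal."""
    return [[p_theta ^ (i == j) for j in range(b)] for i in range(b)]


def rotation_matrix(v, s):
    """R_v: diagonal matrix with X^{r_i} in position (i, i)."""
    b = len(v)
    return [[(1 << (v[i] % s)) if i == j else 0 for j in range(b)] for i in range(b)]


def mat_mul(A, B, s):
    b = len(A)
    return [[xor_sum(ring_mul(A[i][k], B[k][j], s) for k in range(b))
             for j in range(b)] for i in range(b)]


def build_M(thetas, rotations, s):
    """M = P_{Theta_1} R_{v_1} P_{Theta_2} ... R_{v_{n-1}} P_{Theta_n}
    from n polynomials p_Theta and n-1 rotation vectors v."""
    b = len(rotations[0])
    M = cpm_matrix(thetas[0], b)
    for v, p in zip(rotations, thetas[1:]):
        M = mat_mul(mat_mul(M, rotation_matrix(v, s), s), cpm_matrix(p, b), s)
    return M


def apply_matrix(words, M, s):
    """L(w) = w M, with w a row vector over R."""
    b = len(words)
    return [xor_sum(ring_mul(words[i], M[i][j], s) for i in range(b))
            for j in range(b)]


def apply_direct(words, thetas, rotations, s):
    """Steps 1-3 of Appendix A applied to the words, to cross-check M."""
    ws = list(words)
    for n, p in enumerate(thetas):
        mix = ring_mul(xor_sum(ws), p, s)       # column parity times p_Theta
        ws = [w ^ mix for w in ws]              # XOR it onto every word
        if n < len(rotations):                  # word rotations between mixers
            ws = [rot(w, r, s) for w, r in zip(ws, rotations[n])]
    return ws


def to_f2_matrix(M, s):
    """bs x bs binary matrix of M (rows as ints): block (i, j) is the s x s
    circulant matrix of multiplication by M[i][j]; row i*s+k is input bit k of word i."""
    b = len(M)
    return [xor_sum(rot(M[i][j], k, s) << (j * s) for j in range(b))
            for i in range(b) for k in range(s)]


def pack(words, s):
    return xor_sum(w << (i * s) for i, w in enumerate(words))


def apply_f2(x, rows):
    """Row vector x times a binary matrix: XOR the rows selected by x's bits."""
    return xor_sum(row for idx, row in enumerate(rows) if (x >> idx) & 1)


def rank_f2(rows):
    """Rank over F2 by leading-bit pivots; the matrix is invertible iff rank == bs."""
    pivots = {}
    for row in rows:
        while row:
            h = row.bit_length() - 1
            if h not in pivots:
                pivots[h] = row
                break
            row ^= pivots[h]
    return len(pivots)


if __name__ == "__main__":
    # Constructed toy parameters (b = 3, s = 11), not Fasta's b = 5, s = 329.
    s = 11
    thetas = [0b100100101, 0b10010011]          # X^8+X^5+X^2+1, X^7+X^4+X+1
    rotations = [(0, 3, 6)]
    words = [0b10110000101, 0b00000000001, 0b01111111111]
    M = build_M(thetas, rotations, s)
    assert apply_matrix(words, M, s) == apply_direct(words, thetas, rotations, s)
    rows = to_f2_matrix(M, s)
    assert apply_f2(pack(words, s), rows) == pack(apply_matrix(words, M, s), s)
    print("M over R:", [[f"{e:011b}" for e in row] for row in M])
    print("rank of M over F2:", rank_f2(rows), "of", 3 * s)
```

Because \(\mathcal {R}\) is commutative, the row-vector product \(\boldsymbol{w}M\) and the step-by-step application agree for any choice of polynomials and rotation vectors, so the same functions can be run with b = 5, s = 329 and a \(p_{\varTheta }\) drawn from the ranges of Fig. 6 to inspect a Fasta-sized M.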

Fig. 9. Structure of matrices for Fasta and five parallel calls to Rasta. Black pixels indicate 1-bits and blue pixels are 0-bits. (Figure not reproduced here.)

B Mapping \(\alpha _j\) to Rotation Values and Round Constants

Let \(r_1^{(t)}\), \(r_2^{(t)}\) and \(r_3^{(t)}\) be the rotation amounts used in \(\varTheta \) in iteration t, for \(1\le t\le 4\). There are then 24 rotation amounts that need to be decided from \(\alpha _j\). The \(r_1^{(t)}\) and \(r_2^{(t)}\) can take 3 values each, and \(r_3^{(t)}\) is computed from these, for a total of nine different instances of \(\varTheta \). Each of the four \(i_*, j_*, l_*\) can take 5, 19, and 62 values each, respectively. There are therefore \(T=3^8\cdot 5^4\cdot 19^4\cdot 62^4\approx 2^{62.78}\) different instances in the class \(\mathcal {L}\) of rotation-based linear transformations we have defined.

We split \(\alpha _j\) into \(\alpha _j=(\alpha _j^r,\alpha _j^c)\), where \(\alpha _j^r\) is 63 bits and \(\alpha _j^c\) is 1645 bits. The 24 rotation values are computed from \(\alpha _j^r\), as in Algorithm 1. Apart from the \(r_3^{(t)}\) values, what we are essentially doing is first computing \(B=\alpha _j^r\mod T\), and then writing B in a mixed base: the eight least significant digits in base 3, the next four digits in base 5, the next four in base 19, and the four most significant digits in base 62. Keeping in mind that \(r_1^{(t)}\) and \(r_2^{(t)}\) will have 1 and 4 added to them, the rotation amounts can then be read out as the digits of B, written in this mixed base:

$$ \begin{aligned} B &= k_3\cdot 62^3\cdot 19^4\cdot 5^4\cdot 3^8 + k_2\cdot 62^2\cdot 19^4\cdot 5^4\cdot 3^8 + \ldots \\ &\quad + r_2^{(2)}\cdot 3^5 + r_2^{(1)}\cdot 3^4 + r_1^{(4)}\cdot 3^3 + r_1^{(3)}\cdot 3^2 + r_1^{(2)}\cdot 3 + r_1^{(1)}. \end{aligned} $$

After applying the linear transformation, the 1645-bit value \(\alpha _j^c\) is XORed onto the state to produce the affine layer output.

Algorithm 1: computation of the 24 rotation values from \(\alpha _j^r\). (Figure not reproduced here.)
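The mixed-base decomposition described above, as an added example that is not the paper's Algorithm 1 or its implementation. It computes \(T = 3^8\cdot 5^4\cdot 19^4\cdot 62^4\), reduces \(\alpha _j^r\) modulo T, and reads the digits off in the stated order: eight base-3 digits (the \(r_1^{(t)}\) and \(r_2^{(t)}\), with 1 and 4 added), then four base-5, four base-19 and four base-62 digits. Assigning the base-5, base-19 and base-62 digits to \(i_*, j_*, l_*\) follows from their value counts and is an assumption of this example; the rule that derives \(r_3^{(t)}\) from \(r_1^{(t)}\) and \(r_2^{(t)}\) is not given on this page, so the example does not compute it.

```python
"""Added example, not the paper's code: the mixed-base decomposition of
Appendix B that turns alpha_j^r into Fasta's rotation parameters.
B = alpha_j^r mod T is written with eight base-3 digits (least significant),
then four base-5, four base-19 and four base-62 digits.  The derivation of
r_3^(t) from r_1^(t), r_2^(t) is not stated on this page and is not done here."""
import math

# Digit bases, least significant first: 3^8 * 5^4 * 19^4 * 62^4 = T ~ 2^62.78.
BASES = [3] * 8 + [5] * 4 + [19] * 4 + [62] * 4
T = math.prod(BASES)


def mixed_base_digits(B):
    """Digits of 0 <= B < T, least significant first, digit k in base BASES[k]."""
    digits = []
    for base in BASES:
        digits.append(B % base)
        B //= base
    return digits


def from_digits(digits):
    """Inverse of mixed_base_digits (Horner's rule from the top digit down)."""
    B = 0
    for base, d in zip(reversed(BASES), reversed(digits)):
        B = B * base + d
    return B


def rotation_parameters(alpha_r):
    """Map the 63-bit alpha_j^r to the parameters of the four Theta iterations.

    Which digit group feeds i_*, j_*, l_* is assumed here from the value counts
    (5, 19 and 62 values each); the k_i of the displayed expansion are the
    base-62 digits."""
    if not 0 <= alpha_r < 2 ** 63:
        raise ValueError("alpha_j^r must be a 63-bit value")
    d = mixed_base_digits(alpha_r % T)
    return {
        "r1": [d[t] + 1 for t in range(4)],        # r_1^(t) in 1..3
        "r2": [d[4 + t] + 4 for t in range(4)],    # r_2^(t) in 4..6
        "i_star": d[8:12],                          # four values in 0..4
        "j_star": d[12:16],                         # four values in 0..18
        "l_star": d[16:20],                         # four values in 0..61
    }


if __name__ == "__main__":
    alpha_r = 0x5DEECE66D5DEECE6                   # constructed 63-bit sample value
    print("T =", T, "~ 2^%.2f" % math.log2(T))
    print(rotation_parameters(alpha_r))
```

Because \(2^{63} > T\), the reduction modulo T is what keeps every digit inside its range; `from_digits` is only there to confirm that the decomposition is a bijection on \([0, T)\).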

C Standard Linearization-Based Attack Against FASTA

We examine the question of the number of monomials actually occurring in an algebraic description of Fasta, following a similar discussion from [DEG+18].

Let M be the matrix over \(\mathbb {F}_2\) that realises one of Fasta’s rotation-based linear transformations, let \(x = (x_0, \ldots , x_{1644})\) be the input state and \(A(x) = M \cdot x + c\). From the description of \(\chi \) in the non-linear layer S, one round \(S \circ A(x)\) of Fasta can be described by the following equations (from [DEG+18]):

$$ S \circ A(x)_i = \sum _{j=0}^{k-1} \sum _{l=j+1}^{k-1} a^i_{j, l} \cdot x_j \cdot x_l + \sum _{j=0}^{k-1} b^i_j \cdot x_j + g^i, \tag{3} $$

where i denotes the polynomial representing the i-th bit in the cipher block after \(S \circ A(x)\). As the word size is 329, \(i+1\) and \(i+2\) “wrap around”, i.e. they are calculated as \(i-328\) and \(i - 327\) when \(i \bmod 329 = 328\) and 327. The coefficients of \(S \circ A(x)_i\) are given by

$$ \begin{aligned} a^i_{j, l} &= M_{i+1,j} \cdot M_{i+2,l} + M_{i+2,j} \cdot M_{i+1,l},\\ b^i_j &= M_{i,j} + c_{i+2} \cdot M_{i+1,j} + (1 + c_{i+1}) \cdot M_{i+2, j},\\ g^i &= c_i + c_{i+2} + c_{i+1} \cdot c_{i+2}. \end{aligned} $$

We can see that the term containing the coefficient \(a^i_{j, l}\) contains the only multiplication, meaning it is the only place where the algebraic degree may increase. We only need \(a^i_{j, l} = 1\) for at least one i for the corresponding monomial to be present in the output. We first find the probability that each coefficient \(a^i_{j, l}\) is 0. From the above equations we get

$$ \begin{aligned} P[a^i_{j, l} = 0] &= P[M_{i+1,j} M_{i+2,l} = M_{i+2,j} M_{i+1,l} = 0]\\ &\quad + P[M_{i+1,j} M_{i+2,l} = M_{i+2,j} M_{i+1,l} = 1] \end{aligned} \tag{4} $$

In Sect. 5.1, we found when two entries in M are equal with certainty, due to the rotational structure in M, and when they are considered independent. Put into context of Eq. 4, we have that two entries \(M_{i+1,j}\) and \(M_{i+2,l}\) are equal when

$$ l = \begin{cases} j+1 & \text{for } j \ne 328 \bmod 329\\ j-328 & \text{for } j = 328 \bmod 329 \end{cases} $$

Otherwise, \(M_{i+1,j}\) and \(M_{i+2,l}\) are considered as independent in our analysis.

The equal entries are split into two cases, depending on whether j or l are crossing from one sub matrix to another or not, i.e., to handle “wrap-around” of sub-matrices.

We expect each entry in M to be present with probability one half, following the discussion in Sect. 5.1. This allows us to calculate \( P[a^i_{j, l} = 0]\). We begin with the case where the two entries from M are equal, i.e., in general when \(l=j+1\):

$$ \begin{aligned} P[a^i_{j, j+1} = 0] &= P[M_{i+1,j} M_{i+2,j+1} = M_{i+2,j} M_{i+1,j+1} = 0] \\ &\quad + P[M_{i+1,j} M_{i+2,j+1} = M_{i+2,j} M_{i+1,j+1} = 1] \\ &= \frac{1}{2}\cdot \frac{3}{4} + \frac{1}{2}\cdot \frac{1}{4} = \frac{1}{2}. \end{aligned} $$

For all independent entries, we get instead:

$$\begin{aligned} P[a^i_{j, l} = 0] = \left( \frac{3}{4} \right) ^2 + \left( \frac{1}{4} \right) ^2 = \frac{5}{8}. \end{aligned}$$

This last result is the same as expected for any two entries in a random matrix. It follows that the probability that all the coefficients for the product \(x_j \cdot x_l\) are equal to 0 can be estimated as

$$\begin{aligned} P[a^i_{j, l} = 0,\ \forall {i} = 0, \ldots , 328] \le \left( \frac{5}{8}\right) ^{329}. \end{aligned}$$

In other words, at least one of these coefficients is 1 with probability at least \(1 - \left( \frac{5}{8}\right) ^{329}\).

If we consider the monomials of degree 2, it follows that we can expect an average number of monomials in each word \(w_i\) of degree 2 to be at least

$$ \binom{329}{2} \cdot \left( 1 - \left( \frac{5}{8}\right) ^{329}\right) \simeq \binom{329}{2}. $$

We can use the same reasoning we used for monomials of degree 1, resulting in an expected number of these monomials to be \(329 \cdot (1-2^{-329}) \approx 329\). This argument can also be applied for monomials of higher degrees. We therefore conclude that the expected number of monomials appearing in the algebraic equations linking the unknowns \(k_0,\ldots ,k_{328}\) to the keystream bits is approximated by U, the maximum possible number of monomials.
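The two probabilities above and the "equal entries" condition can be checked by exhaustive enumeration rather than by hand. The following is an added example, not code from the paper: it models the entries of M as independent fair bits (as in Sect. 5.1), enumerates the four entries that form \(a^i_{j,l}\) with and without the constraint \(M_{i+1,j} = M_{i+2,l}\), evaluates the \((5/8)^{329}\) bound and the expected monomial counts exactly with rationals, and verifies on a constructed circulant block that the entries at \((i+1, j)\) and \((i+2, j+1)\) are always equal, which is what makes the \(l = j+1\) case special.

```python
"""Added example, not the paper's code: checking the coefficient probabilities
of Appendix C by exhaustive enumeration, plus the circulant identity that
produces the equal-entries case.
Over F2, a^i_{j,l} = M[i+1][j]*M[i+2][l] + M[i+2][j]*M[i+1][l].  Entries of
M are modelled as independent fair bits, except that inside one circulant
block M[i+1][j] == M[i+2][j+1], which is the l = j+1 case."""
from fractions import Fraction
from itertools import product
from math import comb


def coeff(m1j, m2l, m2j, m1l):
    """a^i_{j,l} from the entries M[i+1][j], M[i+2][l], M[i+2][j], M[i+1][l]."""
    return (m1j & m2l) ^ (m2j & m1l)


def prob_coeff_zero(entries_equal):
    """Exact P[a^i_{j,l} = 0] for equal (l = j+1) or independent entries."""
    if entries_equal:
        # M[i+1][j] and M[i+2][l] are the same bit x; y and z stay free.
        cases = [(x, x, y, z) for x, y, z in product((0, 1), repeat=3)]
    else:
        cases = list(product((0, 1), repeat=4))
    zeros = sum(1 for c in cases if coeff(*c) == 0)
    return Fraction(zeros, len(cases))


def prob_monomial_absent(s=329):
    """Bound (5/8)^s on x_j x_l having coefficient 0 in all s bits of a word."""
    return prob_coeff_zero(False) ** s


def expected_degree2_monomials(s=329):
    """C(s,2) * (1 - (5/8)^s): expected degree-2 monomials per word, exact."""
    return comb(s, 2) * (1 - prob_monomial_absent(s))


def expected_degree1_monomials(s=329):
    """s * (1 - 2^-s): expected degree-1 monomials per word, exact."""
    return s * (1 - Fraction(1, 2 ** s))


def circulant(p, s):
    """Rows (as ints) of the s x s binary matrix of multiplication by p in
    F2[X]/(X^s+1): row i is p * X^i, i.e. p rotated left by i."""
    mask = (1 << s) - 1
    rows = []
    for i in range(s):
        rows.append(((p << i) | (p >> (s - i))) & mask if i else p)
    return rows


def entry(rows, i, j, s):
    """Entry (i, j) of a circulant block, indices taken modulo s (wrap-around)."""
    return (rows[i % s] >> (j % s)) & 1


def equal_entries_hold(p, s):
    """True if M[i+1][j] == M[i+2][j+1] for every i, j of the circulant of p."""
    rows = circulant(p, s)
    return all(entry(rows, i + 1, j, s) == entry(rows, i + 2, j + 1, s)
               for i in range(s) for j in range(s))


if __name__ == "__main__":
    print("P[a = 0], equal entries     :", prob_coeff_zero(True))
    print("P[a = 0], independent       :", prob_coeff_zero(False))
    print("(5/8)^329 ~ 2^%.1f" % (float(prob_monomial_absent().numerator)
                                  / float(prob_monomial_absent().denominator)
                                  and __import__("math").log2(
                                      float(prob_monomial_absent()))))
    print("expected degree-2 monomials :", float(expected_degree2_monomials()))
    print("circulant identity holds    :", equal_entries_hold(0b100100101, 11))
```

The enumeration reproduces the 1/2 and 5/8 of the text without any independence assumption beyond the one stated; the circulant check is what justifies treating \(M_{i+1,j}\) and \(M_{i+2,j+1}\) as a single random bit in the first case.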

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Cid, C., Indrøy, J.P., Raddum, H. (2022). FASTA – A Stream Cipher for Fast FHE Evaluation. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_19

  • DOI: https://doi.org/10.1007/978-3-030-95312-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6
