1 Introduction

Let q be a prime, let \(\mathbb {F}_q\) be the finite field with q elements, and let \({\varvec{f}}(x)\in \mathbb {F}_q[x]\) and \({\varvec{F}}(y)\in \mathbb {F}_q[y]\) be irreducible monic polynomials of degree n. Then

$$\begin{aligned} \mathbb {X}\mathrel {\mathop :}=\mathbb {F}_q[x]/({\varvec{f}}(x)) \quad \text {and}\quad \mathbb {Y}\mathrel {\mathop :}=\mathbb {F}_q[y]/({\varvec{F}}(y)) \end{aligned}$$
(1)

are isomorphic fields with \(q^n\) elements. Given knowledge of \({\varvec{f}}(x)\) and \({\varvec{F}}(y)\), it is easy to write down an explicit isomorphism \(\mathbb {X}\rightarrow \mathbb {Y}\) and its inverse. We normalize mod q polynomials by choosing their coefficients between \(-\frac{1}{2}q\) and \(\frac{1}{2}q\), and then we define the size of a polynomial to be the magnitude of its largest coefficient. It is then an observation that, except in trivial cases, the isomorphism \(\mathbb {X}\rightarrow \mathbb {Y}\) does not respect the Archimedean property of size. Indeed, when \({\varvec{f}}\) and \({\varvec{F}}\) are distinct monic irreducible polynomials, we have observed that polynomials within a sphere of small radius (with respect to the \(L^\infty \) or \(L^2\) norm) in \(\mathbb {X}\) appear to be essentially uniformly distributed in \(\mathbb {Y}\). We record this observation formally, and construct arguments for its veracity in Sect. 2.2.1.

Observation 1

Let \({\mathcal M}_{n,q}\) be the set of all degree n monic irreducible polynomials mod q and fix \(1\le \beta <q/2\). Sample \({\varvec{f}}\in \mathbb {F}_q[x]\) and \({\varvec{F}}\in \mathbb {F}_q[y]\) uniformly from \({\mathcal M}_{n,q}\), and construct \(\mathbb {X}\), \(\mathbb {Y}\) and the associated isomorphism \(\phi : \mathbb {X}\rightarrow \mathbb {Y}\) as in (1). Let \(\chi _\beta \) be a distribution that produces samples with bounded length less than \(\beta \). Then the image in \(\mathbb {Y}\) of a collection of polynomials in \(\mathbb {X}\) sampled from \(\chi _\beta \) is computationally hard to distinguish from a collection of polynomials sampled uniformly in \(\mathbb {Y}\). By a proper choice of parameters, the ability to distinguish such a collection can be made arbitrarily difficult.

Remark 1

We will refer to elements of \(\mathbb {X}\) or \(\mathbb {Y}\) as short if they have infinity norm less than \(\beta \), where generally \(\beta \) will be less than q / 4.

We will find it essential to choose \({\varvec{f}}\) from a subset of \({\mathcal M}_{n,q}\) consisting of monic irreducible polynomials of degree n whose coefficients have absolute value less than or equal to 1. Observation 1 appears to remain true, even when restricted to this subset of \({\mathcal M}_{n,q}\), and the security of our proposed homomorphic scheme will rest on:

Observation 2

Observation 1 remains true if \({\varvec{f}}\in \mathbb {F}_q[x]\) is chosen from the subset of polynomials in \({\mathcal M}_{n,q}\) whose coefficients have a max absolute value 1.

In this paper we base two distinct, but related, problems on Observation 2.

Definition 1

(FFI). Finite Field Isomorphism Problems: Let k be a positive integer. Let \(\mathbb {X}, \mathbb {Y}, \phi , \chi _\beta \) be as above. Let \({\varvec{a}}_1(x),\dots ,{\varvec{a}}_k(x), {\varvec{b}}_1(x)\) be samples from \(\chi _\beta \), and \({\varvec{A}}_i=\phi ({\varvec{a}}_i)\) and \({\varvec{B}}_1 = \phi ({\varvec{b}}_1)\) be the corresponding images. Also sample \({\varvec{B}}_2(y)\) uniformly from \(\mathbb {Y}\).

Computational FFI problem: Given \(\mathbb {Y}, {\varvec{A}}_1(y),\dots ,{\varvec{A}}_k(y)\), recover \({\varvec{f}}(x)\) and/or \({\varvec{a}}_1(x),\dots ,{\varvec{a}}_k(x)\).

Decisional FFI problem: Given \(\mathbb {Y}, {\varvec{A}}_1(y),\dots ,{\varvec{A}}_k(y)\), \({\varvec{B}}_1\) and \({\varvec{B}}_2\), with one of \({\varvec{B}}_1,{\varvec{B}}_2\) an image of a sample from \(\chi _\beta \), identify the image with a probability greater than 1/2.

Clearly, the decisional FFI problem can be solved if the computational FFI problem can be solved, and if Observation 1 is correct, then the decisional FFI problem can be made arbitrarily hard. We will demonstrate that if a certain lattice reduction problem of dimension roughly 2n can be solved, then the decisional FFI problem can be solved, and this lattice reduction problem can be made arbitrarily hard. We do not, however, have a reduction showing that ability to solve the decisional problem implies the ability to solve a lattice reduction problem. In other words, the strongest attacks we have found on the decisional problem are via lattice reduction arguments, but we cannot rule out the possibility of other, potentially stronger, attacks.

Our plan is to build a somewhat homomorphic encryption scheme based on the decisional FFI problem. This will have double exponential noise growth, but will also have the advantage of being able to handle a reasonable number of multiplications (and additions) of moderate sized integers. We will then analyze the noise performance, and introduce a bit-decomposition-based noise management scheme that allows us to reduce the noise growth to single exponential. This will yield a bootstrappable, thus a fully homomorphic encryption scheme.

We will encode numbers, i.e. messages, as short elements in \(\mathbb {X}\), with noise added for semantic security, and view their corresponding images in \(\mathbb {Y}\) as ciphertexts. This will create a symmetric encryption algorithm, which will be somewhat homomorphic in the following sense: Polynomials in elements of \(\mathbb {X}\) can be evaluated, and lifted to polynomials over \(\mathbb {Z}[x]/({\varvec{f}}(x))\) as long as their coefficients do not exceed q / 2 in absolute value. Knowledge of these output polynomials will allow the user with knowledge of \({\varvec{f}}(x)\) to recover the value of the polynomial over \(\mathbb {Z}\), and the output of the computation. The corresponding ciphertext polynomials in \(\mathbb {Y}\) can be evaluated by anyone with knowledge of the public key \({\varvec{F}}(y)\), and substantial reduction modulo q will occur. Decryption will occur by mapping isomorphically back to \(\mathbb {X}\), and the correct result will be output as long as the coefficients do not exceed q / 2 in absolute value.

This is where an important point arises. In 1996, (eventually published in [25]), NTRU introduced the idea that if two short polynomials in \(\mathbb {Z}[x]\) are multiplied, and the result is reduced modulo \(x^n - 1\), then the reduced product is also (moderately) short. This observation has been used, in the years since then, in a variety of cryptographic constructions. In this paper we make use of a variation on this observation: This property remains true for a considerably larger class of polynomials than \(x^n \pm 1\). In particular, if \({\varvec{f}}(x)\) is chosen to be monic, of degree n, and have coefficients from the set \(\{-1,0,1\}\), then a short polynomial times a short polynomial remains moderately short when reduced modulo \({\varvec{f}}(x)\). If parameters are chosen properly, the search space for \({\varvec{f}}(x)\) can be made arbitrarily large, making it impractical to locate \({\varvec{f}}(x)\) by a brute force search.

The symmetric system sketched above can be converted into a public key encryption scheme using the standard technique of publishing a list of encryptions of 0 and adding short linear combinations of these encryptions as noise. Its semantic security can be seen to be based on the decisional FFI problem, not on the presumably harder computational FFI problem. It is not immediately obvious that this is the case, as all ciphertexts of messages will be images of short vectors in \(\mathbb {X}\), but in the simple instantiation we will present here, it can be shown that this is true. (See Theorem 1 in Sect. 3.2.4.)

1.1 Subfield Attack

Despite major advances over the past few years the biggest challenge preventing the deployment of FHE schemes in real life applications is efficiency. To address the efficiency bottleneck, many optimizations were proposed including some that take advantage of specialization of the underlying field/ring structure. Such specializations enable efficient batched parallel evaluations, make it possible to choose parameters that support highly efficient number theoretical transforms, and in some cases even reduce the size of evaluation keys.

However, such customizations may potentially introduce weaknesses in the security assumptions of the schemes. A recent family of attacks proposed by Albrecht et al. [29], by Cheon et al. [8], and by Kirchner and Fouque [27] exploit the special structure, namely subfields, in ring based FHE schemes. Furthermore, the attack in [27] also works when the underlying ring does not admit subfields. Moving to a subfield with a Norm mapping as in [29], a Trace mapping as in [8], or the Gentry-Szydlo mapping [22] as in [27] will reduce the dimension of the lattice. Then, via a projection, also named zero-forcing in the original May-Silverman description [30], the Kirchner-Fouque method is able to create a lattice with an even smaller dimension, at the cost of reducing the number of unique shortest vectors in the lattice.

This set of attacks demonstrated that several NTRU based FHEs with medium size parameters are no longer secure. Specifically, if the NTRU scheme is constructed with the DSPR security assumption, which is the case in some of the NTRU based FHE schemes [3, 28], the assumed security level of the scheme can be significantly reduced. While the authors suggest more caution on parameter selection by avoiding specialized fields in this particular case, there could be further attacks that exploit specialized parameters. It has become quite clear that we need more generic constructions that avoid specialized structures as much as possible. Furthermore, we need diversity in the FHE constructions, i.e. FHEs that remain secure even if other conjectured hard problems, e.g. DSPR or Approximate GCD, are shown to be weaker than expected.

These are among the goals of the FHE scheme proposed in this paper: The proposed construction is based on the DFFI problem, a new problem that we propose and analyze here for the first time. The proposed construction avoids specializations. The FHE scheme is based on a fixed prime q and a class of short generic private keys \({\varvec{f}}(x)\) with the property that \({\varvec{f}}(x)\) is monic, irreducible mod q, and the Galois group of the associated finite field \(\mathbb {Z}_q[x]/({\varvec{f}}(x))\) is \(C_n\).

With such a choice of parameters it is safe to claim that the attacks in [8, 29] no longer apply, due to the lack of subfields. In addition, as one shall see in Sect. 2.4, the unique shortest vectors in this class of lattices are not sparse vectors with many 0s, and they are not cyclic rotations of each other. Therefore, the projection method will not work either. Thus we also assert that the attack in [27] is not applicable.

Remark 2

The security of the finite field homomorphic encryption scheme presented here is based on the decisional problem (DFFI). It may be possible to construct a homomorphic encryption scheme that depends solely on the computational problem (CFFI), but in the interest of simplicity we will not pursue this here. It is certainly possible to construct a signature scheme based on the CFFI, and this will appear elsewhere.

1.2 A Sketch of the Main Ideas

Messages, which are integers, will be mapped to elements of \(\mathbb {X}\) by some method. These elements will be sparse, low weight polynomials, m(x), of degree at most \(n-1\). For each message encryption, a sparse low weight, e.g. trinary, polynomial r(x) of degree at most \(n-1\) will be chosen at random. A polynomial p(x) will be fixed as a public parameter. This polynomial will have coefficients with small infinity norm. Two useful possibilities for p(x) are \(p(x) = 2\), and \(p(x) = x-2\). We will illustrate below with the example \(p(x) = x-2\). To encode an integer \(1\le m<2^n\), write m in base two as \(m = b_0 + 2b_1 +\dots + 2^{n-1}b_{n-1}\), and represent m by \(m(x)= b_0 + b_1x + \dots +b_{n-1}x^{n-1}\). Thus \(m(2) = m\). An encoding of m(x) in \(\mathbb {X}\) will be done as follows:

  • Choose r(x) at random from a given distribution of sparse, binary or trinary, polynomials of degree less than n.

  • The encoded message is \(e_m(x) := m(x)+ p(x) r(x) \mod f(x)\). As the coefficients of p(x) and r(x) are very small, and f(x) is chosen as described above, the reduction of \(m(x)+ p(x) r(x)\) mod f(x) will have coefficients that remain small relative to q. In other words, the lift of \(e_m(x)\) from \(\mathbb {X}\) to an element of \(\mathbb {Z}[x]/(f(x))\) with coefficients in the interval \((-q/2,q/2]\) will have no reduction modulo q occurring.

Encryption of \(e_m(x)\) is done by mapping \(e_m(x)\) to its isomorphic image \(E_m(y)\) in \(\mathbb {Y}\), using the isomorphism \(\mathbb {X}\rightarrow \mathbb {Y}\) that is known to the encryptor. The somewhat homomorphic property for multiplication is seen as follows: Given \(e_{m_1}(x) = m_1(x)+p(x)r_1(x)\) and \(e_{m_2}(x) = m_2(x)+ p(x) r_2(x)\), the product is given by

$$\begin{aligned} e_{m_1}(x)e_{m_2}(x) &= m_1(x)m_2(x) + p(x)r_1(x)m_2(x) + p(x)r_2(x)m_1(x) + p(x)^2r_1(x)r_2(x) \\ &= m_1(x)m_2(x) + p(x)\bigl [r_1(x)m_2(x)+r_2(x)m_1(x)+p(x)r_1(x)r_2(x)\bigr ] \pmod {(f(x), q)}. \end{aligned}$$
(2)

The key observation is that since the coefficients of \(e_{m_1}(x)\) and \(e_{m_2}(x)\) are small compared to q, the product, even after reduction mod f(x), will still have coefficients that are small compared to q. As a result, if the reduced product \(e_{m_1}(x)e_{m_2}(x)\) is lifted from \(\mathbb {X}\) to \(\mathbb {Z}[x]/(f(x))\) with coefficients chosen from the interval \((-q/2,q/2]\), then the coefficients will be the same as if the computation had taken place over \(\mathbb {Z}[x]/(f(x))\).

A similar comment applies to \(e_{m_1}(x)+e_{m_2}(x)\). Because the mapping between \(\mathbb {X}\) and \(\mathbb {Y}\) is a field isomorphism, it follows that

$$ E_{m_1}(y)E_{m_2}(y) = E_{m_1 m_2}(y) \,\, \text {and} \,\, E_{m_1}(y)+E_{m_2}(y) = E_{m_1+ m_2}(y). $$

This means that a polynomial function of elements of \(\mathbb {X}\) can be computed on the isomorphic images of these elements in \(\mathbb {Y}\) and the output mapped back to \(\mathbb {X}\), and, as long as the coefficients in the corresponding \(\mathbb {X}\) computation remain in the interval \((-q/2,q/2]\), the image of the output in \(\mathbb {X}\) can be lifted to \(\mathbb {Z}[x]/(f(x))\) without any loss of information.

The key question then is how to recover m(x) from a polynomial of the form \(m(x) + p(x) r(x)\) in \(\mathbb {X}\). After a computation is performed, as seen in (2) above, the output in \(\mathbb {X}\) will still have this form, although the coefficients of m(x) and r(x) may be considerably larger than binary or trinary. As long as they have not passed q / 2 in absolute value, the lift to \(\mathbb {Z}[x]/(f(x))\) will not involve any mod q reduction. The decryption process, then consists of:

  • Map the output of the computation in \(\mathbb {Y}\) back to \(\mathbb {X}\). It will have the form \(m'(x) + p(x) r'(x)\), for unknown polynomials \(m'(x)\) and \(r'(x)\)

  • This can be further lifted to \(\mathbb {Z}[x]\) by viewing it as \(m'(x) + p(x) r'(x) + s(x) f(x)\) for some also unknown polynomial s(x)

  • Compute the resultant of f(x) and p(x). This is the ideal in \(\mathbb {Z}[x]\) generated by p(x) and f(x) which, in the case \(p(x) = x-2\), is simply f(2). Also, \(m'(x) + p(x) r'(x) + s(x) f(x)\) reduced mod f(x) and \(x-2\) is m(2) mod f(2). Thus, as long as m is less than f(2), \(m = m(2)\) will be recovered exactly.

The process breaks down when the size of any coefficient of the computation exceeds q / 2 in absolute value. Note that the collection of all p(x)r(x) in \(\mathbb {X}\) is all possible encodings of 0, and their images in \(\mathbb {Y}\) are all possible encryptions of 0. As we are in a field, not a ring, the ideal generated by all such p(x)r(x) is, of course, all of \(\mathbb {Y}\).

1.3 Related Work

The first Fully Homomorphic Encryption (FHE) scheme was constructed by Gentry [17, 19] in 2009, answering a problem that had remained open for over three decades. Gentry’s scheme is based on ideal lattices and the security assumptions are based on hard problems in lattices. A key innovation in Gentry’s construction is bootstrapping, which allows a party to refresh the noise level in a ciphertext without having access to a secret key. Despite its success, bootstrapping has remained the bottleneck in FHE implementations. After Gentry’s original scheme, many other constructions based on a variety of hardness assumptions followed that aimed to improve the efficiency of FHE.

One such construction based on the learning-with-errors (LWE) problem was proposed by Brakerski and Vaikuntanathan [6]. The security of the scheme is based on the hardness of short vector problems. The LWE-based construction was later improved by Brakerski, Gentry and Vaikuntanathan (BGV) in [5] using a modulus switching technique that slows the noise accumulation drastically. Modulus switching is applied at each multiplicative level, which prevents exponential noise growth. Thereby the noise remains fixed throughout the homomorphic evaluation levels. Later, a new noise management technique was introduced by Brakerski [4], applicable to LWE schemes, that decreases noise growth from quadratic to linear using tensor products. Gentry et al. [20] demonstrated that it is possible to perform deep homomorphic evaluations by providing the first AES evaluation implemented using the BGV scheme embodied in a software library called HElib [23]. The authors optimize the design using the SIMD technique introduced in [31] to batch multiple messages and process parallel AES operations. Another FHE construction based on the assumed hardness of the Integer Approximate-GCD problem was proposed by van Dijk et al. [12]. This work was followed by Coron et al. [10], where the public key size was reduced from \(\lambda \mathcal {O}(\kappa ^{10})\) to \(\mathcal {O}(\kappa ^{7})\) where \(\kappa \) is the security parameter. In [11] the public key size was further reduced from \(\mathcal {O}(\kappa ^{7})\) to \(\mathcal {O}(\kappa ^{5})\) and modulus switching methods were adapted to the integer scheme. Another follow up work by Coron et al. [9] implements a variant of van Dijk et al.’s scheme using the scale invariant property introduced earlier by Brakerski [4].

Another leveled FHE scheme was presented by López-Alt, Tromer, Vaikuntanathan (LTV) in [28]. It is based on a variant of NTRU [25] constructed earlier by Stehlé and Steinfeld [32]. The scheme is a multi-party scheme that is capable of processing homomorphic functions for various users each with their individual keys. The authors use the relinearization technique introduced in [6] and also adapt modulus switching to mitigate the noise growth, thus keeping the growth linear in size over the levels. To compute relinearization, the scheme requires evaluation keys, which increases the memory requirement and becomes prohibitive especially in deep evaluations. The NTRU variant by Stehlé and Steinfeld [32] was later modified and implemented by Bos et al. in [3]. Their scheme, named YASHE, adopts the tensor product technique in [4] and achieves a scale-invariant scheme with limited noise growth on homomorphic operations. Also, with the use of the tensor product technique, the authors managed to improve the security of the LTV scheme [28] by using much higher levels of noise and thereby removed the Decisional Small Polynomial Ratio (DSPR) assumption. Instead, the scheme relies only on standard lattice reductions as in [32]. However, as the authors also note, the YASHE scheme requires a large evaluation key and a complicated key switching procedure. In [3] the authors introduce a modification (YASHE’) to their scheme to eliminate the problems of expensive tensor product calculations and large evaluation keys. However, this modification re-introduces the DSPR assumption. Another modified LTV-FHE implementation, along with AES evaluation, was presented by Doröz et al. in [13]. The security of their scheme depends on the DSPR and R-LWE assumptions as in [28]. Their implementation uses the relinearization and modulus switching methods as in [28] to cope with noise, and it introduced a specialized ring structure to significantly reduce the evaluation key size. Since both the YASHE’ and LTV-FHE schemes rely on the DSPR problem, both are vulnerable to the Subfield Attack [29].

Motivated by the large evaluation key requirements that come with complex noise management techniques such as relinearization, modulus switching, and bootstrapping employed by earlier FHE schemes, Gentry et al. [21] proposed a new scheme based on the approximate eigenvector problem. The system uses matrix additions and multiplications, which makes it asymptotically faster. At first, they constructed the GSW scheme as a somewhat homomorphic scheme, since for a depth L circuit with B-bounded parameters, the noise grows with a double exponential \(B^{2^L}\). To convert the scheme into a leveled FHE, they introduced a Flattening operation that decomposes the ciphertext entries into bits. The secret key is also kept in a special powers-of-two form. With these modifications, the noise performance is improved significantly. For a depth L circuit with B-bounded secret key entries and 1-bounded (flattened) ciphertexts, the error magnitude is at most \((N+1)^LB\) for \(N=\log (q)(n+1)\). However, ciphertexts still require a considerable amount of space, roughly \(\varTheta (n^2\log (q)^2)\), and as noted by GSW [21], in practice their scheme may not be as efficient as existing leveled schemes. More recently, the Flattening technique was adapted by Doröz and Sunar to NTRU in a new FHE scheme called F-NTRU [14]. Similar to the GSW scheme, F-NTRU does not require evaluation keys or key switching. More significantly, the scheme eliminates the DSPR assumption and relies only on the standard R-LWE assumption, which makes it the only NTRU variant FHE scheme immune to the Subfield Attack.

1.4 Paper Organization

In Sect. 2 we formally introduce the finite field isomorphism problem, state hardness assumptions, and study lattice and non-lattice techniques to establish the difficulty of the problem against known techniques. We then show how to construct a fully homomorphic public-key encryption scheme in Sect. 3 by first building a somewhat homomorphic encryption scheme and then converting it into a bootstrappable scheme via a new bit-decomposition-based noise management scheme. In Sect. 4, we conclude our paper.

In the appendices, we discuss how to construct field representations \(\mathbb {X}\) and \(\mathbb {Y}\) and the necessary isomorphisms \(\mathbb {X}\rightarrow \mathbb {Y}\) and \(\mathbb {Y}\rightarrow \mathbb {X}\) (Sect. A), we give a more detailed noise analysis (Sect. B), we perform security analysis and give estimates on the parameters (Sect. C), and we give test results for our Observation 2 (Sect. D).

2 The Finite Field Isomorphism (FFI) Problem

2.1 Preliminaries

We begin by formally introducing some notation that has already been used in the previous section. Additional notation will be introduced at the start of Sect. 3. For given degree n monic irreducible polynomials \({\varvec{f}}(x) \in \mathbb {F}_q[x]\) and \({\varvec{F}}(y)\in \mathbb {F}_q[y]\), we create two copies of \(\mathbb {F}_{q^n}\), which we denote by \(\mathbb {X}\mathrel {\mathop :}=\mathbb {F}_q[x]/({\varvec{f}}(x))\) and \(\mathbb {Y}\mathrel {\mathop :}=\mathbb {F}_q[y]/({\varvec{F}}(y))\). In general, polynomials denoted by lower case letters will be polynomials in \(\mathbb {X}\), and their isomorphic images in \(\mathbb {Y}\) will be denoted with the corresponding capital letters. The vector form of a polynomial is simply the vector consisting of its coefficients. We often identify polynomials and vectors when there is no ambiguity. Consider a polynomial \({\varvec{a}}(x) = a_0 + a_1x + \dots + a_{n-1}x^{n-1}\in \mathbb {X}\). We will informally say that \({\varvec{a}}(x)\) is short if for all i, the congruence class \(a_i\bmod q\) reduced into the interval \((-q/2,q/2]\) is small relative to q. An important class of such polynomials are those satisfying \(a_i \in \{-1,0,1\}\); these are called trinary polynomials. We denote by \(\Vert {\varvec{a}}\Vert = \Vert {\varvec{a}}\Vert _\infty := \max |a_i|\) and \(\Vert {\varvec{a}}\Vert _2 := (a_0^2+\cdots +a_{n-1}^2)^{1/2}\) the \(L^\infty \) and \(L^2\) norms of \({\varvec{a}}\), respectively, where it is understood that the coefficients of \({\varvec{a}}\) are always normalized to lie in the interval \((-q/2,q/2]\). Denote by \({\mathcal M}_{n,q}\) the set of all degree n monic irreducible polynomials mod q. When there is no ambiguity, we will suppress the subscripts.

2.2 Discussions and Proofs

2.2.1 Arguments for the Truth of Observation 1

Lemma 1

For large n, for any fixed \({\varvec{f}}(x) \in \mathbb {F}_q[x]\), and any given degree \(n-1\) polynomial \(\phi (y) \in \mathbb {F}_q[y]\), there will exist, with probability approaching 1, a unique monic irreducible \({\varvec{F}}(y)\in \mathbb {F}_q[y]\) such that the map \(x \rightarrow \phi (y)\) induces an isomorphism between \(\mathbb {F}_q[x]/({\varvec{f}}(x))\) and \(\mathbb {F}_q[y]/({\varvec{F}}(y))\).

Proof

As \(\mathbb {F}_{q^n}/\mathbb {F}_q\) is Galois, any irreducible polynomial with one root must split completely, implying that \({\varvec{f}}(x)\) has n distinct roots in \(\mathbb {F}_q[y]/({\varvec{F}}(y))\), and similarly, that no two monic irreducible polynomials of degree n in \(\mathbb {F}_q[x]\) can share a root. Fix a degree n monic irreducible polynomial \({\varvec{f}}(x) \in \mathbb {F}_q[x]\). By the prime number theorem for function fields, for fixed q and large n, \(\left| {\mathcal M}_{n,q}\right| \), i.e., the number of distinct irreducible monic polynomials over \(\mathbb {F}_q[x]\), is asymptotic to \(q^n/n\); see [26, Chap. 7, Sect. 2, Corollary 2]. It follows that for any polynomial \({\varvec{f}}\in {\mathcal M}_{n,q}\) there are asymptotically \(q^n/n\) distinct isomorphic images of \(\mathbb {F}_q[x]/({\varvec{f}}(x))\) and hence also \(q^n/n\) potential \({\varvec{F}}\). Choose at random a degree \(n-1\) polynomial \(\phi (y) \in \mathbb {F}_q[y]\). There are exactly \((q-1)q^{n-1}\) such polynomials. There are also, asymptotically, a total of \(n \times q^n/n = q^n\) isomorphisms between \(\mathbb {F}_q[x]/({\varvec{f}}(x))\) and all possible \(\mathbb {F}_q[y]/({\varvec{F}}(y))\), where \({\varvec{F}}(y)\) varies over all distinct monic irreducible polynomials. These are given by sending x to each of the n distinct roots of each \({\varvec{F}}(y)\). With probability approaching 1 (for large q), these sets have the same order, and as one is contained in the other, they are asymptotically equal.    \(\square \)

This provides evidence for the truth of Observation 1 for the following reason. Suppose one chooses, independently, a private monic irreducible \({\varvec{f}}(x)\), and a \(\phi (y)\), with the coefficients of \(\phi (y)\) chosen randomly and uniformly from \(\mathbb {F}_q\). Then with high probability there will be a corresponding (monic, irreducible) \({\varvec{F}}_1(y)\) and a short polynomial \({\varvec{a}}(x)\) will be mapped to \({\varvec{A}}(y) ={\varvec{a}}(\phi (y))\) reduced modulo \({\varvec{F}}_1(y)\). As the coefficients of \(\phi (y)\) are random and uniformly distributed modulo q it is reasonable to assume that the coefficients of \({\varvec{A}}(y)\) will be similarly uniformly distributed modulo q. Unfortunately, because of the highly non-linear aspect of this mapping, it appears to be hard to construct a proof of this. The polynomial \({\varvec{F}}_1(y)\) can be used as the public key. However, it may be convenient to use a polynomial of a simpler form, such as \({\varvec{F}}_2(y) = y^n -y-1\) to make computations easier for the public party. In this case the composite isomorphism

$$ \mathbb {F}_q[x]/({\varvec{f}}(x)) \rightarrow \mathbb {F}_q[y]/({\varvec{F}}_1(y)) \rightarrow \mathbb {F}_q[y]/({\varvec{F}}_2(y)) $$

can be used for encryption. It is again reasonable to assume, though hard to prove, that the composite mapping continues to cause coefficients of images of short polynomials to be uniformly distributed modulo q.

Remark 3

Because of Observation 2, that non-trivial isomorphisms send short polynomials in \(\mathbb {X}\) to uniformly distributed elements of \(\mathbb {Y}\), we believe that there are no easy cases of CFFI. Hence, similar to hard lattice problems such as those described in [1], we suspect that there may well be an average-case/worst-case equivalence for the computational finite field isomorphism problem. However, research in this direction is beyond the scope of the present paper and clearly requires considerable further study.

2.2.2 Arguments for the Truth of Observation 2

In order to build a multiplicative homomorphic encryption scheme we require that products of short elements in \(\mathbb {X}\) are also short. Hence, we cannot simply sample \({\varvec{f}}(x)\) uniformly from \({\mathcal M}_{n,q}\). Instead, we will sample \({\varvec{f}}(x)\) uniformly from \({\mathcal M}_{n,q}\) with the requirement that \(\Vert {\varvec{f}}(x)\Vert \) is bounded.

In order to estimate the size of the search space for \({\varvec{f}}(x)\), we will rely on the following very reasonable assumption:

Assumption 1

Monic irreducible polynomials are uniformly distributed over \(\mathbb {F}_q[x]\).

This assumption implies that Observation 2 is true. It also implies (together with the argument that \(|{\mathcal M}_{n,q}|\) is on the order of \(q^n/n\)) that for \(1\le \beta \le \frac{1}{2}q\) there are approximately \((2\beta )^n/n\) distinct irreducible monic polynomials \({\varvec{a}}(x)\) over \(\mathbb {F}_q[x]\) satisfying \(\Vert {\varvec{a}}(x)\Vert \le \beta \). This quantifies the size of the set of all possible \({\varvec{f}}\) and enables us to verify that with well chosen parameters it is large enough to be robust against a brute force search.

This shortness of \({\varvec{f}}(x)\) is exploited via the following useful property:

Property 1

If \({\varvec{f}}(x)\) is short, and if \({\varvec{a}}(x)\) and \({\varvec{b}}(x)\) are short elements of \(\mathbb {X}\), then the product \({\varvec{a}}(x){\varvec{b}}(x)\bmod {\varvec{f}}(x)\) is also a reasonably short element of \(\mathbb {X}\).

As remarked earlier, Property 1 has been widely exploited in ideal and lattice-based cryptography, especially with \({\varvec{f}}(x)=x^n\pm 1\), starting with the original NTRUEncrypt [25].

2.3 An Algorithm to Find an Isomorphism

We explain how to find suitable polynomials \({\varvec{f}}(x)\) and \({\varvec{F}}(y)\) and an explicit isomorphism \( \mathbb {F}_q[x]/({\varvec{f}}(x)) \mapsto \mathbb {F}_q[y]/({\varvec{F}}(y)). \) We need to find four polynomials \( ({\varvec{f}},{\varvec{F}},{\varvec{\phi }},{\varvec{\psi }})\) satisfying:

  • \({\varvec{f}}(x)\in \mathbb {F}_q[x]\) is irreducible monic of degree n with \(\Vert {\varvec{f}}(x)\Vert \le \beta \).

  • \({\varvec{F}}(y)\in \mathbb {F}_q[y]\) is irreducible monic of degree n with random coefficients.

  • \({\varvec{\phi }}(y)\in \mathbb {F}_q[y]\) and \({\varvec{\psi }}(x)\in \mathbb {F}_q[x]\) have degree less than n.

  • \({\varvec{F}}(y) \bigm | {\varvec{f}}\bigl ({\varvec{\phi }}(y)\bigr )\).

  • \({\varvec{\phi }}\bigl ({\varvec{\psi }}(x)\bigr ) \equiv x \pmod {{\varvec{f}}(x)}\).

The algorithm for finding such an isomorphism is shown in Algorithm 1.

(Algorithm 1 is given as a figure in the original and is not reproduced here.)

Remark 4

We note again that the secret polynomial \({\varvec{f}}(x)\) and the public polynomial \({\varvec{F}}(y)\) are chosen independently, so in particular, knowledge of \({\varvec{F}}(y)\) reveals no information about \({\varvec{f}}(x)\). In other words, any polynomial satisfying the norm bound is a potential candidate for \({\varvec{f}}(x)\). The attacker only begins to acquire information about \({\varvec{f}}(x)\) when she is given isomorphic images in \(\mathbb {Y}\) of (short) polynomials in \(\mathbb {X}\). Further, the fact that there are no security issues in the choice of \({\varvec{F}}(y)\), other than the requirement that it be irreducible in \(\mathbb {F}_q[y]\), means that \({\varvec{F}}(y)\) may be chosen to simplify field operations in the quotient field \(\mathbb {F}_q[y]/({\varvec{F}}(y))\). For example, one could take \({\varvec{F}}(y)\) to be a trinomial. The point is that the attacker can always replace your \({\varvec{F}}(y)\) with her choice of \({\varvec{F}}'(y)\), since she can easily construct an isomorphism from \(\mathbb {F}_q[y]/({\varvec{F}}(y))\) to \(\mathbb {F}_q[y]/({\varvec{F}}'(y))\).

We now discuss the steps of the generation algorithm in more detail. In Step 2, we are required to find a root of a polynomial \({\varvec{f}}(x)\) in a finite field \(\mathbb {F}_{q^n}\) that is given explicitly as a quotient \(\mathbb {F}_q[y]/({\varvec{F}}(y))\). There are fast polynomial-time algorithms for doing this. We note that in our set-up, the polynomial \({\varvec{f}}(x)\) is irreducible of degree n, so any one of its roots generates the field \(\mathbb {F}_{q^n}\), and since any two fields with \(q^n\) elements are isomorphic, it follows that \({\varvec{f}}(x)\) must have a root in \(\mathbb {F}_q[y]/({\varvec{F}}(y))\). Further, since \(\mathbb {F}_{q^n}/\mathbb {F}_q\) is Galois, any irreducible polynomial with one root must split completely, so in fact \({\varvec{f}}(x)\) has n distinct roots in \(\mathbb {F}_q[y]/({\varvec{F}}(y))\). We may take \({\varvec{\phi }}(y)\bmod {{\varvec{F}}(y)}\) to be any one of these roots.

In Step 3, we need to construct \({\varvec{\psi }}(x)\). We describe three ways to do this. All are efficient. Method 2 is always faster than method 1. It is not clear which of methods 2 and 3 is the more efficient.

  1. One can compute the roots of \({\varvec{F}}(y)\) in \(\mathbb {F}_q[x]/({\varvec{f}}(x))\). As above, there will be n distinct roots, and one of them will be the desired \({\varvec{\psi }}(x)\).

  2. One can compute a root of \({\varvec{\phi }}(y)-x\) in the field \(\mathbb {F}_q[x]/({\varvec{f}}(x))\).

  3. One can use linear algebra as described in Appendix A.

2.4 Known Approaches to Recovering the Secret Isomorphism

In this section, we explore two possible methods to solve the finite field isomorphism problem. Such an isomorphism will be described as an n-by-n matrix M. The first approach is based on lattice reduction. The second approach is a highly non-linear attack of unknown but, we believe, high difficulty.

2.4.1 Lattice Attack (\(\dim \approx 2n\))

In this subsection we describe a lattice attack that uses a transcript of ciphertexts. We formulate this abstractly by saying that there is an unknown n-by-n matrix M with mod q coefficients, and there are known vectors \({\varvec{A}}_1,{\varvec{A}}_2,\ldots ,{\varvec{A}}_k\) with the property that the unknown vectors \(M{\varvec{A}}_i\bmod q\) are small for all \(i=1,2,\ldots ,k\).

For the computational isomorphism problem we would need to recover the rows of M exactly, and place them in the correct order. However, to solve the decisional problem it would suffice to search for a single row of M. The dimension of an attack lattice can be further reduced. To accomplish this, let \({\varvec{m}}\) be some (unknown) row of M, say the \(j^{th}\) row, and let \(b_i = {\varvec{m}}\cdot {\varvec{A}}_i\) for \(i=1,2,\ldots ,k\), be the corresponding (unknown) small values of the indicated dot products. Then

$$ A = ({\varvec{A}}_1 \mid {\varvec{A}}_2 \mid \cdots \mid {\varvec{A}}_k), a = ({\varvec{a}}_1\mid {\varvec{a}}_2\mid \ldots \mid {\varvec{a}}_k), {\varvec{b}}_j = (b_1,b_2,\dots ,b_k), $$

and we set \( D = \begin{pmatrix} A \\ qI \end{pmatrix}. \) Thus A and a are two n-by-k matrices, and D is an \((n+k)\)-by-k matrix. The vector \( {\varvec{b}}_j \) is a k-dimensional “slice” consisting of the \(j^{th}\) coordinates of the \({\varvec{a}}_i\), which are the inverse images in \(\mathbb {X}\) of the \({\varvec{A}}_i\). Let \({\mathcal L}(D)\) denote the row span of D, so \(\dim {\mathcal L}(D)=k\). Then \({\mathcal L}(D)\) contains the short row vector \( {\varvec{b}}_j \). If we choose k sufficiently large, then the vectors \( {\varvec{b}}_j \) will stand out as unusually short relative to the Gaussian heuristic, and a successful lattice reduction would recover them, or short linear combinations of them. This means that an attacker with sufficient lattice reduction resources could solve the decisional FFI problem in the following way. Suppose the attacker is provided with a list of \({\varvec{A}}_i\), images in \(\mathbb {Y}\) of short vectors in \(\mathbb {X}\), and a vector \({\varvec{B}}\), which might or might not be the image in \(\mathbb {Y}\) of a short vector in \(\mathbb {X}\). Considering

$$({\varvec{A}}_1 \mid {\varvec{A}}_2 \mid \cdots \mid {\varvec{A}}_k \mid {\varvec{B}}),$$

a successful lattice reduction could produce a slice through the \(j^{th}\) coordinates. If each \( {\varvec{a}}_i = (a_{i,1},a_{i,2}, \dots ,a_{i,n})^T \), then \( (a_{1,j}, a_{2,j}, \dots ,a_{k,j}, b_j) \) will be in \({\mathcal L}(D)\). If \({\varvec{B}}\) is the image of a short vector in \(\mathbb {X}\), then \((a_{1,j}, a_{2,j}, \dots ,a_{k,j}, b_j)\) will have all short entries, say around \(\beta \) in absolute value, and a successful lattice reduction should recover it. If \({\varvec{B}}\) is not the image of a short vector in \(\mathbb {X}\), then \((a_{1,j}, a_{2,j}, \dots ,a_{k,j}, b_j)\) will have k short entries and one entry that is random mod q. If the vector with this new final entry were recovered by lattice reduction, it is highly unlikely that the random final entry would be of size on the order of \(\beta \), and, as q will be considerably larger than k, it is also highly unlikely that this output would be shorter than the vector length predicted by the Gaussian heuristic. This would enable the decision problem to be solved with probability greater than \(50\%\). The technical estimates are given in the remainder of this section.

Since \(\Vert {\varvec{a}}\Vert \le \beta \), the length of the target vector is roughly \( \Vert {\varvec{a}}\Vert _2 \asymp \beta \sqrt{k}. \) The determinant of \({\mathcal L}(D)\) is the gcd of the k-by-k minors of the matrix D. Each such minor includes at least \(k-n\) rows from the bottom part of the matrix, which gives a factor of \(q^{k-n}\) to each k-by-k minor. Since the entries of A are more-or-less random, it is likely that \(\det {\mathcal L}(D)\) is some small multiple of \(q^{k-n}\). Hence the Gaussian expected shortest vector in \({\mathcal L}(D)\) has length roughly

$$ \gamma \bigl ({\mathcal L}(D)\bigr ) \asymp \sqrt{\frac{\dim {\mathcal L}(D)}{2\pi e}}\bigl ({\text {Det}}{\mathcal L}(D)\bigr )^{1/\dim {\mathcal L}(D)} = \sqrt{\frac{k}{2\pi e}}\cdot (q^{k-n})^{1/k}. $$

To analyze the hardness of recovering this vector via lattice reduction, we focus on the k-th root of the ratio between the Gaussian expected length and the length of the unique shortest vectors:

$$\left( \frac{q^\frac{k-n}{k}}{\beta \sqrt{2\pi e}}\right) ^{\frac{1}{k}}.$$

This attack appears to be optimal when \(k \approx 2n\). Meanwhile, the analyses in [7, 16] suggest that recovering this vector is hard for the BKZ 2.0 algorithm when \(q^\frac{1}{4n}\beta ^{-\frac{1}{2n}} \lessapprox 1.005.\)

Remark 5

This lattice is a little different from those used in instantiating the unique shortest vector problem, as in our lattice, there are roughly n unique shortest non-zero vectors of similar length. Previous results in [15, 16] show that the hardness of finding a short vector in q-ary lattices that contain many unique shortest vectors depends not on the gap, but rather on the ratio between the Gaussian heuristic and the actual length of the shortest vector. We conjecture a similar property applies to our lattice.

2.4.2 A Non-Lattice Attack on Small Solutions

There are two pieces of structure lurking within the isomorphism \(\mathbb {X}\rightarrow \mathbb {Y}\) that are not used in the lattice attack described in Sect. 2.4.1:

  1. The map \(\mathbb {X}\rightarrow \mathbb {Y}\) is a field isomorphism between two copies of \(\mathbb {F}_{q^n}\), not merely an \(\mathbb {F}_q\)-vector space isomorphism between two copies of \(\mathbb {F}_q^n\);

  2. The secret polynomial \({\varvec{f}}(x)\) used to define one of the copies of \(\mathbb {F}_{q^n}\) has small coefficients. (And the attacker may, in principle, take \({\varvec{F}}(y)\) to be any irreducible polynomial that she chooses.)

In this section we explain how to exploit these properties to formulate an attack that requires finding small solutions to systems of higher degree multivariable polynomial equations. We note that solving such systems appears to be exponentially difficult. The polynomials \({\varvec{f}}(x)\) and \({\varvec{F}}(y)\) almost, but not quite, determine the polynomials \({\varvec{\phi }}(y)\) and \({\varvec{\psi }}(x)\) used to define the isomorphism

$$ \mathbb {F}_q[x]/({\varvec{f}}(x))\cong \mathbb {F}_q[y]/({\varvec{F}}(y)). $$

More precisely, if \(x\rightarrow {\varvec{\phi }}'(y)\) is some other isomorphism, then necessarily

$$ {\varvec{\phi }}'(y) = {\varvec{\phi }}(y)^{q^t}\pmod {{\varvec{F}}(y)} \quad \text {for some }0\le t<d. $$

This follows immediately from the fact that \({\text {Gal}}(\mathbb {F}_{q^d}/\mathbb {F}_q)\) is cyclic of order d, generated by the q-power Frobenius map. Alternatively, the possible values for \({\varvec{\phi }}(y)\) are exactly the roots of \({\varvec{f}}(x)\) in the field \(\mathbb {F}_q[y]/({\varvec{F}}(y))\), so in any case there are exactly d possible \({\varvec{\phi }}(y)\)’s. As stated in Remark 4, an attacker knows no useful information about \({\varvec{f}}(x)\) until she acquires an image, since, as already noted, the public value \({\varvec{F}}(y)\) is chosen independently of \({\varvec{f}}(x)\). We assume that the attacker is given an arbitrary number of images. As per Definition 1, the attacker is given \({\varvec{A}}_1,\dots ,{\varvec{A}}_k\in \mathbb {Y}\) with the promise that \({\varvec{a}}_1,\dots ,{\varvec{a}}_k\in \mathbb {X}\) are small, in other words:

$$\begin{aligned} {\varvec{A}}_i(y) = {\varvec{a}}_i\bigl ({\varvec{\phi }}(y)\bigr ) \bmod {{\varvec{F}}(y)}, \end{aligned}$$
(3)

where \({\varvec{a}}_i\) has small coefficients. Equation (3) contains 2n quantities that are unknown to the attacker, namely the coefficients of \({\varvec{a}}\) and \({\varvec{\phi }}\). Of these, the coefficients of \({\varvec{a}}\) are small, so she can try to eliminate the coefficients of \({\varvec{\phi }}\). We note that (3) really gives n equations for the coefficients, since both sides are polynomials of degree \(n-1\). Unfortunately, this doesn’t quite allow her to eliminate all n of the coefficients of \({\varvec{\phi }}\). If she uses both \({\varvec{A}}_1(y)\) and \({\varvec{A}}_2(y)\), then she obtains 2n equations for the 3n unknowns consisting of the coefficients of \({\varvec{a}}_1\), \({\varvec{a}}_2\), and \({\varvec{\phi }}\). So using elimination theory (as a practical matter, using Gröbner basis algorithms), she can eliminate the coefficients of \({\varvec{\phi }}\) and obtain a system of n equations for the 2n coefficients of \({\varvec{a}}_1\) and \({\varvec{a}}_2\). These are highly non-linear equations over the field \(\mathbb {F}_q\), so the attacker is faced with the problem of finding an \(\mathbb {F}_q\)-point with small coordinates on a high degree n-dimensional subvariety of \(\mathbb {F}_q^{2n}\). As far as we are aware, there are no algorithms to solve such problems that are faster than an exhaustive (or possibly collision-based) search. Indeed, there does not appear to be an efficient algorithm to solve the decision problem of whether a small solution exists.

We note that the attacker may continue eliminating variables until eventually arriving at a single equation in \(\mathbb {F}_q^{n+1}\). But this is likely to be counter-productive, since it greatly increases the degree of the underlying equation while discarding the information that the eliminated variables are small. Alternatively, the attacker can use one element in \(\mathbb {Y}\) and the knowledge that there is a polynomial \({\varvec{f}}(x)\) with small coefficients that satisfies

$$\begin{aligned} {\varvec{f}}\bigl ({\varvec{\phi }}(y)\bigr ) = 0 \bmod {{\varvec{F}}(y)}. \end{aligned}$$
(4)

Thus (3) and (4) again provide 2n equations, this time for the 3n coefficients of \({\varvec{a}}\), \({\varvec{f}}\), and \({\varvec{\phi }}\). The first two polynomials have small coefficients, so eliminating the coefficients of \({\varvec{\phi }}\) again yields an n-dimensional subvariety in \(\mathbb {F}_q^{2n}\) on which the attacker must find a small point.

3 Fully Homomorphic Encryption Based on DFFI

In this section we use the approach of López-Alt et al. [28] to show how to turn our scheme into a fully homomorphic encryption scheme. First, we present Gentry’s definitions and theorems on fully homomorphic encryption [17, 18]. Then we show that our scheme satisfies the definition of a somewhat homomorphic scheme, but does not reach the circuit depth required to evaluate its decryption circuit homomorphically. We resolve this by turning our scheme into a leveled homomorphic encryption scheme, using a technique that reduces the noise growth from doubly exponential to singly exponential. We then describe our leveled homomorphic scheme and show that it is fully homomorphic by showing that it can evaluate its own decryption circuit homomorphically.

3.1 Fully Homomorphic Encryption Definitions

We give the definitions of fully homomorphic encryption and leveled homomorphic encryption.

Definition 31

(\(\mathcal {C}\)-Homomorphic Encryption [6]). Let \(\mathcal {C}=\{ \mathcal {C}_\kappa \}_{\kappa \in \mathbb {N}}\) be a class of functions with security parameter \(\kappa \). A scheme \(\mathcal {E}\) is \(\mathcal {C}\)-homomorphic if for any sequence of functions \(f_\kappa \in \mathcal {C}_\kappa \) and respective inputs \(\mu _1, \dots , \mu _\ell \in \{0,1\}\) (where \(\ell = \ell (\kappa )\)), it is true that

$$ \text {PR}[\mathcal {E}.\mathsf{Dec}_{sk}(\mathcal {E}.\mathsf{Eval}_{evk}(f, c_1 , \dots , c_\ell )) \ne f(\mu _1, \dots , \mu _\ell )] = \text {negl}(\kappa ), $$

where \((pk, evk, sk) \leftarrow \mathcal {E}.\mathsf{KeyGen}(1^\kappa )\) and \(c_i \leftarrow \mathcal {E}.\mathsf{Enc}_{pk}(\mu _i)\).

Definition 32

(Fully Homomorphic Encryption [28]). An encryption scheme \(\mathcal {E}\) is fully homomorphic if it satisfies the following properties:

  • Correctness: \(\mathcal {E}\) is \(\mathcal {C}\)-homomorphic for the class \(\mathcal {C}\) of all circuits.

  • Compactness: The computational complexity of \(\mathcal {E}\)’s algorithms is polynomial in the security parameter \(\kappa \), and, in the case of the evaluation algorithm, in the size of the circuit.

Now, as in [28], we continue with the leveled homomorphic encryption definition, which is taken from [5]. It modifies the definition of fully homomorphic encryption (Definition 32) into that of a leveled homomorphic encryption scheme. It removes the requirement that the scheme be able to evaluate all possible circuits and instead imposes a circuit depth D: the scheme must be able to evaluate all circuits (including the decryption circuit) of depth at most D.

Definition 33

(Leveled Homomorphic Encryption [28]). Let \(\mathcal {C}^{(D)}\) be the class of all circuits of depth at most D (that use some specified complete set of gates). We say that a family of homomorphic encryption schemes \(\{\mathcal {E}^{(D)} : D \in {\mathbb {Z}}^+\}\) is leveled fully homomorphic if, for all \(D \in {\mathbb {Z}}^+ \), it satisfies the following properties:

  • Correctness: \(\mathcal {E}^{(D)}\) is \(\mathcal {C}^{(D)}\)-homomorphic.

  • Compactness: The computational complexity of \(\mathcal {E}^{(D)}\)’s algorithms is polynomial in the security parameter \(\kappa \) and D, and in the case of the evaluation algorithm, the size of the circuit. We emphasize that this polynomial must be the same for all D.

3.2 Somewhat Homomorphic FF-Encrypt Construction

We present a somewhat homomorphic version of our FF-Encrypt construction. We first give the details of our construction, and then we prove that our scheme is able to evaluate homomorphic circuits (multiplications and additions) of bounded depth.

3.2.1 Preliminaries

Here we give some preliminary notation and information that we use for the construction of our homomorphic schemes:

  • The error distribution \(\chi \) is a truncated Gaussian distribution \(D_{\mathbb {Z}^n_r}\) with standard deviation r.

  • The random polynomials \({\varvec{r}}(x)\) are ephemeral short noise polynomials that are sampled from \(\chi \).

  • The message space uses a fixed polynomial \({\varvec{p}}(x)\), which we take for this instantiation to be the number 2.

  • The message \({\varvec{m}}(x)\) consists of a monomial with a single coefficient that is chosen from \(\{0,1\}\).

Polynomial Multiplication Noise in \(\mathbb {X}\). The noise of the product of two polynomials is significantly affected by the choice of the polynomial \({\varvec{f}}(x)\). Two factors that affect noise growth are the choice of the coefficient bound \(\beta _f\) for \({\varvec{f}}(x)\) and the degree \(d:=\deg ({\varvec{f}}'(x))\), where we write \({\varvec{f}}(x) = x^n + {\varvec{f}}'(x)\). The noise bound for the product of two \(\beta \)-bounded polynomials \({\varvec{a}}(x)\) and \({\varvec{b}}(x)\) for \(d<n/2\) satisfies

$$\begin{aligned} \bigl \Vert {\varvec{a}}(x){\varvec{b}}(x) \bmod {\varvec{f}}(x)\bigr \Vert _\infty \le n[(d+1)^2+1] \beta ^2. \end{aligned}$$
(5)

A detailed noise analysis for general \({\varvec{f}}(x)\) is given in Appendix B.

3.2.2 Secret-Key Instantiation

The secret key version of our Somewhat Homomorphic Finite Field scheme uses the following four algorithms:

  • SHFF-SK.Keygen(\(1^\kappa \)):

    • Input a security parameter \(\kappa \).

    • Generate a parameter set \(\varXi =\{n, q, \beta \}\) as a function of \(\kappa \).

    • Use Algorithm 1 (Sect. 2.3) to generate a finite field isomorphism \(\{{\varvec{f}},{\varvec{F}}, {\varvec{\psi }},{\varvec{\phi }}\}\).

    • Output \(\{{\varvec{f}}, {\varvec{F}}, {\varvec{\psi }}, {\varvec{\phi }}\}\). Also output \({\varvec{p}}(x)\) and \(\gamma >0\).

  • SHFF-SK.Enc(\({\varvec{f}}, {\varvec{F}}, {\varvec{\phi }}, {\varvec{m}}\)):

    • Encode a plaintext by some method into a short polynomial \({\varvec{m}}(x)\in \mathbb {X}\).

    • Sample a polynomial \({\varvec{r}}(x)\in \mathbb {X}\) from the distribution \(\chi _\beta \).

    • Compute \({\varvec{C}}(y) = {\varvec{p}}({\varvec{\phi }}(y)){\varvec{r}}({\varvec{\phi }}(y)) + {\varvec{m}}({\varvec{\phi }}(y)) \mod {\varvec{F}}(y)\).

    • Output \({\varvec{C}}(y)\) as the ciphertext.

  • SHFF-SK.Dec(\({\varvec{f}}, {\varvec{\psi }},{\varvec{C}}\)):

    • For a ciphertext \({\varvec{C}}(y)\), compute \({\varvec{c}}'(x) = {\varvec{C}}( {\varvec{\psi }}(x))\).

    • Output \({\varvec{m}}'(x) = {\varvec{c}}'(x)\bmod \bigl ({\varvec{p}}(x),{\varvec{f}}(x)\bigr )\).

  • SHFF-SK.Eval(\(C, {\varvec{C}}_1, {\varvec{C}}_2, \dots , {\varvec{C}}_{\ell }\)):

    • The circuit C is represented as a binary arithmetic circuit built from two-input gates \(\{+,\times \}\). We can then evaluate C homomorphically, since we can perform homomorphic addition and homomorphic multiplication.
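As an added worked example (my code, not the paper's or the FF-Encrypt project's), the following Python builds the isomorphism of Sect. 2.3 and runs the SHFF-SK algorithms above at toy size, checking the conditions on \(({\varvec{f}},{\varvec{F}},{\varvec{\phi }},{\varvec{\psi }})\) and one homomorphic addition and multiplication. It departs from Algorithm 1 in one labelled place: instead of sampling \({\varvec{F}}(y)\) and extracting a root \({\varvec{\phi }}(y)\), it samples \({\varvec{\psi }}(x)\) at random in \(\mathbb {X}\), takes \({\varvec{F}}(y)\) to be its minimal polynomial (likewise a uniformly random monic irreducible of degree n), and reads \({\varvec{\phi }}(y)\) off the inverse of the power matrix of \({\varvec{\psi }}\), in the spirit of the linear-algebra method. The parameters \(q=12289\), \(n=5\), \({\varvec{p}}=2\), \(\beta =1\) and the seeded generator are constructed for illustration only.

```python
import random

# Toy parameters, constructed for this example: prime q, prime degree n, p(x) = 2, bounds for f and r.
Q, N, P, BETA_F, BETA_R = 12289, 5, 2, 1, 1
RNG = random.Random(2024)  # seeded for a reproducible demo; real keys need secrets-grade randomness

def centre(c):  # representative of c mod q in (-q/2, q/2]
    return c % Q - Q if c % Q > Q // 2 else c % Q

def unit(i):  # the monomial t^i as a length-n coefficient list (lowest degree first)
    return [int(j == i) for j in range(N)]

def poly_mulmod(a, b, mod):  # a*b in F_q[t]/(mod) for monic mod of degree n
    n = len(mod) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    for k in range(2 * n - 2, n - 1, -1):  # t^k = -t^(k-n) * (mod(t) - t^n)
        for i in range(n):
            prod[k - n + i] = (prod[k - n + i] - prod[k] * mod[i]) % Q
    return prod[:n]

def poly_powmod(base, e, mod):  # square-and-multiply in F_q[t]/(mod)
    result = unit(0)
    while e:
        if e & 1: result = poly_mulmod(result, base, mod)
        base, e = poly_mulmod(base, base, mod), e >> 1
    return result

def poly_eval(poly, elem, mod):  # Horner: poly (over F_q) evaluated at elem in F_q[t]/(mod)
    acc = [0] * N
    for c in reversed(poly):
        acc = poly_mulmod(acc, elem, mod)
        acc[0] = (acc[0] + c) % Q
    return acc

def gauss(rows):  # in-place reduced row echelon form over F_q; returns the rank
    rank = 0
    for col in range(len(rows[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None: continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], Q - 2, Q)
        rows[rank] = [v * inv % Q for v in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                c = rows[r][col]
                rows[r] = [(v - c * w) % Q for v, w in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def inverse(M):  # inverse of an n-by-n matrix over F_q, or None if singular
    aug = [row[:] + unit(i) for i, row in enumerate(M)]
    gauss(aug)  # RREF of [M | I] is [I | M^-1] exactly when M is invertible
    return [row[N:] for row in aug] if all(row[:N] == unit(i) for i, row in enumerate(aug)) else None

def is_irreducible(f):  # Rabin's test, prime n: f | x^(q^n) - x and gcd(x^q - x, f) = 1
    x = unit(1)
    if poly_powmod(x, Q ** N, f) != x: return False
    t = poly_powmod(x, Q, f)
    t[1] = (t[1] - 1) % Q  # gcd condition <=> multiplication by x^q - x is invertible mod f
    return gauss([poly_mulmod(t, unit(i), f) for i in range(N)]) == N

def keygen(rng=RNG):
    """Sect. 2.3 key: short irreducible f (secret), F (public) and the pair (phi, psi). Deviation
    from Algorithm 1 (assumption): psi is sampled in X and F taken as its minimal polynomial (still
    uniform over monic irreducibles) instead of sampling F and root-finding; phi comes from B^-1."""
    while True:
        f = [rng.randint(-BETA_F, BETA_F) % Q for _ in range(N)] + [1]
        if is_irreducible(f): break
    while True:
        psi = [rng.randrange(Q) for _ in range(N)]
        B, pw = [], unit(0)  # rows psi^0..psi^(n-1) mod f; g(y) -> g(psi(x)) is c -> c B
        for _ in range(N):
            B.append(pw)
            pw = poly_mulmod(pw, psi, f)
        Binv = inverse(B)
        if Binv is not None: break  # psi generates F_{q^n}: its minimal polynomial has degree n
    c = [sum(p * row[j] for p, row in zip(pw, Binv)) % Q for j in range(N)]  # psi^n = sum c_i psi^i
    F = [(-ci) % Q for ci in c] + [1]  # F(y) = y^n - sum c_i y^i, hence F(psi(x)) = 0 mod f
    phi = Binv[1]  # e_1 * Binv: phi(psi(x)) = x, so phi(y) is the image of x in Y
    return f, F, phi, psi

def check_isomorphism(key):  # Sect. 2.3: F | f(phi(y)), phi(psi(x)) = x mod f, psi(phi(y)) = y mod F
    f, F, phi, psi = key
    return (poly_eval(f, phi, F) == [0] * N and poly_eval(phi, psi, f) == unit(1)
            and poly_eval(psi, phi, F) == unit(1))

def encrypt(key, m, rng=RNG):  # SHFF-SK.Enc: C(y) = p r(phi(y)) + m(phi(y)) mod F(y)
    c = [P * rng.randint(-BETA_R, BETA_R) % Q for _ in range(N)]  # p * r(x) with fresh short r
    c[0] = (c[0] + m) % Q  # the message is the constant monomial m in {0, 1}
    return poly_eval(c, key[2], key[1])

# SHFF-SK.Dec pulls C back to X with psi, centres mod q and reduces mod p; noise() is the
# infinity norm of that pre-image, which must stay below q/2 for decryption to succeed.
def decrypt(key, C): return [centre(v) % P for v in poly_eval(C, key[3], key[0])]
def noise(key, C): return max(abs(centre(v)) for v in poly_eval(C, key[3], key[0]))
def add(C1, C2): return [(u + v) % Q for u, v in zip(C1, C2)]  # homomorphic addition in Y
def mul(key, C1, C2): return poly_mulmod(C1, C2, key[1])  # regular multiplication (Sect. 3.3.1)
```

At this toy size one product of fresh ciphertexts decrypts correctly, while a second multiplicative level would push the pre-image noise past q/2, which is the doubly exponential growth that Sect. 3.3 sets out to tame.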

3.2.3 Public-Key Instantiation

The public key version of our Somewhat Homomorphic Finite Field scheme is similar to the secret key instantiation in most respects. We use a subset sum problem to instantiate the public key version. The scheme uses the following four algorithms:

  • SHFF-PK.Keygen(\(1^\kappa \)):

    • Perform the key generation as in secret key instantiation SHFF-SK.Keygen(\(1^\kappa \)).

    • Choose two integers \(\mathsf{S}, \mathsf{s}\) such that \(\left( {\begin{array}{c}\mathsf{S}\\ \mathsf{s}\end{array}}\right) > 2^\kappa \) for the security parameter \(\kappa \).

    • For \(i = 0, \dots , \mathsf{S}-1\), set \({\varvec{C}}_i(y)\) = SHFF-SK.Enc(\({\varvec{f}}, {\varvec{F}}, {\varvec{\phi }}, 0\)), giving an array of encryptions of zero \(\mathsf{pk} = \mathcal {S} = \{{\varvec{C}}_0(y), {\varvec{C}}_1(y), \dots , {\varvec{C}}_{\mathsf{S}-1}(y)\}\).

  • SHFF-PK.Enc(\(\mathcal {S}, {\varvec{m}}\)):

    • Choose \(\mathsf{s}\) random encryptions of zero \({\varvec{C}}_i(y)\) from \(\mathcal {S}\) and add them to the message: \({\varvec{C}}(y) = \sum _{i \in I} {\varvec{C}}_i(y) + {\varvec{M}}(y)\), where I is a random subset of \(\{0,\dots ,\mathsf{S}-1\}\) of size \(\mathsf{s}\) and \({\varvec{M}}(y)\) is the representation of the message m in \(\mathbb {Y}\).

    • Output \({\varvec{C}}(y)\) as the ciphertext.

  • SHFF-PK.Dec(\({\varvec{f}}, {\varvec{\psi }},{\varvec{C}}\)):

    • Compute and output SHFF-SK.Dec(\({\varvec{f}}, {\varvec{\psi }},{\varvec{C}}\)).

  • SHFF-PK.Eval(\(C, {\varvec{C}}_1, {\varvec{C}}_2, \dots , {\varvec{C}}_{\ell }\)):

    • Compute and output SHFF-SK.Eval(\(C, {\varvec{C}}_1, {\varvec{C}}_2, \dots , {\varvec{C}}_{\ell }\)).

The noise and depth performance of this scheme is captured by the following lemma.

Lemma 2

The encryption scheme

$$ \mathcal {E}_{\mathsf{SHFF}}=(\mathsf{\mathsf{SHFF}.KeyGen}, \mathsf{\mathsf{SHFF}.Enc}, \mathsf{\mathsf{SHFF}.Dec}, \mathsf{\mathsf{SHFF}.Eval}) $$

described above is somewhat homomorphic for circuits of depth \(D < \log \log {q} - \log {(3\log n)}\), where \(q=2^{n^\varepsilon }\) with \(\varepsilon \in (0,1)\), and \(\chi \) is a \(\beta \)-bounded Gaussian distribution for random sampling.

Proof

We denote the encryptions of two messages \({\varvec{m}}_1\) and \({\varvec{m}}_2\) by \({\varvec{C}}_1(y)\) and \({\varvec{C}}_2(y)\). Then we want the noise of the ciphertexts after an addition or a multiplication to be smaller than q/2 so that it can be correctly decrypted.

Addition. Set \({\varvec{C}}(y) = {\varvec{C}}_1(y) + {\varvec{C}}_2(y)\). Dropping y from the notation, we have \( {\varvec{C}}= \left( \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_1({\varvec{\phi }}) + {\varvec{m}}_1({\varvec{\phi }}) \right) + \left( \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_2({\varvec{\phi }}) + {\varvec{m}}_2({\varvec{\phi }}) \right) . \) Apply \({\varvec{\psi }}(x)\) as the first step of the decryption \( {\varvec{C}}(x) = \left( \sum {\varvec{p}}(x){\varvec{r}}_1(x) + {\varvec{m}}_1(x) \right) + \left( \sum {\varvec{p}}(x){\varvec{r}}_2(x) + {\varvec{m}}_2(x) \right) .\) Then the infinity norm of \({\varvec{C}}(x)\) is \( \Vert {\varvec{C}}(x) \Vert _\infty = 2 {\mathsf{s}} \beta '.\)

Multiplication. We compute

$$\begin{aligned} {\varvec{C}}&= \left( \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_1({\varvec{\phi }}) + {\varvec{m}}_1({\varvec{\phi }}) \right) \cdot \left( \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_2({\varvec{\phi }}) + {\varvec{m}}_2({\varvec{\phi }}) \right) \\&= \sum {\varvec{p}}({\varvec{\phi }})^2{\varvec{r}}_1({\varvec{\phi }}){\varvec{r}}_2({\varvec{\phi }}) + \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_1({\varvec{\phi }}){\varvec{m}}_2({\varvec{\phi }})\\&\quad + \sum {\varvec{p}}({\varvec{\phi }}){\varvec{r}}_2({\varvec{\phi }}){\varvec{m}}_1({\varvec{\phi }}) + {\varvec{m}}_1({\varvec{\phi }}){\varvec{m}}_2({\varvec{\phi }}). \end{aligned}$$

We calculate the infinity norm of \({\varvec{C}}(x)\) using Eq. (5),

$$ \Vert {\varvec{C}}(x) \Vert _\infty = n\bigl ((d+1)^2+1\bigr )({\mathsf{s}} \beta ')^2 + 2 {\mathsf{s}} \beta '. $$

Multiplicative Level \(\varvec{D}\). For D-level homomorphic operations, we need to compute the bound of \(\bigl \Vert \bigl ({\varvec{p}}(x){\varvec{r}}(x) + {\varvec{m}}(x)\bigr )^{2^D} \bigr \Vert _\infty \). Since \({\varvec{p}}(x){\varvec{r}}(x) \gg {\varvec{m}}(x)\), this is essentially equal to \(\bigl \Vert \bigl ({\varvec{p}}(x){\varvec{r}}(x)\bigr )^{2^D}\bigr \Vert _\infty \). This gives an error bound equal to \((nd')^{2^D-1}({\mathsf{s}} \beta ')^{2^D}\) with \(d' = (d+1)^2+1\). We want this noise to be smaller than q / 2, so we impose the inequality \( (nd')^{2^D-1}({\mathsf{s}} \beta ')^{2^D} < q/2. \) Taking logarithms, we rewrite this as \( (2^D-1)\log (nd') + (2^D)\log ({\mathsf{s}} \beta ') < \log {q}-1. \) Taking logarithms again yields \( D + \log (\log {(nd')}+ \log ({\mathsf{s}} \beta ')) < \log (\log {q}+\log {(nd')}-1). \) We can simplify this inequality by noting that \(d' \approx n^2/4\), which makes \(\log {(nd')} \approx 3\log {(n)} > \log ({\mathsf{s}}\beta ')\) and \(\log {(q)} > 3\log {(n)}\). Omitting small terms, we obtain

$$ D < \log \log {q} - \log {(3\log n)} $$

Taking \(q=2^{n^\varepsilon }\), our upper bound for the multiplicative depth D is \(\mathcal {O}(\varepsilon \log {n})\).    \(\square \)

3.2.4 Security

Our construction relies on two security assumptions. The first assumption is the hardness of the Decisional Finite Field Isomorphism problem, which ensures that small norm elements in \(\mathbb {X}\) are mapped to random-looking elements in \(\mathbb {Y}\). The mapping function is secret, and an attacker has to find some way of identifying images of short objects in \(\mathbb {X}\) in order to break the scheme. The second assumption is the difficulty of the subset sum problem that is used to generate encryptions of 0 to add to encryptions of messages. We will choose \({\mathsf{s}}\) ciphertexts from a list of length \({\mathsf{S}}\), so the pair of parameters \(({\mathsf{S},\mathsf{s}})\) should give reasonable combinatorial security, e.g., \(\left( {\begin{array}{c}{\mathsf{S}} \\ {\mathsf{s}}\end{array}}\right) > 2^{256}\). Beyond combinatorial security, solving this subset sum problem and identifying an encryption of 0 can be translated into a lattice reduction problem on the rows of an S-by-\((S+n)\) matrix, which can be made arbitrarily difficult. In particular, \(S >2n\) should suffice. We prove semantic security via the following theorem.

Theorem 1

If there is an algorithm \({\mathcal A}\) that breaks the semantic security with parameters \(\varXi =\{n, q, \beta \}\) and \({\varvec{p}}(x)= p\), i.e., if on input any public key \(({\varvec{C}}_1,\dots , {\varvec{C}}_k)\) and a ciphertext \({\varvec{D}}\) which encrypts a message m equal to either 0 or 1, \({\mathcal A}\) outputs the message m with probability \( 1/2+\epsilon \) for some non-negligible \(\epsilon >0\), then there exists another algorithm \({\mathcal B}\) that solves the decisional FFI with parameters \(\{n, q, \beta /p\}\) with probability \(1/2+\epsilon \).

Proof

Notice that if the input \(({\varvec{C}}_1,\dots , {\varvec{C}}_k, {\varvec{D}})\) to algorithm \({\mathcal A}\) is invalid (either \({\varvec{D}}\) cannot be written as subset sum of \({\varvec{C}}_i\), or \({\varvec{D}}\) does not encrypt 0 or 1), it will either output an error or output 0 or 1 with equal probability. On the other hand, if the input is valid, it will output the correct m with probability \(1/2 + \epsilon \).

Now we can use \({\mathcal A}\) to build an algorithm \({\mathcal B}\) as follows. Let \({\varvec{A}}_1,\dots , {\varvec{A}}_k, {\varvec{B}}_1,{\varvec{B}}_2\) be the input to the decisional FFI problem. Upon receiving those inputs, algorithm \({\mathcal B}\) calls algorithm \({\mathcal A}\) with a “public key” \((p{\varvec{B}}_1, p{\varvec{A}}_2,\dots ,p{\varvec{A}}_k)\) and a ciphertext \(\mathbf 0\). Therefore, if \({\varvec{B}}_1\) has a short pre-image in \(\mathbb {X}\), then \((p{\varvec{B}}_1, p{\varvec{A}}_2,\dots ,p{\varvec{A}}_k)\) is a legitimate public key, while if \({\varvec{B}}_1\) is uniformly sampled in \(\mathbb {Z}_q[x]\), then the probability of \((p{\varvec{B}}_1, p{\varvec{A}}_2,\dots ,p{\varvec{A}}_k)\) being a legitimate public key is negligible, roughly \((\frac{\beta }{pq})^n\).

Notice that \(\mathbf 0\) is a subset sum of the “public key” regardless of whether the “public key” is legitimate or not. So from \({\mathcal A}\)’s point of view, \(\mathbf 0\) is a legitimate ciphertext that encrypts 0 if \({\varvec{B}}_1\) has a short pre-image. Upon receiving this public key and ciphertext, \({\mathcal A}\) will return 0 with probability \(1/2 + \epsilon \) if \({\varvec{B}}_1\) has a short pre-image. It will return an error or a random answer if \({\varvec{B}}_1\) doesn’t. Thus \({\mathcal B}\) solves the decisional FFI with probability \(1/2 + \epsilon \).    \(\square \)

For completeness’ sake, we also show that if one can solve the Decisional FFI, one can also break the semantic security. Given a ciphertext \({\varvec{C}}\) with an image \({\varvec{C}}= {\varvec{p}}{\varvec{r}}+\ell {\varvec{m}}\), one can compute \({\varvec{p}}^{-1} {\varvec{C}}\bmod q\) (assuming \({\varvec{p}}\) is an integer, say 2), which has a reverse image \({\varvec{r}}+ {\varvec{p}}^{-1} \ell {\varvec{m}}\). If \(m = 0\), this quantity will be short. If \(m= 1\), this quantity will be of length \(\Vert {\varvec{p}}^{-1}\ell \ {\varvec{r}}\bmod q\Vert \). This is highly likely to be large, since if, say, \({\varvec{p}}= 2\), then \(\Vert {\varvec{p}}^{-1}\bmod {\varvec{r}}\bmod q\Vert \) will probably be of a size that takes random values mod q as \(\ell \) varies.

3.3 From Somewhat to Fully Homomorphic Encryption

We give the definitions of bootstrappable scheme and weak circular security [17, 18]. Later, we use these two definitions to describe the bootstrapping theorem.

Definition 34

(Bootstrappable Scheme [18]). Let \(\mathcal {E} = (\mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})\) be a \(\mathcal {C}\)-homomorphic encryption scheme, and let \(f^{c_1,c_2}_\mathsf{add}\) and \(f^{c_1,c_2}_\mathsf{mult}\) be the augmented decryption functions of the scheme defined as

$$\begin{aligned} f^{c_1,c_2}_\mathsf{add} (\mathsf{sk})&= \mathsf{Dec}(\mathsf{sk}, c_1) \quad \mathsf{XOR} \quad \mathsf{Dec}(\mathsf{sk}, c_2),\\ f^{c_1,c_2}_\mathsf{mult} (\mathsf{sk})&= \mathsf{Dec}(\mathsf{sk}, c_1) \quad \mathsf{AND} \quad \mathsf{Dec}(\mathsf{sk}, c_2). \end{aligned}$$

Then we say that \(\mathcal {E}\) is bootstrappable if \(\{f^{c_1,c_2}_\mathsf{add}, f^{c_1,c_2}_\mathsf{mult}\}_{c_1,c_2} \subseteq \mathcal {C}\), i.e., if \(\mathcal {E}\) can homomorphically evaluate \(f_\mathsf{add}\) and \(f_\mathsf{mult}\).

Definition 35

(Weak Circular Security [18]). A public-key encryption scheme \(\mathcal {E}=(\mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec})\) is weakly circular secure if it is IND-CPA secure even for an adversary with auxiliary information containing encryptions of all secret key bits: \(\{ \mathsf{Enc}(\mathsf{pk},\mathsf{sk}[i])\}_i\). In other words, no polynomial-time adversary can distinguish an encryption of 0 from an encryption of 1, even given this additional information.

Theorem 2

Let \(\mathcal {E}\) be a bootstrappable scheme that is also weakly circular secure. Then there exists a fully homomorphic encryption scheme \(\mathcal {E}'\).

In its current construction, our scheme is not bootstrappable, because it cannot reach the multiplicative depth required for decryption. For details on the evaluation of the depth of the decryption circuit, see Sect. 3.3.5. The current scheme is only able to compute circuits of depth \(\varepsilon \log (n)\). In order to convert our scheme into a bootstrappable one, in the next section we introduce a multiplication method with better noise management. This significantly increases the depth of the circuits that the scheme can evaluate.

3.3.1 Regular Multiplication

A straightforward multiplication in the \(\mathsf{SHFF}\) scheme causes the noise to grow doubly exponentially, as \( (nd')^{2^D-1}({\mathsf{s}} \beta ')^{2^D}\), with respect to the level D. To reduce the growth to singly exponential, we introduce a multiplication technique similar to the flattening in [21]. In the rest of this section, for notational simplicity, we drop x and y and represent elements of \(\mathbb {X}\) with lowercase letters and elements of \(\mathbb {Y}\) with uppercase letters, e.g., \({\varvec{r}}\in \mathbb {X}\) and \({\varvec{R}}\in \mathbb {Y}\) satisfy \({\varvec{r}}({\varvec{\phi }}(y))= {\varvec{R}}(y)\). We first consider the product of two ciphertexts, \( {\varvec{C}}_1 = \sum {\varvec{P}}{\varvec{R}}_1 + {\varvec{M}}_1 \quad \text {and}\quad {\varvec{C}}_2 = \sum {\varvec{P}}{\varvec{R}}_2 + {\varvec{M}}_2. \) To ease notation we write \({{\overline{\varvec{R}}}}= \sum {\varvec{R}}\). Then \( {\varvec{C}}_1 \cdot {\varvec{C}}_2 = {\varvec{P}}^2 {{\overline{\varvec{R}}}}_1 {{\overline{\varvec{R}}}}_2 + {\varvec{P}}{{\overline{\varvec{R}}}}_1 {\varvec{M}}_2 + {\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{M}}_1 + {\varvec{M}}_1 {\varvec{M}}_2. \)

Remark 6

This method creates a significant noise term \({\varvec{P}}^2 {{\overline{\varvec{R}}}}_1 {{\overline{\varvec{R}}}}_2 + {\varvec{P}}{{\overline{\varvec{R}}}}_1 {\varvec{M}}_2 + {\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{M}}_1\). If we map it back to \(\mathbb {X}\), the norm of the noise is bounded by \(\Vert {\varvec{p}}^2 \mathsf{s}^2 {\varvec{r}}^2 + 2 {\varvec{p}}\mathsf{s}{\varvec{r}}\Vert \) for \(m\in \{0,1\}\); the noise is essentially squared at every level, which is the source of the doubly exponential growth.

We look at the steps more closely. If we expand the second ciphertext \({\varvec{C}}_2(y)\) and do not expand \({\varvec{C}}_1(y)\), we obtain \( {\varvec{C}}_1 \cdot {\varvec{C}}_2 = {\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1 + {\varvec{C}}_1 {\varvec{M}}_2. \) Here \({\varvec{C}}_1 {\varvec{M}}_2\) gives the desired message product, with the side effect that the \({\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1\) term adds a significant amount of noise. To curb the noise growth, we have to find a way to evaluate \({\varvec{C}}_1 {\varvec{M}}_2\) while avoiding \({\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1\).

3.3.2 Multiplication with Noise Management

In this section we explain the idea behind computing the ciphertext product while avoiding the noisy \({\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1\) term. To achieve this we change the format of the ciphertexts and define two ciphertext operands: the Left-Hand-Side (LHS) and the Right-Hand-Side (RHS).

LHS  Operand: The LHS-operand format is simply a matrix formed by the bit decomposition of the ciphertext. We write \(\varvec{\hat{{{\varvec{C}}}}}_{ BD }^{{\varvec{m}}}\) for the bit decomposition matrix of the ciphertext \({\varvec{C}}= {\varvec{P}}{{\overline{\varvec{R}}}}+ {\varvec{M}}\) with message \({\varvec{m}}(x)\), where the coefficients of \({\varvec{C}}\) are taken as integers in \([0,q)\) and \(\ell = \lceil \log q\rceil \) is the number of bits of a coefficient. We denote the elements of the matrix by \({\varvec{C}}_{i,j} = \varvec{\hat{{{\varvec{C}}}}}_{ BD }^{{\varvec{m}}}[i][j]\) for \(0\le i<n\) and \(0\le j<\ell \). More precisely, the entry \({\varvec{C}}_{i,j}\in \{0,1\}\) is the \(j^{ th }\) bit of the \(i^{ th }\) coefficient of \({\varvec{C}}\). From this point on, we denote matrices by a hat on top of the letter, e.g., \(\varvec{\hat{{{\varvec{C}}}}}\) is a matrix.

RHS  Operand: We create an n-by-\(\ell \) matrix \(\varvec{\hat{{{\varvec{C}}}}}\), where each entry is a ciphertext that holds the message \({\varvec{m}}\) with a specific construction. For simplicity we drop the indices on \({{\overline{\varvec{R}}}}\), so each \({{\overline{\varvec{R}}}}\) represents a different (fresh) sample. The entries of the matrix are computed as \( \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}}[i][j] = {\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + 2^j{\varvec{\psi }}({\varvec{\phi }})^{i} {\varvec{M}}\quad \text {for}\quad 0\le i<n~\text {and}~0\le j<\ell . \) That is, with each new row we increase the power of \({\varvec{\psi }}({\varvec{\phi }})\), matching the coefficient index of the LHS operand, and with each new column we multiply the message by 2, matching the bit index. Since \(y={\varvec{\psi }}({\varvec{\phi }})\), this matrix is equal to \( \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}}[i][j] = {\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + 2^jy^{i} {\varvec{M}}\quad \text {for}\quad 0\le i<n~\text {and}~0\le j<\ell , \) so that \(\sum _{i<n}\sum _{j<\ell } {\varvec{C}}_{i,j}\, 2^j y^i = {\varvec{C}}\) holds exactly for the bit decomposition \({\varvec{C}}_{i,j}\) of any ciphertext \({\varvec{C}}\).

One-Sided Homomorphic Multiplication: In the first method we use an LHS operand and an RHS operand to create an LHS operand, i.e., \(\mathsf{LHS}=\mathsf{LHS}\times \mathsf{RHS}\). The homomorphic product is the inner product of the two matrices, i.e., a component-wise product followed by a summation over the products, \( {\varvec{C}}^{{\varvec{m}}_1\cdot {\varvec{m}}_2} = \langle \varvec{\hat{{{\varvec{C}}}}}_{ BD }^{{\varvec{m}}_1}, \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}_2} \rangle = \sum _{i<n}\sum _{j<\ell } {\varvec{C}}_{i,j}\cdot \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}_2}[i][j] = \sum _{i<n}\sum _{j<\ell } {\varvec{C}}_{i,j}\,{\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + {\varvec{C}}_1 {\varvec{M}}_2 . \)

If we look more closely, the inner product selects, for every bit \({\varvec{C}}_{i,j}=1\), one fresh encryption of \(2^j y^i {\varvec{M}}_2\); summing along row i collects the bits of the \(i^{ th }\) coefficient of \({\varvec{C}}_1\), and summing over all rows reconstructs \({\varvec{C}}_1 {\varvec{M}}_2\) without ever forming the term \({\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1\). The result of the product is a standard SHFF ciphertext. To continue using the result, we apply bit decomposition BD to obtain an LHS ciphertext. An LHS operand can thus be computed from a regular ciphertext on the fly via bit decomposition. An RHS operand, in contrast, must be constructed before it is given to the cloud/server. This means that the ciphertext size grows by a factor of \(n \ell \) for RHS operands only.

Remark 7

Noise growth in multiplications is significantly reduced compared to the earlier method. Using this one-sided multiplication approach with fresh ciphertexts on the right-hand side, each multiplication adds at most \(n\ell \Vert p \mathsf{s}r\Vert \) to the noise already present in the LHS operand: at most \(n\ell \) noise terms are selected, and no product of two noise terms occurs. Therefore the noise growth is no longer doubly exponential, and we can support deep evaluations with reasonably sized parameters as long as we restrict evaluations to be one-sided. This may be achieved by first expressing the circuit using NAND gates and then evaluating left to right, similar to GSW.

Remark 8

Another significant feature is that, since each \({\varvec{C}}_{i,j}\in \{0,1\}\), the component-wise products are merely selections of matrix entries: we eliminate polynomial multiplications and only perform polynomial additions in \(\mathbb {Y}\). Consequently the reduction modulo \({\varvec{f}}(x)\) plays no role in the noise analysis, i.e., \({\varvec{f}}(x)\) has no effect on the noise.

Lemma 3

Let n be the polynomial degree, let \(q=2^{n^\varepsilon }\) be the modulus, let \(\chi = D_{\mathbb {Z}^n,r}\) be the \(\beta \)-bounded Gaussian distribution, and let D be the multiplicative level. Then, the proposed One-Sided Homomorphic Multiplication algorithm has noise bound \((2^D-1)(n\ell + 1) \Vert p \mathsf{s}r\Vert = O(2^D n \log q)\) for fixed \(\mathsf{s}\) and \(\beta \).

Generic Homomorphic Multiplication: This second method multiplies two RHS operands and produces an RHS operand as the result, i.e., \(\mathsf{RHS}=\mathsf{RHS}\times \mathsf{RHS}\). The multiplication is similar to the multiplication algorithm for LHS and RHS operands. We denote the element (ciphertext) in the \(k^{ th }\) row and \(l^{ th }\) column of an RHS operand matrix by \({\varvec{C}}^{{\varvec{m}}}[k][l]\). Each element of the result matrix is computed as

$$\begin{aligned} {\varvec{C}}^{{\varvec{m}}_1 \cdot {\varvec{m}}_2}[k][l] = \langle \varvec{\hat{{{\varvec{C}}}}}_{ BD }^{{\varvec{m}}_1}[k][l], \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}_2} \rangle&= \sum _{i< n} {\sum _{j < \ell } {\varvec{C}}_{i,j}[k][l] \cdot \left( {\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + 2^{j} y^{i} {\varvec{M}}_2 \right) }\\&= \sum _{i<n}\sum _{j<\ell } {\varvec{C}}_{i,j}[k][l]\,{\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + {\varvec{P}}{{\overline{\varvec{R}}}}_1 {\varvec{M}}_2 + 2^l y^k {\varvec{M}}_1 {\varvec{M}}_2 . \end{aligned}$$

Here we compute an element of the matrix using the same approach that we used for LHS-RHS multiplication. We take the element \({\varvec{C}}^{{\varvec{m}}_1}[k][l] = {\varvec{P}}{{\overline{\varvec{R}}}}_1 + 2^l y^k {\varvec{M}}_1\) at location (k, l) and apply bit decomposition to it, obtaining \({\varvec{C}}_{ BD }^{{\varvec{m}}_1}[k][l]\) with bits \({\varvec{C}}_{i,j}[k][l]\). Then we compute the component-wise products with the RHS operand of \({\varvec{m}}_2\) and sum them, which gives the ciphertext at location (k, l) of the result matrix. One \(\mathsf{RHS}\times \mathsf{RHS}\) multiplication therefore requires \(n\ell \) multiplications of \(\mathsf{LHS}\times \mathsf{RHS}\) type. Also, this multiplication does not require one-sided evaluation as in the One-Sided Homomorphic Multiplication method: since the result is again an RHS operand, we can evaluate an arbitrary circuit, which is an advantage over One-Sided Homomorphic Multiplication. The noise growth per multiplication is still low, but it accumulates as we compute a depth-D product using a binary multiplication tree, since now both operands carry noise. This leads to a worse noise growth compared to LHS-RHS multiplication. But just as in method 1, we have still eliminated the effect of \({\varvec{f}}(x)\) on the noise.

Lemma 4

Let n be the polynomial degree, let \(q=2^{n^\varepsilon }\) be the modulus, let \(\chi = D_{\mathbb {Z}^n,r}\) be the \(\beta \)-bounded Gaussian distribution, and let D be the multiplicative level. Then, the proposed Generic Homomorphic Multiplication algorithm has noise bound \((n\ell + 1)^D \Vert p \mathsf{s}r\Vert = O((n\log q)^D)\) for fixed \(\mathsf{s}\) and \(\beta \).

3.3.3 Leveled Homomorphic Public Key Scheme Instantiation

We construct a leveled homomorphic scheme using the noise management technique described above and the SHFF-PK scheme. Here we list the primitive functions of the Leveled Homomorphic Public Key scheme:

  • LHFF-PK.Keygen(\(1^\kappa \)):

    • Compute SHFF-PK.Keygen(\(1^\kappa \)).

  • LHFF-PK.Enc(\(\mathcal {S}, {\varvec{m}}\)):

    • We form n by \(\ell \) ciphertext matrix \(\varvec{\hat{{{\varvec{C}}}}}\) by computing its elements

      \({\varvec{C}}(y)[i][j] = \mathsf{SHFF\text {-}PK.Enc}(\mathcal {S}, 2^j {\varvec{\psi }}^i {\varvec{m}})\) for \(0\le i < n\) and \(0\le j < \ell \), i.e., row i carries the power \({\varvec{\psi }}^i\) and column j the factor \(2^j\), as in the RHS operand of Sect. 3.3.2.

    • Output \(\varvec{\hat{{{\varvec{C}}}}}\) as the ciphertext.

  • LHFF-PK.Dec(\({\varvec{f}}, {\varvec{\psi }},\varvec{\hat{{{\varvec{C}}}}}\)):

    • Compute SHFF-PK.Dec(\({\varvec{f}}, {\varvec{\psi }},{\varvec{C}}[0][0]\)).

  • LHFF-PK.Eval(\(C, \varvec{\hat{{{\varvec{C}}}}}_1, \varvec{\hat{{{\varvec{C}}}}}_2, \dots , \varvec{\hat{{{\varvec{C}}}}}_{\ell }\)):

    • We follow an approach similar to the one used for SHFF-SK and show that the homomorphic properties are preserved under evaluation of the binary gates \(\{+,\times \}\). Since any circuit C can be built from these two gates with two binary inputs each, this suffices.

Homomorphic Addition ( \(\varvec{+}\) ). Homomorphic addition of two ciphertext matrices \(\varvec{\hat{{{\varvec{C}}}}}_1\) and \(\varvec{\hat{{{\varvec{C}}}}}_2\) is evaluated by performing a matrix addition, \( \varvec{\hat{{{\varvec{C}}}}} = \varvec{\hat{{{\varvec{C}}}}}_1 + \varvec{\hat{{{\varvec{C}}}}}_2. \) Namely, we compute the elements of the ciphertext matrix at each location (k, l) by computing \( {\varvec{C}}(y)[k][l] = {\varvec{C}}_1(y)[k][l] + {\varvec{C}}_2(y)[k][l] \pmod {{\varvec{F}}(y)}. \) The summation at each location preserves the ciphertext matrix property, \( {\varvec{C}}[k][l] = ({\varvec{P}}{{\overline{\varvec{R}}}}_1 + 2^l y^k {\varvec{M}}_1) + ({\varvec{P}}{{\overline{\varvec{R}}}}_2 + 2^l y^k {\varvec{M}}_2), \) which simplifies to \( {\varvec{C}}[k][l] = {\varvec{P}}({{\overline{\varvec{R}}}}_1 + {{\overline{\varvec{R}}}}_2) + 2^l y^k ({\varvec{M}}_1 + {\varvec{M}}_2). \) This shows that the ciphertext property of the matrix holds. Also, the first element \({\varvec{C}}[0][0]\) is decryptable and gives the result of the summation.

Homomorphic Multiplication ( \(\varvec{\times }\) ). Homomorphic multiplication is evaluated using the Generic Homomorphic Multiplication method of Sect. 3.3.2. A matrix ciphertext multiplication preserves the matrix format, which allows the homomorphic evaluation to continue. This may be seen by comparing the format of a fresh ciphertext with that of a product of ciphertexts. First we recall the format of an element of a fresh ciphertext: \({\varvec{C}}^{{\varvec{m}}_1}[k][l] = {\varvec{P}}{{\overline{\varvec{R}}}}_1 + 2^l y^k {\varvec{M}}_1.\) Next we recall the result of multiplication method 2:

$$\begin{aligned} {\varvec{C}}^{{\varvec{m}}_1 \cdot {\varvec{m}}_2}[k][l]&= \langle \varvec{\hat{{{\varvec{C}}}}}_{ BD }^{{\varvec{m}}_1}[k][l], \varvec{\hat{{{\varvec{C}}}}}^{{\varvec{m}}_2} \rangle = \sum _{i<n}\sum _{j<\ell } {\varvec{C}}_{i,j}[k][l]\,{\varvec{P}}{{\overline{\varvec{R}}}}_{i,j} + {\varvec{P}}{{\overline{\varvec{R}}}}_1 {\varvec{M}}_2 + 2^l y^k {\varvec{M}}_1 {\varvec{M}}_2. \end{aligned}$$

Comparing the two, it is clear that multiplication preserves the ciphertext matrix format: the message part of the entry at location (k, l) is \(2^l y^k {\varvec{M}}_1 {\varvec{M}}_2\), accompanied by a larger noise part. Also, in order to decrypt successfully, we need only decrypt the first element \({\varvec{C}}[0][0]\) of the matrix, whose message part is \({\varvec{M}}_1 {\varvec{M}}_2\).

Multiplicative Level \(\varvec{D}\) . We capture the multiplicative depth of the leveled homomorphic scheme as follows.

Lemma 5

The encryption scheme

$$ \mathcal {E}_\mathsf{LH}\{ \mathsf{LHFF-PK.KeyGen, LHFF-PK.Enc, LHFF-PK.Dec, LHFF-PK.Eval}\} $$

described above is leveled homomorphic for circuits having depth \(D = O(n^\varepsilon / {\log {n}})\) where \(q=2^{n^\varepsilon }\) with \(\varepsilon \in (0,1)\), and \(\chi \) is a \(\beta \)-bounded Gaussian distribution for random sampling.

Proof

In order to determine an upper bound for the depth D, we use the noise bound of Lemma 4 (Sect. 3.3.2) with \(\ell = \log q\). The noise is bounded by \((n \log {q}+1)^D \Vert p\mathsf{s}r \Vert \), which the noise analysis writes as \((n \log {q}+1)^D (\mathsf{s}\beta ')\). For correct decryption we require this to be smaller than q / 2, which gives the condition \( (n \log {q} +1 )^D (\mathsf{s}\beta ') < q/2. \) Taking the logarithm of both sides gives \( D\log {(n \log {q}+1)} + \log {(\mathsf{s}\beta ')} < \log {q} - 1. \) Since \(n\log {q} \gg 1\), we have \(\log (n\log q + 1) \approx \log n + \log \log q\), and using \(q=2^{n^{\varepsilon }}\), so that \(\log \log q = \varepsilon \log n\), yields

$$ D < \frac{n^{\varepsilon }- 1 - \log {(\mathsf{s}\beta ')}}{\log {n} + \varepsilon \log {n}}. $$

In big-\(\mathcal {O}\) notation, this gives an upper bound of the form \(O(n^\varepsilon / {\log {n}})\).    \(\square \)

3.3.4 Security

The construction of the leveled homomorphic encryption is based on the Somewhat Homomorphic Finite Field Encryption scheme. Since there is not any significant change that affects the security, the leveled version of our construction is based on the same security assumptions as SHFF-PK: the hardness of the Decisional FFI and the subset sum problems.

Lemma 6

Let n be the polynomial degree, let \(q=2^{n^\varepsilon }\) be the modulus, and let \(\chi = D_{\mathbb {Z}^n,r}\) be a Gaussian distribution. Then, the proposed leveled homomorphic encryption scheme

$$ \mathcal {E}_\mathsf{LH}\{ \mathsf{LHFF-PK.KeyGen, LHFF-PK.Enc, LHFF-PK.Dec, LHFF-PK.Eval}\} $$

is secure under the assumptions of hardness of the Decisional Finite Field Isomorphism problem and the subset sum problem.

3.3.5 Bootstrapping

In order to demonstrate that \(\mathcal {E}\) can be made fully homomorphic, we show that our scheme can homomorphically evaluate circuits of the depth of its own decryption circuit. First we look at the depth of the decryption circuit.

Decryption Circuit Depth. We recall that decryption is given by evaluating \( {\varvec{c}}'(x) = {\varvec{C}}({\varvec{\psi }}(x)) \pmod {{\varvec{p}}(x),{\varvec{f}}(x)}. \) Denoting the coefficients of \({\varvec{C}}(y)\) by \({{\varvec{\zeta }}}_i\), this can be expanded as \( {\varvec{c}}'(x) = {{\varvec{\zeta }}}_0 + {{\varvec{\zeta }}}_1 {\varvec{\psi }}(x) + {{\varvec{\zeta }}}_2 {\varvec{\psi }}(x)^2 + \dots + {{\varvec{\zeta }}}_{n-1} {\varvec{\psi }}(x)^{n-1} \pmod {{\varvec{f}}(x), {\varvec{p}}(x)}. \) Modular reduction by \({\varvec{f}}(x)\) can be avoided by pre-computing \({\varvec{\psi }}'^{(i)}(x) = {\varvec{\psi }}(x)^i \pmod {{\varvec{f}}(x)}\). This turns decryption into a sum of precomputed polynomials, each multiplied by a scalar, \( {\varvec{c}}'(x) = \sum _{i < n} {\varvec{\zeta }}_i {\varvec{\psi }}'^{(i)}(x). \) Let \({\varvec{c}}'_j\) be the coefficients of the result \({\varvec{c}}'(x)\). Then each coefficient is evaluated by computing \( {\varvec{c}}'_j = \sum _{i < n} {\varvec{\zeta }}_i {\varvec{\psi }}'^{(i)}_j , \) where \({\varvec{\psi }}'^{(i)}_j\) denotes the \(j^{ th }\) coefficient of \({\varvec{\psi }}'^{(i)}\). In other words, decryption is a fixed linear map over \(\mathbb {Z}_q\) applied to the coefficient vector of \({\varvec{C}}\), followed by reduction mod \({\varvec{p}}\).

In [6, Lemma 4.5] the authors prove that the sum of n elements of \(\log {q}\) bits can be evaluated by a circuit of depth \({O}(\log {n}+\log {\log {q}})\), and that modular reduction mod q can likewise be done in depth \({O}(\log {n}+\log {\log {q}})\). Each \({\varvec{\psi }}'^{(i)}_j\) is a known constant, so each product \({\varvec{\zeta }}_i {\varvec{\psi }}'^{(i)}_j\) is a sum of at most \(\log q\) shifted copies of \({\varvec{\zeta }}_i\); hence \({\varvec{c}}'_j\) is a sum of at most \(n\log q\) integers of \(O(\log q)\) bits, which the same lemma handles in depth \({O}(\log (n\log q) + \log \log q) = {O}(\log {n}+\log {\log {q}})\). Since \({\varvec{p}}(x)\) is small, say \({\varvec{p}}(x)=2\), reduction mod \({\varvec{p}}\) amounts to taking the least significant bit and requires no further circuit. Therefore the decryption circuit, and hence the bootstrapping operation, has depth \({O}(\log {n}+\log {\log {q}})\).
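The following Python script is an added example, not code from the paper: it models on toy parameters the bit-decomposition multiplication of Sect. 3.3.2 (both the one-sided \(\mathsf{LHS}\times \mathsf{RHS}\) product and the generic \(\mathsf{RHS}\times \mathsf{RHS}\) product) and the linearised decryption of this section, and checks the algebraic identities stated in the text. Everything numeric is an assumption made for the toy: \(n=8\), \(q=257\), \(\ell =\lceil \log _2 q\rceil =9\), fixed monic \({\varvec{F}}(y)\) and \({\varvec{f}}(x)\) whose irreducibility is not enforced (the identities hold in any quotient ring), a uniformly random \({\varvec{P}}\) standing in for the public polynomial, uniformly random small coefficients in place of the Gaussian \(\chi \), binary messages (\({\varvec{p}}=2\)) and a random \({\varvec{\psi }}(x)\) standing in for the secret isomorphism. Only the ciphertext shape \({\varvec{C}}={\varvec{P}}{{\overline{\varvec{R}}}}+{\varvec{M}}\) is taken from the text; key generation, the real \({\varvec{P}}\) and the SHFF-PK decryption are not reproduced.

```python
from random import Random

# Toy parameters (assumptions; the paper uses q = 2^{n^eps} and much larger n).
n, q = 8, 257                 # degree of f(x), F(y) and the (prime) modulus
ell = q.bit_length()          # bits per coefficient, ell = ceil(log2 q) = 9
# Monic moduli given by their n low coefficients (leading 1 implicit); irreducibility
# is not enforced, the identities checked below hold in any quotient ring.
F = [1, 1, 0, 1, 1, 0, 0, 0]  # F(y) = y^8 + y^4 + y^3 + y + 1     (toy choice)
f = [3, 0, 5, 0, 0, 1, 0, 2]  # f(x) = x^8 + 2x^7 + x^5 + 5x^2 + 3 (toy choice)

def add(a, b):
    return [(x + y) % q for x, y in zip(a, b)]

def mul(a, b, mod):
    """Product in Z_q[z]/(mod(z)) for monic mod of degree n."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for k in range(2 * n - 2, n - 1, -1):  # z^k = -z^(k-n) * (mod(z) - z^n)
        for t in range(n):
            prod[k - n + t] = (prod[k - n + t] - prod[k] * mod[t]) % q
    return prod[:n]

def mono(i, j):
    m = [0] * n                # the monomial 2^j y^i as a ring element
    m[i] = pow(2, j, q)
    return m

def rand_poly(rng, hi=q):
    return [rng.randrange(hi) for _ in range(n)]

def small_poly(rng, bound=3):
    """Small centered element standing in for a sample of chi."""
    return [rng.randint(-bound, bound) % q for _ in range(n)]

def bit_decompose(C):
    """LHS operand: C_{i,j} = j-th bit of the i-th coefficient, taken in [0, q)."""
    return [[(C[i] >> j) & 1 for j in range(ell)] for i in range(n)]

def rhs_operand(M, P, rng):
    """RHS operand: entry [i][j] = P*R_{i,j} + 2^j y^i M with a fresh R_{i,j}.
    Also returns noise[i][j] = P*R_{i,j} so the checks can account for it."""
    noise = [[mul(P, small_poly(rng), F) for j in range(ell)] for i in range(n)]
    mat = [[add(noise[i][j], mul(mono(i, j), M, F)) for j in range(ell)] for i in range(n)]
    return mat, noise

def one_sided_mul(C1, rhs):
    """LHS x RHS: add the rhs entries selected by the bits of C1; no polynomial
    products.  Since sum_{i,j} C_{i,j} 2^j y^i = C1 this equals
    C1*M2 + sum_{i,j} C_{i,j} P R_{i,j}, and the term P R_2 C1 never appears."""
    acc = [0] * n
    for i, row in enumerate(bit_decompose(C1)):
        for j, bit in enumerate(row):
            if bit:
                acc = add(acc, rhs[i][j])
    return acc

def generic_mul(rhs1, rhs2):
    """RHS x RHS: n*ell one-sided products, one per entry of the left operand."""
    return [[one_sided_mul(c, rhs2) for c in row] for row in rhs1]

def powers_table(psi):
    """Sect. 3.3.5: psi'^(i) = psi(x)^i mod f(x) for i < n, computed once offline."""
    table, cur = [], [1] + [0] * (n - 1)
    for _ in range(n):
        table.append(cur)
        cur = mul(cur, psi, f)
    return table

def eval_horner(C, psi):
    """C(psi(x)) mod (f, q) evaluated directly: n multiplications mod f."""
    acc = [0] * n
    for zeta in reversed(C):
        acc = mul(acc, psi, f)
        acc[0] = (acc[0] + zeta) % q
    return acc

def eval_linear(C, table):
    """The same value from scalar multiples only: c'_j = sum_i zeta_i psi'^(i)_j."""
    return [sum(C[i] * table[i][j] for i in range(n)) % q for j in range(n)]

def demo(seed=7):
    """Check the identities on constructed data; every *_ok entry should be True."""
    rng = Random(seed)
    P = rand_poly(rng)                              # stands in for the public P
    M1, M2 = rand_poly(rng, 2), rand_poly(rng, 2)   # binary messages (p = 2)
    C1 = add(mul(P, small_poly(rng), F), M1)        # plain ciphertext P*R1 + M1
    rhs2, noise2 = rhs_operand(M2, P, rng)
    one_sided_ok = one_sided_mul(C1, rhs2) == add(mul(C1, M2, F), one_sided_mul(C1, noise2))
    rhs1, noise1 = rhs_operand(M1, P, rng)
    out = generic_mul(rhs1, rhs2)
    generic_ok = all(  # every entry is (selected noise) + P R1 M2 + 2^l y^k M1 M2
        out[k][l] == add(add(mul(noise1[k][l], M2, F), one_sided_mul(rhs1[k][l], noise2)),
                         mul(mono(k, l), mul(M1, M2, F), F))
        for k in range(n) for l in range(ell))
    psi, C = rand_poly(rng), rand_poly(rng)         # toy secret psi(x) and a ciphertext
    linear_ok = eval_horner(C, psi) == eval_linear(C, powers_table(psi))
    return {"one_sided_ok": one_sided_ok, "generic_ok": generic_ok, "linear_ok": linear_ok,
            "selected_terms": sum(map(sum, bit_decompose(C1))), "max_terms": n * ell}
```

Calling demo() returns three flags that should all be True: the one-sided product equals \({\varvec{C}}_1 {\varvec{M}}_2\) plus a sum of at most \(n\ell \) fresh noise terms (no \({\varvec{P}}{{\overline{\varvec{R}}}}_2 {\varvec{C}}_1\) term appears), every entry of the generic product has the form noise \(+\,2^l y^k {\varvec{M}}_1 {\varvec{M}}_2\), and the Horner evaluation of \({\varvec{C}}({\varvec{\psi }}(x))\) modulo \(({\varvec{f}},q)\) agrees with the scalar-weighted sum over the precomputed table. It also reports how many noise terms were actually selected, which is the Hamming weight of \({\varvec{C}}_1\) and can never exceed \(n\ell \), the quantity that drives the bounds in Lemmas 3 and 4.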

Theorem 3

Let \(\chi \) be a \(\beta \)-bounded distribution with \(\beta \) = poly(n), and let \(q=2^{n^{\varepsilon }}\) for \(0<\varepsilon <1\). Then there exists a fully homomorphic encryption scheme based on the leveled homomorphic encryption scheme \(\mathcal {E} = \mathsf{LHFF-PK}\), under the assumptions that the scheme is secure under the Decisional Finite Field Isomorphism Problem and that it is weakly circular secure.

Proof

The decryption circuit requires \({O}(\log {n}+\log {\log {q}})\) depth, and our scheme can compute \({O}(n^\varepsilon / {\log {n}})\) depth circuits (Lemma 5). Therefore, the following inequality is sufficient in order to be bootstrappable:

$$ \varUpsilon (\log {n}+\log {\log {q}}) < n^\varepsilon / {\log {n}} $$

where \(\varUpsilon >0\) captures the constants of the decryption circuit. Since \(0<\varepsilon <1\), we have \(\log \log q = \varepsilon \log n < \log n\), so in the worst case it suffices that \(2\varUpsilon \log n < n^\varepsilon / \log n\), i.e., \(2 \varUpsilon < {\log {q}/\log ^2 n}\).    \(\square \)

4 Conclusion

In this work we proposed a new conjectured hard problem: the finite field isomorphism (FFI) problem. Informally, the FFI problem asks one to construct an explicit isomorphism between two representations of a finite field, given only access to long (large norm) representations of field elements and the assurance that a representation exists in which each of these elements has a short (low norm) expression. We formalized the FFI problem and studied the effectiveness of various approaches, including lattice attacks and non-lattice algebraic techniques, for recovering the secret isomorphism. Relying on the assumed hardness of the decisional FFI problem, we first presented a secret-key somewhat homomorphic encryption scheme. This was extended, using a subset-sum technique, to a public-key scheme. We briefly analyzed the noise behaviour of both schemes and introduced a bit-decomposition-based noise management scheme that reduces the noise growth from doubly to singly exponential. This yielded a bootstrappable, and thus a fully homomorphic, encryption scheme.