FHE over the Integers

This is a fully homomorphic encryption relying only on modular arithmetic introduced by van Dijk et al ^[1]. The authors first create a somewhat homomorphic scheme which is bootstrappable and then apply Gentry's technique to construct a fully homomorphic scheme. We refer to Gentry's article ^[2] for the precise definitions of "somewhat homomorphic" and "bootstrappable" schemme.

One of the main advantages of this scheme represents its conceptual simplicity. The security of the scheme is reduced to the approximate gcd problem over the integers, that is, given a list of integers that are near-multiples of an unknown integer d, find d.

A somewhat homomorphic encryption scheme

Using a theorem of Gentry, the authors are able to construct a homomorphic encryption scheme that can handle circuits of any depth from a scheme that is capable of evaluating just a little more than its own decryption circuit.

Let us first construct a somewhat homomorphic encryption scheme.

Definition. Let ${\displaystyle {\mathcal {E}}=(Keygen,Encrypt,Decrypt,Evaluate)}$ be an encryption scheme where ${\displaystyle Decrypt}$ is implemented by a circuit that depends only on the security parameter. For a given value ${\displaystyle \lambda }$ of the security parameter, the set of augmented decryption circuits consists of two circuits, both take as input a secret key and two ciphertexts. One circuit decrypts both ciphertexts and adds the resulting plaintext bits modulo ${\displaystyle 2}$, the other decrypts both ciphertexts and multiplies the resulting plaintext bits modulo ${\displaystyle 2}$. The authors denote this set by ${\displaystyle D_{\mathcal {E}}(\lambda )}$.

A homomorphic encyption scheme ${\displaystyle {\mathcal {E}}=}$ is called bootstrappable if for every value of the security parameter, the scheme can handle all the circuits in ${\displaystyle D_{\lambda }}$.

Given such a scheme ${\displaystyle {\mathcal {E}}}$ and a paramater ${\displaystyle d=d(\lambda )}$, there is an efficient transformation that outputs the description of another encryption scheme ${\displaystyle {\mathcal {E}}^{(d)}}$ which is compact, has the same ${\displaystyle Decryption}$ circuit as ${\displaystyle {\mathcal {E}}}$, and is homomorphic for all circuits of depth up to ${\displaystyle d}$.

If we assume that the initial bootstrappable scheme ${\displaystyle {\mathcal {E}}}$ is circular secure then it can be converted into a single compact fully-homomorphic encryption scheme ${\displaystyle {\mathcal {E}}'}$.

We refer to Gentry's article [2] for the precise definition of "compact", "bootstrappable" and "circular security".

The construction of the scheme

The construction has many parameters controlling the number of integers in the public key and the bit-length of various integers. We choose omit most of them in this presentation, but we refer the interested reader to M. van Dijk et al. for their precise description.

${\displaystyle Keygen(\lambda )}$: The secret key is an odd ${\displaystyle \eta }$ bit integer. For the public key ${\displaystyle p_{k}}$, integers ${\displaystyle x_{0},x_{1},\dots ,x_{\tau }}$ are sampled uniformly from a given set of near-multiples of ${\displaystyle p}$. As previously mentioned, finding the secret key ${\displaystyle p}$ would require force an attacker to give a resolution for an approximate gcd problem in the integers. The latter is known to be very difficult.

${\displaystyle Encrypt(p_{k},m\in \{0,1\})}$: Choose a random subset ${\displaystyle S\subseteq \{1,2,\dots ,\tau \}}$ and a random integer ${\displaystyle r}$ in a specified range, and output ${\displaystyle c\leftarrow \left(m+2r+2\sum _{i\in S}x_{i}\right){\pmod {x_{0}}}}$.

${\displaystyle Evaluate(p_{k},C,c_{1},\dots ,c_{t})}$: Given the (binary) circuit ${\displaystyle C}$ with ${\displaystyle t}$ inputs and ciphertexts ${\displaystyle c_{1},\dots ,c_{t}}$, apply the integer addition and multiplication gates of ${\displaystyle C}$ to the ciphertexts, performing all the operations over the integers and output the result, an integer.

${\displaystyle Decrypt(s_{k},c)}$: Output ${\displaystyle m'\leftarrow }$ (${\displaystyle c}$ mod ${\displaystyle p}$) mod 2.

Remark. The encryption can be viewed as adding the underlying message ${\displaystyle m}$ to a random subset sum of encryptions of zero. Indeed, notice that each ${\displaystyle w_{i}=2x_{i}{\pmod {x}}_{0}}$ and also ${\displaystyle x_{0}}$ is essentially an encryption of zero; its noise is even. Moreover, ${\displaystyle c=m+2r+\sum _{i\in S}w_{i}-k\cdot x_{0}}$ for some integer ${\displaystyle k}$.

The proposers of the scheme prove that ${\displaystyle {\mathcal {E}}}$ can handle circuits if these can be represented by multivariate polynomials with degree smaller than some given, explicit bound.

Ciphertext compression

The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications.

To solve this problem, the authors propose a compression of these ciphertexts down to the size of an RSA modulus. This reduces the communication complexity of the scheme dramatically.

The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed.

Making the scheme fully homomorphic

In order to successfully transform ${\displaystyle {\mathcal {E}}}$ into a bootstrappable scheme, the authors slightly modify the decryption circuit of ${\displaystyle {\mathcal {E}}}$. The problem with ${\displaystyle {\mathcal {E}}}$ is that its decryption equation ${\displaystyle m'\leftarrow (c-\lfloor c/p\rfloor )}$ mod 2, requires Boolean circuits that are deeper than what ${\displaystyle {\mathcal {E}}}$ can handle.

An idea of Gentry is used to “squash”, i.e. to simplify, the decryption circuit. In this transformation, one adds to the public key some extra information about the secret key. This extra information is then used to “post process” the ciphertext such that the latter can be decrypted more efficiently.

This is paid for by introducing another so called “hardness assumption”, basically assuming that the extra information in the public key does not help an attacker break the scheme.

In the modified scheme, we add to the public key from the original ${\displaystyle {\mathcal {E}}}$ a set ${\displaystyle {\mathcal {y}}=\{y_{1},\dots ,y_{\theta }\}}$ of ${\displaystyle \theta }$ rational numbers belonging to ${\displaystyle [0,2)}$ such that there is a sparse (in a precise sense) subset ${\displaystyle S\subset \{1,\dots ,\theta \}}$ with ${\displaystyle \sum _{I\in S}y_{i}\approx 1/p}$ (mod 2). The secret key is replaced by the indicator vector of the subset ${\displaystyle S}$.

The new key generation procedure will output the aforementioned public and secret keys.

To encrypt or evaluate, one generates a ciphertext ${\displaystyle c*}$ as in the scheme ${\displaystyle {\mathcal {E}}}$. Then for each ${\displaystyle I\in S}$, set ${\displaystyle z_{i}\leftarrow c*\cdot y_{i}}$ (mod 2) (of course, these operations are done with a bounded number of bits of precision). The procedure outputs ${\displaystyle c*}$ and the vector ${\displaystyle z=<z_{1},\dots ,z_{\theta }>}$.

To decrypt, one just has to output ${\displaystyle m'\leftarrow c*-\lfloor s_{i}z_{i}\rfloor }$ (mod 2).

It can be easily shown that the modified scheme is correct for all the circuits that the original scheme ${\displaystyle {\mathcal {E}}}$ could handle.

On the other hand, the authors prove (see Theorem 3 of loc. cit.) that new scheme can handle its decryption circuit, hence it can be bootstrapped and transformed into a fully homomorphic encryption scheme.

References