Difference between revisions of "BFV"

Revision as of 12:35, 26 May 2020

Around 2012 Brakerski ^[1] proposed a new efficient FHE scheme whose security is based on the LWE problem. Later on, this scheme was ported to the ring-LWE setting by Fan and Vercauteren. ^[2] The various optimisations achieved by the last two authors made the scheme suitable for implementation. One such implementation is available in Microsoft SEAL ^[3] is an actively maintained library which makes homomorphic encryption available in an easy-to-use form both to experts and to non-experts.

Overview of the BFV scheme

In BFV the plaintext space consists of polynomials of degree less than Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n } with coefficients modulo Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle t} , more precisely Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_t = \mathbb Z_{t}[x]/(x^n+1) } . This is a ring, where addition is just the usual addition of polynomials. Multiplication is also quite intuitive, in the sense that multiplication of two elements is just multiplication of the underlying polynomials with Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x^n } being converted to Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle -1 } . In this way, the result of ring operations on Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_t } is always a polynomial of degree strictly less than Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n } .

The homomorphic operations on ciphertext, that will be described later, will carry through encryption to addition and multiplication operations in the plaintext Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_t } .

If we wish to encrypt an integer or a rational number, then we need to encode it first into a plaintext polynomial in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_t } and the result can be encrypted only after that. We mention that distinction should be made between encoding and encrypting data. The first one is a public operation, i.e. anybody can reverse it by decoding , whereas the latter can be reverse just by someone who knows the (secret) encryption key. In order to be able to compute additions and multiplications on, for example, integers in encrypted form, the encoding must be such that addition and multiplication of encoded polynomials in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_t } carry over correctly to the integers when the result is decoded. The aforementioned library Microsoft SEAL provides a few different standard encoders that users can use at their convenience.

The ciphertext space in this scheme consists of arrays of polynomials in ${\mathcal {R}}_{q}$ , for some different (much larger than $t$ ) integer $q$ . These arrays contain at least two polynomials. Their length grows with each homomorphic multiplication, unless an operation called reliniarization is performed. The latter is a procedure which takes a ciphertext consisting of more than $2$ polynomials in ${\mathcal {R}}_{q}$ back to a ciphertext with $2$ polynomials encrypting the same message $m\in {\mathcal {R}}_{t}$ .

Description of the scheme

Let $\lambda$ be the security parameter. Let $w$ be a base (one can think of $w=2$ for the sake of presentation) and let $l+1=\lfloor \log _{w}q\rfloor +1$ denote the number of terms in the decomposition into base Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle q} . Polynomials in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_q } will also be decomposed into base Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle w } components coefficient-wise, resulting in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle l+1 } polynomials. When Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle S} is a set, we denote Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle a \leftarrow S } we denote the fact that Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle a } is sampled uniformly from the set Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle S} .

The BFV scheme has the algorithms Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle SecretKeyGen, PublicKeyGen, EvaluationKeyGen, Encrypt, Decrypt, Add } and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Multiply } . We describe these below.

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle SecretKeyGen(\lambda) } : This just samples Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s \leftarrow \mathcal R_2 } and outputs the secre key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle sk=s } .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle PublicKeyGen(sk) } : Set Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s =sk } , sample Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle a \leftarrow \mathcal R_q } uniformly and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle e \leftarrow \chi } from an error distribution. Output the public key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle pk = ([-(as+e)]_q, a) } .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle EvaluationKeyGen(sk,w) } : for Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle i \in \{0,\dots, l \} } , sample Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle a_i \leftarrow \mathcal R_q } and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle e_i \leftarrow \chi } . Output

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle evk = ([-(a_is+e_i)+w^is^2]_q,a_i) } .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Encrypt(pk,m):} For Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle m \in \mathcal R_t } , let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p_k = (p_0,p_1)} . Sample Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle u \leftarrow \mathcal R_2 } uniformly and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle e_1, e_2 \leftarrow \chi } . Compute and output

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle ct = ([ \frac{q}{t} \cdot m + p_0 u+e_1]_q, [p_qu +e_2]_q)} .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Decrypt(sk,ct) } : Set Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s=sk, c_0 = ct[0] } and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_1 = ct[1] } . Output

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \left[ \left\lfloor \frac{t}{q} \cdot [c_0+c_1s]_q \right\rfloor \right]_t } .

The homomorphic operations on ciphertext are as follows

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Add(ct_0, ct_1):} Output Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (ct_0[0]+ct_1[0], ct_0[1]+ct_1[1]).}

As one can see addition is done in the most natural way, component-wise. Multiplication is a little bit more tricky.

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Multiply(ct_0, ct_1):} Compute

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_0 = \left[ \left\lfloor \frac{t}{q} ct_0[0] ct_1[0] \right\rceil \right]_q } , Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_1 = \left[ \left\lfloor \frac{t}{q}(ct_0[0]ct_1[1]+ct_0[1]ct_1[0]) \right\rceil \right]_q } ,

and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_2 = \left[ \left\lfloor \frac{t}{q} (ct_0[1]ct_1[1]) \right\rceil \right]_q } .

This first step is quite easy. One can think of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle ct_i } as a polynomial Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle ct_i(x)= ct_i[0] + x \cdot ct_i[1] } with coefficients in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal R_q } . What we did so far corresponds to computing the product of the polynomials $ct_{1}(x)$ and $ct_{2}(x)$ , resulting in a (quadratic in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x} ) polynomial Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_0+c_1x+c_2x^2 } . This corresponds to a length Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle 3} array Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (c_0,c_1,c_2) } . To keep the size of the ciphertext small, we now apply a reliniarization step. The latter consists in computing

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_0' = c_0+ \sum_{i=0}^l evk[i][0] c_2^{(i)} } , Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_1' = c_1 + \sum_{i=0}^l evk[i][1] c_2^{(i)} } ,

and return as output the ciphertext Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (c_0', c_1')} .

↑ Z. Brakerski. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. CRYPTO 2012. http://eprint.iacr.org/2012/078.pdf
↑ J. Fan and F. Vercauteren. Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144, Mar. 2012. https://eprint.iacr.org/2012/144.pdf
↑ Microsoft Research. Microsoft SEAL (release 3.5). 2020. https://github.com/Microsoft/SEAL

[1] Z. Brakerski. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. CRYPTO 2012. http://eprint.iacr.org/2012/078.pdf

[2] J. Fan and F. Vercauteren. Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144, Mar. 2012. https://eprint.iacr.org/2012/144.pdf

[SEAL-3] Microsoft Research. Microsoft SEAL (release 3.5). 2020. https://github.com/Microsoft/SEAL

[1]

[2]

[3]

@@ Line 37: / Line 37: @@
 The homomorphic operations on ciphertext are as follows
+* <math>Add(ct_0, ct_1):</math> Output <math>(ct_0[0]+ct_1[0], ct_0[1]+ct_1[1]).</math>
+As one can see addition is done in the most natural way, component-wise. Multiplication is a little bit more tricky.
+* <math>Multiply(ct_0, ct_1):</math> Compute
+<center><math>  c_0 = \left[ \left\lfloor \frac{t}{q} ct_0[0] ct_1[0] \right\rceil \right]_q </math>,</center>
+<center><math> c_1 = \left[ \left\lfloor \frac{t}{q}(ct_0[0]ct_1[1]+ct_0[1]ct_1[0]) \right\rceil \right]_q </math> ,</center>
+and <math> c_2 = \left[ \left\lfloor \frac{t}{q} (ct_0[1]ct_1[1]) \right\rceil \right]_q </math>.
+This first step is quite easy. One can think of <math>ct_i </math> as a polynomial <math>ct_i(x)= ct_i[0] + x \cdot ct_i[1] </math> with coefficients in <math> \mathcal R_q </math>. What we did so far corresponds to computing the product of the polynomials <math>ct_1(x) </math>  and <math>ct_2(x) </math>, resulting in a (quadratic in <math> x</math>) polynomial <math> c_0+c_1x+c_2x^2 </math>. This corresponds to a length <math> 3</math> array <math>(c_0,c_1,c_2) </math>. To keep the size of the ciphertext small, we now apply a reliniarization step. The latter consists in computing
+<center> <math>  c_0' = c_0+ \sum_{i=0}^l evk[i][0] c_2^{(i)} </math>,</center>
+<center> <math> c_1' = c_1 + \sum_{i=0}^l evk[i][1] c_2^{(i)} </math> ,</center>
+and return as output the ciphertext <math>(c_0', c_1')</math>.

Difference between revisions of "BFV"

Revision as of 12:35, 26 May 2020

Overview of the BFV scheme

Description of the scheme

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools