This scheme proposed by Brakerski [1] has a number of advantages over previous candidates such as BGV. In particular, it uses the same modulus throughout the evaluation process, so there's no need for modulus switching. Security of these scheme is baed on the hardness of the GapSVP problem.
Preliminaries
For an integer , write . This is not the same with the ring . For any , write for the unique value in that is congruent to modulo .
If are two -dimensional vectors, then the tensor product is the dimensional vector containing all elements of the form . Note that
Building Blocks of a homomorphic encryption scheme
We start by presenting Regev's [2] basic public-key encryption scheme.
The Regev scheme
Let be an integer function and let be a distribution over . The scheme 'Regev' is defined as follows:
- Regev.SecretKeygen( ): Sample uniformly. Output .
- Regev.PublicKeygen(): Let . Sample uniformly then sample . Compute . Here we apply to every entry in the -dimensional vector and define
.
Output .
- Regev.Enc(): To encrypt a message using , sample uniformly and output the ciphertext
where .
- Regev.Dec(): To decrypt using the secret key , compute
In order to prove corectness, the author first shows (Lemma 3.1 in [1]) that if and - -bounded are parameters for the 'Regev' scheme described above and if is the fresh encryption of some message , then
for some with .
Then, Lemma 3.2 in the same article asserts that if is some vector and is such that
with and , then
Regev.Dec( )= .
Brakerski claims that the security of this scheme reduces to the hardness of (a decisional variant of) LWE problem by classical arguments (originally due to Regev [2]).
Vector decompositions
Recall from BGV the procedures
and
When the modulus is clear from the context we will omit its writing.
We also recall the property
.
Key switching
In the functions described below is an integer and is a distribution over .
- ): For a 'source' key and target key this outputs matrix with rows and columns, very similar to an encryption of under the secret key . Let us call this matrix .
- : To switch a ciphertext from a secret key to , output
.
Details on the correctness and security of this scheme are given at the end of Section 3 in [1].
A scale Invariant Homomorphic Encryption Scheme
Let be an integer function, a polynomial and a distribution over the integers. The SI-HE scheme is defined as follows:
- SI-HE.Keygen(): Sample vectors Regev.SecretKeygen( ) and generate a Regev public key for the first one: . For all , define
and compute
.
Output and and .
- SI-HE.Enc(): This is identical to Regev's. Just output .
- SI-HE.Eval(): Here we describe homomorphic addition and multiplication over the field with two elements, operations that allow the evaluation of depth arithmetic circuits in a gate-by-gate manner. The convention for a gate at level of the circuit is that the operand ciphertexts are decryptable using , and the output of the homomorphic operation is decryptable using .
Recall that evk contains key switching parameters from to , homomorphic addition and multiplication both first produce an intermediate output that corresponds to and then use key switching to obtain the final output.
-- SI-HE.: Assume that both input ciphertexts are encrypted under the same secret key . First compute
and then output
Above the ciphertexts are first added (as vectors) to obtain , but the output of this corresponds to and not , as required. The vector is generated by tensoring with a trivial ciphertext, the result being an encryption of the sum under the key . This result can now be key-switched to obtain an output corresponding to . The PowersOfTwo procedure is used in order to control the norm of the secret key.
-- SI-HE.: Again, we assume that both input ciphertexts are encrypted under the same secret key .
One first computes
,
then output
.
- SI-HE.: If is a ciphertext that corresponds to , then decryption is identical to the one in Regev's scheme. Just output .
References
- ↑ Z. Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50
- ↑ O. Regev. On lattices, learning with errors, random linear codes, and cryptography.
In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84–93. ACM, 2005