GSW
Around 2013, Gentry, Sahai and Waters [1] proposed a new way of building FHE schemes whose homomorphic multiplication algorithms are more natural than those presented in BFV or BGV. A distinguished feature of the scheme we are about to present is an asymmetric formula for the growth of the noise when multiplying two ciphertexts. Due to this feature, certain types of circuits have a very slow noise growth rate. Based on this asymmetry, Alperin-Sheriff and Peikert [2] found a very efficient bootstrapping technique for the GSW scheme.
More efficient FHE schemes based on ring variants of GSW have been proposed since then. These achieve very fast bootstrapping via various optimisation techniques, such as "refreshing the ciphertexts" after every single homomorphic operation. To our knowledge, among the schemes based on GSW (and not only), TFHE [3] holds the record for fastest bootstrapping. In the literature, the schemes based on the aformentioned work of Gentry, Sahai and Waters are commonly referred to as "third generation FHE". Their security is based on the so-called approximate eigenvector problem.
Overview of the GSW scheme
We follow the exposition in the paper "Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based" [1] by Gentry, Sahai and Waters.
The description of this scheme is strikingly simple. In GSW, homomorphic encryption based on LWE is achieved while the homomorphic addition and multiplications correspond to matrix addition and multiplication, respectively.
Let be a natural number, representing some modulus and a dimension parameter. A ciphertext is a matrix of dimension with "small" entries from . A secret key is a -dimensional vector over with one big coefficient . We can intuitively think of "small" as meaning much smaller (in order of magnitude) than and "big" meaning the same order of magnitude as . In fact, we will make use of the case when the entries of belong to . We also restrict the message to be a "small" integer.
encrypts under if , where is a small error vector.
To decrypt, one first exacts the -th row of . Compute . Now, as is large and small, we have
Basically, is almost an eigenvector for corresponding to the eigenvalue . This is commonly referred to being an approximate eigenvector.
Observe that if and encrypt and respectively under the same key vector , then
where represents the error vector of , for . As long as the sum is small, the sum matrix is an encryption of .
Looking at the equality
,
we observe that is an encryption of the product , which can be decrypted correctly if the -th component of the vector is smaller than .
Remark that is also an encryption of , even though matrix multiplication is not commutative. The essence of the previously anticipated asymmetry is captured by the fact that the noises of and are very different.
Flattening ciphertexts and keeping the noise small
We can decrypt homomorphically evaluated ciphertext as long as the -th component of the error vector is small enough. As we saw in the overview section, the noise might grow quickly with each multiplication. To mitigate this and to perform homomorphically evaluations of deep circuits (in the sense of multiplication depth), observing that the noise growth depends of the size of the coefficients of the ciphertexts, the size of the messages and the fresh error size (in an asymmetric way), we can try to restrict the message space and the entries of the ciphertexts to . We also impose a bound for the entries of the fresh fresh error vectors .
Such ciphertexts will be further called -strongly bounded, terminology that is used throughout the paper GSW [1].
The homomorphic operations performed on ciphertexts should correspond to operations "in the clear" that keep the message within the set . To achieve this, we will use only NAND gates to evaluate any circuit.
Notice that if are two -strongly bounded ciphertexts, the ciphertext obtained by evaluating a NAND gate has underlying message in , but the coefficients of 's error vector have magnitude at most . If one could ensure that the coefficients of have magnitude at most , then the noise after evaluating a NAND gate will remain quite small, allowing us to evaluate deeper circuits.
The authors introduce an operation on ciphertexts called flattening, inspired by ideas in second generation FHE schemes such as BFV and BGV. Flattening is basically an operation that modify vectors without affecting their dot product.
Let , where and is a positive integer. We will consider , two -dimensional vector spaces.
For any -dimensional vector , define
and
The authors also introduce
Some obvious properties of these definitions are
- ;
- For any -dimensional , we have that
The latter is showing us an interesting feature of , i.e. it makes the coefficients of a vector "small", without changing its inner product with
We will have to "flatten" ciphertexts, which are matrices. When is applied to a matrix , this will be done by applying to each row of . Recall that a step in the decryption process is multiplying the ciphertext matrix with a secret key vector . We will always use , a vector of this special form in order for flattening to preserve the product between and required for decryption.
Now, for any ciphertext matrix , we have
After computing a ciphertext for the NAND gate, we will immediately flatten it, namely we will set
References
- ↑ 1.0 1.1 1.2 C. Gentry, A. Sahai, and B. Waters. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In CRYPTO 2013 (Springer). https://eprint.iacr.org/2013/340
- ↑ J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer). https://eprint.iacr.org/2014/094
- ↑ I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. TFHE: Fast Fully Homomorphic Encryptionover the Torus. In Journal of Cryptology, volume 33, pages 34–91 (2020). https://eprint.iacr.org/2018/421