GSW - Bootstrapping
Gentry's bootstrapping theorem allows for converting a “somewhat homomorphic” encryption scheme (which supports only a bounded number of homomorphic operations) into a fully homomorphic encryption one (which has no such bound). The bounded nature of all known somewhat homomorphic schemes cannot be avoided due to “error” terms in their ciphertexts, which are necessary for security. The error grows as a result of performing homomorphic operations, and if it grows too large, the ciphertext will no longer decrypt correctly.
Bootstrapping the error of a ciphertext so that it can support more homomorphic operations, by homomorphically evaluating the decryption function on the ciphertext. The result is a ciphertext that still encrypts the original encrypted message. If the error coming from the homomorphic evaluation is smaller than the error in the original ciphertext, we say that the ciphertext is “refreshed”. To date, bootstrapping is the only known way of obtaining an unbounded FHE scheme, i.e., one that can homomorphically evaluate any efficient function using keys and ciphertexts of a fixed size.
Here we present an efficient bootstrapping method for a variant of the GSW scheme, as presented in the paper of Alperin-Sheriff and Peikert [1].
Contents
A "simpler" variant of the GSW cryptosystem
The authors present a variant of the GSW scheme which permits a tighter analysis of its error growth under homomorphic operations.
Given a modulus , let us denote by and define the "gadget" (we will think of it as column) vector
Remark that , according to our choice of .
A randomized decomposition function. There is a randomized, efficiently computable function such that is "subgaussian" with parameter , and always satisfies . [2]
In particular is randomized and has low entries with very large probability.
For vectors and matrices over , define the randomized function by applying independently to each entry. Notice that for any , if , then has small entries (is "subgaussian") and
is the block matrix with copies of as diagonal blocks, and zeros elsewhere.
This version of the GSW scheme has as parameters a dimension , a modulus and , as defined above. For bootstrapping, we only work with ciphertexts encrypting messages in . The ciphertext space is . For simplicity, we present just a symmetric-key scheme, which can be converted to a public key setting, similar to the one described in GSW.
A substantial difference between the original GSW scheme and this variant is the following: the homomorphic multiplication procedure in the current variant uses the randomized operation presented above. This gives important advantages, such as very simple error analysis (using the subgaussianity property) and the ability to completely re-randomize the error in a ciphertext.
The algorithms of the scheme are as follows
- GSW.Gen(): choose and output the secret key .
- GSW.Enc(): choose uniformly and , let mod , and output the ciphertext
where .
- GSW.Dec(): let be the penultimate column of . Output , where indicates whether its argument is closer modulo to or to , the penultimate entry of .
- GSW.Add(): Output .
- GSW.Multiply( ): Output . This operation is a ramdomized one, as is randomized. The multiplication is also right-associative.
The authors remark that a fresh ciphertext is just plus a matrix which contains independent LWE samples under the secret which are pseudorandom if one assumes the hardness of .
Correctness and homomorphic operations
A ciphertext is said to be designed to encrypt a message (under a secret key ) if it is a fresh encryption of , or if is the sum (or the product) of two ciphertexts that are designed to encrypt and .
The error vector of a ciphertext designed to encrypt a message under the key is (mod ).
Notice that the matrix is designed to encrypt and has error .
Claim. If is designed to encrypt some and has error vector whose penultimate coordinate has magnitude less than , then GSW.Dec() correctly outputs .
This follows from the fact that and the penultimate column of is , where mod .
Let be ciphertexts designed to encrypt and have error vectors . Then, their homomorphic sum has error vector . Moreover, if is the homomorphic product of these ciphertexts, then for (subgaussian), we have the following
which as is further equal to
It is important to remember that the error upon multiplication is quasi-additive and asymmetric with respect to the errors . The first error is multiplied by a subgaussian matrix , the second error vector is only multiplied by the message , which the authors make sure they always keep in .
Homomorphic product of multiple ciphertexts. Suppose that are designed to encrypt and have error vectors . Then for any fixed values of these variables, the matrix
has an error vector whose entries are mutually independent and subgaussian with parameter , where is the concatenation of the individual error vectors.
Homomorphic encryption for Symmetric Groups
We describe HEPerm a homomorphic encryption scheme for symmetric groups. Let be the ciphertext space for the GSW scheme. The main procedures of HEPerm are as follows:
- HEPerm.Enc(): let be the permutation matrix associated with
References
- ↑ J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer). https://eprint.iacr.org/2014/094
- ↑ D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT, pages 700–718. 2012 https://www.iacr.org/archive/eurocrypt2012/72370695/72370695.pdf