Difference between revisions of "BGV"

In 2011, Brakerski, Gentry and Vaikuntanathan (BGV) published the paper ^[1] in which they introduce a new (leveled) fully homomorphic encryption (FHE) that improves performance and bases security on weaker assumptions than schemes from the previous generation.

A central conceptual contribution of this work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure.

Until recently, the BGV scheme was considered to be the most efficient homomorphic encryption scheme when performing the same operations on multiple ciphertexts at once.

New noise management technique

@TODO

Leveled Fully Homomorphic Encryption

Most of the work done by the will focus on the construction of a leveled fully homomorphic scheme, in the sense that the parameters of the scheme depend (polynomially) on the depth of the circuits that the scheme is capable of evaluating.

Definition. We say that a family of homomorphic encryption schemes ${\displaystyle \{{\mathcal {E}}^{(L)}:L\in \mathbb {Z} ^{+}\}}$ is leveled fully homomorphic if, for all ${\displaystyle L\in \mathbb {Z} ^{+}}$, they all use the same decryption circuit, ${\displaystyle {\mathcal {E}}^{(L)}}$ compactly evaluates all circuits of depth at most ${\displaystyle L}$ (that use some specified complete set of gates), and the computational complexity of ${\displaystyle {\mathcal {E}}^{(L)}}$'s algorithms is polynomial (a fixed polynomial for all ${\displaystyle L}$) in the security parameter ${\displaystyle L}$, and the size of the circuit (in the case of the evaluation algorithm).

The construction: FHE without bootstrapping

The authors base the security of their scheme on the hardness of Ring-Learning with errors problems, a generalisation of the classical LWE problem.

Let ${\displaystyle \lambda }$ be a security parameter, representing ${\displaystyle 2^{\lambda }}$ security against known attacks.

Let ${\displaystyle R}$ be a ring. For any integer ${\displaystyle q}$, we write ${\displaystyle R_{q}}$ for the quotient ${\displaystyle R/qR}$.

Let ${\displaystyle q=q(\lambda )}$ be an odd modulus and ${\displaystyle \chi =\chi (\lambda )}$ a ``noise" distribution over ${\displaystyle R}$. Let ${\displaystyle N=N(\lambda )}$ be an additional parameter of the system which is larger than ${\displaystyle 3\cdot \log {q}}$.

Let us assume that the plaintext is ${\displaystyle R_{2}=R/2R}$.

• E.Setup(${\displaystyle 1^{\lambda },1^{\mu }}$): Choose a ${\displaystyle \mu }$-bit modulus ${\displaystyle q}$ and choose the other parameters ${\displaystyle d=d(\lambda ,\mu )}$, and ${\displaystyle N=\lceil 3\log q\rceil }$, ${\displaystyle \chi (\lambda ,\mu )}$ appropriately to ensure that the scheme is based on a Ring-LWE instance that achieves ${\displaystyle 2^{\lambda }}$ security against known attacks. Let ${\displaystyle R=\mathbb {Z} [X]/(x^{d}+1)}$ and let params = ${\displaystyle (q,d,N,\chi )}$.

• E.SecretKetGen(params): Draw ${\displaystyle s'\leftarrow \chi }$. Set ${\displaystyle sk=s\leftarrow (1,s')\in R_{q}^{2}}$.

• E.PublicKeyGen(params, sk): Recall that the secret key is ${\displaystyle sk=s=(1,s')}$. This algorithm generates a (column) vector ${\displaystyle A'\leftarrow R_{q}^{N}}$, uniformly and a vector ${\displaystyle e\leftarrow \chi ^{N}}$. The algorithm computes

${\displaystyle b=A's'+2e}$. Then, set ${\displaystyle A}$ to be the ${\displaystyle N\times 2}$ matrix obtained by setting ${\displaystyle b}$ on the first column followed by the entries of ${\displaystyle -A'}$. We remark that ${\displaystyle A\cdot s=2e}$. The algorithm outputs the public key ${\displaystyle pk=A}$.

• E.Enc(params, pk,m): To encrypt a message ${\displaystyle m\in R_{2}=R/2R}$, set ${\displaystyle m\leftarrow (m,0)\in R_{q}^{2}}$, sample ${\displaystyle r\leftarrow R_{2}^{N}}$ uniformly and output the ciphertext ${\displaystyle c\leftarrow m+A^{T}\cdot r\in R_{q}^{2}}$.

• E.Dec(params, sk, c): Output ${\displaystyle m\leftarrow [[<c,s>]_{q}]_{2}}$. Where ${\displaystyle [\cdot ]_{q}}$ denotes reduction into the range ${\displaystyle (-q/2,q/2]}$.

Correctness is easy to verify, whereas we refer to the paper for details upon security.

Key switching (Dimension reduction)

Recall that in the above scheme, the decryption equation for a ciphertext ${\displaystyle c}$ that encrypts a message ${\displaystyle m}$ under the secret key ${\displaystyle s}$ can be written as ${\displaystyle m=E.Dec(params,s,c)=[[L_{c}(s)]_{q}]_{2},}$ where ${\displaystyle L_{c}}$ is a linear operator which depends on ${\displaystyle c}$. To be precise, the latter is just the inner product ${\displaystyle L_{c}(s)=<c,s>}$ between two vectors in ${\displaystyle R_{q}^{2}}$.

To understand the key switching procedures, we have to (at least briefly) describe the following subroutines first:

• BitDecomp(${\displaystyle x\in R_{q}^{n},q}$): decomposes ${\displaystyle x}$ into its bit representation, namely ${\displaystyle x=\sum _{j=0}^{\lfloor \log q\rfloor }2^{j}u_{j},}$ where all of the ${\displaystyle u_{j}\in R_{2}^{n}}$. The procedure outputs the vector

${\displaystyle (u_{0},u_{1},\dots ,u_{\lfloor \log q\rfloor })\in R_{2}^{n\cdot \lceil \log q\rceil }}$

• Powersof2(${\displaystyle x\in R_{q}^{n},q}$): outputs the vector

${\displaystyle (x,2\cdot x,\dots ,2^{\lfloor \log q\rfloor }\cdot x)\in R_{q}^{n\cdot \lceil \log q\rceil }.}$

It is easy to see that for vectors ${\displaystyle c,s}$ of the same length ${\displaystyle n}$, we have:

${\displaystyle <BitDecomp(c,q),Powersof2(s,q)>=<c,s>{\pmod {q}}}$.

Now, key switching consists of two procedures:

• SwitchKeyGen(${\displaystyle s_{1}\in R_{q}^{n_{1}},s_{2}\in R_{q}^{n_{2}}}$):

• • Run ${\displaystyle A\leftarrow E.PublicKeyGen(s_{2},N)}$ for ${\displaystyle N=n_{1}\cdot \lceil \log q\rceil }$.

• • Set ${\displaystyle B\leftarrow A+Powersof2(s_{1})}$ (Add Powersof2(${\displaystyle s_{1}}$)), which is an element of ${\displaystyle R_{q}^{N}}$ to ${\displaystyle A}$'s first column. Output ${\displaystyle \tau _{s_{1}\to s_{2}}=B}$.

• SwitchKey(${\displaystyle \tau _{s_{1}\to s_{2}},c_{1}}$): Output ${\displaystyle c_{2}=BitDecomp(c_{1})^{T}\cdot B\in R_{q}^{n_{2}}}$.

Note that, in SwitchKeyGen, the matrix ${\displaystyle A}$ consists of encryptions of ${\displaystyle 0}$ under the key ${\displaystyle s_{2}}$. Then, pieces of the key ${\displaystyle s_{1}}$ are added to these encryptions of ${\displaystyle 0}$. Thus, in some sense, the matrix ${\displaystyle B}$ consists of encryptions of pieces of ${\displaystyle s_{1}}$ (in a certain format) under the key ${\displaystyle s_{2}}$.

The authors establish the following correctness result (See Lemma 3 in the paper):

${\displaystyle [[<c_{2},s_{2}>]_{q}]_{2}=[[<c_{1},s_{1}>]_{q}]_{2}}$

${\displaystyle c_{2}}$ is a valid encryption of ${\displaystyle m}$ under the key ${\displaystyle s_{2}}$, and one can see that the noise of ${\displaystyle c_{2}}$ is larger by a small additive factor.

Modulus switching

If ${\displaystyle c}$ is a valid encryption of ${\displaystyle m}$ under the key ${\displaystyle s}$, and ${\displaystyle s}$ is (what the authors call) a ``short vector" and ${\displaystyle c'}$ is a simple scaling of ${\displaystyle c}$, i.e. ${\displaystyle c'}$ is the ${\displaystyle R}$-vector closest to ${\displaystyle (p/q)\cdot c}$ under the additional constraint that

${\displaystyle c'=c{\pmod {2}}}$,

it turns out that (under some conditions) the vector ${\displaystyle c'}$ is a valid encryption of ${\displaystyle m}$, under the secret key ${\displaystyle s}$ using the modulus ${\displaystyle p}$.

In other words, under some conditions, one can change the modulus ${\displaystyle q}$ in the decryption equation to another (maybe smaller) modulus ${\displaystyle p}$, while preserving the correctness of decryption under the same secret key ${\displaystyle s}$.

For an integer vector ${\displaystyle x}$ and integers ${\displaystyle q>p>m}$, the authors define

${\displaystyle x'\leftarrow \mathrm {Scale} (x,q,p,r)}$

to be the ${\displaystyle R}$-vector closest to ${\displaystyle (p/q)\cdot x}$ which satisfies ${\displaystyle x'=x{\pmod {r}}.}$

For the details concerning the conditions on ${\displaystyle p,q}$ and the vector ${\displaystyle s}$ required for the preservation of decryption correctness, we refer to Lemma 4 and its Corollary 1 in [1].

The aforementioned results assert that assuming ${\displaystyle p}$ is smaller than ${\displaystyle q}$ and ${\displaystyle s}$ has coefficients that are small in relation to ${\displaystyle q}$ , this ``modulus swithcing" procedure permits the evaluator to reduce the magnitude of the noise without knowing the secret key. The evaluator only has to know a bound on ${\displaystyle \vert \vert s\vert \vert }$.

Leveled FHE

We will only present the version of the scheme which is based on Ring version of LWE (R-LWE) and we reffer to Section 3.4 in [1] for an analogous construction of a scheme based on the classical LWE.

In the scheme, the authors use a parameter ${\displaystyle L}$ indicating the number of levels of arithmetic circuit that the FHE scheme should be able of evaluating.

FHE without Bootstrapping:

• FHE.Setup(${\displaystyle 1^{\lambda },1^{L}}$): Takes as imput the security parameter and a number of levels ${\displaystyle L}$. Let ${\displaystyle \mu :=\mu (\lambda ,L)=\theta (\log {\lambda }+\log {L})}$ be a parameter (see the original paper [1] for details about its choice).

For ${\displaystyle j=L}$ to ${\displaystyle 0}$ (output level), run ${\displaystyle params_{j}\leftarrow E.Setup(1^{\lambda },1^{(j+1)\mu })}$ to obtain a ladder of decreasing moduli from ${\displaystyle q_{L}}$ - which has ${\displaystyle (L+1)\cdot \mu }$ bits - down to ${\displaystyle q_{0}=\mu }$ bits.

For ${\displaystyle j=L-1}$ to ${\displaystyle 0}$, replace the value of ${\displaystyle d_{j}}$ in ${\displaystyle params_{j}}$ with ${\displaystyle d=d_{L}}$ and the distribution ${\displaystyle \chi _{j}}$ with ${\displaystyle \chi _{L}}$. By this, one ensures that the ring dimension and the noise distribution do not depend on the circuit level, but the vector dimension ${\displaystyle n_{j}}$ might depend.

• FHE. KeyGen(${\displaystyle \{params_{j}:j={\overline {0,L}}\}}$ ): For ${\displaystyle j=L}$ down to ${\displaystyle 0}$, do the following:

1. Run ${\displaystyle s_{j}\leftarrow }$ E.SecretKeygen(${\displaystyle params_{j}}$) and ${\displaystyle A_{j}\leftarrow }$ E.PublicKeyGen(${\displaystyle params_{j},s_{j}}$).

2. Set ${\displaystyle s_{j}'\leftarrow s_{j}\otimes s_{j}}$, namely ${\displaystyle s_{j}}$ tensored with itself.

3. Set ${\displaystyle s_{j}''\leftarrow }$ BitDecomp(${\displaystyle (s_{j}',q_{j})}$).

4. Run ${\displaystyle \tau _{s_{j+1}''\to s_{j}}\leftarrow }$ SwitchKeyGen(${\displaystyle s_{j}'',s_{j-1}}$). Omit this step when ${\displaystyle j=L}$.

References