FHE over the Integers

From certFHE Community KB
Jump to navigation Jump to search

This is a fully homomorphic encryption relying only on modular arithmetic. The authors first create an somewhat homomorphic scheme which is bootstrappable and then apply Gentry's technique to construct a fully homomorphic scheme.

One of the main advantages of this scheme represents its conceptual simplicity. The security of the scheme is reduced to the approximate gcd problem over the integers, that is, given a list of integers that are near-multiples of an unknown integer d , find d .

The bootstrappable encryption scheme

Using a theorem of Gentry, the authors are able to construct a homomorphic encryption scheme that can handle circuits of any depth from a scheme that is capable of evaluating just a little more than its own decryption circuit.

Definition. Let be an encryption scheme where is implemented by a circuit that depends only on the security parameter. For a given value of the security parameter, the set of augmented decryption circuits consists of two circuits, both take as input a secret key and two ciphertexts. One circuit decrypts both ciphertexts and adds the resulting plaintext bits modulo , the other decrypts both ciphertexts and multiplies the resulting plaintext bits modulo . The authors denote this set by .

A homomorphic encyption scheme is called bootstrappable if for every value of the security parameter, the scheme can handle all the circuits in .

Given such a scheme and a paramater , there is an efficient transformation that outputs the description of another encryption scheme which is compact, has the same circuit as , and is homomorphic for all circuits of depth up to .


If we assume that the initial bootstrappable scheme is circular secure then it can be converted into a single compact fully-homomorphic encryption scheme .


The construction of the scheme

The construction has many parameters controlling the number of integers in the public key and the bit-length of various integers. We choose omit most of them in this presentation, but we refer the interested reader to M. van Dijk et al. for their precise description.

: The secret key is an odd bit integer. For the public key , integers are sampled uniformly from a given set of near-multiples of . As previously mentioned, finding the secret key would require force an attacker to give a resolution for an approximate gcd problem in the integers. The latter is known to be very difficult.

: Choose a random subset and a random integer in a specified range, and output .

: Given the (binary) circuit with inputs and ciphertexts , apply the integer addition and multiplication gates of to the ciphertexts, performing all the operations over the integers and output the result, an integer.

: Output ( mod ) mod 2.

Remark. The encryption can be viewed as adding the underlying message to a random subset sum of encryptions of zero. Indeed, notice that each and also is essentially an encryption of zero; its noise is even. Moreover, for some integer .

The proposers of the scheme prove that can handle circuits if these can be represented by multivariate polynomials with degree smaller than some given, explicit bound.

Ciphertext compression

The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts at of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications.

To solve this problem, the authors propose a compression of these ciphertexts down to the size of an RSA modulus. This reduces the communication complexity of the scheme dramatically.

The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed.