Difference between revisions of "GSW"

Revision as of 12:47, 4 June 2020

Around 2013, Gentry, Sahai and Waters ^[1] proposed a new way of building FHE schemes whose homomorphic multiplication algorithms are more natural than those presented in BFV or BGV. A distinguished feature of the scheme we are about to present is an asymmetric formula for the growth of the noise when multiplying two ciphertexts. Due to this feature, certain types of circuits have a very slow noise growth rate. Based on this asymmetry, Alperin-Sheriff and Peikert ^[2] found a very efficient bootstrapping technique for the GSW scheme.

More efficient FHE schemes based on ring variants of GSW have been proposed since then. These achieve very fast bootstrapping via various optimisation techniques, such as "refreshing the ciphertexts" after every single homomorphic operation. To our knowledge, among the schemes based on GSW (and not only), TFHE ^[3] holds the record for fastest bootstrapping. In the literature, the schemes based on the aformentioned work of Gentry, Sahai and Waters are commonly referred to as "third generation FHE". Their security is based on the so-called approximate eigenvector problem.

Overview of the GSW scheme

We follow the exposition in the paper "Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based" ^[1] by Gentry, Sahai and Waters.

The description of this scheme is strikingly simple. In GSW, homomorphic encryption based on LWE is achieved while the homomorphic addition and multiplications correspond to matrix addition and multiplication, respectively.

Let $q$ be a natural number, representing some modulus and $N$ a dimension parameter. A ciphertext is a matrix $C$ of dimension $N\times N$ with "small" entries from $\mathbb {Z} _{q}$ . A secret key ${\vec {v}}$ is a $N$ -dimensional vector over $\mathbb {Z} _{q}$ with one big coefficient $v_{i}$ . We can intuitively think of "small" as meaning much smaller (in order of magnitude) than $q$ and "big" meaning the same order of magnitude as $q$ . In fact, we will make use of the case when the entries of $C$ belong to $\{0,1\}$ . We also restrict the message $\mu$ to be a "small" integer.

$C$ encrypts $\mu$ under ${\vec {v}}$ if $C\cdot {\vec {v}}=\mu \cdot {\vec {v}}+{\vec {e}}$ , where ${\vec {e}}$ is a small error vector.

To decrypt, one first exacts the $i$ -th row $C_{i}$ of $C$ . Compute $x\leftarrow \langle C_{i},{\vec {v}}\rangle =\mu \cdot v_{i}+e_{i}$ . Now, as $v_{i}$ is large and $e_{i}$ small, we have

\mu =\lfloor x/v_{i}\rceil

References

↑ ^1.0 ^1.1 C. Gentry, A. Sahai, and B. Waters. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In CRYPTO 2013 (Springer). https://eprint.iacr.org/2013/340
↑ J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer). https://eprint.iacr.org/2014/094
↑ I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. TFHE: Fast Fully Homomorphic Encryptionover the Torus. In Journal of Cryptology, volume 33, pages 34–91 (2020). https://eprint.iacr.org/2018/421

[GSW-1] 1.0 ^1.1 C. Gentry, A. Sahai, and B. Waters. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In CRYPTO 2013 (Springer). https://eprint.iacr.org/2013/340

[2] J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer). https://eprint.iacr.org/2014/094

[3] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène. TFHE: Fast Fully Homomorphic Encryptionover the Torus. In Journal of Cryptology, volume 33, pages 34–91 (2020). https://eprint.iacr.org/2018/421

[1]

[2]

[3]

@@ Line 9: / Line 9: @@
 The description of this scheme is strikingly simple. In GSW, homomorphic encryption based on [[LWE]] is achieved while the homomorphic addition and multiplications correspond to matrix addition and multiplication, respectively.
+Let <math> q </math> be a natural number, representing some modulus and <math> N </math> a dimension parameter. A ciphertext is a matrix <math>  C </math> of dimension <math> N \times N </math> with "small" entries from <math> \mathbb Z_q </math>. A secret key <math> \vec{v} </math> is a <math> N</math>-dimensional vector over <math>\mathbb Z_q </math> with one big coefficient <math> v_i</math>. We can intuitively think of "small" as meaning much smaller (in order of magnitude) than <math> q</math> and "big" meaning the same order of magnitude as <math>q </math>. In fact, we will make use of the case when the entries of <math>C </math> belong to <math>\{0,1 \} </math>. We also restrict the message <math> \mu </math> to be a "small" integer.
+<math>C </math> encrypts <math>\mu </math> under <math> \vec{v}</math> if <math>C \cdot \vec{v} = \mu \cdot \vec{v} + \vec{e} </math>, where <math> \vec{e} </math> is a small error vector.
+To decrypt, one first exacts the <math>i</math>-th row <math>C_i</math> of <math>C</math>. Compute <math>x \leftarrow \langle C_i, \vec{v} \rangle = \mu \cdot v_i + e_i </math>. Now, as <math> v_i</math> is large and <math> e_i </math> small, we have
+<center> <math>  \mu = \lfloor x/v_i \rceil </math>  </center>
 == References ==

Difference between revisions of "GSW"

Revision as of 12:47, 4 June 2020

Overview of the GSW scheme

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools