Difference between revisions of "GSW"

Around 2013, Gentry, Sahai and Waters ^[1] proposed a new way of building FHE schemes whose homomorphic multiplication algorithms are more natural than those presented in BFV or BGV. A distinguished feature of the scheme we are about to present is an asymmetric formula for the growth of the noise when multiplying two ciphertexts. Due to this feature, certain types of circuits have a very slow noise growth rate. Based on this asymmetry, Alperin-Sheriff and Peikert ^[2] found a very efficient bootstrapping technique for the GSW scheme.

More efficient FHE schemes based on ring variants of GSW have been proposed since then. These achieve very fast bootstrapping via various optimisation techniques, such as "refreshing the ciphertexts" after every single homomorphic operation. To our knowledge, among the schemes based on GSW (and not only), TFHE ^[3] holds the record for fastest bootstrapping. In the literature, the schemes based on the aformentioned work of Gentry, Sahai and Waters are commonly referred to as "third generation FHE". Their security is based on the so-called approximate eigenvector problem.

Overview of the GSW scheme

We follow the exposition in the paper "Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based" ^[1] by Gentry, Sahai and Waters.

The description of this scheme is strikingly simple. In GSW, homomorphic encryption based on LWE is achieved while the homomorphic addition and multiplications correspond to matrix addition and multiplication, respectively.

Let ${\displaystyle q}$ be a natural number, representing some modulus and ${\displaystyle N}$ a dimension parameter. A ciphertext is a matrix ${\displaystyle C}$ of dimension ${\displaystyle N\times N}$ with "small" entries from ${\displaystyle \mathbb {Z} _{q}}$. A secret key ${\displaystyle {\vec {v}}}$ is a ${\displaystyle N}$-dimensional vector over ${\displaystyle \mathbb {Z} _{q}}$ with one big coefficient ${\displaystyle v_{i}}$. We can intuitively think of "small" as meaning much smaller (in order of magnitude) than ${\displaystyle q}$ and "big" meaning the same order of magnitude as ${\displaystyle q}$. In fact, we will make use of the case when the entries of ${\displaystyle C}$ belong to ${\displaystyle \{0,1\}}$. We also restrict the message ${\displaystyle \mu }$ to be a "small" integer.

${\displaystyle C}$ encrypts ${\displaystyle \mu }$ under ${\displaystyle {\vec {v}}}$ if ${\displaystyle C\cdot {\vec {v}}=\mu \cdot {\vec {v}}+{\vec {e}}}$, where ${\displaystyle {\vec {e}}}$ is a small error vector.

To decrypt, one first exacts the ${\displaystyle i}$-th row ${\displaystyle C_{i}}$ of ${\displaystyle C}$. Compute ${\displaystyle x\leftarrow \langle C_{i},{\vec {v}}\rangle =\mu \cdot v_{i}+e_{i}}$. Now, as ${\displaystyle v_{i}}$ is large and ${\displaystyle e_{i}}$ small, we have

${\displaystyle \mu =\lfloor x/v_{i}\rceil }$.

Basically, ${\displaystyle {\vec {v}}}$ is almost an eigenvector for ${\displaystyle C}$ corresponding to the eigenvalue ${\displaystyle \mu }$. This is commonly referred to being an approximate eigenvector.

Observe that if ${\displaystyle C_{1}}$ and ${\displaystyle C_{2}}$ encrypt ${\displaystyle \mu _{1}}$ and ${\displaystyle \mu _{2}}$ respectively under the same key vector ${\displaystyle v}$, then

${\displaystyle (C_{1}+C_{2})\cdot {\vec {v}}=(\mu _{1}+\mu _{2})\cdot {\vec {v}}+{\vec {e_{1}}}+{\vec {e_{2}}}}$,

where ${\displaystyle {\vec {e_{i}}}}$ represents the error vector of ${\displaystyle C_{i}}$, for ${\displaystyle i\in \{1,2\}}$ . As long as the sum ${\displaystyle {\vec {e_{1}}}+{\vec {e_{2}}}}$ is small, the sum matrix ${\displaystyle C_{1}+C_{2}}$ is an encryption of ${\displaystyle \mu _{1}+\mu _{2}}$.

Looking at the equality

${\displaystyle (C_{1}\cdot C_{2})\cdot {\vec {v}}=C_{1}\cdot (\mu _{2}\cdot {\vec {v}}+{\vec {e_{2}}})=\mu _{1}\mu _{2}\cdot {\vec {v}}+\mu _{2}\cdot {\vec {e_{1}}}+C_{1}\cdot {\vec {e_{2}}}}$

,

we observe that ${\displaystyle C_{1}\cdot C_{2}}$ is an encryption of the product ${\displaystyle \mu _{1}\mu _{2}}$, which can be decrypted correctly if the ${\displaystyle i}$-th component of the vector ${\displaystyle \mu _{2}\cdot {\vec {e_{1}}}+C_{1}\cdot {\vec {e_{2}}}}$ is smaller than ${\displaystyle v_{i}}$.

Remark that ${\displaystyle C_{2}\cdot C_{1}}$ is also an encryption of ${\displaystyle \mu _{1}\mu _{2}}$, even though matrix multiplication is not commutative. The essence of the previously anticipated asymmetry is captured by the fact that the noises of ${\displaystyle C_{1}\cdot C_{2}}$ and ${\displaystyle C_{2}\cdot C_{1}}$ are very different.

Flattening ciphertexts and keeping the noise small

We can decrypt homomorphically evaluated ciphertext ${\displaystyle C}$ as long as the ${\displaystyle i}$-th component of the error vector ${\displaystyle {\vec {e}}}$ is small enough. As we saw in the overview section, the noise might grow quickly with each multiplication. To mitigate this and to perform homomorphically evaluations of deep circuits (in the sense of multiplication depth), observing that the noise growth depends of the size of the coefficients of the ciphertexts, the size of the messages and the fresh error size (in an asymmetric way), we can try to restrict the message space and the entries of the ciphertexts to ${\displaystyle \{0,1\}}$. We also impose a bound ${\displaystyle B}$ on the error side.

Such ciphertexts will be further called ${\displaystyle B}$-strongly bounded, to keep the terminology of ^[1].

References