GSW - Bootstrapping

Gentry's bootstrapping theorem ^[1] allows for converting a “somewhat homomorphic” encryption scheme (which supports only a bounded number of homomorphic operations) into a fully homomorphic encryption one (which has no such bound). The bounded nature of all known somewhat homomorphic schemes cannot be avoided due to “error” terms in their ciphertexts, which are necessary for security. The error grows as a result of performing homomorphic operations, and if it grows too large, the ciphertext will no longer decrypt correctly.

Bootstrapping the error of a ciphertext so that it can support more homomorphic operations, by homomorphically evaluating the decryption function on the ciphertext. The result is a ciphertext that still encrypts the original encrypted message. If the error coming from the homomorphic evaluation is smaller than the error in the original ciphertext, we say that the ciphertext is “refreshed”. To date, bootstrapping is the only known way of obtaining an unbounded FHE scheme, i.e., one that can homomorphically evaluate any efficient function using keys and ciphertexts of a fixed size.

Here we present an efficient bootstrapping method for a variant of the GSW scheme, as presented in the paper of Alperin-Sheriff and Peikert ^[2].

Recall that in GSW, a ciphertext is a square binary matrix ${\displaystyle C}$, a secret key is a "structured" mod ${\displaystyle q}$ vector ${\displaystyle s}$, and ${\displaystyle s}$ is an "approximate mod ${\displaystyle q}$ eigenvector" of ${\displaystyle C}$, in the sense that ${\displaystyle s^{t}C\approx \mu \cdot s^{t}}$, where ${\displaystyle \mu \in \mathbb {Z} }$ is the message.

In this new variant, a ciphertext is a rectangular mod ${\displaystyle q}$ matrix ${\displaystyle C}$, a secret key is some (unstructured, short) integer vector ${\displaystyle s\in \mathbb {Z} ^{n}}$ and ${\displaystyle s^{t}C\approx \mu \cdot s^{t}G}$ (mod ${\displaystyle q}$), i.e. ${\displaystyle s}$ amd ${\displaystyle G^{t}s}$ are corresponding left- and right- "approximate singular vectors" of ${\displaystyle C}$.

A "simpler" variant of the GSW cryptosystem

The authors present a variant of the GSW scheme which permits a tighter analysis of its error growth under homomorphic operations.

Given a modulus ${\displaystyle q}$, let us denote by ${\displaystyle l=\lceil \log _{2}(q)\rceil }$ and define the "gadget" (we will think of it as column) vector

${\displaystyle {\mathfrak {g}}=(1,2,4,\dots ,2^{l-1})\in \mathbb {Z} _{q}^{l}.}$

Remark that ${\displaystyle 2^{l-2}\in [q/4,q/2){\pmod {q}}}$, according to our choice of ${\displaystyle l}$.

A randomized decomposition function. There is a randomized, efficiently computable function ${\displaystyle {\mathfrak {g}}^{-1}:\mathbb {Z} _{q}\to \mathbb {Z} ^{l}}$ such that ${\displaystyle x\leftarrow {\mathfrak {g}}^{-1}(a)}$ is "subgaussian" with parameter ${\displaystyle O(1)}$, and always satisfies ${\displaystyle \langle g,x\rangle =a}$. ^[3]

In particular ${\displaystyle x}$ is randomized and has low entries with very large probability.

For vectors and matrices over ${\displaystyle \mathbb {Z} _{q}}$, define the randomized function ${\displaystyle G^{-1}:\mathbb {Z} _{q}^{n\times m}\to \mathbb {Z} ^{nl\times m}}$ by applying ${\displaystyle {\mathfrak {g}}}$ independently to each entry. Notice that for any ${\displaystyle A\in \mathbb {Z} _{q}^{n\times m}}$, if ${\displaystyle X\leftarrow G^{-1}(A)}$, then ${\displaystyle X}$ has small entries (is "subgaussian") and

${\displaystyle G\cdot X=A}$, where ${\displaystyle G={\mathfrak {g}}^{t}\otimes I_{n}=\mathrm {diag} ({\mathfrak {g}}^{t},\dots ,{\mathfrak {g}}^{t})\in \mathbb {Z} _{q}^{n\times nl},}$

is the block matrix with ${\displaystyle n}$ copies of ${\displaystyle {\mathfrak {g}}^{t}}$ as diagonal blocks, and zeros elsewhere.

This version of the GSW scheme has as parameters a dimension ${\displaystyle n}$, a modulus ${\displaystyle q}$ and ${\displaystyle l=\lceil \log _{2}(q)\rceil }$, as defined above. For bootstrapping, we only work with ciphertexts encrypting messages in ${\displaystyle \{0,1\}\subseteq \mathbb {Z} }$. The ciphertext space is ${\displaystyle {\mathcal {C}}=\mathbb {Z} _{q}^{n\times nl}}$. For simplicity, we present just a symmetric-key scheme, which can be converted to a public key setting, similar to the one described in GSW.

A substantial difference between the original GSW scheme and this variant is the following: the homomorphic multiplication procedure in the current variant uses the randomized ${\displaystyle G^{-1}(\cdot )}$ operation presented above. This gives important advantages, such as very simple error analysis (using the subgaussianity property) and the ability to completely re-randomize the error in a ciphertext.

The algorithms of the scheme are as follows

• GSW.Gen(): choose ${\displaystyle {\overline {s}}\leftarrow \chi ^{n-1}}$ and output the secret key ${\displaystyle s=({\overline {s}},1)\in \mathbb {Z} ^{n}}$.

• GSW.Enc(${\displaystyle ({\overline {s}},1),\mu \in \mathbb {Z} }$): choose ${\displaystyle {\overline {C}}\leftarrow Z_{q}^{(n-1)\times nl}}$ uniformly and ${\displaystyle e\leftarrow \chi ^{nl}}$, let ${\displaystyle b^{t}=e^{t}-{\overline {s}}^{t}{\overline {C}}}$ mod ${\displaystyle q}$, and output the ciphertext

${\displaystyle C=\left({\begin{array}{c}{\overline {C}}\\b^{t}\end{array}}\right)+\mu G\in {\mathcal {C}},}$

where ${\displaystyle G=\mathrm {diag} ({\mathfrak {g}}^{t},\dots ,{\mathfrak {g}}^{t})\in \mathbb {Z} _{q}^{n\times nl}}$.

• GSW.Dec(${\displaystyle s,C\in {\mathcal {C}}}$): let ${\displaystyle c}$ be the penultimate column of ${\displaystyle C}$. Output ${\displaystyle \mu =\lfloor \langle s,c\rangle \rceil _{2}}$, where ${\displaystyle \lfloor \cdot \rfloor _{2}:\mathbb {Z} _{q}\to \{0,1\}}$ indicates whether its argument is closer modulo ${\displaystyle q}$ to ${\displaystyle 0}$ or to ${\displaystyle 2^{l-2}}$, the penultimate entry of ${\displaystyle {\mathfrak {g}}}$.

• GSW.Add(${\displaystyle C_{1},C_{2}}$): Output ${\displaystyle C_{1}+C_{2}}$.

• GSW.Multiply(${\displaystyle C_{1},C_{2}}$ ): Output ${\displaystyle C_{1}\cdot G^{-1}(C_{2})}$. This operation is a ramdomized one, as ${\displaystyle G^{-1}}$ is randomized. The multiplication is also right-associative.

The authors remark that a fresh ciphertext is just ${\displaystyle \mu G}$ plus a matrix which contains ${\displaystyle nl}$ independent LWE samples under the secret ${\displaystyle {\overline {s}}}$ which are pseudorandom if one assumes the hardness of ${\displaystyle LWE_{n-1},q,\chi }$.

Correctness and homomorphic operations

A ciphertext ${\displaystyle C}$ is said to be designed to encrypt a message ${\displaystyle \mu \in \mathbb {Z} }$ (under a secret key ${\displaystyle s}$) if it is a fresh encryption of ${\displaystyle \mu }$, or if ${\displaystyle C}$ is the sum (or the product) of two ciphertexts that are designed to encrypt ${\displaystyle \mu _{1},\mu _{2}\in \mathbb {Z} }$ and ${\displaystyle \mu =\mu _{1}+\mu _{2}}$.

The error vector of a ciphertext ${\displaystyle C}$ designed to encrypt a message ${\displaystyle \mu }$ under the key ${\displaystyle s}$ is ${\displaystyle e^{t}=s^{t}C-\mu \cdot s^{t}G}$ (mod ${\displaystyle q}$).

Notice that the matrix ${\displaystyle \mu G}$ is designed to encrypt ${\displaystyle \mu }$ and has error ${\displaystyle 0}$.

Claim. If ${\displaystyle C}$ is designed to encrypt some ${\displaystyle \mu \in \{0,1\}\subset \mathbb {Z} }$ and has error vector ${\displaystyle e^{t}}$ whose penultimate coordinate has magnitude less than ${\displaystyle q/8}$, then GSW.Dec(${\displaystyle s,C}$) correctly outputs ${\displaystyle \mu }$.

This follows from the fact that ${\displaystyle s=({\overline {s}},1)}$ and the penultimate column of ${\displaystyle G}$ is ${\displaystyle (0,\dots ,0,2^{l-2})}$, where ${\displaystyle 2^{l-2}\in [q/4,q/2)}$ mod ${\displaystyle q}$.

Let ${\displaystyle C_{1},C_{2}}$ be ciphertexts designed to encrypt ${\displaystyle \mu _{1},\mu _{2}\in \mathbb {Z} }$ and have error vectors ${\displaystyle e_{1}^{t},e_{2}^{t}}$. Then, their homomorphic sum has error vector ${\displaystyle e_{1}^{t}+e_{2}^{t}}$. Moreover, if ${\displaystyle C_{1}\boxdot C_{2}}$ is the homomorphic product of these ciphertexts, then for ${\displaystyle X\leftarrow G^{-1}(C_{2})}$ (subgaussian), we have the following

${\displaystyle s^{t}(C_{1}\boxdot C_{2})=s^{t}C_{1}\cdot X=(e_{1}^{t}+\mu _{1}\cdot s^{t}G)X}$,

which as ${\displaystyle G\cdot X=C_{2}}$ is further equal to

${\displaystyle s^{t}(C_{1}\boxdot C_{2})=e_{1}^{t}X+\mu _{1}(e_{2}^{t}+\mu _{2}\cdot s^{t}G)=(e_{1}^{t}X+\mu _{1}e_{2}^{t})+\mu _{1}\mu _{2}\cdot s^{t}G.}$

It is important to remember that the error upon multiplication is quasi-additive and asymmetric with respect to the errors ${\displaystyle e_{1}^{t},e_{2}^{t}}$. The first error is multiplied by a subgaussian matrix ${\displaystyle X}$, the second error vector ${\displaystyle e_{2}^{t}}$ is only multiplied by the message ${\displaystyle \mu _{1}}$, which the authors make sure they always keep in ${\displaystyle \{0,1\}}$.

Homomorphic product of multiple ciphertexts. Suppose that ${\displaystyle C_{i},i\in [k]}$ are designed to encrypt ${\displaystyle \mu _{i}\in \{0,1\}}$ and have error vectors ${\displaystyle e_{i}^{t}}$. Then for any fixed values of these variables, the matrix

${\displaystyle C\leftarrow C_{1}\boxdot \left(C_{2}\boxdot (\dots C_{k}\boxdot G)\dots )\right)}$

has an error vector whose entries are mutually independent and subgaussian with parameter ${\displaystyle O(||e||)}$, where ${\displaystyle e^{t}=(e_{1}^{t},\dots ,e_{k}^{t})\in \mathbb {Z} ^{knl}}$ is the concatenation of the individual error vectors.

Homomorphic encryption for Symmetric Groups

We describe HEPerm a homomorphic encryption scheme for symmetric groups. Let ${\displaystyle {\mathcal {C}}}$ be the ciphertext space for the GSW scheme. The main procedures of HEPerm are as follows:

• HEPerm.Enc(${\displaystyle sk,\pi \in S_{r}}$): let ${\displaystyle P=(p_{i,j})\in \{0,1\}^{r\times r}}$ be the permutation matrix associated with ${\displaystyle \pi \in S_{r}}$. Output the following ciphertext space

${\displaystyle C=(c_{i,j})\in {\mathcal {C}}^{r\times r},}$, where ${\displaystyle c_{i,j}\leftarrow GSW.Enc(sk,p_{i,j}).}$

This is an entry-wise encryption of ${\displaystyle P}$. Decryption is obvious. A ciphertext ${\displaystyle C\in {\mathcal {C}}^{r\times r}}$ is said to be "designed" to encrypt a permutation ${\displaystyle pi\in S_{r}}$, if its ${\displaystyle C}$-entries are designed to encrypt the corresponding entries of ${\displaystyle P_{\pi }}$.

${\displaystyle J\in {\mathcal {C}}^{r\times r}}$ will denote the encryption of the identity permutation, where each entry is encrypted with zero noise.

• Homomorphic composition: ${\displaystyle C^{\pi }\circ C^{\sigma }}$ will be computed in the obvious way. Namely, the entries of the output ${\displaystyle C^{\pi }\circ C^{\sigma }=(c_{i,j})\in {\mathcal {C}}^{r\times r}}$ where

${\displaystyle c_{i,j}\leftarrow \sum \limits _{l\in [r]}(c_{i,l}^{\pi }\boxdot c_{l,j}^{\sigma })\in {\mathcal {C}}.}$

Like the multiplication ${\displaystyle \boxdot }$ for ciphertexts in the GSW, the composition ${\displaystyle \circ }$ is right associative.

• Homomorphic equality test Eq?(${\displaystyle C^{\pi }=(c_{i,j}^{\pi },\sigma \in S_{r})}$): Given a ciphertext encrypting some permutation ${\displaystyle \pi \in S_{r}}$ and a permutation ${\displaystyle \sigma \in S_{r}}$ (in the clear), output a ciphertext ${\displaystyle c\in {\mathcal {C}}}$ encrypting ${\displaystyle 1}$ if ${\displaystyle \pi =\sigma }$ and ${\displaystyle 0}$ otherwise, i.e. output

${\displaystyle c\leftarrow \prod \limits _{i\in [r]}c_{\sigma (i),i}^{\pi }\boxdot g}$ ,

where ${\displaystyle g\in {\mathcal {C}}}$ is the fixed zero-error encryption of ${\displaystyle 1}$.

Remark the for the two operations above, the GSW ciphertext(s) that appear in the output are always designed to encrypt ${\displaystyle \{0,1\}}$ messages.

To analyse the noise resulting in these operations, let is recall that the GSW scheme is parameterized by ${\displaystyle n,q}$. Denote the space of error vectors by ${\displaystyle {\mathcal {E}}=\mathbb {Z} ^{m}}$, where ${\displaystyle m=n\lceil \log _{2}(q)\rceil }$. The Euclidean norm on ${\displaystyle {\mathcal {E}}^{r}=\mathbb {Z} ^{mr}}$ is defined in the ovious way. In the following analysis, we will often consider vectors and matrices over ${\displaystyle {\mathcal {E}}}$, i.e. in which the entries are vectors from ${\displaystyle {\mathcal {E}}}$.

Claim. (Lemma 4.1 in the first reference) The error matrix in ${\displaystyle C^{\pi }\circ C^{\sigma }}$ is ${\displaystyle E+P^{\pi }\cdot E^{\sigma }}$, where ${\displaystyle P^{\pi }}$ is the matrix encoding ${\displaystyle \pi }$ (in the clear), ${\displaystyle E^{\sigma }\in {\mathcal {E}}^{r\times r}}$ is the error of ${\displaystyle C^{\sigma }}$ and the ${\displaystyle \mathbb {Z} }$-entries of the matrix ${\displaystyle E}$ are mutually independent, and those in its ${\displaystyle i}$-th row are subgaussian with parameter ${\displaystyle O(||e_{i}^{\pi }||)}$, where ${\displaystyle e_{i}^{\pi }}$ is the ${\displaystyle i}$-th row of ${\displaystyle E^{\pi }}$.

Similarly to a multiplication chain of GSW ciphertexts, one can perform a (right-associative) chain of compositions while incurring only small error growth. For conveniece of analysis, we always include the fixed zero-error ciphertext ${\displaystyle J\in {\mathcal {C}}^{r\times r}}$ as the rightmost ciphertext in the chain.

Claim. (Corollary 4.2 in the first reference) Suppose that ${\displaystyle C_{i}}$ are designed to encrypt permutation matrices ${\displaystyle P_{i}\in \{0,1\}^{r\times r}}$ and have error matrices ${\displaystyle E_{i}\in {\mathcal {E}}^{r\times r}}$. Then for any fixed values of these variables,

${\displaystyle C\leftarrow C_{1}\circ (C_{2}\circ (\dots (C_{k}\circ J)\dots ))}$

has an error matrix whose ${\displaystyle \mathbb {Z} }$-entries are mutually independent, and those in its ${\displaystyle i}$-th row are subgaussian with parameter ${\displaystyle O(||e_{i}||)}$, where ${\displaystyle e_{i}^{t}\in {\mathcal {E}}^{kr}}$ is the ${\displaystyle i}$-th row of the concatenated matrices ${\displaystyle [E_{1}|\dots |E_{k}]}$.

Bootstrapping

We have to instantiate the GSW and HEPerm with parameters ${\displaystyle n,Q,\chi }$. Importantly, the ciphertext modulus ${\displaystyle Q}$ is not the modulus ${\displaystyle q}$ of the scheme to be bootstrapped, but rather some modulus ${\displaystyle Q>>q}$. Let ${\displaystyle {\mathcal {C}}}$ be the ciphertext of the GSW scheme.

Let ${\displaystyle q}$ be of the form ${\displaystyle q=\prod _{i\in [t]}r_{i}}$, where ${\displaystyle r_{i}}$ are small powers of distinct primes. One can choose ${\displaystyle q={\tilde {O}}(\lambda )}$ to be large enough by letting it be the product of all maximal prime-powers ${\displaystyle r_{i}}$ that are bounded by ${\displaystyle O(\log(\lambda ))}$, of which there are ${\displaystyle t=O(\log(\lambda )/log(\log(\lambda )))}$. Let ${\displaystyle \phi }$ be the group embedding of ${\displaystyle \mathbb {Z} _{q}}$ into ${\displaystyle S=S_{r_{1}}\times S_{r_{t}}}$, and let ${\displaystyle \phi _{i}}$ denote the ${\displaystyle i}$-th component of this embedding, i.e. the one from ${\displaystyle \mathbb {Z} _{q}}$ into ${\displaystyle S_{r_{i}}}$.

• BootGen(${\displaystyle s\in \mathbb {Z} _{q}^{d},sk}$): Given secret key ${\displaystyle s\in \mathbb {Z} _{q}^{d}}$ for the scheme GSW and a secret key ${\displaystyle sk}$ for HEPerm, embed each coordinate ${\displaystyle s_{j}\in \mathbb {Z} _{q}}$ of ${\displaystyle s}$ as ${\displaystyle \phi (s_{j})\in S}$ and encrypt the components under HEPerm. That is, generate and output the bootstrapping key

${\displaystyle bk=\{C_{i,j}\leftarrow HEPerm.Enc(sk,\phi _{i}(s_{j})):i\in [t],j\in [d]\}}$.

Recalling that we are working with embeddings of ${\displaystyle \mathbb {Z} _{r_{i}}}$, each ${\displaystyle C_{i,j}\in {\mathcal {C}}^{r_{i}}}$ can be represented as a tuple of ${\displaystyle r_{i}}$ GSW ciphertexts encrypting an indicator vector. Since ${\displaystyle t,r_{i}=O(\log \lambda )}$ and ${\displaystyle d={\tilde {O}}(\lambda )}$, the bootstrapping key has ${\displaystyle {\tilde {O}}(\lambda )}$ ciphertexts.

• Bootstrap(${\displaystyle bk,c\in \{0,1\}^{d}}$): given a binary ciphertext ${\displaystyle c\in \{0,1\}^{d}}$, do the following:

First, homomorphically compute an encryption of ${\displaystyle v=\langle s,c\rangle =\sum _{j:c_{j}=1}s_{j}\in \mathbb {Z} _{q}}$ using the encryptions of the ${\displaystyle s_{j}\in \mathbb {Z} _{q}}$ as embedded into the permutation group ${\displaystyle S}$. Additions above are replaced using a chain of compositions.

Then, one has to round. Homomorphically map ${\displaystyle v\in \mathbb {Z} _{q}}$ to ${\displaystyle \{0,1\}}$, in the following way. For each ${\displaystyle x\in \mathbb {Z} _{q}}$ such that ${\displaystyle f(x)=1}$, homomorphically tests whether ${\displaystyle v=x}$ by evaluating the homomorphic product of the resulting ciphertexts from all the equality tests ${\displaystyle v=x}$ mod ${\displaystyle r_{i}}$. Then homomorphically sum the results of all the ${\displaystyle v=x}$ tests.

Bootstrapping performs ${\displaystyle {\tilde {O}}(\lambda )}$ homomorphic multiplications and additions on GSW ciphertexts.

We refer to the paper of Alperin-Sheriff and Peikert [2] for a detailed analysis of the security and correctness.

References