Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff - PowerPoint PPT Presentation

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10

Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] 2 / 10

Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) 2 / 10

Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) ◮ Thus far, “bootstrapping” is required to achieve unbounded FHE. 2 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth and lattice approx factors = 3 / 10

Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth and lattice approx factors = ◮ Can we do better? 3 / 10

Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . 4 / 10

Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) 4 / 10

Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) depth d length 4 d 4 / 10

Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem 0 . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) 0 . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) 1 depth d length 4 d 4 / 10

Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem 0 . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) 0 . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) 1 length 4 d ≈ λ 6 depth d ≈ 3 log λ ✗ Problem: Barrington’s transformation is very inefficient. 4 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 2 Variant of [GSW’13] encryption scheme 5 / 10

Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 2 Variant of [GSW’13] encryption scheme ⋆ Very simple description and error analysis 5 / 10