This work describes a fast fully homomorphic encryption scheme over the torus (TFHE) that revisits, generalizes and improves the fully homomorphic encryption (FHE) based on GSW and its ring variants. The simplest FHE schemes consist in bootstrapped binary gates. In this gate bootstrapping mode, we show that the scheme FHEW of Ducas and Micciancio (Eurocrypt, 2015 ) can be expressed only in terms of external product between a GSW and an LWE ciphertext. As a consequence of this result and of other optimizations, we decrease the running time of their bootstrapping from 690 to 13 ms single core, using 16 MB bootstrapping key instead of 1 GB, and preserving the security parameter. In leveled homomorphic mode, we propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and to optimize the evaluation of lookup tables and arbitrary functions in $${\mathrm {RingGSW}}$$ RingGSW -based homomorphic schemes. We also extend the automata logic, introduced in Gama et al. (Eurocrypt, 2016 ), to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called $$\mathrm {TBSR}$$ TBSR , that supports all the elementary operations that occur in a multiplication. These improvements speed up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We finally present a new circuit bootstrapping that converts $$\mathsf {LWE}$$ LWE ciphertexts into low-noise $${\mathrm {RingGSW}}$$ RingGSW ciphertexts in just 137 ms, which makes the leveled mode of TFHE composable and which is fast enough to speed up arithmetic functions, compared to the gate bootstrapping approach. Finally, we provide an alternative practical analysis of LWE based schemes, which directly relates the security parameter to the error rate of LWE and the entropy of the LWE secret key, and we propose concrete parameter sets and timing comparison for all our constructions.

中文翻译：

---

TFHE：环面上的快速全同态加密

这项工作描述了一种快速的环面全同态加密方案 (TFHE)，它重新审视、概括和改进了基于 GSW 及其环变体的全同态加密 (FHE)。最简单的 FHE 方案包括自举二元门。在这种门自举模式中，我们表明 Ducas 和 Micciancio (Eurocrypt, 2015) 的方案 FHEW 只能用 GSW 和 LWE 密文之间的外部积来表示。由于这一结果和其他优化，我们将引导的运行时间从 690 毫秒单核减少到 13 毫秒，使用 16 MB 引导密钥而不是 1 GB，并保留安全参数。在分级同态模式下，我们提出了两种操作打包数据的方法，为了减少密文扩展并优化基于 $${\mathrm {RingGSW}}$$ RingGSW 的同态方案中的查找表和任意函数的评估。我们还扩展了 Gama 等人介绍的自动机逻辑。(Eurocrypt, 2016 )，对加权自动机进行高效的分级评估，并提出了一个名为 $$\mathrm {TBSR}$$ TBSR 的新同态计数器，它支持发生在乘法中的所有基本运算。这些改进在打包的水平模式下加速了大多数算术函数的评估，但噪声开销仍然是可加性的。我们最终提出了一个新的电路引导程序，可以在 137 毫秒内将 $$\mathsf {LWE}$$ LWE 密文转换为低噪声 $${\mathrm {RingGSW}}$$ RingGSW 密文，与门自举方法相比，这使得 TFHE 的水平模式可组合，并且足够快以加速算术函数。最后，我们提供了基于 LWE 的方案的替代实际分析，该方案将安全参数与 LWE 的错误率和 LWE 密钥的熵直接相关，并为我们的所有构造提出了具体的参数集和时序比较。