
TFHE: Fast Fully Homomorphic Encryption Over the Torus

Journal of Cryptology

Abstract

This work describes a fast fully homomorphic encryption scheme over the torus (TFHE) that revisits, generalizes and improves the fully homomorphic encryption (FHE) based on GSW and its ring variants. The simplest FHE schemes consist of bootstrapped binary gates. In this gate bootstrapping mode, we show that the scheme FHEW of Ducas and Micciancio (Eurocrypt, 2015) can be expressed only in terms of an external product between a GSW and an LWE ciphertext. As a consequence of this result and of other optimizations, we decrease the running time of their bootstrapping from 690 to 13 ms on a single core, using a 16 MB bootstrapping key instead of 1 GB, while preserving the security parameter. In leveled homomorphic mode, we propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and to optimize the evaluation of lookup tables and arbitrary functions in \({\mathrm {RingGSW}}\)-based homomorphic schemes. We also extend the automata logic, introduced in Gama et al. (Eurocrypt, 2016), to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called \(\mathrm {TBSR}\), which supports all the elementary operations that occur in a multiplication. These improvements speed up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We then present a new circuit bootstrapping that converts \(\mathsf {LWE}\) ciphertexts into low-noise \({\mathrm {RingGSW}}\) ciphertexts in just 137 ms, which makes the leveled mode of TFHE composable and which is fast enough to speed up arithmetic functions compared to the gate bootstrapping approach. Finally, we provide an alternative practical analysis of LWE-based schemes, which directly relates the security parameter to the error rate of LWE and the entropy of the LWE secret key, and we propose concrete parameter sets and timing comparisons for all our constructions.
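The gate bootstrapping mode summarized above works on TLWE samples over the torus with a binary secret key: each binary gate is first evaluated as a linear combination of ciphertexts, and the result is then bootstrapped to refresh its noise. The Python below is an added illustration of that linear step for a NAND gate; it is not the paper's or the tfhe library's code. It represents the torus \(\mathbb {T}=\mathbb {R}/\mathbb {Z}\) as 32-bit integers (\(t\) stands for \(t/2^{32}\)), encodes bits at \(\pm 1/8\), and checks the decrypted truth table and the accumulated noise. The dimension n, the noise parameter alpha and the seed are assumptions chosen for the demo; the bootstrapping step that would follow is not included.

```python
"""Toy TLWE over the discretised torus, illustrating the linear part of a
TFHE gate.  Added example, not the paper's or the tfhe library's code.
n, alpha and the seed below are demo assumptions, not the paper's parameters."""
from __future__ import annotations

import random

MOD = 1 << 32  # Torus32: integer t represents the torus element t / 2^32


def to_torus32(x: float) -> int:
    """Real x (taken mod 1) -> Torus32 element in [0, 2^32)."""
    return int(round(x * MOD)) % MOD


def from_torus32(t: int) -> float:
    """Torus32 element -> real representative in [-1/2, 1/2)."""
    t %= MOD
    return (t - MOD if t >= MOD // 2 else t) / MOD


def keygen(n: int, rng: random.Random) -> list[int]:
    """Binary secret key s in {0,1}^n, as TLWE uses (cf. footnote 4)."""
    return [rng.getrandbits(1) for _ in range(n)]


def encrypt(mu: float, key: list[int], alpha: float, rng: random.Random):
    """TLWE sample (a, b) with b = <a, s> + mu + e, e Gaussian of stdev alpha."""
    a = [rng.getrandbits(32) for _ in key]
    e = to_torus32(rng.gauss(0.0, alpha))
    b = (sum(ai * si for ai, si in zip(a, key)) + to_torus32(mu) + e) % MOD
    return a, b


def phase(c, key: list[int]) -> int:
    """phi_s(a, b) = b - <a, s>, which equals mu + e on the torus."""
    a, b = c
    return (b - sum(ai * si for ai, si in zip(a, key))) % MOD


def trivial(mu: float, n: int):
    """Noiseless encryption (0, mu) of a public constant."""
    return [0] * n, to_torus32(mu)


def sub(c1, c2):
    """Homomorphic subtraction; the noise variances of the inputs add up."""
    a1, b1 = c1
    a2, b2 = c2
    return [(x - y) % MOD for x, y in zip(a1, a2)], (b1 - b2) % MOD


def encode_bit(bit: int) -> float:
    """Gate encoding used by TFHE's bootstrapped gates: 0 -> -1/8, 1 -> +1/8."""
    return 1 / 8 if bit else -1 / 8


def decrypt_bit(c, key: list[int]) -> int:
    """Sign test on the phase: positive representative means bit 1."""
    return 1 if from_torus32(phase(c, key)) > 0 else 0


def nand_linear(c1, c2):
    """Linear part of the bootstrapped NAND: (0, 1/8) - c1 - c2.
    Resulting phase: 1/8 (one input is 0), 3/8 (both 0), -1/8 (both 1)."""
    n = len(c1[0])
    return sub(sub(trivial(1 / 8, n), c1), c2)


def nand_noise(c, key: list[int], x: int, y: int) -> float:
    """Signed distance between the actual phase and the exact NAND phase."""
    expected = 1 / 8 - encode_bit(x) - encode_bit(y)
    return from_torus32(phase(c, key) - to_torus32(expected))


def nand_truth_table(n: int = 500, alpha: float = 2 ** -15, seed: int = 7):
    """Encrypt every input pair, apply nand_linear, decrypt.
    Returns (decrypted bits for (0,0),(0,1),(1,0),(1,1), worst |noise|)."""
    rng = random.Random(seed)
    key = keygen(n, rng)
    bits, worst = [], 0.0
    for x in (0, 1):
        for y in (0, 1):
            c = nand_linear(encrypt(encode_bit(x), key, alpha, rng),
                            encrypt(encode_bit(y), key, alpha, rng))
            bits.append(decrypt_bit(c, key))
            worst = max(worst, abs(nand_noise(c, key, x, y)))
    return bits, worst


if __name__ == "__main__":
    table, worst = nand_truth_table()
    print("NAND truth table:", table, "worst |noise|:", worst)
```

The sign test decrypts correctly as long as the accumulated noise stays below 1/8 in absolute value, since the three possible output phases are 1/8, 3/8 and -1/8. Each further gate evaluated this way adds the noise variances of its inputs, which is what the bootstrapping step (omitted here) resets before the noise reaches that bound.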


Figs. 1–11: figure images are not included in this extraction.


Notes

  1. For the first two distributions, it is tight, but the uniform distribution over \([-\,\sqrt{3}\sigma ,\sqrt{3}\sigma ]\) is even \(0.78\sigma \)-sub-Gaussian.

  2. Mathematically speaking, a more accurate notion would be \(\text {dist}_p(\varvec{x},\varvec{y})=\left\| \varvec{x}-\varvec{y}\right\| _p\), which is a distance. However, the norm symbol is clearer for almost all practical purposes.

  3. Probabilistic polynomial time.

  4. An equivalence between \(\mathsf {LWE}\) and \(\mathsf {bin}\mathsf {LWE}\), i.e., \(\mathsf {LWE}\) with binary secret, has been proven in [13, 42]. The same reduction for the Ring variant of \(\mathsf {LWE}\) is still an open problem.

  5. A submodule G is sufficiently dense if there exists an intermediate submodule H such that \(G\subseteq H\subseteq \mathbb {T}^n\), the relative smoothing parameter \(\eta _{H,\varepsilon }(G)\) (a.k.a. smoothing parameter of H / G) is \(\le \alpha \), and H is the orthogonal in \(\mathbb {T}^n\) of at most \(n-1\) vectors of \(\mathbb {Z}^n\). This definition allows one to convert any (Ring)-\(\mathsf {LWE}\) instance with non-binary secret into a \(\mathsf {TLWE}\) instance via binary decomposition.

  6. Talking about maximum amplitude is an abuse of notation. A more correct approach would be to use a truncated distribution (as suggested in [43]) in order to avoid all the negligible amounts appearing in the probability formulas.

  7. The circular security assumption can still be avoided in leveled mode if one accepts working with many keys.

  8. The \(\mathsf {TRLWE}\) samples can be trivial samples, in the case where the function f and its LUT are public.

  9. If the sub-function \(f_j\) and its LUT are public, the LUT values \(\sigma _{j,0}, \ldots , \sigma _{j,2^d-1}\) can be given in clear. This means that the \(\mathsf {TRLWE}\) samples \(\varvec{d}_{p}\), for \(p \in \llbracket 0,\frac{2^d}{N}-1 \rrbracket \), are given as trivial \(\mathsf {TRLWE}\) samples \(\varvec{d}_p \leftarrow (\mathbf {0},\sum _{i=0}^{N-1} \sigma _{j,pN+i}X^i)\) in input to Algorithm 5.

  10. For the pth bit, one would return \(\mathsf {SampleExtract}(c_p)+(\mathbf {0},\frac{1}{4})\), but it is always 0 if \(l\in [0,N-1]\).

  11. Amplifying a distinguishing advantage from \(\varepsilon \) to \(\varOmega (1)\) requires at least \(\varOmega (1/\varepsilon )\) and at most \(O(1/\varepsilon ^2)\) trials, depending on the shape of the symmetric difference between the two distributions. Here, the difference between a modular Gaussian with large parameter and the uniform distribution is uniformly small, so we have to apply the upper bound.

References

  1. M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, V. Vaikuntanathan, Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada (November 2018)

  2. M. R. Albrecht, On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL, in EUROCRYPT 2017, pp. 103–129, 2017

  3. M. R. Albrecht, C. Cid, J.-C. Faugère, R. Fitzpatrick, L. Perret, On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography 74(2), 325–354 (2015)

  4. M. R. Albrecht, B. R. Curtis, A. Deo, A. Davidson, R. Player, E. Postlethwaite, F. Virdia, T. Wunderer, Estimate all the {LWE, NTRU} schemes. https://estimate-all-the-lwe-ntru-schemes.github.io/docs (2017)

  5. M. R. Albrecht, A. Deo, Large modulus Ring-LWE \(\ge \) Module-LWE, in ASIACRYPT 2017, 2017

  6. M. R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Mathematical Cryptology 9(3), 169–203 (2015)

  7. E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe, Post-quantum key exchange - a new hope, in 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, August 10–12, 2016, pp. 327–343, 2016

  8. J. Alperin-Sheriff, C. Peikert, Faster bootstrapping with polynomial error, in CRYPTO 2014, pp. 297–314, 2014

  9. J.-C. Bajard, J. Eynard, A. Hasan, V. Zucca, A full RNS variant of FV-like somewhat homomorphic encryption schemes, in SAC 2016, volume 10532 of LNCS, pp. 423–442, 2016

  10. D. Benarroch, Z. Brakerski, T. Lepoint, FHE over the integers: decomposed and batched in the post-quantum regime. Cryptology ePrint Archive, Report 2017/065

  11. A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)

  12. Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in ITCS 2012, pp. 309–325, 2012

  13. Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. Stehlé, Classical hardness of learning with errors, in Proc. of 45th STOC, pp. 575–584 (ACM, 2013)

  14. Z. Brakerski, R. Perlman, Lattice-based fully dynamic multi-key FHE with short ciphertexts, in CRYPTO 2016, volume 9814 of LNCS, pp. 190–213, 2016

  15. Z. Brakerski, V. Vaikuntanathan, Lattice-based FHE as secure as PKE, in ITCS 2014, pp. 1–12, 2014

  16. A. L. Buchsbaum, R. Giancarlo, J. R. Westbrook, On the determinization of weighted finite automata. SIAM Journal on Computing 30(5), 1502–1531 (2000)

  17. Y. Chen, P. Q. Nguyen, BKZ 2.0: better lattice security estimates, in ASIACRYPT 2011, pp. 1–20, 2011

  18. J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun, Batch fully homomorphic encryption over the integers, in EUROCRYPT 2013, 2013

  19. J. H. Cheon, K. Han, A. Kim, M. Kim, Y. Song, A full RNS variant of approximate homomorphic encryption, in SAC 2018, pp. 347–368, 2018

  20. J. H. Cheon, A. Kim, M. Kim, Y. Song, Homomorphic encryption for arithmetic of approximate numbers, in ASIACRYPT 2017, 2017. Cryptology ePrint Archive, Report 2016/421, http://eprint.iacr.org/2016/421

  21. J. H. Cheon, D. Stehlé, Fully homomorphic encryption over the integers revisited, in EUROCRYPT 2015 (Springer, 2015), pp. 513–536

  22. I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds, in ASIACRYPT 2016, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I (Springer, 2016), pp. 3–33

  23. I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, A homomorphic LWE-based e-voting scheme, in PQCrypto 2016 (Springer, 2016), pp. 245–265

  24. I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE, in ASIACRYPT 2017 (Springer, 2017)

  25. I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, TFHE: Fast fully homomorphic encryption library. https://tfhe.github.io/tfhe/ (August 2016)

  26. J.-S. Coron, T. Lepoint, M. Tibouchi, Scale-invariant fully homomorphic encryption over the integers, in PKC 2014, pp. 311–328, 2014

  27. R. Cramer, L. Ducas, B. Wesolowski, Short Stickelberger class relations and application to Ideal-SVP, in EUROCRYPT 2017, 2017

  28. M. Droste, P. Gastin, Weighted automata and weighted logics, in Handbook of Weighted Automata (Springer, 2009), pp. 175–211

  29. L. Ducas, D. Micciancio, FHEW: bootstrapping homomorphic encryption in less than a second, in EUROCRYPT 2015, pp. 617–640, 2015

  30. M. Frigo, S. G. Johnson, The design and implementation of FFTW3. Proceedings of the IEEE 93(2), 216–231 (2005). Special issue on "Program Generation, Optimization, and Platform Adaptation"

  31. N. Gama, M. Izabachène, P. Q. Nguyen, X. Xie, Structural lattice reduction: generalized worst-case to average-case reductions. Cryptology ePrint Archive, Report 2014/283, 2016

  32. N. Gama, P. Q. Nguyen, Predicting lattice reduction, in EUROCRYPT 2008, 2008

  33. C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC 2009, 2009

  34. C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based, in CRYPTO 2013, 2013

  35. S. Gorbunov, V. Vaikuntanathan, H. Wee, Attribute-based encryption for circuits. Journal of the ACM 62(6), 45 (2015)

  36. S. Halevi, V. Shoup, HElib: an implementation of homomorphic encryption. https://github.com/shaih/HElib/ (September 2014)

  37. S. Halevi, V. Shoup, Algorithms in HElib, in CRYPTO 2014, pp. 554–571, 2014

  38. N. Howgrave-Graham, Approximate integer common divisors, in CaLC 2001 (Springer, 2001), pp. 51–66

  39. A. Langlois, D. Stehlé, Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography 75(3), 565–599 (2015)

  40. M. Liu, P. Q. Nguyen, Solving BDD by enumeration: an update, in CT-RSA 2013, volume 7779 of LNCS (Springer, 2013), pp. 293–309

  41. V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT 2010, pp. 1–23, 2010

  42. D. Micciancio, On the hardness of learning with errors with binary secrets. Theory of Computing 14(1), 1–17 (2018)

  43. D. Micciancio, C. Peikert, Trapdoors for lattices: simpler, tighter, faster, smaller, in EUROCRYPT 2012, LNCS (Springer, 2012)

  44. D. Micciancio, M. Walter, Practical, predictable lattice basis reduction, in EUROCRYPT 2016, volume 9665 of LNCS (Springer, 2016), pp. 820–849

  45. S. Halevi, Y. Polyakov, V. Shoup, An improved RNS variant of the BFV homomorphic encryption scheme, in CT-RSA 2019, volume 11405 of LNCS (Springer, 2019), pp. 83–105

  46. R. Hiromasa, M. Abe, T. Okamoto, Packing messages and optimizing bootstrapping in GSW-FHE, in PKC 2015, pp. 699–715, 2015

  47. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC 2005, pp. 84–93, 2005

  48. N. P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Cryptology ePrint Archive, Report 2011/133, 2011. https://eprint.iacr.org/2011/133

  49. N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in PKC 2010, Paris, France, May 26–28, 2010, Proceedings, pp. 420–443, 2010

  50. N. P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Designs, Codes and Cryptography 71(1), 57–81 (2014)

  51. D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in ASIACRYPT 2009, Tokyo, Japan, December 6–10, 2009, Proceedings, pp. 617–635, 2009

  52. M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in EUROCRYPT 2010, pp. 24–43, 2010


Acknowledgements

This work has been supported in part by the CRYPTOCOMP project. The authors would like to thank the anonymous reviewers of this paper and of the papers [22, 24], as well as the Asiacrypt 2016 committee for rewarding [22] with the best paper award. The authors would also like to thank Damien Stehlé, Fernando Virdia and Matthias Minihold for the discussions and for their helpful comments.

Author information

Corresponding author: Nicolas Gama.

Additional information

Communicated by Nigel Smart.


This work was done while I. Chillotti was a PhD student in the Laboratoire de Mathématiques de Versailles, UVSQ (Versailles, France), and while M. Georgieva worked in Gemalto (Meudon, France).

About this article

Cite this article

Chillotti, I., Gama, N., Georgieva, M. et al. TFHE: Fast Fully Homomorphic Encryption Over the Torus. J Cryptol 33, 34–91 (2020). https://doi.org/10.1007/s00145-019-09319-x
