Abstract
This work describes a fast fully homomorphic encryption scheme over the torus (TFHE) that revisits, generalizes and improves the fully homomorphic encryption (FHE) based on GSW and its ring variants. The simplest FHE schemes consist of bootstrapped binary gates. In this gate bootstrapping mode, we show that the scheme FHEW of Ducas and Micciancio (Eurocrypt, 2015) can be expressed only in terms of the external product between a GSW and an LWE ciphertext. As a consequence of this result and of other optimizations, we decrease the running time of their bootstrapping from 690 to 13 ms on a single core, using a 16 MB bootstrapping key instead of 1 GB, and preserving the security parameter. In leveled homomorphic mode, we propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and to optimize the evaluation of lookup tables and arbitrary functions in \({\mathrm {RingGSW}}\)-based homomorphic schemes. We also extend the automata logic, introduced in Gama et al. (Eurocrypt, 2016), to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called \(\mathrm {TBSR}\), that supports all the elementary operations that occur in a multiplication. These improvements speed up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We also present a new circuit bootstrapping that converts \(\mathsf {LWE}\) ciphertexts into low-noise \({\mathrm {RingGSW}}\) ciphertexts in just 137 ms, which makes the leveled mode of TFHE composable and which is fast enough to speed up arithmetic functions, compared to the gate bootstrapping approach. Finally, we provide an alternative practical analysis of LWE based schemes, which directly relates the security parameter to the error rate of LWE and the entropy of the LWE secret key, and we propose concrete parameter sets and timing comparisons for all our constructions.
Notes
For the first two distributions, it is tight, but the uniform distribution over \([-\,\sqrt{3}\sigma ,\sqrt{3}\sigma ]\) is even \(0.78\sigma \)-sub-Gaussian.
Mathematically speaking, a more accurate notion would be \(\text {dist}_p(\varvec{x},\varvec{y})=\left\| \varvec{x}-\varvec{y}\right\| _p\), which is a distance. However, the norm symbol is clearer for almost all practical purposes.
Probabilistic polynomial time.
A submodule G is sufficiently dense if there exists an intermediate submodule H such that \(G\subseteq H\subseteq \mathbb {T}^n\), the relative smoothing parameter \(\eta _{H,\varepsilon }(G)\) (a.k.a. smoothing parameter of H / G) is \(\le \alpha \), and H is the orthogonal in \(\mathbb {T}^n\) of at most \(n-1\) vectors of \(\mathbb {Z}^n\). This definition allows one to convert any (Ring)-\(\mathsf {LWE}\) instance with non-binary secret to a \(\mathsf {TLWE}\) instance via binary decomposition.
Talking about maximum amplitude is an abuse of notation. A more correct approach would be to use a truncated distribution (as suggested in [43]) in order to avoid all the negligible amounts appearing in the probability formulas.
The circular security assumption could still be avoided in leveled mode if we accept working with many keys.
The \(\mathsf {TRLWE}\) samples can be trivial samples, in the case where the function f and its LUT are public.
If the sub-function \(f_j\) and its LUT are public, the LUT values \(\sigma _{j,0}, \ldots , \sigma _{j,2^d-1}\) can be given in clear. This means that the \(\mathsf {TRLWE}\) samples \(\varvec{d}_{p}\), for \(p \in \llbracket 0,\frac{2^d}{N}-1 \rrbracket \), are given as trivial \(\mathsf {TRLWE}\) samples \(\varvec{d}_p \leftarrow (\mathbf {0},\sum _{i=0}^{N-1} \sigma _{j,pN+i}X^i)\) in input to Algorithm 5.
For the pth bit, one would return \(\mathsf {SampleExtract}(c_p)+(\mathbf {0},\frac{1}{4})\), but it is always 0 if \(l\in [0,N-1]\).
Amplifying a distinguishing advantage from \(\varepsilon \) to \(\varOmega (1)\) requires at least \(O(1/\varepsilon )\) and at most \(O(1/\varepsilon ^2)\) trials, depending on the shape of the symmetric difference between the two distributions. Here, the difference between a modular Gaussian with large parameter and the uniform distribution is uniformly small, so we have to apply the upper bound.
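As an added illustration of the notes above on trivial \(\mathsf {TRLWE}\) samples and \(\mathsf {SampleExtract}\) (this code is not from the paper or the TFHE library): a toy TRLWE over the torus discretised as \(\mathbb {Z}/2^{32}\mathbb {Z}\) with a small ring degree N = 16 (an assumption, the paper uses larger N), showing that a trivial sample \((\mathbf {0}, \mu )\) has phase \(\mu \) under any key, how a public LUT is cut into \(2^d/N\) trivial samples \(\varvec{d}_p\), and how SampleExtract turns coefficient l of a TRLWE sample into a TLWE sample with the same phase.

```python
import secrets

N = 16        # toy ring degree (assumption; TFHE uses N = 1024)
Q = 1 << 32   # torus T discretised as Z/2^32 Z, as the TFHE library does

def poly_mul_mod(a, b):
    """Negacyclic product a(X)*b(X) mod X^N + 1, coefficients mod Q."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:  # X^N = -1 in the ring
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res

def keygen():  # binary secret key s(X) with coefficients in {0, 1}
    return [secrets.randbelow(2) for _ in range(N)]

def trlwe_encrypt(s, mu, amp=1 << 8):
    """TRLWE sample (a, b = a*s + mu + e) with small bounded noise e."""
    a = [secrets.randbelow(Q) for _ in range(N)]
    e = [secrets.randbelow(2 * amp + 1) - amp for _ in range(N)]
    b = [(m + x + y) % Q for m, x, y in zip(mu, poly_mul_mod(a, s), e)]
    return a, b

def trivial_sample(mu):
    """(0, mu): a noiseless TRLWE encryption of mu, valid under *any* key."""
    return [0] * N, list(mu)

def phase(s, ct):
    """Decryption phase b - a*s; equals mu + e for an honest sample."""
    a, b = ct
    return [(bi - x) % Q for bi, x in zip(b, poly_mul_mod(a, s))]

def lut_to_trivial_samples(sigma):
    """Public LUT with 2^d entries -> 2^d/N trivial samples d_p (note above)."""
    return [trivial_sample(sigma[p * N:(p + 1) * N]) for p in range(len(sigma) // N)]

def sample_extract(ct, l):
    """TLWE sample (a', b_l) encrypting coefficient l of the TRLWE message."""
    a, b = ct
    a_prime = [a[l - i] if i <= l else (-a[N + l - i]) % Q for i in range(N)]
    return a_prime, b[l]

def tlwe_phase(s, tlwe):  # b - <a', s>, equals phase(s, ct)[l] exactly
    a_prime, b = tlwe
    return (b - sum(x * y for x, y in zip(a_prime, s))) % Q
```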
References
M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, V. Vaikuntanathan, Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada, (November 2018)
M. R. Albrecht, On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL, in EUROCRYPT 2017, pp. 103–129, 2017
M. R. Albrecht, C. Cid, J. Faugère, R. Fitzpatrick, L. Perret, On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography, 74/2, 325–354 (2015)
M. R. Albrecht, B. R. Curtis, A. Deo, A. Davidson, R. Player, E. Postlethwaite, F. Virdia, T. Wunderer, Estimate all the \(\{\)LWE, NTRU\(\}\) schemes. https://estimate-all-the-lwe-ntru-schemes.github.io/docs, (2017)
M. R. Albrecht, A. Deo, Large modulus Ring-LWE \(\ge \) Module-LWE, in ASIACRYPT 2017, 2017
M. R. Albrecht, R. Player, S. Scott, On the concrete hardness of learning with errors. J. Mathematical Cryptology 9(3), 169–203 (2015)
E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe, Post-quantum key exchange - A new hope, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pp. 327–343, 2016
J. Alperin-Sheriff, C. Peikert. Faster bootstrapping with polynomial error, in Crypto, pp. 297–314, 2014
J.-C. Bajard, J. Eynard, A. Hasan, V. Zucca, A full RNS variant of FV-like somewhat homomorphic encryption schemes, in SAC 2016, volume 10532 of LNCS, pp. 423–442, 2016
D. Benarroch, Z. Brakerski, T. Lepoint, FHE over the integers: decomposed and batched in the post-quantum regime. Cryptology ePrint Archive, 2017/065
A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. of ACM 50(4), 506–519 (2003)
Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in ITCS, pp. 309–325, 2012
Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. Stehlé, Classical hardness of learning with errors, in Proc. of 45th STOC, pp. 575–584 (ACM, 2013)
Z. Brakerski, R. Perlman, Lattice-based fully dynamic multi-key FHE with short ciphertexts, in Crypto’2016, volume 9814, pp. 190–213, 2016
Z. Brakerski, V. Vaikuntanathan, Lattice-based FHE as secure as PKE, in ITCS, pp. 1–12, 2014
A. L. Buchsbaum, R. Giancarlo, J. R. Westbrook. On the determinization of weighted finite automata. SIAM Journal on Computing 30(5), 1502–1531 (2000)
Y. Chen, P. Q. Nguyen, BKZ 2.0: Better lattice security estimates. In Proc. of Asiacrypt, pp. 1–20, 2011
J. H. Cheon, J. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun. Batch fully homomorphic encryption over the integers, in EUROCRYPT 2013, 2013
J. H. Cheon, K. Han, A. Kim, M. Kim, Y. Song, A full RNS variant of approximate homomorphic encryption, in SAC 2018, pp. 347–368, 2018
J. H. Cheon, A. Kim, M. Kim, Y. Song, Homomorphic encryption for arithmetic of approximate numbers, in ASIACRYPT 2017. http://eprint.iacr.org/2016/421 (2016)
J. H. Cheon, D. Stehlé, Fully homomorphic encryption over the integers revisited, in EUROCRYPT 2015 (Springer, 2015), pp. 513–536
I. Chillotti, N. Gama, M. Georgieva, M. Izabachène. Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds, in Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I (Springer, 2016), pp. 3–33
I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, A homomorphic LWE based e-voting scheme, in PQ Cryptography (Springer, 2016), pp. 245–265
I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE, in Advances in Cryptology - ASIACRYPT 2017 (Springer, 2017)
I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, TFHE: Fast fully homomorphic encryption library. https://tfhe.github.io/tfhe/ (August 2016)
J. Coron, T. Lepoint, M. Tibouchi, Scale-invariant fully homomorphic encryption over the integers, in PKC 2014, pp. 311–328, 2014
R. Cramer, L. Ducas, B. Wesolowski, Short Stickelberger class relations and application to Ideal-SVP, in EUROCRYPT 2017, 2016
M. Droste, P. Gastin, Weighted automata and weighted logics, in Handbook of weighted automata (Springer, 2009), pp. 175–211
L. Ducas, D. Micciancio, FHEW: Bootstrapping homomorphic encryption in less than a second, in Eurocrypt, pp. 617–640, 2015
M. Frigo, S. G. Johnson, The design and implementation of FFTW3. Proceedings of the IEEE 93(2), 216–231 (2005). Special issue on “Program Generation, Optimization, and Platform Adaptation”
N. Gama, M. Izabachène, P. Q. Nguyen, X. Xie, Structural lattice reduction: Generalized worst-case to average-case reductions. ePrint Archive, 2014/283, 2016
N. Gama, P. Q. Nguyen, Predicting Lattice Reduction, in Eurocrypt, 2008
C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC, 2009
C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based, in Crypto’13, 2013
S. Gorbunov, V. Vaikuntanathan, H. Wee, Attribute-based encryption for circuits. Journal of the ACM (JACM) 62(6), 45 (2015)
S. Halevi, V. Shoup, HElib: an implementation of homomorphic encryption. https://github.com/shaih/HElib/ (September 2014)
S. Halevi, V. Shoup, Algorithms in HElib, in Crypto’2014, pp. 554–571, 2014
N. Howgrave-Graham, Approximate integer common divisors, in CaLC, volume 1 (Springer, 2001), pp. 51–66
A. Langlois, D. Stehlé, Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography 75(3), 565–599 (2015).
M. Liu, P. Q. Nguyen, Solving BDD by enumeration: an update, in Proc. of CT-RSA, volume 7779 of LNCS (Springer, 2013), pp. 293–309
V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT, pp. 1–23, 2010
D. Micciancio, On the hardness of learning with errors with binary secrets. Theory of Computing 14(1), 1–17 (2018)
D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller, in Eurocrypt ’12, LNCS (Springer, 2012)
D. Micciancio, M. Walter, Practical, predictable lattice basis reduction, in Proc. of Eurocrypt 2016, volume 9665 of LNCS (Springer, 2016), pp. 820–849
S. Halevi, Y. Polyakov, V. Shoup, An improved RNS variant of the BFV homomorphic encryption scheme, in CT-RSA 2019, volume 11405 of LNCS (Springer, 2019), pp. 83–105
R. Hiromasa, M. Abe, T. Okamoto, Packing messages and optimizing bootstrapping in GSW-FHE, in PKC ’15, pp. 699–715, 2015
O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC, pp. 84–93, 2005
N. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Cryptology ePrint Archive, Report 2011/133, 2011. https://eprint.iacr.org/2011/133
N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings, pp. 420–443, 2010
N. P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Des. Codes Cryptography 71(1), 57–81 (2014)
D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, pp. 617–635, 2009
M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in Eurocrypt, pp. 24–43, 2010
Acknowledgements
This work has been supported in part by the CRYPTOCOMP project. The authors would like to thank the anonymous reviewers of this paper and of the papers [22, 24], as well as the Asiacrypt 2016 committee for rewarding [22] with the best paper award. The authors would also like to thank Damien Stehlé, Fernando Virdia and Matthias Minihold for the discussions and for their helpful comments.
Additional information
Communicated by Nigel Smart.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This work was done while I. Chillotti was a PhD student in the Laboratoire de Mathématiques de Versailles, UVSQ (Versailles, France), and while M. Georgieva worked in Gemalto (Meudon, France).
Cite this article
Chillotti, I., Gama, N., Georgieva, M. et al. TFHE: Fast Fully Homomorphic Encryption Over the Torus. J Cryptol 33, 34–91 (2020). https://doi.org/10.1007/s00145-019-09319-x