# 2 Nuida--Kurosawa Fully Homomorphic Encryption Scheme


E. Kim and M. Tibouchi

• Choose uniformly at random a $\Theta$-bit vector $(s_1, \cdots, s_\Theta) \in \{0,1\}^\Theta$ with Hamming weight $\theta$.

• Set $X_p = \lfloor Q^\kappa \cdot [p]_Q / p \rceil$. For $i \in [\Theta]$, choose $u_i \leftarrow [0, Q^{\kappa+1}) \cap \mathbb{Z}$ in such a way that
$$\sum_{i=1}^{\Theta} s_i u_i \equiv X_p \pmod{Q^{\kappa+1}}.$$

• Choose $q_i \leftarrow [0, q_0) \cap \mathbb{Z}$ and $r_i \leftarrow (-2^\rho, 2^\rho) \cap \mathbb{Z}$, and generate $v_i \leftarrow [p q_i + Q r_i + s_i]_N$ for $i \in [\Theta]$.

• Output a public key $pk = \big(N, \{x_\xi\}_{\xi \in [\tau]}, x, \{u_i\}_{i \in [\Theta]}, \{v_i\}_{i \in [\Theta]}\big)$ and a secret key $sk = (s_1, \cdots, s_\Theta)$.

– NK.Encrypt$(pk, m) \to c$: Given a plaintext $m \in \mathcal{M}$, output a ciphertext $c$ defined by
$$c := \Big[m x + \sum_{\xi \in T} x_\xi\Big]_N,$$
where $T \subset [\tau]$ is a uniformly random subset.

– NK.Decrypt$(sk, c) \to m$: Given a ciphertext $c$, compute $z_i := (c u_i / Q^\kappa)_L = (z_{i,0}.z_{i,1} \cdots z_{i,L})$, i.e. keep $L$ digits after the $Q$-ary point. Then output
$$m := c - \Big\lfloor \sum_{i \in [\Theta]} s_i z_i \Big\rceil \bmod Q.$$

– NK.SHE Evaluate$(pk, f, c_1, \cdots, c_t) \to c^*$: Given a polynomial $f$ with integer coefficients and ciphertexts $c_1, \cdots, c_t$, output
$$c^* := [f(c_1, \cdots, c_t)]_N.$$

– NK.Evaluate$(pk, f, c_1, \cdots, c_t) \to c^*$ is obtained using Gentry's bootstrapping technique by applying NK.SHE Evaluate to the squashed decryption circuit NK.Decrypt.

Let us briefly explain the correctness of the NK scheme [NK15, Sect. 7]. For a ciphertext $c$, we can write $c = \alpha(c) \cdot p + \beta(c) \cdot Q + m$, where $\alpha(c)$ and $\beta(c)$ are integers depending on $c$, and $|\beta(c) \cdot Q + m|$ is smaller than $p$. For the $z_i$'s computed in Decrypt$(sk, c)$, we have $\sum_{i=1}^{\Theta} s_i z_i = \alpha(c) \cdot p + \beta \cdot Q$ for the same $\alpha(c)$ (and some integer $\beta$), and hence we can decrypt $c$ correctly:
$$c - \sum_{i=1}^{\Theta} s_i z_i = \alpha(c) \cdot p + \beta(c) \cdot Q + m - \big(\alpha(c) \cdot p + \beta \cdot Q\big) \equiv m \pmod Q.$$
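A toy model of the key generation, the squashed decryption and the correctness argument above, added here as an example; it is not the paper's code. It assumes small, insecure parameter sizes (`lam`, `Theta`, `theta` are constructed) and a symmetric encryption $c = p \cdot q + Q \cdot r + m$ (the same form as the $v_i$) in place of NK.Encrypt, whose public-key elements $x_\xi$ are defined on the preceding page.

```python
import random

def nk_keygen(Q, lam=40, Theta=12, theta=3, seed=1):
    """Toy NK.KeyGen with the squashing data (s, u_i); sizes are constructed, not secure."""
    rng = random.Random(seed)
    p = rng.randrange(2 ** lam, 2 ** (lam + 1)) | 1      # odd secret modulus
    gamma = 2 * lam + 2                                    # every ciphertext below is < 2^gamma
    kappa = 1
    while Q ** kappa < Q * Q * 2 ** gamma:                 # keeps the X_p rounding error <= 1/(2Q^2)
        kappa += 1
    L = 2
    while Q ** (L - 2) < theta:                            # L = ceil(log_Q theta) + 2
        L += 1
    s = [0] * Theta                                        # Theta-bit secret of Hamming weight theta
    for i in rng.sample(range(Theta), theta):
        s[i] = 1
    X_p = (2 * Q ** kappa * (p % Q) + p) // (2 * p)       # nearest integer to Q^kappa * [p]_Q / p
    M = Q ** (kappa + 1)
    u = [rng.randrange(M) for _ in range(Theta)]
    j = s.index(1)                                         # fix one u_j so that sum s_i u_i = X_p (mod M)
    u[j] = (X_p - sum(s[i] * u[i] for i in range(Theta) if i != j)) % M
    return {"Q": Q, "kappa": kappa, "L": L, "u": u, "lam": lam}, {"s": s, "p": p}

def nk_encrypt_sym(pk, sk, m, rng):
    """Symmetric stand-in for NK.Encrypt (assumption of this example): c = p*q + Q*r + m."""
    q = rng.randrange(2 ** pk["lam"])
    r = rng.randrange(-(2 ** 8), 2 ** 8)
    return sk["p"] * q + pk["Q"] * r + m

def nk_decrypt_squashed(pk, sk, c):
    """m = c - round(sum s_i z_i) mod Q, with z_i = (c*u_i/Q^kappa) cut to L Q-ary digits."""
    Q, scale = pk["Q"], pk["Q"] ** pk["L"]
    # z_i scaled by Q^L: floor keeps L digits after the Q-ary point, mod Q^(L+1) keeps one integer digit
    z = [((c * u_i * scale) // Q ** pk["kappa"]) % (Q * scale) for u_i in pk["u"]]
    S = sum(s_i * z_i for s_i, z_i in zip(sk["s"], z))    # sum s_i z_i, still scaled by Q^L
    return (c - (2 * S + scale) // (2 * scale)) % Q        # nearest integer, then reduce mod Q

def roundtrip_ok(Q):
    """Decrypt every message and one homomorphic sum (NK.SHE Evaluate with f = x_1 + x_2)."""
    pk, sk = nk_keygen(Q)
    rng = random.Random(7)
    cts = [nk_encrypt_sym(pk, sk, m, rng) for m in range(Q)]
    if any(nk_decrypt_squashed(pk, sk, c) != m for m, c in enumerate(cts)):
        return False
    return nk_decrypt_squashed(pk, sk, cts[1] + cts[Q - 1]) == (1 + (Q - 1)) % Q
```

The error budget mirrors the argument above: the truncation of $\theta$ values to $L$ digits contributes less than $\theta Q^{-L} \le 1/Q^2$, the rounding of $X_p$ less than $1/(2Q^2)$, so the sum rounds to $\alpha(c) \cdot [p]_Q$ plus a multiple of $Q$.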

FHE Over the Integers and Modular Arithmetic Circuits

## 2.3 More Remarks on NK Scheme

For the NK scheme to be bootstrappable, we have to squash Decrypt, namely lower the depth of the decryption circuit, so that it is expressed as a low-degree polynomial. This is done in [DGHV10] for the case $Q = 2$, but generalizing it to the case $Q > 2$ was not easy. Then, in [NK15], the authors resolved the problem by constructing a mod-$Q$ half adder and extending the decryption circuit of [DGHV10] to mod-$Q$ message spaces.

They first constructed a polynomial
$$f_{\mathrm{carry},Q}(x, y) = \sum_{i=1}^{Q-1} \binom{x}{i} \binom{y}{Q-i}$$
of degree $Q$ (it is proved that degree $Q$ is the lowest possible), for which one can easily check that $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$ where $x + y = c \cdot Q + s$ for $x, y \in \mathbb{Z}/Q\mathbb{Z}$. Then, given $x, y \in \mathbb{Z}/Q\mathbb{Z}$ as input, a mod-$Q$ half adder $\mathrm{HA}_Q$ computes the sum $s = x + y \bmod Q$ and the carry $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$. See Algorithm 1 below.

Algorithm 1. $\mathrm{HA}_Q$, a mod-$Q$ half adder
Input: $x, y \in \mathbb{Z}/Q\mathbb{Z}$
Output: $(c, s)_Q$ where $x + y = c \cdot Q + s$
$s \leftarrow x + y \bmod Q$
$c \leftarrow f_{\mathrm{carry},Q}(x, y) \bmod Q$
return $(c, s)_Q$
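The carry polynomial and $\mathrm{HA}_Q$ above, as an added example that is not the paper's code. It checks the identity $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$ exhaustively: by Vandermonde's identity the sum equals $\binom{x+y}{Q}$, and $\binom{x+y}{Q} \equiv \lfloor (x+y)/Q \rfloor \pmod Q$ holds for prime $Q$ (Lucas' theorem) but can fail for composite $Q$, which `first_failure` exhibits. It also chains $\mathrm{HA}_Q$ into a ripple adder for $Q$-ary digit strings (`add_qary`, an assumption of this example), the kind of component the squashed decryption circuit is built from.

```python
from itertools import product
from math import comb

def f_carry(x, y, Q):
    """f_{carry,Q}(x, y) = sum_{i=1}^{Q-1} C(x, i) * C(y, Q-i) mod Q, a polynomial of degree Q."""
    return sum(comb(x, i) * comb(y, Q - i) for i in range(1, Q)) % Q

def half_adder_Q(x, y, Q):
    """HA_Q (Algorithm 1): returns (c, s) with x + y = c*Q + s, using only ring operations mod Q."""
    return f_carry(x, y, Q), (x + y) % Q

def carry_polynomial_exact(Q):
    """True iff f_carry gives the true carry for every x, y in Z/QZ."""
    return all(half_adder_Q(x, y, Q) == divmod(x + y, Q) for x, y in product(range(Q), repeat=2))

def first_failure(Q):
    """First (x, y, true carry, f_carry value) where the identity breaks, or None if it never does."""
    for x, y in product(range(Q), repeat=2):
        if f_carry(x, y, Q) != (x + y) // Q:
            return x, y, (x + y) // Q, f_carry(x, y, Q)
    return None

def to_digits(v, Q, ndig):
    """Little-endian Q-ary digits of v (least significant digit first)."""
    return [(v // Q ** i) % Q for i in range(ndig)]

def from_digits(d, Q):
    return sum(x * Q ** i for i, x in enumerate(d))

def add_qary(a, b, Q):
    """Ripple addition of two equal-length digit lists; each full adder is two HA_Q (assumed helper)."""
    out, carry = [], 0
    for x, y in zip(a, b):
        c1, s1 = half_adder_Q(x, y, Q)
        c2, s = half_adder_Q(s1, carry, Q)
        out.append(s)
        carry = (c1 + c2) % Q          # at most one of c1, c2 is 1, since x + y + carry < 2Q
    return out + [carry]
```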

The following lemma tells us that NK.Decrypt can be computed by polynomials of degree less than $Q^3 \lambda$.

Lemma 1 [NK15, Theorem 4]. For any positive integer $\Theta$ and for $L = \lceil \log_Q \lambda \rceil + 2$ with $\lambda$ a security parameter, there are $L + 1$ polynomials of degree $\le Q^{L+1} \sim Q^3 \lambda$ over $\mathbb{Z}/Q\mathbb{Z}$ which compute the mod-$Q$ sum of $\Theta$ $Q$-ary real numbers with $L$ digits of precision after the $Q$-ary point.

Finally, we recall the concrete choice of parameters given in [NK15, Sect. 5], where the message size $Q$ is regarded as a constant.

– $\rho = \Theta(\lambda \log\log\log \lambda)$, $\eta = \Theta(\lambda^2 \log\log \lambda)$, $\gamma = \Theta(\lambda^4 \log^2 \lambda)$, and $\tau = \gamma + \lambda$;
– $L = \lceil \log_Q \theta \rceil + 2$, $\kappa = \lceil (\gamma - \log(4Q - 5)) / \log Q \rceil + 2$, $\Theta = \Theta((\lambda \log \lambda)^4)$, and $\theta = \lambda$.

In a nutshell, since we compare the case $Q > 2$ with the case $Q = 2$, the dependence on $Q$ has to be handled more carefully. We study how the parameters depend on $Q$ in Sect. 4.1.

# 3 Homomorphic Evaluation of mod-Q Arithmetic Circuit Using FHE Scheme with Binary Message Space

In this section, we present a way to homomorphically perform arithmetic operations in $\mathbb{Z}/Q\mathbb{Z}$ using an FHE scheme with binary message space. For a given FHE scheme $\Pi_2 = (\mathrm{KeyGen}_2, \mathrm{Encrypt}_2, \mathrm{Decrypt}_2, \mathrm{Evaluate}_2)$ with message space $\mathcal{M} = \mathbb{Z}/2\mathbb{Z}$, one can construct an FHE scheme $\Pi_Q = (\mathrm{KeyGen}_Q, \mathrm{Encrypt}_Q, \mathrm{Decrypt}_Q, \mathrm{Evaluate}_Q)$ with message space $\mathcal{M} = \mathbb{Z}/Q\mathbb{Z}$ by encrypting messages bit by bit in their binary expansions ($n = \lceil \log(Q + 1) \rceil$):

– $\mathrm{KeyGen}_Q(1^\lambda) \to (pk, sk)$: Given a security parameter $\lambda$, run $(pk, sk) \leftarrow \mathrm{KeyGen}_2(1^\lambda)$. Then output the public key $pk$ and the secret key $sk$.

– $\mathrm{Encrypt}_Q(pk, m) \to c$: Given a plaintext $m \in \mathcal{M}$, write $m = (m_{n-1}, \cdots, m_0)$ as its binary expansion. Encrypt each bit $m_i$ using $c_i \leftarrow \mathrm{Encrypt}_2(pk, m_i)$. Then output the ciphertext tuple $c := (c_{n-1}, \cdots, c_0)$.

– $\mathrm{Decrypt}_Q(sk, c) \to m$: Given a ciphertext $c = (c_{n-1}, \cdots, c_0)$, decrypt component-wise to get $m_i \leftarrow \mathrm{Decrypt}_2(sk, c_i)$ and output
$$m := \sum_{i=0}^{n-1} m_i 2^i.$$

A ciphertext of the scheme $\Pi_Q$ is an $n$-tuple of ciphertexts of the scheme $\Pi_2$, so the ciphertext size of $\Pi_Q$ is $\log Q$ times that of $\Pi_2$.

## 3.1 $\mathrm{Evaluate}_Q$ and mod-Q Arithmetic Circuits

In what follows, we describe Boolean circuits $\mathrm{BAdd}_Q$ and $\mathrm{BMult}_Q$ that perform addition and multiplication of two $n$-bit integers modulo $Q$ (these circuits are mostly chosen for their simplicity, and are far from optimal, particularly in terms of depth, but they will be sufficient for our purpose). Then, the evaluation algorithm $\mathrm{Evaluate}_Q$ of $\Pi_Q$ is obtained by carrying out the homomorphic evaluation of these Boolean circuits on ciphertext tuples.

For $m, m' \in \mathbb{Z}/Q\mathbb{Z}$, $\mathrm{BAdd}_Q$ first adds the two numbers over $\mathbb{Z}$ and then reduces the result mod $Q$. See Algorithm 2. Note that reducing $m + m' \bmod Q$ is done by first checking whether the sum is greater than or equal to $Q$, and subtracting $Q$ only if it is. Subtracting either $Q$ or nothing is sufficient for the modular reduction since $0 \le m + m' < 2Q$. We denote the circuit carrying out this reduction step by $\mathrm{Mod}_Q^{n+1}$ (see Fig. 1).

The $\mathrm{BMult}_Q$ circuit computes $m \cdot m' = \sum_{i=0}^{n-1} m \cdot m'_i 2^i$ by using the formula
$$(\cdots((m \cdot m'_{n-1} \cdot 2 + m \cdot m'_{n-2}) \cdot 2 + m \cdot m'_{n-3}) \cdots) \cdot 2 + m \cdot m'_0.$$
See Algorithm 3. Whenever an intermediate value may become larger than $Q$, the $\mathrm{Mod}_Q^{n+1}$ circuit is applied to the current value.
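Bit-level realisations of $\mathrm{Mod}_Q^{n+1}$, $\mathrm{BAdd}_Q$ and $\mathrm{BMult}_Q$ as described above (and in Algorithms 2 and 3 and Fig. 1), with AND gates counted, added here as an example that is not the paper's code. The ripple-carry adder, the two's-complement comparator and the XOR/AND selection are one possible wiring (an assumption of this example), so the gate counts reported are those of this wiring rather than the $7n$ and $n$ stated on the page; `check_circuits` verifies both circuits against integer arithmetic for every pair of inputs.

```python
from itertools import product

class GateCounter:
    """Counts AND gates only: under FHE they are the costly gates, XOR/NOT are cheap."""
    def __init__(self): self.ands = 0
    def AND(self, a, b): self.ands += 1; return a & b

def to_bits(v, n): return [(v >> i) & 1 for i in range(n)]   # little-endian, bit 0 first
def from_bits(bits): return sum(b << i for i, b in enumerate(bits))

def add_bits(g, a, b):
    """Ripple-carry adder on two equal-length bit lists; returns len(a) + 1 bits."""
    out, carry = [], 0
    for x, y in zip(a, b):
        t = x ^ y
        out.append(t ^ carry)
        carry = g.AND(x, y) ^ g.AND(t, carry)
    return out + [carry]

def mod_Q(g, a, Q):
    """Mod_Q^{n+1} (Fig. 1): a holds n+1 bits of A, 0 <= A < 2Q; returns the n bits of A mod Q."""
    n = len(a) - 1
    d = add_bits(g, a, to_bits((1 << (n + 1)) - Q, n + 1))   # A + (2^{n+1} - Q): low bits are A - Q
    ge = d[n + 1]                                            # carry-out is the 'A >= Q?' bit
    return [a[i] ^ g.AND(a[i] ^ d[i], ge) for i in range(n)]  # bit-by-bit select: ge ? A - Q : A

def badd_Q(g, m, mp, Q):
    """BAdd_Q (Algorithm 2): add over Z, then one Mod_Q^{n+1}."""
    return mod_Q(g, add_bits(g, m, mp), Q)

def bmult_Q(g, m, mp, Q):
    """BMult_Q (Algorithm 3): (...(m*m'_{n-1}*2 + m*m'_{n-2})*2 + ...) + m*m'_0, reduced as it goes."""
    n = len(m)
    prod = [g.AND(mj, mp[n - 1]) for mj in m]               # m * m'_{n-1}: n bit-by-bit ANDs
    for i in range(n - 2, -1, -1):
        prod = mod_Q(g, [0] + prod, Q)                       # prod << 1 is < 2Q: reduce mod Q
        nxt = [g.AND(mj, mp[i]) for mj in m]                 # m * m'_i
        prod = mod_Q(g, add_bits(g, prod, nxt), Q)           # prod + next is < 2Q: reduce mod Q
    return prod

def check_circuits(Q):
    """Exhaustive check against integer arithmetic; returns (ANDs per BAdd_Q, ANDs per BMult_Q) or None."""
    n = Q.bit_length()                                       # n = ceil(log2(Q + 1))
    for m, mp in product(range(Q), repeat=2):
        ga, gm, mb, mpb = GateCounter(), GateCounter(), to_bits(m, n), to_bits(mp, n)
        if from_bits(badd_Q(ga, mb, mpb, Q)) != (m + mp) % Q:
            return None
        if from_bits(bmult_Q(gm, mb, mpb, Q)) != (m * mp) % Q:
            return None
    return ga.ands, gm.ands
```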

We finish this section by counting the complexities of the two circuits $\mathrm{BAdd}_Q$ and $\mathrm{BMult}_Q$ in terms of the number of AND gates they use. This is a reasonable measure of complexity, as the homomorphic evaluation of those AND gates are


Algorithm 2. $\mathrm{BAdd}_Q$, Boolean circuit for mod-$Q$ addition
Input: $m, m' \in \mathbb{Z}/Q\mathbb{Z}$
Output: $m + m' \bmod Q$
sum $\leftarrow m + m'$
sum $\leftarrow$ sum $- 0$ or $Q$ ▷ $\mathrm{Mod}_Q^{n+1}$ (7n AND)
return sum

[Fig. 1, diagram not reproduced: blocks labelled 'n + 1 input bits of A', 'A − Q', 'A ≥ Q?', two 'bit-by-bit AND' blocks, and 'n output bits of A (mod Q)'.]

Fig. 1. $\mathrm{Mod}_Q^{n+1}$: For an $(n+1)$-bit input integer $A$ with $0 \le A < 2Q$, the circuit outputs $A \bmod Q$. The 'A ≥ Q?' part takes an $(n+1)$-bit integer $A$ as input and returns 1 if $A \ge Q$ and 0 otherwise. The 'bit-by-bit AND' part takes an $n$-bit string $(a_{n-1}, \cdots, a_0)$ and a bit $b$ as inputs, and outputs the $n$-bit string $(a_{n-1} \wedge b, \cdots, a_0 \wedge b)$.

Algorithm 3. $\mathrm{BMult}_Q$, Boolean circuit for mod-$Q$ multiplication
Input: $m, m' = (m'_{n-1}, \cdots, m'_0) \in \mathbb{Z}/Q\mathbb{Z}$
Output: $m \cdot m' \bmod Q$
prod $\leftarrow m \cdot m'_{n-1}$
for $i = n-2, \cdots, 1, 0$ do
prod $\leftarrow$ (prod $\ll 1$) $- 0$ or $Q$ ▷ $\mathrm{Mod}_Q^{n+1}$ (7n AND)
next $\leftarrow m \cdot m'_i$ ▷ n bit-by-bit AND operations (n AND)
end for
return prod