2 Nuida--Kurosawa Fully Homomorphic Encryption Scheme


440



E. Kim and M. Tibouchi



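• Choose uniformly at random a $\Theta$-bit vector $(s_1, \cdots, s_\Theta) \in \{0,1\}^{\Theta}$ with Hamming weight $\theta$.

• Set $X_p = Q^{\kappa}([p]_Q)/p$. For $i \in [\Theta]$, choose $u_i \leftarrow [0, Q^{\kappa+1}) \cap \mathbb{Z}$ in such a way that

$$\sum_{i=1}^{\Theta} s_i u_i \equiv X_p \pmod{Q^{\kappa+1}}.$$

• Choose $q_i \leftarrow [0, q_0) \cap \mathbb{Z}$ and $r_i \leftarrow (-2^{\rho}, 2^{\rho}) \cap \mathbb{Z}$, and generate $v_i \leftarrow [p q_i + Q r_i + s_i]_N$ for $i \in [\Theta]$.

• Output a public key $pk = (N, \{x_\xi\}_{\xi \in [\tau]}, x, \{u_i\}_{i \in [\Theta]}, \{v_i\}_{i \in [\Theta]})$, and a secret key $sk = (s_1, \cdots, s_\Theta)$.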

– NK.Encrypt$(pk, m) \to c$: Given a plaintext $m \in \mathcal{M}$, output a ciphertext $c$ defined by

$$c := \Big[\, m x + \sum_{\xi \in T} x_\xi \Big]_N$$

where $T \subset [\tau]$ is a uniformly random subset.

– NK.Decrypt$(sk, c) \to m$: Given a ciphertext $c$, compute $z_i := (c u_i / Q^{\kappa})_L = (z_{i;0}.z_{i;1} \cdots z_{i;L})$. Then output

$$m := c - \Big\lfloor \sum_{i \in [\Theta]} s_i z_i \Big\rceil \bmod Q.$$

– NK.SHE Evaluate$(pk, f, c_1, \cdots, c_t) \to c^*$: Given a polynomial $f$ with integer coefficients and ciphertexts $c_1, \cdots, c_t$, output

$$c^* := [f(c_1, \cdots, c_t)]_N$$

– NK.Evaluate$(pk, f, c_1, \cdots, c_t) \to c^*$ is obtained using Gentry’s bootstrapping technique by applying NK.SHE Evaluate to the squashed decryption circuit NK.Decrypt.

Let us briefly explain the correctness of the NK scheme [NK15, Sect. 7]. A ciphertext $c$ can be written as $c = \alpha(c) \cdot p + \beta(c) \cdot Q + m$, where $\alpha(c)$ and $\beta(c)$ are some integers depending on $c$, and $|\beta(c) \cdot Q + m|$ is smaller than $p$. For the $z_i$’s, which are computed in Decrypt$(sk, c)$, we have $\sum_{i=1}^{\Theta} s_i z_i = \alpha(c) \cdot p + \beta \cdot Q$ for the same $\alpha(c)$, and hence we can decrypt $c$ correctly:

$$c - \sum_{i=1}^{\Theta} s_i z_i = \alpha(c) \cdot p + \beta(c) \cdot Q + m - (\alpha(c) \cdot p + \beta \cdot Q) \equiv m \pmod{Q}.$$



FHE Over the Integers and Modular Arithmetic Circuits

2.3 More Remarks on NK Scheme



For the NK scheme to be bootstrappable, we have to squash Decrypt, namely lower the depth of the decryption circuit, so that it is expressed as a low-degree polynomial. This is done in [DGHV10] for the case of $Q = 2$, but generalizing this to the case of $Q > 2$ was not easy. Then, in [NK15], the authors resolved the problem by constructing a mod-$Q$ half adder and extending the decryption circuit of [DGHV10] to mod-$Q$ message spaces.

They first constructed a polynomial

$$f_{\mathrm{carry},Q}(x, y) = \sum_{i=1}^{Q-1} \binom{x}{i}_Q \binom{y}{Q-i}_Q$$

of degree $Q$ (it is proved that the degree $Q$ is lowest), for which one can easily check that $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$ where $x + y = c \cdot Q + s$ for $x, y \in \mathbb{Z}/Q\mathbb{Z}$. Then, given $x, y \in \mathbb{Z}/Q\mathbb{Z}$ as input, a mod-$Q$ half adder $\mathrm{HA}_Q$ computes the sum $s = x + y \bmod Q$ and the carry $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$. See Algorithm 1 below.



Algorithm 1. $\mathrm{HA}_Q$, a mod-$Q$ half adder
Input: $x, y \in \mathbb{Z}/Q\mathbb{Z}$
Output: $(c, s)_Q$ where $x + y = c \cdot Q + s$
  $s \leftarrow x + y \bmod Q$
  $c \leftarrow f_{\mathrm{carry},Q}(x, y) \bmod Q$
  return $(c, s)_Q$
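
As an added example (not code from the paper or from [NK15]), the following Python evaluates $f_{\mathrm{carry},Q}$ and Algorithm 1 and checks them against integer division over all of $(\mathbb{Z}/Q\mathbb{Z})^2$. It assumes that $Q$ is prime and that $\binom{x}{i}_Q$ denotes the binomial polynomial $x(x-1)\cdots(x-i+1)\cdot(i!)^{-1}$ over $\mathbb{Z}/Q\mathbb{Z}$, a definition this excerpt does not give; all function names are illustrative.

```python
# Added example: mod-Q half adder HA_Q built from the carry polynomial.
# Assumptions (not stated in this excerpt): Q is prime, and binom(x, i)_Q is
# the polynomial x(x-1)...(x-i+1) * (i!)^{-1} evaluated in Z/QZ.

def binom_mod(x, i, Q):
    """binom(x, i)_Q as a polynomial in x over Z/QZ (requires i < Q, Q prime)."""
    num, fact = 1, 1
    for k in range(i):
        num = num * (x - k) % Q
        fact = fact * (k + 1) % Q
    # i! is invertible mod Q because every factor is smaller than the prime Q.
    return num * pow(fact, -1, Q) % Q


def f_carry(x, y, Q):
    """f_carry,Q(x, y) = sum_{i=1}^{Q-1} binom(x, i)_Q * binom(y, Q-i)_Q mod Q.

    Every term has total degree i + (Q - i) = Q, matching the stated degree.
    """
    return sum(binom_mod(x, i, Q) * binom_mod(y, Q - i, Q)
               for i in range(1, Q)) % Q


def half_adder(x, y, Q):
    """Algorithm 1: return (c, s) with x + y = c*Q + s, using ring operations mod Q."""
    s = (x + y) % Q
    c = f_carry(x, y, Q)
    return c, s


def check_all(Q):
    """Compare HA_Q with integer divmod on every pair (x, y) in (Z/QZ)^2."""
    return all(half_adder(x, y, Q) == divmod(x + y, Q)
               for x in range(Q) for y in range(Q))
```

For $Q = 2$ the sum has the single term $x \cdot y$, so the carry polynomial reduces to the AND gate of the binary half adder.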



The following lemma tells us that NK.Decrypt can be computed by polynomials of degree less than $Q^3 \lambda$.

Lemma 1 [NK15, Theorem 4]. For any positive integer $\Theta$ and for $L = \log_Q \lambda + 2$ with $\lambda$ a security parameter, there are $L + 1$ polynomials of degree $\le Q^{L+1} \sim Q^3 \lambda$ over $\mathbb{Z}/Q\mathbb{Z}$ which compute the mod-$Q$ sum of $\Theta$ $Q$-ary real numbers with $L$ digits of precision after the $Q$-ary point.

Finally, we recall the concrete choice of parameters given in [NK15, Sect. 5], where the message size $Q$ is regarded as constant.

– $\rho = \Theta(\lambda \log\log\log \lambda)$, $\eta = \Theta(\lambda^2 \log\log \lambda)$, $\gamma = \Theta(\lambda^4 \log^2 \lambda)$, and $\tau = \gamma + \lambda$
– $L = \log_Q \theta + 2$, $\kappa = (\gamma - \log(4Q - 5))/\log Q + 2$, $\Theta = \Theta((\lambda \log \lambda)^4)$, and $\theta = \lambda$.

In a nutshell, we compare the case $Q > 2$ with the case $Q = 2$, so we have to handle $Q$ more carefully. We will study the dependence of parameters on $Q$ in Sect. 4.1.



3 Homomorphic Evaluation of mod-Q Arithmetic Circuit Using FHE Scheme with Binary Message Space



In this section, we present a way to homomorphically perform arithmetic operations in Z/QZ using an FHE scheme with binary message space. For a given






FHE scheme $\Pi_2 = (\mathrm{KeyGen}_2, \mathrm{Encrypt}_2, \mathrm{Decrypt}_2, \mathrm{Evaluate}_2)$ with the message space $\mathcal{M} = \mathbb{Z}/2\mathbb{Z}$, one can construct an FHE scheme $\Pi_Q = (\mathrm{KeyGen}_Q, \mathrm{Encrypt}_Q, \mathrm{Decrypt}_Q, \mathrm{Evaluate}_Q)$ with message space $\mathcal{M} = \mathbb{Z}/Q\mathbb{Z}$ by encrypting messages bit by bit in their binary expansions ($n = \log(Q + 1)$):

– $\mathrm{KeyGen}_Q(1^{\lambda}) \to (pk, sk)$: Given a security parameter $\lambda$, run

$$(pk, sk) \leftarrow \mathrm{KeyGen}_2(1^{\lambda}).$$

Then output a public key $pk$ and a secret key $sk$.

– $\mathrm{Encrypt}_Q(pk, m) \to c$: Given a plaintext $m \in \mathcal{M}$, write $m = (m_{n-1}, \cdots, m_0)$ as its binary expansion. Encrypt each bit $m_i$ using

$$c_i \leftarrow \mathrm{Encrypt}_2(pk, m_i).$$

Then output a ciphertext tuple $c := (c_{n-1}, \cdots, c_0)$.

– $\mathrm{Decrypt}_Q(sk, c) \to m$: Given a ciphertext $c = (c_{n-1}, \cdots, c_0)$, decrypt component-wise to get

$$m_i \leftarrow \mathrm{Decrypt}_2(sk, c_i)$$

and output $m := \sum_{i=0}^{n-1} m_i 2^i$.

A ciphertext of the scheme $\Pi_Q$ is an $n$-tuple of ciphertexts of the scheme $\Pi_2$, so the ciphertext size of $\Pi_Q$ is $\log Q$ times that of $\Pi_2$.

3.1 $\mathrm{Evaluate}_Q$ and mod-Q Arithmetic Circuits



In what follows, we describe Boolean circuits BAddQ and BMultQ to perform

addition and multiplication on two n-bit integers modulo Q (these circuits are

mostly chosen for their simplicity, and are far from optimal, particularly in terms

of depth, but they will be sufficient for our purpose). Then, the evaluation algorithm EvaluateQ of ΠQ is obtained by carrying out the homomorphic evaluation

of these Boolean circuits on ciphertext tuples.

For $m, m' \in \mathbb{Z}/Q\mathbb{Z}$, $\mathrm{BAdd}_Q$ first adds the two numbers over $\mathbb{Z}$, and then reduces the result mod $Q$. See Algorithm 2. Note that reducing $m + m'$ mod $Q$ is done by first checking whether it is greater than or equal to $Q$, and subtracting $Q$ only if it is so. Subtracting $Q$ or nothing is sufficient for modular reduction since $0 \le m + m' < 2Q$. We denote the circuit carrying out this reduction step by $\mathrm{Mod}_Q^{n+1}$ (see Fig. 1).

The $\mathrm{BMult}_Q$ circuit computes $m \cdot m' = \sum_{i=0}^{n-1} m \cdot m'_i 2^i$ by using the formula $(\cdots((m \cdot m'_{n-1} \cdot 2 + m \cdot m'_{n-2}) \cdot 2 + m \cdot m'_{n-3}) \cdots) \cdot 2 + m \cdot m'_0$. See Algorithm 3. Whenever there is a possibility that intermediate values become bigger than $Q$, apply the $\mathrm{Mod}_Q^{n+1}$ circuit to the current value.

We finish this section by counting the complexities of the two circuits BAddQ

and BMultQ in terms of the number of AND gates they use. This is a reasonable

measure of complexity, as the homomorphic evaluation of those AND gates are






Algorithm 2. $\mathrm{BAdd}_Q$, Boolean circuit for mod-$Q$ addition
Input: $m, m' \in \mathbb{Z}/Q\mathbb{Z}$
Output: $m + m' \bmod Q$
  sum ← $m + m'$    ▷ $n$ bit addition ($2n$ AND)
  sum ← sum − 0 or $Q$    ▷ $\mathrm{Mod}_Q^{n+1}$ ($7n$ AND)
  return sum



[Figure 1: circuit diagram. Labels: $n + 1$ input bits of $A$; ‘$A \ge Q$?’; ‘$A - Q$’; two ‘bit-by-bit AND’ blocks; $n$ output bits of $A \pmod{Q}$.]

Fig. 1. $\mathrm{Mod}_Q^{n+1}$: For an $(n + 1)$-bit input integer $A$ with $0 \le A < 2Q$, the circuit $\mathrm{Mod}_Q^{n+1}$ outputs $A \bmod Q$. The ‘$A \ge Q$?’ part takes an $(n + 1)$-bit integer $A$ as input and returns 1 if $A \ge Q$ and 0 otherwise. The ‘bit-by-bit AND’ part takes an $n$-bit string $(a_{n-1}, \cdots, a_0)$ and a bit $b$ as inputs, and outputs the $n$-bit string $(a_{n-1} \wedge b, \cdots, a_0 \wedge b)$.



Algorithm 3. $\mathrm{BMult}_Q$, Boolean circuit for mod-$Q$ multiplication
Input: $m, m' = (m'_{n-1}, \cdots, m'_0) \in \mathbb{Z}/Q\mathbb{Z}$
Output: $m \cdot m' \bmod Q$
  prod ← $m \cdot m'_{n-1}$
  for $i = n - 2, \cdots, 1, 0$ do
    prod ← (prod ≪ 1) − 0 or $Q$    ▷ $\mathrm{Mod}_Q^{n+1}$ ($7n$ AND)
    next ← $m \cdot m'_i$    ▷ $n$ bit-by-bit AND operation ($n$ AND)
    prod ← $\mathrm{BAdd}_Q$(prod, next)    ▷ $\mathrm{BAdd}_Q$ ($9n$ AND)
  end for
  return prod
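
An added example, not the paper's circuits: Algorithms 2 and 3 run on plaintext bits with only XOR and AND gates, the operations that $\mathrm{Evaluate}_2$ would apply component-wise to ciphertext tuples. The gate layout (ripple-carry adder, two's-complement comparison for ‘$A \ge Q$?’) and all function names are assumptions, so the AND counts it reports differ from the $2n$, $7n$ and $9n$ figures quoted above.

```python
# Added example, not the paper's circuits. Bit lists are little-endian; the gate
# layout is an assumption, so AND counts differ from the paper's 2n / 7n / 9n.
AND_GATES = 0

def AND(a, b):
    global AND_GATES
    AND_GATES += 1
    return a & b

def to_bits(v, w):
    return [(v >> i) & 1 for i in range(w)]

def add(a, b, cin=0):
    """Ripple-carry adder, one AND per position; returns len(a) + 1 bits."""
    out, c = [], cin
    for x, y in zip(a, b):
        out.append(x ^ y ^ c)
        c ^= AND(x ^ c, y ^ c)          # c becomes majority(x, y, c)
    return out + [c]

def mod_q(a, Q):
    """Mod_Q^{n+1}: a holds n+1 bits of A with 0 <= A < 2Q; returns n bits."""
    w = len(a)
    d = add(a, to_bits(~Q & ((1 << w) - 1), w), cin=1)  # A - Q, two's complement
    ge = d[w]                           # carry out is 1 exactly when A >= Q
    return [x ^ AND(ge, x ^ y) for x, y in zip(a[:-1], d[:-1])]  # ge ? A-Q : A

def badd_q(a, b, Q):
    """Algorithm 2: n-bit addition over Z, then subtract 0 or Q."""
    return mod_q(add(a, b), Q)

def bmult_q(a, b, Q):
    """Algorithm 3: double-and-add over the bits of b, most significant first."""
    prod = [AND(x, b[-1]) for x in a]
    for bit in reversed(b[:-1]):
        prod = mod_q([0] + prod, Q)                      # (prod << 1) - 0 or Q
        prod = badd_q(prod, [AND(x, bit) for x in a], Q)
    return prod

def eval_mod_q(op, m1, m2, Q):
    """Encode both inputs on n = ceil(log2(Q + 1)) bits, run op, decode."""
    n = Q.bit_length()
    out = op(to_bits(m1, n), to_bits(m2, n), Q)
    return sum(bit << i for i, bit in enumerate(out))

def and_count(op, m1, m2, Q):
    start = AND_GATES
    eval_mod_q(op, m1, m2, Q)
    return AND_GATES - start
```

With this layout one $\mathrm{BAdd}_Q$ evaluation uses $3n + 1$ AND gates; the circuits never branch on data, so the count is the same for every input pair.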


