2 Nuida–Kurosawa Fully Homomorphic Encryption Scheme
E. Kim and M. Tibouchi
• Choose uniformly at random a $\Theta$-bit vector $(s_1, \dots, s_\Theta) \in \{0, 1\}^\Theta$ with Hamming weight $\theta$.
• Set $X_p = \lfloor Q^\kappa \, [p]_Q / p \rceil$. For $i \in [\Theta]$, choose $u_i \leftarrow [0, Q^{\kappa+1}) \cap \mathbb{Z}$ in such a way that
$$\sum_{i=1}^{\Theta} s_i u_i \equiv X_p \pmod{Q^{\kappa+1}}.$$
• Choose $q_i \leftarrow [0, q_0) \cap \mathbb{Z}$ and $r_i \leftarrow (-2^\rho, 2^\rho) \cap \mathbb{Z}$, and generate $v_i \leftarrow [p q_i + Q r_i + s_i]_N$ for $i \in [\Theta]$.
• Output a public key $pk = (N, \{x_\xi\}_{\xi \in [\tau]}, x', \{u_i\}_{i \in [\Theta]}, \{v_i\}_{i \in [\Theta]})$ and a secret key $sk = (s_1, \dots, s_\Theta)$.
– NK.Encrypt(pk, m) → c: Given a plaintext $m \in \mathcal{M}$, output a ciphertext $c$ defined by
$$c := \Big[ m x' + \sum_{\xi \in T} x_\xi \Big]_N$$
where $T \subset [\tau]$ is a uniformly random subset.
– NK.Decrypt(sk, c) → m: Given a ciphertext $c$, compute $z_i := (c u_i / Q^\kappa)_L = (z_{i;0} \,.\, z_{i;1} \cdots z_{i;L})$, i.e. $c u_i / Q^\kappa$ kept to $L$ Q-ary digits after the Q-ary point. Then output
$$m := c - \Big\lfloor \sum_{i \in [\Theta]} s_i z_i \Big\rceil \bmod Q.$$
– NK.SHE_Evaluate(pk, f, c_1, ..., c_t) → c*: Given a polynomial $f$ with integer coefficients and ciphertexts $c_1, \dots, c_t$, output
$$c^* := [f(c_1, \dots, c_t)]_N .$$
– NK.Evaluate(pk, f, c_1, ..., c_t) → c* is obtained using Gentry's bootstrapping technique, by applying NK.SHE_Evaluate to the squashed decryption circuit NK.Decrypt.
Let us briefly explain the correctness of the NK scheme [NK15, Sect. 7]. For a ciphertext $c$, we can write $c = \alpha(c) \cdot p + \beta(c) \cdot Q + m$ where $\alpha(c)$ and $\beta(c)$ are integers depending on $c$, and $|\beta(c) \cdot Q + m|$ is smaller than $p/2$ (so that $\alpha(c) = \lfloor c/p \rceil$ and $\beta(c) \cdot Q + m = [c]_p$). For the $z_i$'s computed in Decrypt(sk, c), we have $\lfloor \sum_{i=1}^{\Theta} s_i z_i \rceil = \alpha(c) \cdot p + \beta' \cdot Q$ for the same $\alpha(c)$ and some integer $\beta'$ (the rounded sum is congruent to $\alpha(c) \cdot [p]_Q$ modulo $Q$), and hence we can decrypt $c$ correctly:
$$c - \Big\lfloor \sum_{i=1}^{\Theta} s_i z_i \Big\rceil = \alpha(c) \cdot p + \beta(c) \cdot Q + m - \big(\alpha(c) \cdot p + \beta' \cdot Q\big) \equiv m \pmod Q.$$
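To make the key generation, encryption and both decryption procedures above concrete, here is a toy instance of the scheme in Python. It is an added example and not the authors' code: the generation of $N$, the $x_\xi$ and $x'$ (DGHV-style $p q + Q r$, with $N = p q_0$ noise-free and $x' = p q' + Q r' + 1$) is not shown in this excerpt and is an assumption, $\kappa$ is set so that $Q^\kappa \ge Q^2 N$ in place of the text's formula, and the parameter sizes are far too small to be secure; they are chosen only so that the arithmetic is visible.

```python
"""Toy instance of the NK scheme with plaintext space Z/QZ (added example; not
the authors' code).  N, x_xi and x' are generated DGHV-style (assumption):
N = p*q0, x = p*q + Q*r, x' = p*q' + Q*r' + 1.  Parameters are tiny/insecure."""
import secrets


def centered_mod(a, n):
    """[a]_n: the representative of a mod n lying in (-n/2, n/2]."""
    r = a % n
    return r - n if r > n // 2 else r


def rand_int(lo, hi):
    """Uniform integer in [lo, hi)."""
    return lo + secrets.randbelow(hi - lo)


def keygen(Q, eta=96, gamma=400, rho=16, tau=30, Theta=40, theta=5):
    """Return (pk, sk); sk holds p (plain decryption) and s (squashed decryption)."""
    p = rand_int(2 ** (eta - 1), 2 ** eta) | 1            # secret odd p
    q0 = rand_int(2 ** (gamma - eta - 1), 2 ** (gamma - eta))
    N = p * q0                                             # noise-free multiple of p

    def element(extra):                                    # [p q + Q r + extra]_N
        return (p * rand_int(0, q0) + Q * rand_int(-2 ** rho + 1, 2 ** rho) + extra) % N

    xs = [element(0) for _ in range(tau)]
    xprime = element(1)
    # Squashing data: kappa with Q^kappa >= Q^2 * N stands in for the text's
    # kappa = (gamma - log(4Q-5))/log Q + 2 (assumption); L = ceil(log_Q theta) + 2.
    kappa = 0
    while Q ** kappa < N:
        kappa += 1
    kappa += 2
    L = 0
    while Q ** L < theta:
        L += 1
    L += 2
    Xp = (2 * Q ** kappa * (p % Q) + p) // (2 * p)         # round(Q^kappa [p]_Q / p)
    s = [0] * Theta                                        # Theta bits of weight theta
    for idx in secrets.SystemRandom().sample(range(Theta), theta):
        s[idx] = 1
    M = Q ** (kappa + 1)
    us = [rand_int(0, M) for _ in range(Theta)]
    last = max(i for i in range(Theta) if s[i])            # fix one u_i so that
    us[last] = (Xp - sum(s[i] * us[i] for i in range(Theta) if i != last)) % M
    vs = [element(s[i]) for i in range(Theta)]             # v_i = [p q_i + Q r_i + s_i]_N
    pk = dict(Q=Q, N=N, xs=xs, xprime=xprime, us=us, vs=vs, kappa=kappa, L=L)
    return pk, dict(p=p, s=s)


def encrypt(pk, m):
    """c = [m x' + sum_{xi in T} x_xi]_N for a uniformly random subset T."""
    c = m * pk["xprime"] + sum(x for x in pk["xs"] if secrets.randbits(1))
    return c % pk["N"]


def decrypt(sk, pk, c):
    """Plain decryption m = [[c]_p]_Q (used to define correctness)."""
    return centered_mod(c, sk["p"]) % pk["Q"]


def squashed_decrypt(sk, pk, c):
    """m = c - round(sum_i s_i z_i) mod Q, with z_i = c u_i / Q^kappa kept to L
    Q-ary fractional digits and integer part mod Q (the low-degree circuit)."""
    Q, kappa, L = pk["Q"], pk["kappa"], pk["L"]
    scale = Q ** L
    zs = [(c * u * scale // Q ** kappa) % (Q * scale) for u in pk["us"]]
    S = sum(si * zi for si, zi in zip(sk["s"], zs))
    rounded = (2 * S + scale) // (2 * scale)               # round(S / Q^L)
    return (c - rounded) % Q


def add(pk, c1, c2):
    return (c1 + c2) % pk["N"]


def mul(pk, c1, c2):
    return (c1 * c2) % pk["N"]


if __name__ == "__main__":
    pk, sk = keygen(5)
    c3, c4 = encrypt(pk, 3), encrypt(pk, 4)
    print("3 + 4 mod 5 =", squashed_decrypt(sk, pk, add(pk, c3, c4)))
    print("3 * 4 mod 5 =", squashed_decrypt(sk, pk, mul(pk, c3, c4)))
```

The squashed routine never touches $p$: it only needs the public $u_i$ and the sparse secret vector $s$, which is what lets bootstrapping evaluate it homomorphically on the $v_i$.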
FHE Over the Integers and Modular Arithmetic Circuits
2.3 More Remarks on NK Scheme
For NK scheme to be bootstrappable, we have to squash Decrypt – namely lower
the depth of the decryption circuit – so that it is expressed as a low-degree
polynomial. This is done in [DGHV10] for the case of Q = 2, but generalizing
this for the case of Q > 2 was not easy. Then, in [NK15], the authors resolved
the problem by constructing a mod-Q half adder and extending the decryption
circuit of [DGHV10] to mod-Q message spaces.
They first constructed a polynomial
$$f_{\mathrm{carry},Q}(x, y) = \sum_{i=1}^{Q-1} \binom{x}{i} \binom{y}{Q-i}$$
of degree $Q$ (it is proved that degree $Q$ is the lowest possible), for which one can easily check that $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$ where $x + y = c \cdot Q + s$ for $x, y \in \mathbb{Z}/Q\mathbb{Z}$. Then given $x, y \in \mathbb{Z}/Q\mathbb{Z}$ as input, a mod-$Q$ half adder $\mathrm{HA}_Q$ computes the sum $s = x + y \bmod Q$ and the carry $c = f_{\mathrm{carry},Q}(x, y) \bmod Q$. See Algorithm 1 below.

Algorithm 1. HA_Q, a mod-Q half adder
Input: x, y ∈ Z/QZ
Output: (c, s)_Q where x + y = c · Q + s
  s ← x + y mod Q
  c ← f_carry,Q(x, y) mod Q
  return (c, s)_Q
The following lemma tells us that NK.Decrypt can be computed by polynomials of degree less than $Q^3 \lambda$.

Lemma 1 [NK15, Theorem 4]. For any positive integer $\Theta$ and for $L = \lceil \log_Q \lambda \rceil + 2$ with $\lambda$ a security parameter, there are $L + 1$ polynomials of degree $\le Q^{L+1} \sim Q^3 \lambda$ over $\mathbb{Z}/Q\mathbb{Z}$ which compute the mod-$Q$ sum of $\Theta$ Q-ary real numbers with $L$ digits of precision after the Q-ary point.
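The carry polynomial and the half adder $\mathrm{HA}_Q$, as an added example in Python (not code from [NK15] or from this paper): it expands $f_{\mathrm{carry},Q}$ as the sum of products of the binomial-coefficient polynomials $\binom{x}{i}\binom{y}{Q-i}$, checks exhaustively that the result is the carry of $x + y$ and has degree exactly $Q$, and chains $\mathrm{HA}_Q$ into a ripple adder for multi-digit Q-ary numbers, the building block behind the digit-wise sums of Lemma 1. $Q$ is assumed prime, so that $i!$ is invertible modulo $Q$ and $\binom{x}{i} = x(x-1)\cdots(x-i+1)/i!$ is a polynomial over $\mathbb{Z}/Q\mathbb{Z}$.

```python
"""Mod-Q half adder from the carry polynomial (added example, not the paper's
code).  Uses f_carry,Q(x, y) = sum_{i=1}^{Q-1} binom(x, i) binom(y, Q-i) and
assumes Q prime so that i! is invertible mod Q."""
from math import factorial

# A bivariate polynomial over Z/QZ is a dict {(deg_x, deg_y): coefficient}.


def poly_mul(a, b, Q):
    out = {}
    for (i1, j1), c1 in a.items():
        for (i2, j2), c2 in b.items():
            k = (i1 + i2, j1 + j2)
            out[k] = (out.get(k, 0) + c1 * c2) % Q
    return {k: v for k, v in out.items() if v}


def binom_poly(var, k, Q):
    """binom(var, k) = var(var-1)...(var-k+1)/k! as a polynomial mod Q.
    var = 0 selects the variable x, var = 1 selects y."""
    lin = (1, 0) if var == 0 else (0, 1)
    poly = {(0, 0): 1}
    for t in range(k):                                  # multiply by (var - t)
        poly = poly_mul(poly, {lin: 1, (0, 0): (-t) % Q}, Q)
    inv = pow(factorial(k), -1, Q)                      # exists for prime Q, k < Q
    return {m: (c * inv) % Q for m, c in poly.items()}


def carry_poly(Q):
    """f_carry,Q as an explicit polynomial; its degree is Q."""
    f = {}
    for i in range(1, Q):
        for m, c in poly_mul(binom_poly(0, i, Q), binom_poly(1, Q - i, Q), Q).items():
            f[m] = (f.get(m, 0) + c) % Q
    return {m: c for m, c in f.items() if c}


def poly_eval(f, x, y, Q):
    return sum(c * pow(x, i, Q) * pow(y, j, Q) for (i, j), c in f.items()) % Q


def degree(f):
    return max(i + j for (i, j) in f)


def half_adder(f, x, y, Q):
    """HA_Q: returns (carry, sum) with x + y = carry * Q + sum."""
    return poly_eval(f, x, y, Q), (x + y) % Q


def carry_is_correct(Q):
    """Exhaustive check of HA_Q against divmod over all of (Z/QZ)^2."""
    f = carry_poly(Q)
    return all(half_adder(f, x, y, Q) == divmod(x + y, Q)
               for x in range(Q) for y in range(Q))


def to_digits(n, Q, ndig):
    """Q-ary digits of n, least significant first."""
    return [(n // Q ** k) % Q for k in range(ndig)]


def from_digits(d, Q):
    return sum(v * Q ** k for k, v in enumerate(d))


def add_qary(f, a, b, Q):
    """Ripple-carry addition of two Q-ary digit lists using only HA_Q.  Each
    position uses two half adders; at most one of their carries can be 1."""
    carry, out = 0, []
    for x, y in zip(a, b):
        c1, s1 = half_adder(f, x, y, Q)
        c2, s2 = half_adder(f, s1, carry, Q)
        out.append(s2)
        carry = (c1 + c2) % Q
    out.append(carry)
    return out


if __name__ == "__main__":
    for Q in (2, 3, 5, 7):
        f = carry_poly(Q)
        print(Q, "degree", degree(f), "carry correct:", carry_is_correct(Q))
```

Only the carry needs the degree-$Q$ polynomial; the sum digit is a single addition, which is why the depth of the squashed decryption is governed by $f_{\mathrm{carry},Q}$.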
Finally, we recall the concrete choice of parameters given in [NK15, Sect. 5], where the message size $Q$ is regarded as a constant.
– $\rho = \Theta(\lambda \log\log\log \lambda)$, $\eta = \Theta(\lambda^2 \log\log \lambda)$, $\gamma = \Theta(\lambda^4 \log^2 \lambda)$, and $\tau = \gamma + \lambda$
– $L = \lceil \log_Q \theta \rceil + 2$, $\kappa = (\gamma - \log(4Q - 5))/\log Q + 2$, $\Theta = \Theta((\lambda \log \lambda)^4)$, and $\theta = \lambda$.
In a nutshell, since we compare the case $Q > 2$ with the case $Q = 2$, the dependence on $Q$ has to be handled carefully. We study the dependence of the parameters on $Q$ in Sect. 4.1.
3 Homomorphic Evaluation of mod-Q Arithmetic Circuits Using an FHE Scheme with Binary Message Space
In this section, we present a way to homomorphically perform arithmetic operations in Z/QZ using an FHE scheme with binary message space. For a given
FHE scheme $\Pi_2 = (\mathrm{KeyGen}_2, \mathrm{Encrypt}_2, \mathrm{Decrypt}_2, \mathrm{Evaluate}_2)$ with message space $\mathcal{M} = \mathbb{Z}/2\mathbb{Z}$, one can construct an FHE scheme $\Pi_Q = (\mathrm{KeyGen}_Q, \mathrm{Encrypt}_Q, \mathrm{Decrypt}_Q, \mathrm{Evaluate}_Q)$ with message space $\mathcal{M} = \mathbb{Z}/Q\mathbb{Z}$ by encrypting messages bit by bit in their binary expansions ($n = \lceil \log(Q + 1) \rceil$):
– KeyGen_Q(1^λ) → (pk, sk): Given a security parameter $\lambda$, run $(pk, sk) \leftarrow \mathrm{KeyGen}_2(1^\lambda)$. Then output the public key $pk$ and the secret key $sk$.
– Encrypt_Q(pk, m) → c: Given a plaintext $m \in \mathcal{M}$, write $m = (m_{n-1}, \dots, m_0)$ as its binary expansion. Encrypt each bit $m_i$ using $c_i \leftarrow \mathrm{Encrypt}_2(pk, m_i)$. Then output the ciphertext tuple $c := (c_{n-1}, \dots, c_0)$.
– Decrypt_Q(sk, c) → m: Given a ciphertext $c = (c_{n-1}, \dots, c_0)$, decrypt component-wise to get $m_i \leftarrow \mathrm{Decrypt}_2(sk, c_i)$ and output
$$m := \sum_{i=0}^{n-1} m_i 2^i .$$
A ciphertext of the scheme $\Pi_Q$ is an $n$-tuple of ciphertexts of the scheme $\Pi_2$, so the ciphertext size of $\Pi_Q$ is $n = \lceil \log(Q + 1) \rceil \approx \log Q$ times that of $\Pi_2$.
3.1 Evaluate_Q and mod-Q Arithmetic Circuits
In what follows, we describe Boolean circuits $\mathrm{BAdd}_Q$ and $\mathrm{BMult}_Q$ to perform addition and multiplication on two $n$-bit integers modulo $Q$ (these circuits are mostly chosen for their simplicity, and are far from optimal, particularly in terms of depth, but they will be sufficient for our purpose). Then, the evaluation algorithm $\mathrm{Evaluate}_Q$ of $\Pi_Q$ is obtained by carrying out the homomorphic evaluation of these Boolean circuits on ciphertext tuples.
For $m, m' \in \mathbb{Z}/Q\mathbb{Z}$, $\mathrm{BAdd}_Q$ first adds the two numbers over $\mathbb{Z}$ and then reduces the result mod $Q$. See Algorithm 2. Note that reducing $m + m' \bmod Q$ is done by first checking whether it is greater than or equal to $Q$, and subtracting $Q$ only if it is so. Subtracting $Q$ or nothing is sufficient for the modular reduction since $0 \le m + m' < 2Q$. We denote the circuit carrying out this reduction step by $\mathrm{Mod}^{n+1}_Q$ (see Fig. 1).

The $\mathrm{BMult}_Q$ circuit computes $m \cdot m' = \sum_{i=0}^{n-1} m \cdot m'_i 2^i$ by using the formula
$$(\cdots((m \cdot m'_{n-1} \cdot 2 + m \cdot m'_{n-2}) \cdot 2 + m \cdot m'_{n-3}) \cdots) \cdot 2 + m \cdot m'_0 .$$
See Algorithm 3. Whenever an intermediate value could become larger than or equal to $Q$, that is, after each doubling and after each addition, the $\mathrm{Mod}^{n+1}_Q$ circuit is applied to the current value.
We finish this section by counting the complexities of the two circuits $\mathrm{BAdd}_Q$
and BMultQ in terms of the number of AND gates they use. This is a reasonable
measure of complexity, as the homomorphic evaluation of those AND gates are
Algorithm 2. BAdd_Q, Boolean circuit for mod-Q addition
Input: m, m' ∈ Z/QZ
Output: m + m' mod Q
  sum ← m + m'                (n-bit addition, 2n AND)
  sum ← sum − 0 or Q          (Mod^{n+1}_Q, 7n AND)
  return sum

[Fig. 1: circuit diagram of Mod^{n+1}_Q. The n + 1 input bits of A feed an ‘A ≥ Q?’ comparator and a subtractor computing A − Q; a bit-by-bit AND of A and a bit-by-bit AND of A − Q, each gated by the comparator output, are combined into the n output bits of A (mod Q).]

Fig. 1. Mod^{n+1}_Q: For an (n + 1)-bit input integer A with 0 ≤ A < 2Q, the circuit Mod^{n+1}_Q outputs A mod Q. The ‘A ≥ Q?’ part takes an (n + 1)-bit integer A as input and returns 1 if A ≥ Q and 0 otherwise. The ‘bit-by-bit AND’ part takes an n-bit string (a_{n−1}, ..., a_0) and a bit b as inputs, and outputs the n-bit string (a_{n−1} ∧ b, ..., a_0 ∧ b).
Algorithm 3. BMult_Q, Boolean circuit for mod-Q multiplication
Input: m, m' = (m'_{n−1}, ..., m'_0) ∈ Z/QZ
Output: m · m' mod Q
  prod ← m · m'_{n−1}
  for i = n − 2, ..., 1, 0 do
    prod ← (prod ≪ 1) − 0 or Q      (Mod^{n+1}_Q, 7n AND)
    next ← m · m'_i                  (n bit-by-bit AND operations, n AND)
    prod ← BAdd_Q(prod, next)        (BAdd_Q, 9n AND)
  end for
  return prod
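The three circuits of this section, $\mathrm{Mod}^{n+1}_Q$, $\mathrm{BAdd}_Q$ and $\mathrm{BMult}_Q$, as an added Python example (not the paper's circuits): $\mathrm{Evaluate}_Q$ runs these gate by gate on $\Pi_2$ ciphertext tuples, so here each gate is a function call on plaintext bits and every AND is tallied, which lets the circuits be checked exhaustively for small $Q$ and their AND-gate cost measured. The XOR/AND decomposition (a ripple-carry adder with two ANDs per bit, the ‘A ≥ Q?’ test taken from the carry-out of $A + (2^{n+1} - Q)$, and the two bit-by-bit ANDs of Fig. 1) is my choice, so the counts it reports are not the $2n$/$7n$/$9n$ figures quoted in the text.

```python
"""BAdd_Q, BMult_Q and Mod^{n+1}_Q evaluated gate by gate with an AND counter
(added example, not the paper's circuits; gate decomposition is my own choice).
Bit lists are least-significant-bit first, n = ceil(log2(Q + 1))."""


class Gates:
    """XOR/NOT are free (homomorphic addition); AND is what we count."""

    def __init__(self):
        self.ands = 0

    def AND(self, a, b):
        self.ands += 1
        return a & b

    def XOR(self, a, b):
        return a ^ b

    def NOT(self, a):
        return a ^ 1


def to_bits(v, n):
    return [(v >> i) & 1 for i in range(n)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def ripple_add(g, a, b):
    """Add two equal-length bit lists; returns len(a)+1 bits, 2 ANDs per bit."""
    out, carry = [], 0
    for x, y in zip(a, b):
        t = g.XOR(x, y)
        out.append(g.XOR(t, carry))
        carry = g.XOR(g.AND(x, y), g.AND(t, carry))
    out.append(carry)
    return out


def mod_q(g, A, Q):
    """Mod^{n+1}_Q: A has n+1 bits with 0 <= A < 2Q; returns the n bits of A mod Q.
    A + (2^{n+1} - Q) carries out of n+1 bits iff A >= Q, and its low n bits are
    then A - Q; two bit-by-bit ANDs select A or A - Q as in Fig. 1."""
    n = len(A) - 1
    S = ripple_add(g, A, to_bits((1 << (n + 1)) - Q, n + 1))
    ge, D = S[n + 1], S[:n]                   # 'A >= Q?' bit and A - Q
    nge = g.NOT(ge)
    return [g.XOR(g.AND(A[i], nge), g.AND(D[i], ge)) for i in range(n)]


def badd(g, m, mp, Q):
    """BAdd_Q on n-bit m and m'."""
    return mod_q(g, ripple_add(g, m, mp), Q)


def bmult(g, m, mp, Q):
    """BMult_Q: (...(m*m'_{n-1}*2 + m*m'_{n-2})*2 + ...)*2 + m*m'_0, reduced mod Q
    after every doubling and every addition."""
    n = len(m)
    prod = [g.AND(x, mp[n - 1]) for x in m]
    for i in range(n - 2, -1, -1):
        prod = mod_q(g, [0] + prod, Q)        # prod << 1, then - 0 or Q
        nxt = [g.AND(x, mp[i]) for x in m]    # m * m'_i, bit-by-bit AND
        prod = badd(g, prod, nxt, Q)
    return prod


def bits_for(Q):
    return Q.bit_length()                     # equals ceil(log2(Q + 1))


def circuits_correct(Q):
    """Exhaustive check of BAdd_Q and BMult_Q against integer arithmetic."""
    n, g = bits_for(Q), Gates()
    for m in range(Q):
        for mp in range(Q):
            a, b = to_bits(m, n), to_bits(mp, n)
            if from_bits(badd(g, a, b, Q)) != (m + mp) % Q:
                return False
            if from_bits(bmult(g, a, b, Q)) != (m * mp) % Q:
                return False
    return True


def and_counts(Q):
    """(n, ANDs in BAdd_Q, ANDs in BMult_Q); the counts do not depend on inputs."""
    n = bits_for(Q)
    g = Gates()
    badd(g, to_bits(1, n), to_bits(1, n), Q)
    adds = g.ands
    g = Gates()
    bmult(g, to_bits(1, n), to_bits(1, n), Q)
    return n, adds, g.ands


if __name__ == "__main__":
    for Q in (3, 5, 7, 13):
        print(Q, circuits_correct(Q), and_counts(Q))
```

With this decomposition $\mathrm{Mod}^{n+1}_Q$ costs $4n + 2$ ANDs, $\mathrm{BAdd}_Q$ costs $6n + 2$, and $\mathrm{BMult}_Q$ costs $n + (n-1)(11n + 4)$; the point of the exercise is that the count is linear in $n$ for addition and quadratic for multiplication, whichever adder is plugged in.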