1 `39`42`"613A``45`47`"603AEvaluateQ and mod-Q Arithmetic Circuits
Tải bản đầy đủ - 0trang
FHE Over the Integers and Modular Arithmetic Circuits
443
Algorithm 2. BAddQ , Boolean circuit for mod-Q addition
Input: m, m ∈ Z/QZ
Output: m + m mod Q
sum ← m + m
sum ← sum − 0 or Q
return sum
n bit addition (2n AND)
(7n AND)
Modn+1
Q
n + 1 Input bits of A
···
bit-by-bit
AND
..
.
..
.
..
..
.
..
.
A−Q
..
.
..
.
..
.
bit-by-bit
AND
n Output bits of A (mod Q)
A ≥ Q?
.
..
.
Fig. 1. Modn+1
Q : For an (n + 1)-bit input integer A with 0 ≤ A < 2Q, the circuit
outputs
A mod Q. The ‘A ≥ Q?’ part takes an (n + 1)-bit integer A as input
Modn+1
Q
and returns 1 if A ≥ Q and 0 otherwise. ‘bit-by-bit AND’ part takes an n-bit string
(an−1 , · · · , a0 ) and a bit b as inputs, and output n-bit string (an−1 ∧ b, · · · , a0 ∧ b)
Algorithm 3. BMultQ , Boolean circuit for mod-Q multiplication
Input: m, m = (mn−1 , · · · , m0 ) ∈ Z/QZ
Output: m · m mod Q
prod ← m · mn−1
for i = n − 2, · · · , 1, 0 do
prod ← (prod
1) − 0 or Q
next ← m · mi
prod ← BAddQ (prod, next)
end for
return prod
(7n AND)
Modn+1
Q
n bit-by-bit AND operation (n AND)
BAddQ (9n AND)
444
E. Kim and M. Tibouchi
typically the costly operation in the underlying scheme Π2 : for example, in the
Nuida–Kurosawa scheme, they correspond to a large integer modular multiplication followed by an expensive ciphertext refresh (i.e. bootstrapping) operation.
Since the usual full adder and full subtractor can be realized by using 2
AND gates, both n-bit addition and subtraction circuits are constructed using
consists of one comparison (A ≥ Q?), one
2n AND gates. The circuit Modn+1
Q
subtraction (A − Q), and two bit-by-bit AND operations. It is well known that,
for two bits b and b , the bit inequality (b > b ) is determined by b ∧ ¬b (where
(statement) = 1 if the statement is true, and 0 otherwise). One can check the bit
equality (b = b ) from b ⊕ ¬b . Then the comparison (A > B) of two (n + 1)-bit
n
n
integers A = i=0 ai 2i and B = i=0 bi 2i is:
⎧
(an > bn ), or
⎪
⎪
⎪
⎨ (an = bn ) ∧ (an−1 > bn−1 ), or
..
⎪
.
⎪
⎪
⎩
(an = bn ) ∧ · · · ∧ (a1 = b1 ) ∧ (a0 > b0 ).
We need 3n AND gates for the comparison; n + 1 AND for bit inequalities
(ai > bi ), n − 1 AND among bit equalities (an = bn ) ∧ · · · ∧ (a1 = b1 ), and n
more AND for the last parts ∧(ai > bi ). An n bit subtraction and a bit-by-bit
circuit
AND operation use 2n and n AND gates, respectively, and so Modn+1
Q
requires 7n AND gates in total. BAddQ circuit contains one n-bit addition and
one call to Modn+1
Q , and BMultQ circuit iterates about n times and each iteration
uses 17n AND gates. Summarizing, we need the following numbers of AND gates
for BAddQ and BMultQ :
Proposition 1. For an n-bit prime Q, BAddQ uses 9n AND gates, and BMultQ
uses 17n2 AND gates.
4
Comparison of Convert-NK2 with NKQ
The main goal of this paper is to understand how much of an improvement that
Nuida–Kurosawa’s approach to the homomorphic evaluation of modular arithmetic circuits have achieved over a more naive technique based on conversions
to and from binary representations.
In this section, we quantify this improvement in concrete terms, by comparing
the eﬃciency of two approaches that evaluate mod-Q message homomorphically,
focusing on the NK scheme. For any prime Q, denote by NKQ the NK FHE scheme
with message space M = Z/QZ, and by Convert-NK2 the FHE scheme obtained
from Π2 = NK2 using the naive conversion method described in Sect. 3. Then
we will compare the two schemes Convert-NK2 and NKQ in terms of the size
of ciphertexts and the time complexity of basic operations carried out during
homomorphic evaluation.
As mentioned in the introduction, it is easy to see that Convert-NK2 will be
more eﬃcient than NKQ for large values of Q, due to the fact that the squashed
FHE Over the Integers and Modular Arithmetic Circuits
445
decryption circuit (and hence each ciphertext refresh operation) of NKQ has a
depth polynomial in Q, whereas the overhead incurred by using bitwise representations as in Convert-NK2 is at most polylogarithmic in Q. However, a
more careful analysis is needed to compare the relative eﬃciencies of NKQ and
Convert-NK2 for very small Q, such as Q is 3, 5 or 7.
4.1
Dependence of NKQ Parameters upon Q
As we pointed out above, there are several factors making parameters depend on
the message size Q. Decrypting a ciphertext is done by a circuit of degree Q3 λ as
in Lemma 1. As a result, the noise of a refreshed ciphertext is Q3 λ times larger
than that of encrypted secret key bits. To ensure the correctness, the secret prime
p should be larger than that noise bound. Thus, Q aﬀects the size η of p since the
multiplicative degree of Bootstrap is related to the degree of Decrypt and hence
it depends on Q. Although Q is regarded as constant in the parameter selection
of [NK15], estimating how it concretely aﬀects the parameters is necessary to
compare Convert-NK2 with NKQ .
In the key generation step of NKQ , the secret key bits si ’s are encrypted as
vi = pqi +Qri +si with |ri | < 2ρ , and then we have |Qri +si | ≤ Q|ri |+1 ≤ Q·2ρ .
Note that vi ’s are published as a part of the public key, and one can execute
bootstrapping with input vi ’s to refresh a ciphertext. Meanwhile, by Lemma 1
the decryption is done by a circuit of degree Q3 λ. Therefore, for any encryption
c of a message m, the refreshed ciphertext c∗ ← Bootstrap(pk, c) will be of the
form c∗ = pq ∗ + Qr∗ + m with log |Qr∗ + m| ≤ Q3 λ · (log Q + ρ) ∝ Q3 (since
log Q
ρ). Since the size η of p should be greater than log |Qr∗ + m| to prevent
a decryption failure, we can conclude that η is proportional to Q3 : η ∝ Q3 .
Similarly the size γ of N is proportional to Q6 as γ ∝ η 2 : γ ∝ Q6 . We will
use subscript notation ηQ and γQ to emphasize this dependence. Obviously, the
number L of digits of precision depends on Q by deﬁnition, so we denote it
by LQ . Note that since p ∈ [2ηQ −1 , 2ηQ ) ∩ Z and N ∈ [1, 2γQ ) ∩ Z, p and N also
rely on Q. So we also denote them by pQ and NQ to highlight the eﬀect of Q.
On the other hand, there are also some parameters independent of Q. The
error size ρ is chosen so that the approximate GCD problem is hard, and the
number Θ of secret bits si is chosen so that the sparse subset sum problem is
hard [NK15, Sect. 5]. These two problems remain unaﬀected by change of Q, so
the same ρ and Θ will work for both Convert-NK2 and NKQ schemes. We restate
the selection of parameters of Sect. 2.3 with the eﬀect of Q:
ηQ = Θ(Q3 λ2 log log λ), γQ = Θ(Q6 λ4 log2 λ), and LQ = logQ λ + 2.
4.2
Eﬃciency of Convert-NK2 Measured Against NKQ
Since ciphertexts in the scheme NKQ are deﬁned modulo NQ ∈ [1, 2γQ ) ∩ Z, they
are of size γQ . A ciphertext of Convert-NK2 , on the other hand, is an n-tuple of
ciphertexts of NK2 , so its size will be n · γ2 ∼ γ2 log Q. Proposition 2 tells us that
ciphertext size of Convert-NK2 is asymptotically smaller than that of NKQ .
446
E. Kim and M. Tibouchi
Proposition 2. For a given security parameter λ and any prime Q, let γ2 =
γ2 · log Q. Then we have
γ2
log Q
∼ 64 ·
.
γQ
Q6
Proof. By the argument in the previous section, we have γQ = Θ(Q6 λ4 log2 λ)
where the implied constant does not depend on Q. Therefore (note that γ2 is γQ
with Q = 2)
γ2
γ2 · log Q
26 λ4 log2 λ · log Q
64 log Q
∼
∼
.
∼
2
6
4
γQ
γQ
Q6
Q λ log λ
Then, we would like to compare the speed, in a suitable sense, of homomorphic operations in NKQ on the one hand and Convert-NK2 on the other.
That speed is essentially determined by the cost of homomorphic multiplications modulo Q. Now, in NKQ , a homomorphic multiplication consists of an
integer multiplication modulo NQ followed by a bootstrapping operation, and
that latter operation will dominate the cost of the computation1 . On the other
hand, in Convert-NK2 , a homomorphic multiplication is carried out by homomorphically evaluating the Boolean circuit for multiplication modulo Q using
NK2 , which in turns costs as many NK2 ciphertext refresh operations as there
are AND gates in that Boolean circuit BMultQ . Therefore, we compare precisely
those two quantities in the following proposition.
Proposition 3. For a given security parameter λ and any
the time complexity of a single ciphertext refresh operation
the time complexity of carrying out a multiplication mod Q
homomorphically evaluating the Boolean circuit for modular
a refresh operation after each AND gate). Then we have
prime Q, let TQ be
in NKQ , and T2 be
in Convert-NK2 (by
multiplication, with
log4 Q
T2
≤ 2176 ·
.
TQ
Q7
To prove Proposition 3, we need to count a more precise number of operations
needed to carry out the Nuida–Kurosawa mod-Q bootstrapping. This is done
in the next two lemmas: Lemma 2 gives the number of AND gates used in the
half adder HAQ , and Lemma 3 gives the number of calls to HAQ in squashed
decryption circuit. By combining the two lemmas, we can estimate the number
of used homomorphic AND gates in bootstrapping procedure of Convert-NK2 .
1
One can ask whether it could be beneﬁcial to choose parameters in such a way that
refreshed ciphertexts support not just one but several levels of multiplication before
another bootstrapping is required. The answer is no: to support d additional levels
of multiplications, one needs to increase the size η of the secret prime p by a factor
2d , and hence overall ciphertext size γ by a factor Ω(22d ). This makes all operations
on ciphertexts at least Ω(22d ) slower, while one gains a factor at most O(2d ) on the
number of required bootstrapping operations, so there is a net eﬃciency loss overall.
FHE Over the Integers and Modular Arithmetic Circuits
447
Q−1
y
Lemma 2. One can evaluate fcarry,Q (x, y) = i=1 xi Q Q−i
mod Q using
Q
4Q − 7 mod-Q multiplications. In particular, when Q = 2, we need only 1 mod-2
multiplication, i.e., 1 AND operation, as we expect.
a
b Q = a(a − 1) · · · (a − b + 1) · InvQ (b!), we have
Q−1 x
Q−1
y
i=1
i=1 x(x−1) · · · (x−i+1)·y(y−1) · · · (y−
i Q Q−i Q =
Proof. By the deﬁnition of
fcarry,Q (x, y) =
Q + i + 1)InvQ (i!(Q − i)!). First we compute Y1 = (y − 1), Y2 = (y − 1)(y − 2),
· · · , YQ−2 = (y−1)(y−2) · · · (y−Q+2) which requires Q−3 multiplications. And
compute X0 = yx, X1 = yx(x − 1), · · · , XQ−2 = yx(x − 1) · · · (x − Q + 2) which
is done by Q − 2 multiplications. Then i-th term in fcarry,Q is Xi · YQ−i−1 ·
InvQ (i!(Q − i)!) that requires 2 more multiplications, and in total 2(Q − 1)
multiplications since we iterate this for i = 1, · · · , Q − 1. To sum up, we need
(Q − 3) + (Q − 2) + 2(Q − 1) = 4Q − 7 mod-Q multiplications to compute
fcarry,Q (x, y).
Lemma 3. In NKQ . Decrypt, one can compute the iterated addition
using HAQ at most ΘL2 times.
Θ
i=1 si zi
Proof. Here we concentrate on counting the number of call to HAQ only, and
full algorithm is described in [NK15, Sect. 4].
Θ
Let ai = si zi and ai;j = si zi;j for 1 ≤ i ≤ Θ, 0 ≤ j ≤ L. Then i=1 si zi =
Θ
i=1 ai is computed by
a1 = a1;0 . a1;1 · · · a1;L
a2 = a2;0 . a2;1 · · · a2;L
..
.
+) aΘ = aΘ;0 . aΘ;1 · · · aΘ;L
(First iteration) For j-th column (a1;j , a2;j , · · · , aΘ;j ) , apply HAQ Θ times
Θ
sequentially to obtain (αj , (β2;j , · · · , βΘ;j ) ) such that
i=1 ai;j = αj + Q ·
Θ
β
.
Since
we
do
this
for
0
≤
j
≤
L,
we
need
to
apply
HAQ about Θ · L
i=2 i;j
times.
(Next iteration) Each column has diﬀerent weight; for j-th column we have
the weight of Q−j , and so
Θ
−j
ai;j Q
−j
= αj · Q
Θ
+
i=1
βi;j
i=2
Therefore it suﬃces to add the following:
α0 . α1 · · · αL−1
β2;1 . β2;2 · · · β2;L
..
.
+) βΘ;1 . βΘ;2 · · · βΘ;L
· Q−(j−1) .
448
E. Kim and M. Tibouchi
Note that αL is the last digit of the result, and β2;0 , · · · , βΘ;0 are canceled by
modulo Q reduction. Repeat a similar process with the ﬁrst iteration. To obtain
all the digits of the result, we have to iterate these processes about L more times.
One can do this by applying HAQ about ΘL2 times altogether.
Now we present the proof of Proposition 3:
Proof (Proof of Proposition 3). For any constant prime Q, let us denote by tQ
the time complexity of mod-NQ multiplication. Then TQ is tQ multiplied by
the number of multiplications in NKQ . Decrypt, and T2 is T2 multiplied by the
number of AND gates in BMultQ circuit.
As far as we know, the best time complexity for k-bit multiplication is
∗
ur09]. In our
k log k2O(log k) where log k represents the iterated logarithm [Fă
case, k is γQ and log γQ = log Θ(Q6 λ4 log2 λ) = 6 log Q + 4 log λ + 2 log log λ +
constant. Here the eﬀect of log Q is dominated by that of log λ, so we can esti∗
mate t2 /tQ by γ2 /γQ since we can ignore eﬀect of Q in the part log γQ 2O(log γQ ) .
Furthermore, γ2 /γQ = 26 λ4 log2 λ/Q6 λ4 log2 λ = 64/Q6 .
By Lemma 3, we call HAQ in NKQ . Decrypt about ΘL2Q times. Since each
half adder HAQ consists of exactly one evaluation of the polynomial fcarry,Q ,
the number of multiplications in NKQ . Decrypt is about 4QΘL2Q by Lemma 2.
On the other hand, we need 17 log2 Q AND gates for the Boolean circuit BMultQ
as in Proposition 1.
T2
17 log2 Q · 8ΘL22 t2
34 log2 Q log2 λ 64
2176 log4 Q
≤
·
∼
.
· 6 ∼
2
2
2
TQ
4QΘLQ
tQ
Q7
Q log λ/ log Q Q
Remark 1. The value
64 log Q
Q6
is 0.139146 if Q = 3 and 0.009511 if Q = 5, and
4
Q
is 0.809588 for
becomes much smaller as Q grows. Similarly, the value 2176Qlog
7
Q = 5 and 0.164120 for Q = 7. Thus, as shown in Table 1, even for small Q,
Convert-NK2 is more advantageous than NKQ in all practical respects.
Table 1. The values 64 log Q/Q6 and 2176 log4 Q/Q7 for the ﬁrst ﬁve odd primes
Q 64 log Q/Q6 2176 log4 Q/Q7
3
0.139146
6.278936
5
0.009511
0.809588
7
0.001527
0.164120
11 0.000125
0.015993
13 0.000049
0.006502
FHE Over the Integers and Modular Arithmetic Circuits
5
449
Conclusion
In this work, we have compared the two schemes NKQ and Convert-NK2 , and
have seen that the latter is preferable in almost every measure, even for very
small values of Q. That conclusion follows from a detailed analysis quantifying the precise dependence of the parameters of the underlying scheme with
respect to the modulus Q. It is also based on a particularly simple choice of the
Boolean circuits for modular arithmetic; more careful choices may result in an
even greater performance advantage in favor of the naive bitwise approach.
Based on our concrete estimates, we conclude that the Nuida–Kurosawa approach is not competitive for any Q > 3 (and possibly not even Q = 3) as soon as
one needs to carry out ciphertext refresh operations—and if one does not need
bootstrapping, other somewhat homomorphic schemes with large message space
are certainly preferable.
References
[CCK+13] Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi,
M., Yun, A.: Batch Fully Homomorphic Encryption over the Integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013.
LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). doi:10.1007/
978-3-642-38348-9 20
[CLT14] Coron, J.-S., Lepoint, T., Tibouchi, M.: Scale-invariant fully homomorphic encryption over the integers. In: Krawczyk, H. (ed.) PKC 2014.
LNCS, vol. 8383, pp. 311–328. Springer, Heidelberg (2014). doi:10.1007/
978-3-642-54631-0 18
[CMNT11] Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic
encryption over the integers with shorter public keys. In: Rogaway, P. (ed.)
CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011).
doi:10.1007/978-3-642-22792-9 28
[CNT12] Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and
modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012.
LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). doi:10.1007/
978-3-642-29011-4 27
[CS15] Cheon, J.H., Stehl´e, D.: Fully homomophic encryption over the integers revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015.
LNCS, vol. 9056, pp. 513–536. Springer, Heidelberg (2015). doi:10.1007/
978-3-662-46800-5 20
[DGHV10] Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic
encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010.
LNCS, vol. 6110, pp. 2443. Springer, Heidelberg (2010). doi:10.1007/
978-3-642-13190-5 2
[Fă
ur09] Fă
urer, M.: Faster integer multiplication. SIAM J. Comput. 39(3), 9791005
(2009). doi:10.1137/070711761
[Gen09a] Gentry. C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford
University (2009). crypto.stanford.edu/craig
450
E. Kim and M. Tibouchi
[Gen09b] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 169–178. ACM (2009). doi:10.1145/
1536414.1536440
[NK15] Nuida, K., Kurosawa, K.: (Batch) fully homomorphic encryption over integers for non-binary message spaces. In: Oswald, E., Fischlin, M. (eds.)
Advances in Cryptology–EUROCRYPT 2015. LNCS, vol. 9056, pp. 537–
555. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5 21
[PAD12] Pisa, P.S., Abdalla, M., Duarte, O.C.M.B.: Somewhat homomorphic
encryption scheme for arithmetic operations on large integers. In: GIIS
2012, pp. 1–8. IEEE (2012). doi:10.1109/GIIS.2012.6466769
[RAD78] Rivest, R.L., Adleman, L.M., Dertouzos, M.L.: On data banks and privacy
homomorphisms. In: DeMillo, R.A. (ed.) Foundations of Secure Computation, pp. 169–180. Academic Press (1978)
[vzGS91] von zur Gathen, J., Seroussi, G.: Boolean circuits versus arithmetic circuits.
Inf. Comput. 91(1), 142–154 (1991). doi:10.1016/0890-5401(91)90078-G
An Eﬃcient Somewhat Homomorphic
Encryption Scheme Based on Factorization
G´erald Gavin(B)
ERIC - Universit´e de Lyon, 5 av. Mend´es France, 69676 Bron, France
gavin@univ-lyon1.fr
Abstract. Surprisingly, most of existing provably secure FHE or SWHE
schemes are lattice-based constructions. It is legitimate to question
whether there is a mysterious link between homomorphic encryptions and
lattices. This paper can be seen as a ﬁrst (partial) negative answer to this
question. We propose a very simple private-key (partially) homomorphic
encryption scheme whose security relies on factorization. This encryption
scheme deals with a secret multivariate rational function φD deﬁned over
Zn , n being an RSA-modulus. An encryption of x is simply a vector c
such that φD (c) = x + noise. To get homomorphic properties, nonlinear
operators are speciﬁcally developed. We ﬁrst prove IND-CPA security
in the generic ring model assuming the hardness of factoring. We then
extend this model in order to integrate lattice-based cryptanalysis and
we reduce the security of our scheme (in this extended model) to an algebraic condition. This condition is extensively discussed for several choices
of parameters. Some of these choices lead to competitive performance
with respect to other existing homomorphic encryptions. While quantum
computers are not only dreams anymore, designing factorization-based
cryptographic schemes might appear as irrelevant. But, it is important
to notice that, in our scheme, the factorization of n is not required to
decrypt. The factoring assumption simply ensures that solving nonlinear
equations or ﬁnding non-null polynomials with many roots is diﬃcult.
Consequently, the ideas behind our construction could be re-used in rings
satisfying these properties.
1
Introduction
The prospect of outsourcing an increasing amount of data storage and management to cloud services raises many new privacy concerns for individuals and
businesses alike. The privacy concerns can be satisfactorily addressed if users
encrypt the data they send to the cloud. If the encryption scheme is homomorphic, the cloud can still perform meaningful computations on the data, even
though it is encrypted.
The theoretical problem of constructing a fully homomorphic encryption
scheme (FHE) supporting arbitrary functions f , was only recently solved by
the breakthrough work of Gentry [6]. More recently, further fully homomorphic
schemes were presented [4,7,16,17] following Gentry’s framework. The underlying tool behind all these schemes is the use of Euclidean lattices, which have
c Springer International Publishing AG 2016
S. Foresti and G. Persiano (Eds.): CANS 2016, LNCS 10052, pp. 451–464, 2016.
DOI: 10.1007/978-3-319-48965-0 27
452
G. Gavin
previously proved powerful for devising many cryptographic primitives. A central aspect of Gentry’s fully homomorphic scheme (and the subsequent schemes)
is the ciphertext refreshing Recrypt operation. Even if many improvements have
been made, this operation remains very costly [8,12].
In many real-world applications, in the medical, ﬁnancial, and the advertising
domains, which require only that the encryption scheme is somewhat homomorphic. Somewhat homomorphic encryption schemes (SWHE), which support a
limited number of homomorphic operations, can be much faster, and more compact than fully homomorphic encryption schemes. Even if several quite eﬃcient
lattice-based SWHE exist in the literature, signiﬁcant eﬃciency improvements
should be done for most real-world applications. This paper aims at elaborating
an eﬃcient SWHE whose security relies on factorization.
Many cryptographic constructions are based on the famous problem
LWE [14]. In particular, this cryptographic problem is currently the most relevant to build FHE [2,9]. Typically, the secret key is a vector s ∈ Zκn and
an encryption c of a value x
n is a randomly chosen vector satisfying1
s · c = x + noise. This scheme is born (partially) additively homomorphic
making it vulnerable against lattice-based attacks. We propose a slight modiﬁcation to remove this homomorphic property. In our scheme, the secret key
becomes a pair of vectors (s 1 , s 2 ) and c is a randomly chosen vector satisfying
s 1 · c/s 2 · c = x + noise ( mod n). Clearly, the vector sum is not a homomorphic
operator anymore. This is a sine qua non condition for overcoming lattice-based
attacks. Indeed, as a ciphertext c is a vector, it is always possible to write it as
a linear combination of other known ciphertexts. Thus, if the vector sum were a
homomorphic operator, the cryptosystem would not be secure at all. This simple remark suﬃces to prove the weakness of the homomorphic cryptosystems
presented in [11,18]. In order to use the vector sum as a homomorphic operator, noise should be injected into the encryptions as done in all existing FHE
[3,4,6,7,16,17] and lattice-based attacks can be mount to recover linear combinations with small coeﬃcients. To resist against such attacks, the dimension of
c should be chosen suﬃciently large which dramatically degrades performance.
To obtain homomorphic properties, nonlinear homomorphic operators Add
and Mult should be developed and published. Quadratic homomorphic operators
can be naturally deﬁned. However, it should be ensured that these operators do
not leak information about the secret key. We get results in this sense under the
factoring assumption where n is a product of large secret primes. In particular,
we prove the IND-CPA security of our scheme in the generic ring model [1,10] for
any κ ≥ 2. In this model, the CPA attacker is assumed to only perform arithmetic
operations +, −, ×, /. A security proof in the generic model indicates that the
idea of basing the security on factorization is not totally ﬂawed. This leads us
more or less to the situation of RSA where it was recently shown that breaking
the security of RSA in the generic ring model is as diﬃcult as factoring [1].
A classical objection against security analysis in the generic ring model deals
with the Jacobi symbol Jn . For concreteness, it was shown in [10] that computing
1
s · c denoting the scalar product between s and c.
An Eﬃcient Somewhat Homomorphic Encryption Scheme
453
Jn is diﬃcult in the generic ring model while it is not in general. However, this
result is neither surprising nor relevant because Jn is not a rational function2 .
Indeed, we can even show that φ(x) = Jn (x) with probability smaller than 1/2
provided φ is a rational function and x uniform over Z∗n . In our scheme, the
function φ deﬁned by φ(c) = x + noise is rational suggesting that a security
analysis in the generic ring model is meaningful.
However, the security analysis in the generic ring model is not suﬃcient
because lattice-based cryptanalysis exploiting the fact that x + noise is small is
not considered in this model. In Sect. 5, we propose a general characterization of
lattice-based attacks which naturally extends the generic ring model. We reduce
the non-existence of such attacks to an algebraic condition. This condition is
discussed in Sect. 5.3 for several choices of κ. We prove that this condition is satisﬁed for κ = Θ(λ) proving the non-existence of lattice-based attacks. Moreover,
the simplest and most natural lattice-based attack is shown ineﬃcient provided
κ = Ω(log λ). By assuming that this attack is also the most eﬃcient, choosing
κ = Θ(log λ) could hopefully ensure the non-existence of eﬃcient lattice-based
attacks.
Notation. We use standard Landau notations. Throughout this paper, we let
λ denote the security parameter: all known attacks against the cryptographic
scheme under scope should require 2Ω(λ) bit operations to mount.
– δ ≥ 2 is a positive integer independent of λ.
– The inner product of two vectors v and v is denoted by v · v
– The set of all square 2κ − by − 2κ matrices over Zn is denoted by Zn2κ×2κ . The
ith row of S ∈ Zn2κ×2κ is denoted by si and Li denotes the linear function
deﬁned by Li (v ) = si · v .
– A δ-RSA modulus n is a product of δ η-bit primes p1 · · · pδ where η is chosen suﬃciently large to ensure that the factorization of n requires Ω(2λ ) bit
operations provided p1 , . . . , pδ are randomly chosen.
– The set of the positive integer strictly smaller than ξ is denotes by Iξ =
{0, . . . , ξ − 1}.
Remark 1. The number M (m, d) of m-variate monomials of degree d is equal to
d+m−1
. In particular, M (2κ, κ) > 3κ for any κ ≥ 2.
d
Because of the lack of space, most of the proofs were omitted. They
can be found in [5].
2
Preliminary Deﬁnitions and Results
Let δ ≥ 2 be a positive integer (independent of the security parameter) and let
n = p1 · · · pδ be a randomly chosen δ-RSA modulus. Given a r-variate function
φ and a subset I ⊆ Zrn , zφ,I denotes the probability over I that φ(x) = 0,
2
It comes from the fact that Jn (x) mod p (resp. Jn (x) mod q) is not a function of
x mod p (resp. x mod q).