Tải bản đầy đủ - 0 (trang)
1 `39`42`"613A``45`47`"603AEvaluateQ and mod-Q Arithmetic Circuits

# 1 `39`42`"613A``45`47`"603AEvaluateQ and mod-Q Arithmetic Circuits

Tải bản đầy đủ - 0trang

FHE Over the Integers and Modular Arithmetic Circuits

443

Algorithm 2. BAddQ , Boolean circuit for mod-Q addition

Input: m, m ∈ Z/QZ

Output: m + m mod Q

sum ← m + m

sum ← sum − 0 or Q

return sum

n bit addition (2n AND)

(7n AND)

Modn+1

Q

n + 1 Input bits of A

···

bit-by-bit

AND

..

.

..

.

..

..

.

..

.

A−Q

..

.

..

.

..

.

bit-by-bit

AND

n Output bits of A (mod Q)

A ≥ Q?

.

..

.

Fig. 1. Modn+1

Q : For an (n + 1)-bit input integer A with 0 ≤ A < 2Q, the circuit

outputs

A mod Q. The ‘A ≥ Q?’ part takes an (n + 1)-bit integer A as input

Modn+1

Q

and returns 1 if A ≥ Q and 0 otherwise. ‘bit-by-bit AND’ part takes an n-bit string

(an−1 , · · · , a0 ) and a bit b as inputs, and output n-bit string (an−1 ∧ b, · · · , a0 ∧ b)

Algorithm 3. BMultQ , Boolean circuit for mod-Q multiplication

Input: m, m = (mn−1 , · · · , m0 ) ∈ Z/QZ

Output: m · m mod Q

prod ← m · mn−1

for i = n − 2, · · · , 1, 0 do

prod ← (prod

1) − 0 or Q

next ← m · mi

prod ← BAddQ (prod, next)

end for

return prod

(7n AND)

Modn+1

Q

n bit-by-bit AND operation (n AND)

444

E. Kim and M. Tibouchi

typically the costly operation in the underlying scheme Π2 : for example, in the

Nuida–Kurosawa scheme, they correspond to a large integer modular multiplication followed by an expensive ciphertext refresh (i.e. bootstrapping) operation.

Since the usual full adder and full subtractor can be realized by using 2

AND gates, both n-bit addition and subtraction circuits are constructed using

consists of one comparison (A ≥ Q?), one

2n AND gates. The circuit Modn+1

Q

subtraction (A − Q), and two bit-by-bit AND operations. It is well known that,

for two bits b and b , the bit inequality (b > b ) is determined by b ∧ ¬b (where

(statement) = 1 if the statement is true, and 0 otherwise). One can check the bit

equality (b = b ) from b ⊕ ¬b . Then the comparison (A > B) of two (n + 1)-bit

n

n

integers A = i=0 ai 2i and B = i=0 bi 2i is:

(an > bn ), or

⎨ (an = bn ) ∧ (an−1 > bn−1 ), or

..

.

(an = bn ) ∧ · · · ∧ (a1 = b1 ) ∧ (a0 > b0 ).

We need 3n AND gates for the comparison; n + 1 AND for bit inequalities

(ai > bi ), n − 1 AND among bit equalities (an = bn ) ∧ · · · ∧ (a1 = b1 ), and n

more AND for the last parts ∧(ai > bi ). An n bit subtraction and a bit-by-bit

circuit

AND operation use 2n and n AND gates, respectively, and so Modn+1

Q

requires 7n AND gates in total. BAddQ circuit contains one n-bit addition and

one call to Modn+1

Q , and BMultQ circuit iterates about n times and each iteration

uses 17n AND gates. Summarizing, we need the following numbers of AND gates

for BAddQ and BMultQ :

Proposition 1. For an n-bit prime Q, BAddQ uses 9n AND gates, and BMultQ

uses 17n2 AND gates.

4

Comparison of Convert-NK2 with NKQ

The main goal of this paper is to understand how much of an improvement that

Nuida–Kurosawa’s approach to the homomorphic evaluation of modular arithmetic circuits have achieved over a more naive technique based on conversions

to and from binary representations.

In this section, we quantify this improvement in concrete terms, by comparing

the eﬃciency of two approaches that evaluate mod-Q message homomorphically,

focusing on the NK scheme. For any prime Q, denote by NKQ the NK FHE scheme

with message space M = Z/QZ, and by Convert-NK2 the FHE scheme obtained

from Π2 = NK2 using the naive conversion method described in Sect. 3. Then

we will compare the two schemes Convert-NK2 and NKQ in terms of the size

of ciphertexts and the time complexity of basic operations carried out during

homomorphic evaluation.

As mentioned in the introduction, it is easy to see that Convert-NK2 will be

more eﬃcient than NKQ for large values of Q, due to the fact that the squashed

FHE Over the Integers and Modular Arithmetic Circuits

445

decryption circuit (and hence each ciphertext refresh operation) of NKQ has a

depth polynomial in Q, whereas the overhead incurred by using bitwise representations as in Convert-NK2 is at most polylogarithmic in Q. However, a

more careful analysis is needed to compare the relative eﬃciencies of NKQ and

Convert-NK2 for very small Q, such as Q is 3, 5 or 7.

4.1

Dependence of NKQ Parameters upon Q

As we pointed out above, there are several factors making parameters depend on

the message size Q. Decrypting a ciphertext is done by a circuit of degree Q3 λ as

in Lemma 1. As a result, the noise of a refreshed ciphertext is Q3 λ times larger

than that of encrypted secret key bits. To ensure the correctness, the secret prime

p should be larger than that noise bound. Thus, Q aﬀects the size η of p since the

multiplicative degree of Bootstrap is related to the degree of Decrypt and hence

it depends on Q. Although Q is regarded as constant in the parameter selection

of [NK15], estimating how it concretely aﬀects the parameters is necessary to

compare Convert-NK2 with NKQ .

In the key generation step of NKQ , the secret key bits si ’s are encrypted as

vi = pqi +Qri +si with |ri | < 2ρ , and then we have |Qri +si | ≤ Q|ri |+1 ≤ Q·2ρ .

Note that vi ’s are published as a part of the public key, and one can execute

bootstrapping with input vi ’s to refresh a ciphertext. Meanwhile, by Lemma 1

the decryption is done by a circuit of degree Q3 λ. Therefore, for any encryption

c of a message m, the refreshed ciphertext c∗ ← Bootstrap(pk, c) will be of the

form c∗ = pq ∗ + Qr∗ + m with log |Qr∗ + m| ≤ Q3 λ · (log Q + ρ) ∝ Q3 (since

log Q

ρ). Since the size η of p should be greater than log |Qr∗ + m| to prevent

a decryption failure, we can conclude that η is proportional to Q3 : η ∝ Q3 .

Similarly the size γ of N is proportional to Q6 as γ ∝ η 2 : γ ∝ Q6 . We will

use subscript notation ηQ and γQ to emphasize this dependence. Obviously, the

number L of digits of precision depends on Q by deﬁnition, so we denote it

by LQ . Note that since p ∈ [2ηQ −1 , 2ηQ ) ∩ Z and N ∈ [1, 2γQ ) ∩ Z, p and N also

rely on Q. So we also denote them by pQ and NQ to highlight the eﬀect of Q.

On the other hand, there are also some parameters independent of Q. The

error size ρ is chosen so that the approximate GCD problem is hard, and the

number Θ of secret bits si is chosen so that the sparse subset sum problem is

hard [NK15, Sect. 5]. These two problems remain unaﬀected by change of Q, so

the same ρ and Θ will work for both Convert-NK2 and NKQ schemes. We restate

the selection of parameters of Sect. 2.3 with the eﬀect of Q:

ηQ = Θ(Q3 λ2 log log λ), γQ = Θ(Q6 λ4 log2 λ), and LQ = logQ λ + 2.

4.2

Eﬃciency of Convert-NK2 Measured Against NKQ

Since ciphertexts in the scheme NKQ are deﬁned modulo NQ ∈ [1, 2γQ ) ∩ Z, they

are of size γQ . A ciphertext of Convert-NK2 , on the other hand, is an n-tuple of

ciphertexts of NK2 , so its size will be n · γ2 ∼ γ2 log Q. Proposition 2 tells us that

ciphertext size of Convert-NK2 is asymptotically smaller than that of NKQ .

446

E. Kim and M. Tibouchi

Proposition 2. For a given security parameter λ and any prime Q, let γ2 =

γ2 · log Q. Then we have

γ2

log Q

∼ 64 ·

.

γQ

Q6

Proof. By the argument in the previous section, we have γQ = Θ(Q6 λ4 log2 λ)

where the implied constant does not depend on Q. Therefore (note that γ2 is γQ

with Q = 2)

γ2

γ2 · log Q

26 λ4 log2 λ · log Q

64 log Q

.

2

6

4

γQ

γQ

Q6

Q λ log λ

Then, we would like to compare the speed, in a suitable sense, of homomorphic operations in NKQ on the one hand and Convert-NK2 on the other.

That speed is essentially determined by the cost of homomorphic multiplications modulo Q. Now, in NKQ , a homomorphic multiplication consists of an

integer multiplication modulo NQ followed by a bootstrapping operation, and

that latter operation will dominate the cost of the computation1 . On the other

hand, in Convert-NK2 , a homomorphic multiplication is carried out by homomorphically evaluating the Boolean circuit for multiplication modulo Q using

NK2 , which in turns costs as many NK2 ciphertext refresh operations as there

are AND gates in that Boolean circuit BMultQ . Therefore, we compare precisely

those two quantities in the following proposition.

Proposition 3. For a given security parameter λ and any

the time complexity of a single ciphertext refresh operation

the time complexity of carrying out a multiplication mod Q

homomorphically evaluating the Boolean circuit for modular

a refresh operation after each AND gate). Then we have

prime Q, let TQ be

in NKQ , and T2 be

in Convert-NK2 (by

multiplication, with

log4 Q

T2

≤ 2176 ·

.

TQ

Q7

To prove Proposition 3, we need to count a more precise number of operations

needed to carry out the Nuida–Kurosawa mod-Q bootstrapping. This is done

in the next two lemmas: Lemma 2 gives the number of AND gates used in the

half adder HAQ , and Lemma 3 gives the number of calls to HAQ in squashed

decryption circuit. By combining the two lemmas, we can estimate the number

of used homomorphic AND gates in bootstrapping procedure of Convert-NK2 .

1

One can ask whether it could be beneﬁcial to choose parameters in such a way that

refreshed ciphertexts support not just one but several levels of multiplication before

another bootstrapping is required. The answer is no: to support d additional levels

of multiplications, one needs to increase the size η of the secret prime p by a factor

2d , and hence overall ciphertext size γ by a factor Ω(22d ). This makes all operations

on ciphertexts at least Ω(22d ) slower, while one gains a factor at most O(2d ) on the

number of required bootstrapping operations, so there is a net eﬃciency loss overall.

FHE Over the Integers and Modular Arithmetic Circuits

447

Q−1

y

Lemma 2. One can evaluate fcarry,Q (x, y) = i=1 xi Q Q−i

mod Q using

Q

4Q − 7 mod-Q multiplications. In particular, when Q = 2, we need only 1 mod-2

multiplication, i.e., 1 AND operation, as we expect.

a

b Q = a(a − 1) · · · (a − b + 1) · InvQ (b!), we have

Q−1 x

Q−1

y

i=1

i=1 x(x−1) · · · (x−i+1)·y(y−1) · · · (y−

i Q Q−i Q =

Proof. By the deﬁnition of

fcarry,Q (x, y) =

Q + i + 1)InvQ (i!(Q − i)!). First we compute Y1 = (y − 1), Y2 = (y − 1)(y − 2),

· · · , YQ−2 = (y−1)(y−2) · · · (y−Q+2) which requires Q−3 multiplications. And

compute X0 = yx, X1 = yx(x − 1), · · · , XQ−2 = yx(x − 1) · · · (x − Q + 2) which

is done by Q − 2 multiplications. Then i-th term in fcarry,Q is Xi · YQ−i−1 ·

InvQ (i!(Q − i)!) that requires 2 more multiplications, and in total 2(Q − 1)

multiplications since we iterate this for i = 1, · · · , Q − 1. To sum up, we need

(Q − 3) + (Q − 2) + 2(Q − 1) = 4Q − 7 mod-Q multiplications to compute

fcarry,Q (x, y).

Lemma 3. In NKQ . Decrypt, one can compute the iterated addition

using HAQ at most ΘL2 times.

Θ

i=1 si zi

Proof. Here we concentrate on counting the number of call to HAQ only, and

full algorithm is described in [NK15, Sect. 4].

Θ

Let ai = si zi and ai;j = si zi;j for 1 ≤ i ≤ Θ, 0 ≤ j ≤ L. Then i=1 si zi =

Θ

i=1 ai is computed by

a1 = a1;0 . a1;1 · · · a1;L

a2 = a2;0 . a2;1 · · · a2;L

..

.

+) aΘ = aΘ;0 . aΘ;1 · · · aΘ;L

(First iteration) For j-th column (a1;j , a2;j , · · · , aΘ;j ) , apply HAQ Θ times

Θ

sequentially to obtain (αj , (β2;j , · · · , βΘ;j ) ) such that

i=1 ai;j = αj + Q ·

Θ

β

.

Since

we

do

this

for

0

j

L,

we

need

to

apply

HAQ about Θ · L

i=2 i;j

times.

(Next iteration) Each column has diﬀerent weight; for j-th column we have

the weight of Q−j , and so

Θ

−j

ai;j Q

−j

= αj · Q

Θ

+

i=1

βi;j

i=2

Therefore it suﬃces to add the following:

α0 . α1 · · · αL−1

β2;1 . β2;2 · · · β2;L

..

.

+) βΘ;1 . βΘ;2 · · · βΘ;L

· Q−(j−1) .

448

E. Kim and M. Tibouchi

Note that αL is the last digit of the result, and β2;0 , · · · , βΘ;0 are canceled by

modulo Q reduction. Repeat a similar process with the ﬁrst iteration. To obtain

all the digits of the result, we have to iterate these processes about L more times.

One can do this by applying HAQ about ΘL2 times altogether.

Now we present the proof of Proposition 3:

Proof (Proof of Proposition 3). For any constant prime Q, let us denote by tQ

the time complexity of mod-NQ multiplication. Then TQ is tQ multiplied by

the number of multiplications in NKQ . Decrypt, and T2 is T2 multiplied by the

number of AND gates in BMultQ circuit.

As far as we know, the best time complexity for k-bit multiplication is

ur09]. In our

k log k2O(log k) where log k represents the iterated logarithm [Fă

case, k is γQ and log γQ = log Θ(Q6 λ4 log2 λ) = 6 log Q + 4 log λ + 2 log log λ +

constant. Here the eﬀect of log Q is dominated by that of log λ, so we can esti∗

mate t2 /tQ by γ2 /γQ since we can ignore eﬀect of Q in the part log γQ 2O(log γQ ) .

Furthermore, γ2 /γQ = 26 λ4 log2 λ/Q6 λ4 log2 λ = 64/Q6 .

By Lemma 3, we call HAQ in NKQ . Decrypt about ΘL2Q times. Since each

half adder HAQ consists of exactly one evaluation of the polynomial fcarry,Q ,

the number of multiplications in NKQ . Decrypt is about 4QΘL2Q by Lemma 2.

On the other hand, we need 17 log2 Q AND gates for the Boolean circuit BMultQ

as in Proposition 1.

T2

17 log2 Q · 8ΘL22 t2

34 log2 Q log2 λ 64

2176 log4 Q

·

.

· 6 ∼

2

2

2

TQ

4QΘLQ

tQ

Q7

Q log λ/ log Q Q

Remark 1. The value

64 log Q

Q6

is 0.139146 if Q = 3 and 0.009511 if Q = 5, and

4

Q

is 0.809588 for

becomes much smaller as Q grows. Similarly, the value 2176Qlog

7

Q = 5 and 0.164120 for Q = 7. Thus, as shown in Table 1, even for small Q,

Convert-NK2 is more advantageous than NKQ in all practical respects.

Table 1. The values 64 log Q/Q6 and 2176 log4 Q/Q7 for the ﬁrst ﬁve odd primes

Q 64 log Q/Q6 2176 log4 Q/Q7

3

0.139146

6.278936

5

0.009511

0.809588

7

0.001527

0.164120

11 0.000125

0.015993

13 0.000049

0.006502

FHE Over the Integers and Modular Arithmetic Circuits

5

449

Conclusion

In this work, we have compared the two schemes NKQ and Convert-NK2 , and

have seen that the latter is preferable in almost every measure, even for very

small values of Q. That conclusion follows from a detailed analysis quantifying the precise dependence of the parameters of the underlying scheme with

respect to the modulus Q. It is also based on a particularly simple choice of the

Boolean circuits for modular arithmetic; more careful choices may result in an

even greater performance advantage in favor of the naive bitwise approach.

Based on our concrete estimates, we conclude that the Nuida–Kurosawa approach is not competitive for any Q > 3 (and possibly not even Q = 3) as soon as

one needs to carry out ciphertext refresh operations—and if one does not need

bootstrapping, other somewhat homomorphic schemes with large message space

are certainly preferable.

References

[CCK+13] Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi,

M., Yun, A.: Batch Fully Homomorphic Encryption over the Integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013.

LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). doi:10.1007/

978-3-642-38348-9 20

[CLT14] Coron, J.-S., Lepoint, T., Tibouchi, M.: Scale-invariant fully homomorphic encryption over the integers. In: Krawczyk, H. (ed.) PKC 2014.

LNCS, vol. 8383, pp. 311–328. Springer, Heidelberg (2014). doi:10.1007/

978-3-642-54631-0 18

[CMNT11] Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic

encryption over the integers with shorter public keys. In: Rogaway, P. (ed.)

CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011).

doi:10.1007/978-3-642-22792-9 28

[CNT12] Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and

modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012.

LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). doi:10.1007/

978-3-642-29011-4 27

[CS15] Cheon, J.H., Stehl´e, D.: Fully homomophic encryption over the integers revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015.

LNCS, vol. 9056, pp. 513–536. Springer, Heidelberg (2015). doi:10.1007/

978-3-662-46800-5 20

[DGHV10] Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic

encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010.

LNCS, vol. 6110, pp. 2443. Springer, Heidelberg (2010). doi:10.1007/

978-3-642-13190-5 2

[Fă

ur09] Fă

urer, M.: Faster integer multiplication. SIAM J. Comput. 39(3), 9791005

(2009). doi:10.1137/070711761

[Gen09a] Gentry. C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford

University (2009). crypto.stanford.edu/craig

450

E. Kim and M. Tibouchi

[Gen09b] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 169–178. ACM (2009). doi:10.1145/

1536414.1536440

[NK15] Nuida, K., Kurosawa, K.: (Batch) fully homomorphic encryption over integers for non-binary message spaces. In: Oswald, E., Fischlin, M. (eds.)

Advances in Cryptology–EUROCRYPT 2015. LNCS, vol. 9056, pp. 537–

555. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5 21

[PAD12] Pisa, P.S., Abdalla, M., Duarte, O.C.M.B.: Somewhat homomorphic

encryption scheme for arithmetic operations on large integers. In: GIIS

2012, pp. 1–8. IEEE (2012). doi:10.1109/GIIS.2012.6466769

[RAD78] Rivest, R.L., Adleman, L.M., Dertouzos, M.L.: On data banks and privacy

homomorphisms. In: DeMillo, R.A. (ed.) Foundations of Secure Computation, pp. 169–180. Academic Press (1978)

[vzGS91] von zur Gathen, J., Seroussi, G.: Boolean circuits versus arithmetic circuits.

Inf. Comput. 91(1), 142–154 (1991). doi:10.1016/0890-5401(91)90078-G

An Eﬃcient Somewhat Homomorphic

Encryption Scheme Based on Factorization

G´erald Gavin(B)

ERIC - Universit´e de Lyon, 5 av. Mend´es France, 69676 Bron, France

gavin@univ-lyon1.fr

Abstract. Surprisingly, most of existing provably secure FHE or SWHE

schemes are lattice-based constructions. It is legitimate to question

whether there is a mysterious link between homomorphic encryptions and

lattices. This paper can be seen as a ﬁrst (partial) negative answer to this

question. We propose a very simple private-key (partially) homomorphic

encryption scheme whose security relies on factorization. This encryption

scheme deals with a secret multivariate rational function φD deﬁned over

Zn , n being an RSA-modulus. An encryption of x is simply a vector c

such that φD (c) = x + noise. To get homomorphic properties, nonlinear

operators are speciﬁcally developed. We ﬁrst prove IND-CPA security

in the generic ring model assuming the hardness of factoring. We then

extend this model in order to integrate lattice-based cryptanalysis and

we reduce the security of our scheme (in this extended model) to an algebraic condition. This condition is extensively discussed for several choices

of parameters. Some of these choices lead to competitive performance

with respect to other existing homomorphic encryptions. While quantum

computers are not only dreams anymore, designing factorization-based

cryptographic schemes might appear as irrelevant. But, it is important

to notice that, in our scheme, the factorization of n is not required to

decrypt. The factoring assumption simply ensures that solving nonlinear

equations or ﬁnding non-null polynomials with many roots is diﬃcult.

Consequently, the ideas behind our construction could be re-used in rings

satisfying these properties.

1

Introduction

The prospect of outsourcing an increasing amount of data storage and management to cloud services raises many new privacy concerns for individuals and

businesses alike. The privacy concerns can be satisfactorily addressed if users

encrypt the data they send to the cloud. If the encryption scheme is homomorphic, the cloud can still perform meaningful computations on the data, even

though it is encrypted.

The theoretical problem of constructing a fully homomorphic encryption

scheme (FHE) supporting arbitrary functions f , was only recently solved by

the breakthrough work of Gentry [6]. More recently, further fully homomorphic

schemes were presented [4,7,16,17] following Gentry’s framework. The underlying tool behind all these schemes is the use of Euclidean lattices, which have

c Springer International Publishing AG 2016

S. Foresti and G. Persiano (Eds.): CANS 2016, LNCS 10052, pp. 451–464, 2016.

DOI: 10.1007/978-3-319-48965-0 27

452

G. Gavin

previously proved powerful for devising many cryptographic primitives. A central aspect of Gentry’s fully homomorphic scheme (and the subsequent schemes)

is the ciphertext refreshing Recrypt operation. Even if many improvements have

been made, this operation remains very costly [8,12].

In many real-world applications, in the medical, ﬁnancial, and the advertising

domains, which require only that the encryption scheme is somewhat homomorphic. Somewhat homomorphic encryption schemes (SWHE), which support a

limited number of homomorphic operations, can be much faster, and more compact than fully homomorphic encryption schemes. Even if several quite eﬃcient

lattice-based SWHE exist in the literature, signiﬁcant eﬃciency improvements

should be done for most real-world applications. This paper aims at elaborating

an eﬃcient SWHE whose security relies on factorization.

Many cryptographic constructions are based on the famous problem

LWE [14]. In particular, this cryptographic problem is currently the most relevant to build FHE [2,9]. Typically, the secret key is a vector s ∈ Zκn and

an encryption c of a value x

n is a randomly chosen vector satisfying1

s · c = x + noise. This scheme is born (partially) additively homomorphic

making it vulnerable against lattice-based attacks. We propose a slight modiﬁcation to remove this homomorphic property. In our scheme, the secret key

becomes a pair of vectors (s 1 , s 2 ) and c is a randomly chosen vector satisfying

s 1 · c/s 2 · c = x + noise ( mod n). Clearly, the vector sum is not a homomorphic

operator anymore. This is a sine qua non condition for overcoming lattice-based

attacks. Indeed, as a ciphertext c is a vector, it is always possible to write it as

a linear combination of other known ciphertexts. Thus, if the vector sum were a

homomorphic operator, the cryptosystem would not be secure at all. This simple remark suﬃces to prove the weakness of the homomorphic cryptosystems

presented in [11,18]. In order to use the vector sum as a homomorphic operator, noise should be injected into the encryptions as done in all existing FHE

[3,4,6,7,16,17] and lattice-based attacks can be mount to recover linear combinations with small coeﬃcients. To resist against such attacks, the dimension of

c should be chosen suﬃciently large which dramatically degrades performance.

To obtain homomorphic properties, nonlinear homomorphic operators Add

and Mult should be developed and published. Quadratic homomorphic operators

can be naturally deﬁned. However, it should be ensured that these operators do

not leak information about the secret key. We get results in this sense under the

factoring assumption where n is a product of large secret primes. In particular,

we prove the IND-CPA security of our scheme in the generic ring model [1,10] for

any κ ≥ 2. In this model, the CPA attacker is assumed to only perform arithmetic

operations +, −, ×, /. A security proof in the generic model indicates that the

idea of basing the security on factorization is not totally ﬂawed. This leads us

more or less to the situation of RSA where it was recently shown that breaking

the security of RSA in the generic ring model is as diﬃcult as factoring [1].

A classical objection against security analysis in the generic ring model deals

with the Jacobi symbol Jn . For concreteness, it was shown in [10] that computing

1

s · c denoting the scalar product between s and c.

An Eﬃcient Somewhat Homomorphic Encryption Scheme

453

Jn is diﬃcult in the generic ring model while it is not in general. However, this

result is neither surprising nor relevant because Jn is not a rational function2 .

Indeed, we can even show that φ(x) = Jn (x) with probability smaller than 1/2

provided φ is a rational function and x uniform over Z∗n . In our scheme, the

function φ deﬁned by φ(c) = x + noise is rational suggesting that a security

analysis in the generic ring model is meaningful.

However, the security analysis in the generic ring model is not suﬃcient

because lattice-based cryptanalysis exploiting the fact that x + noise is small is

not considered in this model. In Sect. 5, we propose a general characterization of

lattice-based attacks which naturally extends the generic ring model. We reduce

the non-existence of such attacks to an algebraic condition. This condition is

discussed in Sect. 5.3 for several choices of κ. We prove that this condition is satisﬁed for κ = Θ(λ) proving the non-existence of lattice-based attacks. Moreover,

the simplest and most natural lattice-based attack is shown ineﬃcient provided

κ = Ω(log λ). By assuming that this attack is also the most eﬃcient, choosing

κ = Θ(log λ) could hopefully ensure the non-existence of eﬃcient lattice-based

attacks.

Notation. We use standard Landau notations. Throughout this paper, we let

λ denote the security parameter: all known attacks against the cryptographic

scheme under scope should require 2Ω(λ) bit operations to mount.

– δ ≥ 2 is a positive integer independent of λ.

– The inner product of two vectors v and v is denoted by v · v

– The set of all square 2κ − by − 2κ matrices over Zn is denoted by Zn2κ×2κ . The

ith row of S ∈ Zn2κ×2κ is denoted by si and Li denotes the linear function

deﬁned by Li (v ) = si · v .

– A δ-RSA modulus n is a product of δ η-bit primes p1 · · · pδ where η is chosen suﬃciently large to ensure that the factorization of n requires Ω(2λ ) bit

operations provided p1 , . . . , pδ are randomly chosen.

– The set of the positive integer strictly smaller than ξ is denotes by Iξ =

{0, . . . , ξ − 1}.

Remark 1. The number M (m, d) of m-variate monomials of degree d is equal to

d+m−1

. In particular, M (2κ, κ) > 3κ for any κ ≥ 2.

d

Because of the lack of space, most of the proofs were omitted. They

can be found in [5].

2

Preliminary Deﬁnitions and Results

Let δ ≥ 2 be a positive integer (independent of the security parameter) and let

n = p1 · · · pδ be a randomly chosen δ-RSA modulus. Given a r-variate function

φ and a subset I ⊆ Zrn , zφ,I denotes the probability over I that φ(x) = 0,

2

It comes from the fact that Jn (x) mod p (resp. Jn (x) mod q) is not a function of

x mod p (resp. x mod q).

### Tài liệu bạn tìm kiếm đã sẵn sàng tải về

1 `39`42`"613A``45`47`"603AEvaluateQ and mod-Q Arithmetic Circuits

Tải bản đầy đủ ngay(0 tr)

×