Fully Homomorphic Encryption - Simons Institute for the Theory of

Homomorphic Encryption (Part II):
Bootstrapping, FHE, and More
Shai Halevi
* Many slides taken from Craig Gentry
May 18, 2015
Simons Institute, Cryptography Boot Camp
Fully Homomorphic Encryption (FHE)

- A FHE scheme can evaluate unbounded-depth circuits
  - Not limited by a bound specified at Setup
  - Parameters (like the size of a ciphertext) do not depend on the evaluated depth
- So far, GSW can evaluate only depth $\log_{m+1} q$
  - How do we make it fully homomorphic?
- Bootstrapping: a way to get FHE…
A Digression into Philosophy…

- Can the human mind understand itself?
  - Or, as a mind becomes more complex, does the task of understanding also become more complex, so that self-understanding is always just out of reach?
- Self-reference can sometimes be proven impossible
  - Gödel's incompleteness theorem
  - Turing's Halting Problem
Philosophy Meets Cryptography

- Can a homomorphic encryption scheme decrypt itself?
  - We can try to plug the decryption function Dec(·,·) into Eval.
  - If we run $\mathrm{Eval}_{pk}(\mathrm{Dec}(\cdot,\cdot), c)$, does it work?
  - Suppose our HE scheme can Eval depth-d circuits; can we make Dec(·,·) fit in a depth-d circuit (or less)?
- Recryption = the process of running Eval on Dec(·,·).
So Far: Bounded Processing

- We can evaluate bounded-depth circuits f:
  [Figure: encrypted inputs μ1, μ2, …, μt are fed into f, yielding f(μ1, μ2, …, μt)]
- We get a noisy "evaluated ciphertext" y
  - Can still be decrypted
  - But eval f'(y) will increase the noise too much
Recryption: Refreshing a Ciphertext

- For ciphertext c, consider the function $D_c(\cdot) = \mathrm{Dec}(\cdot, c)$
- Suppose we can Eval depth $d$, but $D_c(\cdot)$ has depth $d-1$.
- Include in the public key also $\mathrm{Enc}_{pk}(sk)$
  [Figure: the encrypted key bits $sk_1, sk_2, \ldots, sk_n$ are fed into $D_c$; the homomorphic evaluation yields $c'$, an encryption of $D_c(sk) = \mathrm{Dec}(sk, c) = y$]
Bootstrapping Theorem (Informal)

- Suppose Ɛ is a HE scheme
  - that can evaluate arithmetic circuits of depth $d$
  - whose decryption algorithm is a circuit of depth $d-1$
- Call Ɛ a "bootstrappable" HE scheme
- Thm: From a bootstrappable somewhat homomorphic scheme, we can construct a fully homomorphic scheme.
- Technique: Refresh noisy ciphertexts by evaluating the decryption circuit homomorphically (Recryption)
Recryption for GSW

- $\mathrm{GSW.Dec}_{\mathbf{t}}(C)$: compute $\mathbf{z} := [C \times \mathbf{t}]_q$, output 0 if $\mathbf{z}$ is closer to $\mathbf{0}$, 1 if $\mathbf{z}$ is closer to $\mathbf{t}' = G \times \mathbf{t}$
- Let $\mathbf{w} = (q/2, 0, \ldots, 0)$, so $[\langle \mathbf{w}, \mathbf{t} \rangle]_q = q/2$
- Denote $\mathbf{c} = G^{-1}(\mathbf{w}) \times C$
  - $\langle \mathbf{c}, \mathbf{t} \rangle = G^{-1}(\mathbf{w}) \times C \times \mathbf{t} = \langle G^{-1}(\mathbf{w}),\ \mu \cdot \mathbf{t}' + \mathbf{e} \rangle$
    $= \mu \cdot G^{-1}(\mathbf{w}) \times G \times \mathbf{t} + \langle G^{-1}(\mathbf{w}), \mathbf{e} \rangle$
    $= \mu \cdot \langle \mathbf{w}, \mathbf{t} \rangle + \langle G^{-1}(\mathbf{w}), \mathbf{e} \rangle = \mu \cdot q/2 + \text{small} \pmod q$
- $\mathrm{GSW.Dec}'_{\mathbf{t}}(C)$: compute $z := [\langle \mathbf{c}, \mathbf{t} \rangle]_q$, output $\mathrm{MSB}(z) = 0$ if $|z|_q \le q/4$, $1$ if $|z|_q > q/4$
How Complex Is Decryption?

- $\mu = \mathrm{MSB}([\langle \mathbf{c}, \mathbf{t} \rangle]_q)$
- Depth is linear in $|\dim \mathbf{t}| + |q| = |n| + |\log q|$ (where $|\cdot|$ denotes bit length)
  - If $q$ is small enough (polynomial in the security parameter) then decryption is in NC1 (log-depth circuits).
- But wait, isn't $q$ really large?
  - $q$ grows with the Eval capacity of the scheme
  - Ideally, we would like the complexity of Dec to be independent of the Eval capacity.
Modulus Reduction Magic Trick

- Suppose $\mathbf{c}$ encrypts μ, that is, $\mu = \mathrm{MSB}([\langle \mathbf{c}, \mathbf{t} \rangle]_q)$
- Can we make $q$ smaller?
  - Pick $p < q$, set $\mathbf{c}' = \mathrm{round}\left(\frac{p}{q} \cdot \mathbf{c}\right) = \frac{p}{q} \cdot \mathbf{c} + \boldsymbol{\epsilon}$
  - Before we had $\langle \mathbf{c}, \mathbf{t} \rangle = \mu \cdot \frac{q}{2} + \mathbf{e} + \kappa \cdot q$ for some $\kappa$
  - Now we have $\langle \mathbf{c}', \mathbf{t} \rangle = \frac{p}{q} \cdot \langle \mathbf{c}, \mathbf{t} \rangle + \langle \boldsymbol{\epsilon}, \mathbf{t} \rangle = \mu \cdot \frac{p}{2} + \underbrace{\frac{p}{q} \cdot \mathbf{e} + \langle \boldsymbol{\epsilon}, \mathbf{t} \rangle}_{\text{new noise } \mathbf{e}'} + \kappa \cdot p$
  - If $\langle \boldsymbol{\epsilon}, \mathbf{t} \rangle$ is small enough, then $\mathbf{c}'$ encrypts the same μ.
Modulus Reduction Magic Trick, Notes

- [ACPS 2009] proved LWE hard even if $\mathbf{t}$ is small:
  - $\mathbf{t}$ chosen from the same distribution as the noise $\mathbf{e}$
  - With coefficients of size poly in the security parameter.
  - For $\mathbf{t}$ of polynomial size, we can modulus-reduce to a modulus $p$ of polynomial size before bootstrapping.
- Bottom line: after some processing, decryption for LWE-based encryption schemes (like GSW) is in NC1.
  - Complexity of Dec is independent of the Eval capacity.
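As an added example (not from these slides), a toy Python implementation of the two steps above: GSW decryption collapsed to a single LWE inner product via $\mathbf{c} = G^{-1}(\mathbf{w}) \times C$ with $\mathbf{w} = (q/2, 0, \ldots, 0)$, followed by the modulus-reduction trick $\mathbf{c}' = \mathrm{round}(\frac{p}{q}\mathbf{c})$, with the noise measured before and after. The secret $\mathbf{t} = (1, \mathbf{s})$ is drawn small, as in the [ACPS 2009] note, so that $\langle \boldsymbol{\epsilon}, \mathbf{t} \rangle$ stays small; the parameters $n=4$, $q=2^{10}$, $p=2^{6}$ and the error range $[-2, 2]$ are constructed for illustration and give no security.

```python
import random

# Toy GSW parameters, constructed for illustration only (far too small to be secure)
n, logq = 4, 10
q, p, m = 1 << logq, 1 << 6, n * logq   # ciphertext modulus, reduced modulus, gadget dimension
gadget_idx = [(i, k) for i in range(n) for k in range(logq)]  # row (i,k) of the m x n gadget G is 2^k * e_i

def keygen():
    # t = (1, s) with s from the small error distribution ([ACPS 2009]) so that <eps, t> stays small
    s = [random.randrange(-2, 3) for _ in range(n - 1)]
    A = [[random.randrange(q) for _ in range(n - 1)] for _ in range(m)]
    e = [random.randrange(-2, 3) for _ in range(m)]
    B = [[(-sum(a * si for a, si in zip(row, s)) - ei) % q] + row for row, ei in zip(A, e)]
    return [1] + s, B   # B = (-b | A) with b = A s + e, hence B x t = -e (small)

def g_inv(w):
    # Bit decomposition of w in Z_q^n: a 0/1 row of length m with g_inv(w) x G == w
    return [(w[i] >> k) & 1 for i, k in gadget_idx]
def encrypt(B, mu):
    # C = R x B + mu * G (m x n) with R a random 0/1 m x m matrix, so C x t = mu * G x t + R x (B x t)
    R = [[random.randrange(2) for _ in range(m)] for _ in range(m)]
    C = [[sum(B[l][j] for l in range(m) if R[r][l]) % q for j in range(n)] for r in range(m)]
    for r, (i, k) in enumerate(gadget_idx):
        C[r][i] = (C[r][i] + (mu << k)) % q
    return C

def lwe_row(C):
    # c = G^{-1}(w) x C with w = (q/2, 0, ..., 0), so <c, t> = mu * q/2 + small (mod q)
    g = g_inv([q // 2] + [0] * (n - 1))
    return [sum(C[l][j] for l in range(m) if g[l]) % q for j in range(n)]
def mod_reduce(c, new_mod):
    # Modulus reduction: c' = round(new_mod/q * c) = new_mod/q * c + eps with |eps_i| <= 1/2
    return [round(new_mod * ci / q) % new_mod for ci in c]
def noise(c, t, mu, mod):
    # Centered value of <c, t> - mu * mod/2 (mod mod): the noise e, or e' after modulus reduction
    z = (sum(ci * ti for ci, ti in zip(c, t)) - mu * (mod // 2)) % mod
    return z - mod if z > mod // 2 else z
def decrypt(c, t, mod):
    # MSB([<c, t>]_mod): 1 iff the centered value has absolute value > mod/4
    return 1 if abs(noise(c, t, 0, mod)) > mod // 4 else 0

def demo(seed=0):
    # For mu in {0, 1}: (decrypt mod q, decrypt mod p after reduction, |noise| mod q, |noise| mod p)
    random.seed(seed)
    t, B = keygen()
    def one(mu, c):
        c2 = mod_reduce(c, p)
        return decrypt(c, t, q), decrypt(c2, t, p), abs(noise(c, t, mu, q)), abs(noise(c2, t, mu, p))
    return [one(mu, lwe_row(encrypt(B, mu))) for mu in (0, 1)]
```

With these parameters the noise before reduction is at most $2m = 80 < q/4$ and after reduction at most $\lfloor 80 \cdot p/q + 3.5 \rfloor = 8 < p/4$, so both decryptions agree with μ for every seed.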
Evaluating NC1 Circuits in GSW

- Naïve way: just do log levels of NAND
- Each level multiplies the noise by a polynomial factor:
  $C_{NAND} \times \mathbf{t} = (G - G^{-1}(C_1) \times C_2) \times \mathbf{t} = (1 - \mu_1 \mu_2) \cdot \mathbf{t}' - (\mu_2 \cdot \mathbf{e}_1 + G^{-1}(C_1) \times \mathbf{e}_2)$
  - $d$ levels multiply the noise by $\le (m+1)^d$
  - Need to use $q = \mathrm{poly}(\lambda)^d = \lambda^{O(\log \lambda)}$
  - Security is based on LWE with a quasi-polynomial factor
Evaluating NC1 Circuits in GSW

- Can get a polynomial factor using the asymmetry in the noise
- Use special circuits where all multiplications have fresh ciphertexts on the right
  - E.g., implementing branching programs
- After each multiplication: $|\text{new-noise}| \le |\mu \cdot \text{old-noise}| + m \cdot |\text{fresh-noise}|$
  - After $T$ multiplications: $|\text{noise}| \le T \cdot |\text{fresh-noise}|$
- $|\text{Total noise}| \le |C| \cdot |\text{fresh-noise}| = \mathrm{poly}(\lambda)$
Extra: Multi-key HE from LWE

Multi-Key Homomorphic Encryption

- Computing on data encrypted under multiple keys
  - $(sk_i, pk_i) \leftarrow \mathrm{KeyGen}(\$)$, $i = 1, 2, \ldots, n$
  - $c_i \leftarrow \mathrm{Enc}_{pk_i}(x_i)$
  - $c^* \leftarrow \mathrm{MultiEval}_{\{pk_i\}_i}(f, \{c_i\}_i)$
  - $\mathrm{MultiDec}_{\{sk_i\}_i}(c^*) = f(x_1, \ldots, x_n)$
- [Lopez-Alt, Tromer, Vaikuntanathan'12] from NTRU
  - Can do LWE for a constant #, RLWE for a log # of players
- Here: LWE-based for a poly # of players
  - Follows [Clear, McGoldrick'14] and [Mukherjee, Wichs'15]
A Variation of GSW

- Recall: $C = \mathrm{GSW.Enc}_B(\sigma) \leftarrow R \times B + \sigma \cdot G$
  - $B \in \mathbb{Z}_q^{m \times n}$ is the public key, $B \times \mathbf{t}$ = small
  - $R \in \{0,1\}^{m \times m} \subset \mathbb{Z}_q^{m \times m}$
  - We have $C \times \mathbf{t} = \mu \cdot G \times \mathbf{t}$ + small
- Can we add, multiply $C_i$'s relative to different $B_i$'s?
  - Not directly
- Idea: include with each $C_i$ some extra information, to enable computing on them jointly
  - Specifically, an element-wise encryption of $R_i$
Step 1: Algebraic Trick

- Easier to see for the "1st try" from before:
  $C = R \times B + \mu \cdot I \in \mathbb{Z}_q^{n \times n}$ ($C \times \mathbf{t} = \mu \cdot \mathbf{t} + \mathbf{e}$)
  - Assume $\mathbf{t} = (1, \mathbf{s})$, so the 1st row of $C$ satisfies $\langle \mathbf{c}, \mathbf{t} \rangle = \mu + e$
- Let $C_{i,j}$ be an encryption of the entry $r_{i,j} = R[i,j]$
  - $\mathbf{c}_{i,j}$ is the 1st row of $C_{i,j}$, so $\langle \mathbf{c}_{i,j}, \mathbf{t} \rangle = r_{i,j} + e_{i,j}$
- For any vector $\mathbf{v} = (v_1, \ldots, v_n)$ and any $i \in [n]$, let $\mathbf{w}_i = \sum_j v_j \cdot \mathbf{c}_{i,j}$
  $\langle \mathbf{w}_i, \mathbf{t} \rangle = \sum_j v_j \cdot \langle \mathbf{c}_{i,j}, \mathbf{t} \rangle = \sum_j v_j r_{i,j} + \underbrace{\sum_j v_j e_{i,j}}_{e'_i} = \langle R[i,-], \mathbf{v} \rangle + e'_i$
Step 1: Algebraic Trick

- For $\mathbf{v} = (v_1, \ldots, v_n)$ let
  $W = \begin{pmatrix} \mathbf{w}_1 \\ \mathbf{w}_2 \\ \vdots \\ \mathbf{w}_n \end{pmatrix} = \begin{pmatrix} \sum_j v_j \cdot \mathbf{c}_{1,j} \\ \sum_j v_j \cdot \mathbf{c}_{2,j} \\ \vdots \\ \sum_j v_j \cdot \mathbf{c}_{n,j} \end{pmatrix}$
- Then $W \times \mathbf{t} = R \times \mathbf{v} + \mathbf{e}'$
- From $\mathrm{Enc}(R)$ and the plaintext $\mathbf{v}$, we can generate such a $W$
Fixing the Algebraic Trick

- This was for the "1st try", not the real GSW scheme
  - And it only works for small $\mathbf{v}$ (else $e'_i$ is large)
- To fix, use the same $G$, $G^{-1}(\cdot)$
- Denote $\bar{\mathbf{v}}_j = (v_j, 0, \ldots, 0)$
  - Before we had $\mathbf{w}_i = \sum_j \bar{\mathbf{v}}_j \times C_{i,j}$ with $\bar{\mathbf{v}}_j \in \mathbb{Z}_q^n$ and $C_{i,j} \in \mathbb{Z}_q^{n \times n}$, and error $e'_i = \sum_j \langle \bar{\mathbf{v}}_j, \mathbf{e}_{i,j} \rangle$
  - Now we set $\mathbf{w}_i = \sum_j G^{-1}(\bar{\mathbf{v}}_j) \times C_{i,j}$ with $G^{-1}(\bar{\mathbf{v}}_j) \in \mathbb{Z}_q^m$ and $C_{i,j} \in \mathbb{Z}_q^{m \times n}$ (a "real" GSW ciphertext)
  - The new error is $e'_i = \sum_j \langle G^{-1}(\bar{\mathbf{v}}_j), \mathbf{e}_{i,j} \rangle$
Summary So Far: Algebraic Trick

- Given:
  - an element-wise encryption of $R \in \{0,1\}^{m \times m}$ under $\mathbf{t}$,
  - any vector $\mathbf{v} \in \mathbb{Z}_q^m$,
- We can compute a matrix $W \in \mathbb{Z}_q^{m \times n}$ s.t. $W \times \mathbf{t} = R \times \mathbf{v} + \mathbf{e}'$ for small $\mathbf{e}'$
Step 2: Related Public Keys

- Use a "common reference string" $A \in_R \mathbb{Z}_q^{m \times (n-1)}$
- To get a new (pk, sk) key pair:
  - choose a secret $\mathbf{s} \in \mathbb{Z}_q^{n-1}$
  - compute $\mathbf{b} = A \times \mathbf{s} + \mathbf{e}$ (for a small error $\mathbf{e}$)
  - set PK: $B = (-\mathbf{b} \mid A)$, SK: $\mathbf{t} = (1, \mathbf{s})$
  - Then $B \times \mathbf{t} = -\mathbf{b} + A \times \mathbf{s} = -\mathbf{e}$ = small, as needed
- All public keys share the same $A$
  - Differ only in the 1st column
  - Security is unaffected (if $A$ is chosen randomly)
Step 3: "Masking Scheme" for GSW

- Key-generation uses the CRS
  - Public key $B = (-\mathbf{b} \mid A)$, all share the same $A$
- Encryption outputs $C = R \times B + \sigma \cdot G$ as before, but also a GSW-encryption of the entries of $R$:
  $U = \{\mathrm{GSW.Enc}_B(r_{i,j})\}_{i,j}$
- Given public keys $B, B'$ (wrt $\mathbf{t}, \mathbf{t}'$) and $(C, U)$ encrypting μ under $\mathbf{t}$, compute $W \in \mathbb{Z}_q^{m \times n}$ s.t.
  $\underbrace{C \times \mathbf{t}'}_{\text{mult } C \text{ by the wrong } \mathbf{t}'} - \underbrace{W \times \mathbf{t}}_{\text{correction factor}} = \underbrace{\mu \cdot G \times \mathbf{t}' + \mathbf{e}'}_{\text{the right answer}}$
Step 3: "Masking Scheme" for GSW

- Recall $B = (-\mathbf{b} \mid A)$, $B' = (-\mathbf{b}' \mid A)$; let $\boldsymbol{\delta} = \mathbf{b}' - \mathbf{b}$
- Use $U$ to compute $W$ such that $W \times \mathbf{t} = R \times \boldsymbol{\delta} + \mathbf{e}$
- Note $R \times (B - B') \times \mathbf{t}' = R \times (\boldsymbol{\delta} \mid 0) \times \binom{1}{\mathbf{s}'} = R \times \boldsymbol{\delta}$
- $C \times \mathbf{t}' - W \times \mathbf{t} = (R \times B + \mu \cdot G) \times \mathbf{t}' - (R \times \boldsymbol{\delta} + \mathbf{e})$
  $= \mu \cdot G \times \mathbf{t}' + R \times B \times \mathbf{t}' - R \times (B - B') \times \mathbf{t}' - \mathbf{e}$
  $= \mu \cdot G \times \mathbf{t}' + R \times B' \times \mathbf{t}' - \mathbf{e}$
  $= \mu \cdot G \times \mathbf{t}' - \mathbf{e}'$
Step 4: Multi-Key HE

- Given public keys $B, B'$ (wrt $\mathbf{t}, \mathbf{t}'$) and $(C, U)$, $(C', U')$ encrypting $\mu, \mu'$ under $\mathbf{t}, \mathbf{t}'$:
  - Denote $\hat{\mathbf{t}} = (\mathbf{t}, \mathbf{t}')$ and $\hat{G} = \begin{pmatrix} G & 0 \\ 0 & G \end{pmatrix}$
  - Compute $W$ s.t. $C \times \mathbf{t}' - W \times \mathbf{t} = \mu \cdot G \times \mathbf{t}' + \mathbf{e}$, and $W'$ s.t. $C' \times \mathbf{t} - W' \times \mathbf{t}' = \mu' \cdot G \times \mathbf{t} + \mathbf{e}'$
  - Let $\hat{C} = \begin{pmatrix} C & 0 \\ -W & C \end{pmatrix}$ and $\hat{C}' = \begin{pmatrix} C' & -W' \\ 0 & C' \end{pmatrix}$, then
    $\hat{C} \times \hat{\mathbf{t}} = \begin{pmatrix} C\mathbf{t} \\ C\mathbf{t}' - W\mathbf{t} \end{pmatrix} = \mu \cdot \begin{pmatrix} G\mathbf{t} \\ G\mathbf{t}' \end{pmatrix} + \begin{pmatrix} \mathbf{e} \\ \mathbf{e}'' \end{pmatrix} = \mu \cdot \hat{G} \times \hat{\mathbf{t}} + \hat{\mathbf{e}}$
    and likewise $\hat{C}' \times \hat{\mathbf{t}} = \mu' \cdot \hat{G} \times \hat{\mathbf{t}} + \hat{\mathbf{e}}'$
- Now $\hat{C}, \hat{C}'$ encrypt $\mu, \mu'$ under the key $\hat{\mathbf{t}} = (\mathbf{t}, \mathbf{t}')$
Step 4: Multi-Key HE

- The construction extends naturally to many keys
  - Encryption under the concatenation of the keys
  - Dimension and noise grow linearly with the number of keys
- This gives multi-key SWHE
  - Can be extended to multi-key FHE using bootstrapping
- Decryption with the concatenation of all keys
  - Mukherjee & Wichs show a 1-round "threshold decryption" protocol
  - The i'th player just multiplies by its key and adds noise
What We Covered Today

- SWHE/FHE is useful, interesting
- SWHE with security under LWE
  - Parameter size, LWE-approximation factor $\lambda^{O(depth)}$
- Get FHE with bootstrapping
  - Must assume circular security
  - Can get LWE-approximation factor $\mathrm{poly}(\lambda)$
- Can even get multi-key SWHE/FHE
  - Still with the same LWE-approximation factors
Things That We Didn't Cover

- Better efficiency/flexibility
  - Use low-dimension vectors over large extension rings instead of high-dimension vectors over $\mathbb{Z}$
  - "Pack" many plaintext elements in each ciphertext
  - Other schemes, larger plaintext spaces (not just $\mathbb{Z}_2$)
- HE with extra features
  - Identity-based HE, attribute-based HE, etc.
- Information-theoretic HE
  - Does it exist? We have info-theoretic PIR (with multiple servers), why not info-theoretic FHE?

Questions?