Background
FHE scheme
Key Generation Methods
Results
Improved Key Generation in Gentry’s Fully Homomorphic Encryption Scheme
Peter Scholl and Nigel Smart
Department of Computer Science
University of Bristol
13th IMA Conference on Cryptography & Coding, 2011
Summary
Background – Fully Homomorphic Encryption (1)
What is a FHE scheme?
Want operations ⊕, ⊗ on ciphertexts satisfying:
Dec(c1 ⊕ c2 ) = Dec(c1 ) + Dec(c2 )
Dec(c1 ⊗ c2 ) = Dec(c1 ) · Dec(c2 )
Background – Fully Homomorphic Encryption (2)
With add and multiply, arbitrary functions can be computed
on encrypted data, without knowing the secret key.
[Diagram: compute c = Enc(m) and send c; the other party does the long computation f and returns f(c); recover f(m) = Dec(f(c)).]
Applications: secure database access, advertising, medical records,
etc.
Background – Fully Homomorphic Encryption (3)
In 2009, Gentry solved the long-standing problem of creating a
FHE scheme.
The general idea:
Start with a somewhat homomorphic encryption scheme.
Allows a limited number of add/multiply operations.
After this, the ciphertext is too ‘dirty’ to decrypt properly.
Add a bootstrapping stage.
Store an encryption of the secret key with the public key.
A ciphertext can then be decrypted homomorphically.
Used to ‘clean up’ a dirty ciphertext, so it becomes fresh again.
Background – Fully Homomorphic Encryption (4)
Gentry’s scheme suffered performance issues in two vital
areas:
Key generation
Bootstrapping
Gentry & Halevi proposed an efficient key generation
technique for certain parameter choices.
Smart & Vercauteren devised techniques to perform parallel
homomorphic operations and thus improve bootstrapping.
However, the G-H key generation trick didn’t work for their
parameter requirements.
Our contributions
Implement and test existing key generation methods for the
Smart-Vercauteren variant.
Generalize Gentry & Halevi’s technique to arbitrary parameter
choices.
Can achieve a speed-up of up to an order of magnitude on
existing techniques.
Next: some details! (Nothing too scary though...)
Background – Polynomials
The m-th cyclotomic polynomial is given by:
$$\Phi_m(x) = \prod_{\substack{k=0 \\ \gcd(k,m)=1}}^{m-1} (x - \omega_k)$$
where $\omega_k = e^{-2\pi i k/m}$ is an m-th root of unity.
Note that the degree of $\Phi_m(x)$ is φ(m).
Write that g(x) = h(x) mod f(x) if g(x) = h(x) whenever x is a root of f.
Key Generation
Parameters: dimension m and bit length t.
Setup: f (x) = Φm (x), N := φ(m).
Choose random v(x) ∈ Z[x] of degree N − 1, with coefficients ≤ $2^t$.
Compute w(x) ∈ Z[x], d ∈ Z, such that
$$v(x) \cdot w(x) = d \mod f(x).$$
sk = w
pk = (d, α := w0/w1 mod d)
Encryption and Decryption
Encryption of m ∈ {0, 1}: choose a random polynomial r and
compute:
c = 2 · r (α) + m mod d
Decryption:
m = (c · w0 mod d) (mod 2)
Homomorphic operations:
c1 + c2 = 2(r1 + r2 )(α) + (m1 + m2 )
c1 · c2 = 2(m1 r2 + m2 r1 + 2r1 r2 )(α) + m1 · m2
So, provided the noise r does not grow too much, the scheme is
additively and multiplicatively homomorphic.
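A toy run of the key generation, encryption and decryption slides, added here as an illustration and not taken from the talk or the authors' implementation. It assumes m is a power of two, so f(x) = x^N + 1, and computes w and d with the identity v(x)·v(−x) = G(x²) rather than the paper's method; the parameters (N = 8, t = 16), the acceptance checks in keygen and all function names are assumptions of the example.

```python
# Toy parameters and the keygen acceptance checks are assumptions of this example.
import secrets
from math import gcd

def mul(a, b):
    """Multiply coefficient lists modulo f(x) = x^N + 1 (so x^N = -1)."""
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < n else -1
            c[(i + j) % n] += sign * ai * bj
    return c

def scaled_inverse(v):
    """Return (d, w) with v(x) * w(x) = d mod x^N + 1, N a power of two."""
    n = len(v)
    if n == 1:
        return v[0], [1]
    vbar = [-c if i % 2 else c for i, c in enumerate(v)]   # v(-x)
    g = mul(v, vbar)                      # even powers only: g(x) = G(x^2)
    d, big_w = scaled_inverse(g[::2])     # G * W = d mod y^(N/2) + 1
    w_x2 = [0] * n
    w_x2[::2] = big_w                     # W(x^2)
    return d, mul(vbar, w_x2)

def keygen(n=8, t=16):
    budget = 9 * n        # coefficient bound after one ciphertext multiplication
    while True:
        v = [secrets.randbelow(2 ** (t + 1) + 1) - 2 ** t for _ in range(n)]
        d, w = scaled_inverse(v)
        if d % 2 == 0 or w[0] % 2 == 0 or gcd(w[1], d) != 1:
            continue                      # need d, w0 odd and w1 invertible
        alpha = w[0] * pow(w[1], -1, d) % d
        x_w = [-w[-1]] + w[:-1]           # x * w(x) mod f
        if any((s - alpha * c) % d for s, c in zip(x_w, w)):
            continue                      # need (x - alpha) * w = 0 mod d
        if 2 * n * budget * max(map(abs, w)) < d:   # noise stays below d/2
            return (d, alpha), w

def encrypt(pk, bit, n=8):
    d, alpha = pk
    a = [2 * (secrets.randbelow(3) - 1) for _ in range(n)]   # 2 * r(x)
    a[0] += bit
    return sum(c * pow(alpha, i, d) for i, c in enumerate(a)) % d

def decrypt(w, d, c):
    x = c * w[0] % d
    return (x - d if x > d // 2 else x) % 2   # centred reduction, then mod 2
```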
Key Generation
Can compute inverse of a polynomial using the extended
Euclidean (XGCD) algorithm.
Computationally infeasible for reasonable parameter choices!
However, we are working with cyclotomic polynomials, and
their nice properties can be exploited...
Gentry & Halevi gave an efficient method for when $m = 2^r$.
Smart & Vercauteren proposed using FFTs for more general
m.
FFT Method
The Fast Fourier Transform (FFT) of v(x) computes $v(\omega_i)$ for all
of the m-th roots of unity, $\omega_0, \ldots, \omega_{m-1}$, in O(m log m) time.
Can invert these values and then interpolate w(x) with an inverse
FFT.
$\mathbf{v} \leftarrow \mathrm{FFT}(v(x))$
$d \leftarrow \prod_{\gcd(i,m)=1} v_i$ (since d = Resultant(v, f))
$w_i \leftarrow d / v_i$
$w(x) \leftarrow \mathrm{FFT}^{-1}(\mathbf{w})$
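The four steps of the FFT method on a toy input, as an added example that is not the authors' implementation. It assumes m is prime, so every ω_k with k ≥ 1 is primitive and Φ_m(x) = 1 + x + ... + x^(m−1), and it uses a direct O(m²) transform in double precision instead of a real FFT; fft_keygen, mul_mod_phi and SAMPLE_V are names chosen here.

```python
import cmath

SAMPLE_V = [3, -1, 4, 1, -5, 2]   # constructed input: degree N - 1 = 5 for m = 7

def fft_keygen(v, m):
    """Return (d, w) with v(x) * w(x) = d mod Phi_m(x), for prime m."""
    roots = [cmath.exp(-2j * cmath.pi * k / m) for k in range(m)]   # omega_k
    # v_k = v(omega_k) at the primitive roots k = 1..m-1
    vals = {k: sum(c * roots[k * j % m] for j, c in enumerate(v))
            for k in range(1, m)}
    prod = 1
    for z in vals.values():
        prod *= z
    d = round(prod.real)                          # d = Resultant(v, Phi_m)
    wvals = {k: d / z for k, z in vals.items()}   # w_k = d / v_k
    # Inverse transform with value 0 at omega_0 = 1 gives W(x) of degree < m.
    big_w = [sum(wk * roots[-k * j % m] for k, wk in wvals.items()) / m
             for j in range(m)]
    # W = w mod Phi_m, so subtracting W_{m-1} * Phi_m leaves w itself.
    return d, [round((c - big_w[-1]).real) for c in big_w[:-1]]

def mul_mod_phi(a, b, m):
    """a(x) * b(x) mod Phi_m(x) for prime m, in exact integer arithmetic."""
    c = [0] * m
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % m] += ai * bj             # reduce mod x^m - 1 first
    return [x - c[-1] for x in c[:-1]]            # then mod Phi_m
```

Double precision is only enough because the sample coefficients are tiny; with coefficients of hundreds of bits the values v_k no longer fit in a float and the rounding steps stop being exact.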
FFT Method – Difficulties
Typical parameter choices: bit length t ≈ 400; polynomial
degree m ≈ 4000.
Leads to coefficients of w of around $2^{m \cdot t}$, which is millions of
bits.
So need to compute FFTs with million bit (possibly floating
point) numbers.
The parameter m should be flexible.
Requires general length FFT algorithms.
Can’t just pad to a power of 2!
FFTs have a high hidden constant factor in their running time.
Result: key generation is feasible, but still very slow – several
hours.
Our method
Part I
Instead of computing FFT(v ), just need to compute 2
coefficients of 2 polynomials, g (x) and h(x).
If m has many repeated prime factors, e.g. $m = p^r$ or
$m = p^r q^s$ for small p, q:
Much easier than FFT.
Gentry & Halevi did this for powers of 2 only.
When m is not so nice, must do FFT.
Our method
Part II
Given 2 coefficients of g (x), h(x), can create a set of
simultaneous equations in the coefficients of w (x).
Solve equations by inverting a special matrix, C :
C · w = x
x depends on the computed coefficients, while C depends only
on m!
$C^{-1}$ can be precomputed for fixed m.
In fact, C turns out to be very easy to invert anyway.
Computational Results (1)
m                         FFT Method   New Method   % Improvement
4391  (prime)             274          164          40%
5555  (= 5 · 11 · 101)    137          67           51%
6561  (= 3^8)             204          30           85%
10125 (= 3^4 · 5^3)       451          123          72%
Table: Comparison of methods for various choices of m, with input bit
size t = 400. Times in minutes.
Computational Results (2)
[Figure: time taken (min) against bit size t, for the FFT method and the new method, each with m = 4391, 5555, 6561 and 10125.]
Summary
Implemented and tested FFT based key generation for the
Smart-Vercauteren scheme.
Created new key generation method that performs up to an
order of magnitude faster than FFT method.
Outlook
Fully Homomorphic Encryption still has a long way to go.
Implementations fuel progress and provide an important reality
check.
Questions?