Gentry's Fully Homomorphic Encryption Scheme
Under Guidance of Prof. Manindra Agrawal
Rishabh Gupta (Email: [email protected]), Sanjari Srivastava (Email: [email protected])

Abstract: This report presents a description and analysis of the fully homomorphic encryption scheme proposed by Craig Gentry in his Ph.D. thesis, Fully Homomorphic Encryption Using Ideal Lattices [1]. We hope that others will find it useful as an introduction to Gentry's first FHE scheme.

I. INTRODUCTION

Craig Gentry proposed the first solution to the open problem of constructing a fully homomorphic encryption scheme. The aim is to create a scheme $\varepsilon$ with a function $\mathrm{Evaluate}_\varepsilon$ which, for a circuit $C$, a key pair $(pk, sk)$ and an $m$-tuple of valid ciphertexts $(\psi_1, \ldots, \psi_m)$ with $\psi_i \leftarrow \mathrm{Encrypt}_\varepsilon(pk, \pi_i)$, satisfies
$$\mathrm{Decrypt}_\varepsilon\big(sk, \mathrm{Evaluate}_\varepsilon(pk, C, \psi_1, \ldots, \psi_m)\big) = C(\pi_1, \ldots, \pi_m).$$
Basically, $\mathrm{Evaluate}_\varepsilon$ lets us compute a circuit $C$ directly on ciphertexts and returns an encryption of what $C$ would have output on the corresponding plaintexts. This is useful when we want, say, a server to perform an operation on encrypted data without ever holding the secret key.

Let $\mathrm{Evaluate}_\varepsilon$ satisfy the above property for all $C$ belonging to a set of circuits $C_\varepsilon$. The scheme $\varepsilon$ is said to be fully homomorphic when $C_\varepsilon$ contains all possible circuits. Basic RSA is only multiplicatively homomorphic. Clearly, the first step towards a fully homomorphic scheme is one that is homomorphic with respect to both addition and multiplication at least. How to get from there to all possible circuits $C$ is what the following theorem shows.

II. BOOTSTRAPPABILITY THEOREM

A fully homomorphic scheme is hard to construct for the following reason. Say we have an encryption scheme that is homomorphic over addition and multiplication. Since any circuit can be composed of only these two types of gates, this would seem to be enough for full homomorphism. But assume that the ciphertext produced by Encrypt carries a small error which is removed during decryption. If we apply $\mathrm{Evaluate}_\varepsilon$ to such ciphertexts, the associated error grows. For a circuit of depth $d$ the error may become so large that applying $\mathrm{Decrypt}_\varepsilon$ gives a decryption error.

As the implicit error grows during evaluation, we would like to "refresh" the ciphertext so that it encrypts the same thing but with a reduced error. Decrypting the ciphertext with the secret key and re-encrypting it under another public key is one way of refreshing. Doing that decryption homomorphically, without providing the secret key explicitly, is the idea behind bootstrapping. If the decryption circuit $D_\varepsilon$ belongs to $C_\varepsilon$, we can achieve the following. For a key pair $(pk_1, sk_1)$, a second key pair $(pk_2, sk_2)$ and a plaintext $\pi$, encrypt the bits of the secret key itself and do
$$\psi_1 \leftarrow \mathrm{Encrypt}_\varepsilon(pk_1, \pi), \qquad
\overline{sk_1} \leftarrow \mathrm{Encrypt}_\varepsilon(pk_2, sk_1), \qquad
\overline{\psi_1} \leftarrow \mathrm{Encrypt}_\varepsilon(pk_2, \psi_1),$$
$$\psi_2 \leftarrow \mathrm{Evaluate}_\varepsilon\big(pk_2, D_\varepsilon, (\overline{sk_1}, \overline{\psi_1})\big).$$
In other words, we obtain a new "refreshed" ciphertext $\psi_2$ that encrypts the same $\pi$ but under $pk_2$ instead of $pk_1$. Its error is that of a single evaluation of $D_\varepsilon$ on fresh ciphertexts, no matter how much error $\psi_1$ had accumulated, which is what makes repeated refreshing possible. (Publishing an encryption of a secret key under its own public key would need an additional circular-security assumption; the leveled construction below avoids this by using a fresh key pair per level.)

This motivates ensuring that $D_\varepsilon \in C_\varepsilon$ in order to make $\varepsilon$ fully homomorphic. But we want to perform operations, not just refresh encryptions of the same plaintext. If we can also evaluate a NAND-augmented decryption circuit ($D_\varepsilon$ NAND $D_\varepsilon$), then we can generate an encryption of ($\pi_1$ NAND $\pi_2$) under $pk_2$ by the same method and keep doing this recursively for circuits of any depth $d$ (explained in detail below). [Note: for any gate $g$, a $g$-augmented decryption circuit means two copies of $D_\varepsilon$ whose outputs are joined by the gate $g$.]

A. Definitions

Definition 1 (Leveled Fully Homomorphic Encryption): A family of schemes $\{\varepsilon^{(d)} : d \in \mathbb{Z}^+\}$ is leveled fully homomorphic if all of them use the same decryption circuit and $\varepsilon^{(d)}$ is homomorphic for all circuits of depth at most $d$ (consisting of NAND gates) [1].

Definition 2 (Bootstrappability): Let $C_\varepsilon$ be the set of circuits that $\mathrm{Evaluate}_\varepsilon$ can handle. If $C_\varepsilon$ contains the two circuits $D_\varepsilon$ and the NAND-augmented $D_\varepsilon$ (a NAND gate joining two copies of $D_\varepsilon$), where $D_\varepsilon$ is the circuit of the decryption algorithm, then $\varepsilon$ is said to be bootstrappable [1].

Theorem 1: A leveled fully homomorphic encryption scheme can be constructed from a bootstrappable encryption scheme.

Fig. 1: (a) $m_1, m_2$ are initially encrypted under $pk_A$ (figuratively, put inside the pink box). Running Evaluate on this input, further encrypted under $pk_B$ (figuratively, put inside the blue box), generates a "fresh" ciphertext of $m_1$ NAND $m_2$ under $pk_B$. The circuit Decrypt-NAND-Decrypt itself would have taken $(sk_A, \mathrm{Encrypt}(m_1, pk_A))$ and $(sk_A, \mathrm{Encrypt}(m_2, pk_A))$ as input and returned $m_1$ NAND $m_2$. (b) Recursively running Evaluate on the circuit $(m_1$ NAND $m_2)$ NAND $(m_3$ NAND $m_4)$. Source: lecture slides, 5359-aut13, Ten H. Lai, Ohio State University, Columbus [7].

B. Bootstrappable Encryption

Let $\Sigma = (\mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt}, \mathrm{Evaluate})$ be an encryption scheme. Let $\tau$ be a set of gates, including the identity gate, with inputs and outputs in the plaintext space $P$, and let $D_\Sigma(\tau)$ be the set of $g$-augmented Decrypt circuits for $g \in \tau$. $\Sigma$ is said to be bootstrappable with respect to $\tau$ if $D_\Sigma(\tau) \subseteq C_\Sigma$. Given a $\Sigma$ bootstrappable w.r.t. $\tau$, we construct $\Sigma^{(d)} = (\mathrm{KeyGen}^{(d)}, \mathrm{Encrypt}^{(d)}, \mathrm{Decrypt}^{(d)}, \mathrm{Evaluate}^{(d)})$, which is homomorphic for circuits of depth $\le d$.

1) $\mathrm{KeyGen}^{(d)}(\lambda, d)$: Takes as input the security parameter $\lambda$ and an integer $d$. Generate $d+1$ key pairs $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(\lambda)$ for $i \in \{0, \ldots, d\}$. With $sk_i$ represented as a sequence of plaintext elements $sk_i = (sk_{i1}, \ldots, sk_{il})$, compute $\overline{sk_{ij}} \leftarrow \mathrm{Encrypt}(pk_{i-1}, sk_{ij})$ for $i \in \{1, \ldots, d\}$, $j \in \{1, \ldots, l\}$. Output the secret key $sk^{(d)} \leftarrow sk_0$ and the public key $pk^{(d)} \leftarrow \big(\langle pk_i \rangle_{0 \le i \le d}, \langle \overline{sk_{ij}} \rangle_{1 \le i \le d,\, 1 \le j \le l}\big)$. For $\delta \le d$, $pk^{(\delta)}$ denotes the same structure with the index range restricted to $0 \le i \le \delta$ (and $sk^{(\delta)} = sk_0$).

2) $\mathrm{Encrypt}^{(d)}(pk^{(d)}, \pi)$: Takes $pk^{(d)}$ and $\pi \in P$. Output the ciphertext $\psi \leftarrow \mathrm{Encrypt}(pk_d, \pi)$.

3) $\mathrm{Decrypt}^{(d)}(sk^{(d)}, \psi)$: $\psi$ must be an output of $\mathrm{Evaluate}^{(d)}$ (which only returns ciphertexts encrypted under $pk_0$). Output $\pi \leftarrow \mathrm{Decrypt}(sk_0, \psi)$.

4) $\mathrm{Evaluate}^{(\delta)}(pk^{(\delta)}, C_\delta, \Psi_\delta)$: This is a recursive procedure; the first call is $\mathrm{Evaluate}^{(d)}(pk^{(d)}, C_d, \Psi_d)$. $C_\delta$ is a circuit with gates in $\tau$ and depth $\delta$ (any circuit of smaller depth can be extended to depth $\delta$ by adding identity gates). $\Psi_\delta$ is the sequence of ciphertext inputs to $C_\delta$, encrypted under $pk_\delta$.
Base case: for $\delta = 0$, return $\Psi_0$ (this is why the input to $\mathrm{Decrypt}^{(d)}$ is encrypted under $pk_0$).
Otherwise, $\mathrm{Evaluate}^{(\delta)}$ consists of two steps:
• Augment: Call the input-receiving layer of $C_\delta$ layer $\delta$, and number the layers below it down to layer 1. Augment the gates of layer $\delta$ with decryption circuits $D_\varepsilon$; call the modified circuit $C^+_{\delta-1}$. Input to $C^+_{\delta-1}$: replace each input $\psi \in \Psi_\delta$ by $\langle \langle \overline{sk_{\delta j}} \rangle, \langle \overline{\psi_j} \rangle \rangle$ (the subscript $j$ denotes bit-wise encryption), where $\overline{\psi_j} \leftarrow \mathrm{Encrypt}(pk_{\delta-1}, \psi_j)$. Note that this input is now encrypted under $pk_{\delta-1}$.
• Reduce: To every sub-circuit $C'$ whose output wire $W$ lies between level $\delta$ and level $\delta-1$ of $C^+_{\delta-1}$ ($C'$ is a level-$\delta$ gate augmented with $D_\varepsilon$ circuits), apply $\mathrm{Evaluate}(pk_{\delta-1}, C', \psi')$, where $\psi'$ is the input to $C'$, and replace $C'$ by the output of Evaluate. These steps reduce $C_\delta$ to $C_{\delta-1}$, whose new input $\Psi_{\delta-1}$ is encrypted under $pk_{\delta-1}$. Recursively call $\mathrm{Evaluate}^{(\delta-1)}(pk^{(\delta-1)}, C_{\delta-1}, \Psi_{\delta-1})$. (See Figure 2.)

Fig. 2: $\mathrm{Evaluate}^{(\delta)}(pk^{(\delta)}, C_\delta, \Psi_\delta)$.

C. Correctness

Since NAND is a universal gate, assume all the gates in $C_\delta$ are NAND gates. For the correctness of Theorem 1 it is enough to look at what happens at one NAND gate at level $\delta$ of $C_\delta$.
Say the inputs to this NAND gate would have been $\pi_1$ and $\pi_2$, so its output would have been $\pi_1$ NAND $\pi_2$. What we actually hold are ciphertexts $\psi_1^\delta$ and $\psi_2^\delta$, encryptions of $\pi_1$ and $\pi_2$ under $pk_\delta$. After the augmentation step this sub-circuit becomes ($D_\varepsilon$ NAND $D_\varepsilon$). Feeding $(sk_\delta, \psi_1^\delta)$ and $(sk_\delta, \psi_2^\delta)$ to the modified sub-circuit in the clear would still give the desired output $\pi_1$ NAND $\pi_2$. Since we want to execute the modified sub-circuit under Evaluate instead, we encrypt $(sk_\delta, \psi_1^\delta)$ and $(sk_\delta, \psi_2^\delta)$ under $pk_{\delta-1}$ and receive as output $\pi_1$ NAND $\pi_2$ encrypted under $pk_{\delta-1}$. Because the NAND-augmented $D_\varepsilon$ belongs to $C_\varepsilon$ by Definition 2, this output decrypts correctly under $sk_{\delta-1}$; doing this at every gate of level $\delta$ produces exactly the inputs $\Psi_{\delta-1}$ that the recursive call expects. In this way bootstrappability ensures that Evaluate works for the modified sub-circuit. (See Figure 1a.)

III. GGH ENCRYPTION SCHEME

We discuss the lattice-based cryptosystem proposed by Goldreich, Goldwasser and Halevi [2], on which Gentry's scheme is based. For an $n$-dimensional lattice $L$ with basis $B = (b_1, b_2, \ldots, b_n)$, let $B^* = (b_1^*, b_2^*, \ldots, b_n^*)$ be the Gram-Schmidt orthogonalisation [5] of $B$. We define [3]
$$\rho_B = \tfrac{1}{2} \min_i \|b_i^*\|.$$
A good basis is "fat", with a large $\rho$, while a bad basis is skewed, with a small $\rho$; $\rho$ is large for nearly orthogonal bases. We choose two bases of the lattice, $B_{pk}$ (bad) and $B_{sk}$ (good), as the public and secret key respectively, with $\rho_{pk}$ much smaller than $\rho_{sk}$.

A. Encryption Scheme

1) KeyGen($L$): For the lattice $L$, generate a good basis $B_{sk}$. Set $B_{pk} = \mathrm{HNF}(B_{sk})$ [3], the Hermite Normal Form of the basis. The HNF is a skewed basis of the same lattice, and it depends only on $L$ and not on the particular good basis, so $B_{pk}$ reveals nothing about $B_{sk}$ beyond the lattice itself; recovering $B_{sk}$ from $B_{pk}$ is not feasible [3]. Output $(pk, sk) \leftarrow (B_{pk}, B_{sk})$.

2) Encrypt($m$, $B_{pk}$)*: To encrypt a message $m$, encode it into a short vector $e$ such that $e \in P(B_{sk})$, where $P(B)$ denotes the centred parallelepiped generated by a lattice basis $B$. (This can be ensured by requiring $\|e\| < \rho_{sk}$, since a sphere of radius $\rho_{sk}$ is the largest sphere inscribed in $P(B_{sk})$. Strictly, for the round-off decoding used below, the inscribed radius is $\tfrac12 \min_i$ of the component of $b_i$ orthogonal to all the other basis vectors, which is at most $\|b_i^*\|$; for a nearly orthogonal basis the two agree up to a small factor.) Output $c \leftarrow e \bmod B_{pk}$. Throughout, vectors are rows and $t B^{-1}$ gives the coordinates of $t$ in the basis $B$; for any vector $t$,
$$t \bmod B = t - \lceil t B^{-1} \rfloor B,$$
where $\lceil \cdot \rfloor$ denotes rounding each coordinate to the closest integer. (*Modified by the authors from the original GGH encryption, following the HNF variant of [3].)

3) Decrypt($c$, $B_{sk}$): Output $e \leftarrow c \bmod B_{sk}$ and retrieve $m$ from $e$.

B. Correctness

For any vector $t$ and any basis $B$ of the lattice $L$, $t \bmod B = t + x$ for some $x \in L$. Therefore the ciphertext can be written $c = e + x$ for some $x \in L$, i.e. $c = e + \alpha B_{sk}$ for some integer vector $\alpha$. Then
$$c \bmod B_{sk} = c - \lceil c B_{sk}^{-1} \rfloor B_{sk}
= \alpha B_{sk} + e - \lceil \alpha B_{sk} B_{sk}^{-1} + e B_{sk}^{-1} \rfloor B_{sk}
= \alpha B_{sk} + e - \lceil \alpha + e B_{sk}^{-1} \rfloor B_{sk}$$
$$= \alpha B_{sk} + e - \alpha B_{sk} - \lceil e B_{sk}^{-1} \rfloor B_{sk}
= e \bmod B_{sk}.$$
Now, since $e \in P(B_{sk})$, $e = \sum_{i=1}^{n} \alpha_i b_i$ for some $\alpha_i \in (-1/2, 1/2)$, where $B_{sk} = (b_1, \ldots, b_n)$. For all $\alpha_i \in (-1/2, 1/2)$ we have $\lceil \alpha_i \rfloor = 0$, as $0$ is the closest integer. Therefore
$$e \bmod B_{sk} = e - \lceil e B_{sk}^{-1} \rfloor B_{sk} = e - 0 = e.$$
Hence the scheme decrypts correctly. On the other hand $c \bmod B_{pk}$ does not give back $e$, because $\|e\|$ can be greater than $\rho_{pk}$, which is smaller than $\rho_{sk}$: $e$ may lie outside $P(B_{pk})$, and then the above argument does not hold.

IV. ABSTRACT CONSTRUCTION

We now discuss the abstract construction of the encryption scheme. We begin by describing the assumptions made for the construction and the mathematical objects used in it, which will be defined concretely later when discussing the concrete scheme. Then we give the abstract encryption scheme, and lastly we discuss its correctness. Part of this scheme is based on the GGH scheme, which is why GGH was discussed above.

A. Assumptions and Definitions

We use a ring $R$, a fixed basis $B_I$ of an ideal $I \subset R$, an algorithm $\mathrm{IdealGen}(R, B_I)$ that outputs a public basis $B_J^{pk}$ and a secret basis $B_J^{sk}$ of some ideal $J \subset R$, and an algorithm $\mathrm{Samp}(x, B_I, R, B_J)$ that samples from the coset $x + I$.
We write $R \bmod B_M$ for the set of distinguished representatives of the cosets $r + M$, $r \in R$, with respect to a basis $B_M$ of an ideal $M$ (effectively the coset representatives lying in the centred parallelepiped $P(B_M)$). A mod-$B_I$ circuit $C$ is a circuit whose gates $\mathrm{Add}_{B_I}$ and $\mathrm{Mult}_{B_I}$ perform addition and multiplication modulo $B_I$. We now state a few definitions used in the correctness argument for the abstract scheme.

• (Generalized circuit) Let $C$ be a mod-$B_I$ circuit. The generalized circuit $g(C)$ is obtained by replacing the $\mathrm{Add}_{B_I}$ and $\mathrm{Mult}_{B_I}$ gates of $C$ with the ring operations $+$ and $\times$ in $R$ (with no reduction).
• ($X_{Enc}$ and $X_{Dec}$) Let $X_{Enc}$ be the image (range) of the algorithm Samp. Let $X_{Dec} = R \bmod B_J^{sk}$, the distinguished representatives of the cosets of $J$ w.r.t. the secret basis $B_J^{sk}$.
• (Permitted circuits)
$$C_\varepsilon = \{\, C : \forall (x_1, \ldots, x_t) \in X_{Enc}^t,\ g(C)(x_1, \ldots, x_t) \in X_{Dec} \,\}.$$
In other words, $C_\varepsilon$ is the set of circuits whose generalized version, when given inputs from $X_{Enc}$, produces an output that lies in $X_{Dec}$.

B. Encryption Scheme

1) KeyGen($R$, $B_I$): Generate the two bases $(B_J^{sk}, B_J^{pk}) \leftarrow \mathrm{IdealGen}(R, B_I)$. Public key $pk = \{R, B_I, B_J^{pk}, \mathrm{Samp}\}$; secret key $sk = pk \cup \{B_J^{sk}\}$. Output $(pk, sk)$.

2) Encrypt($pk$, $\pi$): The plaintext space is $P \subseteq R \bmod B_I$ and the input is $\pi \in P$. Compute $\psi' \leftarrow \mathrm{Samp}(\pi, B_I, R, B_J^{pk})$ and output $\psi \leftarrow \psi' \bmod B_J^{pk}$.

3) Decrypt($sk$, $\psi$): $\psi$ is a ciphertext. Output $\pi \leftarrow (\psi \bmod B_J^{sk}) \bmod B_I$.

4) Evaluate($pk$, $C$, $\Psi$): Here $C \in C_\varepsilon$ and $\Psi$ is a tuple of ciphertexts. For every $\mathrm{Add}_{B_I}$ and $\mathrm{Mult}_{B_I}$ gate of $C$, Evaluate performs ring addition modulo $B_J^{pk}$ (Add) and ring multiplication modulo $B_J^{pk}$ (Mult) on the corresponding inputs:
$$\mathrm{Add}(\psi_1, \psi_2, B_J^{pk}) = \psi_1 + \psi_2 \bmod B_J^{pk}, \qquad
\mathrm{Mult}(\psi_1, \psi_2, B_J^{pk}) = \psi_1 \times \psi_2 \bmod B_J^{pk}.$$
Effectively, the output is $g(C)(\Psi) \bmod B_J^{pk}$. Note that Evaluate reduces only modulo the public basis of $J$, never modulo $B_I$; the plaintext reduction is left to Decrypt.

C. Correctness

Proof: Let $\Psi = \{\psi_1, \ldots, \psi_t\}$ where $\psi_k = \pi_k + i_k + j_k$ with $\pi_k \in P$, $i_k \in I$, $j_k \in J$ and $\pi_k + i_k \in X_{Enc}$. The scheme is correct if $\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi)) = C(\pi_1, \ldots, \pi_t)$. We have
$$\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi))
= \big(\big(g(C)(\pi_1 + i_1 + j_1, \ldots, \pi_t + i_t + j_t) \bmod B_J^{pk}\big) \bmod B_J^{sk}\big) \bmod B_I$$
$$= \big(\big(\big(g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) + j'\big) \bmod B_J^{pk}\big) \bmod B_J^{sk}\big) \bmod B_I \quad \text{for some } j' \in J \text{, since } J \text{ is an ideal}$$
$$= \big(\big(g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_J^{pk}\big) \bmod B_J^{sk}\big) \bmod B_I \quad \text{as } j' \bmod B_J^{pk} = 0 \text{ for } j' \in J$$
$$= \big(\big(g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) + j''\big) \bmod B_J^{sk}\big) \bmod B_I \quad \text{as } x \bmod B_J^{pk} = x + j'' \text{ for some } j'' \in J \text{, for any } x$$
$$= \big(g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_J^{sk}\big) \bmod B_I.$$
Since $C \in C_\varepsilon$ and $(\pi_1 + i_1, \ldots, \pi_t + i_t) \in X_{Enc}^t$, we get $g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \in X_{Dec} = R \bmod B_J^{sk}$, and for $x \in R \bmod B_J^{sk}$ we have $x \bmod B_J^{sk} = x$. Hence
$$g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_J^{sk} = g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t),$$
and therefore
$$\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi)) = g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_I
= \big(g(C)(\pi_1, \ldots, \pi_t) + i'\big) \bmod B_I \quad \text{for some } i' \in I$$
$$= g(C)(\pi_1, \ldots, \pi_t) \bmod B_I = C(\pi_1, \ldots, \pi_t).$$
Hence the encryption scheme is correct.

V. CONCRETE CONSTRUCTION

The ideal-based encryption scheme is instantiated as follows.
• Choose $R = \mathbb{Z}[x]/(f(x))$, where $f(x)$ is a monic polynomial of degree $n$ and $(f(x)) = \{f(x) \cdot g(x) : g(x) \in \mathbb{Z}[x]\}$. $R$ is isomorphic to an $n$-dimensional integer lattice, i.e. a polynomial in $R$ can be treated as an $n$-dimensional integer vector of its coefficients.
• Choose a vector $s \in R$ and set $I = (s)$, the principal ideal generated by $s$. Set $B_I = \{s_0, s_1, \ldots, s_{n-1}\}$, the rotation basis of $I$, where $s_i = s \times x^i \bmod f(x)$.
• Set $f(x) = x^n \pm 1$ so that $B_I$ is a nice rotated basis.
• Plaintext space $P \subseteq P(B_I)$.
• Range of Samp $\subseteq B(l_{Samp})$, where $B(r)$ denotes the sphere of radius $r$ centred on the origin.

We know $X_{Enc} = \mathrm{Samp}(B_I, P)$ and $X_{Dec} = R \bmod B_J^{sk}$. Let $r_{Enc}$ be the smallest radius such that $X_{Enc} \subseteq B(r_{Enc})$ and $r_{Dec}$ the largest radius such that $B(r_{Dec}) \subseteq X_{Dec}$. Then we have to ensure
$$\forall\, x_1, \ldots, x_t \in B(r_{Enc}):\quad g(C)(x_1, \ldots, x_t) \in B(r_{Dec}).$$
By the triangle inequality, for vectors $u, v \in R$,
$$\|u + v\| \le \|u\| + \|v\|, \qquad \|u \times v\| \le \gamma_{mult} \cdot \|u\| \cdot \|v\|,$$
where $\gamma_{mult}$ depends on $R$.

Lemma: If the input vectors are in $B(r)$, then after a 2-fan-in multiplication or an $m$-fan-in addition the output vector is in $B(m r^2)$, where $m = \gamma_{mult}(R)$. After $k$ levels of 2-fan-in multiplication or $m$-fan-in addition the output vector is in $B(m^{2^k - 1} \cdot r_{Enc}^{2^k}) \subseteq B((m \cdot r_{Enc})^{2^k})$. Therefore it suffices that
$$(m \cdot r_{Enc})^{2^k} \le r_{Dec} \quad \Longrightarrow \quad k \le \log\log r_{Dec} - \log\log(m \cdot r_{Enc}).$$
The proposed scheme works for circuits of depth $k$. We want to maximize $k$ so that the permitted depth is large enough to encompass the decryption circuit and its augmentations. This is pursued in the following three subsections [8].

A. Minimizing $\gamma_{mult}(R)$

For $f(x) = x^n \pm 1$ and $R = \mathbb{Z}[x]/(f(x))$, $\gamma_{mult}(R) \le \sqrt{n}$.

B. Minimizing $r_{Enc}$

$B_I = \{s_0, s_1, \ldots, s_{n-1}\}$ is the rotation basis of $I$. Let $\|B_I\| = \max_i \|s_i\|$ for $i = 0, \ldots, n-1$. Now
$$\mathrm{Samp}(B_I, x) = x + I = x + r \times s \ \text{ with } r \in R,\qquad r \leftarrow \mathrm{Samp}_1(R),$$
where $\mathrm{Samp}_1(R) \in B(l_{Samp_1})$, so $\|r\| \le l_{Samp_1}$. Since $\mathrm{Samp}(B_I, x) = X_{Enc} \subseteq B(r_{Enc})$,
$$r_{Enc} = \max\{\|x + r \times s\| : x \in P,\ r \leftarrow \mathrm{Samp}_1(R)\}
\ \Longrightarrow\ r_{Enc} \le n \cdot \|B_I\| + \sqrt{n} \cdot l_{Samp_1} \cdot \|B_I\|,$$
using $\|r \times s\| \le \gamma_{mult}(R) \|r\| \|s\| \le \sqrt{n} \cdot l_{Samp_1} \cdot \|B_I\|$. Since we want to minimize $r_{Enc}$, we would like to minimize $\|B_I\|$. We could choose $s = e_1$, but that would make the ideal $I$ equal to the whole ring $R$. So we choose $s = 2 e_1$, giving $\|B_I\| = 2$. The size of $l_{Samp_1}$ is a security constraint: it should be sufficiently large and is chosen equal to $n$. Hence
$$r_{Enc} \le 2n + 2n^{1.5}.$$

C. Maximizing $r_{Dec}$

$B(r_{Dec}) \subseteq X_{Dec} = P(B_J^{sk})$. If we want a large $r_{Dec}$, $P(B_J^{sk})$ should be as fat as possible. $P(B_J^{sk})$ would be fattest for $B_J^{sk}$ of the form $t \cdot E = (t \cdot e_1, \ldots, t \cdot e_n)$. But if we set $B_J^{sk} = t \cdot E$ then $\mathrm{HNF}(B_J^{sk}) = B_J^{sk}$, which cannot serve as the public basis since we want that to be skewed. So we choose $B_J^{sk}$ very close to $t \cdot E$ but not equal to it, by introducing an error vector of norm less than some value $l$. Consider
$$v_1 = t \cdot e_1 + z \ \text{ with } \|z\| < l, \qquad t \ge 4 n l \gamma_{mult}(R),$$
and let $B_J^{sk}$ be the rotation basis of $v_1$: $B_J^{sk} = (v_1, \ldots, v_n)$ with $v_i = v_1 \times x^{i-1} \bmod f(x)$. Let $z_j = v_j - t \cdot e_j$. Then
$$\|z_j\| = \|v_j - t \cdot e_j\| = \|(v_1 - t \cdot e_1) \times x^{j-1}\| \le \gamma_{mult}(R) \cdot \|v_1 - t \cdot e_1\| \cdot \|x^{j-1}\| \le \gamma_{mult}(R) \cdot l \cdot 1,$$
$$\|z_j\| \le l \cdot \gamma_{mult}(R). \tag{1}$$
Consider a point $a$ on the surface of $P(B_J^{sk})$: $a = \pm\tfrac{1}{2} v_i + \sum_{j \ne i} a_j v_j$ with $|a_j| \le \tfrac{1}{2}$ (take the $+$ sign without loss of generality). Then
$$\|a\| \ge |\langle a, e_i \rangle| = \Big| \tfrac{1}{2} \langle v_i, e_i \rangle + \sum_{j \ne i} a_j \langle v_j, e_i \rangle \Big|.$$
Now $\langle v_i, e_i \rangle = \langle z_i + t \cdot e_i, e_i \rangle = \langle z_i, e_i \rangle + t$ and, for $j \ne i$, $\langle v_j, e_i \rangle = \langle z_j + t \cdot e_j, e_i \rangle = \langle z_j, e_i \rangle$. Hence
$$\|a\| \ge \Big| \tfrac{1}{2} t + \tfrac{1}{2} \langle z_i, e_i \rangle + \sum_{j \ne i} a_j \langle z_j, e_i \rangle \Big| \tag{2}$$
$$\ge \frac{t}{2} - \Big| \sum_{j} \tfrac{1}{2} \langle z_j, e_i \rangle \Big|
\ \ge\ \frac{t}{2} - n \max_j |\langle z_j, e_i \rangle|
\ \ge\ \frac{t}{2} - n \max_j \|z_j\|
\ \ge\ \frac{t}{2} - n \cdot l \cdot \gamma_{mult}(R)
\ \ge\ \frac{t}{2} - \frac{t}{4} = \frac{t}{4},$$
where the second line bounds every $|a_j|$ by $\tfrac{1}{2}$, uses (1), and finally uses $t \ge 4 n l \gamma_{mult}(R)$. Therefore
$$r_{Dec} \ge \frac{t}{4}. \tag{3}$$

VI. SQUASHING

Thus we see that $r_{Dec}$ can be made as large as we like according to Equation (3). However, $r_{Dec}/r_{Enc}$ must be sub-exponential for the underlying bounded-distance decoding problem (BDDP) to be hard. Choosing the values of $l$, $t$ and $r_{Dec}$ accordingly to maximize $k$, the maximum circuit depth permitted by the scheme becomes $c \cdot \log n$ for some constant $c < 1$. However, decryption involves the addition of at least $n$ vectors during the matrix multiplication steps; this can be performed by circuits of depth $O(\log n)$, but with a constant coefficient of $\log n$ greater than 1. This makes the scheme fall just short of bootstrappability. To reduce the complexity of the decryption circuit, Gentry introduced the idea of "squashing the decryption circuit" [1], the details of which are not discussed in this report. Performing this step ultimately leads to a bootstrappable scheme.

REFERENCES

[1] C. Gentry, "A fully homomorphic encryption scheme,"Ph.D. dissertation, Stanford University, 2009.
[2] O. Goldreich, S. Goldwasser, and S. Halevi, "Public-key cryptosystems from lattice reduction problems," in Annual International Cryptology Conference (CRYPTO 1997), Springer, 1997.
[3] D. Micciancio, "Improving lattice based cryptosystems using the Hermite normal form," in Cryptography and Lattices (CaLC 2001), Springer, 2001, pp. 126-145.
[4] http://www.boazbarak.org/cs127/chap15 FHE.pdf
[5] http://web.cse.ohio-state.edu/~lai/5359-aut13/03.lattices.pdf
[6] https://people.csail.mit.edu/shaih/lattices-and-HE-class/notes/GentrysSWHE.pdf
[7] http://web.cse.ohio-state.edu/~lai/5359-aut13/02.Gentry-FHEbootstrapping.pdf
[8] http://web.cse.ohio-state.edu/~lai/5359-aut13/05.Gentry-FHEconcrete-scheme.pdf
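Added worked example (editor's toy implementation, not code from the report or from Gentry's thesis): it carries the GGH operations of Section III and the concrete ideal-lattice scheme of Section V through on constructed lattices, using the same mod-$B$ round-off helper for both, since the concrete Encrypt/Decrypt are exactly the GGH operations applied inside $R = \mathbb{Z}[x]/(x^n + 1)$. Assumptions, all this example's own: the public basis is a fixed unimodular image of the secret basis rather than its HNF; the short random vector that $\mathrm{Samp}_1$ would draw is passed in explicitly so runs are reproducible; $n = 4$ and $t = 1024$ are toy sizes that ignore the report's constraints ($t \ge 4 n l \gamma_{mult}$, sub-exponential $r_{Dec}/r_{Enc}$) and provide no security; the names reduce_mod, rotation_basis, noise_level and max_depth are not from the paper.

```python
from fractions import Fraction
from math import floor, log, log2

# Editor's toy implementation (not the paper's code). Vectors are rows, matching the
# report's c = e + alpha*B; a polynomial a0 + a1 x + ... + a_{n-1} x^{n-1} is the row
# (a0, ..., a_{n-1}). Arithmetic is exact (Fractions); every number is constructed.

def round_nearest(x):
    """The report's round-off operator: closest integer to a Fraction."""
    return floor(x + Fraction(1, 2))

def inverse(M):
    """Exact inverse of a nonsingular square integer matrix (Gauss-Jordan over Q)."""
    n = len(M)
    A = [[Fraction(v) for v in M[i]] + [Fraction(int(i == j)) for j in range(n)]
         for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                A[r] = [a - A[r][col] * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def vecmat(v, M):
    """Row vector times matrix."""
    return [sum(v[i] * M[i][j] for i in range(len(M))) for j in range(len(M[0]))]

def reduce_mod(t, B, B_inv):
    """t mod B = t - round(t*B^-1)*B: the representative of t + L(B) inside the
    centred parallelepiped P(B). Decoding is only correct if the true offset is in P(B)."""
    coeffs = [round_nearest(c) for c in vecmat(t, B_inv)]
    return [int(a - b) for a, b in zip(t, vecmat(coeffs, B))]

# --- Section III (GGH) on a constructed, hand-checkable 2-D lattice ---
B_SK = [[7, 1], [1, 7]]            # good basis: nearly orthogonal, rho_sk ~ 3.39
B_PK = [[8, 8], [17, 23]]          # = U*B_SK, U = [[1,1],[2,3]] unimodular; skewed
                                   # (rho_pk ~ 2.12); stand-in for HNF(B_SK)
B_SK_INV, B_PK_INV = inverse(B_SK), inverse(B_PK)

def in_parallelepiped(v, B_inv):
    """True iff every coordinate of v w.r.t. the basis lies in (-1/2, 1/2)."""
    return all(abs(c) < Fraction(1, 2) for c in vecmat(v, B_inv))

def ggh_encrypt(e):                # c <- e mod B_pk
    return reduce_mod(e, B_PK, B_PK_INV)

def ggh_decrypt(c):                # e <- c mod B_sk
    return reduce_mod(c, B_SK, B_SK_INV)

# --- Section V: R = Z[x]/(x^N + 1), I = (2) with B_I = 2*Identity, J = (v1) ---
N, T = 4, 1024                     # toy sizes; the report needs t >= 4 n l gamma_mult

def polymul(a, b):
    """Multiply in Z[x]/(x^N + 1); the wrap x^N = -1 gives the rotation structure."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return out

def rotation_basis(v):
    """Rows v, v*x, ..., v*x^(N-1): the basis of the principal ideal (v)."""
    rows, cur, x = [], list(v), [0, 1] + [0] * (N - 2)
    for _ in range(N):
        rows.append(cur)
        cur = polymul(cur, x)
    return rows

V1 = [T, 1, 0, 0]                  # v1 = t*e1 + z with z = x, so ||z|| = 1
BJ_SK = rotation_basis(V1)         # secret basis, nearly t*Identity: P(BJ_sk) is fat
U = [[1, 0, 0, 0], [2, 1, 0, 0], [3, 5, 1, 0], [7, 1, 4, 1]]   # unimodular, det 1
BJ_PK = [vecmat(u, BJ_SK) for u in U]   # same lattice, skewed; stand-in for HNF
BJ_SK_INV, BJ_PK_INV = inverse(BJ_SK), inverse(BJ_PK)

def encrypt(pi, r):
    """psi = (pi + 2r) mod BJ_pk; r is the short vector Samp1 would draw at random."""
    return reduce_mod([p + 2 * ri for p, ri in zip(pi, r)], BJ_PK, BJ_PK_INV)

def decrypt(psi):
    """(psi mod BJ_sk) mod B_I; with B_I = 2*Identity that is coefficient-wise mod 2."""
    return [c % 2 for c in reduce_mod(psi, BJ_SK, BJ_SK_INV)]

def add(psi1, psi2):               # Add_{B_J^pk}: ring addition mod the public basis
    return reduce_mod([a + b for a, b in zip(psi1, psi2)], BJ_PK, BJ_PK_INV)

def mult(psi1, psi2):              # Mult_{B_J^pk}: ring multiplication mod the public basis
    return reduce_mod(polymul(psi1, psi2), BJ_PK, BJ_PK_INV)

def noise_level(psi):
    """Largest coordinate, w.r.t. BJ_sk, of the offset pi + 2r (and its products) that
    decryption recovers. Evaluate keeps working only while the true value stays below
    1/2; past that the round-off wraps and decryption silently returns garbage."""
    return max(abs(c) for c in vecmat(reduce_mod(psi, BJ_SK, BJ_SK_INV), BJ_SK_INV))

def max_depth(r_enc, r_dec, gamma):
    """Depth bound of Section V: largest k with (gamma*r_enc)^(2^k) <= r_dec."""
    return max(0, floor(log2(log(r_dec) / log(gamma * r_enc))))

if __name__ == "__main__":
    c1, c2 = encrypt([1, 0, 0, 0], [1, 0, -1, 0]), encrypt([0, 1, 0, 0], [0, 1, 0, 1])
    print(decrypt(add(c1, c2)), decrypt(mult(c1, c2)), float(noise_level(mult(c1, c2))))
```

Running it: for the 2-D lattice, e = (2, -2) lies inside P(B_sk) but outside P(B_pk), so the ciphertext c = (3, 5) reduces back to e under B_sk while c mod B_pk is just c again, which is the Section III.B remark made concrete. For the ring scheme, 1 and x encrypt to ciphertexts whose sum decrypts to 1 + x and whose product decrypts to x; noise_level grows from about 3/t for a fresh ciphertext to about 13/t after one multiplication, the same squaring behaviour the lemma in Section V bounds. max_depth with the report's worst-case radii for this toy (r_Enc = 2n + 2n^1.5 = 24, r_Dec = t/4 = 256, gamma = 2) returns 0: the bound is conservative, and the multiplication only succeeds here because the chosen r is far shorter than l_Samp1 = n permits.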