Abstract

For the decryption of the fully homomorphic encryption (FHE) over the integers with the message space $\mathbb{Z}_Q$, Nuida and Kurosawa proposed a $Q^4\lambda$-multiplicative-degree circuit to compute it at Eurocrypt 2015, where $\lambda$ is the security parameter and the message size $Q$ is a constant. Since the degree of the decryption circuit is polynomial in $Q$, the range of the message size $Q$ is limited. In this work, we solve this open problem as long as $Q$ is large enough (larger than $\lambda$). We represent the decryption circuit as an arithmetic polynomial of multiplicative degree $108\cdot\lambda\log^3\lambda$, which is independent of the message size $Q$ except for the constraint $Q > \lambda$. Moreover, the bootstrapping process requires only $O(\lambda\cdot\log\lambda)$ multiplications to implement the decryption circuit, which is significantly lower than the $O(\lambda^4)$ of Nuida and Kurosawa's work. We also show the efficiency of the FHE scheme with message space $\mathbb{Z}_Q$ compared to the FHE scheme with binary message space. As a result, we have that the former is preferable.

Highlights

  • In 1978, Rivest, Adleman, and Dertouzos introduced the notion of fully homomorphic encryption (FHE) which can compute any circuit on encrypted data without decryption [1]

  • The goal we describe in this subsection is to emphasize that our work in the last subsection reduces the multiplicative degree of decryption circuit from $O(\lambda^3)$ to $O(\lambda\log^3\lambda)$

  • We propose an FHE scheme over the integers with message space $\mathbb{Z}_Q$ for any prime $Q > \theta$


Summary

Introduction

In 1978, Rivest, Adleman, and Dertouzos introduced the notion of fully homomorphic encryption (FHE) which can compute any circuit on encrypted data without decryption [1]. In the FHE scheme, the ciphertext associated with the large prime message space needs a low-degree decryption circuit. The usual technique for squashing the decryption circuit amounts to homomorphically evaluating a large integer sum of the form $\sum_{i=1}^{\Theta} s_i z_i$, where the $s_i$ are secret bits and the $z_i$ are public constants computed from the original ciphertexts and public parameters. It is easy to simulate the second circuit by applying the three-for-two trick over $\mathbb{Z}_Q$. It will cost some additional multiplicative degree, since we need an arithmetic polynomial of degree 2 to compute the XOR operation. To state the efficiency of $\mathrm{CLT}_Q$ with our bootstrapping procedure, we compare it with the scheme Conkert-$\mathrm{CLT}_2$, which converts the mod-$Q$ arithmetic circuit to binary and evaluates all the operations using the scheme $\mathrm{CLT}_2$ with binary message space.
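An added example, not taken from the paper: the three-for-two trick mentioned above, run on plaintext bits embedded in Z_Q with only additions and multiplications mod Q, reducing the terms s_i·z_i of the squashed sum to two addends. The modulus 257, the 8-bit width, the sample values and all function names are assumptions chosen for illustration.

```python
# Added illustration: bits are the elements 0 and 1 of Z_Q; Q is a constructed prime.
Q = 257

def xor(a, b):
    # Degree-2 arithmetic polynomial for XOR on {0,1}: a + b - 2ab
    return (a + b - 2 * a * b) % Q

def maj(a, b, c):
    # Carry of a + b + c on {0,1}: ab + bc + ca - 2abc (degree 3)
    return (a * b + b * c + c * a - 2 * a * b * c) % Q

def three_for_two(x, y, z):
    """One carry-save step on little-endian bit vectors: x + y + z == s + c (mod 2^n)."""
    n = len(x)
    s = [xor(xor(x[i], y[i]), z[i]) for i in range(n)]
    c = [0] + [maj(x[i], y[i], z[i]) for i in range(n - 1)]  # carries shift left by one
    return s, c

def to_bits(v, n):
    return [(v >> i) & 1 for i in range(n)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def squash_sum(secret_bits, z_values, n):
    """Reduce the terms s_i * z_i to at most two addends; returns (rows, layers)."""
    # s_i is secret, the bits of z_i are public: one multiplication per bit
    rows = [[(s * zb) % Q for zb in to_bits(z, n)] for s, z in zip(secret_bits, z_values)]
    layers = 0
    while len(rows) > 2:
        full = len(rows) - len(rows) % 3
        nxt = []
        for i in range(0, full, 3):
            nxt.extend(three_for_two(rows[i], rows[i + 1], rows[i + 2]))
        rows = nxt + rows[full:]   # rows that did not fit a triple pass through
        layers += 1
    return rows, layers

if __name__ == "__main__":
    s = [1, 0, 1, 1, 0, 1, 1]                 # constructed secret bits
    z = [201, 77, 140, 9, 255, 66, 180]       # constructed public constants
    rows, layers = squash_sum(s, z, n=8)
    total = sum(from_bits(r) for r in rows) % 2 ** 8
    print(total, "after", layers, "layers; degree in the s_i is at most", 3 ** layers)
```

Each layer composes polynomials of degree at most 3, so the formal degree in the secret bits grows by a factor of up to 3 per layer, which is why the depth of this reduction feeds directly into the multiplicative degree of the decryption circuit.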

Preliminaries
Bootstrapping the Decryption
FHE Scheme $\mathrm{CLT}_Q$ with Our Bootstrapping Procedure
Conclusion