Implementing Gentry's Fully-Homomorphic Encryption Scheme: Preliminary Report


Craig Gentry, Shai Halevi
August 5, 2010

Abstract

We describe a working implementation of a variant of Gentry's fully homomorphic encryption scheme (STOC 2009), similar to the variant used in an earlier implementation effort by Smart and Vercauteren (PKC 2010). Smart and Vercauteren implemented the underlying "somewhat homomorphic" scheme, but were not able to implement the bootstrapping functionality that is needed to get the complete scheme to work. We show a number of optimizations that allow us to implement all aspects of the scheme, including the bootstrapping functionality.

We tested our implementation with lattices of several dimensions, corresponding to several security levels: from a toy setting in dimension 512, to small, medium, and large settings in dimensions 2048, 8192, and 32768, respectively. The public-key size ranges from 70 Megabytes for the small setting to 2.3 Gigabytes for the large setting. The time to run one bootstrapping operation (on a 1-CPU 64-bit machine with large memory) ranges from 30 seconds for the small setting to 30 minutes for the large setting.

1 Introduction

Encryption schemes that support operations on encrypted data (aka homomorphic encryption) have a very wide range of applications in cryptography. This concept was introduced by Rivest et al. shortly after the discovery of public key cryptography [13], and many known public-key cryptosystems support either addition or multiplication of encrypted data. However, supporting both at the same time seems harder, and until very recently all the attempts at constructing so-called "fully homomorphic" encryption turned out to be insecure. In 2009, Gentry described the first plausible construction of a fully homomorphic cryptosystem [4].
Gentry's construction consists of several steps: We first construct a somewhat homomorphic scheme that supports evaluating low-degree polynomials on the encrypted data, next we need to "squash" the decryption procedure so that it can be expressed as a low-degree polynomial which is supported by the scheme, and finally we can apply a "bootstrapping" transformation to obtain a fully homomorphic scheme. The crucial point in this process is to obtain a scheme that can evaluate polynomials of high-enough degree, and at the same time has a decryption procedure that can be expressed as a polynomial of low-enough degree. Once the degree of polynomials that can be evaluated by the scheme exceeds the degree of the decryption polynomial (times two), the scheme is called bootstrappable and it can then be converted into a fully homomorphic scheme.

Toward a bootstrappable scheme, Gentry described in [4] a somewhat homomorphic scheme, which is roughly a GGH-type scheme [8, 10] over ideal lattices. Gentry later proved [5] that with an appropriate key-generation procedure, the security of that scheme can be (quantumly) reduced to the worst-case hardness of some lattice problems in ideal lattices.

This somewhat homomorphic scheme is not yet bootstrappable, so Gentry described in [4] a transformation to squash the decryption procedure, reducing the degree of the decryption polynomial. This is done by adding to the public key an additional hint about the secret key, in the form of a "sparse subset-sum" problem (SSSP). Namely the public key is augmented with a big set of vectors, such that there exists a very sparse subset of them that adds up to the secret key. A ciphertext of the underlying scheme can be "post-processed" using this additional hint, and the post-processed ciphertext can be decrypted with a low-degree polynomial, thus obtaining a bootstrappable scheme.

Stehlé and Steinfeld described in [17] two optimizations to Gentry's scheme, one that reduces the number of vectors in the SSSP instance, and another that can be used to reduce the degree of the decryption polynomial (at the expense of introducing a small probability of decryption errors). We mention that in our implementation we use the first optimization but not the second (footnote 1).

1.1 The Smart-Vercauteren implementation

The first attempt to implement Gentry's scheme was made in 2010 by Smart and Vercauteren [16]. They chose to implement a variant of the scheme using "principal-ideal lattices", and moreover required that the determinant of the lattice be a prime number. Specifically, the key-generation procedure repeatedly chooses random principal ideals until the corresponding lattice has a prime determinant. Such lattices can be represented implicitly by just two integers (regardless of their dimension), and moreover Smart and Vercauteren described a decryption method where the secret key is represented by a single integer.
Smart and Vercauteren were able to implement the underlying somewhat homomorphic scheme, but they were not able to support large enough parameters to make Gentry's squashing technique go through. As a result they could not obtain a bootstrappable scheme or a fully homomorphic scheme.

One obstacle in the Smart-Vercauteren implementation was the complexity of key generation for the somewhat homomorphic scheme: For one thing, since they require that their lattices have prime determinant they must generate very many candidates before they find one whose determinant is prime. (One may need to try as many as $n^{1.5}$ candidates when working with lattices in dimension $n$.) And even after finding one, the complexity of computing the secret key that corresponds to this lattice is at least $\Theta(n^{3.5})$ for lattices in dimension $n$. For both of these reasons, they were not able to generate keys in dimensions $n > \ldots$ Moreover, Smart and Vercauteren estimated that the squashed decryption polynomial will have degree of a few hundreds, and that to support this procedure with their parameters they need to use lattices of dimension at least $n = 2^{27}$ (…), which is well beyond the capabilities of the key-generation procedure.

1.2 Our implementation

We continue in the same direction of the Smart-Vercauteren implementation and describe optimizations that allow us to implement also the squashing part, thereby obtaining a bootstrappable scheme and a fully homomorphic scheme. For key-generation, we eliminate the requirement that the determinant of the lattice be prime, and also present a faster algorithm for computing the secret key. We also present many simplifications and optimizations for the squashed decryption procedure, and as a result our decryption polynomial has degree only fifteen. Finally, our choice of parameters is somewhat more aggressive than Smart and Vercauteren (which we complement by analyzing the complexity of known attacks).

Footnote 1. The reason we do not use the second optimization is that the decryption error probability is too high for our parameter settings.

Differently from [16], we decouple the dimension $n$ from the size of the integers that we choose during key generation (footnote 2). Decoupling these two parameters lets us decouple functionality from security. Namely, we can obtain bootstrappable schemes in any given dimension, but of course the schemes in low dimensions will not be secure. Our (rather crude) analysis suggests that the scheme may be practically secure at dimension $n = 2^{15}$, and we put this analysis to the test by publishing a few challenges in dimensions ranging from 2048 up to …

1.3 Organization

This report is organized in two parts, after some background in Section 2. In Part I we describe our implementation of the underlying "somewhat homomorphic" encryption scheme, and in Part II we describe our optimizations that are specific to the bootstrapping functionality. To aid reading, we list here all the optimizations that are described in this report, with pointers to the sections where they are presented.

Somewhat-homomorphic scheme.

1. We replace the Smart-Vercauteren requirement [16] that the lattice has prime determinant, by the much weaker requirement that the Hermite normal form (HNF) of the lattice has a particular form, as explained in Step 3 of Section 3. We also provide a simple criterion for checking for this special form.

2. We decrypt using a single coefficient of the secret inverse polynomial (similarly to Smart-Vercauteren [16]), but using modular arithmetic rather than rational division.
See Section ….

3. We use a highly optimized algorithm for computing the resultant and inverse of a given polynomial $v(x)$ with respect to $f(x) = x^{2^m} \pm 1$, see Section ….

4. We use batch techniques to speed-up encryption. Specifically, we use an efficient algorithm for batch evaluation of many polynomials with small coefficients on the same point. See Section 5. Our algorithm, when specialized to evaluating a single polynomial, is essentially the same as Avanzi's trick [1], which itself is similar to the algorithm of Paterson and Stockmeyer [11]. The time to evaluate $k$ polynomials is only $O(\sqrt{k})$ more than evaluating a single polynomial.

Fully homomorphic scheme.

5. The secret key in our implementation is a binary vector of length $S \approx 1000$, with only $s = 15$ bits set to one, and the others set to zero. We get significant speedup by representing the secret key in $s$ groups of $S$ bits each, such that each group has a single 1-bit in it. See Section ….

Footnote 2. The latter parameter is denoted $t$ in this report. It is the logarithm of the parameter $\eta$ in [16].

6. The public key of the bootstrappable scheme contains an instance of the sparse-subset-sum problem, and we use instances that have a very space-efficient representation. Specifically, we derive our instances from geometric progressions. See Section ….

7. Similarly, the public key of the fully homomorphic scheme contains an encryption of all the secret-key bits, and we use a space-time tradeoff to optimize the space that it takes to store all these ciphertexts without paying too much in running time. See Section 9.2.

Finally, our choice of parameters is presented in Section 10, and some performance numbers are given in Section ….

2 Background

Notations. Throughout this report we use $\cdot$ to denote scalar multiplication and $\times$ to denote any other type of multiplication. For integers $z, d$, we denote the reduction of $z$ modulo $d$ by either $[z]_d$ or $\langle z \rangle_d$. We use $[z]_d$ when the operation maps integers to the interval $[-d/2, d/2)$, and use $\langle z \rangle_d$ when the operation maps integers to the interval $[0, d)$. We use the generic "$z \bmod d$" when the specific interval does not matter (e.g., $\bmod 2$). For example we have $[13]_5 = -2$ vs. $\langle 13 \rangle_5 = 3$, but $[9]_7 = \langle 9 \rangle_7 = 2$.

For a rational number $q$, we denote by $\lceil q \rceil$ the rounding of $q$ to the nearest integer, and by $[q]$ we denote the distance between $q$ and the nearest integer. That is, if $q = a/b$ then $[q] \stackrel{\mathrm{def}}{=} [a]_b / b$ and $\lceil q \rceil \stackrel{\mathrm{def}}{=} q - [q]$. For example, $\lceil 13/5 \rceil = 3$ and $[13/5] = -2/5$. These notations are extended to vectors in the natural way: for example if $\vec q = \langle q_0, q_1, \ldots, q_{n-1} \rangle$ is a rational vector then rounding is done coordinate-wise, $\lceil \vec q \rceil = \langle \lceil q_0 \rceil, \lceil q_1 \rceil, \ldots, \lceil q_{n-1} \rceil \rangle$.

2.1 Lattices

A full-rank $n$-dimensional lattice is a discrete subgroup of $\mathbb{R}^n$, concretely represented as the set of all integer linear combinations of some basis $B = (\vec b_1, \ldots, \vec b_n) \subset \mathbb{R}^n$ of linearly independent vectors. Viewing the vectors $\vec b_i$ as the rows of a matrix $B \in \mathbb{R}^{n \times n}$, we have: $L = L(B) = \{ \vec y \times B : \vec y \in \mathbb{Z}^n \}$.

Every lattice has an infinite number of lattice bases. If $B_1$ and $B_2$ are two lattice bases of $L$, then there is some unimodular matrix $U$ (i.e., $U$ has integer entries and $\det(U) = \pm 1$) satisfying $B_1 = U \times B_2$. Since $U$ is unimodular, $\det(B_i)$ is invariant for different bases of $L$. Since it is invariant, we may refer to $\det(L)$. This value is precisely the size of the quotient group $\mathbb{Z}^n / L$ if $L$ is an integer lattice. To basis $B$ of lattice $L$ we associate the half-open parallelepiped $P(B) \leftarrow \{ \sum_{i=1}^{n} x_i \vec b_i : x_i \in [-1/2, 1/2) \}$. The volume of $P(B)$ is precisely $\det(L)$.

For $\vec c \in \mathbb{R}^n$ and basis $B$ of $L$, we use $\vec c \bmod B$ to denote the unique vector $\vec c' \in P(B)$ such that $\vec c - \vec c' \in L$. Given $\vec c$ and $B$, $\vec c \bmod B$ can be computed efficiently as $\vec c - \lceil \vec c \times B^{-1} \rceil \times B = [\vec c \times B^{-1}] \times B$. (Recall that $\lceil \cdot \rceil$ means rounding to the nearest integer and $[\cdot]$ is the fractional part.)

Every lattice has a unique Hermite normal form (HNF) basis where $b_{i,j} = 0$ for all $i < j$ (lower-triangular), $b_{j,j} > 0$ for all $j$, and for all $i > j$ $b_{i,j} \in [-b_{j,j}/2, +b_{j,j}/2)$. Given any basis $B$ of $L$, one can compute $\mathrm{HNF}(L)$ efficiently via Gaussian elimination. The HNF is in some sense the "least revealing" basis of $L$, and thus typically serves as the public key representation of the lattice [10].
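The notation just introduced and the two lattice operations of Section 2.1 (computing the lower-triangular Hermite normal form of an integer basis with integer row operations, and reducing a vector modulo a basis as $\vec c - \lceil \vec c \times B^{-1}\rceil \times B$), as an added example that is not from the paper or its implementation. The basis, the unimodular matrix and the vector in `demo` are constructed values chosen for hand-checking.

```python
# Added example (not the paper's code): the notation of Section 2 and the lattice
# operations of Section 2.1 on a small constructed basis.
from fractions import Fraction


def sym_mod(z, d):
    """[z]_d : the representative of z modulo d in the interval [-d/2, d/2)."""
    r = z % d
    return r - d if 2 * r >= d else r


def pos_mod(z, d):
    """<z>_d : the representative of z modulo d in the interval [0, d)."""
    return z % d


def frac_part(a, b=1):
    """[q] for the rational q = a/b: the signed distance [a]_b / b from q to the nearest integer."""
    q = Fraction(a, b)
    return Fraction(sym_mod(q.numerator, q.denominator), q.denominator)


def round_nearest(a, b=1):
    """The paper's rounding of q = a/b to the nearest integer, defined as q - [q]."""
    q = Fraction(a, b)
    return int(q - frac_part(q))


def hnf(basis):
    """Lower-triangular Hermite normal form of a full-rank square integer basis whose
    rows span the lattice, using integer row operations only (swap two rows, add an
    integer multiple of one row to another, negate a row), i.e. Gaussian elimination."""
    B = [list(row) for row in basis]
    n = len(B)
    for j in range(n - 1, -1, -1):
        # Euclid on column j across rows 0..j: stop when only row j is nonzero there.
        while any(B[i][j] for i in range(j)):
            p = min((i for i in range(j + 1) if B[i][j]), key=lambda i: abs(B[i][j]))
            B[p], B[j] = B[j], B[p]
            for i in range(j):
                q = B[i][j] // B[j][j]
                B[i] = [a - q * b for a, b in zip(B[i], B[j])]
        if B[j][j] == 0:
            raise ValueError("rows are linearly dependent")
        if B[j][j] < 0:
            B[j] = [-a for a in B[j]]
        # Rows below the diagonal: bring entry (i, j) into [-b_jj/2, b_jj/2).
        for i in range(j + 1, n):
            q = (B[i][j] - sym_mod(B[i][j], B[j][j])) // B[j][j]
            B[i] = [a - q * b for a, b in zip(B[i], B[j])]
    return B


def reduce_mod_hnf(c, B):
    """c mod B = c - round(c * B^-1) * B = [c * B^-1] * B for a lower-triangular basis B.
    Back-substitution solves x * B = c exactly over Q; the result is the unique
    representative of c inside the parallelepiped P(B)."""
    n = len(B)
    x = [Fraction(0)] * n
    for j in range(n - 1, -1, -1):
        below = sum((x[i] * B[i][j] for i in range(j + 1, n)), Fraction(0))
        x[j] = (c[j] - below) / B[j][j]
    k = [round_nearest(xj) for xj in x]          # the rounded coordinates of c * B^-1
    return [c[col] - sum(k[i] * B[i][col] for i in range(n)) for col in range(n)]


def demo():
    """Constructed example: two bases of one 2-dimensional lattice share a single HNF
    (B1 = U * B2 with the unimodular U = [[1, 1], [0, 1]]), and (7, 5) reduced modulo
    that HNF lands inside P(B)."""
    B1 = [[5, 2], [1, 2]]
    B2 = [[4, 0], [1, 2]]
    H = hnf(B1)
    return H, hnf(B2) == H, reduce_mod_hnf([7, 5], H)
```

The paper's examples check out on these functions: `sym_mod(13, 5)` is $-2$ while `pos_mod(13, 5)` is $3$, and `round_nearest(13, 5)` is $3$ with `frac_part(13, 5)` equal to $-2/5$. In `demo`, $\vec c \times B^{-1} = \langle 9/8, 5/2 \rangle$ rounds to $\langle 1, 3\rangle$, so $\vec c \bmod B = \langle 7, 5\rangle - \langle 7, 6\rangle = \langle 0, -1 \rangle$, whose coordinates with respect to $B$ are $\langle 1/8, -1/2\rangle \in [-1/2, 1/2)^2$.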

Short vectors and Bounded Distance Decoding. The shortest nonzero vector in a lattice $L$ is denoted $\lambda_1(L)$, and Minkowski's theorem says that for any $n$-dimensional lattice $L$ we have $\lambda_1(L) < \sqrt{n}\,\det(L)^{1/n}$. Heuristically, for random lattices the quantity $\det(L)^{1/n}$ serves as a threshold: for $t \ll \det(L)^{1/n}$ we don't expect to find any nonzero vectors in $L$ of size $t$, but for $t \gg \det(L)^{1/n}$ we expect to find exponentially many vectors in $L$ of size $t$.

In the bounded distance decoding problem (BDDP), one is given a basis $B$ of some lattice $L$, and a vector $\vec c$ that is very close to some lattice point of $L$, and the goal is to find the point in $L$ nearest to $\vec c$. In the promise problem $\gamma$-BDDP, we have a parameter $\gamma > 1$ and the promise that $\mathrm{dist}(L, \vec c) \stackrel{\mathrm{def}}{=} \min_{\vec v \in L}\{\|\vec c - \vec v\|\} \le \det(L)^{1/n}/\gamma$. (BDDP is often defined with respect to $\lambda_1$ rather than with respect to $\det(L)^{1/n}/\gamma$, but the current definition is more convenient in our case.)

Gama and Nguyen conducted extensive experiments with lattices in dimensions … [2], and concluded that for those dimensions it is feasible to solve $\gamma$-BDDP when $\gamma > 1.01^n \approx 2^{n/70}$. More generally, the best algorithms for solving the $\gamma$-BDDP in $n$-dimensional lattices take time exponential in $n/\log\gamma$. Specifically, in time $2^k$ currently known algorithms can solve $\gamma$-BDDP in dimension $n$ up to $\gamma = 2^{\mu n/(k/\log k)}$, where $\mu$ is a parameter that depends on the exact details of the algorithm. (Extrapolating from the Gama-Nguyen experiments, we expect something like $\mu \in [0.1, 0.2]$.)

2.2 Ideal Lattices

Let $f(x)$ be an integer monic irreducible polynomial of degree $n$. In this paper, we use $f(x) = x^n + 1$, where $n$ is a power of 2. Let $R$ be the ring of integer polynomials modulo $f(x)$, $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(f(x))$. Each element of $R$ is a polynomial of degree $n-1$, and thus is associated to a coefficient vector in $\mathbb{Z}^n$. In this way, we can view each element of $R$ as being both a polynomial and a vector. For $\vec v(x)$, we let $\|\vec v\|$ be the Euclidean norm of its coefficient vector.

For every ring $R$, there is an associated expansion factor $\gamma_{\mathrm{Mult}}(R)$ such that $\|\vec u \times \vec v\| \le \gamma_{\mathrm{Mult}}(R) \cdot \|\vec u\| \cdot \|\vec v\|$, where $\times$ denotes multiplication in the ring. When $f(x) = x^n + 1$, $\gamma_{\mathrm{Mult}}(R)$ is $\sqrt{n}$. However, for "random vectors" $\vec u, \vec v$ the expansion factor is typically much smaller, and our experiments suggest that we typically have $\|\vec u \times \vec v\| \approx \|\vec u\| \cdot \|\vec v\|$.

Let $I$ be an ideal of $R$, that is, a subset of $R$ that is closed under addition and multiplication by elements of $R$. Since $I$ is additively closed, the coefficient vectors associated to elements of $I$ form a lattice. We call $I$ an ideal lattice to emphasize this object's dual nature as an algebraic ideal and a lattice (footnote 3). Ideals have additive structure as lattices, but they also have multiplicative structure. The product $IJ$ of two ideals $I$ and $J$ is the additive closure of the set $\{\vec v \times \vec w : \vec v \in I, \vec w \in J\}$, where $\times$ is ring multiplication. To simplify things, we will use principal ideals of $R$, i.e., ideals with a single generator. The ideal $(\vec v)$ generated by $\vec v \in R$ corresponds to the lattice generated by the vectors $\{\vec v_i \stackrel{\mathrm{def}}{=} \vec v \times \vec x^i \bmod f(x) : i \in [0, n-1]\}$; we call this the rotation basis of the ideal lattice $(\vec v)$.

Let $K$ be a field containing the ring $R$ (in our case $K = \mathbb{Q}[x]/(f(x))$). The inverse of an ideal $I \subseteq R$ is $I^{-1} = \{\vec w \in K : \forall \vec v \in I,\ \vec v \times \vec w \in R\}$. The inverse of a principal ideal $(\vec v)$ is given by $(\vec v^{-1})$, where the inverse $\vec v^{-1}$ is taken in the field $K = \mathbb{Q}(x)/(f(x))$. We say that ideal $I$ divides ideal $J$ if $JI^{-1} \subseteq R$. $I$ is a prime ideal if $I$ dividing $AB$ implies $I$ divides $A$ or $B$. The ideal $I^{-1}$ or $JI^{-1}$ is sometimes called a fractional ideal, particularly when it is not a subset of $R$.

Footnote 3. Alternative representations of an ideal lattice are possible, e.g., see [12, 9].

2.3 GGH-type Cryptosystems

We briefly recall here the "cleaned-up" version of GGH cryptosystems [8], as described by Micciancio [10]. The secret and public keys of a GGH-type cryptosystem are simply "good" and "bad" bases of some lattice $L$. More specifically, the key-holder generates a good basis by choosing $B_{sk}$ to be a basis of short, "nearly orthogonal" vectors. Then it sets the public key to be the Hermite normal form of the same lattice, $B_{pk} \stackrel{\mathrm{def}}{=} \mathrm{HNF}(L(B_{sk}))$.

A ciphertext in a GGH-type cryptosystem is a vector $\vec c$ close to the lattice $L(B_{pk})$, and the message which is encrypted in this ciphertext is somehow embedded in the distance from $\vec c$ to the nearest lattice vector. To encrypt a message $m$, the sender chooses a short "error vector" $\vec e$ that encodes $m$, and then computes the ciphertext as $\vec c \leftarrow \vec e \bmod B_{pk}$. Note that if $\vec e$ is short enough (i.e., less than $\lambda_1(L)/2$), then it is indeed the distance between $\vec c$ and the nearest lattice point.

To decrypt, the key-holder uses its "good" basis $B_{sk}$ to recover $\vec e$ by setting $\vec e \leftarrow \vec c \bmod B_{sk}$, and then recovers $m$ from $\vec e$. The reason decryption works is that, if the parameters are chosen correctly, then the parallelepiped $P(B_{sk})$ of the secret key will be a "plump" parallelepiped that contains a sphere of radius bigger than $\|\vec e\|$, so that $\vec e$ is the point inside $P(B_{sk})$ that equals $\vec c$ modulo $L$. On the other hand, the parallelepiped $P(B_{pk})$ of the public key will be very skewed, and will not contain a sphere of large radius, making it useless for solving BDDP instances.

2.4 Gentry's Somewhat-Homomorphic Cryptosystem

Gentry's somewhat homomorphic encryption scheme [4] can be seen as a GGH-type scheme over ideal lattices. The public key consists of a "bad" basis $B_{pk}$ of an ideal lattice $J$, along with some basis $B_I$ of a "small" ideal $I$ (which is used to embed messages into the error vectors). For example, the small ideal $I$ can be taken to be $I = (2)$, the set of vectors with all even coefficients.

A ciphertext in Gentry's scheme is a vector close to a $J$-point, with the message being embedded in the distance to the nearest lattice point. More specifically, the plaintext space is (some subset of) $R/I = \{0, 1\}^n$; for a message $\vec m \in \{0, 1\}^n$ we set $\vec e = 2\vec r + \vec m$ for a random small vector $\vec r$, and then output the ciphertext $\vec c \leftarrow \vec e \bmod B_{pk}$.

The secret key in Gentry's scheme (that plays the role of the "good basis" of $J$) is just a short vector $\vec w \in J^{-1}$. Decryption involves computing the fractional part $[\vec w \times \vec c]$. This fractional part happens to equal $[\vec w \times \vec e]$, since $\vec c = \vec j + \vec e$ for some $\vec j \in J$, and therefore $\vec w \times \vec c = \vec w \times \vec j + \vec w \times \vec e$. But $\vec w \times \vec j$ is in $R$ and thus an integer vector, so $\vec w \times \vec c$ and $\vec w \times \vec e$ have the same fractional part. If $\vec w$ and $\vec e$ are short enough (in particular, if we have the guarantee that all of the coefficients of $\vec w \times \vec e$ have magnitude less than $1/2$) then $[\vec w \times \vec e]$ equals $\vec w \times \vec e$ exactly. From $\vec w \times \vec e$, the decryptor can multiply by $\vec w^{-1}$ to recover $\vec e$, and then recover $\vec m \leftarrow \vec e \bmod 2$. The actual decryption procedure from [4] is slightly different, however. Specifically, $\vec w$ is "tweaked" so that decryption can be implemented as $\vec m \leftarrow \vec c - [\vec w \times \vec c] \bmod 2$ (when $I = (2)$).

The reason that this scheme is somewhat homomorphic is that for two ciphertexts $\vec c_1 = \vec j_1 + \vec e_1$ and $\vec c_2 = \vec j_2 + \vec e_2$, their sum is $\vec j_3 + \vec e_3$ where $\vec j_3 = \vec j_1 + \vec j_2 \in J$ and $\vec e_3 = \vec e_1 + \vec e_2$ is small. Similarly, their product is $\vec j_4 + \vec e_4$ where $\vec j_4 = \vec j_1 \times (\vec j_2 + \vec e_2) + \vec e_1 \times \vec j_2 \in J$ and $\vec e_4 = \vec e_1 \times \vec e_2$ is still small. If fresh encrypted ciphertexts are very very close to the lattice, then it is possible to add and multiply ciphertexts for a while before the error grows beyond the decryption radius of the secret key.

2.4.1 The Smart-Vercauteren Variant

Smart and Vercauteren [16] work over the ring $R = \mathbb{Z}[x]/f_n(x)$, where $f_n(x) = x^n + 1$ and $n$ is a power of two. The ideal $J$ is set as a principal ideal by choosing a vector $\vec v$ at random from some $n$-dimensional cube, subject to the condition that the determinant of $(\vec v)$ is prime, and then setting $J = (\vec v)$. It is known that such ideals can be implicitly represented by only two integers, namely the determinant $d = \det(J)$ and a root $r$ of $f_n(x)$ modulo $d$. (An easy proof of this fact "from first principles" can be derived from our Lemma 1 below.) Specifically, the Hermite normal form of this ideal lattice is

$$\mathrm{HNF}(J) = \begin{pmatrix} d & & & & \\ -r & 1 & & & \\ -[r^2]_d & 0 & 1 & & \\ -[r^3]_d & 0 & 0 & 1 & \\ \vdots & & & & \ddots \\ -[r^{n-1}]_d & 0 & 0 & \cdots & 1 \end{pmatrix} \qquad (1)$$

It is easy to see that reducing a vector $\vec a$ modulo $\mathrm{HNF}(J)$ consists of evaluating the associated polynomial $a(x)$ at the point $r$ modulo $d$, then outputting the vector $\langle [a(r)]_d, 0, 0, \ldots, 0 \rangle$ (see Section 5). Hence encryption of a bit $m \in \{0, 1\}$ can be done by choosing a random "small" polynomial $u(x)$ and evaluating it at $r$, then outputting the integer $c \leftarrow [2u(r) + m]_d$. Smart and Vercauteren also described a decryption procedure that uses a single integer $w$ as the secret key, setting $m \leftarrow (c - \lceil cw/d \rceil) \bmod 2$. Jumping ahead, we note that our decryption procedure from Section 6 is very similar, except that we replace the rational division $cw/d$ by modular multiplication $[cw]_d$.

2.5 Gentry's Fully-Homomorphic Scheme

As explained above, Gentry's somewhat-homomorphic scheme can evaluate low-degree polynomials but not more. Once the degree (or the number of terms) is too large, the error vector $\vec e$ grows beyond the decryption capability of the private key. Gentry solved this problem using bootstrapping. He observed in [4] that a scheme that can homomorphically evaluate its own decryption circuit plus one additional operation can be transformed into a fully-homomorphic encryption. In more detail, fix two ciphertexts $\vec c_1, \vec c_2$ and consider the functions

$$\mathrm{DAdd}_{\vec c_1, \vec c_2}(sk) \stackrel{\mathrm{def}}{=} \mathrm{Dec}_{sk}(\vec c_1) + \mathrm{Dec}_{sk}(\vec c_2) \quad \text{and} \quad \mathrm{DMul}_{\vec c_1, \vec c_2}(sk) \stackrel{\mathrm{def}}{=} \mathrm{Dec}_{sk}(\vec c_1) \times \mathrm{Dec}_{sk}(\vec c_2).$$
A somewhat-homomorphic scheme is called bootstrappable if it is capable of homomorphically evaluating the functions $\mathrm{DAdd}_{\vec c_1, \vec c_2}$ and $\mathrm{DMul}_{\vec c_1, \vec c_2}$ for any two ciphertexts $\vec c_1, \vec c_2$. Given a bootstrappable scheme that is also circular secure, it can be transformed into a fully-homomorphic scheme by adding to the public key an encryption of the secret key, $\vec c^* \leftarrow \mathrm{Enc}_{pk}(sk)$. Then given any two ciphertexts $\vec c_1, \vec c_2$, the addition/multiplication of these two ciphertexts can be computed by homomorphically evaluating the functions $\mathrm{DAdd}_{\vec c_1, \vec c_2}(\vec c^*)$ or $\mathrm{DMul}_{\vec c_1, \vec c_2}(\vec c^*)$. Note that the error does not grow, since we always evaluate these functions on the fresh ciphertext $\vec c^*$ from the public key.

Unfortunately, the somewhat-homomorphic scheme from above is not bootstrappable. Although it is capable of evaluating low-degree polynomials, its decryption function, when expressed as a polynomial in the secret key bits, has degree which is too high. To overcome this problem Gentry shows how to "squash the decryption circuit", transforming the original somewhat-homomorphic scheme $E$ into a scheme $E^*$ that can correctly evaluate any circuit that $E$ can, but where the complexity of $E^*$'s decryption circuit is much less than $E$'s.

In the original somewhat-homomorphic scheme $E$, the secret key is a vector $\vec w$. In the new scheme $E^*$, the public key includes an additional "hint" about $\vec w$, namely, a big set of vectors $S = \{\vec x_i : i = 1, 2, \ldots, S\}$ that have a hidden sparse subset $T$ that adds up to $\vec w$. The secret key of $E^*$ is the characteristic vector of the sparse subset $T$, which is denoted $\vec\sigma = \langle \sigma_1, \sigma_2, \ldots, \sigma_S \rangle$. Whereas decryption in the original scheme involved computing $\vec m \leftarrow \vec c - [\vec w \times \vec c] \bmod 2$, in the new scheme the ciphertext $\vec c$ is post-processed by computing the products $\vec y_i = \vec x_i \times \vec c$ for all of the vectors $\vec x_i \in S$. Obviously, then, the decryption in the new scheme can be done by computing $\vec c - [\sum_j \sigma_j \vec y_j] \bmod 2$. Using some additional tricks, this computation can be expressed as a polynomial in the $\sigma_i$'s of degree roughly the size of the sparse subset $T$. (The underlying algorithm is simple grade-school addition: add up the least significant column, bring a carry bit over to the next column if necessary, and so on.) With appropriate setting of the parameters, the subset $T$ can be made small enough to get a bootstrappable scheme.

Part I: The Somewhat Homomorphic Scheme

3 Key generation

We adopt the Smart-Vercauteren approach [16], in that we also use principal-ideal lattices in the ring of polynomials modulo $f_n(x) \stackrel{\mathrm{def}}{=} x^n + 1$ with $n$ a power of two. Differently from [16], however, we do not require that these principal-ideal lattices have prime determinant. Instead, we only need the Hermite normal form to have the same form as in Equation (1), which is a much weaker requirement. During key-generation we choose $\vec v$ at random in some cube, verify that the HNF has the right form, and work with the principal ideal $(\vec v)$.
We have two parameters: the dimension $n$, which must be a power of two, and the bit-size $t$ of coefficients in the generating polynomial. Key-generation consists of the following steps:

1. Choose a random $n$-dimensional integer vector $\vec v$, where each entry $v_i$ is chosen at random as a $t$-bit (signed) integer. With this vector $\vec v$ we associate the formal polynomial $v(x) \stackrel{\mathrm{def}}{=} \sum_{i=0}^{n-1} v_i x^i$, as well as the rotation basis:

$$V = \begin{pmatrix} v_0 & v_1 & v_2 & \cdots & v_{n-1} \\ -v_{n-1} & v_0 & v_1 & \cdots & v_{n-2} \\ -v_{n-2} & -v_{n-1} & v_0 & \cdots & v_{n-3} \\ \vdots & & & \ddots & \vdots \\ -v_1 & -v_2 & -v_3 & \cdots & v_0 \end{pmatrix} \qquad (2)$$

The $i$th row is a cyclic shift of $\vec v$ by $i$ positions to the right, with the "overflow entries" negated. Note that the $i$th row corresponds to the coefficients of the polynomial $v_i(x) = v(x) \cdot x^i \pmod{f_n(x)}$. Note that just like $V$ itself, the entire lattice $L(V)$ is also closed under "rotation": Namely, for any vector $\langle u_0, u_1, \ldots, u_{n-1} \rangle \in L(V)$, also the vector $\langle -u_{n-1}, u_0, \ldots, u_{n-2} \rangle$ is in $L(V)$.

2. Next we compute the scaled inverse of $v(x)$ modulo $f_n(x)$, namely an integer polynomial $w(x)$ of degree at most $n-1$, such that $w(x) \times v(x) = \text{constant} \pmod{f_n(x)}$. Specifically, this constant is the determinant of the lattice $L(V)$, which must be equal to the resultant of the polynomials $v(x)$ and $f_n(x)$ (since $f_n$ is monic). Below we denote the resultant by $d$, and denote the coefficient-vector of $w(x)$ by $\vec w = \langle w_0, w_1, \ldots, w_{n-1} \rangle$. It is easy to check that the matrix

$$W = \begin{pmatrix} w_0 & w_1 & w_2 & \cdots & w_{n-1} \\ -w_{n-1} & w_0 & w_1 & \cdots & w_{n-2} \\ -w_{n-2} & -w_{n-1} & w_0 & \cdots & w_{n-3} \\ \vdots & & & \ddots & \vdots \\ -w_1 & -w_2 & -w_3 & \cdots & w_0 \end{pmatrix}$$

is the scaled inverse of $V$, namely $W \times V = V \times W = d \cdot I$. One way to compute the polynomial $w(x)$ is by applying the extended Euclidean-GCD algorithm (for polynomials) to $v(x)$ and $f_n(x)$. See Section 4 for a more efficient method of computing $w(x)$.

3. Next we check that this is a good generating polynomial. We consider $\vec v$ to be good if the Hermite normal form of $V$ has the same form as in Equation (1), namely all except the leftmost column equal to the identity matrix. In our experiments we observed that for a randomly chosen $\vec v$, this condition was met with probability roughly 0.5, irrespective of the dimension and bit length. (The failure cases are usually due to the determinant of $V$ being even.) Hence the expected number of vectors $\vec v$ that we need to choose before finding one that works is about two.

In Lemma 1 below we prove that $\vec v$ is good if and only if the lattice $L(V)$ contains a vector of the form $\langle -r, 1, 0, \ldots, 0 \rangle$. Namely, if and only if there exists an integer vector $\vec y$ and another integer $r$ such that

$$\vec y \times V = \langle -r, 1, 0, \ldots, 0 \rangle \qquad (3)$$

Multiplying the last equation on the right by $W$, we get the equivalent condition

$$\vec y \times V \times W = \langle -r, 1, 0, \ldots, 0 \rangle \times W \qquad (4)$$
$$\Leftrightarrow \quad \vec y \times (dI) = d \cdot \vec y = -r \cdot \langle w_0, w_1, w_2, \ldots, w_{n-1} \rangle + \langle -w_{n-1}, w_0, w_1, \ldots, w_{n-2} \rangle$$

In other words, there must exist an integer $r$ such that taking the second row of $W$ minus $r$ times the first row yields a vector of integers that are all divisible by $d$:

$$-r \cdot \langle w_0, w_1, w_2, \ldots, w_{n-1} \rangle + \langle -w_{n-1}, w_0, w_1, \ldots, w_{n-2} \rangle = 0 \pmod d$$
$$\Leftrightarrow \quad r \cdot \langle w_0, w_1, w_2, \ldots, w_{n-1} \rangle = \langle -w_{n-1}, w_0, w_1, \ldots, w_{n-2} \rangle \pmod d$$

The last condition can be checked easily: We compute $r := w_0 / w_1 \bmod d$ (assuming that $w_1$ has an inverse modulo $d$), then check that $r \cdot w_{i+1} = w_i \pmod d$ holds for all $i = 1, \ldots, n-2$ and also $r \cdot w_0 = -w_{n-1} \pmod d$. Note that this means in particular that $r^n = -1 \pmod d$.
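The three key-generation steps above (rotation basis, scaled inverse, and the Lemma 1 criterion for the special HNF form), together with the Smart-Vercauteren style encryption $c \leftarrow [2u(r) + m]_d$ and the two decryption rules of Section 2.4.1 (rational division $\lceil cw/d \rceil$ versus the modular product $[cw]_d$ used in this report), as an added example that is not the paper's or the authors' implementation code. It runs at a toy dimension ($n = 8$, $t = 16$) where exact rational Gauss-Jordan elimination suffices to compute $d$ and $\vec w$; the requirement that $d$ be odd, the choice of $u(x)$ with coefficients in $\{-1, 0, 1\}$, and the seed are this example's own assumptions.

```python
# Added example (not the paper's code): toy key generation following Section 3
# (rotation basis, scaled inverse, Lemma 1 criterion) and the Smart-Vercauteren
# style encryption/decryption of Section 2.4.1, in Z[x]/(x^n + 1) for tiny n.
from fractions import Fraction
import random


def sym_mod(z, d):
    """[z]_d : representative of z modulo d in [-d/2, d/2)."""
    r = z % d
    return r - d if 2 * r >= d else r


def mul_mod_f(a, b):
    """Product of coefficient vectors in Z[x]/(x^n + 1); wrapped-around terms are negated."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out


def rotation_basis(v):
    """Matrix V of Equation (2): row i holds the coefficients of v(x) * x^i mod f_n(x)."""
    n = len(v)
    return [mul_mod_f(v, [int(k == i) for k in range(n)]) for i in range(n)]


def det_and_inverse_first_row(M):
    """Exact Gauss-Jordan over Q: (det M, first row of M^-1).  The first row x of
    M^-1 solves x * M = e_1, i.e. M^T x^T = e_1^T, so we eliminate on M^T | e_1."""
    n = len(M)
    A = [[Fraction(M[j][i]) for j in range(n)] + [Fraction(int(i == 0))] for i in range(n)]
    det = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            raise ValueError("singular")
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        p = A[col][col]
        det *= p
        A[col] = [a / p for a in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return det, [A[i][n] for i in range(n)]


def scaled_inverse(v):
    """Step 2: d = |det V| and the integer vector w with w(x) * v(x) = d (mod f_n),
    i.e. W * V = d * I.  d * V^-1 is the adjugate of V, hence integral."""
    det, inv_row = det_and_inverse_first_row(rotation_basis(v))
    d = abs(det)
    w = [d * x for x in inv_row]
    assert all(y.denominator == 1 for y in w)
    return int(d), [int(y) for y in w]


def good_form_root(w, d):
    """Step 3 / Lemma 1: the HNF of V is the identity outside its leftmost column iff
    r = w_0 / w_1 (mod d) satisfies r*w_{i+1} = w_i (mod d) for i = 1..n-2 and
    r*w_0 = -w_{n-1} (mod d).  Returns r, or None if v is not good.  Insisting on an
    odd d is this example's own extra requirement (decrypt_sv relies on it)."""
    n = len(w)
    if d < 3 or d % 2 == 0:
        return None
    try:
        r = w[0] * pow(w[1], -1, d) % d        # ValueError if w_1 is not invertible mod d
    except ValueError:
        return None
    if any((r * w[i + 1] - w[i]) % d for i in range(1, n - 1)):
        return None
    return r if (r * w[0] + w[n - 1]) % d == 0 else None


def keygen(n, t, rng):
    """Repeat steps 1-3 until v is good (about two tries).  Public key: (d, r).
    Secret key: one odd coefficient of w (Section 3.1); v and w are kept for checks."""
    while True:
        v = [rng.randrange(-(1 << (t - 1)), 1 << (t - 1)) for _ in range(n)]
        try:
            d, w = scaled_inverse(v)
        except ValueError:
            continue
        r = good_form_root(w, d)
        odd = [wi for wi in w if wi % 2]
        if r is not None and odd:
            return {"n": n, "d": d, "r": r, "w_odd": odd[0], "v": v, "w": w}


def encrypt(pk, m, rng):
    """c = [2 u(r) + m]_d with a random small u(x); u(r) mod d by Horner's rule.
    This is exactly reducing the vector 2u + m*e_1 modulo HNF(J) of Equation (1)."""
    d, r = pk["d"], pk["r"]
    ur = 0
    for coef in reversed([rng.choice((-1, 0, 1)) for _ in range(pk["n"])]):
        ur = (ur * r + coef) % d
    return sym_mod(2 * ur + m, d)


def decrypt_sv(sk, c):
    """Smart-Vercauteren rule: m = (c - round(c*w/d)) mod 2, nearest-integer rounding."""
    cw, d = c * sk["w_odd"], sk["d"]
    return (c - (cw - sym_mod(cw, d)) // d) % 2    # (cw - [cw]_d) / d is exactly round(cw/d)


def decrypt_mod(sk, c):
    """This report's rule (Section 6): m = [c*w]_d mod 2, modular multiplication only."""
    return sym_mod(c * sk["w_odd"], sk["d"]) % 2


def demo(seed=2010, n=8, t=16, trials=8):
    """Generate a toy key and check that both decryption rules recover every bit."""
    rng = random.Random(seed)
    key = keygen(n, t, rng)
    ok = all(decrypt_sv(key, c) == m and decrypt_mod(key, c) == m
             for m in (0, 1) for c in [encrypt(key, m, rng) for _ in range(trials)])
    return key, ok
```

Both decryption rules work for the same reason: $\vec c - \vec e \in L(V)$ gives $\vec e \times W = c \cdot \vec w \pmod d$ coordinate-wise, so for any coefficient $w_i$ the value $[c \cdot w_i]_d$ equals $2(\vec u \times \vec w)_i + m \cdot w_i$ whenever the error is small enough, and reducing modulo 2 with $w_i$ odd leaves $m$. The generated key can be checked directly: `mul_mod_f(key["w"], key["v"])` is $\langle d, 0, \ldots, 0 \rangle$ and `pow(key["r"], n, d)` is $d - 1$, i.e. $r^n = -1 \pmod d$.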

Lemma 1. The Hermite normal form of the matrix $V$ from Equation (2) is equal to the identity matrix in all but the leftmost column, if and only if the lattice spanned by the rows of $V$ contains a vector of the form $\vec r = \langle -r, 1, 0, \ldots, 0 \rangle$.

Proof. Let $B$ be the Hermite normal form of $V$. Namely, $B$ is a lower triangular matrix with nonnegative diagonal entries, where the rows of $B$ span the same lattice as the rows of $V$, and the absolute value of every entry under the diagonal in $B$ is no more than half the diagonal entry above it. This matrix $B$ can be obtained from $V$ by a sequence of elementary row operations, and it is unique. It is easy to see that the existence of a vector $\vec r$ of this form is necessary: indeed the second row of $B$ must be of this form (since $B$ is equal to the identity in all except the leftmost column). We now prove that this condition is also sufficient.

It is clear that the vector $d \cdot \vec e_1 = \langle d, 0, \ldots, 0 \rangle$ belongs to $L(V)$: in particular we know that $\langle w_0, w_1, \ldots, w_{n-1} \rangle \times V = \langle d, 0, \ldots, 0 \rangle$. Also, by assumption we have $\vec r = -r \cdot \vec e_1 + \vec e_2 \in L(V)$, for some integer $r$. Note that we can assume without loss of generality that $-d/2 \le r < d/2$, since otherwise we could subtract from $\vec r$ multiples of the vector $d \cdot \vec e_1$ until this condition is satisfied (that is, replace $r$ by $r - \kappa d = [r]_d$ for the appropriate integer $\kappa$).

For $i = 1, 2, \ldots, n-1$, denote $r_i \stackrel{\mathrm{def}}{=} [r^i]_d$. Below we will prove by induction that for all $i = 1, 2, \ldots, n-1$, the lattice $L(V)$ contains the vector

$$\vec r_i \stackrel{\mathrm{def}}{=} -r_i \cdot \vec e_1 + \vec e_{i+1} = \langle -r_i, 0, \ldots, 0, \underbrace{1}_{(i+1)\text{st position}}, 0, \ldots, 0 \rangle$$

Placing all these vectors $\vec r_i$ at the rows of a matrix, we get exactly the matrix $B$ that we need:

$$B = \begin{pmatrix} d & & & & \\ -r_1 & 1 & & & \\ -r_2 & 0 & 1 & & \\ \vdots & & & \ddots & \\ -r_{n-1} & 0 & \cdots & 0 & 1 \end{pmatrix} \qquad (5)$$

$B$ is equal to the identity except in the leftmost column, its rows are all vectors in $L(V)$ (so they span a sub-lattice), and since $B$ has the same determinant as $V$ then it cannot span a proper sub-lattice, it must therefore span $L(V)$ itself.

It is left to prove the inductive claim. For $i = 1$ we set $\vec r_1 \stackrel{\mathrm{def}}{=} \vec r$ and the claim follows from our assumption that $\vec r \in L(V)$. Assume now that it holds for some $i \in [1, n-2]$ and we prove for $i + 1$. Recall that the lattice $L(V)$ is closed under rotation, and since $\vec r_i = -r_i \cdot \vec e_1 + \vec e_{i+1} \in L(V)$ then the right-shifted vector $\vec s_{i+1} \stackrel{\mathrm{def}}{=} -r_i \cdot \vec e_2 + \vec e_{i+2}$ is also in $L(V)$ (footnote 4). Hence $L(V)$ contains also the vector

$$\vec s_{i+1} + r_i \cdot \vec r = (-r_i \cdot \vec e_2 + \vec e_{i+2}) + r_i \cdot (-r \cdot \vec e_1 + \vec e_2) = -r_i r \cdot \vec e_1 + \vec e_{i+2}$$

Footnote 4. This is really a circular shift, since $i \le n-2$ and hence the rightmost entry in $\vec r_i$ is zero.

We can now reduce the first entry in this vector modulo $d$, by adding/subtracting the appropriate multiple of $d \cdot \vec e_1$ (while still keeping it in the lattice), thus getting the lattice vector

$$-[r \cdot r_i]_d \cdot \vec e_1 + \vec e_{i+2} = -[r^{i+1}]_d \cdot \vec e_1 + \vec e_{i+2} = \vec r_{i+1} \in L(V)$$

This concludes the proof.

Remark 1. Note that the proof of Lemma 1 shows in particular that if the Hermite normal form of $V$ is equal to the identity matrix in all but the leftmost column, then it must be of the form specified in Equation (5). Namely, the first column is $\langle d, -r_1, -r_2, \ldots, -r_{n-1} \rangle^t$, with $r_i = [r^i]_d$ for all $i$. Hence this matrix can be represented implicitly by the two integers $d$ and $r$.

3.1 The public and secret keys

In principle the public key is the Hermite normal form of $V$, but as we explain in Remark 1 and Section 5 it is enough to store for the public key only the two integers $d, r$. Similarly, in principle the secret key is the pair $(\vec v, \vec w)$, but as we explain in Section 6.1 it is sufficient to store only a single (odd) coefficient of $\vec w$ and discard $\vec v$ altogether.

4 Inverting the polynomial v(x)

The fastest known methods for inverting the polynomial $v(x)$ modulo $f_n(x) = x^n + 1$ are based on FFT: We can evaluate $v(x)$ at all the roots of $f_n(x)$ (either over the complex field or over some finite field), then compute $w^*(\rho) = 1/v(\rho)$ (where inversion is done over the corresponding field), and then interpolate $w^* = v^{-1}$ from all these values. If the resultant of $v$ and $f_n$ has $N$ bits, then this procedure will take $O(n \log n)$ operations over $O(N)$-bit numbers, for a total running time of $\tilde O(nN)$. This is close to optimal in general, since just writing out the coefficients of the polynomial $w^*$ takes time $O(nN)$. However, in Section 6.1 we show that it is enough to use for the secret key only one of the coefficients of $\vec w = d \cdot \vec w^*$ (where $d = \mathrm{resultant}(v, f_n)$). This raises the possibility that we can compute this one coefficient in time quasi-linear in $N$ (rather than quasi-linear in $nN$). Below we describe a method for doing just that.

Our method relies heavily on the special form of $f_n(x) = x^n + 1$, with $n$ a power of two. Let $\rho_0, \rho_1, \ldots, \rho_{n-1}$ be roots of $f_n(x)$ over the complex field: That is, if $\rho$ is some primitive $2n$th root of unity then $\rho_i = \rho^{2i+1}$. Note that the roots $\rho_i$ satisfy $\rho_{i+n/2} = -\rho_i$ for all $i$, and more generally for every index $i$ (with index arithmetic modulo $n$) and every $j = 0, 1, \ldots, \log n$, if we denote $n_j \stackrel{\mathrm{def}}{=} n/2^j$ then it holds that

$$\left(\rho_{i+n_j/2}\right)^{2^j} = \left(\rho^{2i+n_j+1}\right)^{2^j} = \left(\rho^{2i+1}\right)^{2^j} \cdot \rho^{n} = -\left(\rho_i^{2^j}\right) \qquad (6)$$

The method below takes advantage of Equation (6), as well as a connection between the coefficients of the scaled inverse $\vec w$ and those of the formal polynomial $g(z) \stackrel{\mathrm{def}}{=} \prod_{i=0}^{n-1}\left(v(\rho_i) - z\right)$. We invert $v(x) \bmod f_n(x)$ by computing the lower two coefficients of $g(z)$, then using them to recover both the resultant and (one coefficient of) the polynomial $w(x)$, as described next.

Step one: the polynomial g(z). Note that although the polynomial $g(z)$ is defined via the complex numbers $\rho_i$, the coefficients of $g(z)$ are all integers. We begin by showing how to compute the lower two coefficients of $g(z)$, namely the polynomial $g(z) \bmod z^2$. We observe that since $\rho_{i+n/2} = -\rho_i$ we can write $g(z)$ as
$$g(z) = \prod_{i=0}^{n/2-1}\big(v(\rho_i) - z\big)\big(v(-\rho_i) - z\big) = \prod_{i=0}^{n/2-1}\Big(\underbrace{v(\rho_i)v(-\rho_i)}_{a(\rho_i)} - z\underbrace{\big(v(\rho_i) + v(-\rho_i)\big)}_{b(\rho_i)} + z^2\Big) = \prod_{i=0}^{n/2-1}\big(a(\rho_i) - z\,b(\rho_i)\big) \pmod{z^2}.$$
We observe further that for both the polynomials $a(x) = v(x)v(-x)$ and $b(x) = v(x) + v(-x)$, all the odd powers of $x$ have zero coefficients. Moreover, the same equalities as above hold if we use $A(x) = a(x) \bmod f_n(x)$ and $B(x) = b(x) \bmod f_n(x)$ instead of $a(x)$ and $b(x)$ themselves (since we only evaluate these polynomials at roots of $f_n$), and also for $A, B$ all the odd powers of $x$ have zero coefficients (since we reduce modulo $f_n(x) = x^n + 1$ with $n$ even). Thus we can consider the polynomials $\hat v, \tilde v$ that have half the degree and only use the nonzero coefficients of $A, B$, respectively. Namely they are defined via $\hat v(x^2) = A(x)$ and $\tilde v(x^2) = B(x)$. Thus we have reduced the task of computing the $n$-product involving the degree-$n$ polynomial $v(x)$ to computing a product of only $n/2$ terms involving the degree-$n/2$ polynomials $\hat v(x), \tilde v(x)$. Repeating this process recursively, we obtain the polynomial $g(z) \bmod z^2$.

In more detail, we denote $U_0(x) \equiv 1$ and $V_0(x) = v(x)$, and for $j = 0, 1, \ldots, \log n$ we denote $n_j = n/2^j$. We proceed in $m = \log n$ steps to compute the polynomials $U_j(x), V_j(x)$ ($j = 1, 2, \ldots, m$), such that the degrees of $U_j, V_j$ are at most $n_j - 1$, and moreover:
$$g_j(z) \stackrel{\text{def}}{=} \prod_{i=0}^{n_j-1}\Big(V_j\big(\rho_i^{2^j}\big) - z\,U_j\big(\rho_i^{2^j}\big)\Big) = g(z) \pmod{z^2}. \qquad (7)$$
Equation (7) holds for $j = 0$ by definition. Assume that we computed $U_j, V_j$ for some $j < m$ such that Equation (7) holds; we show how to compute $U_{j+1}$ and $V_{j+1}$.
From Equation (6) we know that $\big(\rho_{i+n_j/2}\big)^{2^j} = -\rho_i^{2^j}$, so we can express $g_j$ as
$$g_j(z) = \prod_{i=0}^{n_j/2-1}\Big(V_j(\rho_i^{2^j}) - zU_j(\rho_i^{2^j})\Big)\Big(V_j(-\rho_i^{2^j}) - zU_j(-\rho_i^{2^j})\Big)$$
$$= \prod_{i=0}^{n_j/2-1}\Big(\underbrace{V_j(\rho_i^{2^j})V_j(-\rho_i^{2^j})}_{=A_j(\rho_i^{2^j})} - z\underbrace{\big(U_j(\rho_i^{2^j})V_j(-\rho_i^{2^j}) + U_j(-\rho_i^{2^j})V_j(\rho_i^{2^j})\big)}_{=B_j(\rho_i^{2^j})}\Big) \pmod{z^2}.$$
Denoting $f_{n_j}(x) \stackrel{\text{def}}{=} x^{n_j} + 1$ and observing that $\rho_i^{2^j}$ is a root of $f_{n_j}$ for all $i$, we next consider the polynomials:
$$A_j(x) \stackrel{\text{def}}{=} V_j(x)V_j(-x) \bmod f_{n_j}(x) \quad\text{(with coefficients } a_0, \ldots, a_{n_j-1}\text{)},$$
$$B_j(x) \stackrel{\text{def}}{=} U_j(x)V_j(-x) + U_j(-x)V_j(x) \bmod f_{n_j}(x) \quad\text{(with coefficients } b_0, \ldots, b_{n_j-1}\text{)},$$
and observe the following:

• Since $\rho_i^{2^j}$ is a root of $f_{n_j}$, the reduction modulo $f_{n_j}$ makes no difference when evaluating $A_j, B_j$ at $\rho_i^{2^j}$. Namely we have $A_j(\rho_i^{2^j}) = V_j(\rho_i^{2^j})V_j(-\rho_i^{2^j})$ and similarly $B_j(\rho_i^{2^j}) = U_j(\rho_i^{2^j})V_j(-\rho_i^{2^j}) + U_j(-\rho_i^{2^j})V_j(\rho_i^{2^j})$ (for all $i$).

• The odd coefficients of $A_j, B_j$ are all zero. For $A_j$ this is because it is obtained as $V_j(x)V_j(-x)$, and for $B_j$ this is because it is obtained as $R_j(x) + R_j(-x)$ (with $R_j(x) = U_j(x)V_j(-x)$). The reduction modulo $f_{n_j}(x) = x^{n_j} + 1$ keeps the odd coefficients all zero, because $n_j$ is even.

We therefore set $U_{j+1}(x) \stackrel{\text{def}}{=} \sum_{t=0}^{n_j/2-1} b_{2t}x^t$ and $V_{j+1}(x) \stackrel{\text{def}}{=} \sum_{t=0}^{n_j/2-1} a_{2t}x^t$, so the second bullet above implies that $U_{j+1}(x^2) = B_j(x)$ and $V_{j+1}(x^2) = A_j(x)$ for all $x$. Combined with the first bullet, we have that
$$g_{j+1}(z) \stackrel{\text{def}}{=} \prod_{i=0}^{n_j/2-1}\Big(V_{j+1}(\rho_i^{2^{j+1}}) - z\,U_{j+1}(\rho_i^{2^{j+1}})\Big) = \prod_{i=0}^{n_j/2-1}\Big(A_j(\rho_i^{2^j}) - z\,B_j(\rho_i^{2^j})\Big) = g_j(z) \pmod{z^2}.$$
By the induction hypothesis we also have $g_j(z) = g(z) \pmod{z^2}$, so we get $g_{j+1}(z) = g(z) \pmod{z^2}$, as needed.

Step two: recovering d and w_0. Using the procedure above for computing the first two coefficients of $g(z)$, we now show how to compute $d = \mathrm{resultant}(v, f_n)$ and the free term of the scaled inverse $w = d\cdot v^{-1} \pmod{f_n}$. Recall that if $v(x)$ is square free then $\mathrm{resultant}(v, f_n) = \prod_{i=0}^{n-1} v(\rho_i)$, which is exactly the free term of $g(z)$, $g_0 = \prod_{i=0}^{n-1} v(\rho_i)$. Recall also that the linear term in $g(z)$ has coefficient $g_1 = -\sum_{i=0}^{n-1}\prod_{j \neq i} v(\rho_j)$. We next show that the free term of $w(x)$ is $w_0 = -g_1/n$. To see that, we define a sequence of polynomials $\hat W_0, \hat W_1, \ldots, \hat W_m$ (with $m = \log n$) as follows: $\hat W_0 = w$, and for any $j = 1, \ldots, m$ we define $\hat W_j$ as a polynomial of degree $n_j - 1$, whose coefficients are the even coefficients of $\hat W_{j-1}$.
For example, if $n = 8$ (so $\hat W_0$ has degree 7 with eight coefficients $w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7$), then $\hat W_1$ has degree 3 with the four coefficients $w_0, w_2, w_4, w_6$, $\hat W_2$ has degree 1 with the two coefficients $w_0, w_4$, and $\hat W_3$ is the constant polynomial $\hat W_3 \equiv w_0$. More generally, let $w_0, w_1, \ldots, w_{n-1}$ be the coefficients of $w(x)$; then
$$\hat W_j(x) \stackrel{\text{def}}{=} \sum_{t=0}^{n_j-1} w_{2^j t}\, x^t,$$
and in particular $\hat W_m$ is the constant polynomial $\hat W_m \equiv w_0$. Note that these polynomials were defined so that for all $x$ and all $j$ it holds that $\hat W_j(x) + \hat W_j(-x) = 2\hat W_{j+1}(x^2)$. We next argue that for every $j = 0, 1, \ldots, m$, it holds that
$$\sum_{i=0}^{n-1} w(\rho_i) = 2^j \sum_{i=0}^{n_j-1} \hat W_j\big(\rho_i^{2^j}\big). \qquad (8)$$
Equation (8) clearly holds for $j = 0$, so now assume that it holds for some $j < m$ and we prove it for $j + 1$. From Equation (6) we have that $\big(\rho_{i+n_j/2}\big)^{2^j} = -\rho_i^{2^j}$, so we get
$$\sum_{i=0}^{n-1} w(\rho_i) = 2^j \sum_{i=0}^{n_j-1} \hat W_j\big(\rho_i^{2^j}\big) = 2^j \sum_{i=0}^{n_j/2-1}\Big(\hat W_j\big(\rho_i^{2^j}\big) + \hat W_j\big(-\rho_i^{2^j}\big)\Big) = 2^{j+1} \sum_{i=0}^{n_{j+1}-1} \hat W_{j+1}\big(\rho_i^{2^{j+1}}\big),$$
where the last equality holds since $n_{j+1} = n_j/2$ and $\hat W_j(x) + \hat W_j(-x) = 2\hat W_{j+1}(x^2)$ for all $x$. Now that we proved Equation (8), we can use it to complete the proof. On one hand, it implies in particular that $\sum_{i=0}^{n-1} w(\rho_i) = n\hat W_m(-1) = nw_0$. On the other hand, recalling that $w(x), v(x)$ yield scaled inverses when evaluated at the roots of $f_n$, namely $w(\rho_i) = d/v(\rho_i)$, we have
$$w_0 = \frac{1}{n}\sum_{i=0}^{n-1} w(\rho_i) = \frac{1}{n}\sum_{i=0}^{n-1}\frac{d}{v(\rho_i)} = \frac{1}{n}\sum_{i=0}^{n-1}\frac{\prod_{j=0}^{n-1} v(\rho_j)}{v(\rho_i)} = \frac{1}{n}\sum_{i=0}^{n-1}\prod_{j \neq i} v(\rho_j) = -g_1/n.$$

Step three: recovering the rest of w. We can now use the same technique to recover all the other coefficients of $w$: Note that since we work modulo $f_n(x) = x^n + 1$, the coefficient $w_i$ is the free term of the scaled inverse of $x^i \cdot v \pmod{f_n}$. In our case we only need to recover the first two coefficients, however, since we are only interested in the case where $w_1/w_0 = w_2/w_1 = \cdots = w_{n-1}/w_{n-2} = -w_0/w_{n-1} \pmod d$, where $d = \mathrm{resultant}(v, f_n)$. After recovering $w_0, w_1$ and $d = \mathrm{resultant}(v, f_n)$, we therefore compute the ratio $r = w_1/w_0 \bmod d$ and verify that $r^n = -1 \pmod d$. Then we recover as many coefficients of $w$ as we need (via $w_{i+1} = [w_i \cdot r]_d$), until we find one coefficient which is an odd integer, and that coefficient is the secret key.
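The procedure of Section 4 on a toy instance, as an added example (not the paper's implementation): polynomials are integer coefficient lists modulo $x^n + 1$, steps one and two give $d$ and $w_0$, and for a tiny $n$ the full scaled inverse is also recovered by running the same procedure on $x^i \cdot v$, so the result can be checked against $v \cdot w = d$. The key $v(x) = 4 + x$ with $n = 4$ is a constructed sample, chosen only because its numbers can be followed by hand.

```python
# Added example, not the paper's code: the inversion procedure of Section 4
# on toy-sized inputs. A polynomial is a list of integer coefficients, lowest
# degree first, of length n (a power of two), taken modulo f_n(x) = x^n + 1.

def mul_mod_fn(a, b):
    """a(x)*b(x) mod x^n + 1 (negacyclic convolution), n = len(a) = len(b)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < n:
                    out[i + j] += ai * bj
                else:                      # x^(n+k) = -x^k because x^n = -1
                    out[i + j - n] -= ai * bj
    return out

def at_minus_x(p):
    """p(-x): negate the odd-degree coefficients."""
    return [-c if i & 1 else c for i, c in enumerate(p)]

def shift_x(p, i):
    """x^i * p(x) mod x^n + 1."""
    n = len(p)
    out = [0] * n
    for k, c in enumerate(p):
        q, m = divmod(k + i, n)
        out[m] += -c if q & 1 else c
    return out

def centred(x, d):
    """[x]_d: the residue of x modulo d in the interval (-d/2, d/2]."""
    x %= d
    return x - d if x > d // 2 else x

def resultant_and_w0(v):
    """Steps one and two: compute g(z) mod z^2 by halving the degree log n
    times, then read off d = resultant(v, f_n) = g_0 and w_0 = -g_1 / n,
    the free term of the scaled inverse w = d * v^{-1} mod f_n."""
    n = len(v)
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    U, V = [1] + [0] * (n - 1), list(v)                # U_0 = 1, V_0 = v
    while len(V) > 1:                                  # n_j = len(V) = n / 2^j
        A = mul_mod_fn(V, at_minus_x(V))               # A_j = V_j(x) V_j(-x)
        B = [p + q for p, q in zip(mul_mod_fn(U, at_minus_x(V)),
                                   mul_mod_fn(at_minus_x(U), V))]
        assert not any(A[1::2]) and not any(B[1::2])   # odd coefficients vanish
        V, U = A[0::2], B[0::2]      # V_{j+1}(x^2) = A_j(x), U_{j+1}(x^2) = B_j(x)
    d, g1 = V[0], -U[0]              # g_m(z) = V_m - z U_m, both constants
    assert g1 % n == 0
    return d, -g1 // n

def scaled_inverse(v):
    """Step three done in full (toy sizes only): w_i is the free term of the
    scaled inverse of x^i * v, so run the procedure once per coefficient."""
    d, _ = resultant_and_w0(v)
    return d, [resultant_and_w0(shift_x(v, i))[1] for i in range(len(v))]

def secret_key(v):
    """The shortcut of Section 4: compute only d, w_0 and w_1, form the ratio
    r = w_1 / w_0 mod d, check r^n = -1 (mod d), then follow the chain
    w_{i+1} = [w_i * r]_d until an odd coefficient appears. Returns (d, r, i, w_i)."""
    n = len(v)
    d, w0 = resultant_and_w0(v)
    _, w1 = resultant_and_w0(shift_x(v, 1))
    r = w1 * pow(w0, -1, d) % d
    assert pow(r, n, d) == d - 1, "r^n != -1 (mod d): v is not of the special form"
    i, wi = 0, w0
    while wi % 2 == 0:
        i, wi = i + 1, centred(wi * r, d)
        assert i < n, "no odd coefficient found"
    return d, r, i, wi

if __name__ == "__main__":
    v = [4, 1, 0, 0]                       # constructed toy key: v(x) = 4 + x, n = 4
    d, w = scaled_inverse(v)
    print("d =", d, " w =", w, " v*w mod f_n =", mul_mod_fn(v, w))
    print("secret key (d, r, i, w_i) =", secret_key(v))
```

For this key the odd coefficient is only reached at $i = 3$, so the chain $w_{i+1} = [w_i r]_d$ is exercised three times before the secret key $w_3 = -1$ is found.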
5 Encryption

To encrypt a bit $b \in \{0, 1\}$ with the public key $B$ (which is implicitly represented by the two integers $d, r$), we first choose a random 0-1 noise vector $u \stackrel{\text{def}}{=} \langle u_0, u_1, \ldots, u_{n-1}\rangle$, with each entry chosen as 0 with some probability $q$ and as $\pm 1$ with probability $(1-q)/2$ each. We then set $a \stackrel{\text{def}}{=} 2u + b\cdot e_1 = \langle 2u_0 + b, 2u_1, \ldots, 2u_{n-1}\rangle$, and the ciphertext is the vector
$$c = a \bmod B = a - \big(\lfloor a\cdot B^{-1}\rceil \cdot B\big) = [a\cdot B^{-1}]\cdot B,$$
where $[\cdot]$ denotes the fractional part.

We now show that $c$ too can be represented implicitly by just one integer. Recall that $B$ (and therefore also $B^{-1}$) are of a special form
$$B = \begin{pmatrix} d & 0 & 0 & \cdots & 0 \\ -r & 1 & 0 & \cdots & 0 \\ -[r^2]_d & 0 & 1 & \cdots & 0 \\ -[r^3]_d & 0 & 0 & \ddots & \vdots \\ \vdots & & & & \\ -[r^{n-1}]_d & 0 & 0 & \cdots & 1 \end{pmatrix}, \qquad B^{-1} = \begin{pmatrix} 1/d & 0 & 0 & \cdots & 0 \\ r/d & 1 & 0 & \cdots & 0 \\ [r^2]_d/d & 0 & 1 & \cdots & 0 \\ [r^3]_d/d & 0 & 0 & \ddots & \vdots \\ \vdots & & & & \\ [r^{n-1}]_d/d & 0 & 0 & \cdots & 1 \end{pmatrix}.$$
Denote $a = \langle a_0, a_1, \ldots, a_{n-1}\rangle$, and also denote by $a(\cdot)$ the integer polynomial $a(x) \stackrel{\text{def}}{=} \sum_{i=0}^{n-1} a_i x^i$. Then we have $a\cdot B^{-1} = \langle s/d, a_1, \ldots, a_{n-1}\rangle$ for some integer $s$ that satisfies $s = a(r) \pmod d$. Hence the fractional part of $a\cdot B^{-1}$ is $[a\cdot B^{-1}] = \langle [a(r)]_d/d, 0, \ldots, 0\rangle$, and the ciphertext vector is $c = \langle [a(r)]_d/d, 0, \ldots, 0\rangle \cdot B = \langle [a(r)]_d, 0, \ldots, 0\rangle$. Clearly, this vector can be represented implicitly by the integer $c \stackrel{\text{def}}{=} [a(r)]_d = \big[b + 2\sum_{i=0}^{n-1} u_i r^i\big]_d$. Hence, to encrypt the bit $b$, we only need to evaluate the 0-1 noise-polynomial $u(\cdot)$ at the point $r$, then multiply by two and add the bit $b$ (everything modulo $d$). We now describe an efficient procedure for doing that.

5.1 An efficient encryption procedure

The most expensive operation during encryption is evaluating the degree-$(n-1)$ polynomial $u$ at the point $r$. Polynomial evaluation using Horner's rule takes $n - 1$ multiplications, but it is known that for 0-1 coefficients we can reduce the number of multiplications to only $O(\sqrt n)$, see [1, 11]. Moreover, we observe that it is possible to batch this fast evaluation algorithm, and evaluate $k$ 0-1 polynomials in time $O(\sqrt{kn})$. We begin by noting that evaluating many 0-1 polynomials at the same point $x$ can be done about as fast as a naive evaluation of a single polynomial. Indeed, once we compute all the powers $(1, x, x^2, \ldots, x^{n-1})$ we can evaluate each polynomial just by taking a subset-sum of these powers. As addition is much faster than multiplication, the dominant term in the running time will be the computation of the powers of $x$, which we only need to do once for all the polynomials. Next, we observe that evaluating a single degree-$(n-1)$ polynomial at a point $x$ can be done quickly given a subroutine that evaluates two degree-$(n/2 - 1)$ polynomials at the same point $x$.
Namely, given $u(x) = \sum_{i=0}^{n-1} u_i x^i$, we split it into a bottom half $u_{\mathrm{bot}}(x) = \sum_{i=0}^{n/2-1} u_i x^i$ and a top half $u_{\mathrm{top}}(x) = \sum_{i=0}^{n/2-1} u_{i+n/2}\, x^i$. Evaluating these two smaller polynomials we get $y_{\mathrm{bot}} = u_{\mathrm{bot}}(x)$ and $y_{\mathrm{top}} = u_{\mathrm{top}}(x)$, and then we can compute $y = u(x)$ by setting $y = x^{n/2}\cdot y_{\mathrm{top}} + y_{\mathrm{bot}}$. If the subroutine for evaluating the two smaller polynomials also returns the value of $x^{n/2}$, then we need just one more multiplication to get the value of $y = u(x)$. These two observations suggest a recursive approach to evaluating the 0-1 polynomial $u$ of degree $n - 1$. Namely, we repeatedly cut the degree in half at the price of doubling the number of polynomials, and once the degree is small enough we use the trivial implementation of just computing all the powers of $x$. Analyzing this approach, let us denote by $M(k, n)$ the number of multiplications that it takes to evaluate $k$ polynomials of degree $(n-1)$. Then we have $M(k, n) = \min\big(n - 1,\; M(2k, n/2) + k + 1\big)$.

To see the bound $M(k, n) \le M(2k, n/2) + k + 1$, note that once we evaluated the top and bottom halves of all the $k$ polynomials, we need one multiplication per polynomial to put the two halves together, and one last multiplication to compute $x^n$ (which is needed in the next level of the recursion) from $x^{n/2}$ (which was computed in the previous level). Obviously, making the recursive call takes fewer multiplications than the trivial implementation whenever $n - 1 > (n/2 - 1) + k + 1$. Also, an easy inductive argument shows that the trivial implementation is better when $n - 1 < (n/2 - 1) + k + 1$. We thus get the recursive formula
$$M(k, n) = \begin{cases} M(2k, n/2) + k + 1 & \text{when } n/2 > k + 1, \\ n - 1 & \text{otherwise.} \end{cases}$$
Solving this formula we get $M(k, n) \approx \min\big(n - 1,\; 2\sqrt{kn}\big)$. In particular, the number of multiplications needed for evaluating a single degree-$(n-1)$ polynomial is $M(1, n) \approx 2\sqrt n$.

We comment that this more efficient batch procedure relies on the assumption that we have enough memory to keep all these partially evaluated polynomials at the same time. In our experiments we were only able to use it in dimensions up to $n = 2^{15}$; trying to use it in higher dimension resulted in the process being killed after it ran out of memory. A more sophisticated implementation could take the available amount of memory into account, and stop the recursion earlier to preserve space at the expense of more running time. An alternative approach, of course, is to store partial results to disk. More experiments are needed to determine what approach yields better performance for which parameters.

5.2 The Euclidean norm of fresh ciphertexts

When choosing the noise vector for a new ciphertext, we want to make it as sparse as possible, i.e., increase as much as possible the probability $q$ of choosing each entry as zero. The only limitation is that we need $q$ to be bounded sufficiently below 1 to make it hard to recover the original noise vector from $c$.
There are two types of attacks that we need to consider: lattice-reduction attacks that try to find the closest lattice point to $c$, and exhaustive-search/birthday attacks that try to guess the coefficients of the original noise vector. The lattice-reduction attacks should be thwarted by working with lattices of high-enough dimension, so we concentrate here on exhaustive-search attacks. Roughly, if the noise vector has $\ell$ bits of entropy, then we expect birthday-type attacks to be able to recover it in $2^{\ell/2}$ time, so we need to ensure that the noise has at least $2\lambda$ bits of entropy for security parameter $\lambda$. Namely, for dimension $n$ we need to choose $q$ sufficiently smaller than one so that $2^{(1-q)n}\binom{n}{qn} > 2^{2\lambda}$. For our setting of parameters, the number of nonzero entries in the noise vector is always between 15 and

6 Decryption

The decryption procedure takes the ciphertext $c$ (which implicitly represents the vector $c = \langle c, 0, \ldots, 0\rangle$) and in principle it also has the two matrices $V, W$. It recovers the vector $a = 2u + b\cdot e_1$ that was used during encryption as
$$a = c \bmod V = c - \big(\lfloor c\cdot V^{-1}\rceil \cdot V\big) = [c\cdot V^{-1}]\cdot V = [c\cdot W/d]\cdot V,$$
where $V^{-1} = W/d$ and $[\cdot]$ denotes the fractional part, and then outputs the least significant bit of the first entry of $a$, namely $b := a_0 \bmod 2$.

The reason that this decryption procedure works is that the rows of $V$ (and therefore also of $W$) are close to being orthogonal to each other, and hence the operator infinity-norm of $W$ is small. Namely, for any vector $x$, the largest entry in $x\cdot W$ (in absolute value) is not much larger than the largest entry in $x$ itself. Specifically, the procedure from above succeeds when all the entries of $a\cdot W$ are smaller than $d/2$ in absolute value. To see that, note that $a$ is the distance between $c$ and some point in the lattice $L(V)$, namely we can express $c$ as $c = y\cdot V + a$ for some integer vector $y$. Hence we have
$$[c\cdot W/d]\cdot V = [y\cdot V\cdot W/d + a\cdot W/d]\cdot V \stackrel{(*)}{=} [a\cdot W/d]\cdot V,$$
where the equality $(*)$ follows since $y\cdot V\cdot W/d$ is an integer vector. The vector $[a\cdot W/d]\cdot V$ is supposed to be $a$ itself, namely we need $[a\cdot W/d]\cdot V = a = (a\cdot W/d)\cdot V$. But this last condition holds if and only if $[a\cdot W/d] = (a\cdot W/d)$, i.e., $a\cdot W/d$ is equal to its fractional part, which means that every entry in $a\cdot W/d$ must be less than $1/2$ in absolute value.

6.1 An optimized decryption procedure

We next show that the encrypted bit $b$ can be recovered by a significantly cheaper procedure: Recall that the (implicitly represented) ciphertext vector $c$ is decrypted to the bit $b$ when the distance from $c$ to the nearest vector in the lattice $L(V)$ is of the form $a = 2u + b\cdot e_1$, and moreover all the entries in $a\cdot W$ are less than $d/2$ in absolute value. As we said above, in this case we have $[c\cdot W/d] = [a\cdot W/d] = a\cdot W/d$, which is equivalent to the condition
$$[c\cdot W]_d = [a\cdot W]_d = a\cdot W.$$
Recall now that $c = \langle c, 0, \ldots, 0\rangle$, hence
$$[c\cdot W]_d = \big[c\cdot\langle w_0, w_1, \ldots, w_{n-1}\rangle\big]_d = \big\langle [cw_0]_d, [cw_1]_d, \ldots, [cw_{n-1}]_d\big\rangle.$$
On the other hand, we have
$$[c\cdot W]_d = a\cdot W = 2u\cdot W + b\cdot e_1\cdot W = 2u\cdot W + b\cdot\langle w_0, w_1, \ldots, w_{n-1}\rangle.$$
Putting these two equations together, we get that any decryptable ciphertext $c$ must satisfy the relation
$$\big\langle [cw_0]_d, [cw_1]_d, \ldots, [cw_{n-1}]_d\big\rangle = b\cdot\langle w_0, w_1, \ldots, w_{n-1}\rangle \pmod 2.$$
In other words, for every $i$ we have $[c\cdot w_i]_d = b\cdot w_i \pmod 2$. It is therefore sufficient to keep only one of the $w_i$'s (which must be odd), and then recover the bit $b$ as $b := [c\cdot w_i]_d \bmod 2$.

7 How Homomorphic is This Scheme?

We ran some experiments to get a handle on the degree and number of monomials that the somewhat homomorphic scheme can handle, and to help us choose the parameters. In these experiments we generated key pairs for parameters $n$ (dimension) and $t$ (bit-length), and for each key pair we encrypted many bits, evaluated on the ciphertexts many elementary symmetric polynomials of various degrees and numbers of variables, decrypted the results, and checked whether or not we got back the same polynomials in the plaintext bits. More specifically, for each key pair we tested polynomials on 64 to 256 variables. For every fixed number of variables $m$ we ran 12 tests. In each test we encrypted $m$ bits, evaluated all the elementary symmetric polynomials in these variables (of degree up to $m$), decrypted the results, and compared them to the results of applying the same polynomials to the plaintext bits. For each setting of $m$, we recorded the highest degree for which all 12 tests were decrypted to the correct value. We call this the largest supported degree for those parameters.

In these experiments we used fresh ciphertexts of expected Euclidean length roughly , regardless of the dimension. This was done by choosing each entry of the noise vector $u$ as 0 with probability n, and as $\pm 1$ with probability n each. With that choice, the degree of polynomials that the somewhat-homomorphic scheme could evaluate did not depend on the dimension $n$: We tested various dimensions from 128 to 2048 with a few settings of $t$ and $m$, and the largest supported degree was nearly the same in all these dimensions. Thereafter we tested all the other settings only in dimension $n = 128$. The results are described in Figure 1. As expected, the largest supported degree grows linearly with the bit-length parameter $t$, and decreases slowly with the number of variables (since more variables means more terms in the polynomial). These results can be more or less explained by the assumptions that the decryption radius of the secret key is roughly $2^t$, and that the noise in an evaluated ciphertext is roughly $c^{\mathrm{degree}} \cdot \sqrt{\#\text{-of-monomials}}$, where $c$ is close to the Euclidean norm of fresh ciphertexts (i.e., $c \approx 9$).
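Returning to Sections 5, 5.1 and 6.1: encryption with the implicit public key $(d, r)$ and the batched 0-1 evaluation, followed by the one-coefficient decryption, as an added example (not the paper's code). The key is a constructed toy instance, $n = 4$ and $v(x) = 4 + x$, for which the Section 4 procedure gives $d = 257$ and $w = 64 - 16x + 4x^2 - x^3$; the public-key value is taken as the root $r$ of $v$ modulo $d$, and the `horner()` reference and the multiplication counter are additions used only for checking.

```python
# Added example, not the paper's code: Section 5 encryption with the recursive
# evaluation of 0-1 polynomials from Section 5.1, and the one-coefficient
# decryption of Section 6.1, on a constructed toy key.

# Constructed toy key: n = 4, v(x) = 4 + x. The Section 4 procedure yields
# d = resultant(v, x^4 + 1) = 257 and w = d * v^{-1} mod x^4 + 1 = 64 - 16x + 4x^2 - x^3.
N, D = 4, 257
W = [64, -16, 4, -1]
R = 253            # public-key r: v(R) = 4 + 253 = 0 (mod 257) and R^4 = -1 (mod 257)
SK = W[3]          # the only odd coefficient of w; decryption keeps nothing else

def centred(x, d):
    """[x]_d: the residue of x modulo d in (-d/2, d/2]."""
    x %= d
    return x - d if x > d // 2 else x

def horner(poly, x, d):
    """Reference evaluation with n - 1 multiplications (for checking only)."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % d
    return acc

def eval_01_batch(polys, x, d):
    """Evaluate k 0-1 polynomials (coefficient lists of equal length n) at x mod d.
    Returns (values, x^n, number of multiplications). As in Section 5.1: while
    n/2 > k + 1, split each polynomial into bottom and top halves and recurse on
    the 2k smaller ones; otherwise compute the powers of x once and take subset
    sums. The recursive call returns x^(n/2), so each of the k results costs one
    multiplication to reassemble and one more produces x^n for the caller."""
    k, n = len(polys), len(polys[0])
    if n // 2 > k + 1:
        halves = [p[:n // 2] for p in polys] + [p[n // 2:] for p in polys]
        vals, x_half, mults = eval_01_batch(halves, x, d)
        values = [(vals[i] + x_half * vals[k + i]) % d for i in range(k)]
        return values, x_half * x_half % d, mults + k + 1
    powers, mults = [1], 0
    for _ in range(n):                 # x, x^2, ..., x^n
        powers.append(powers[-1] * x % d)
        mults += 1
    values = [sum(pw for c, pw in zip(p, powers) if c) % d for p in polys]
    return values, powers[n], mults

def encrypt(bit, u):
    """Section 5: c = [b + 2 u(r)]_d for a noise vector u in {0, +1, -1}^n.
    The +1 and -1 positions form two 0-1 polynomials evaluated in one batch."""
    plus = [1 if ui == 1 else 0 for ui in u]
    minus = [1 if ui == -1 else 0 for ui in u]
    (p, m), _, _ = eval_01_batch([plus, minus], R, D)
    return centred(bit + 2 * (p - m), D)

def decrypt(c):
    """Section 6.1: b = [c * w_i]_d mod 2 with one odd w_i."""
    return centred(c * SK, D) % 2

def noise_times_W(a):
    """Entries of a*W, the rows of W being x^i * w mod x^n + 1 (Section 6)."""
    total = [0] * N
    for i, ai in enumerate(a):
        for k, c in enumerate(W):
            q, m = divmod(i + k, N)
            total[m] += ai * (-c if q & 1 else c)
    return total

def decryptable(bit, u):
    """Section 6 condition: every entry of a*W is below d/2 in absolute value,
    where a = 2u + b e_1 is the vector hidden in the ciphertext."""
    a = [bit + 2 * u[0]] + [2 * ui for ui in u[1:]]
    return max(abs(t) for t in noise_times_W(a)) < D / 2

if __name__ == "__main__":
    for bit, u in [(1, [0, 1, 0, 0]), (0, [1, 0, 0, 0]), (0, [0, 0, -1, 1])]:
        c = encrypt(bit, u)
        print(bit, u, "->", c, "->", decrypt(c), "within radius:", decryptable(bit, u))
```

The last sample noise vector pushes one entry of $a\cdot W$ to 160, beyond $d/2 = 128.5$, and the recovered bit is wrong, which is exactly the failure mode the Section 6 condition rules out; with such a tiny toy key the decryption radius is far smaller than in the paper's parameter settings.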
For elementary symmetric polynomials, the number of monomials is exactly $\binom{m}{\deg}$. Hence to handle polynomials of degree $\deg$ with $m$ variables, we need to set $t$ large enough so that $2^t \ge c^{\deg}\cdot\sqrt{\binom{m}{\deg}}$, in order for the noise in the evaluated ciphertexts to still be inside the decryption radius of the secret key. Trying to fit the data from Figure 1 to this expression, we observe that $c$ is not really a constant; rather it gets slightly smaller when $t$ gets larger. For $t = 64$ we have $c \in [9.14, 11.33]$, for $t = 128$ we have $c \in [7.36, 8.82]$, for $t = 256$ we get $c \in [7.34, 7.92]$, and for $t = 384$ we have $c \in [6.88, 7.45]$. We speculate that this small deviation stems from the fact that the norm of the individual monomials is not exactly $c^{\deg}$ but rather has some distribution around that size, and as a result the norm of the sum of all these monomials differs somewhat from $\sqrt{\#\text{-of-monomials}}$ times the expected $c^{\deg}$.

Part II A Fully Homomorphic Scheme

8 Squashing the Decryption Procedure

Recall that the decryption routine of our somewhat homomorphic scheme decrypts a ciphertext $c \in \mathbb{Z}_d$ using the secret key $w \in \mathbb{Z}_d$ by setting $b \leftarrow [wc]_d \bmod 2$. Unfortunately, viewing $c, d$ as constants and considering the decryption function $D_{c,d}(w) = [wc]_d \bmod 2$, the degree of $D_{c,d}$ (as a polynomial in the secret key bits) is higher than what our somewhat-homomorphic scheme can


More information

Math 115 Section 018 Course Note

Math 115 Section 018 Course Note Course Note 1 General Functions Definition 1.1. A function is a rule that takes certain numbers as inputs an assigns to each a efinite output number. The set of all input numbers is calle the omain of

More information

Lecture 2 Lagrangian formulation of classical mechanics Mechanics

Lecture 2 Lagrangian formulation of classical mechanics Mechanics Lecture Lagrangian formulation of classical mechanics 70.00 Mechanics Principle of stationary action MATH-GA To specify a motion uniquely in classical mechanics, it suffices to give, at some time t 0,

More information

Table of Common Derivatives By David Abraham

Table of Common Derivatives By David Abraham Prouct an Quotient Rules: Table of Common Derivatives By Davi Abraham [ f ( g( ] = [ f ( ] g( + f ( [ g( ] f ( = g( [ f ( ] g( g( f ( [ g( ] Trigonometric Functions: sin( = cos( cos( = sin( tan( = sec

More information

Math 1B, lecture 8: Integration by parts

Math 1B, lecture 8: Integration by parts Math B, lecture 8: Integration by parts Nathan Pflueger 23 September 2 Introuction Integration by parts, similarly to integration by substitution, reverses a well-known technique of ifferentiation an explores

More information

REAL ANALYSIS I HOMEWORK 5

REAL ANALYSIS I HOMEWORK 5 REAL ANALYSIS I HOMEWORK 5 CİHAN BAHRAN The questions are from Stein an Shakarchi s text, Chapter 3. 1. Suppose ϕ is an integrable function on R with R ϕ(x)x = 1. Let K δ(x) = δ ϕ(x/δ), δ > 0. (a) Prove

More information

A New Vulnerable Class of Exponents in RSA

A New Vulnerable Class of Exponents in RSA A ew Vulnerable Class of Exponents in RSA Aberrahmane itaj Laboratoire e Mathématiues icolas Oresme Campus II, Boulevar u Maréchal Juin BP 586, 4032 Caen Ceex, France. nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj

More information

d dx But have you ever seen a derivation of these results? We ll prove the first result below. cos h 1

d dx But have you ever seen a derivation of these results? We ll prove the first result below. cos h 1 Lecture 5 Some ifferentiation rules Trigonometric functions (Relevant section from Stewart, Seventh Eition: Section 3.3) You all know that sin = cos cos = sin. () But have you ever seen a erivation of

More information

The Non-abelian Hodge Correspondence for Non-Compact Curves

The Non-abelian Hodge Correspondence for Non-Compact Curves 1 Section 1 Setup The Non-abelian Hoge Corresponence for Non-Compact Curves Chris Elliott May 8, 2011 1 Setup In this talk I will escribe the non-abelian Hoge theory of a non-compact curve. This was worke

More information

Quantum Algorithms: Problem Set 1

Quantum Algorithms: Problem Set 1 Quantum Algorithms: Problem Set 1 1. The Bell basis is + = 1 p ( 00i + 11i) = 1 p ( 00i 11i) + = 1 p ( 01i + 10i) = 1 p ( 01i 10i). This is an orthonormal basis for the state space of two qubits. It is

More information

Fully Homomorphic Encryption and Bootstrapping

Fully Homomorphic Encryption and Bootstrapping Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded

More information

arxiv: v1 [math.mg] 10 Apr 2018

arxiv: v1 [math.mg] 10 Apr 2018 ON THE VOLUME BOUND IN THE DVORETZKY ROGERS LEMMA FERENC FODOR, MÁRTON NASZÓDI, AND TAMÁS ZARNÓCZ arxiv:1804.03444v1 [math.mg] 10 Apr 2018 Abstract. The classical Dvoretzky Rogers lemma provies a eterministic

More information

EVALUATING HIGHER DERIVATIVE TENSORS BY FORWARD PROPAGATION OF UNIVARIATE TAYLOR SERIES

EVALUATING HIGHER DERIVATIVE TENSORS BY FORWARD PROPAGATION OF UNIVARIATE TAYLOR SERIES MATHEMATICS OF COMPUTATION Volume 69, Number 231, Pages 1117 1130 S 0025-5718(00)01120-0 Article electronically publishe on February 17, 2000 EVALUATING HIGHER DERIVATIVE TENSORS BY FORWARD PROPAGATION

More information

Extension of de Weger s Attack on RSA with Large Public Keys

Extension of de Weger s Attack on RSA with Large Public Keys Extension of e Weger s Attack on RSA with Large Public Keys Nicolas T. Courtois, Theoosis Mourouzis an Pho V. Le Department of Computer Science, University College Lonon, Gower Street, Lonon, U.K. {n.courtois,

More information

The Principle of Least Action

The Principle of Least Action Chapter 7. The Principle of Least Action 7.1 Force Methos vs. Energy Methos We have so far stuie two istinct ways of analyzing physics problems: force methos, basically consisting of the application of

More information

Multi-View Clustering via Canonical Correlation Analysis

Multi-View Clustering via Canonical Correlation Analysis Technical Report TTI-TR-2008-5 Multi-View Clustering via Canonical Correlation Analysis Kamalika Chauhuri UC San Diego Sham M. Kakae Toyota Technological Institute at Chicago ABSTRACT Clustering ata in

More information

Linear Algebra- Review And Beyond. Lecture 3

Linear Algebra- Review And Beyond. Lecture 3 Linear Algebra- Review An Beyon Lecture 3 This lecture gives a wie range of materials relate to matrix. Matrix is the core of linear algebra, an it s useful in many other fiels. 1 Matrix Matrix is the

More information

Robustness and Perturbations of Minimal Bases

Robustness and Perturbations of Minimal Bases Robustness an Perturbations of Minimal Bases Paul Van Dooren an Froilán M Dopico December 9, 2016 Abstract Polynomial minimal bases of rational vector subspaces are a classical concept that plays an important

More information

Lecture 6 : Dimensionality Reduction

Lecture 6 : Dimensionality Reduction CPS290: Algorithmic Founations of Data Science February 3, 207 Lecture 6 : Dimensionality Reuction Lecturer: Kamesh Munagala Scribe: Kamesh Munagala In this lecture, we will consier the roblem of maing

More information

Determinant and Trace

Determinant and Trace Determinant an Trace Area an mappings from the plane to itself: Recall that in the last set of notes we foun a linear mapping to take the unit square S = {, y } to any parallelogram P with one corner at

More information

All s Well That Ends Well: Supplementary Proofs

All s Well That Ends Well: Supplementary Proofs All s Well That Ens Well: Guarantee Resolution of Simultaneous Rigi Boy Impact 1:1 All s Well That Ens Well: Supplementary Proofs This ocument complements the paper All s Well That Ens Well: Guarantee

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Pure Further Mathematics 1. Revision Notes

Pure Further Mathematics 1. Revision Notes Pure Further Mathematics Revision Notes June 20 2 FP JUNE 20 SDB Further Pure Complex Numbers... 3 Definitions an arithmetical operations... 3 Complex conjugate... 3 Properties... 3 Complex number plane,

More information

Low-Dimensional Lattice Basis Reduction Revisited (Extended Abstract)

Low-Dimensional Lattice Basis Reduction Revisited (Extended Abstract) Algorithmic Number Theory Proceeings of ANTS-VI (June 13 18, 2004, Burlington, U.S.A.) D. Buell (E.), vol.???? of Lecture Notes in Computer Science, pages?????? c Springer-Verlag (http://www.springer.e/comp/lncs/inex.html)

More information

Thermal conductivity of graded composites: Numerical simulations and an effective medium approximation

Thermal conductivity of graded composites: Numerical simulations and an effective medium approximation JOURNAL OF MATERIALS SCIENCE 34 (999)5497 5503 Thermal conuctivity of grae composites: Numerical simulations an an effective meium approximation P. M. HUI Department of Physics, The Chinese University

More information

Rank, Trace, Determinant, Transpose an Inverse of a Matrix Let A be an n n square matrix: A = a11 a1 a1n a1 a an a n1 a n a nn nn where is the jth col

Rank, Trace, Determinant, Transpose an Inverse of a Matrix Let A be an n n square matrix: A = a11 a1 a1n a1 a an a n1 a n a nn nn where is the jth col Review of Linear Algebra { E18 Hanout Vectors an Their Inner Proucts Let X an Y be two vectors: an Their inner prouct is ene as X =[x1; ;x n ] T Y =[y1; ;y n ] T (X; Y ) = X T Y = x k y k k=1 where T an

More information

NOTES ON EULER-BOOLE SUMMATION (1) f (l 1) (n) f (l 1) (m) + ( 1)k 1 k! B k (y) f (k) (y) dy,

NOTES ON EULER-BOOLE SUMMATION (1) f (l 1) (n) f (l 1) (m) + ( 1)k 1 k! B k (y) f (k) (y) dy, NOTES ON EULER-BOOLE SUMMATION JONATHAN M BORWEIN, NEIL J CALKIN, AND DANTE MANNA Abstract We stuy a connection between Euler-MacLaurin Summation an Boole Summation suggeste in an AMM note from 196, which

More information

Pseudo-Free Families of Finite Computational Elementary Abelian p-groups

Pseudo-Free Families of Finite Computational Elementary Abelian p-groups Pseuo-Free Families of Finite Computational Elementary Abelian p-groups Mikhail Anokhin Information Security Institute, Lomonosov University, Moscow, Russia anokhin@mccme.ru Abstract We initiate the stuy

More information

Lower bounds on Locality Sensitive Hashing

Lower bounds on Locality Sensitive Hashing Lower bouns on Locality Sensitive Hashing Rajeev Motwani Assaf Naor Rina Panigrahy Abstract Given a metric space (X, X ), c 1, r > 0, an p, q [0, 1], a istribution over mappings H : X N is calle a (r,

More information

Leaving Randomness to Nature: d-dimensional Product Codes through the lens of Generalized-LDPC codes

Leaving Randomness to Nature: d-dimensional Product Codes through the lens of Generalized-LDPC codes Leaving Ranomness to Nature: -Dimensional Prouct Coes through the lens of Generalize-LDPC coes Tavor Baharav, Kannan Ramchanran Dept. of Electrical Engineering an Computer Sciences, U.C. Berkeley {tavorb,

More information

Assignment 1. g i (x 1,..., x n ) dx i = 0. i=1

Assignment 1. g i (x 1,..., x n ) dx i = 0. i=1 Assignment 1 Golstein 1.4 The equations of motion for the rolling isk are special cases of general linear ifferential equations of constraint of the form g i (x 1,..., x n x i = 0. i=1 A constraint conition

More information

Lecture XII. where Φ is called the potential function. Let us introduce spherical coordinates defined through the relations

Lecture XII. where Φ is called the potential function. Let us introduce spherical coordinates defined through the relations Lecture XII Abstract We introuce the Laplace equation in spherical coorinates an apply the metho of separation of variables to solve it. This will generate three linear orinary secon orer ifferential equations:

More information

Problem Sheet 2: Eigenvalues and eigenvectors and their use in solving linear ODEs

Problem Sheet 2: Eigenvalues and eigenvectors and their use in solving linear ODEs Problem Sheet 2: Eigenvalues an eigenvectors an their use in solving linear ODEs If you fin any typos/errors in this problem sheet please email jk28@icacuk The material in this problem sheet is not examinable

More information

Calculus of Variations

Calculus of Variations 16.323 Lecture 5 Calculus of Variations Calculus of Variations Most books cover this material well, but Kirk Chapter 4 oes a particularly nice job. x(t) x* x*+ αδx (1) x*- αδx (1) αδx (1) αδx (1) t f t

More information

Lecture 5. Symmetric Shearer s Lemma

Lecture 5. Symmetric Shearer s Lemma Stanfor University Spring 208 Math 233: Non-constructive methos in combinatorics Instructor: Jan Vonrák Lecture ate: January 23, 208 Original scribe: Erik Bates Lecture 5 Symmetric Shearer s Lemma Here

More information

Counting Lattice Points in Polytopes: The Ehrhart Theory

Counting Lattice Points in Polytopes: The Ehrhart Theory 3 Counting Lattice Points in Polytopes: The Ehrhart Theory Ubi materia, ibi geometria. Johannes Kepler (1571 1630) Given the profusion of examples that gave rise to the polynomial behavior of the integer-point

More information

Agmon Kolmogorov Inequalities on l 2 (Z d )

Agmon Kolmogorov Inequalities on l 2 (Z d ) Journal of Mathematics Research; Vol. 6, No. ; 04 ISSN 96-9795 E-ISSN 96-9809 Publishe by Canaian Center of Science an Eucation Agmon Kolmogorov Inequalities on l (Z ) Arman Sahovic Mathematics Department,

More information

Technion - Computer Science Department - M.Sc. Thesis MSC Constrained Codes for Two-Dimensional Channels.

Technion - Computer Science Department - M.Sc. Thesis MSC Constrained Codes for Two-Dimensional Channels. Technion - Computer Science Department - M.Sc. Thesis MSC-2006- - 2006 Constraine Coes for Two-Dimensional Channels Keren Censor Technion - Computer Science Department - M.Sc. Thesis MSC-2006- - 2006 Technion

More information

A Second Time Dimension, Hidden in Plain Sight

A Second Time Dimension, Hidden in Plain Sight A Secon Time Dimension, Hien in Plain Sight Brett A Collins. In this paper I postulate the existence of a secon time imension, making five imensions, three space imensions an two time imensions. I will

More information

19 Eigenvalues, Eigenvectors, Ordinary Differential Equations, and Control

19 Eigenvalues, Eigenvectors, Ordinary Differential Equations, and Control 19 Eigenvalues, Eigenvectors, Orinary Differential Equations, an Control This section introuces eigenvalues an eigenvectors of a matrix, an iscusses the role of the eigenvalues in etermining the behavior

More information

Sturm-Liouville Theory

Sturm-Liouville Theory LECTURE 5 Sturm-Liouville Theory In the three preceing lectures I emonstrate the utility of Fourier series in solving PDE/BVPs. As we ll now see, Fourier series are just the tip of the iceberg of the theory

More information

Time-of-Arrival Estimation in Non-Line-Of-Sight Environments

Time-of-Arrival Estimation in Non-Line-Of-Sight Environments 2 Conference on Information Sciences an Systems, The Johns Hopkins University, March 2, 2 Time-of-Arrival Estimation in Non-Line-Of-Sight Environments Sinan Gezici, Hisashi Kobayashi an H. Vincent Poor

More information

Function Spaces. 1 Hilbert Spaces

Function Spaces. 1 Hilbert Spaces Function Spaces A function space is a set of functions F that has some structure. Often a nonparametric regression function or classifier is chosen to lie in some function space, where the assume structure

More information

Efficient RNS bases for Cryptography

Efficient RNS bases for Cryptography 1 Efficient RNS bases for Cryptography Jean-Claue Bajar, Nicolas Meloni an Thomas Plantar LIRMM UMR 5506, University of Montpellier, France, {bajar,meloni,plantar}@lirmm.fr Abstract Resiue Number Systems

More information

Influence of weight initialization on multilayer perceptron performance

Influence of weight initialization on multilayer perceptron performance Influence of weight initialization on multilayer perceptron performance M. Karouia (1,2) T. Denœux (1) R. Lengellé (1) (1) Université e Compiègne U.R.A. CNRS 817 Heuiasyc BP 649 - F-66 Compiègne ceex -

More information

On colour-blind distinguishing colour pallets in regular graphs

On colour-blind distinguishing colour pallets in regular graphs J Comb Optim (2014 28:348 357 DOI 10.1007/s10878-012-9556-x On colour-blin istinguishing colour pallets in regular graphs Jakub Przybyło Publishe online: 25 October 2012 The Author(s 2012. This article

More information

Implicit Differentiation

Implicit Differentiation Implicit Differentiation Thus far, the functions we have been concerne with have been efine explicitly. A function is efine explicitly if the output is given irectly in terms of the input. For instance,

More information

Applications of the Wronskian to ordinary linear differential equations

Applications of the Wronskian to ordinary linear differential equations Physics 116C Fall 2011 Applications of the Wronskian to orinary linear ifferential equations Consier a of n continuous functions y i (x) [i = 1,2,3,...,n], each of which is ifferentiable at least n times.

More information

Robust Forward Algorithms via PAC-Bayes and Laplace Distributions. ω Q. Pr (y(ω x) < 0) = Pr A k

Robust Forward Algorithms via PAC-Bayes and Laplace Distributions. ω Q. Pr (y(ω x) < 0) = Pr A k A Proof of Lemma 2 B Proof of Lemma 3 Proof: Since the support of LL istributions is R, two such istributions are equivalent absolutely continuous with respect to each other an the ivergence is well-efine

More information

2Algebraic ONLINE PAGE PROOFS. foundations

2Algebraic ONLINE PAGE PROOFS. foundations Algebraic founations. Kick off with CAS. Algebraic skills.3 Pascal s triangle an binomial expansions.4 The binomial theorem.5 Sets of real numbers.6 Surs.7 Review . Kick off with CAS Playing lotto Using

More information

arxiv: v1 [cs.ds] 31 May 2017

arxiv: v1 [cs.ds] 31 May 2017 Succinct Partial Sums an Fenwick Trees Philip Bille, Aners Roy Christiansen, Nicola Prezza, an Freerik Rye Skjoljensen arxiv:1705.10987v1 [cs.ds] 31 May 2017 Technical University of Denmark, DTU Compute,

More information

Resistant Polynomials and Stronger Lower Bounds for Depth-Three Arithmetical Formulas

Resistant Polynomials and Stronger Lower Bounds for Depth-Three Arithmetical Formulas Resistant Polynomials an Stronger Lower Bouns for Depth-Three Arithmetical Formulas Maurice J. Jansen an Kenneth W.Regan University at Buffalo (SUNY) Abstract. We erive quaratic lower bouns on the -complexity

More information

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

Fully Homomorphic Encryption over the Integers with Shorter Public Keys Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi

More information

Chapter 4. Electrostatics of Macroscopic Media

Chapter 4. Electrostatics of Macroscopic Media Chapter 4. Electrostatics of Macroscopic Meia 4.1 Multipole Expansion Approximate potentials at large istances 3 x' x' (x') x x' x x Fig 4.1 We consier the potential in the far-fiel region (see Fig. 4.1

More information