1. FHE Introduction
Nigel Smart
Avoncrypt 2015

2. Homomorphic Encryption
Some encryption schemes are multiplicative homomorphic
(M1 M2)e = (M1e) * (M2e)
Some encryption schemes are additively homomorphic
(Gm+n * Hr+s ) = (Gm * Hr ) * (Gn * Hs )
Problem is to come up with schemes which are both

3. Additively Homomorphic Schemes
Schemes which support addition
e.g. Paillier, ElGamal in exponent, ElGamal in Paillier group etc
have wide application
Electronic voting protocols
Key splitting protocols
These are practical and deployed in various situations.

4. Mult+Add + + + + + * x * y * * *
Every function can be represented by a sequence of additions and multiplications over a ring R
So called arithmetic circuit description * + + + x * + + y * * *

5. Mult+Add
Suppose we have an encryption scheme which can support homomorphic encryption and multiplication
Denote encryption via a box [x], then we have the equations
[x +y] = [x] + [y]
[x * y] = [x] * [y]
We could then evaluate the circuit

6. Mult + Add Assume data, x, is in some finite ring R
A ciphertext, [x], also lives in a ring C
The plaintext operations + and * are on elements in R.
The ciphertext operations + and * are on elements in C.
Big Idea: If we could do this we could compute on encrypted data and outsource computation.

7. Require Fully Homomorphic Encryption (FHE)
Data
Owner
Server a b
F(X,Y)
[a]
[b]
F(X,Y)
DECRYPT
[F(a,b)]
F(a,b)
We want the computation of F(a,b) to be done on the server without interation
Require Fully Homomorphic Encryption (FHE)
i.e. the encryption algorithm supports operations ⊕ and ⊗
This is very slow!
Data is placed on the server
Server performs some computation
Ciphertext returned to the data owner
Data owner then decrypts.

8. The process of given [a] and [b] and F and producing [F(a,b)] we call Eval.
So if F is a function with one input we would have
Eval(F,[x]) = [F(x)]
We require that the size of the output ciphertext [F(x)] does not depend on F.
Otherwise trivial solution is output (F,[x])
The only thing which depends on F is the complexity of performing the Eval operation

9. Practical Instantiations
All encryption schemes supporting addition AND multiplications are based on lattices.
All systems have the following property
A ciphertext has an implicit noise quantity N.
A fresh (newly encrypted ciphertext) has a small value of N.
Adding ciphertexts with noise N and N’ produces one with noise N+N’
Multiplying ciphertexts with noise N and N’ produces one with noise M(N,N’) for some function M.
Exact M depends on the scheme

10. Somewhat Homomorphic Encryption
When noise gets too big a ciphertext will not decrypt correctly.
This implies a bound on the complexity of the circuit a scheme can evaluate.
Such schemes are called “Somewhat” homomorphic as opposed to “Fully” homomorphic.
SHE vs FHE
We can (sometimes) produce a FHE scheme from an SHE scheme using a process called bootstrapping.

11. Bootstrapping Let D(s,c) be the decryption function of the scheme.
Now think of D(s,c) as a function of the secret key s only.
So for each c we define a new function Dc(s)
Suppose Dc(s) is simple enough to be evaluated by the SHE scheme (with a little more room afterwards).
Publish an encryption of s, i.e. Output [s]

12. Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’
Bootstrapping
Recall
Eval(F, [x]) = [F(x)]
Take a ciphertext c=[m] encrypting a message m.
So take F(x)= Dc(x) then and use the encrypted secret key [s] to obtain
Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’
So Eval produces a new encryption of m.
We “gain” if the noise in c’ is less than the noise in c.

13. Bootstrapping This works when the “circuit” for decryption is simple.
Most lattice schemes have low decryption circuit complexity.
Thus this is where we find FHE schemes living
Also lattices allow easy creation of SHE schemes to start with as well.

14. Example Scheme (BGV) We keep a high level view, and hide many details
Let R be a ring of polynomials over the integers
R=Z[X]/F(X)
Let Rq denote the same ring but also reduced mod q, for a prime q.
Rq =Zq [X]/F(X)
Let plaintext space be Rp for a prime p ≠ q
Let secret key be a small element s in Rq

15. Example Scheme (BGV) To encrypt we
Pick a small “noise” value e in Rq
Pick a random element a in Rq
Set b = m + p*e + a*s
As described this is a symmetric key scheme, but we are keeping things simple.
To decrypt we compute
b-a*s mod q = m + p*e
and then take the result modulo p.

16. B-A*s = p*(e+e’) + (m+m’)
Example Scheme (BGV)
Take two ciphertexts (a,b) and (a’,b’)
b=a*s+p*e+m
b’=a’*s+p*e’+m’
Clearly additively homomorphic:
A=a+a’
B=b+b’
B-A*s = p*(e+e’) + (m+m’)
Noise is additive e+e’

17. C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
Example Scheme (BGV)
Multiplication more complex, basically take tensors of ciphertexts and decrypt under the tensor secret key
A=a*a’
B=a*b’+a’*b
C=b*b’
Then
C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
= m*m’ + p* noise
Noise is multiplicative noise ≈ e*e’

18. C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
Example Scheme (BGV)
C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
We can “relinearize” (A,B,C) to get back a two element ciphertext (A’,B’) such that
B- A *s = m*m’ + p * noise
This is a process called “key switching”
Details not given here

19. In Practice
We have practical and efficient SHE schemes for reasonable size values of plaintext moduli p.
Depth is limited really to small values(<10)
Mainly focused on multiplicative depth as this is where the main noise comes from
Making efficient bootstrapping impossible.

20. In Practice Some application can be enabled using low depth SHE
Statistical calculations : std-dev.
Fourier Transforms + Masking.
Preprocessing for MPC (SPDZ protocol).
EU project HEAT looking into practical use-cases for low depth SHE based systems.

21. Questions?