1. Simons Institute, Cryptography Boot Camp
Homomorphic Encryption (Part II):
Bootstrapping, FHE, and More
Shai Halevi
* Many slides taken from Craig Gentry
May 18, 2015
Simons Institute, Cryptography Boot Camp

2. Fully Homomorphic Encryption (FHE)
A FHE scheme can evaluate unbounded depth circuits
Not limited by bound specified at Setup
Parameters (like size of ciphertext) do not depend on evaluated depth
So far, GSW can evaluate only depth log 𝑚+1 𝑞
How do we make it fully homomorphic?
Bootstrapping: A way to get FHE…

3. A Digression into Philosophy…
Can the human mind understand itself?
Or, as a mind becomes more complex, does the task of understanding also become more complex, so that self- understanding it always just out of reach?
Self-reference can sometimes be proven impossible
Godel’s incompleteness theorem
Turing’s Halting Problem

4. Philosophy Meets Cryptography
Can a homomorphic encryption scheme decrypt itself?
We can try to plug the decryption function Dec(·,·) into Eval.
If we run Evalpk(Dec(·,·), c), does it work?
Suppose our HE scheme can Eval depth-d circuits, can we make Dec(·,·) fit in a depth-d circuit (or less)?
Recryption = the process of running Eval on Dec(·,·).

5. So Far: Bounded Processing
We can evaluate bounded-depth circuits f:
We get a noisy “evaluated ciphertext” y
Can still be decrypted
But eval f’(y) will increase noise too much f μ1 μ2 …
f(μ1, μ2 ,…, μt) μt

6. Recryption: Refreshing a Ciphertext
August 16, 2011
Recryption: Refreshing a Ciphertext
For ciphertext c, consider the function Dc(·) = Dec(·,c)
Suppose we can Eval depth d, but Dc(·) has depth d-1.
Include in the public key also Encpk(sk) c y
Must assume “circular security” Dc
sk1
sk2
skn …
sk1
sk2
skn …
New encryption of y, with less noise.
c' =
Dc(sk)
= Dec(sk,c) = y
Homomorphic computation applied only to the “fresh” encryption of sk.

7. Bootstrapping Theorem (Informal)
Suppose Ɛ is a HE scheme
that can evaluate arithmetic circuits of depth d
whose decryption algorithm is a circuit of depth d-1
Call Ɛ a “bootstrappable” HE scheme
Thm: From a bootstrappable somewhat homomorphic scheme, we can construct a fully homomorphic scheme.
Technique: Refresh noisy ciphertexts by evaluating the decryption circuit homomorphically (Recryption)

8. Recryption for GSW GSW.𝐷𝑒 𝑐 𝒕 𝐶 : Let 𝒘=(𝑞/2,0,…,0), so 𝒘,𝒕 𝑞 =𝑞/2
Compute 𝒛≔ 𝐶×𝒕 𝒒 , output 0 𝑖𝑓 𝒛 𝑖𝑠 𝑐𝑙𝑜𝑠𝑒𝑟 𝑡𝑜 𝟎 𝑖𝑓 𝒛 𝑖𝑠 𝑐𝑙𝑜𝑠𝑒𝑟 𝑡𝑜 𝒕 ′ =𝐺×𝒕
Let 𝒘=(𝑞/2,0,…,0), so 𝒘,𝒕 𝑞 =𝑞/2
Denote 𝒄= 𝐺 −1 𝒘 ×𝐶
𝒄,𝒕 = 𝐺 −1 𝒘 ×𝐶×𝒕= 𝐺 −1 𝒘 ,𝜇⋅ 𝒕 ′ +𝒆 = 𝜇⋅𝐺 −1 𝒘 ×𝐺×𝒕+ 𝐺 −1 𝑤 ,𝒆 =𝜇⋅ 𝒘,𝒕 + 𝐺 −1 𝒘 ,𝒆 =𝝁⋅𝒒/𝟐+ small (𝒎𝒐𝒅 𝒒)
GSE.𝐷𝑒 𝑐 𝒕 ′ 𝐶 :
Compute 𝑧≔ 𝒄,𝒕 𝑞 , output 𝑀𝑆𝐵 𝑧 = 0: 𝑧 ≤ 𝑞 4 1: 𝑧 > 𝑞 4

9. How Complex Is Decryption?
𝜇=𝑀𝑆𝐵 𝒄,𝒕 𝑞
Depth is linear in dim 𝒕 + 𝑞 =𝑛+log 𝑞
If q is small enough (polynomial in the security param) then decryption is in NC1 (log-depth circuits).
But wait – isn’t 𝑞 really large?
𝑞 grows with the Eval capacity of the scheme
Ideally, we would like the complexity of Dec to be independent of the Eval capacity.

10. Modulus Reduction Magic Trick
Suppose 𝒄 encrypts μ – that is, 𝜇=𝑀𝑆𝐵 𝒄,𝒕 𝑞 .
Can we make 𝑞 smaller?
Pick 𝑝<𝑞, set 𝒄 ′ =𝑟𝑜𝑢𝑛𝑑 𝑝 𝑞 ⋅𝒄 = 𝑝 𝑞 ⋅𝒄+𝝐
Before we had 𝒄,𝒕 =𝜇⋅ 𝑞 2 +𝒆+𝜅⋅𝑞 for some 𝜅
Now we have 𝒄 ′ ,𝒕 = 𝑝 𝑞 ⋅ 𝒄,𝒕 + 𝝐,𝒕 =𝜇⋅ 𝑝 𝑝 𝑞 ⋅𝒆+ 𝝐,𝒕 𝑛𝑒𝑤 𝑛𝑜𝑖𝑠𝑒 𝒆 ′ +𝜅⋅𝑝
If 𝝐,𝒕 is small enough, then 𝒄 ′ encrypts the same μ

11. Modulus Reduction Magic Trick, Notes
[ACPS 2009] proved LWE hard even if 𝒕 is small:
𝒕 chosen from the same distribution as the noise e
With coefficients of size poly in the security parameter.
For 𝒕 of polynomial size, we can modulus reduce to a modulus p of polynomial size, before bootstrapping.
Bottom Line: After some processing, decryption for LWE-based encryption schemes (like GSW) is in NC1.
Complexity of Dec is independent of Eval capacity.

12. Evaluating NC1 Circuits in GSW
Naïve way: Just do log levels of NAND
Each level multiplies noise by polynomial factor.
𝐶 𝑁𝐴𝑁𝐷 ×𝒕= 𝐺− 𝐺 −1 𝐶 1 × 𝐶 2 ×𝒕
= 1− 𝜇 1 𝜇 2 ⋅ 𝒕 ′ − 𝜇 2 ⋅ 𝒆 𝟏 + 𝐺 −1 𝐶 1 × 𝒆 𝟐
𝑑 levels multiplies noise by ≤ 𝑚+1 𝑑
Need to use 𝑞=𝑝𝑜𝑙𝑦 𝜆 𝑑 = 𝜆 𝑂( log 𝜆)
Security is based on LWE with quasi-polynomial factor

13. Evaluating NC1 Circuits in GSW
Can get polynomial factor using asymmetry in noise
Use special circuits where all multiplications have fresh ciphertexts on the right
E.g., implementing branching programs
After each multiplication: |new-noise|≤ |𝜇⋅old-noise| + m⋅|fresh-noise|
 After 𝑇 multiplications: |noise| ≤𝑇⋅|fresh-noise|
|Total noise| ≤|𝐶|⋅ |fresh-noise| = 𝑝𝑜𝑙𝑦(𝜆)

14. Extra: Multi-key HE from LWE

15. Multi-Key Homomorphic Encryption
Computing on data encrypted under multiple keys
𝑠 𝑘 𝑖 ,𝑝 𝑘 𝑖 ←𝐾𝑒𝑦𝐺𝑒𝑛 $ , 𝑖=1,2, …,𝑛
𝑐 𝑖 ←𝐸𝑛 𝑐 𝑝 𝑘 𝑖 𝑥 𝑖
𝑐 ∗ ←𝑀𝑢𝑙𝑡𝑖𝐸𝑣𝑎 𝑙 𝑝 𝑘 𝑖 𝑖 (𝑓, 𝑐 𝑖 𝑖 )
M𝑢𝑙𝑡𝑖𝐷𝑒 𝑐 𝑠 𝑘 𝑖 𝑖 𝑐 ∗ =𝑓( 𝑥 1 ,…, 𝑥 𝑛 )
[Lopez-Alt,Tromer,Vaikuntanathan’12] from NTRU
Can do LWE for constant #, RLWE for log # of players
Here: LWE-based for poly # of players
Follows [Clear,McGoldrick’14, Mukherjee,Wichs’15]

16. A Variation of GSW Recall: 𝐶=GSW.𝐸𝑛 𝑐 𝐵 𝜎 ←𝑅×𝐵+𝜎⋅𝐺
𝐵∈ 𝑍 𝑞 𝑚×𝑛 is the public key, 𝐵× 𝑡 = small
𝑅∈ 0,1 𝑚×𝑚 ⊂𝑍 𝑞 𝑚×𝑚
We have 𝐶× 𝑡 =𝜇⋅𝐺× 𝑡 + small
Can we add, multiply 𝐶 𝑖 ’s relative to different 𝐵 𝑖 ’s?
Not directly
Idea: include with each 𝐶 𝑖 ’s some extra information, to enable computing on them jointly
Specifically, element-wise encryption of 𝑅 𝑖

17. Step 1: Algebraic Trick Easier to see for the “1st try” from before:
Assume 𝐶=𝑅×𝐵+𝜇⋅𝐼∈ 𝑍 𝑞 𝑛×𝑛 (𝐶× 𝑡 =𝜇⋅ 𝑡 + 𝒆 )
𝑡 = 1, 𝑠 𝑡 , so 1st row of 𝐶 satisfies 𝑐 , 𝑡 =𝜇+𝑒
Let 𝐶 𝑖,𝑗 be encryption of the entry 𝑟 𝑖,𝑗 =𝑅[𝑖,𝑗]
𝑐 𝑖,𝑗 is 1st row of 𝐶 𝑖,𝑗 , so 𝑐 𝑖,𝑗 , 𝑡 = 𝑟 𝑖,𝑗 +𝑒
For any vector 𝑣 =( 𝑣 1 ,…, 𝑣 𝑛 ) and any 𝑖∈[𝑛], let 𝒘 𝒊 = 𝒋 𝒗 𝒋 ⋅ 𝒄 𝒊,𝒋
𝑤 𝑖 , 𝑡 = 𝑗 𝑣 𝑗 ⋅ 𝑐 𝑖,𝑗 , 𝑡
= 𝑗 𝑣 𝑗 𝑟 𝑖,𝑗 𝑗 𝑣 𝑗 𝑒 𝑖,𝑗 𝑒 𝑖 ′ = 𝑅 𝑖,− , 𝑣 + 𝑒 𝑖 ′

18. Step 1: Algebraic Trick
For 𝒗=( 𝑣 1 ,…, 𝑣 𝑛 ) let 𝑾= 𝑤 𝑤 2 ⋮ 𝑤 𝑛 = 𝑗 𝑣 𝑗 ⋅ 𝑐 1,𝑗 𝑗 𝑣 𝑗 ⋅ 𝑐 2,𝑗 ⋮ 𝑗 𝑣 𝑗 ⋅ 𝑐 𝑛,𝑗
Then 𝑊× 𝑡 =𝑅× 𝑣 + 𝑒 ′
From Enc(𝑅) and plaintext 𝑣 , can generate such 𝑊

19. Fixing the Algebraic Trick
This was for the “1st try”, not the real GSW scheme
And it only works for small 𝑣 (else 𝑒 𝑖 ′ is large)
To fix, use the same 𝐺, 𝐺 −1 (⋅)
Denote 𝑣 𝑗 =( 𝑣 𝑗 ,0,…,0)
Before we had 𝑤 𝑖 = 𝑗 𝑣 𝑗 𝑍 𝑞 𝑛 × 𝐶 𝑖,𝑗 𝑍 𝑞 𝑛×𝑛 , error 𝑒 𝑖 ′ = 𝑗 𝑣 𝑗 , 𝑒 𝑖,𝑗
Now we set 𝑤 𝑖 = 𝐺 −1 𝑣 𝑗 𝑍 𝑞 𝑚 × 𝐶 𝑖,𝑗 𝑍 𝑞 𝑚×𝑛
The new error is 𝑒 𝑖 ′ = 𝑗 𝐺 −1 𝑣 𝑗 , 𝑒 𝑖,𝑗
“real” GSW ciphertext

20. Summary So Far: Algebraic Trick
Given:
element-wise encryption of 𝑅∈ 0,1 𝑚×𝑚 under 𝑡 ,
any vector 𝑣 ∈ 𝑍 𝑞 𝑚 ,
We can compute a matrix 𝑊∈ 𝑍 𝑞 𝑚×𝑛 s.t. 𝑊× 𝑡 =𝑅× 𝑣 + 𝑒 ′ for small 𝑒 ′

21. Step 2: Related Public Keys
Use a “common reference string” 𝐴 ∈ 𝑅 𝑍 𝑞 𝑚×(𝑛−1)
To get a new (pk,sk) key pair:
choose a secret 𝑠 ∈ 𝑍 𝑞 𝑛−1
compute 𝑏 =𝐴× 𝑠 + 𝑒 (for small error 𝑒 )
Set PK: B=(− 𝑏 |𝐴), SK: 𝑡 = 1, 𝑠 𝑡
Then 𝐵× 𝑡 =− 𝑏 +𝐴× 𝑠 = 𝑒 = small, as needed
All public keys share the same 𝐴
Differ only in 1st column
Security is unaffected (if 𝐴 is chosen randomly)

22. Step 3: “Masking Scheme” for GSW
Key-generation uses CRS
Public key 𝐵=(− 𝑏 |𝐴), all share the same 𝐴
Encryption outputs 𝐶=𝑅×𝐵+𝜎⋅𝐺 as before, but also GSW-encryption of the entries of 𝑅
𝑈 = 𝐺𝑆𝑊.𝐸𝑛 𝑐 𝐵 𝑟 𝑖,𝑗 𝑖,𝑗
Given public keys 𝐵, 𝐵 ′ (wrt 𝑡 , 𝑡 ′ ) and 𝐶, 𝑈 encrypting 𝜇 under 𝑡 , compute 𝑊∈ 𝑍 𝑞 𝑚×𝑛 s.t.
𝑪× 𝒕 ′ −𝑾×𝒕=𝝁⋅𝑮× 𝒕 ′ + 𝒆 ′
Mult 𝐶 by wrong 𝑡 ′
Get the right answer
Correction
factor

23. Step 3: “Masking Scheme” for GSW
Recall, 𝐵= − 𝑏 𝐴 , 𝐵 ′ = − 𝑏 ′ 𝐴 , let 𝛿 = 𝑏 ′ − 𝑏
Use 𝑈 to compute 𝑊 such that 𝑊× 𝑡 =𝑅× 𝛿 + 𝑒
Note 𝑅× 𝐵− 𝐵 ′ × 𝑡 ′ =𝑅×( 𝛿 |0)× 1 𝑠 ′ =𝑅× 𝛿
𝐶× 𝑡′ −𝑊× 𝑡
= 𝑅×𝐵+𝜇⋅𝐺 × 𝑡 ′ − 𝑅× 𝛿 + 𝑒
=𝜇⋅𝐺× 𝑡 ′ +𝑅×𝐵× 𝑡 ′ −𝑅× 𝐵− 𝐵 ′ × 𝑡 ′ − 𝑒
=𝜇⋅𝐺× 𝑡 ′ +𝑅× 𝐵 ′ × 𝑡 ′ − 𝑒
=𝜇⋅𝐺× 𝑡 ′ − 𝑒 ′

24. Step 4: Multi-Key HE
Given public keys 𝐵, 𝐵 ′ (wrt 𝑡 , 𝑡 ′ ) and 𝐶, 𝑈 , 𝐶 ′ , 𝑈 ′ , encrypting 𝜇,𝜇′ under 𝑡 , 𝑡 ′ :
Denote 𝑡 = 𝑡 , 𝑡 ′ 𝑡 , 𝐺 = 𝐺 0 0 𝐺
Compute 𝑊 s.t. 𝐶× 𝑡 ′ −𝑊× 𝑡 =𝜇⋅𝐺× 𝑡 ′ + 𝑒 , and let 𝐶 = 𝐶 0 −𝑊 𝐶
𝐶 × 𝑡 = 𝐶 𝑡 𝐶 𝑡 ′ −𝑊 𝑡 =𝜇⋅ 𝐺 𝑡 𝐺 𝑡 ′ 𝑒 ′ 𝑒 ′′
=𝜇⋅ 𝐺 × 𝑡 + 𝑒

25. Step 4: Multi-Key HE
Given public keys 𝐵, 𝐵 ′ (wrt 𝑡 , 𝑡 ′ ) and 𝐶, 𝑈 , 𝐶 ′ , 𝑈 ′ , encrypting 𝜇,𝜇′ under 𝑡 , 𝑡 ′ :
Denote 𝑡 = 𝑡 , 𝑡 ′ 𝑡 , 𝐺 = 𝐺 0 0 𝐺
Compute 𝑊 s.t. 𝐶× 𝑡 ′ −𝑊× 𝑡 =𝜇⋅𝐺× 𝑡 ′ + 𝑒 , and 𝑊 ′ s.t. 𝐶 ′ × 𝑡 − 𝑊 ′ × 𝑡 ′ = 𝜇 ′ ⋅𝐺× 𝑡 + 𝑒 ′
let 𝑪 = 𝑪 𝟎 −𝑾 𝑪 and 𝑪 ′ = 𝑪 ′ − 𝑾 ′ 𝟎 𝑪 ′ , then 𝑪 × 𝒕 =𝝁⋅ 𝑮 × 𝒕 + 𝒆 and 𝑪 ′ × 𝒕 = 𝝁 ′ ⋅ 𝑮 × 𝒕 + 𝒆
Now 𝐶 , 𝐶 ′ encrypt 𝜇,𝜇′ under the key 𝑡 = 𝑡 , 𝑡 ′ 𝑡

26. Step 4: Multi-Key HE The construction extends naturally to many keys
Encryption under the concatenation of the keys
Dimension, noise grow linearly with the number of keys
This gives multi-key SWHE
Can be extended to multi-key FHE using bootstrapping
Decryption with the concatenation of all keys
Mukherjee & Wichs show a 1-round “threshold decryption” protocol
i’th player just multiplies by its key and add noise

27. What We Covered Today SWHE/FHE is useful, interesting
SWHE with security under LWE
Parameter size, LWE-approximation factor, 𝜆 𝑂(𝑑𝑒𝑝𝑡ℎ)
Get FHE with bootstrapping
Must assume circular security
Can get LWE-approximation factor 𝑝𝑜𝑙𝑦(𝜆)
Can even get multi-key SWHE/FHE
Still with the same WE-approximation factors

28. Things That We Didn’t Cover
Better efficiency/flexibility
Use low-dimension vectors over large extension rings instead of high-dimension vectors over 𝑍
“Pack” many plaintext elements in each ciphertext
Other schemes, larger plaintext spaces (not just 𝑍 2 )
HE with extra features
Identity-based HE, Attribute-based HE, etc.
Information-theoretic HE
Does it exist? We have info-theoretic PIR (with multiple servers), why not info-theoretic FHE?

29. Questions? ?
Enough HE for one day ?

30. Switch to Larger Rings
Instead of high-dimension vectors over 𝑍, use low- dimension vectors over extension rings
𝑅=𝑍 𝑋 /𝐹(𝑋) for “appropriate 𝐹”
Elements 𝑥∈𝑅 represented by 𝑍-vectors
Similarly 𝑅 𝑞 =𝑅/𝑞𝑅 represented by 𝑍 𝑞 -vectors
For “appropriate 𝐹’s”, addition & multiplication of “short elements” yield other “short elements”
LWE is believed hard also over such 𝑅’s
Dubbed “Ring-LWE” (RLWE)

31. Switch to Larger Rings
Instead of high-dimension vectors over 𝑍, use low- dimension vectors over extension rings
Why?
Efficiency: faster to multiply 2×2 matrices over degree-𝑛 extension than 𝑛×𝑛 matrices over 𝑍
Other useful algebraic properties (we’ll see later)

32. GSW Over Extension Rings
“Gadget matrix” 𝐺, associated 𝐺 −1 , still the same
Secret key is a short 𝒕= 1,𝑠 𝑡 ∈ 𝑅 2
Encryption of 𝜇∈𝑅 is a matrix 𝐶∈ 𝑅 𝑞 𝑚×1 s.t.
𝐶×𝒕=𝜇⋅ (𝐺×𝒕) 𝒕 ′ +𝑒
Addition: 𝐶 + = 𝐶 1 + 𝐶 2 (noise 𝒆 + = 𝒆 𝟏 + 𝒆 𝟐 )
Multiplication: 𝐶 × = 𝐺 −1 ( 𝐶 1 )× 𝐶 2
Noise 𝒆 × = 𝜇 2 ⋅𝒆 𝟏 + G −1 C 1 ×𝒆 𝟐
We must keep 𝜇 2 small

33. Application: Homomorphic Accumulators (based on [AP14, DM15])
“Special-purpose” homomorphism:
Encrypting 𝑍 𝑞 elements
Homomorphic mod-𝑞 addition
𝐸𝑛𝑐 𝑎 ⊞𝐸𝑛𝑐 𝑏 =𝐸𝑛𝑐(𝑎+𝑏)
Homomorphic MSB extraction
msbEX(𝐸𝑛𝑐(𝑎))= 𝐸𝑛 𝑐 ′ 0 𝑖𝑓 𝑎 ≤𝑞/4 𝐸𝑛 𝑐 ′ 1 𝑖𝑓 𝑎 >𝑞/4
Useful for bootstrapping ( 𝜇=𝑚𝑠𝑏( 𝒄,𝒕 𝑞 ) )
Can be efficiently implemented using GSW
𝐸𝑛 𝑐 ′ may be different
from 𝐸𝑛𝑐, but it should
be “Regev-like”

34. GSWAccumulators Use ring 𝑅 with short 𝑞’th roots of unity
𝑅=𝑍 𝑋 / Φ 𝑚 (𝑋), 𝑚 divisible by 𝑞
Let 𝜁∈𝑅 be a (principal) root of unity
Plaintext space is 𝜁 ={ 𝜁 𝑖 :0≤𝑖<𝑞}
Note: size of plaintext 𝜁 𝑖 is always 1
To encrypt 𝑎∈ 𝑍 𝑞 , use 𝐶=𝐸𝑛 𝑐 𝑔𝑠𝑤 ( 𝜁 𝑎 )
Use GSW-mult for additive homomorphism 𝐶 1 ⊞ 𝑎𝑐𝑐 𝐶 2 = 𝐺 −1 𝐶 1 × 𝐶 2 =𝐸𝑛 𝑐 𝑔𝑠𝑤 ( 𝜁 𝑎 1 + 𝑎 2 )

35. MSB-Extraction Use a representation trick for the ring 𝑅
Recall: 𝐸𝑛 𝑐 𝑎𝑐𝑐 𝑎 = 𝐶 0 + 𝜁 𝑎 𝐺 (s.t. 𝐶 0 ×𝒕= small)
Mult-by-const in 𝑅 𝑞 is a 𝑍 𝑞 -linear operation, so we can get a matrix equation over 𝑍 𝑞 :
𝐸𝑛 𝑐 𝑎𝑐𝑐 𝑎 = 𝐶 𝜁 𝑎 × 𝐺
𝑋 means “representation-of-𝑋”
And we have 𝐶 0 × 𝒕 = small

36. MSB-Extraction
Representation trick: there exists a short vector 𝒖 such that for all 𝑎∈ 𝑍 𝑞 (and some unit vector 𝒆 𝒊 )
𝒖× 𝜁 𝑎 = − 𝒆 𝒊 𝑖𝑓 0≤𝑎≤𝑞/2 𝒆 𝒊 𝑖𝑓 𝑞/2<𝑎≤𝑞
Set 𝒛:=𝒖× 𝐸𝑛 𝑐 𝑎𝑐𝑐 𝑎 =𝒖× 𝐶 0 ± 𝒆 𝒊 × 𝐺
So 𝒛,𝒕 =𝒖× 𝐶 0 ×𝒕± 𝒆 𝒊 , 𝒕 ′ = small ± 𝒆 𝒊 , 𝒕 ′
𝒆 𝒊 , 𝒕 ′ is “big” (close to 𝑞/4)
Big difference between the two cases
It is left to “shift” the difference to 0 vs. q/2
Adding 𝒆 𝒊 , 𝒕 ′ to 1st entry in 𝒛, we get 𝒛’ such that
𝒛 ′ ,𝒕 =𝑞/2⋅ msb(a)+ small