
Third-Generation FHE

In document A Decade of Lattice Cryptography (Page 69-71)


6.1.3 Third-Generation FHE

In 2013, Gentry, Sahai, and Waters (hereafter GSW) [GSW13] proposed an interesting LWE-based FHE scheme that has some unique and advantageous properties. For example, homomorphic multiplication does not require any key-switching step, and the scheme can be made identity-based. Moreover, as shown in [BV14, AP14], the GSW scheme can be used to bootstrap with only a small polynomial-factor growth in the error rate, as opposed to quasi-polynomial $\lambda^{\Theta(\log \lambda)}$ growth for the system described above. This yields unbounded FHE based on LWE with just an inverse-polynomial $n^{-O(1)}$ error rate (plus a circular-security assumption). We describe these results in some detail next.

Homomorphic trapdoors. The GSW scheme is presented most simply in terms of the gadget-based trapdoors described in Section 5.4.3. (The presentation here has evolved through [BGG+14, AP14, GVW15b].) At the heart of GSW are the following additive and multiplicative homomorphisms for tags and trapdoors. Let $\bar{A} \in \mathbb{Z}_q^{n \times \bar{m}}$ be arbitrary, and for $i = 1, 2$ let

$$A_i = x_i G - \bar{A} R_i \tag{6.1.4}$$

for some integer $x_i$ and short integer matrix $R_i$. In other words, $\begin{bmatrix} R_i \\ I \end{bmatrix}$ is a trapdoor with tag $x_i$ (or more accurately, tag $x_i I$) for the matrix $[\bar{A} \mid A_i]$.

Applying Equation (6.1.4), it is easy to verify that

$$A_1 + A_2 = (x_1 + x_2) G - \bar{A}(R_1 + R_2), \tag{6.1.5}$$

and

$$A_1 \cdot G^{-1}(A_2) = (x_1 G - \bar{A} R_1) \cdot G^{-1}(A_2) = x_1 A_2 - \bar{A} \cdot R_1 G^{-1}(A_2) = x_1 x_2 G - \bar{A} \underbrace{\left(R_1 G^{-1}(A_2) + x_1 R_2\right)}_{R}. \tag{6.1.6}$$

In other words, $\begin{bmatrix} R_1 + R_2 \\ I \end{bmatrix}$ is a trapdoor with tag $x_1 + x_2$ for the matrix $[\bar{A} \mid A_1 + A_2]$, and $\begin{bmatrix} R \\ I \end{bmatrix}$ is a trapdoor with tag $x_1 x_2$ for the matrix $[\bar{A} \mid A_1 \cdot G^{-1}(A_2)]$. Note that in the latter case, we need $x_1$ to be a small integer in order to get a good-quality trapdoor.

One very important property of homomorphic multiplication is that the growth of the resulting trapdoor matrix $R$ is asymmetric and quasi-additive: while $R_1$ is expanded by some polynomial factor due to the multiplication by $G^{-1}(A_2)$, the $R_2$ term is only multiplied by $x_1$. We discuss the implications of this below.

Fully homomorphic encryption. The GSW FHE scheme works as follows. As in prior systems, the public key is a matrix $\bar{A} \in \mathbb{Z}_q^{n \times \bar{m}}$ whose columns are LWE samples with some secret $\bar{s} \in \mathbb{Z}^{n-1}$, i.e.,

$$s^t \bar{A} \approx 0 \tag{6.1.7}$$

where $s = (-\bar{s}, 1)$ is the secret key. An encryption of an integer $x$ is a matrix of the form in Equation (6.1.4), namely $A = xG - \bar{A}R$, for some sufficiently short random $R$. As usual, semantic security follows by a lossiness argument: encrypting under a uniformly random ("malformed") public key $\bar{A}$ statistically hides the message, because $[\bar{A} \mid \bar{A}R]$ is very close to uniformly distributed.

To decrypt a ciphertext $A$ using the secret key $s$, one just computes

$$s^t A \approx x \cdot s^t G,$$

where the approximation holds by Equation (6.1.7), and because $R$ is short. Since it is easy to solve LWE with respect to $G$, we can recover $x \cdot s^t$ and hence $x$ (modulo $q$). In fact, if $x$ is known to be just a bit, then because one of the rightmost entries of $s^t G$ is far from zero modulo $q$, we can recover $x$ simply by testing whether $s^t \cdot a \approx 0$ for an appropriate column $a$ of $A$.

To homomorphically add or multiply ciphertexts $A_1, A_2$ that encrypt small messages, one just computes $A_1 + A_2$ or $A_1 \cdot G^{-1}(A_2)$, respectively. As shown above in Equations (6.1.5) and (6.1.6), the resulting ciphertext is a valid encryption for the sum or product of the messages, respectively. Because it is important for noise growth that messages remain small integers, we typically only use operations that maintain the messages as $\{0,1\}$-values. For example, the binary NAND operation, which is sufficient for expressing arbitrary computations, can be written as $(x_1 \text{ NAND } x_2) = 1 - x_1 x_2$.
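The following toy GSW instance is an added illustration, not code from the survey: it builds the gadget matrix $G$ and $G^{-1}$, a public key satisfying Equation (6.1.7), encryption as in Equation (6.1.4), bit decryption by inspecting one column, the multiplication of Equation (6.1.6) and the NAND gate above, and it exposes the derived trapdoor $R = R_1 G^{-1}(A_2) + x_1 R_2$ so its quasi-additive growth can be measured. The parameters ($q = 2^{16}$, $n = 4$, $\bar{m} = 8$) and the $\{-1,0,1\}$ error and $R$ distributions are toy choices for readability, not secure parameters.

```python
import random

Q, K = 1 << 16, 16   # modulus q = 2^K; gadget vector g = (1, 2, ..., 2^(K-1))
N = 4                # dimension of the secret s = (-s_bar, 1); s_bar has N-1 entries
MBAR = 8             # number of columns of the public key A_bar
M = N * K            # number of columns of the gadget matrix G

def matmul(X, Y):    # matrix product mod Q
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*Y)] for row in X]

def matadd(X, Y, sign=1):   # X + Y (sign=1) or X - Y (sign=-1), entrywise mod Q
    return [[(a + sign * b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

# G = I_N (x) g^t: row r holds (1, 2, ..., 2^(K-1)) in column block r and zeros elsewhere
G = [[(1 << j) if r == c else 0 for c in range(N) for j in range(K)] for r in range(N)]

def ginv(A):         # G^{-1}(A): bit-decompose entries, giving a {0,1}-matrix with G * ginv(A) == A (mod Q)
    return [[(A[r][c] >> j) & 1 for c in range(len(A[0]))] for r in range(N) for j in range(K)]

def keygen():
    s_bar = [random.randrange(Q) for _ in range(N - 1)]
    B = [[random.randrange(Q) for _ in range(MBAR)] for _ in range(N - 1)]
    e = [random.randint(-1, 1) for _ in range(MBAR)]     # small LWE error (toy distribution)
    # A_bar = [B ; s_bar^t B + e^t]: LWE samples, so s^t A_bar = e^t ≈ 0 for s = (-s_bar, 1)  (Eq. 6.1.7)
    last = [(sum(s_bar[i] * B[i][j] for i in range(N - 1)) + e[j]) % Q for j in range(MBAR)]
    return B + [last], [(-v) % Q for v in s_bar] + [1]

def encode(A_bar, x, R):   # A = x G - A_bar R: [R; I] is a trapdoor with tag x for [A_bar | A]  (Eq. 6.1.4)
    return matadd([[x * v % Q for v in row] for row in G], matmul(A_bar, R), -1)

def encrypt(A_bar, x):     # a fresh ciphertext uses a short random R
    return encode(A_bar, x, [[random.randint(-1, 1) for _ in range(M)] for _ in range(MBAR)])

def mult(A1, A2):          # encrypts x1 * x2 with no key switching  (Eq. 6.1.6)
    return matmul(A1, ginv(A2))

def mult_trapdoor(R1, x1, A2, R2):
    # The R of Eq. 6.1.6, R1 G^{-1}(A2) + x1 R2, over the integers: R1 is stretched by up to a factor
    # M, R2 only by x1. A signature worker derives R_{f,y} for a product gate in exactly this way.
    Gi = ginv(A2)
    return [[sum(R1[i][k] * Gi[k][j] for k in range(M)) + x1 * R2[i][j] for j in range(M)] for i in range(MBAR)]

def nand(A1, A2):          # G is a noiseless encryption of 1, so G - A1 G^{-1}(A2) encrypts 1 - x1 x2  (Eq. 6.1.5)
    return matadd(G, mult(A1, A2), -1)

def decrypt(s, A):
    # s^t A ≈ x s^t G.  Column (N-1)K + K-2 of G holds the single entry 2^(K-2) = Q/4 in the last row,
    # where s is 1, so that entry of s^t A is ≈ x Q/4: far from 0 modulo Q exactly when the bit x is 1.
    v = sum(s[i] * A[i][(N - 1) * K + K - 2] for i in range(N)) % Q
    return int(abs(v - Q if v > Q // 2 else v) > Q // 8)
```

With these sizes the error after one NAND is at most $\bar{m}(m + 1) = 520 \ll q/8$, and a right-associated triple product $A_1 \cdot G^{-1}(A_2 \cdot G^{-1}(A_3))$ still decrypts correctly, which is the quasi-additive growth at work.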

Bootstrapping. As first shown by Brakerski and Vaikuntanathan [BV14], the asymmetric and quasi-additive growth of the trapdoor matrices under homomorphic multiplication allows certain computations—in particular, decryption for the purpose of bootstrapping—to be performed with rather small error growth. The first main observation is that by Equation (6.1.6), any polynomial-length chain of homomorphic bit-multiplications on fresh ciphertexts, if done in a right-associative manner, incurs only polynomial error growth. The same also holds when multiplying a sequence of permutation matrices (or more generally, orthonormal integer matrices), where each matrix is encrypted entry-wise.

The second main idea is that by using Barrington's Theorem [Bar86], any depth-$d$ circuit can be converted into a length-$4^d$ branching program of permutation matrices. In particular, the $O(\log \lambda)$-depth decryption circuit can be computed homomorphically in polynomial time and with polynomial error growth, albeit for rather large polynomials. The subsequent work of Alperin-Sheriff and Peikert [AP14] significantly improved the runtime and growth to small polynomials, by avoiding Barrington's Theorem and instead expressing decryption as an arithmetic function that can be embedded directly into permutation matrices. Ducas and Micciancio [DM15] devised and implemented a version of this method incorporating additional ideas, yielding a system that evaluates a complete "bootstrapped NAND gate" in less than a second on standard desktop hardware.

Fully homomorphic signatures. Gorbunov, Vaikuntanathan, and Wichs [GVW15b] showed how homomorphic trapdoors can also be used to obtain fully homomorphic signatures (FHS). The precise model and security goals for FHS are beyond the scope of this survey, but the basic idea is the following: the signer signs some initial data $x \in \{0,1\}^\ell$ under its public key, producing a signature $\sigma_x$. Then, given only the public key, $x$, and $\sigma_x$, an untrusted worker can apply an arbitrary function $f$ to $x$ and compute a corresponding signature $\sigma_{f,y}$ for the value $y = f(x)$. A verifier, given only the public key, $f$, $y$, and $\sigma_{f,y}$ (but not $x$ itself!), can verify that $y$ is indeed the value of $f$ on some data $x$ that the signer originally signed.

Fully homomorphic signatures arise quite naturally from the above homomorphic trapdoors.³ The public key is a uniformly random $\bar{A}$, along with $\ell$ more uniformly random matrices $A_i$, one for each bit of the original data to be signed. The secret key is a trapdoor for $\bar{A}$. To sign data $x \in \{0,1\}^\ell$, the signer uses the trapdoor to sample a Gaussian-distributed $R_i$ satisfying $A_i = x_i G - \bar{A} R_i$, and the signature is the collection of all these $R_i$.

³ Indeed, this construction can be seen as a direct analogue of the GSW encryption scheme and a related attribute-based encryption scheme of Boneh et al. [BGG+14], described below in Section 6.2.2.

Homomorphic operations on signatures, and signature verification, are defined as follows. For any predicate $f: \{0,1\}^\ell \to \{0,1\}$, expressed without loss of generality as an arithmetic circuit of addition and multiplication gates, we define a matrix $A_f$ which is computed recursively as follows:

• If $f(x) = x_i$ for some $i$, define $A_f = A_i$.

• If $f(x) = f_1(x) + f_2(x)$ for some predicates $f_1, f_2$, let $A_f = A_{f_1} + A_{f_2}$.

• Otherwise, $f(x) = f_1(x) \cdot f_2(x)$ for some predicates $f_1, f_2$; let $A_f = A_{f_1} \cdot G^{-1}(A_{f_2})$.

Given some $x$ and the corresponding signature components $R_i$, to homomorphically derive a signature attesting that $f(x) = y$ for some predicate $f$, one just computes $A_f$ along with, via Equations (6.1.5) and (6.1.6), a short $R_{f,y}$ that satisfies $A_f = yG - \bar{A} R_{f,y}$. The verifier likewise computes $A_f$ from the $A_i$ and $f$ alone (without needing to know $x$), and can verify that the presented $R_{f,y}$ is sufficiently short and satisfies the above relation.
