Finding and evaluating parameters for BGV. (English) Zbl 1531.94073
El Mrabet, Nadia (ed.) et al., Progress in cryptology – AFRICACRYPT 2023. 14th international conference on cryptology in Africa, Sousse, Tunisia, July 19–21, 2023. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 14064, 370-394 (2023).
Summary: Fully Homomorphic Encryption (FHE) is a groundbreaking technology that allows for arbitrary computations to be performed on encrypted data. State-of-the-art schemes such as Brakerski Gentry Vaikuntanathan (BGV) are based on the Learning with Errors over rings (RLWE) assumption where each ciphertext has an associated error that grows with each homomorphic operation. For correctness, the error needs to stay below a certain threshold, requiring a trade-off between security and error margin for computations in the parameters. Choosing the parameters accordingly, for example, the polynomial degree or the ciphertext modulus, is challenging and requires expert knowledge specific to each scheme.
In this work, we improve the parameter generation across all steps of its process. We provide a comprehensive analysis for BGV in the Double Chinese Remainder Theorem (DCRT) representation providing more accurate and better bounds than previous work on the DCRT, and empirically derive a closed formula linking the security level, the polynomial degree, and the ciphertext modulus. Additionally, we introduce new circuit models and combine our theoretical work in an easy-to-use parameter generator for researchers and practitioners interested in using BGV for secure computation.
Our formula results in better security estimates than previous closed formulas while our DCRT analysis results in reduced prime sizes of up to 42% compared to previous work.
For the entire collection see [Zbl 1529.94003].
In this work, we improve the parameter generation across all steps of its process. We provide a comprehensive analysis for BGV in the Double Chinese Remainder Theorem (DCRT) representation providing more accurate and better bounds than previous work on the DCRT, and empirically derive a closed formula linking the security level, the polynomial degree, and the ciphertext modulus. Additionally, we introduce new circuit models and combine our theoretical work in an easy-to-use parameter generator for researchers and practitioners interested in using BGV for secure computation.
Our formula results in better security estimates than previous closed formulas while our DCRT analysis results in reduced prime sizes of up to 42% compared to previous work.
For the entire collection see [Zbl 1529.94003].
MSC:
| 94A60 | Cryptography |
Keywords:
fully homomorphic encryption; BGV scheme; parameter generation; RLWE security; DCRT representationCitations:
Zbl 1290.94051References:
| [1] | Acar, A.; Aksu, H.; Uluagac, AS; Conti, M., A survey on homomorphic encryption schemes: theory and implementation, ACM Comput. Surv. (CSUR), 51, 4, 1-35 (2018) · doi:10.1145/3214303 |
| [2] | Albrecht, MR; Coron, J-S; Nielsen, JB, On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL, Advances in Cryptology - EUROCRYPT 2017, 103-129 (2017), Cham: Springer, Cham · Zbl 1415.94402 · doi:10.1007/978-3-319-56614-6_4 |
| [3] | Albrecht, M.R., et al.: Homomorphic encryption security standard. Technical report. Toronto, Canada (2018). https://HomomorphicEncryption.org |
| [4] | Albrecht, MR; Cid, C.; Faugere, JC; Fitzpatrick, R.; Perret, L., On the complexity of the BKW algorithm on LWE, Des. Codes Crypt., 74, 2, 325-354 (2015) · Zbl 1331.94051 · doi:10.1007/s10623-013-9864-x |
| [5] | Albrecht, MR; Player, R.; Scott, S., On the concrete hardness of learning with errors, J. Math. Crypt., 9, 3, 169-203 (2015) · Zbl 1352.94023 · doi:10.1515/jmc-2015-0016 |
| [6] | Badawi, A.A., et al.: OpenFHE: open-source fully homomorphic encryption library. Cryptology ePrint Archive, Paper 2022/915 (2022). https://eprint.iacr.org/2022/915 |
| [7] | Bergerat, L., et al.: Parameter Optimization & Larger Precision for (T) FHE. Cryptology ePrint Archive (2022) |
| [8] | Biasioli, B., Marcolla, C., Calderini, M., Mono, J.: Improving and Automating BFV Parameters Selection: An Average-Case Approach. Cryptology ePrint Archive (2023) |
| [9] | Brakerski, Z.; Vaikuntanathan, V.; Rogaway, P., Fully homomorphic encryption from ring-LWE and security for key dependent messages, Advances in Cryptology - CRYPTO 2011, 505-524 (2011), Heidelberg: Springer, Heidelberg · Zbl 1290.94051 · doi:10.1007/978-3-642-22792-9_29 |
| [10] | Chen, H.; Kim, M.; Razenshteyn, I.; Rotaru, D.; Song, Y.; Wagh, S.; Moriai, S.; Wang, H., Maliciously secure matrix multiplication with applications to private deep learning, Advances in Cryptology - ASIACRYPT 2020, 31-59 (2020), Cham: Springer, Cham · Zbl 1511.94070 · doi:10.1007/978-3-030-64840-4_2 |
| [11] | Costache, A.; Laine, K.; Player, R.; Chen, L.; Li, N.; Liang, K.; Schneider, S., Evaluating the effectiveness of heuristic worst-case noise analysis in FHE, Computer Security - ESORICS 2020, 546-565 (2020), Cham: Springer, Cham · doi:10.1007/978-3-030-59013-0_27 |
| [12] | Costache, A., Nürnberger, L., Player, R.: Optimizations and trade-offs for helib. Cryptology ePrint Archive (2023) · Zbl 1522.94052 |
| [13] | Costache, A.; Smart, NP; Sako, K., Which ring based somewhat homomorphic encryption scheme is best?, Topics in Cryptology - CT-RSA 2016, 325-340 (2016), Cham: Springer, Cham · Zbl 1334.94070 · doi:10.1007/978-3-319-29485-8_19 |
| [14] | Damgård, I.; Pastro, V.; Smart, N.; Zakarias, S.; Safavi-Naini, R.; Canetti, R., Multiparty computation from somewhat homomorphic encryption, Advances in Cryptology - CRYPTO 2012, 643-662 (2012), Heidelberg: Springer, Heidelberg · Zbl 1296.94104 · doi:10.1007/978-3-642-32009-5_38 |
| [15] | Di Giusto, A., Marcolla, C.: Breaking the power-of-two barrier: noise estimation for BGV in NTT-friendly rings. Cryptology ePrint Archive, Paper 2023/783 (2023) |
| [16] | Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive (2012) |
| [17] | Gama, N.; Nguyen, PQ; Smart, N., Predicting lattice reduction, Advances in Cryptology - EUROCRYPT 2008, 31-51 (2008), Heidelberg: Springer, Heidelberg · Zbl 1149.94314 · doi:10.1007/978-3-540-78967-3_3 |
| [18] | Gentry, C., A Fully Homomorphic Encryption Scheme (2009), Stanford: Stanford university, Stanford · Zbl 1304.94059 |
| [19] | Gentry, C.; Halevi, S.; Smart, NP; Safavi-Naini, R.; Canetti, R., Homomorphic evaluation of the AES circuit, Advances in Cryptology - CRYPTO 2012, 850-867 (2012), Heidelberg: Springer, Heidelberg · Zbl 1296.94117 · doi:10.1007/978-3-642-32009-5_49 |
| [20] | Halevi, S.; Polyakov, Y.; Shoup, V.; Matsui, M., An improved RNS variant of the BFV homomorphic encryption scheme, Topics in Cryptology - CT-RSA 2019, 83-105 (2019), Cham: Springer, Cham · Zbl 1448.94203 · doi:10.1007/978-3-030-12612-4_5 |
| [21] | Halevi, S., Shoup, V.: Design and implementation of HElib: a homomorphic encryption library. Cryptology ePrint Archive (2020) |
| [22] | Iliashenko, I.: Optimisations of fully homomorphic encryption (2019) |
| [23] | Kim, A.; Polyakov, Y.; Zucca, V.; Tibouchi, M.; Wang, H., Revisiting homomorphic encryption schemes for finite fields, Advances in Cryptology - ASIACRYPT 2021, 608-639 (2021), Cham: Springer, Cham · Zbl 1514.94108 · doi:10.1007/978-3-030-92078-4_21 |
| [24] | Lindner, R.; Peikert, C.; Kiayias, A., Better key sizes (and attacks) for LWE-based encryption, Topics in Cryptology - CT-RSA 2011, 319-339 (2011), Heidelberg: Springer, Heidelberg · Zbl 1284.94088 · doi:10.1007/978-3-642-19074-2_21 |
| [25] | Lyubashevsky, V.; Peikert, C.; Regev, O.; Gilbert, H., On ideal lattices and learning with errors over rings, Advances in Cryptology - EUROCRYPT 2010, 1-23 (2010), Heidelberg: Springer, Heidelberg · Zbl 1279.94099 · doi:10.1007/978-3-642-13190-5_1 |
| [26] | Marcolla, C.; Sucasas, V.; Manzano, M.; Bassoli, R.; Fitzek, FH; Aaraj, N., Survey on fully homomorphic encryption, theory, and applications, Proc. IEEE, 110, 10, 1572-1609 (2022) · doi:10.1109/JPROC.2022.3205665 |
| [27] | Martins, P.; Sousa, L.; Mariano, A., A survey on fully homomorphic encryption: an engineering perspective, ACM Comput. Surv. (CSUR), 50, 6, 1-33 (2017) · doi:10.1145/3124441 |
| [28] | Micciancio, D.; Regev, O.; Bernstein, DJ; Buchmann, J.; Dahmen, E., Lattice-based cryptography, Post-Quantum Cryptography, 147-191 (2009), Heidelberg: Springer, Heidelberg · Zbl 1161.81324 · doi:10.1007/978-3-540-88702-7_5 |
| [29] | PALISADE (2022). https://palisade-crypto.org |
| [30] | Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, pp. 84-93 (2005) · Zbl 1192.94106 |
| [31] | Schnorr, CP; Euchner, M., Lattice basis reduction: improved practical algorithms and solving subset sum problems, Math. Program., 66, 1-3, 181-199 (1994) · Zbl 0829.90099 · doi:10.1007/BF01581144 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
