Lattice Cryptography

Which Ring-Based SHE Scheme is best?
Anamaria Costache and Nigel P. Smart
University of Bristol
Which Ring-Based SHE Scheme is best? Slide 1

Fully Homomorphic Encryption
Homomorphic encryption allows to compute on encrypted data.
Allows to outsource computation to an untrusted server.
Signal processing satellite applications.
Analysing data (e.g. medical data) without compromising
conﬁdential information.

A (fully) homomorphic encryption scheme E comprises of four
algorithms: KeyGen, Enc, Dec and Evaluate.
For (sk, pk) ← KeyGen(λ), plaintext message m with
corresponding ciphertext c and circuit C , we say that E is
correct if
Dec(sk, Evaluate(pk, C, c)) = C(m).
E is
Fully Homomorphic if it is correct for all circuits C.
Somewhat Homomorphic if it is correct for some circuits C.

RSA encryption is multiplicatively homomorphic [Rivest Shamir
Adleman 77].
Paillier is additively homomorphic [Paillier 99].
A scheme both additively and multiplicatively homomorphic is
more powerful, but also harder to obtain.

A History of Homomorphic Encryption
First Generation: Gentry’s ﬁrst FHE scheme, bootstrappable
[Gentry 09]
Second Generation: Ring-Based leveled Somewhat
Homomorphic Schemes, smaller ciphertexts. Use double-CRT
to achieve a SIMD system and enhance efﬁciency. [Gentry
Halevi Smart 11]
Third Generation: Schemes such as [Gentry Sahai Waters 13].
Integer-based schemes, but slower computations and
somewhat impractical.

The problem
Different applications call for different parameters. For example
plaintext spaces vary, or depth of the circuit we want to
evaluate.
Ideally we want an unbounded scheme, but not all applications
require this.
Even when restricted to a certain form of HE, there are many
schemes available.

We pick four of the most used Ring-Based schemes, BGV, FV,
NTRU and YASHE and compare them against each other.
On the face of it, YASHE and FV should be more efﬁcient since
they are scale-invariant, which should save in computation time.
Similarly, NTRU and YASHE have fewer ring elements in the
ciphertexts.
What effect do the above have on the efﬁciency of the scheme?

A Noise Problem
All messages are encrypted by adding a noise factor to a
multiple of the original message.
Enc(pk, m) = c = α · m + e( mod q).
But then c · c has noise 2 · α · m + e2:
c · c = (α · m + e) · (α · m + e) = α2 · m2 + 2 · α · m + e2.
This grows quickly, implying a need for a noise-management
control.

A Noise Management Technique: SwitchModulus
We use a chain of primes p0 < p1 < · · · < pL−1 and let
qt = t
i=0 pi.
This gives a chain of moduli q0 < q1 < · · · < qL−1 such that
qi | qi+1.

qt qt−1 · · · q1

The four schemes; DecBGV
pk (c)
Decryption of a ciphertext ((c0, c1), t) at level t is performed by
setting
m ← [c0 − sk · c1]qt ,
and outputting
m mod p.

The four schemes; DecYASHE
pk (c)
Decryption of a ciphertext (c, t) at level t is performed by setting
m ←
p
qt
· [c · sk]qt ,
and outputting
m mod p.

How do we compare the four schemes?
We follow the security analysis in [Gentry Halevi Smart 13],
which itself follows on from Lindner-Peikert [Lindner Peikert 10].
We assume that we encrypt, perform ζ additions, one
multiplication, ζ additions, one multiplication and so on. We
perform a SwitchKey operation and a Scale after each
multiplication.
We measure efﬁciency by the size of a ciphertext in kBytes.

Analysis
Decryption is done by either modular reduction or a rounding
operation. Thus if the noise is too large, we could decrypt
erroneously.
To ensure correct decryption, we require
4 · cm · B∗
scale = 2 · cm · B <



p0 For BGV and NTRU
p0
p For FV and YASHE.
(1)
This gives us a lower bound on our bottom modulus.

Top modulus
We want to ﬁnd the sizes of the primes used in moduli. We start
with the top level and calculate the primes we need with correct
decryption in mind.
We start off with a fresh ciphertext. We perform a number of
additions, one multiplication and one scale operation, and
calculate a noise bound B2 on the resulting ciphertext.
We require
pL−1 ≈ B2
B∗
scale
.

Middle moduli
For the middle moduli, we use the same methodology. The only
difference is that that we do not start off with a fresh ciphertext,
so the initial noise will be different.
We call this bound B (t), and we require
pt ≈
B (t)
B∗
scale
.
We can then iterate downwards, using
log2 qt = log2 qt+1 − log2 pt+1.

Results; L = 5 and varying plaintext modulus size
log2(p)
0 50 100 150 200 250
6
8
10
12
14
16
log2(p)
log2(|c|)kBytes
BGV FV
NTRU YASHE
We see that the BGV scheme quickly takes over all other values.

Results; L = 5 and varying plaintext modulus size
log2(p)
0 2 4 6 8 10 12 14
4.5
5
5.5
6
6.5
7
log2(p)
log2(|c|)kBytes
BGV FV NTRU YASHE
For small values of p, YASHE is indeed preferable. But as seen in
the previous slide, BGV is better overall.

Results; plaintext modulus p = 2, for varying depth L
5 10 15 20 25 30
2
4
6
8
10
12
L
log2(|c|)kBytes
BGV FV NTRU YASHE
As previously, YASHE wins for small p...

Results; plaintext modulus p = 232
, for varying depth L
5 10 15 20 25 30
4
6
8
10
12
14
16
L
log2(|c|)kBytes
BGV
FV
NTRU
YASHE
... and BGV for large p. In fact, the size of L has no impact on the
schemes’ performance.

Open questions
We have done a crude security analysis, in order to examine
how the scheme parameters are affected by scaling the
plaintext modulus p and the depth required of the scheme.
A stricter security analysis would contribute to the survey. This
would need to take into account attacks such as [Albrecht Bai
Ducas 16].

Thank you!
Any questions?

Introduction NFLlib Applications : Ideal Lattice Cryptography Application : PIR Conclusion
CT-RSA Conference 2016
NFLlib
NTT-based Fast Lattice Library
Carlos Aguilar-Melchor1
Joris Barrier2
Serge Guelton3
Adrien Guinet3
Marc-Olivier Killijian2
Tancrède Lepoint4
1
Université de Toulouse, CNRS, France, carlos.aguilar@enseeiht.fr
2
Université de Toulouse, CNRS, France, {joris.barrier,marco.killijian}@laas.fr
3
Quarkslab, France, {sguelton,aguinet}@quarkslab.com
4
CryptoExperts, France, tancrede.lepoint@cryptoexperts.com
February 23, 2016
Carlos Aguilar-Melchor, Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian, Tancrède Lepoint | NFLlib : NTT-based Fast Lattice Library 1/16

Outline
1 Introduction
2 NFLlib
What is in the box ?
Specific Modulus
NTT form
CRT Representation
Gaussian Random Generator
3 Applications : Ideal Lattice Cryptography
High Performance Key Exchange
Somewhat Fully Homomorphic Encryption
4 Application : PIR
5 Conclusion

A Brief Overview
A Library…
NFLlib is a homemade C++ library to efficiently deal with polynomials.
…Specialized
Indeed, NFLlib works exclusively with polynomials usually considered in (ideal) lattice-based
cryptography.
polynomials of fixed degree (a power of two),
with coefficient of fixed size (modular operations).
P(X) = a0 + a1X + a2X2
+ · · · + an−1Xn−1
+ anXn

How to use NFLlib : Practice example
1 /* Set polynomial type with T the native type used
2 * such as uint16_t, uint32_t, uint64_t */
3 using poly_t = nfl::poly_from_modulus<T, degree, modulus>;
4 poly_t p1, p2, p3, p_res;
5
6 /*Fill polynomials with noise using different noise generators */
7 p1 = poly_t(nfl::uniform); //or p1 = nfl::uniform;
8 p2 = poly_t(nfl::gaussian<poly_t>(prng_instance));
9 p3 = poly_t(nfl::bounded(bound));
10
11 /*Overloaded operators for an easy use */
12 p_res = (p1 * p2) + p3 - p1;

NFLlib
1 Introduction
2 NFLlib
Specific Modulus
NTT form
CRT Representation
4 Application : PIR
5 Conclusion

Enabled Optimizations
NFLlib is a C++ library with state of the art optimizations :
Specific modulus ;
NTT polynomial representation ;
CRT representation to use big modulus ;
NTT and iNTT optimized algorithm ;
SSE and AVX2 processor instructions.
Remark : HElib
This kind of optimizations are implemented in HElib in the DoubleCRT class.

Modulus Optimizations
We choose our primes such as for an integer 1 ≤ s0 ≤ s − 1, a chosen prime p verifies ( Note
that all our 62-bit primes verify Eq. 1) :
(1 + 1/23s0
) · β/(2s0
+ 1) < p < β/2s0
(1)
Algorithm 1: Modular reduction with a modulus verifying Eq. 1
Input: u = u1,u0 ∈ [0,p2
), p verifying Eq. (1), v0 = β2
/p mod β, 1 ≤ s0 ≤ s − 1 margin
bits
Output: r = u mod p
1 q ← v0 · u1 + 2s0
· u mod β2
2 r ← u − q/β · p mod β
3 if r ≥ p then r ← r − p
4 return r
Algo. 1 is a significantly improvement from Moller, N., Granlund, T., “Improved division by invariant integers”. IEEE Trans.
Computers (2011).

NTT form
Polynomials representation
In NFLlib polynomials are represented and handled in an evaluated form using the Number
Theoretic Transform (Discrete Fourrier Transform).
Advantages
By the book, polynomials multiplication is in O(n2
). In the NTT form, the multiplication is an
element-to-element multiplication in (obviously) O(n).
→ Great performance improvement

CRT Representation
Motivation
For performance reason we do not use specialized libraries to handle moduli that do not fit in
native types when working directly with polynomials. However, we don’t want to limit too
strictly moduli sizes. So we use Chinese Theorem Representation (CRT) to deal with big
moduli by splitting them in smaller integers.
Recover
To recover big moduli we call an external library because we cannot do a better implementation.
HElib
Note that in HElib they use FFT representation for big modulus instead of CRT.

Description
unsigned int sigma = 20;
unsigned int security = 128;
unsigned int sample = 1 << 14;
FastGaussianNoise<uint8_t, T, 2> fg_prng(sigma, security, sample);
Distribution Uniform D3·19 D300
cycles / bit generated1
0.4 1.39 3.43
1We implement a constant time algorithm with a ×4 overhead

Applications : Key Exchange & SFHE
1 Introduction
2 NFLlib
Specific Modulus
NTT form
CRT Representation
4 Application : PIR
5 Conclusion

Key Exchange Protocol
To illustrate the performances of our library in a concrete setting we implement an equivalent
of the key transport protocol RSASVE of NIST SP 800 56B. The client chooses a random
message and encrypts it with the server public key then, the server decrypts this random value
that is used to derivate (with a hashing function) a common secret.
Protocol 80 bits 128 bits 256 bits
RSA 7.95 Kops/s 0.31 Kops/s N/A
ECDH 7.01 Kops/s 5.93 Kops/s 1.61 Kops/s
RLWE/NFLlib 2
N/A 1020 Kops/s 508 Kops/s
2Enabled forward secrecy divides performances by 2

SFHE
We modified the open-source implementation of the somewhat homomorphic encryption
scheme of Fan and Vercauteren from [1] and directly replaced flint by NFLlib .
Encrypt Decrypt Hom. Add. Hom. Mult.
[1] with flint 26.7ms 13.3ms 1.1ms 91.2ms
[1] with NFLlib 0.9ms 0.9 ms 0.01ms 17.2ms
Gain ×30 ×15 ×110 ×5.5
1. Tancrède Lepoint and Michael Naehrig. “A Comparison of the Homomorphic Encryption Schemes FV and YASHE”

Application : PIR
1 Introduction
2 NFLlib
Specific Modulus
NTT form
CRT Representation
4 Application : PIR
5 Conclusion

Private Information Retrieval
Computational Private Information Retrieval (PIR)
A PIR scheme is a protocol in which a user retrieves a record from a database while hiding
which from the database administrators. A computational PIR protocol requires that the
database server executes an homomorphic cryptography based algorithm over all the database
content.
Protocol [2] [3] [4]
Throughput 0.5 Gb/s 1 Gb/s 20 Gb/s
2. J. T. Trostle and A. Parrish, “Eﬃcient computationally private information retrieval from anonymity or trapdoor groups,” in
ISC 2010
3. C. Aguilar Melchor and P. Gaborit, “A Fast Private Information Retrieval Protocol,” in ISIT’08
4. cPIR based on Lipmaa scheme using lattice based cryptography implemented with NFLlib

Conclusion
NFLlib is an optimized and efficient library designed to handle
polynomials over polynomials rings Zp[x]/(xn
+ 1) in NTT form.
It can be used as a building block for ideal lattice based
cryptography that can be more efficient than existing
implementations based on NTL or ﬂint .
Code available at : https://github.com/quarkslab/NFLlib

Lattice Cryptography

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to Lattice Cryptography (20)

More from Priyanka Aash (20)

Recently uploaded (20)

Lattice Cryptography