
PET-bootcamp-lecture 05 - FHE

Lecture 5 of the PET Bootcamp focuses on distributed homomorphic encryption, covering both partially and fully homomorphic encryption techniques. Key topics include the Paillier cryptosystem, its applications in secure multi-party computation, and the concept of Beaver triplets for multiplication in a multi-party setting. The lecture is part of a broader course that includes various privacy-enhancing technologies and their applications.

Uploaded by

0001dannymirk

PET BOOTCAMP

LECTURE 5:
(DISTRIBUTED) HOMOMORPHIC ENCRYPTION
PET BOOTCAMP – COURSE TIMELINE
(Figure: course timeline with lectures 1 to 10, a holiday, assignments, CTF and exam, and a "We are here" marker.)
PET BOOTCAMP – LECTURE OVERVIEW
Lecture topics, in slide order:
• Intro & overview, PET applications, and privacy-enhanced communication
• Anonymization & pseudonymization tech
• Differential privacy
• Secure multi-party computation (SMPC) [session 1]
• Secure multi-party computation (SMPC) [session 2]
• Partially & fully homomorphic encryption
• Zero-knowledge proofs & zk-SNARKS
• Privacy-preserving machine learning & federated learning
• More PET applications & practice

Lecturers, first row: Dr. Maarten Everts, Dr. Jasper Goseling, Prof.dr.ir. Thijs Veugen, Prof.dr.ir. Thijs Veugen
Lecturers, second row: Dr. Florian Hahn, Dr. Florian Hahn, Dr. Maarten Everts, Dr. Maarten Everts, Prof.dr.ir. Thijs Veugen
QUESTIONS ABOUT THE PREVIOUS LECTURE?
ANY FEEDBACK ALREADY ABOUT THE COURSE?
PARTIALLY & FULLY HOMOMORPHIC ENCRYPTION IN THE MULTIPARTY SETTING
CONTENTS

1. Brief problem introduction

2. Partially Homomorphic Encryption: Paillier

3. Example Application: Beaver Triplets

4. Brief Idea of Distributed (Threshold) PHE

5. Fully Homomorphic Encryption: BFV

6. Multiparty FHE: Threshold BFV


PARTIALLY HOMOMORPHIC ENCRYPTION

Like a “normal” public key encryption scheme

• $Gen(1^\lambda)$: Generate and output public key $pk$ and secret key $sk$.

• $Enc(pk, m)$: Encrypt message $m$ using public key $pk$ and output ciphertext $c = [m]$

• $Dec(sk, c)$: Decrypt ciphertext $c = [m]$ using secret key $sk$ and output plaintext $m$

We can compute with ciphertexts and get “meaningful” results:

• $Dec(sk, [m_1] \star [m_2]) = m_1 \circ m_2$


COMPUTING AVERAGE AGE
(Figure: Alice (52), Bob (46) and Carol (31) each provide their age in encrypted form, [52], [46] and [31]; the encrypted sum is 52 + 46 + 31 = [129].)
PAILLIER CRYPTOSYSTEM
$Gen(1^\kappa)$
• Like for RSA, pick two $\kappa$-bit primes $p, q$ and let $n = p \cdot q$
• Set $\lambda = lcm(p - 1, q - 1)$
• Set $g = 1 + n$
• Output $pk = (n, g)$ and $sk = \lambda$

Carmichael Theorem: For any element $w \in \mathbb{Z}^*_{n^2}$ it holds that
• $w^{\lambda} \equiv 1 \bmod n$
• $w^{n\lambda} \equiv 1 \bmod n^2$
PAILLIER CRYPTOSYSTEM
$g$ has order $n$ mod $n^2$; it generates a subgroup of order $n$ in $\mathbb{Z}^*_{n^2}$
• $(1 + n) = 1 + n \bmod n^2$
• $(1 + n)^2 = 1 + 2n + n^2 \equiv 1 + 2n \bmod n^2$
• $(1 + n)^3 = 1 + 3n + 3n^2 + n^3 \equiv 1 + 3n \bmod n^2$
• …
• $(1 + n)^i \equiv 1 + in \bmod n^2$
• …
• Finally, $(1 + n)^n \equiv 1 + n \cdot n \bmod n^2 \equiv 1 \bmod n^2$
PAILLIER CRYPTOSYSTEM
$Enc(pk, m)$
• On input of message $m \in \mathbb{Z}_n$
• Select random $r \in \mathbb{Z}_n$
• Output $[m] = c = g^m \cdot r^n \bmod n^2$

The randomly sampled $r$ makes the scheme probabilistic
• IND-CPA secure

What about IND-CCA security?
PAILLIER CRYPTOSYSTEM
$Dec(sk, c)$
• On input of ciphertext $c = [m] = g^m \cdot r^n \bmod n^2 \in \mathbb{Z}_{n^2}$
• Decrypt as $m = \frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$ where $L(x) = \frac{x - 1}{n}$

Why decryption works:
$c^{\lambda} \bmod n^2 = (g^m \cdot r^n)^{\lambda} = g^{m\lambda} r^{n\lambda} \bmod n^2$
• $r^{n\lambda} \bmod n^2 \equiv 1 \bmod n^2$
• $(1 + n)^{m\lambda} \equiv 1 + nm\lambda \bmod n^2$
$g^{\lambda} = (1 + n)^{\lambda} \equiv 1 + n\lambda \bmod n^2$
$\frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} = \frac{nm\lambda}{n\lambda} = m$
PAILLIER CRYPTOSYSTEM
Addition of two ciphertexts
• $c_1 = g^{m_1} \cdot r_1^n$
• $c_2 = g^{m_2} \cdot r_2^n$
• $c_1 \cdot c_2 = g^{m_1 + m_2} \cdot (r_1 \cdot r_2)^n$

We can always re-randomize by “adding zero”:
• $c' = c + [0] = g^m \cdot r_1^n \cdot r_2^n = g^m \cdot (r_1 \cdot r_2)^n$

Addition of two ciphertexts: $c_1 \cdot c_2 \bmod n^2 = [m_1 + m_2]$


PAILLIER CRYPTOSYSTEM
Multiplication with known constant
• $c^k = g^{mk} \cdot r^{nk}$

Addition of two ciphertexts: $c_1 \cdot c_2 \bmod n^2 = [m_1 + m_2]$

Multiplication with known constant: $c^k \bmod n^2 = [m \cdot k]$


APPLICATION: GENERATE MULTIPLICATION TRIPLET
Recall from MPC lecture:
(Pre)compute <x>, <y> and <z>, such that z = x * y (Beaver triplet)

• Assume shares:
• $x_1 + x_2 = x$
• $y_1 + y_2 = y$
• $x * y = x_1 y_1 + x_1 y_2 + x_2 y_1 + x_2 y_2 = z_1 + z_2 = z$

Exchange between Alice and Bob:
• Alice, for random $x_1, y_1$, sends $[x_1], [y_1]$ to Bob
• Bob, for random $r, x_2, y_2$, returns $[x_1]^{y_2} [y_1]^{x_2} [-r]$
• Alice computes $Dec([x_1]^{y_2} [y_1]^{x_2} [-r]) = x_1 y_2 + y_1 x_2 - r$
• Alice: $z_1 = x_1 y_1 + x_1 y_2 + x_2 y_1 - r$
• Bob: $z_2 = x_2 y_2 + r$
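The Paillier operations from the preceding slides and the triplet exchange above, as an added Python example that is not part of the lecture material. The two primes are constructed demo values, the function names are chosen here, and `r` is drawn invertible mod n (an assumption made explicit, since decryption relies on it).

```python
import secrets
from math import gcd

# Constructed demo primes (Mersenne primes); unusable as real key material.
P, Q = 2**89 - 1, 2**107 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    return (n, 1 + n), lam                         # pk = (n, g), sk = lambda

def enc(pk, m):
    n, g = pk
    while True:                                    # assumption: r invertible mod n
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            break
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def L(x, n):
    return (x - 1) // n

def dec(pk, sk, c):
    n, g = pk
    num = L(pow(c, sk, n * n), n)                  # L(c^lambda mod n^2)
    den = L(pow(g, sk, n * n), n)                  # L(g^lambda mod n^2)
    return num * pow(den, -1, n) % n

def add(pk, c1, c2):                               # [m1] * [m2] = [m1 + m2]
    return c1 * c2 % (pk[0] ** 2)

def mul_const(pk, c, k):                           # [m]^k = [m * k]
    return pow(c, k % pk[0], pk[0] ** 2)

def beaver_triplet(pk, sk):
    n = pk[0]
    # Alice (holds sk) samples her shares and sends [x1], [y1] to Bob.
    x1, y1 = secrets.randbelow(n), secrets.randbelow(n)
    cx1, cy1 = enc(pk, x1), enc(pk, y1)
    # Bob samples x2, y2, r and returns [x1]^y2 * [y1]^x2 * [-r].
    x2, y2, r = (secrets.randbelow(n) for _ in range(3))
    cross = add(pk, mul_const(pk, cx1, y2), mul_const(pk, cy1, x2))
    reply = add(pk, cross, enc(pk, -r))
    # Alice decrypts the masked cross terms; Bob keeps r in his share.
    z1 = (x1 * y1 + dec(pk, sk, reply)) % n
    z2 = (x2 * y2 + r) % n
    return (x1, y1, z1), (x2, y2, z2)
```

All shares live in Z_n, so the triplet relation z = x * y holds modulo n. The fresh `[-r]` factor is what keeps Alice from learning anything about Bob's x2, y2 from the decrypted cross terms.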
COMPUTING THE AVERAGE AGE – WITHOUT CENTRAL PARTY
(Figure: Alice (52), Bob (46) and Carol (31) pass ciphertexts among themselves. Labels: [52]; 52 ⊕ 46 = 52 + 46 = [98]; 98 ⊕ 31 = [129]; [129].)

Issues with this construction?

How could we distribute the key?
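COMPUTING THE AVERAGE AGE – WITHOUT CENTRAL PARTY
(Figure: the same exchange between Alice (52), Bob (46) and Carol (31), with two steps marked "MPC" that involve all three parties. Labels: [52]; 52 ⊕ 46 = 52 + 46 = [98]; 98 ⊕ 31 = [129]; [129]; output 129 for each of the three parties.)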
OUTLOOK: FULLY HOMOMORPHIC ENCRYPTION

Like a “normal” public key encryption scheme

• $Gen(1^\lambda)$: Generate and output public key $pk$ and secret key $sk$.

• $Enc(pk, m)$: Encrypt message $m$ using public key $pk$ and output ciphertext $c = [m]$

• $Dec(sk, c)$: Decrypt ciphertext $c = [m]$ using secret key $sk$ and output plaintext $m$

We can compute with ciphertexts and get “meaningful” results:

• $Dec(sk, [m_1] \star [m_2]) = m_1 \circ m_2$

• $Dec(sk, [m_1]$ ☼ $[m_2]) = m_1 \,\square\, m_2$


BREAK
PRELIMINARIES FOR FULLY HOMOMORPHIC ENCRYPTION
We will use quotient ring $R_q = \mathbb{Z}_q[X]/(X^n + 1)$
• Polynomials with degree $n - 1$
• Each coefficient modulo $q$

Examples for n = 4, q = 7
$P_1 = 6X^3 + 2X^2 + X + 4$
$P_2 = 2X^3 + 3X^2 + 5X + 4$

We can add them:
$P_1 + P_2 = 8X^3 + 5X^2 + 6X + 8$
… but we live in $\mathbb{Z}_7$, hence modulo 7
$X^3 + 5X^2 + 6X + 1$

We can also multiply:
$P_1 * P_2 = 12X^6 + 22X^5 + 38X^4 + 45X^3 + 25X^2 + 24X + 16$
… but we live in $X^4 + 1$, hence modulo $X^4 + 1$
$45X^3 + 13X^2 + 2X - 22$
… and we live in $\mathbb{Z}_7$, hence modulo 7
$3X^3 + 6X^2 + 2X + 6$
PRELIMINARIES FOR FULLY HOMOMORPHIC ENCRYPTION

We can think about $\mathbb{Z}_q$ in different ways:
$0, 1, \ldots, q - 2, q - 1$
but also
$-\frac{q-1}{2}, \ldots, -1, 0, 1, \ldots, \frac{q-1}{2}$

Similarly, we use quotient ring $R_3 = \mathbb{Z}_3[X]/(X^n + 1)$
• Polynomials with degree $n - 1$
• Each coefficient value from $\{-1, 0, 1\}$
PRELIMINARIES FOR FULLY HOMOMORPHIC ENCRYPTION

We draw from an error distribution $\chi$, such that polynomial $e \leftarrow \chi$ has coefficients drawn from a discrete Gaussian distribution

Gauss parameters mean and standard deviation depend on crypto instantiations.
DECISIONAL RING LEARNING WITH ERRORS (INFORMAL)
Given a uniformly random $a \leftarrow R_q$, a secret $s \leftarrow R_3$ and an error term $e \leftarrow \chi$, it is computationally hard for an adversary who does not know $s$ and $e$ to distinguish between:
$(as + e, a)$
and
$(b, a)$
for another uniformly random $b \leftarrow R_q$.
BFV: HOMOMORPHIC ENCRYPTION
KeyGen:
• Sample $s \leftarrow R_3$
• Sample $a \leftarrow R_q$
• Sample $e \leftarrow \chi$
• Output $sk = s$
• Output $pk = (pk_0, pk_1) = (-(as + e), a)$
BFV: HOMOMORPHIC ENCRYPTION
Encrypt(pk, M):
• Message $M$ is element in $R_p$ with $p < q$
• Sample two error polynomials $e_1, e_2 \leftarrow \chi$
• Sample small polynomial $u \leftarrow R_3$
• Set $W = \frac{q}{p}$
• Calculate $c_0 = WM + pk_0 u + e_1$
• Calculate $c_1 = pk_1 u + e_2$
• Output $c = (c_0, c_1)$

Scaling factor $W = \frac{q}{p}$
• Transform $M$ from $R_p$ into $R_q$ (coefficients from $\mathbb{Z}_p$ to $\mathbb{Z}_q$)

Similar to ElGamal, $u$ is a unique random mask to make encryption probabilistic

Error terms $e_1, e_2$ hide the information (as in the RLWE assumption)
BFV: HOMOMORPHIC ENCRYPTION
Dec(sk, c):
• Compute $\left\lfloor \frac{p}{q} (c_0 + c_1 s \bmod q) \right\rceil \bmod p$

Decryption from inner to outer steps:
$c_0 + c_1 s = WM - asu - eu + e_1 + asu + s e_2$
$WM - eu + e_1 + s e_2 = WM + \varepsilon$

Scale back by multiplying with $\frac{p}{q}$:
$\frac{p}{q} \frac{q}{p} M + \frac{p}{q} \varepsilon$

Remove noise by rounding to next integer $\lfloor \cdot \rceil$

Transform back to plaintext space $R_p$

Polynomial-ception!
$c_0$ and $c_1$ are coefficients of polynomial $ct(X)$; for decryption we evaluate $ct(s)$.
BFV: HOMOMORPHIC ADDITION OF CIPHERTEXTS
Addition of ciphertexts: $\alpha + \beta = \gamma$
$\alpha = (\alpha_0, \alpha_1)$
• $\alpha_0 = W M_1 + pk_0 u + e_1$
• $\alpha_1 = pk_1 u + e_2$
$\beta = (\beta_0, \beta_1)$
• $\beta_0 = W M_2 + pk_0 \tilde{u} + \tilde{e}_1$
• $\beta_1 = pk_1 \tilde{u} + \tilde{e}_2$
$\gamma = (\gamma_0, \gamma_1)$, with
• $\gamma_0 = \alpha_0 + \beta_0$
• $\gamma_0 = W(M_1 + M_2) + pk_0 (u + \tilde{u}) + e_1 + \tilde{e}_1$
and
• $\gamma_1 = \alpha_1 + \beta_1$
• $\gamma_1 = pk_1 (u + \tilde{u}) + e_2 + \tilde{e}_2$

Polynomial-ception!
For decryption, $\gamma$ represents coefficients of a polynomial still of degree 1 evaluated at point $s$.
BFV: HOMOMORPHIC ADDITION OF CIPHERTEXTS
$\gamma = (\gamma_0, \gamma_1)$, with
• $\gamma_0 = \alpha_0 + \beta_0$
• $\gamma_0 = W(M_1 + M_2) + pk_0 (u + \tilde{u}) + e_1 + \tilde{e}_1$
and
• $\gamma_1 = \alpha_1 + \beta_1$
• $\gamma_1 = pk_1 (u + \tilde{u}) + e_2 + \tilde{e}_2$

Correct decryption?
• $\gamma_0 + \gamma_1 s$
• $W(M_1 + M_2) - as\hat{u} - e\hat{u} + \hat{e}_1 + as\hat{u} + s\hat{e}_2 =$
• $= W(M_1 + M_2) + \hat{\varepsilon}$
• $\frac{p}{q} \frac{q}{p} M + \frac{p}{q} \hat{\varepsilon}$

➢ Works only if all noise coefficients are lower than $q/2p$
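The ring arithmetic from the preliminaries together with BFV KeyGen, Encrypt, Dec and ciphertext addition, as an added Python example that is not part of the lecture material. The parameters n = 16, q = 2^20, p = 16, the rounded Gaussian used in place of $\chi$, and all function names are assumptions made here; `random` is used only so the run is reproducible.

```python
import random

# Constructed toy parameters (n, q, p); far too small to be secure.
N, Q, P = 16, 2**20, 16
W = Q // P                                   # scaling factor q/p

def polyadd(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]

def polymul(a, b, q=Q):
    """Multiply in Z_q[X]/(X^n + 1); index i holds the X^i coefficient."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:                            # X^n = -1 wraps with a sign flip
                out[i + j - n] -= ai * bj
    return [c % q for c in out]

def small(rng):                              # element of R_3
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def err(rng):                                # rounded Gaussian standing in for chi
    return [round(rng.gauss(0, 3.2)) for _ in range(N)]

def keygen(rng):
    s, a, e = small(rng), [rng.randrange(Q) for _ in range(N)], err(rng)
    return s, ([-x % Q for x in polyadd(polymul(a, s), e)], a)

def encrypt(pk, M, rng):
    u, e1, e2 = small(rng), err(rng), err(rng)
    c0 = polyadd(polyadd([W * m for m in M], polymul(pk[0], u)), e1)
    return c0, polyadd(polymul(pk[1], u), e2)

def add(ca, cb):
    return polyadd(ca[0], cb[0]), polyadd(ca[1], cb[1])

def decrypt(s, c):
    v = polyadd(c[0], polymul(c[1], s))      # W*M + eps mod q
    return [round(P * x / Q) % P for x in v]

def noise(s, c, M):
    """Largest |coefficient| of eps; decryption needs it below q/(2p)."""
    v = polyadd(c[0], polymul(c[1], s))
    d = [(x - W * m) % Q for x, m in zip(v, M)]
    return max(min(x, Q - x) for x in d)
```

`noise` needs the secret key and the expected plaintext, so it is a diagnostic for studying how the error term grows under addition, not something a party in the protocol could compute.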


BFV: HOMOMORPHIC MULTIPLICATION OF CIPHERTEXTS
Multiplication of ciphertexts: $\alpha \cdot \beta = \gamma$
$\alpha = (\alpha_0, \alpha_1)$
• $\alpha_0 = W M_1 + pk_0 u + e_1$
• $\alpha_1 = pk_1 u + e_2$
$\beta = (\beta_0, \beta_1)$
• $\beta_0 = W M_2 + pk_0 \tilde{u} + \tilde{e}_1$
• $\beta_1 = pk_1 \tilde{u} + \tilde{e}_2$
$\gamma = (\gamma_0, \gamma_1, \gamma_2)$
• $\gamma_0 = \alpha_0 \cdot \beta_0$
• $\gamma_1 = \alpha_0 \cdot \beta_1 + \alpha_1 \cdot \beta_0$
• $\gamma_2 = \alpha_1 \cdot \beta_1$

Polynomial-ception!
For decryption, $\gamma$ represents coefficients of a polynomial now of degree 2 evaluated at point $s$.
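BFV: HOMOMORPHIC MULTIPLICATION OF CIPHERTEXTS
$\gamma = (\gamma_0, \gamma_1, \gamma_2)$
• $\gamma_0 = \alpha_0 \cdot \beta_0$
• $\gamma_1 = \alpha_0 \cdot \beta_1 + \alpha_1 \cdot \beta_0$
• $\gamma_2 = \alpha_1 \cdot \beta_1$

For decryption, $\gamma$ is now a polynomial of degree 2 evaluated at point $s$:
• $\gamma_{ct}[s] = \gamma_0 + \gamma_1 s + \gamma_2 s^2$

Polynomial-ception!
Can we find new polynomial with degree 1 again, that for decryption, can be evaluated in $s$?

$\gamma_{ct}(s) = \gamma_0 + \gamma_1 s + \gamma_2 s^2$
find new polynomial $\delta_{ct}(s) = \delta_0 + \delta_1 s + r$ such that
$\gamma_0 + \gamma_1 s + \gamma_2 s^2 = \delta_0 + \delta_1 s + r$
evaluated at $s$.

Re-linearization key $rlk = (rlk_0, rlk_1)$
• $rlk_0 = -(a_0 s + e_0) + s^2 \bmod q$
• $rlk_1 = a_0$

$\delta_0 = \gamma_0 + rlk_0 \gamma_2$
$\delta_1 = \gamma_1 + rlk_1 \gamma_2$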
BFV: HOMOMORPHIC MULTIPLICATION OF CIPHERTEXTS
After multiplication, re-linearize $\gamma = (\gamma_0, \gamma_1, \gamma_2)$

Re-linearization key $rlk = (rlk_0, rlk_1)$
• $rlk_0 = -(a_0 s + e_0) + s^2 \bmod q$
• $rlk_1 = a_0$

Output $\delta = (\delta_0, \delta_1)$
• $\delta_0 = \gamma_0 + rlk_0 \gamma_2$
• $\delta_1 = \gamma_1 + rlk_1 \gamma_2$
BFV: ENCRYPTION WITH NOISE
Operations over encryption accumulate noise:
• Addition adds little noise
• Multiplication adds noise
• Re-linearisation adds noise

Decryption error for ciphertexts with too much noise
➢ Limited number of operations possible

Dec(sk, c):
• Compute $\left\lfloor \frac{p}{q} (c_0 + c_1 s \bmod q) \right\rceil \bmod p$
• Remove noise by rounding to next integer $\lfloor \cdot \rceil$
• Transform back to plaintext space $R_p$
• $c_0 + c_1 s = WM - asu - eu + e_1 + asu + s e_2 = WM - eu + e_1 + s e_2 = WM + \varepsilon$

Bootstrapping for homomorphic encryption:
• Refresh ciphertext (without decrypting) to reduce noise
MULTIPARTY HOMOMORPHIC ENCRYPTION
(Figure: Alice, Bob and Carol in a pipeline of four stages. Labels: "MPC BFV-KeyGen"; "BFV-Enc" per party, producing [a], [b] and [c]; "BFV-Eval" with [y] = [f(a, b, c)]; "MPC BFV-Decrypt" taking [y] from the parties and giving y.)
MHE – KEY SWITCHING
(Figure: two panels with Alice, Bob and Carol. Panel "KeySwitch": input [y], output $[y]_{Alice,Carol}$. Panel "PubKeySwitch": inputs [y] and $pk_{carol}$, output $[y]_{Carol}$.)
MHE – BRIDGING TO MPC
(Figure: Alice, Bob and Carol convert between a ciphertext and per-party values. Labels: [y]; "Enc2Share"; $y_A$, $y_B$, $y_C$ at Alice, Bob and Carol; "Share2Enc"; [y].)
MHE – COLLECTIVE BOOTSTRAPPING
(Figure: "Collective Bootstrapping" of [y] among Alice, Bob and Carol. Labels: [y]; "Enc2Share"; $y_A$, $y_B$, $y_C$; "Share2Enc"; [y].)
MULTIPARTY HE – INPUT SELECTION EXAMPLE
(Figure: two plots. "End-to-end latency" in sec against #Parties; "Communication per party" in MB against #Parties.)
CONCLUSION

Different constructions for different system settings

• Default homomorphic encryption
• LSSS for small number of computing parties
• Trust required in these computing parties
• MHE allows for fine-grained access structures
• Trust can be spread over more parties
END OF LECTURE 5

QUESTIONS?
