^{1}

^{1}

^{1}

With the rapid development of Internet of Things (IoT), grave questions of privacy protection are raised. This greatly impacts the large-scale applications of IoT. Fully homomorphic encryption (FHE) can provide privacy protection for IoT. But, its efficiency needs to be greatly improved. Nowadays, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme. And it is also the key for the low efficiency of FHE scheme due to the complexity homomorphic decryption. In this paper, the bootstrapping technique of Halevi and Shoup (EUROCRYPT 15) is improved. Firstly, by introducing a definition of “load capacity”, we optimize the parameter range for which their bootstrapping technique works. Next we generalize their ciphertext modulus from closing to a power of two to more general situations. This enables the method to be applied in a larger number of situations. Moreover, this paper also shows how to introduce SIMD homomorphic computation techniques into the new method, to improve the efficiency of recryption.

Nowadays, the IoT is becoming an attractive system paradigm to drive a substantive leap on goods and services through physical, cyber, and social spaces. It covers from traditional equipment to general household equipment, which bring more efficiency and convenience to the users and change current ways of life greatly [

IoT architecture.

However, the application of IoT involves mass private information about users, such as healthcare, location, etc. For the users, they want service providers to process the data accurately and efficiently and extract the contained valuable information with keeping user data unknown by others (including themselves). All these problems are difficult to achieve by traditionally encryption schemes. Homomorphic encryption technology is a good choice to solve all these problems [

FHE permits a worker to perform arbitrarily complex programs on encrypted data without knowing the secret key [

Since bootstrapping technology is the essential technology to obtain a “pure” FHE at present. Meanwhile, it is also the main bottleneck in any practical implementation due to the complexity homomorphic decryption. It is very meaningful to improve the efficiency of bootstrapping, which mainly refers to fast low-circuit implementation of decryption function. Without loss of generality, the decryption function for LWE- (Learning with Errors-) based FHE can be computed by evaluating some linear operation between ciphertext and secret key, then reducing the result modulo a big odd modulus

The past few years have seen an intensive study of bootstrapping technique. In the original bootstrapping technique of Gentry [

Gentry, Halevi, and Smart (GHS, PKC2012) reached a major milestone of a bootstrapping algorithm concentrating on the BGV ring-LWE-based scheme (ideal lattice-based FHE) [

In another line of work, [

The starting point of this paper is the HS’s work [

Let

Suppose that

It can be found that

We start by introducing the HS recryption procedure [

Let

If

If

Lemma

Let

Next Theorem

Let

if

if

It starts with the odd-

Next we discuss how to choose the value of

The load capacity on the span length of

It can be easily seen from Figure

Let

If

If

The conclusion is obvious; the proof is omitted here.

Note that, when

The parameter of low-circuit implementation of modular reduction on HS and our work.

Scheme | | | load capacity |
---|---|---|---|

HS’ work [ | | | |

Our work ( | | | |

As seen from Table

In this section, it extends HS recryption procedure to have a wider choice of ciphertext modulus. The specifics are in Theorem

Let

if

if

where “

We begin with the odd-

The proof for the

Next we discuss how to choose the value of

It is easy to get that

Then Corollary

Let

Then

if

if

The conclusion is obvious; the proof is omitted here.

To get a homomorphic implementation of the simple decryption formula from above, firstly a homomorphic bit-extraction procedure (Algorithm

Then Algorithm

In this section, an implementation of BGV ring-LWE-based scheme is made, since it offers nearly the most efficient homomorphic operations. This scheme is defined over a ring

First, several groups

Experimental results for our batched bootstrapping and HS.

cyclotomic ring | plaintext space | number of slots | security level | total recrypt (sec) | space usage (GB) | ||
---|---|---|---|---|---|---|---|

Our work | HS’ work | Our work | HS’ work | ||||

| | 1024 | 76 | 97 | 172 | 2.3 | 3.0 |

| | 720 | 110 | 168 | 235 | 2.6 | 3.2 |

| | 1000 | 106 | 1475 | 2037 | 11.2 | 13.8 |

| | 1296 | 161 | 984 | 1461 | 31.7 | 36.4 |

The first column gives cyclotomic ring m and its factorization into prime powers. The second column gives the plaintext space, i.e., the field/ring that is embedded in each slot. The third column gives the number of slots packed into a single ciphertext. The fourth column gives the effective security level, computed using the formula that is used in HElib taken from [

As seen from Table

Up to now, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme. Meanwhile it is also the key for the low efficiency of FHE scheme. It is very meaningful to improve the efficiency of bootstrapping, which mainly refers to lower-depth circuit implementation of decryption function. In this paper, it improves the “load capacity” of HS’s work with a better efficiency for bootstrapping and to generalize

The data used to support the findings of this study are available from the corresponding author upon request.

The authors declare that there are no conflicts of interest regarding the publication of this paper.

This work was sponsored in part by the National Natural Science Foundation of China (Grants nos. 61272041, 61202491, 61272488, and 61601515) and was also supported by the Foundation of Science and Technology on Information Assurance Laboratory (no. KJ-15-006).