1 Introduction

Fully homomorphic encryption (FHE) makes it possible to perform arbitrary computations directly over encrypted data. The first FHE scheme was proposed by Gentry [16]. The construction relies on a technique called bootstrapping, which handles the noise growth in FHE ciphertexts. This construction theoretically enables the execution of any computation directly over encrypted data but remains slow in practice. Several works ([6, 15, 18, 19, 22] for example) followed Gentry's initial proposal and contributed to further improving FHE efficiency.

Fully homomorphic encryption schemes are divided into two types of constructions. The first one is based on Gentry's initial proposal, where the bootstrapping procedure basically consists of evaluating the decryption circuit at gate level. In this case, the operations remain slow but their design allows data to be packed efficiently using batching techniques. The second one is based on the somewhat homomorphic scheme of Gentry, Sahai and Waters [17] proposed in 2013, which supports branching programs with polynomial noise overhead and deterministic automata logic. Alperin-Sheriff and Peikert [3] improved the bootstrapping by implementing an efficient homomorphic arithmetic function, showing that boolean functions and Barrington circuits can be avoided in bootstrapping. In 2015, Ducas and Micciancio [14] gave a construction of bootstrapping with NAND gate evaluation, named FHEW, and suggested extensions for larger gates. They provided an implementation of their scheme taking less than a second per bootstrapping on a single core. Biasse and Ruiz [4] adapted the FHEW construction to arbitrary gates. Recently, Chillotti, Gama, Georgieva and Izabachène [10, 12] also improved the bootstrapping procedure and provided a construction named TFHE. Their implementation [13] runs in less than 13 ms for any binary gate and 26 ms for the MUX gate. They also proposed new techniques for the TFHE toolbox which allow data to be packed and bootstrapped gates to be composed in a leveled mode with a new procedure they called circuit bootstrapping. Recently, Bonnoron, Ducas and Fillinger [5] introduced an FHEW-type scheme which allows more computation to be performed per bootstrapping call. They implemented their method for the evaluation of a 6-to-6 bit LUT in about 10 s.

Our multi-value bootstrapping is built on the same line of schemes as the FHEW bootstrapping. In order to explain our contribution, we first review its basic construction and give a more detailed description later. The FHEW-based bootstrapping algorithms are implemented via a homomorphic accumulator which evaluates the linear part of the decryption function followed by a non-linear part. Given an LWE ciphertext of m and GSW encryptions of the secret key, we want to homomorphically evaluate a known arbitrary function f on m, where \(f:\mathbb {Z}_t\rightarrow \mathbb {Z}_t\). We define \(F=f\circ r\) where r is the rounding function which corresponds to the final non-linear step of the decryption function of the ciphertext \(\mathbf {c}\). We write \(F:\mathbb {Z}_T\rightarrow \mathbb {Z}_T\). To be as clear as possible, we depict the bootstrapping algorithm in three steps. Step (1): the input ciphertext of m is rescaled modulo T and the operations are mapped over a cyclic group \(\mathcal {G}\); we explain later how \(\mathcal {G}\) is constructed. Step (2): the accumulator \(\mathsf {ACC}\) is computed using blind shift operations in \(\mathcal {G}\) which use encryptions of the secret key. Step (3): a test polynomial \(\mathsf {TV}_F\) is then applied to \(\mathsf {ACC}\) and an LWE ciphertext of f(m) is extracted. Here \(\mathsf {TV}_F\) encodes the possible output values of the function f, i.e. the correspondence between the message m encoded in the input ciphertext and the output ciphertext of f(m). Note that the test polynomial \(\mathsf {TV}_F\) can also be applied before the blind shift operations.

Our Contribution. In this work, we show how to construct and choose \(\mathsf {TV}_F\) in order to optimize the evaluation of arbitrary functions in one bootstrapping call. In order to do so, we analyze the structure of FHEW-based bootstrapping algorithms and compare them in terms of output noise overhead and modularity, i.e. the functions they allow to evaluate. To be efficient, our solution should output a small noise while being able to 'statistically' encode all the possible values of the function. As a first proof of concept and for the sake of comparison, we implement a 6-to-6 LUT which runs in 1.6 s for a concrete security of about 128 bits (asserted using the estimator from [1]), compared to a timing of about 10 s at a security level of about 100 bits for the implementation of [5]. Our construction makes it possible to evaluate several arbitrary functions on the same set of inputs with a single call to the main subroutine of the TFHE bootstrapping. The name multi-value is derived from many-valued logic, a propositional calculus with more than two truth values. We give examples of possible applications of our procedure in this paper: we explain how to efficiently compose homomorphic LUTs and we sketch how to optimize the circuit bootstrapping proposed in Sect. 4 of [12], which can be used to compose circuits in a leveled mode. We finally show an application to the homomorphic evaluation of a neural network where the linear part is evaluated using a generalization of the key-switching procedure and the non-linear part is evaluated with our multi-value bootstrapping.

Our Technique and Comparisons to Other Works. In previous constructions, except [13], the test polynomial \(\mathsf {TV}_F\) is integrated at the end, after the accumulator is computed: we have \(\mathsf {ACC}\cdot \mathsf {TV}_F\). In the TFHE gate bootstrapping of [13], the test polynomial \(\mathsf {TV}_F\) is embedded in the accumulator from the very start, when the accumulator is still noiseless, and at step 2 the accumulator is \(\mathsf {TV}_F \cdot \mathsf {ACC}\). This saves a factor \(\sqrt{N}\), where N is the dimension. On the other hand, TFHE gate bootstrapping can only encode two possible output values. A naive idea for computing a multi-value input function f would be to decompose f into p \(\mathtt {Mux}\) gate functions and then combine the results of the p gate bootstrapping calls, but this method is quite inefficient. To optimize this naive construction, we define a common factor \(\mathsf {TV}_F^{(0)}\) which is shared between all the p calls, so that the most expensive part is performed once for the p calls. The specialization to each of the 2-value functions is then done at the end using a second test polynomial \(\mathsf {TV}_F^{\left( 1\right) }\). This last step consists only of a multiplication by a constant polynomial, which is much cheaper than p blind rotations. Compared to previous methods integrating the test polynomial at the end, we manage to decrease the output ciphertext noise by choosing low-norm second-stage test polynomials.

Organization of the Paper. We first describe the high level structure of FHEW-based bootstrapping algorithms and provide a comparison between the different schemes in the literature. Then, our preliminary section reviews the mathematical background for LWE and GSW encryption over the torus and gives the building blocks from the TFHE framework [13] used in our constructions. In Sect. 3, we present the optimized multi-value bootstrapping together with the test polynomial factorization. In Sect. 4, we present applications to the homomorphic evaluation of arbitrary functions and describe our implementation results for the case of a 6-to-6 LUT function. Finally, we explain how to apply the multi-value bootstrapping and the extended key-switching to optimize the circuit bootstrapping from [12] and to evaluate an encrypted neural network.

2 Preliminaries

Notation. The set \(\{0,1\}\) is written as \(\mathbb {B}\). The set of vectors of size n in E is denoted \(E^n\), and the set of \(n\times m \) matrices with entries in E is denoted \(\mathcal {M}_{n,m}(E)\). The real torus \(\mathbb {R}~\mod ~1\) is denoted \(\mathbb {T}\). \(\mathbb {T}_N[X]\) denotes the \(\mathbb {Z}\)-module \(\mathbb {R}[X]/(X^N+1) \mod 1\) of torus polynomials, where N is a fixed power of 2. The ring \(\mathbb {Z}[X]/(X^N+1)\) is denoted \(\mathfrak {R}\). The set of polynomials with binary coefficients is denoted \(\mathbb {B}_N[X]\).

2.1 High Level Structure of FHEW-based Bootstrapping

We first describe the high level structure of the FHEW-based bootstrapping algorithms. The procedure can be split into the three steps detailed below. We explain later how the schemes in this line can be instantiated using this formalism. Figure 1 gives a schematic overview of the bootstrapping steps.

  1. In the first step, the coefficients \((\mathbf {a},b)\) of the input LWE ciphertext \(\mathbf {c}=(\mathbf {a},b)\) are mapped to \(\mathbb {Z}_T\). A cyclic multiplicative group \(\mathcal {G}\), where \(\mathbb {Z}_T \simeq \mathcal {G}\), is used as an equivalent representation of the elements of \(\mathbb {Z}_T\). The group \(\mathcal {G}\) contains all the powers of X: \(X^0,\ldots ,X^{T-1}\), and T is defined as the smallest integer verifying \(X^T \mod \varPhi (X)=1\), where \(\varPhi (X)\) is the quotient polynomial defining the input Ring-LWE scheme. Most of the time, \(\varPhi (X)\) is the \(T\text {-th}\) cyclotomic polynomial.

  2. In the second step, the message m encrypted as \(\mathbf {c}=(\mathbf {a},b)\) is transformed into an intermediate GSW encryption of \(X^m\). The message \(m\in \mathbb {Z}_T\) is obtained from \(\mathbf {c}=(\mathbf {a},b)\) using the linear transformation \(b-\mathbf {a}\cdot \mathbf {s}\equiv m\) (i.e. the linear part of the decryption algorithm). Given encryptions of \(X^{s_i}\), one can homomorphically apply the linear mapping \(\varphi \) to \(\mathbf {c}\). We obtain the so-called accumulator \(\mathsf {ACC}\), which contains an encryption of \(X^{\varphi (\mathbf {c})}\in \mathcal {G}\).

  3. In the third step, a test polynomial \(\mathsf {TV}_F\in \mathcal {G}\) is multiplied with \(\mathsf {ACC}\). The test polynomial encodes the output value of a function F for each possible input message \(m\in \mathbb {Z}_T\), where F is a function from \(\mathbb {Z}_T\) to \(\mathbb {Z}_T\). An LWE encryption of F(m) is finally extracted from \(\mathsf {TV}_F \cdot \mathsf {ACC}\) (or from \(\mathsf {ACC}\cdot \mathsf {TV}_F\) if \(\mathsf {TV}_F\) is applied after computing the accumulator) with a modified noise. As the input message m is a noisy version of the actual message encrypted in \(\mathbf {c}=(\mathbf {a},b)\), the function F is the composition of a 'payload' function \(f:\mathbb {Z}_t\rightarrow \mathbb {Z}_t\) and a rounding function \(r:\mathbb {Z}_T\rightarrow \mathbb {Z}_t\).

For example, in [5], step (1) corresponds to a modulus switching from Q to \(T=pq\); step (2) computes the accumulator operation in the groups \(\{1,X,\dots ,X^{p-1}\}\) and \(\{1,Y,\dots ,Y^{q-1}\}\) for primes p and q and recomposes the result in the circulant ring \(\mathbb {Z}[Z]/(Z^{pq}-1)\); at step (3), a test polynomial (encoding \(F(x)=f(\lfloor t x /pq \rceil )\) where f is an arbitrary function) is applied to the accumulator and an LWE ciphertext of f(m) is extracted, where the extraction is implemented by the trace function. In [13], \(\mathcal {G}\) is the multiplicative group \(\{1,X,\dots ,X^{2N-1}\}\) where N is a power of 2. The function f implements a rounding (i.e. torus most significant bit extraction); step (1) does the rounding from \(\mathbb {T}\) to \(\mathbb {Z}_{2N}\) and the test polynomial is applied before the computation of the accumulator \(\mathsf {ACC}\); step (2) computes \(\mathsf {ACC}\in \mathcal {G}\) with a blind rotation; step (3) extracts \(\mathsf {LWE}(f(m))\) by extracting the constant coefficient of \(\mathsf {TV}_F \cdot \mathsf {ACC}\). Our multi-value bootstrapping is instantiated using [13].

Fig. 1. Structure of the bootstrapping algorithm. Step (1): the ciphertext of m is rescaled modulo T and the operations are mapped over the cyclic group \(\mathcal {G}\), where \(\mathcal {G}=\langle X \rangle \) is the group of \(T\text {-th}\) roots of unity associated to the cyclotomic polynomial \(\varPhi _T(X)\) (for example). Step (2): the accumulator \(\mathsf {ACC}\) is computed using blind shift operations in \(\mathcal {G}\) which use encryptions of the secret key in the powers of X. Step (3): a test polynomial is applied to \(\mathsf {ACC}\) (it can also be applied before the blind shift operations), and an LWE ciphertext of f(m) is extracted from \(\mathsf {ACC}\) using the encoding of an alternative representation of f over \(\mathbb {Z}_T\).

2.2 Backgrounds on TFHE

In this work, we will use the torus representation from [10] of the LWE encryption scheme introduced by Regev [21] and the ring variant of Lyubashevsky et al. [20].

Distance, Norm and Concentrated Distribution. We use the \(\ell _p\) distance for torus elements. By abuse of notation, we denote as \(\left\| \varvec{x}\right\| _p\) the p-norm of the representative of \(\varvec{x}\in \mathbb {T}^k\) with all its coefficients in . For a torus polynomial P(X) modulo \(X^N+1\), we take the norm of its unique representative of degree \(\le N-1\). A distribution on the torus is concentrated iff its support is included in a ball of radius \(\frac{1}{4}\) of \(\mathbb {T}\) except with negligible probability. In this case, we can define the usual notions of expectation and variance over \(\mathbb {T}\). Let \(\mathcal {N}(0,\sigma ^2)\) be a normal distribution centered at 0 and of variance \(\sigma ^2\). We denote \(\kappa (\varepsilon )=\min _k \{ \Pr _{X\leftarrow \mathcal {N}(0,\sigma ^2)}\left[ |X|> k \cdot \sigma \right] < \varepsilon \}\). For a Gaussian, \(\Pr _{X\leftarrow \mathcal {N}(0,\sigma ^2)}\left[ |X|> k \cdot \sigma \right] =\mathrm {erfc}(k/\sqrt{2})\), the complementary error function. For example, for \(\varepsilon =2^{-64}\) (this paper), we can take \(\kappa (\varepsilon )\approx 9.16\) and for \(\varepsilon =2^{-32}\), we can take \(\kappa (\varepsilon )\approx 6.33\); any larger k also satisfies the bound.

A real distribution X is said to be \(\sigma \)-subgaussian iff for all \(t\in \mathbb {R}\), \(\mathbb {E}(\mathsf {exp}(tX)) \le \mathsf {exp}(\sigma ^2 t^2/2)\). If X and \(X'\) are two independent \(\sigma \)- and \(\sigma '\)-subgaussian variables, then for all \(\alpha , \gamma \in \mathbb {R}\), \(\alpha X + \gamma X'\) is \(\sqrt{\alpha ^2\sigma ^2 + \gamma ^2\sigma '^2}\)-subgaussian. All the errors in this document will follow subgaussian distributions. In what follows, we review TFHE for the encryption of torus polynomial elements.

TRLWE Samples. To encrypt a message \(\mu \in \mathbb {T}_N[X]\), one picks a Gaussian approximation of the preimage of \(\varphi _s^{-1}(\mu )\) over the \(\varOmega \)-probability space of all possible choices of Gaussian noise. If the Gaussian noise \(\alpha \) is small, we can define the expectation and the variance over the torus. The expectation of \(\varphi _s(c)\) is equal to \(\mu \) and its variance is equal to the variance of \(\alpha \). We refer to [10] for a more complete definition of the \(\varOmega \)-probability space.

Definition 2.1

(TRLWE). Let \(\mathcal {M}\) be a discrete subspace of \(\mathbb {T}_N[X]\) and \(\mu \in \mathcal {M}\) a message. Let \(\varvec{s}\in \mathbb {B}_N[X]^k\) be a \(\mathsf {TRLWE}\) secret key, where each coefficient is chosen uniformly at random. A \(\mathsf {TRLWE}\) sample is a vector \(\mathbf {c} = (\mathbf {a},b)\) of \(\mathbb {T}_N[X]^{k+1}\) which can be either:

  • A trivial sample: \(\mathbf {a} = 0\) and \(b = \mu \). Note that this ciphertext is independent of the secret key.

  • A fresh \(\mathsf {TRLWE}\) sample of \(\mu \) of standard deviation \(\alpha \): \(\mathbf {a}\) is uniformly chosen in \(\mathbb {T}_N[X]^k\) and b follows a continuous Gaussian distribution of standard deviation \(\alpha \) (variance \(\alpha ^2\)) centered at \(\mu + \mathbf {s}\cdot \mathbf {a}\).

  • Linear combination of fresh or trivial \(\mathsf {TRLWE}\) samples.

We define the phase \(\varphi _{\varvec{s}}(\varvec{c})\) of a sample \(\varvec{c}=(\varvec{a},b)\in \mathbb {T}_N[X]^{k}\times \mathbb {T}_N[X]\) under key \(\varvec{s}\in \mathbb {B}_N[X]^k\) as \(\varphi _{\varvec{s}}(\varvec{c}) = b - \varvec{s}\cdot \varvec{a}\). Note that the phase function is a linear \((kN+1)\)-lipschitzian function from \(\mathbb {T}_N[X]^{k+1}\) to \(\mathbb {T}_N[X]\). We say that \(\varvec{c}\) is a valid \(\mathsf {TRLWE}\) sample iff there exists a key \(\varvec{s}\in \mathbb {B}_N[X]^k\) such that the distribution of the phase \(\varphi _{\varvec{s}}(\varvec{c})\) is concentrated over the \(\varOmega \)-space around the message \(\mu \), i.e. included in a ball of radius \(<\frac{1}{4}\) around \(\mu \). Note that \(\mathbf {c} = \sum _{j=1}^{p} r_j\cdot \mathbf {c}_j\) is a valid \(\mathsf {TRLWE}\) sample if \(\mathbf {c}_1,\dots ,\mathbf {c}_p\) are valid \(\mathsf {TRLWE}\) samples (under the same key) and \(r_1,\dots ,r_p \in \mathfrak {R}\). We also use the function \(\textsf {msg}()\) defined as the expectation of the phase over the \(\varOmega \)-space. If \(\mu \) is in \(\mathcal {M}\), one can decrypt a \(\mathsf {TRLWE}\) sample \(\mathbf {c}\) under secret key \(\mathbf {s}\) with small noise (smaller than the packing radius) by rounding its phase to the nearest element of the discrete message space \(\mathcal {M}\). We also use the error function \(\textsf {Err}(\cdot )\) of a sample, defined as the difference between the phase and the message of the sample. We write \(\textsf {Var}(\textsf {Err}(X))\) for the variance of the error of X and \(\left\| \textsf {Err}(X)\right\| _\infty \) for its amplitude. When the error of X is Gaussian we have \(\left\| \textsf {Err}(X)\right\| _\infty \le \kappa (\varepsilon )\cdot \sqrt{\textsf {Var}(\textsf {Err}(X))}\) with probability \(1-\varepsilon \).

Given p valid and independent \(\mathsf {TRLWE}\) samples \(c_1,\dots ,c_p\) under key s, if \(c = \sum _{i=1}^{p} e_i\cdot c_i\), then \(\textsf {msg}(c) = \sum _{i=1}^{p} e_i \cdot \textsf {msg}(c_i) \) with \(\Vert \textsf {Err}(c) \Vert _\infty \le \sum _{i=1}^{p} \Vert e_i\Vert _1 \cdot \Vert \textsf {Err}(c_i)\Vert _\infty \) and \(\textsf {Var}(\textsf {Err}(c)) = \sum _{i=1}^p \Vert e_i\Vert ^2_2 \cdot \textsf {Var}(\textsf {Err}(c_i))\).

The \(\mathsf {TRLWE}\) problem consists of distinguishing \(\mathsf {TRLWE}\) encryptions of \(\mathbf {0}\) from random samples in \(\mathbb {T}_N[X]^k \times \mathbb {T}_N[X]\). When \(N=1\) and k is large, the \(\mathsf {TRLWE}\) problem is the scalar LWE problem over the torus and the \(\mathsf {TRLWE}\) encryption is the LWE encryption over the torus; we denote it \(\mathsf {TLWE}\). When N is large and \(k=1\), the \(\mathsf {TRLWE}\) problem is the LWE problem over torus polynomials with binary secrets. In addition, \(\mathsf {TLWE}\) and \(\mathsf {TRLWE}\) correspond to the scale-invariant variants defined in [7, 9, 11] and to the Ring-LWE from [20]. We refer to Sect. 6 of [10] for more details on security estimates for the LWE problem over the torus.

TRGSW Samples. We define a gadget matrix that will be used to decompose over ring elements and to reverse back. Other choices of gadget basis are also possible.

(Figure a: definition of the gadget matrix \(\mathbf {H}\); not recovered in this extraction.)

A vector \(v\in \mathbb {T}_N[X]^{k+1}\) can approximately be decomposed as \(Dec_{H, \beta , \epsilon }(\varvec{v})=\varvec{u}\) where \(\varvec{u} \in \mathfrak {R}^{(k+1)\ell }\), s.t. \(\left\| \varvec{u}\right\| _\infty \le \beta \) and \(\left\| \varvec{u}\cdot H - \varvec{v}\right\| _\infty \le \epsilon \). We call \(\beta \in \mathbb {R}_{>0}\) the quality parameter and \(\epsilon \in \mathbb {R}_{>0}\) the precision of the decomposition. In this paper, we use the gadget H whose decomposition base \(B_g\) is a power of 2. We take \(\beta =B_g/2\) and \(\epsilon =1/(2B_g^\ell )\).

Definition 2.2

(TRGSW Sample). Let \(\ell \) and \(k\ge 1\) be two integers and \(\alpha \ge 0\) be a noise parameter. Let \(\mathbf {s} \in \mathbb {B}_N[X]^k\) be a \(\mathsf {TRLWE}\) key. We say that \(\mathbf {C} \in \mathcal {M}_{(k+1)\ell , k+1}(\mathbb {T}_N[X])\) is a fresh \(\mathsf {TRGSW}\) sample of \(\mu \in \mathfrak {R}/\mathbf {H}^\perp \) with standard deviation \(\alpha \) iff \(\mathbf {C} = \mathbf {Z} + \mu \cdot \mathbf {H}\), where each row of \(\mathbf {Z} \in \mathcal {M}_{(k+1)\ell ,k+1}(\mathbb {T}_N[X])\) is a \(\mathsf {TRLWE}\) sample of \(\mathbf {0}\) with Gaussian standard deviation \(\alpha \). Conversely, we say that an element \(\mathbf {C} \in \mathcal {M}_{(k+1)\ell ,k+1}(\mathbb {T}_N[X])\) is a valid \(\mathsf {TRGSW}\) sample iff there exists a unique polynomial \(\mu \in \mathfrak {R}/\mathbf {H}^\perp \) and a unique key \(\mathbf {s}\) such that each row of \(\mathbf {C} - \mu \cdot \mathbf {H}\) is a valid \(\mathsf {TRLWE}\) sample of 0 under the key \(\mathbf {s}\). We call the polynomial \(\mu \) the message of \(\mathbf {C}\).

Since a \(\mathsf {TRGSW}\) sample consists of \((k+1)\ell \) \(\mathsf {TRLWE}\) under the same secret key, the definition of the phase, message, error, norm and variance and the result on the sum of \(\mathsf {TRLWE}\) samples can easily be extended for \(\mathsf {TRGSW}\) samples.

External Product. We review the module multiplication of the messages of \(\mathsf {TRGSW}\) and \(\mathsf {TRLWE}\) samples from [8, 10]. This operation is called the external product and is defined as \(\boxdot :~ \mathbb {T}_N[X]^{k+1} \times \mathcal {M}_{(k+1)\ell ,k+1}(\mathbb {T}_N[X]) \rightarrow \mathbb {T}_N[X]^{k+1}\), \(A \boxdot b = Dec_{H,\beta ,\epsilon }(b)\cdot A\): the \(\mathsf {TRLWE}\) sample is decomposed with the gadget and the resulting small vector is multiplied by the \(\mathsf {TRGSW}\) matrix. The operation \(\boxdot \) has the following property:

Theorem 2.3

(Homomorphic module multiplication). Let A be a valid \(\mathsf {TRGSW}\) sample of \(\mu _A\) and b a valid \(\mathsf {TRLWE}\) sample of \(\mu _b\). If \(\Vert Err(A\boxdot b)\Vert _\infty \le \frac{1}{4}\), then \(A\boxdot b\) is a valid \(\mathsf {TRLWE}\) sample of \(\mu _A \cdot \mu _b\).

We have \(\textsf {Var}(\textsf {Err}(A\boxdot b)) \le (k+1)\ell N\beta ^2 \textsf {Var}(\textsf {Err}(A))+(1+kN)\Vert \mu _A\Vert ^2_2\epsilon ^2 + \Vert \mu _A\Vert _2^2 \textsf {Var}(\textsf {Err}(b))\), where \(\beta \) and \(\epsilon \) are the parameters used in the decomposition \(Dec_{H,\beta ,\epsilon }(\cdot )\).

Assumption 2.4

(Independence heuristic). All the previous results rely on the Gaussian heuristic: all the error coefficients of the \(\mathsf {TRLWE}\) or \(\mathsf {TRGSW}\) samples of the linear combinations we consider are independent and concentrated. In particular, we assume that they are \(\sigma \)-subgaussian, where \(\sigma \) is the square root of their variance.

2.3 TFHE Gate Bootstrapping

We review the TFHE gate bootstrapping and the key-switching procedure from [10, 12]. The TFHE gate bootstrapping replaces the noise of the LWE input by a fixed, input-independent noise level; it can also change the dimension of the ciphertexts. We mark the input parameters with an under-bar and the output parameters with an upper-bar when needed.

Definition 2.5

Let \(\underline{\mathfrak {K}}\in \mathbb {B}^n\), \(\bar{\mathfrak {K}}\in \mathbb {B}^{kN}\) with \(\mathsf {TRLWE}\) interpretation \(\bar{K}\in \mathbb {B}_N[X]^k\), and \(\alpha \) be a noise parameter. We define the bootstrapping key \(\mathsf {BK}_{\underline{\mathfrak {K}}\rightarrow \bar{\mathfrak {K}},\alpha }\) as the sequence of n \(\mathsf {TRGSW}\) samples \(\mathsf {BK}_i\in \mathsf {TRGSW}_{\bar{K},\alpha }(\underline{\mathfrak {K}}_i)\).

TFHE Gate Bootstrapping. The ternary \(\mathtt {Mux}\) gate takes three boolean values \(c,d_0,d_1\) and returns \(\mathtt {Mux}(c,d_0,d_1)= (c\wedge d_1) \oplus ((1-c) \wedge d_0)\). We also write \(\mathtt {Mux}(c,d_0,d_1)= c?d_1:d_0\).

The controlled \(\mathtt {Mux}\) gate, \(\mathtt {CMux}\), takes as input \(\mathsf {TRLWE}\) samples \(\mathbf {d}_0, \mathbf {d_1}\) of messages \(\mu _0, \mu _1\) and a \(\mathsf {TRGSW}\) sample \(\mathbf {C}\) of a message bit m, and returns a \(\mathsf {TRLWE}\) sample of message \(\mu _0\) if \(m = 0\) and \(\mu _1\) if \(m = 1\). Lemma 2.6 gives the error propagation of \(\mathtt {CMux}\).

Lemma 2.6

Let \(\mathbf {d}_0,\mathbf {d}_1\) be \(\mathsf {TRLWE}\) samples and \(\mathbf {C}\in \mathsf {TRGSW}_{\mathbf {s}}(m)\) where message m \(\in \{0,1\}\). Then, \(\textsf {msg}(\mathtt {CMux}(\mathbf {C},\mathbf {d}_1,\mathbf {d}_0)) = \textsf {msg}(\mathbf {C})?\textsf {msg}(\mathbf {d}_1):\textsf {msg}(\mathbf {d}_0) \) and we have: \( \textsf {Var}(\textsf {Err}(\mathtt {CMux}(\mathbf {C},\mathbf {d}_1,\mathbf {d}_0))) \le \max (\textsf {Var}(\textsf {Err}(\mathbf {d}_0)) ,\textsf {Var}(\textsf {Err}(\mathbf {d}_1))) + \vartheta (\mathbf {C}) \) where \(\vartheta (\mathbf {C}) = (k+1)\ell N\beta ^2 \textsf {Var}(\textsf {Err}(\mathbf {C}))+ (1+kN)\epsilon ^2\).

The gate bootstrapping from [12] also uses the \(\mathsf {BlindRotate}\) algorithm. Assuming \(\mathbf {c}=(a_1,\dots ,a_p,b)\) is an LWE ciphertext under secret key \(\mathbf {s}\) (with coefficients already rescaled to \(\mathbb {Z}_{2N}\)), Algorithm 1 computes the blind rotation of v by the phase of \(\mathbf {c}\).

(Figure b: Algorithm 1, \(\mathsf {BlindRotate}\); not recovered in this extraction.)

Theorem 2.7

Let \(\alpha > 0 \in \mathbb {R}\) be a noise parameter, \(\mathfrak {K} \in \mathbb {B}^n\) be a \(\mathsf {TLWE}\) secret key and \(K \in \mathbb {B}_N[X]^k\) be its \(\mathsf {TRLWE}\) interpretation. Given one sample \(\mathbf {c} \in \mathsf {TRLWE}_{K}(v)\) with \(v \in \mathbb {T}_N[X]\), \(p+1\) integers \(a_1,\dots ,a_p,b \in \mathbb {Z}/2N\mathbb {Z}\), and p \(\mathsf {TRGSW}\) ciphertexts \(\mathbf {C}_1,\dots ,\mathbf {C}_p\) where each \(\mathbf {C}_i \in \mathsf {TRGSW}_{K,\alpha }(s_i)\) for \(s_i \in \mathbb {B}\) the \(\mathsf {BlindRotate}\) algorithm outputs a sample \(\mathsf {ACC}\in \mathsf {TRLWE}_{K}(X^{-\rho }\cdot v)\) where \(\rho =b-\sum _{i=1}^p a_i s_i\) such that \(\textsf {Var}(\textsf {Err}(\mathsf {ACC}))\le \textsf {Var}(\textsf {Err}(\mathbf {c})) + p(k+1)\ell N\beta ^2 \vartheta _C +p(1+kN)\epsilon ^2\) where \(\vartheta _C=\alpha ^2\).

\(\mathsf {TRLWE}\)-to-\(\mathsf {TLWE}\) Sample Extraction. Given one \(\mathsf {TRLWE}\) sample of message \(\mu \in \mathbb {T}_N[X]\), the \(\mathsf {SampleExtract}\) procedure allows one to extract a \(\mathsf {TLWE}\) sample of a single coefficient of the polynomial \(\mu \). Indeed, a \(\mathsf {TRLWE}\) ciphertext of message \(\mu \in \mathbb {T}_N[X]\) of dimension k under a secret key \(K \in \mathbb {B}_N[X]^k\) can alternatively be seen as N \(\mathsf {TLWE}\) ciphertexts whose messages are the coefficients of \(\mu \). These are of dimension \(n=kN\) and the secret key \(\mathbf {\mathfrak {K}}\) is in \(\mathbb {B}^n\), where \(K_i = \sum _{j=0}^{N-1} \mathbf {\mathfrak {K}}_{N(i-1)+j+1} X^j\).
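The index bookkeeping in the extraction is easy to get wrong because of the negacyclic wrap-around in \(X^N+1\), so the following toy implementation is added here as an illustration (editor's example, not code from the paper or from the TFHE library). It implements TRLWE encryption, the phase, and \(\mathsf {SampleExtract}\) for an arbitrary coefficient index, then decodes the extracted \(\mathsf {TLWE}\) samples under the flattened key of the paragraph above. The torus is represented as integers modulo \(2^{32}\) (the "Torus32" representation, as in the TFHE library); the parameters, the seed and the payload are constructed for the example and are not the paper's.

```python
import random

Q = 2**32  # Torus32: a torus element x in R mod 1 is stored as round(x * 2^32) mod 2^32


def t32(x):
    """Real torus value -> Torus32 representative (handles negative noise samples)."""
    return int(round(x * Q)) % Q


def t32_to_real(v):
    """Torus32 -> real representative in [-1/2, 1/2)."""
    v %= Q
    return (v - Q if v >= Q // 2 else v) / Q


def keygen(N, k, rng):
    """k binary polynomials of degree < N: a TRLWE key in B_N[X]^k."""
    return [[rng.randrange(2) for _ in range(N)] for _ in range(k)]


def mul_key_poly(s, a):
    """s * a mod X^N + 1 for a binary polynomial s and a Torus32 polynomial a."""
    N = len(a)
    out = [0] * N
    for i, si in enumerate(s):
        if si == 0:
            continue
        for j, aj in enumerate(a):
            if i + j < N:
                out[i + j] = (out[i + j] + aj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - aj) % Q  # X^N = -1
    return out


def trlwe_encrypt(mu, key, alpha, rng):
    """Fresh TRLWE sample (a, b): b = s.a + mu + e with e ~ N(0, alpha^2) per coefficient."""
    N, k = len(mu), len(key)
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(k)]
    b = [(mu[j] + t32(rng.gauss(0.0, alpha))) % Q for j in range(N)]
    for i in range(k):
        sa = mul_key_poly(key[i], a[i])
        b = [(b[j] + sa[j]) % Q for j in range(N)]
    return a, b


def trlwe_phase(c, key):
    """phi_s(c) = b - s.a (polynomial)."""
    a, b = c
    N = len(b)
    phase = list(b)
    for i, ai in enumerate(a):
        sa = mul_key_poly(key[i], ai)
        phase = [(phase[j] - sa[j]) % Q for j in range(N)]
    return phase


def sample_extract(c, p=0):
    """TLWE sample of coefficient p of the TRLWE message.
    Coefficient p of s_i * a_i is sum_{j<=p} s_i[j] a_i[p-j] - sum_{j>p} s_i[j] a_i[N+p-j],
    so the extracted mask is (a_i[p], ..., a_i[0], -a_i[N-1], ..., -a_i[p+1]) for each i."""
    a, b = c
    N = len(b)
    mask = []
    for ai in a:
        mask += [ai[p - j] if j <= p else (-ai[N + p - j]) % Q for j in range(N)]
    return mask, b[p]


def flatten_key(key):
    """K_i = sum_j k_{N(i-1)+j+1} X^j  <->  the TLWE key is key[0] || key[1] || ... in B^{kN}."""
    return [bit for poly in key for bit in poly]


def tlwe_phase(c, kflat):
    mask, b = c
    return (b - sum(m * s for m, s in zip(mask, kflat))) % Q


def decode(v, t):
    """Round a Torus32 phase to the nearest multiple of 1/t and return the symbol in Z_t."""
    return int(round(t32_to_real(v) * t)) % t


def demo(N=8, k=2, t=8, alpha=2.0**-20, seed=1):
    """Encrypt one Z_t symbol per coefficient, extract every coefficient, decode it back."""
    rng = random.Random(seed)
    key = keygen(N, k, rng)
    msgs = [(3 * j) % t for j in range(N)]  # constructed payload
    mu = [t32(m / t) for m in msgs]
    c = trlwe_encrypt(mu, key, alpha, rng)
    kflat = flatten_key(key)
    got = [decode(tlwe_phase(sample_extract(c, p), kflat), t) for p in range(N)]
    return msgs, got
```

Only the N masks and the key order differ between the polynomial view and the N scalar views; the secret and the noise are untouched, which is why extraction costs no key-switching material and adds no noise.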

Functional Key-Switching. The functional key-switching procedure allows switching between different parameter sets and between scalar and polynomial message spaces. It homomorphically evaluates a morphism from the \(\mathbb {Z}\)-module \(\mathbb {T}^p\) to \(\mathbb {T}_N[X]\). We recall in Algorithm 2 the functional key-switching algorithm (from Sect. 2.2 of [12]) where the morphism f is public; we adapt its definition so that the key can be decomposed in bases other than 2.

(Figure c: Algorithm 2, public functional key-switching; not recovered in this extraction.)

Theorem 2.8

(Public functional key-switch). Given p \(\mathsf {TLWE}\) samples \(\varvec{\mathfrak {c}}^{(z)}\) under the same key \(\mathfrak {K}\) of \(\mu _z\) with \(z=1,\dots ,p\), a public R-lipschitzian morphism f from \(\mathbb {T}^p\) to \(\mathbb {T}_{{N}}[X]\), and a family of samples \(\mathsf {KS}_{i,j}\in \mathsf {TRLWE}_{{K},{\gamma }}(\frac{\mathfrak {K}_i}{\mathsf {base}^j})\) with standard deviation \({\gamma }\) and where \(\mathsf {base}\) is an integer, Algorithm 2 outputs a \(\mathsf {TRLWE}\) sample \(\varvec{c} \in \mathsf {TRLWE}_{{K}}(f(\mu _1,\dots ,\mu _p))\) with \(\textsf {Var}(\textsf {Err}(\varvec{c})) \le R^2 \textsf {Var}(\textsf {Err}(\varvec{\mathfrak {c}})) + n t N \vartheta _{\mathsf {KS}} + n N \mathsf {base}^{-2(t+1)}\), where \(\vartheta _\mathsf {KS}=\gamma ^2\) is the variance of the error of \(\mathsf {KS}\).

For \(p=1\) and f the identity function, we retrieve the classical key-switching, where \(\mathsf {KS}_{i,j}\) is a sample \(\mathsf {TLWE}_{\varvec{s},\gamma }(\mathfrak {K}_i \cdot \mathsf {base}^{-j} )\) for \(i\in [\![1,n ]\!]\) and \(j\in [\![1,t]\!]\). In this case, the output is a \(\mathsf {TLWE}\) sample \(\mathbf {c}\) of the same input message \(\mu _1\) under the secret key \(\varvec{s}\), with \(\textsf {Var}(\textsf {Err}(\mathbf {c})) \le \textsf {Var}(\textsf {Err}(\varvec{\mathfrak {c}})) + n t\gamma ^2 +n \mathsf {base}^{-2(t+1)} \).

We are now ready to recall the TFHE gate bootstrapping in Algorithm 3. The TFHE gate bootstrapping algorithm takes as inputs a constant \(\mu \in \mathbb {T}\), a \(\mathsf {TLWE}\) sample of \(x\cdot \frac{1}{2}\) with \(x \in \mathbb {B}\), a bootstrapping key and returns a \(\mathsf {TLWE}\) sample of \(x\cdot \mu \) with a controlled error.

(Figure d: Algorithm 3, TFHE gate bootstrapping; not recovered in this extraction.)

Lines 1 to 4 compute a \(\mathsf {TRLWE}\) sample of message \(X^{\varphi }\cdot v\), where \(\varphi \) is the phase of \(\mathbf {\underline{\mathfrak {c}}}\) (actually an approximate phase, because of the rescaling in line 2). \(\mathsf {SampleExtract}\) extracts its constant coefficient (\(\hat{\mu }\) if \(x=1\) and \(-\hat{\mu }\) if \(x=0\)) as a \(\mathsf {TLWE}\) sample. The final addition yields either a \(\mathsf {TLWE}\) sample of 0 or a \(\mathsf {TLWE}\) sample of \(2\cdot \hat{\mu } = \mu \). The error of the output ciphertext is obtained by combining the output error of Theorem 2.7 with the error of the \(\mathsf {SampleExtract}\) procedure. An internal cumulated error \(\delta \) is introduced in line 2 by the rescaling. We have \(\delta \le \frac{h+1}{4N}\), where h is the number of non-zero coefficients of the \(\mathsf {TLWE}\) secret key \(\underline{\mathfrak {K}}\) and the 4N comes from the rescaling by 2N and the rounding of the coefficients of \((\underline{\mathbf {\mathfrak {a}}},\underline{\mathfrak {b}})\). This error only shifts the decision thresholds of Theorem 2.9; it does not contribute to the noise of the output ciphertext.

Theorem 2.9

(TFHE gate bootstrapping). Let \(\underline{\mathfrak {K}}\in \mathbb {B}^{{n}}\) and \(\bar{\mathfrak {K}} \in \mathbb {B}^{k N}\) be two \(\mathsf {TLWE}\) secret keys, \(\bar{K} \in \mathbb {B}_{N}[X]^{k}\) be the \(\mathsf {TRLWE}\) interpretation of \(\bar{\mathfrak {K}}\) and \(\alpha > 0 \in \mathbb {R}\) a noise parameter. Let \(\mathsf {BK}_{\underline{\mathfrak {K}}\rightarrow \bar{\mathfrak {K}},\alpha }\) be a bootstrapping key, i.e. n samples \(\mathsf {BK}_i \in \mathsf {TRGSW}_{\bar{K},\alpha }(\underline{\mathfrak {K}}_i)\) for \(i\in [\![1, n]\!]\). Given a constant \(\mu \in \mathbb {T}\) and a sample \(\underline{\mathbf {\mathfrak {c}}} \in \mathbb {T}^{n+1}\), Algorithm 3 outputs a \(\mathsf {TLWE}\) sample \(\bar{\mathbf {\mathfrak {c}}}\in \mathsf {TLWE}_{\bar{\mathfrak {K}}}(\bar{\mu })\) where \(\bar{\mu } = 0\) if \(|\varphi _{\underline{\mathfrak {K}}}(\underline{\mathbf {\mathfrak {c}}})|<\frac{1}{4} - \delta \) and \(\bar{\mu } =\mu \) if \(|\varphi _{\underline{\mathfrak {K}}}(\underline{\mathbf {\mathfrak {c}}})|>\frac{1}{4}+\delta \). We have \(\textsf {Var}(\textsf {Err}(\bar{\mathbf {\mathfrak {c}}})) \le n(k+1)\ell N \beta ^2 \vartheta _{BK}+ n(1+k N)\epsilon ^2\), where \(\vartheta _{BK} = \textsf {Var}(\textsf {Err}(\mathsf {BK}_{\underline{\mathfrak {K}}\rightarrow \bar{\mathfrak {K}},\alpha })) = \alpha ^2\).
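Theorems 2.8 and 2.9, the rescaling error \(\delta \) and the tail bound \(\kappa (\varepsilon )\) are exactly what one needs to check whether a parameter set keeps the decryption failure probability below a target. The script below is added here as a worked example (editor's code, not from the paper) that evaluates these bounds for one illustrative parameter set. The values are assumptions: they are roughly the TFHE library's default gate-bootstrapping parameters, and the example also assumes that each bootstrapping output is key-switched back to dimension n (so the two variance bounds add) and takes the worst-case key weight \(h=n\) for \(\delta \). The correctness criterion follows Theorem 2.9: for messages in \(\{0,\frac{1}{2}\}\) the input phase must stay within \(\frac{1}{4}-\delta \) of 0 or beyond \(\frac{1}{4}+\delta \), so the error amplitude of a gate input plus \(\delta \) must be below \(\frac{1}{4}\).

```python
from math import erfc, sqrt


def kappa(eps):
    """Smallest k with Pr[|X| > k*sigma] = erfc(k/sqrt(2)) < eps for Gaussian X (bisection)."""
    lo, hi = 0.0, 64.0  # erfc(64/sqrt 2) underflows to 0.0 < eps, so hi always satisfies the bound
    for _ in range(200):
        mid = (lo + hi) / 2
        if erfc(mid / sqrt(2)) < eps:
            hi = mid
        else:
            lo = mid
    return hi


def gadget_quality(Bg, ell):
    """beta = Bg/2 and epsilon = 1/(2 Bg^ell) for the power-of-two gadget of Sect. 2.2."""
    return Bg / 2, 1 / (2 * Bg**ell)


def bootstrap_noise_var(p):
    """Theorem 2.9: Var(Err) <= n(k+1) l N beta^2 alpha^2 + n(1+kN) eps^2."""
    beta, eps = gadget_quality(p["Bg"], p["ell"])
    n, k, N, ell, alpha = p["n"], p["k"], p["N"], p["ell"], p["alpha_bk"]
    return n * (k + 1) * ell * N * beta**2 * alpha**2 + n * (1 + k * N) * eps**2


def keyswitch_noise_var(var_in, p):
    """Classical key switch (Theorem 2.8 with p = 1 and f = id) from dimension kN back to n:
    Var + n_in t gamma^2 + n_in base^(-2(t+1)), n_in = kN being the dimension switched from."""
    n_in = p["k"] * p["N"]
    return var_in + n_in * p["t"] * p["gamma_ks"] ** 2 + n_in * p["base_ks"] ** (-2 * (p["t"] + 1))


def rescaling_error(h, N):
    """delta <= (h+1)/(4N): rounding of the input sample to Z_2N, h = key Hamming weight."""
    return (h + 1) / (4 * N)


def gate_budget(p, fan_in=2, eps=2**-64, h=None):
    """Can a sum of `fan_in` bootstrapped-and-key-switched samples be bootstrapped again?
    Variances add for a sum (linear-combination rule with e_i = 1); the amplitude is
    kappa(eps) times the standard deviation; the budget is 1/4 for messages in {0, 1/2}."""
    if h is None:
        h = p["n"]  # worst case: every key bit set
    var_out = keyswitch_noise_var(bootstrap_noise_var(p), p)
    amplitude = kappa(eps) * sqrt(fan_in * var_out)
    delta = rescaling_error(h, p["N"])
    return {
        "var_out": var_out,
        "amplitude": amplitude,
        "delta": delta,
        "used": amplitude + delta,
        "budget": 0.25,
        "ok": amplitude + delta < 0.25,
    }


# Illustrative parameter set, roughly the TFHE library's default gate-bootstrapping parameters.
# The exact values are an assumption of this example and are not taken from the paper.
PARAMS = {"n": 500, "N": 1024, "k": 1, "ell": 2, "Bg": 2**10, "alpha_bk": 9e-9,
          "t": 8, "base_ks": 4, "gamma_ks": 2.0**-15}

if __name__ == "__main__":
    print("kappa(2^-64) =", round(kappa(2**-64), 3), " kappa(2^-32) =", round(kappa(2**-32), 3))
    for h in (PARAMS["n"] // 2, PARAMS["n"]):
        print("h =", h, gate_budget(PARAMS, h=h))
```

With these numbers the bootstrapping term dominates the key-switching term by roughly a factor of six, and the worst-case \(\delta \) (about 0.12) consumes more of the budget than the noise amplitude itself; lowering \(\varepsilon \) from \(2^{-32}\) to \(2^{-64}\) only costs the ratio \(9.16/6.33\) in amplitude, which is why the paper can afford the stricter failure probability.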

3 Multi-value Bootstrapping

In the previous section, we recalled the bootstrapping procedures based on an auxiliary \(\mathsf {GSW}\) scheme. Instead of bootstrapping procedures where only a 're-encryption' of the input ciphertext is performed, we explain here how to bootstrap an arbitrary function of the input message. For example, in [10] the arbitrary function was the rounding (or modulus switching) of the ciphertext decryption function. Recall that \(\mathcal {G}=\left\langle X\right\rangle \) is the group of powers of X, where X is a \(2N\text {-th}\) root of unity. This corresponds to the cyclotomic polynomial \(\varPhi _{2N}\left( X\right) =X^N+1\) defining the \(\mathsf {TRLWE}\) ciphertext polynomials. The bootstrapping procedure consists of a linear step, where an approximate phase \(m\in \mathbb {Z}_{2N}\) of the input ciphertext \(\mathbf {c}\) is computed, followed by a non-linear step described by the following relation, where \(R(X)\in \mathbb {Z}_N[X]\) is a polynomial whose zero-degree coefficient is zero:

$$\begin{aligned} \mathsf {TV}_F\left( X\right) \cdot X^m \equiv F\left( m\right) + R(X) \mod \varPhi _{2N}\left( X\right) \end{aligned}$$
(1)

To ease the exposition, only the plaintext counterpart is presented. The \(\mathsf {BlindRotate}\) procedure is used to obtain \(\mathsf {ACC}\), which encrypts the phase m in the form of a power of X. This new representation is then multiplied by a test polynomial \(\mathsf {TV}_F\) for a function \(F:\mathbb {Z}_{2N}\rightarrow \mathbb {Z}_{2N}\). The zero-degree coefficient of the resulting polynomial contains the evaluation of F at the point m. Several possibilities to evaluate relation (1) exist. Hereafter we present three different ways to perform this evaluation and discuss their advantages and drawbacks.

\({\mathbf {\mathsf{{TV}}}}_{{\varvec{F}}}\left( {{\varvec{X}}}\right) \cdot {{\varvec{X}}}^{{\varvec{m}}}\) – The first one is to start the \(\mathsf {BlindRotate}\) procedure with \(\mathsf {TV}_F\) already encoded in \(\mathsf {ACC}\). The main advantage is that the output noise is independent of the test polynomial and is the lowest possible. The drawback is that only one function can be computed per bootstrapping procedure. This is how \(\mathsf {TV}_F\) is encoded in the bootstrapping of [10].

\({{\varvec{X}}}^{{\varvec{m}}} \cdot {\mathbf {\mathsf{{TV}}}}_{{\varvec{F}}}\left( {{\varvec{X}}}\right) \) – Another possibility is to integrate \(\mathsf {TV}_F\) after the \(\mathsf {BlindRotate}\) procedure is performed. In this case, one can use several test polynomials and thus compute several functions on the same input. This is how \(\mathsf {TV}_F\) is encoded in the bootstrapping of [4, 5, 14]. The main drawback is that the output ciphertext noise depends on the test polynomial coefficient values.

\({\mathbf {\mathsf{{TV}}}}^{\left( \mathbf 0 \right) }\left( {{\varvec{X}}}\right) \cdot {{\varvec{X}}}^{{\varvec{m}}} \cdot {\mathbf {\mathsf{{TV}}}}_{{\varvec{F}}}^{\left( \mathbf 1 \right) }\left( {{\varvec{X}}}\right) \) – Finally, we can split the test polynomial \(\mathsf {TV}_F\) into two factors: a first-phase test polynomial \(\mathsf {TV}^{\left( 0\right) }\) and a second-phase test polynomial \(\mathsf {TV}_F^{\left( 1\right) }\left( X\right) \). The first-phase factor \(\mathsf {TV}^{\left( 0\right) }\) does not depend on the evaluated function F. Thus, as in the previous case, using different second-phase test polynomials we are able to evaluate several functions on the same input. A further condition on the factorization is that the second-phase factors have low-norm coefficients; this is needed to keep the noise increase in the output ciphertexts small. This new evaluation technique therefore combines the best of the first two possibilities.

The test polynomial is specific to a function f we want to evaluate. As the phase m is a noisy version of the message of the input \(\mathbf {c}\), it should be rounded before f is applied. We have \(F=f\circ \texttt {round}\), i.e. F is the composition of a rounding function and the “payload” function f.

In the next subsection, we give a possible way to factorize test polynomials. Afterwards, we examine an updated version of Algorithm 3 which implements a bootstrapping procedure where the test polynomials are split.

3.1 Test Polynomial Factorization

Hereafter, we examine the conditions a function F should verify and we introduce a “half-circle” factorization of the test polynomial.

Theorem 3.1

Let \(F:\mathbb {Z}_{2N}\rightarrow \mathbb {Z}_{2N}\) be a function to be evaluated in a bootstrapping procedure using relation (1). Function F must satisfy relation \(F(m+N) = -F(m)\) for \(0\le m<N\).

Proof

Let P(X) be a polynomial from \(\mathbb {Z}_N[X]\). Multiplying it by \(X^N\) gives the initial polynomial with negated coefficients, i.e. \(P(X)\cdot X^N\equiv -P(X)\in \mathbb {Z}_N[X]\). This is due to relation \(X^N=-1\) defining cyclotomic polynomial \(\varPhi _{2N}\left( X\right) \), i.e. the negacyclic property of the ring \(\mathbb {Z}_N[X]\). If we apply this observation to the left-hand side of Eq. (1) we have:

$$\begin{aligned} {\mathbf {\mathsf{{TV}}}}_F\left( X\right) \cdot X^{(m+N)} \equiv -TV_F\left( X\right) \cdot X^m \mod \varPhi _{2N}\left( X\right) ,~0\le m<N \end{aligned}$$

Respectively, the right-hand side must satisfy the condition \(F(m+N) = -F(m)\) for \(0\le m<N\).

In what follows we restrict Eq. (1) to values of m belonging to \(\mathbb {Z}_N\). In this way, the condition \(F(m+N) = -F(m)\) is automatically verified.

Half-Circle Polynomial Bootstrapping. Let \(\mathsf {TV}_F\) be a test polynomial defined as \(\mathsf {TV}_F=\sum _{i=0}^{N-1}t_i X^i\), where \(t_0=F(0)\) and \(t_{i}=-F(N-i)\) for \(1\le i< N\). Thus, \(\mathsf {TV}_F\) equals to \(F(0)-\sum _{i=1}^{N-1}F(i)\cdot X^{N-i}\). It is straightforward to see that the relation \(\mathsf {TV}_F\cdot X^m = F(m) + R(X) \mod \varPhi _{2N}\left( X\right) \) is satisfied for any \(0\le m<N\).

The test polynomial \(\mathsf {TV}_F\) must be factored into two polynomials such that the first one, \(\mathsf {TV}^{(0)}\), does not depend on the evaluated function F. We did not mention it earlier, but the factorization can be fractional. Let \(\tau \) denote the (rational) scale factor of the factorization, chosen such that \(TV^{(0)},TV^{(1)}_F\in \mathbb {Z}_N[X]\):

$$\begin{aligned} \tau \cdot TV^{(0)}\cdot TV^{(1)}_F \equiv TV_F \mod \varPhi _{2N}\left( X\right) \end{aligned}$$

We define the first-phase test polynomial as \(TV^{(0)}=\sum _{i=0}^{N-1}X^{i}\) and .

Let second-phase test polynomial be \(TV^{(1)}_F=\sum _{i=0}^{N-1} t'_{i}\cdot X^{i}\). Polynomials \(\mathsf {TV}^{(0)}\) and \(\mathsf {TV}^{(1)}_F\) being factors of \(\mathsf {TV_F}\) we have:

Using the fact that \(X^N=-1\), we obtain the following system of linear equations with N unknowns \(t'_i,~0\le i<N\):

$$\begin{aligned} \sum _{0\le i\le k} t'_i - \sum _{k<i<N} t'_i = 2 t_k,~0\le k<N \end{aligned}$$
(2)

Theorem 3.2

The system of linear equation (2) admits an analytical solution given by: \(t'_0 = t_0+t_{N-1}\) and \(t'_k = t_k-t_{k-1}\) for \(k\ge 1\).

Proof

Observe that the left-hand sides of (2) for two consecutive indices \(k-1\) and k differ only in the sign of \(t'_k\). Computing their difference, we have \(2\cdot \left( t_k-t_{k-1}\right) = \sum _{0\le i\le k} t'_i - \sum _{k<i<N} t'_i - \sum _{0\le i\le k-1} t'_i + \sum _{k-1<i<N} t'_i = 2 t'_k\). The case of \(t'_0\) is proved similarly by comparing the equations for \(k=0\) and \(k=N-1\): only \(t'_0\) appears with the same sign in both, so their sum gives \(2\left( t_0+t_{N-1}\right) = 2 t'_0\).

Property 1

Suppose that function F has the same output value at the consecutive points \(N-k\) and \(N-k+1\), i.e. \(F(N-k)=F(N-k+1)\), for some \(2\le k<N\). Observe that \(t'_k = t_k-t_{k-1} = -F(N-k) + F(N-k+1) = 0\). The second-phase test polynomial coefficient \(t'_k\) is therefore zero in this case. More generally, this test polynomial has exactly s non-zero coefficients, where s is the number of transitions of F over the half-circle, \(s = \left| \left\{ k : F(k)\ne F(k+1),~0 \le k < N \right\} \right| \), with the negacyclic convention \(F(N)=-F(0)\) of Theorem 3.1: the coefficient \(t'_0=F(0)-F(1)\) accounts for the transition at \(k=0\) and \(t'_1=-F(N-1)-F(0)\) for the one at \(k=N-1\).

The test polynomial factorization introduced earlier can be graphically interpreted as follows:

  1. The first-phase test polynomial divides the torus in two parts. The bootstrapping with test polynomial \(\tau \cdot TV^{(0)}\) returns \(+\tau \) for the first half-circle of the torus and \(-\tau \) for the other part.

  2. The second-phase test polynomial builds a linear combination of such half-circles: the half-circles from step 1 are rotated by \(X^i\) and scaled by \(t'_i\).

Example. Fig. 2 gives an example over \(\mathbb {T}\) of the procedure explained above. We ignore the coefficient \(\tau \) in this illustration. The top torus circle shows the values returned by the first-phase test polynomial, i.e. the test polynomial values projected on the torus circle. The second-phase test polynomial has 3 terms and is equal to \(t'_a X^a + t'_b X^b + t'_c X^c\). The 3 bottom torus circles show the linear mapping performed by each monomial of the second-phase test polynomial. Summing up these terms gives the torus circle values illustrated on the rightmost part of the figure. Observe the negacyclic property of the cyclotomic polynomial \(X^N+1\) on the torus circles: symmetric output values are negated.

Fig. 2. Illustration of the high-level strategy for the multi-value bootstrapping.

Function Evaluation with Rounding. Let f be a function from \(\mathbb {Z}_t\) to \(\mathbb {Z}_{q}\) for \(t<2N\) and \(q\le 2N\). Let r be a rounding function which takes as input a message from \(\mathbb {Z}_{2N}\) and outputs a rounded message belonging to \(\mathbb {Z}_t\). Function r is defined as . This function corresponds to the rounding performed on \(\mathsf {TLWE}\) ciphertext phase in order to obtain the plaintext message.

The test polynomial \(TV_{f\circ r}=\sum _{i} t_i X^i\) for the composed function \(f\circ r\) is defined by \(t_0=f\circ r(0)\) and \(t_k = -f\circ r(N-k)\) for \(1\le k < N\). Building the system of linear equations (2) and using the explicit solution given in Theorem 3.2, we deduce the coefficients of the second-phase test polynomial.

Proposition 1

(Second-phase test polynomial norm). Let f be a function from \(\mathbb {Z}_s\) to \(\mathbb {Z}_q\) (the rounding target \(\mathbb {Z}_t\) above, with \(t=s\)) and let \(TV^{(1)}_{f\circ r}\) be the corresponding second-phase test polynomial. The squared norm of this polynomial is given by: \(\left\| TV^{(1)}_{f\circ r} \right\| _2^2 \le s\cdot \left( q-1\right) ^2\).

Proof

(Number of non-zero coefficients) From the definition of the rounding function r we have \(r(k)=l\) for any k such that . Without loss of generality we suppose here that t divides 2N. Composed function \(f\circ r\), denoted by F, has the same output value for consecutive input messages from \(\mathbb {Z}_{2N}\), i.e. \(F(k)=f\circ r(k)=f(l)\) for . Using Property 1 we deduce that the \(TV^{(1)}_{f\circ r}\) polynomial is sparse and has exactly s non-zero coefficients. Let S, \(\left| S\right| =s\), be the set of indexes of non-zero coefficients, we have \(TV^{(1)}_{f\circ r}=\sum _{i\in S} t'_i X^i\).

(Coefficient range) Each non-zero coefficient \(t'_i\), \(i\in S\), is the difference between consecutive output values of \(f\circ r\), or equivalently of f; refer to Theorem 3.2 and the definition of \(TV_{f\circ r}\). Hence \(\left( t'_i\right) ^2 = \left( f(k)-f(k')\right) ^2\) for some \(k,k'\in \mathbb {Z}_t\). As f takes its values in \(\mathbb {Z}_q\), the relation \(0\le f(.) \le q-1\) is verified and we deduce \(\left( t'_i\right) ^2 \le (q-1)^2\). One coefficient needs care: by Theorem 3.2, \(t'_1 = t_1 - t_0 = -F(N-1)-F(0)\) is a sum of two outputs rather than a difference, because the negacyclic circle continues with \(F(N)=-F(0)\); its square is only bounded by \(4(q-1)^2\), so this single coefficient may exceed the bound below by up to \(3(q-1)^2\) (at most 3 for the boolean LUTs of Sect. 4). With this caveat, combining these results we obtain the bound expression:

$$\begin{aligned} \left\| TV^{(1)}_{f\circ r} \right\| _2^2= \left\| \sum _{i\in S} t'_i X^i \right\| _2^2= \sum _{i\in S} \left( t'_i \right) ^2 \le s\cdot (q-1)^2 \end{aligned}$$
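The constructions of this subsection (the half-circle test polynomial, the split \(\tau \cdot TV^{(0)}\cdot TV^{(1)}_F\) of Theorem 3.2, the sparsity of Property 1 and the norm bound of Proposition 1), carried out on plaintext coefficient vectors modulo \(X^N+1\), as an added worked example; this is not code from the paper or from its TFHE-based implementation. It assumes the scale factor \(\tau = 1/2\) (the right-hand side of system (2) is \(2t_k\)) and a bucket rounding \(r(m)=\lfloor m s/N\rfloor \) of the half-circle into s buckets; both are assumptions of the example, and the functions f and F used in the checks are constructed.

```python
"""Plaintext model of the half-circle test-polynomial factorization of Sect. 3.1.

Added example, not code from the paper or its TFHE-based implementation.  Polynomials
are integer coefficient lists of length N reduced modulo Phi_2N(X) = X^N + 1; no
encryption is modelled, only relation (1) that the bootstrapping evaluates.
"""
from typing import Callable, List, Sequence, Tuple


def negacyclic_mul(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """Product of two polynomials of degree < N modulo X^N + 1 (X^N = -1)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj  # X^(i+j) = -X^(i+j-N)
    return out


def monomial(m: int, n: int) -> List[int]:
    """X^m for 0 <= m < 2N reduced modulo X^N + 1: the second half-circle is negated."""
    p = [0] * n
    p[m % n] = -1 if (m // n) % 2 else 1
    return p


def half_circle_tv(F: Callable[[int], int], n: int) -> List[int]:
    """TV_F = F(0) - sum_{i=1}^{N-1} F(i) X^(N-i), i.e. t_0 = F(0) and t_i = -F(N-i)."""
    return [F(0)] + [-F(n - i) for i in range(1, n)]


def first_phase(n: int) -> List[int]:
    """TV^(0) = sum_{i=0}^{N-1} X^i, independent of F."""
    return [1] * n


def second_phase(t: Sequence[int]) -> List[int]:
    """Theorem 3.2: t'_0 = t_0 + t_{N-1} and t'_k = t_k - t_{k-1} for k >= 1."""
    n = len(t)
    return [t[0] + t[n - 1]] + [t[k] - t[k - 1] for k in range(1, n)]


def check_factorization(F: Callable[[int], int], n: int) -> bool:
    """Check relation (1) directly and through the split TV^(0) * X^m * TV^(1)_F.

    System (2) reads TV^(0) * TV^(1)_F = 2 * TV_F, i.e. tau = 1/2 (assumption of this
    example), so the split evaluation yields 2 F(m) in degree zero before scaling by tau.
    """
    tv = half_circle_tv(F, n)
    tv0, tv1 = first_phase(n), second_phase(tv)
    if negacyclic_mul(tv0, tv1) != [2 * c for c in tv]:
        return False
    for m in range(n):  # relation (1) is restricted to the half-circle m in Z_N
        xm = monomial(m, n)
        direct = negacyclic_mul(tv, xm)[0]
        acc = negacyclic_mul(tv0, xm)  # plaintext view of the BlindRotate output
        split = negacyclic_mul(acc, tv1)[0]  # step 4 of Algorithm 4, before the tau scaling
        other_half = negacyclic_mul(tv, monomial(m + n, n))[0]  # Theorem 3.1: F(m+N) = -F(m)
        if not (direct == F(m) and split == 2 * F(m) and other_half == -F(m)):
            return False
    return True


def rounded(f: Callable[[int], int], s: int, n: int) -> Callable[[int], int]:
    """F = f o r with r(m) = floor(m * s / N): the half-circle [0, N) is cut into s buckets.

    This bucket rule is an assumption of the example (the paper's r is not reproduced here).
    """
    width = n // s
    return lambda m: f(m // width)


def norm_sq(p: Sequence[int]) -> int:
    """Squared l2 norm of a coefficient vector."""
    return sum(c * c for c in p)


def nonzero(p: Sequence[int]) -> int:
    """Number of non-zero coefficients."""
    return sum(1 for c in p if c != 0)


def sparsity_and_norm(f: Callable[[int], int], s: int, q: int, n: int) -> Tuple[int, int, int]:
    """Property 1 and Proposition 1 for f o r, with f: Z_s -> Z_q and s | N.

    Returns (non-zero count of TV^(1), ||TV^(1)||_2^2, ||TV_F||_2^2); the last value is
    the noise factor an unfactored second-phase multiplication by TV_F would cost instead.
    """
    tv = half_circle_tv(rounded(f, s, n), n)
    tv1 = second_phase(tv)
    assert nonzero(tv1) <= s  # Property 1: one coefficient per transition of F
    # Proposition 1, allowing for the wrap-around coefficient t'_1 = -(F(N-1) + F(0)),
    # a sum of two outputs whose square can reach 4 (q-1)^2 instead of (q-1)^2.
    assert norm_sq(tv1) <= (s + 3) * (q - 1) ** 2
    return nonzero(tv1), norm_sq(tv1), norm_sq(tv)


if __name__ == "__main__":
    # Constructed inputs: N = 64, s = 8 buckets, q = 4, f(x) = x^2 + 1 mod 4.
    print(check_factorization(lambda m: (3 * m + 1) % 7, 16))
    print(sparsity_and_norm(lambda x: (x * x + 1) % 4, 8, 4, 64))
```

For the constructed f above the factored second-phase polynomial has 8 non-zero coefficients and squared norm 16, against a squared norm of 160 for the unfactored \(TV_F\): this ratio is the noise-variance saving the factorization buys in Theorem 3.3, and the single coefficient of magnitude 3 is the wrap-around term \(t'_1\).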

3.2 Optimized Multi-value Bootstrapping

In this subsection we focus on the multi-value bootstrapping procedure for Torus FHE, where the \(2N\text {-th}\) cyclotomic polynomial \(X^N+1\) defines the \(\mathsf {TRLWE}\) samples. We assume that the first- and second-phase test polynomials, \(TV^{(0)},TV^{(1)}_F\in \mathbb {Z}_{N}[X]\), together with a scale factor \(\tau \) verifying condition (3), are given.

$$\begin{aligned} \tau \cdot TV^{(0)}\left( X\right) \cdot X^m \cdot TV^{(1)}_F\left( X\right) \equiv F\left( m\right) + R(X) \mod \varPhi _{2N}\left( X\right) \end{aligned}$$
(3)

Algorithm 4 illustrates the steps of the optimized bootstrapping procedure using split test polynomials. It takes as input a ciphertext encrypting a message , \(m\in \mathbb {Z}_{2N}\), and outputs a ciphertext encrypting \(F\left( m\right) \in \mathbb {Z}_{2N}\). The test polynomial \(TV^{(0)}\) belongs to \(\mathbb {Z}_{N}[X]\). It is mapped to \(\mathbb {T}_{N}[X]\) by multiplication with and with the scale factor \(\tau \) (algorithm step 2). There is no need to map the second-phase test polynomial to \(\mathbb {T}_{N}[X]\), because in step 4 a linear transformation of \(\mathsf {ACC}\) by \(TV^{(1)}_F\) is performed.

[Algorithm 4: optimized bootstrapping with split test polynomials; listing not reproduced]

Theorem 3.3

Given a \(\mathsf {TLWE}\) input ciphertext \(\mathbf {\underline{c}}\) of message , \(m\in \mathbb {Z}_{2N}\), a first-phase test polynomial \(\mathsf {TV}^{\left( 0\right) }\in \mathbb {Z}_{N}[X]\), a second-phase test polynomial \(\mathsf {TV}_F^{\left( 1\right) }\in \mathbb {Z}_{N}[X]\), a factorization factor \(\tau \) verifying condition (3) and a valid bootstrapping key \(\textsc {BK}_{\underline{\mathfrak {K}}\rightarrow \bar{\mathfrak {K}},\alpha } = \left( \mathsf {BK}_i \right) _{i \in [\![1, n ]\!]}\), Algorithm 4 outputs a valid \(\mathsf {TLWE}\) ciphertext \(\mathbf {\bar{c}}\) of message with error distribution variance verifying: \( \textsf {Var}(\textsf {Err}(\mathbf {\overline{c}})) \le \left\| \mathsf {TV}_F^{\left( 1\right) }\right\| _{2}^{2} \left( n(k+1)\ell N \beta ^2 \vartheta _\mathsf {BK}+n(1+kN)\epsilon ^2 \right) \) where \(\vartheta _\mathsf {BK}\) is the variance of the bootstrapping key error, \(\textsf {Var}(\textsf {Err}(\mathsf {BK}_{\underline{\mathfrak {K}}\rightarrow \bar{\mathfrak {K}},\alpha })) = \alpha ^2\).

Proof

(Correctness) The first 3 lines of Algorithm 4 compute a \(\mathsf {TRLWE}\) ciphertext of message . Line 4 applies a linear transformation to it and message is obtained. Input message \({\mu }\) is a multiple of on the torus so we have \(b-a\underline{\mathfrak {K}}={\mu }\cdot 2N\). Recall that \(\tau \cdot TV^{\left( 0\right) } \cdot TV^{\left( 1\right) }_F \cdot X^{m} \equiv F\left( {m}\right) + \ldots \) for any \({m}\in \mathbb {Z}_{2N}\) and \(m={\mu }\cdot 2N\). Thus, \(\mathsf {ACC}\) at line 5 contains an encryption of a polynomial whose zero-degree coefficient is . The \(\mathsf {SampleExtract}\) function from the last line extracts from \(\mathsf {ACC}\) a \(\mathsf {TLWE}\) sample of message .

(Error Analysis) The error analysis follows from that of the TFHE gate bootstrapping recalled above. Algorithm 4 adds one multiplication of \(\mathsf {ACC}\) by the constant (noise-free) polynomial \(TV^{(1)}_F\). If \(e_0,\ldots ,e_{N-1}\) denote the coefficient errors of \(\mathsf {ACC}\) after the \(\mathsf {BlindRotate}\), the zero-degree coefficient of \(\mathsf {ACC}\cdot TV^{(1)}_F\) carries the error \(e_0 t'_0 - \sum _{i=1}^{N-1} e_i t'_{N-i}\) (the minus sign comes from \(X^N=-1\)). Under the usual heuristic that the coefficient errors are independent with a common variance, the variance of this error is \(\left\| TV_F^{\left( 1\right) }\right\| _{2}^{2}\) times the variance of a single coefficient, which gives the following variance of the error distribution: \( \textsf {Var}(\textsf {Err}(\mathbf {\overline{c}})) \le \left\| TV_F^{\left( 1\right) }\right\| _{2}^{2} \left( n(k+1) \ell N \beta ^2 \vartheta _{\mathsf {BK}} +n(1+kN) \epsilon ^2 \right) \).

Theorem 3.4

Under the same hypotheses as in Theorems 2.8 and 3.3, given a correct input ciphertext \(\underline{\varvec{c}}\) of message \({\mu }\), with \(m={\mu }\cdot 2N \in \mathbb {Z}_{2N}\), the multi-value bootstrapping of Algorithm 4 followed by the classical key switching outputs a ciphertext \(\bar{\varvec{c}}\) of message with error distribution variance:

(4)

where \(\vartheta _\mathsf {BK}\) and \(\vartheta _{\mathsf {KS}}\) are respectively the variances of bootstrapping and key-switching keys error distributions.

Multi-output Version. In many cases one needs to evaluate several functions over the same encrypted message. The naive way is to execute Algorithm 4 once per function. Remark that for equal first-phase test polynomials \(TV^{\left( 0\right) }\), Algorithm 4 performs the same computations up to line 3, i.e. until the second-phase test polynomial is integrated into the accumulator. By repeating steps 4–5 for several second-phase test polynomials \(\mathsf {TV}^{(1)}_{F_1},\ldots ,\mathsf {TV}^{(1)}_{F_q}\), the bootstrapping algorithm outputs encryptions of the messages \(F_1(m),\ldots ,F_q(m)\) after a single \(\mathsf {BlindRotate}\). Figure 3 is a schematic view of the bootstrapping procedure evaluating several functions over the same input message.

Fig. 3. Multiple output multi-value bootstrapping overview. Test polynomials \(\mathsf {TV}^{(1)}_{F_1},\ldots ,\mathsf {TV}^{(1)}_{F_q}\) correspond to q functions evaluated over the message \(\underline{\mu }\) encrypted in the input ciphertext.

4 Homomorphic LUT

In this section, we show how to use the multi-value bootstrapping introduced earlier to homomorphically evaluate \(r\text {-bit}\) LUT functions over encrypted data.

4.1 Homomorphic LUT Evaluation

A boolean LUT is a function \(f:\mathbb {Z}_2^r\rightarrow \mathbb {Z}_2^q\). At first we focus on single-output LUTs, i.e. the case \(q=1\). Afterwards we show how to efficiently evaluate multi-output LUTs. It is straightforward to give an equivalent formulation of f over the ring of integers modulo \(2^r\) using \(F:\mathbb {Z}_{2^r}\rightarrow \mathbb {Z}_2\) and the linear mapping \(\phi \left( m_0,\dots ,m_{r-1}\right) =\sum _{j=0}^{r-1}m_j \cdot 2^j\) from \(\mathbb {Z}_2^r\) to \(\mathbb {Z}_{2^r}\). We have \(F\circ \phi \left( m_0,\dots ,m_{r-1}\right) \equiv f\left( m_0,\dots ,m_{r-1}\right) \) for any \(\left( m_0,\dots ,m_{r-1}\right) \in \mathbb {Z}_2^r\). The multi-value bootstrapping is used to evaluate the LUT function F as follows. We encode integers over the torus as multiples of . Only the first half-circle of the torus is used for the input and output message spaces. In this way any function can be evaluated using the bootstrapping procedure (cf. the restriction of Theorem 3.1). The full message space is used for the input, for \(j\in \mathbb {Z}_{2^r}\), and only the first 2 elements are used for the output messages, for \(j\in \mathbb {Z}_2\). The test polynomial factorization described in the previous section is used. Recall that the first-phase test polynomial \(\mathsf {TV}^{(0)}\) is \(\sum _{i} X^i\) and the scaling factor is . The second-phase test polynomial is computed using Theorem 3.2 for the LUT function F composed with a rounding function. From Proposition 1 this test polynomial norm verifies \(\left\| TV^{(1)}_{F\circ r} \right\| _2^2 \le 2^r\), plus at most 3 for the wrap-around coefficient \(t'_1=-F(N-1)-F(0)\in \{0,-1,-2\}\) in the case where both boundary values of F are 1.

4.2 LUT Circuits

A naive solution for multi-output LUT evaluation is to map \(\mathbb {Z}_2^q\) to \(\mathbb {Z}_{2^q}\). Doing so, we would be able to evaluate functions \(F:\mathbb {Z}_{2^r}\rightarrow \mathbb {Z}_{2^q}\) where \(q\le r\). The drawback of this method appears when we need to compose LUTs into a circuit and evaluate it: a reverse mapping from \(\mathbb {Z}_{2^q}\) to \(\mathbb {Z}_2^q\) would be needed. Using another function to extract the bits of \(\mathbb {Z}_{2^q}\) messages would be overkill, because it implies another multi-value bootstrapping. Let \(F^{\left( \ell \right) }:\mathbb {Z}_{2^r}\rightarrow \mathbb {Z}_2\) be the multi-value input function computing the \(\ell \text {-th}\) output bit of the LUT function \(f:\mathbb {Z}_2^r\rightarrow \mathbb {Z}_2^q\), \(\ell =1,\ldots ,q\). Each of these functions, \(F^{(1)},\ldots ,F^{(q)}\), is evaluated as described previously. Note that the expensive blind rotate part of the bootstrapping is performed once; only the multiplication by the second-phase test polynomial and the sample extract are done for each evaluated function. Figure 4 illustrates the intermediary steps for interfacing LUTs. Firstly, ciphertexts encrypting messages \(m_1,\ldots ,m_r\in \mathbb {B}\), obtained from several bootstrapping procedures, are combined into a multi-value message m using the linear transformation \(\phi \). Note that this transformation is performed in the output key space of the bootstrapping procedure, under the secret key \(\overline{\mathfrak {K}}\). Next, a key-switching procedure is performed and a ciphertext of the same message m under the secret key \(\underline{\mathfrak {K}}\) is obtained. This ciphertext is fed into the next bootstrapping and the process can be repeated. It is possible to reorder the linear mapping evaluation and the key switching, i.e. to key-switch directly after the bootstrapping and evaluate the linear mapping afterwards. Besides the fact that r times more key-switching procedures are then performed, the noise increase is also larger: the linear map \(\phi \) scales the noise of its inputs by its weights (a multiplicative increase), whereas key switching adds a fixed noise term, so key-switching first also amplifies the key-switching noise. In the next subsection, we describe the implementation in more detail.

Fig. 4. LUT composition into circuits. On top are shown the executed algorithms and at the bottom the obtained ciphertexts.
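The LUT evaluation of Sect. 4.1, its multi-output variant (Sect. 3.2, Fig. 3) and the LUT chaining of Fig. 4, modelled on plaintext phases as an added example; this is not code from the paper or from the TFHE library. Assumed here: a message \(j\in \mathbb {Z}_{2^r}\) is encoded at the centre of a bucket of width \(N/2^r\) on the first half-circle, the rounding is \(\lfloor m\,2^r/N\rfloor \), the first phase \(X^m\cdot TV^{(0)}\) is written directly as the sign vector of the two half-circles (step 1 of the graphical interpretation above), \(\tau =1/2\), the key switch of Fig. 4 is the identity on plaintexts, and the two 3-to-3 LUTs (increment, XOR with 5) are constructed test tables.

```python
"""Plaintext model of homomorphic LUT evaluation and LUT chaining (Sect. 4.1-4.2, Fig. 3-4).

Added example, not code from the paper or the TFHE library.  Assumed encoding: a message
j in Z_{2^r} sits on the first half-circle as the phase m = j*w + w/2 + e, with bucket
width w = N / 2^r and an error |e| < w/2, so that r(m) = floor(m / w) recovers j.  The
key switch of Fig. 4 is the identity here (no keys are modelled).
"""
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

Bits = Tuple[int, ...]


def phi(bits: Sequence[int]) -> int:
    """phi(m_0, ..., m_{r-1}) = sum_j m_j 2^j : Z_2^r -> Z_{2^r}."""
    return sum(b << j for j, b in enumerate(bits))


def lut_from_int_function(g: Callable[[int], int], r: int, q: int) -> Dict[Bits, Bits]:
    """Tabulate f: Z_2^r -> Z_2^q from an integer function g on Z_{2^r} (constructed test LUTs)."""
    return {bits: tuple((g(phi(bits)) >> l) & 1 for l in range(q))
            for bits in product((0, 1), repeat=r)}


def output_bit_functions(lut: Dict[Bits, Bits], r: int, q: int) -> List[Callable[[int], int]]:
    """F^(l)(j) = l-th output bit of f(phi^-1(j)): one multi-value function per output bit."""
    def bit_l(l: int) -> Callable[[int], int]:
        return lambda j: lut[tuple((j >> i) & 1 for i in range(r))][l]
    return [bit_l(l) for l in range(q)]


def second_phase_rounded(F: Callable[[int], int], r: int, n: int) -> List[int]:
    """TV^(1) for F o r: half-circle t_i of Sect. 3.1, then Theorem 3.2."""
    w = n >> r
    t = [F(0)] + [-F((n - i) // w) for i in range(1, n)]
    return [t[0] + t[-1]] + [t[k] - t[k - 1] for k in range(1, n)]


def first_phase_rotated(m: int, n: int) -> List[int]:
    """X^m * sum_i X^i mod X^N + 1 is +1 on degrees >= m and -1 below (the two half-circles)."""
    return [1 if j >= m else -1 for j in range(n)]


def degree_zero_of_product(acc: Sequence[int], tv1: Sequence[int]) -> int:
    """Degree-0 coefficient of acc * tv1 mod X^N + 1, i.e. a_0 b_0 - sum_{i>=1} a_i b_{N-i}."""
    n = len(acc)
    return acc[0] * tv1[0] - sum(acc[i] * tv1[n - i] for i in range(1, n))


def encode(j: int, r: int, n: int, e: int = 0) -> int:
    """Phase of a ciphertext of j on the half-circle, centred in its bucket, with error e."""
    w = n >> r
    if abs(e) >= w // 2:
        raise ValueError("error exceeds the rounding tolerance")
    return j * w + w // 2 + e


def multi_value_bootstrap(m: int, tv1s: Sequence[Sequence[int]], n: int) -> List[int]:
    """One shared first phase, then one cheap second phase per output function (Fig. 3).

    Each product has degree-0 coefficient 2 F(r(m)); the division by 2 is the tau = 1/2
    scaling (system (2)) that Algorithm 4 folds into the first-phase test polynomial.
    """
    acc = first_phase_rotated(m, n)
    return [degree_zero_of_product(acc, tv1) // 2 for tv1 in tv1s]


def evaluate_lut_circuit(lut1: Dict[Bits, Bits], lut2: Dict[Bits, Bits], r: int, q: int,
                         n: int, bits: Sequence[int], e: int = 0) -> Tuple[List[int], List[int]]:
    """Fig. 4: LUT1 on r input bits, recombine its q output bits with phi, feed a q-to-q LUT2."""
    tv1s_1 = [second_phase_rounded(F, r, n) for F in output_bit_functions(lut1, r, q)]
    tv1s_2 = [second_phase_rounded(F, q, n) for F in output_bit_functions(lut2, q, q)]
    out1 = multi_value_bootstrap(encode(phi(bits), r, n, e), tv1s_1, n)  # q boolean outputs
    # weighted sum phi, (identity) key switch, fresh error e, next bootstrapping
    out2 = multi_value_bootstrap(encode(phi(out1), q, n, e), tv1s_2, n)
    return out1, out2


def check_all_inputs(lut1: Dict[Bits, Bits], lut2: Dict[Bits, Bits], r: int, q: int,
                     n: int, e: int = 0) -> bool:
    """Exhaustive check of the two-LUT circuit against the tables, with phase error e."""
    for bits in product((0, 1), repeat=r):
        out1, out2 = evaluate_lut_circuit(lut1, lut2, r, q, n, bits, e)
        if tuple(out1) != lut1[bits] or tuple(out2) != lut2[tuple(out1)]:
            return False
    return True


# Constructed 3-to-3 LUTs over N = 64 (bucket width 8): increment mod 8, then XOR with 5.
N_EX, R_EX = 64, 3
LUT_INC = lut_from_int_function(lambda j: (j + 1) % 8, R_EX, R_EX)
LUT_XOR5 = lut_from_int_function(lambda j: j ^ 5, R_EX, R_EX)

if __name__ == "__main__":
    print(evaluate_lut_circuit(LUT_INC, LUT_XOR5, R_EX, R_EX, N_EX, (1, 1, 0), e=3))
    print(check_all_inputs(LUT_INC, LUT_XOR5, R_EX, R_EX, N_EX, e=-3))
```

The error parameter e stands for the phase noise that the rounding absorbs: any |e| below half a bucket gives the same LUT outputs, which is exactly the margin the noise bound of Theorem 3.4 has to guarantee before the next bootstrapping in the chain.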

4.3 Implementation Details and Performance

We implement the previous method for \(r=6\). The parameters of samples are:

  • \(\mathsf {TLWE}\) – \(n=803\), noise standard deviation \(2^{-20}\) and \(h=63\) (number of non-zero coefficients of the \(\mathsf {TLWE}\) key),

  • \(\mathsf {TRLWE}\) – \(N=2^{14}\) and noise standard deviation \(2^{-50}\),

  • \(\mathsf {TRGSW}\) – decomposition parameters \(\ell =2^3\) and \(B_g = 2^6\).

To estimate the security, we used the lwe-estimator script from [1], which includes the recent attacks on small LWE secrets [2]. We found that our instances achieve at least 128 bits of security, which is better than the concrete security level (about 100 bits) of the 6-to-6 LUT implementation of [5]. The key-switch parameters are \(t=4\) and decomposition base \(2^4\). We have implemented the multi-value bootstrapping technique proposed above on top of the TFHE library [13]; a test implementation is available in the torus_generic branch. Several modifications were performed in order to support a \(64\text {-bit}\) precision torus. Approximate sample sizes are: \(\mathsf {TLWE}\) 6.3 kB, \(\mathsf {TRLWE}\) 256 kB and \(\mathsf {TRGSW}\) 2 MB. As for the keys we have: multi-value bootstrapping key \({<}2\text {GB}\) and switching key \({\approx }6\text {GB}\). The key sizes can be reduced using a pseudo-random number generator as in [10]. Our experimental protocol consisted in: (i) a 6-bit multi-value message is encrypted, (ii) parameters (i.e. second-phase test polynomials) for several LUTs are generated randomly, (iii) the multi-value bootstrapping is executed on this encrypted message (several ciphertexts encrypting boolean messages are obtained), (iv) a weighted sum is used to build a new multi-value message ciphertext from 6 of the output boolean messages obtained previously, (v) finally a key-switching procedure is performed in order to regain the bootstrapping input parameter space. We executed the algorithms on a single core of an Intel Xeon E3-1240 processor running at 3.50 GHz. The bootstrapping and switching keys are generated in approximately 66 s. Multi-value bootstrapping on 6-bit words with 6 boolean outputs runs in \(\approx \)1.57 s including the bit combination plus key-switching phase, and in under 1.5 s without the key switching. For comparison, the gate bootstrapping from the TFHE library takes 15 ms on the same machine. We did not observe a significant increase in the execution time when the number of LUT outputs increases. For example, computing 128 different functions on the same input message increased the execution time only by 0.05 s, almost for free! We note that the combination and key switching were performed a single time in this last experiment.

4.4 Further Applications

We present here possible applications of the multi-value bootstrapping. We do not implement them but give a brief overview of how the multi-value bootstrapping could be used, and leave the model analysis and the implementation for future independent work. The first one concerns the optimization of the circuit bootstrapping from [12, Sec. 4.1], which allows to compose circuits in a leveled mode by turning a \(\mathsf {TLWE}\) sample into a \(\mathsf {TRGSW}\) sample. The first step of the circuit bootstrapping consists of \(\ell \) TFHE gate bootstrapping calls on the same \(\mathsf {TLWE}\) input sample, each bootstrapping call being associated with a different test polynomial. We can apply the multi-value bootstrapping to optimize this step: since the LWE input sample is the same, the idea is to perform Algorithm 1 only once for the \(\ell \) bootstrapping calls, and to adapt the output using the corresponding test polynomials \(\mathsf {TV}_F^{\left( 1\right) }\) as in Subsect. 3.2. We then obtain the \(\ell \) desired outputs. This saves a factor \(\ell \) in one of the circuit bootstrapping phases. The second one relates to the homomorphic evaluation of neural networks. Our multi-value bootstrapping can also be used to homomorphically evaluate a neural network. Assume the neuron inputs \(x_1,\dots ,x_p\) and output y are encrypted as \(\mathsf {TLWE}\) ciphertexts. The functionality of a neuron is defined by two functions, a linear function \(f: \mathbb {T}^p \mapsto \mathbb {T}\) and an activation function \(g: \mathbb {T} \mapsto \mathbb {T}\). The result is a \(\mathsf {TLWE}\) sample of \(y=g(f(x_1,\dots ,x_p))\). Function f is usually implemented as an inner product. We can compute the inner product between the p neuron inputs and a fixed weight vector using a functional key switch, and afterwards extract the \(\mathsf {TLWE}\) encryption from the \(\mathsf {TRLWE}\) key-switch output. Note that the public functional key switch allows to compute up to N inner products. Thus, using a single key-switch procedure we can compute all the linear functions of a whole neural network layer! Afterwards, using our multi-value bootstrapping, we compute a \(\mathsf {TLWE}\) sample of g(.), which is not an arbitrary function: usually a threshold function is used for g. In this particular case, the multi-value bootstrapping can be instantiated more efficiently than for an arbitrary function.

5 Conclusion

We introduced a bootstrapping procedure based on the TFHE scheme with split test polynomials, which can be used to evaluate multi-value functions and to increase the evaluation efficiency of multi-output functions. We note that this method (the test polynomial split trick) can easily be adapted to other FHEW-based bootstrapping algorithms. We showed how to apply the multi-value bootstrapping to execute arbitrary LUT functions on encrypted data and implemented the evaluation of a 6-to-6 LUT, which takes under 1.6 s; the evaluation of additional outputs on the same input comes at virtually no cost.