Overview of Fully Homomorphic Encryption (FHE) System (Beginner Edition)

Homomorphic Encryption Definition

Suppose a user has a set of private data that is encrypted and stored on a third-party cloud platform. The user now wants to process this data, but the third-party cloud platform must not be able to see either the processing or its results. The user could of course download the data, process it, then encrypt and upload it again, but if the data set is large this consumes a lot of traffic. This is where fully homomorphic encryption is useful. The user does not need to download the data, process it and upload it again; the data can be processed directly on the cloud platform. The user then downloads the processed result and decrypts it to obtain the desired output.
It can be understood as follows: with a homomorphic encryption algorithm, a user can perform a form of secure delegated computation (Secure Delegated Computation) with an untrusted remote server (the cloud). The user entrusts sensitive private input to the cloud in homomorphically encrypted form, the cloud performs a certain amount of computation on the encrypted data, and it returns the encrypted result the user wants. Finally, the user opens the result with the decryption key. Throughout the protocol, the delegate (the cloud) never sees any useful information about the private input.

Homomorphisms have two special properties: additive homomorphism and multiplicative homomorphism.
Additive homomorphism means that adding two ciphertexts yields a new ciphertext that encrypts the sum of the original plaintexts. Multiplicative homomorphism means that multiplying two ciphertexts produced by a multiplicatively homomorphic algorithm yields a ciphertext that encrypts the product of the original plaintexts.


Some Questions

Why is it possible to achieve fully homomorphic encryption by implementing any number of additions and multiplications?
Answer: In the circuit model, the signals transmitted are high and low levels, that is, 1 and 0. This corresponds to arithmetic over the field modulo 2: in $\mathbb{Z}_2$, addition modulo 2 is an XOR gate and multiplication modulo 2 is an AND gate. These two gates can realize any circuit, so they form a complete set.
Why circuit models?
Every scheme in cryptography relies on a mathematical problem whose hardness is measured by computational complexity, and the circuit model is a model of computation used in complexity theory to measure the resources (time, storage and so on) required to solve a problem. Under the circuit model, cost is measured by the number of gates and the depth of the circuit.
A circuit must "touch" all of its input data, so its access pattern leaks no information. This is why traditional secure computation uses circuit models.

Four Stages of Development

The four stages are:

  1. Partially Homomorphic Encryption: The functions that can be evaluated are built from either addition/linear combination only or multiplication only. For example, RSA encryption (multiplicative homomorphism), ElGamal encryption (additive homomorphism).
  2. Somewhat Homomorphic Encryption: It has incomplete homomorphic properties, such as the pairing-based cyclic group encryption algorithm (additive homomorphism + a small amount of multiplicative homomorphism).
  3. Leveled Fully Homomorphic Encryption: Any form of function can be evaluated homomorphically, but the complexity of the circuit converted from the function cannot exceed an upper limit; otherwise the noise becomes too large and information is lost. (The noise can be controlled by bootstrapping.)
  4. Fully Homomorphic Encryption:
    Functions of any complexity can be calculated, and the noise can be perfectly controlled within a controllable range.

History Recap

In 2009, Craig Gentry, then a PhD student at Stanford, had a flash of inspiration and broke through the difficulties of the FHE problem. In his doctoral dissertation, he gave a reasonable and secure fully homomorphic encryption system for the first time. This system is based on an ideal lattice assumption. The fully homomorphic system proposed in Gentry09 is often called the first-generation fully homomorphic encryption system.

In his paper, Gentry also introduced a crucial concept called Bootstrapping. Bootstrapping is a special processing technique for ciphertexts: it "refreshes" a ciphertext whose noise is close to the critical value into a new ciphertext with low noise. With Bootstrapping, the noise of a leveled system (one limited to a finite number of levels) never exceeds the critical value, so the system becomes fully homomorphic. In this way, computations of any size can be evaluated homomorphically.

After Gentry's major breakthrough, the entire cryptography community fell into madness again, and everyone began scrambling to find a more efficient and versatile fully homomorphic system based on Gentry's ideas.

In 2011, the two bigwigs Brakerski and Vaikuntanathan proposed a new fully homomorphic encryption system based on Learning With Errors (LWE), another assumption of lattice-based encryption. In the same year, Brakerski, Gentry and Vaikuntanathan completed the system together and officially published it. The fully homomorphic system they invented is called the BGV system for short. The BGV system is a leveled homomorphic encryption system (a finite number of levels), but it can be turned into a fully homomorphic system through Bootstrapping. Compared with the system proposed in Gentry09, the BGV system uses the more realistic LWE assumption. Generally speaking, we call the BGV system the second-generation fully homomorphic encryption system.

In 2013, Gentry made a comeback: Gentry, Sahai and Waters launched the new GSW fully homomorphic encryption system. Like BGV, the GSW system is itself leveled fully homomorphic, is based on the simpler LWE assumption, and can be made fully homomorphic through Bootstrapping. We generally refer to the GSW system as the third-generation fully homomorphic encryption system.

Summary
The first-generation fully homomorphic encryption schemes all follow Gentry's complex construction method. Essentially, these schemes are based on ideals of various rings: first construct a somewhat homomorphic encryption scheme (that is, a scheme that can only evaluate low-degree polynomials), then "compress" the decryption circuit (relying on the sparse subset sum problem assumption) so that the scheme can execute its own decryption function homomorphically. This homomorphic decryption controls the growth of ciphertext noise and finally yields a fully homomorphic encryption scheme under the assumption of circular security. Although homomorphic decryption is the cornerstone of fully homomorphic encryption, its efficiency is very low.

The construction method of the second-generation fully homomorphic encryption schemes is simple. They are based on the LWE (ring-LWE) assumption, and their security can be reduced to standard hard problems on general lattices, which breaks away from Gentry's original framework for constructing fully homomorphic encryption schemes. First, a somewhat homomorphic encryption scheme is constructed. After a ciphertext computation, the key switching technique is used to control the dimension expansion of the ciphertext vector, and then the modulus switching technique is used to control the noise growth of the ciphertext computation. In this way a leveled fully homomorphic encryption scheme can be obtained without homomorphic decryption; that is, the scheme can evaluate circuits of polynomial depth, which is enough for most applications. To obtain a "pure" fully homomorphic encryption scheme, it is still necessary to rely on homomorphic decryption. However, homomorphic decryption is inefficient and relies on the circular security assumption, so it is not considered in practice.

The third-generation scheme is a fully homomorphic encryption scheme based on approximate eigenvectors, proposed by Gentry et al. in 2013. It realizes a leveled fully homomorphic encryption scheme without the key switching and modulus switching techniques. The security of this scheme is based on the LWE problem. Ciphertext computation is matrix addition and multiplication, so it is a very natural fully homomorphic encryption scheme.

Formal Definition of an FHE System

Four Basic Algorithms

A complete fully homomorphic encryption system has four basic algorithms:

  1. Key generation algorithm $KeyGen$ generates the keys that the other FHE algorithms use.
    It generates the public key and the private key, plus another public key $Evk$. This public key is used for ciphertext computation, and its form depends directly on the fully homomorphic encryption algorithm used. For example:

    • If fully homomorphic encryption is obtained through homomorphic decryption, then $Evk$ is the ciphertext generated by encrypting each bit of the key. Typical representatives are Gentry's ideal lattice scheme and the subsequent integer schemes.
    • If key switching and modulus switching are used to obtain full homomorphism, $Evk$ is $L-1$ matrices (not needed for the first time) used for key switching, where $L$ is the circuit depth. After each ciphertext computation, $Evk$ is used to transform the dimension-expanded ciphertext back into a normal one.

    In addition, the third-generation scheme, that is, the approximate eigenvector scheme, does not require $Evk$, which is why it can produce IBHE and ABHE.

  2. Encryption algorithm $Enc$ encrypts the user's input and outputs a ciphertext.

  3. Decryption algorithm $Dec$ restores a ciphertext to the original plaintext. Decryption here must handle not only freshly encrypted ciphertexts but also ciphertexts that result from computation. Ciphertext computation introduces noise, and once the noise reaches a certain limit the ciphertext can no longer be decrypted correctly. Therefore, the key to homomorphic encryption is controlling the noise.

  4. Evaluation algorithm $Eval$ performs arbitrary function evaluation on the input ciphertexts and outputs the encrypted result. The ciphertext computation is expressed as a circuit, and the circuit is layered: the greater the depth and the more layers, the more ciphertext computations can be performed. Note that the circuit depth $d$ and the number of ciphertext computations $n$ are related by $d=\lceil \log_2 n \rceil$; the number of ciphertext computations is the power of the ciphertext multiplication. Multiplication is used as the measure because it makes the noise grow faster. The evaluation algorithm generally takes three parameters: the public key $Evk$, the function to compute $f$, and the ciphertext $C$.
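
The noise limit described for $Dec$ and $Eval$, together with the earlier point that addition and multiplication modulo 2 act as XOR and AND gates, can be observed with a toy symmetric scheme over the integers, in the style of the integer schemes mentioned under $KeyGen$. This is an added example, not code from the original post; the function names and the sizes `P_BITS`, `Q_BITS`, `R_BITS` are assumptions chosen for readability and provide no security.

```python
import secrets

P_BITS, Q_BITS, R_BITS = 64, 256, 8   # toy sizes (assumed), far too small to be secure

def keygen():
    """Secret key: a random odd integer p of exactly P_BITS bits."""
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def encrypt(p, m):
    """c = p*q + 2*r + m; the term 2*r + m is the noise that hides bit m."""
    return p * secrets.randbits(Q_BITS) + 2 * secrets.randbits(R_BITS) + m

def noise(p, c):
    """Centered remainder of c modulo p, in the range (-p/2, p/2]."""
    x = c % p
    return x - p if x > p // 2 else x

def decrypt(p, c):
    """Parity of the noise; correct only while the true noise is below p/2."""
    return noise(p, c) % 2

def xor(c1, c2):
    return c1 + c2   # addition mod 2: the two noise terms add

def and_(c1, c2):
    return c1 * c2   # multiplication mod 2: the two noise terms multiply

def and_of_ones(p, n):
    """AND of n fresh encryptions of 1, as a balanced tree of depth ceil(log2 n)."""
    layer = [encrypt(p, 1) for _ in range(n)]
    while len(layer) > 1:
        nxt = [and_(a, b) for a, b in zip(layer[0::2], layer[1::2])]
        if len(layer) % 2:
            nxt.append(layer[-1])
        layer = nxt
    return layer[0]

def wrong_decryptions(n, trials=200):
    """Number of trials in which the AND of n encrypted 1s fails to decrypt to 1."""
    keys = (keygen() for _ in range(trials))
    return sum(decrypt(p, and_of_ones(p, n)) != 1 for p in keys)

if __name__ == "__main__":
    p = keygen()
    a, b = encrypt(p, 1), encrypt(p, 0)
    print("1 XOR 0 =", decrypt(p, xor(a, b)), "| 1 AND 0 =", decrypt(p, and_(a, b)))
    for n in (2, 6, 16, 32):
        print(f"n={n:2d}: wrong decryptions in 200 trials = {wrong_decryptions(n)}")
```

With these sizes each fresh noise term is below 2^9, so the product of six of them stays below 2^54 and under p/2, and decryption is always correct. At n = 16 the multiplied noise has wrapped around p and the decrypted bit is no longer reliable, which is the point where a leveled scheme needs bootstrapping.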

Three Properties

  1. Correctness: An FHE system must be correct. Specifically, the encrypted ciphertext can be successfully decrypted, and the ciphertext output by the operation can also be successfully decrypted back to the original text.
  2. Semantic Security: The ciphertext output by the FHE system must be indistinguishable. Specifically, if a network eavesdropper sees all the ciphertexts, the eavesdropper cannot tell which ciphertext corresponds to which original text.
  3. Compactness: The length of the ciphertext output by the FHE algorithm must be independent of the size of the circuit corresponding to the function. This property means that even if the operation function is complex, the output ciphertext is still within a controllable length range, which ensures the practicability of the FHE system.

Mainstream Research Program

Fully homomorphic encryption has by now developed into two branches. One branch is based on arithmetic circuits (BFV, BGV, CKKS) and consists of leveled homomorphic encryption (LHE) built on RLWE. It generally supports polynomial packing, so it can compute (add and multiply) on multiple data items at once, which is more efficient. However, LHE currently has a relatively high Bootstrapping overhead, so it is generally used only as a homomorphic encryption method that supports a limited number of operations.

The other branch is based mainly on Boolean circuits (FHEW, TFHE) and on efficient Bootstrapping, and it is not friendly to polynomial packing.
The characteristics of the schemes are as follows.
FHEW, TFHE, and GSW are implemented on Boolean circuits. Their characteristics:

  • Fast comparison
  • Supports arbitrary Boolean circuits
  • Fast bootstrapping (noise refresh process, reduce the noise generated by ciphertext calculation, and reduce the possibility of failure)

BGV and BFV are implemented on arithmetic circuits. Their characteristics:

  • Efficient SIMD computations on vectors of integers (using batching)
  • Fast high-precision integer arithmetic
  • Fast vector scalar multiplication
  • Leveled design (usually without bootstrapping)

CKKS was only proposed in 2017. Its characteristics:

  • Fast Polynomial Approximation Computation
  • Relatively fast reciprocal and discrete Fourier transform
  • Deep approximate computing, such as logistic regression learning
  • Efficient SIMD computations on vectors of real numbers (using batching)
  • Leveled design (usually without bootstrapping)

Frontier Research

After 2013, the cryptography community basically blossomed. Building on the original three generations of fully homomorphic systems, various new designs have emerged to optimize and accelerate the BGV and GSW systems.
Current mainstream frontier research:

  • Security issues of CKKS

  • Combination of FHEW type and RLWE type homomorphic encryption

  • Fast Bootstrapping

  • Combining RLWE-type homomorphic encryption with MPC, and implementing Bootstrapping through MPC


Commonly used algorithm library




Origin blog.csdn.net/qq_43271194/article/details/127184560