 Hello, my name is Ilder Vitor Lumapeirae, I'm going to present the Paper Bootstrapping fully homomorphic encryption over the integers in less than one second, and now I am a post-doctor researcher at Kozik, KU Leuven, but this paper was basically written while I was working at the University of Luxembourg. So as you may know, there are basically two main families of fully homomorphic encryption schemes. The scheme is based on the learning with errors problem, which we call LWE, and the scheme is based on the approximate greatest common divisor problem, which we call AGCD, and the schemes based on this problem are the ones that we call FHE over the integers. The LWE problem is well known, so basically we have a secret, which is a vector, mod Q, and we sample uniformly random vectors, and then noise terms, usually they are following a discrete Gaussian distribution, and then we compute the inner product of this uniform vector by the secret, and we add the noise term, then given many of these samples, AIBI, we have to find the secret S. There is also the ring version of the LWE problem in which we basically replace vectors by polynomials. So for the AGCD problem, the secret is just an integer P. We also sample uniform elements, but they are not vectors, just integers, and noise terms, and then we multiply this uniform element by the secret, and we add the noise, and then this Xi is what we call an AGCD sample, and then given many of these AGCD samples, we have to find P. So we have these two families of homomorphic schemes, and every time one technique was proposed to improve the schemes based on one of these two problems, this technique was quickly adapted to the schemes based on the other problems. So for instance, we have modular switching for schemes based on the LWE problem and on the AGCD problem. We also have batching encryption for both hardness assumptions. We have schemes with quasi-dative noise growth also based on these two problems. However, these new fast-boost-strapping methods that run in less than one second only exist for schemes based on the LWE problem. So we can ask ourselves if it's possible to adapt these fast-boost-strapping methods that run in less than one second to FAT over the integers. And that's the question that we answer in this paper. But how these fast-boost-strapping procedures work? So in general, the bootstrapping is the evaluation of the decryption function homomorphically, so that at the end we generate a new ciphertext encrypting the same message, but with a smaller noise. So we have this base scheme, which is the scheme that we want to bootstrap. It's a simple scheme that encrypts bits into vectors modq, and it has this important property that the encryption is done in two steps, and the first step is a linear one in which we compute the inner product of this vector, which is the ciphertext, with this other vector, which is the secret key. And we get the message multiplied by some scaling vector plus the noise. And then the second step of the decryption is just extracting the most significant bit of this value that we computed. So since this step is computed modq, it's natural to use a scheme whose message space is aq. So the scheme we use to bootstrap the base scheme is the GSW scheme because the noise grows slowly with this scheme. Message space of GSW is actually a ring of polynomials, so it's not zq, but what we do is we select an element y, which is actually a power of x, such that the order of y is equal to q in this ring. Then we see that because the order is q, when we multiply two powers of y, we're actually adding the exponent's module q. So this means that we can use the homomorphic multiplication of GSW to compute linear functions in the exponent of y. In particular, we can compute this first step, which is linear. So few in TFHE use the homomorphic multiplication of GSW to compute this inner product modq in the exponent of y. So they start with the encryption of m that belongs to the base scheme and has large noise. And then they obtain a GSW encryption of y to the power of this inner product, which is actually just the noise plus the message. And this ciphertext has a small noise itself, although e is large. Then they have this final step in which they transform a GSW encryption of a power of y that depends on m into a base scheme encryption of m. And then the noise of this final ciphertext is just slightly bigger than the noise of this GSW encryption, so it's a small noise. So what happens when we try to replace the LWE by the AGCD problem in this bootstrapping framework? Well, essentially we have three problems. So the first problem is that we need a GSW scheme based on the AGCD problem and the existing schemes are not practical, especially when we try to use them to encrypt polynomials. The second problem is inherent to FAT over the integers. So here we have to work module P. So we have a base scheme ciphertext with this format and the first thing we want to do is to reduce c module P so that we get the scaled message plus the noise. But this means that the message space of the GSW scheme has to contain a power of x of order P. For the LWE problem, this works fine because here we have q and q is small and public. But in our case, this implies that n is exponentially large in Lambda because P is exponentially large in Lambda. So you can see that in this case even adding two polynomials already takes exponential time. So this will not work. And also, in our case, P is actually the secret key. So the bootstrapping cannot leak these modules. But if we choose n such that we have a power of x of order P in this ring, then actually n is leaking information of P. Third problem, even if we can perform this reduction mod P on the exponent of y, at the end we still have a GSW encryption of a power of y. And we have to transform this into a basic scheme ciphertext encrypting m. To solve the first problem, let's construct a GSW scheme that can work natively with polynomials. So consider a cyclotomic polynomial ring r and then we can sample a random polynomial k from this ring. Now given n AGCD samples, ci, so each ci is an integer, it's clear that we can multiply each ci by a power of x and add all of them. And then we will obtain a polynomial c that can be written in this format. And then it's clear that having n of these AGCD samples or just having c, it's the same, right? Now we can randomize this polynomial c by multiplying it by this hidden random polynomial k and then we will obtain a polynomial c bar. Now we ask you to find p and k. So we call this the r AGCD problem. And here we see that c is just equivalent to the AGCD basically. And then we are randomizing the AGCD problem here. So this r AGCD problem cannot be easier than the original AGCD problem. With this we can encrypt polynomials in two types of ciphertexts. The first one is the escalar ciphertext. In this case we take a polynomial m and to encrypt it we multiply by a scaling vector. We sample two polynomials r and q and we multiply q by the secret integer p. We add all these three terms and we randomize them with the secret polynomial k. So we are encrypting a polynomial m into another polynomial. The second type is the vector ciphertext. In this case r and q are vectors of polynomials, g is just this special vector here. So it's just a vector with powers of some integer, for instance it can be 2. And then instead of the scaling vector we are multiplying m by this vector and we are randomizing all of this with the secret polynomial k. So we are encrypting a polynomial m into a vector of l polynomials. Then we define this mixed homomorphic product in which we take a scalar ciphertext, a vector ciphertext, then we decompose the scalar ciphertext in base b so that we have l polynomials with small coefficients and then we just have to compute the inner product of this vector times the vector ciphertext itself. So this is the inner product so of course at the end we have a scalar again. And just like for the TFHE scheme which has this external product, using this mixed homomorphic product is more efficient than simply using the GSW homomorphic application. With this we solved the first problem. So now we have a GSW-like scheme that operate homomorphically on polynomials. Now we are going to solve the problem related to the size and the secretness of p. So we have this base scheme ciphertext that has this format. And the problem here is p because p is secret and it's too big. So maybe one idea would be to apply a modular switching like the one described in this paper so that we replace p by n and then we have this new ciphertext c prime. In this case we can define y as x square and then it's clear that in this ring since x to the n is minus 1, x square to the n is equal to 1. So the order of y is n. And then we could define the bootstrapping keys as GSW encryptions of these powers of y. So what we put in the exponent are powers of 2 multiplied by 0 or by 1. Then given this ciphertext c prime we can compute the binary decomposition of c prime and then we have these bits and we use the bits to select the bootstrapping keys that we want to multiply homomorphically. So we multiply these bootstrapping keys homomorphically and you see that if you replace b by ci here and we multiply all of them we are actually adding the exponents. So what we have at the end is this summation in the exponent of y but this summation is exactly c prime because the ci is here are just the binary decomposition of c prime. So what we get at the end is y to the power of c prime but module n because the order of y is n. So c prime module n is exactly the message times a scaling factor plus the noise. And this is exactly what we want in the exponent. Well, but things are not that simple and what we did here is simply not secure. So the problem is that this module switching is intended to switch the secret key p to another secret key. But we replaced p by n and n is public. So it's clear that if you have c prime and you have n you can simply decrypt c prime to recover the message m. Okay but maybe we can switch from p to n in a hidden way maybe using the homomorphic corporations of JSW scheme so that the c prime is only produced in an encrypted way. And having an encryption of c prime then is safe. But how can we do this? So we have the base scheme ciphertext with this format. And it's clear that if we simply multiply c by n and divide by p we are replacing p by n and then the noise and the scaling factor will be multiplied by n over p. But this is okay because then it means that we just have a new noise term and a new scaling factor. Moreover if we consider this module n then this term disappears and what we have is the new noise plus the message times the scaling factor. So considering this we can try to include this n over p in the bootstrapping keys so that this information that is performing the module switching is hidden is encrypted in the bootstrapping keys. So for instance instead of just using powers of 2 in the exponent of y we can use powers of 2 multiplied by n over p and then we can compute the binary decomposition of c itself not of c prime and use these bits to select the bootstrapping keys that we want to multiply homomorphically as we did before. So now when we multiply this bootstrapping keys again we are adding the exponents so what we have at the end is n over p which is a common factor times this summation. But this summation is simply c so we have n over p times c module n because the order of y is n and then this is simply the noise plus the message times some scaling factor. So this is exactly what we want to have. Oh wait but we have a problem again so the problem now is that the bootstrapping keys are not well defined. So here the problem is that these fractionals that we are trying to encrypt in the exponent they are not integral they are really rational values so we cannot encrypt these powers of y in this way but something that we can do for sure is rounding these fractions. So we can define the bootstrapping keys using the same fractions here the powers of 2 multiplied by n divided by p but rounded and then we know that for n value x when we round x what we get actually is the value itself plus some epsilon that is smaller than one half. So if we do the same sequence of homomorphic multiplications as before so we take the basis chem ciphertext c we compute a binary decomposition of it and we use the bits c i to select the keys and we multiply the keys what we will be doing then we will be summing the same values as before plus the small epsilons so as before we will have c times n divided by p module n this is simply the the scale of noise plus the message times delta prime and the sum of all these epsilons so we have a new epsilon term here which is a smaller than gamma over 2 right gamma is the number of terms in this product and over 2 because each one is a smaller than one half so this is okay right this we can simply consider that this r prime plus epsilon is the new noise term so we are really getting something in the format that we wanted the scaled message plus some noise and this time it's secure because c prime is just being produced in the exponent of y so it's encrypted and everything is well defined because we are just using integers here so with this we solved the first two problems now we have a GSW like a scheme that works with polynomials and we also solved the problem related to p now we still need the way to transform this GSW encryption of this power of y into a base scheme encryption of m to solve the third problem we propose a functional key switching procedure so let's consider two rings r1 and r2 each each ring is defined by these integers n1 and n2 so let's also consider two secret keys each key is composed of the integer and the secret polynomial then given the two keys and also one function f we can generate a public key it's actually the key used to perform the key switching procedure this key is essentially one encryption of sk1 times the truth table of f under the secret key sk2 then using this key switching key we can take an encryption of a message m under the first key and we can produce an encryption of f of m under the second key also this first encryption belongs to r1 and the second encryption belongs to r2 so this means that we can also switch the rings if we choose r1 different of r2 in particular if we set n1 as an integer n and n2 as simply one then the first ring is a polynomial ring and the second ring is actually just the integers so this means that when we switch from r1 to r2 we are actually switching from the ragcd problem to the original agcd problem because now we have something over the integers then this also means that we can we are taking a ciphertext of the gsw and we are producing a ciphertext of the basis scheme also because we know some bounds to this value e and we know that delta is bigger than e we can easily choose this function f such that f of this power of y is equal to m so if we put all of this together we see that using the functional key switching procedure we can actually switch from a gsw encryption of some power of y of this format to an encryption of m a basic scheme encryption of m and then this encryption does not depend on e so we have removed the original noise that we had before and the noise in this encryption is just slightly bigger than the noise in this gsw encryption which is small so our bootstrapping procedure works like this at the end we start with an agcd encryption of m with large noise then we use the mixed homomorphic multiplication of our gsw scheme to switch the modulus from p to n and perform the reduction module n then this produces an encryption of a power of y under the agcd problem and then we use the functional key switching procedure to transform this encryption of power of y in a basic scheme encryption of m with small noise so we have adapted this bootstrapping framework from fio and tfat to full homomorph encryption over the integers and we implemented the proof of concept in c++ and we showed that we can also perform the bootstrapping less than one second and the source code is available on github and if you have any questions or comments please just contact me and i will be for sure happy to discuss