Paper 2024/1898

NTRU-based Bootstrapping for MK-FHEs without using Overstretched Parameters

Binwu Xiang, Institute of Information Engineering, CAS
Jiang Zhang, State Key Laboratory of Cryptology
Kaixing Wang, State Key Laboratory of Cryptology
Yi Deng, Institute of Information Engineering, CAS
Dengguo Feng, State Key Laboratory of Cryptology
Abstract

Recent attacks on NTRU lattices given by Ducas and van Woerden (ASIACRYPT 2021) showed that for moduli $q$ larger than the so-called fatigue point $n^{2.484+o(1)}$, the security of NTRU is noticeably less than that of (ring)-LWE. Unlike NTRU-based PKE with $q$ typically lying in the secure regime of NTRU lattices (i.e., $q<n^{2.484+o(1)}$), the security of existing NTRU-based multi-key FHEs (MK-FHEs) requiring $q=O(n^k)$ for $k$ keys could be significantly affected by those attacks. In this paper, we first propose a (matrix) NTRU-based MK-FHE for super-constant number $k$ of keys without using overstretched NTRU parameters. Our scheme is essentially a combination of two components following the two-layer framework of TFHE/FHEW: - a simple first-layer matrix NTRU-based encryption that naturally supports multi-key NAND operations with moduli $q=O(k\cdot n^{1.5})$ only linear in the number $k$ of keys; -and a crucial second-layer NTRU-based encryption that supports an efficient hybrid product between a single-key ciphertext and a multi-key ciphertext for gate bootstrapping. Then, by replacing the first-layer with a more efficient LWE-based multi-key encryption, we obtain an improved MK-FHE scheme with better performance. We also employ a light key-switching technique to reduce the key-switching key size from the previous $O(n^2)$ bits to $O(n)$ bits. A proof-of-concept implementation shows that our two MK-FHE schemes outperform the state-of-the-art TFHE-like MK-FHE schemes in both computation efficiency and bootstrapping key size. Concretely, for $k=8$ at the same 100-bit security level, our improved MK-FHE scheme can bootstrap a ciphertext in {0.54s} on a laptop and only has a bootstrapping key of size {13.89}MB,which are respectively 2.2 times faster and 7.4 times smaller than the MK-FHE scheme (which relies on a second-layer encryption from the ring-LWE assumption) due to Chen, Chillotti and Song (ASIACRYPT 2019).

Note: full version

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. ASIACRYPT 2024
Keywords
NTRU;MK-FHE;Bootstrapping
Contact author(s)
xiangbinwu @ iie ac cn
History
2024-11-25: approved
2024-11-22: received
See all versions
Short URL
https://ia.cr/2024/1898
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1898,
      author = {Binwu Xiang and Jiang Zhang and Kaixing Wang and Yi Deng and Dengguo Feng},
      title = {{NTRU}-based Bootstrapping for {MK}-{FHEs} without using Overstretched Parameters},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1898},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1898}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.