Paper 2024/451

Towards Verifiable FHE in Practice: Proving Correct Execution of TFHE's Bootstrapping using plonky2

Louis Tremblay Thibault, Zama
Michael Walter, Zama
Abstract

In this work we demonstrate for the first time that a full FHE bootstrapping operation can be proven using a SNARK in practice. We do so by designing an arithmetic circuit for the bootstrapping operation and proving it using plonky2. We are able to prove the circuit on an AWS Hpc7a instance in under 20 minutes. Proof size is about 200kB and verification takes less than 10ms. As the basis of our bootstrapping operation we use TFHE's programmable bootstrapping and modify it in a few places to represent it more efficiently as an arithmetic circuit (while maintaining full functionality and security). In order to achieve our results in a memory-efficient way, we take advantage of the structure of the computation and plonky2's ability to efficiently prove its own verification circuit to implement a recursion-based IVC scheme. Lastly, we present a security proof in the UC model that captures active attacks in real-world applications of verifiable FHE and augment our prototype to fit such applications.

Note: Added benchmarks for Hpc7a instance, security proof in UC model and augmented prototype to fit applications proven secure.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Verifiable FHE, SNARK, TFHE, plonky2
Contact author(s)
louis tremblay thibault @ zama ai
michael walter @ zama ai
History
2024-10-03: last of 5 revisions
2024-03-15: received
Short URL
https://ia.cr/2024/451
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/451,
      author = {Louis Tremblay Thibault and Michael Walter},
      title = {Towards Verifiable {FHE} in Practice: Proving Correct Execution of {TFHE}'s Bootstrapping using plonky2},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/451},
      year = {2024},
      url = {https://eprint.iacr.org/2024/451}
}