Paper 2024/665

Homomorphic Evaluation of LWR-based PRFs and Application to Transciphering

Amit Deo, Zama
Marc Joye, Zama
Benoit Libert, Zama
Benjamin R. Curtis, Zama
Mayeul de Bellabre, Zama
Abstract

Certain applications such as FHE transciphering require randomness while operating over encrypted data. This randomness has to be obliviously generated in the encrypted domain and remain encrypted throughout the computation. Moreover, it should be guaranteed that independent-looking random coins can be obliviously generated for different computations. In this work, we consider the homomorphic evaluation of pseudorandom functions (PRFs) with a focus on practical lattice-based candidates. In the homomorphic PRF evaluation setting, given a fully homomorphic encryption of the PRF secret key $\vec{s}$, it should be possible to homomorphically compute encryptions of PRF evaluations $\{ \text{PRF}_{\vec{s}}(x_i) \}_{i=1}^M$ for public inputs $\{ x_i\}_{i=1}^M$. We consider this problem for PRF families based on the hardness of the Learning-With-Rounding (LWR) problem introduced by Banerjee, Peikert and Rosen (Eurocrypt '12). We build on the random-oracle variant of a PRF construction suggested by Banerjee et al. and demonstrate that it can be evaluated using only two sequential programmable bootstraps in the TFHE homomorphic encryption scheme. We also describe several modifications of this PRF---which we prove as secure as the original function---that support homomorphic evaluations using only one programmable bootstrap per slot. Numerical experiments were conducted using practically relevant FHE parameter sets from the TFHE-rs library. Our benchmarks show that a throughput of about $1000$ encrypted pseudorandom bits per second (resp. $900$ encrypted pseudorandom bits per second) can be achieved on an AWS hpc7a.96xlarge machine (resp. on a standard laptop with an Apple M2 chip), on a single thread. The PRF evaluation keys in our experiments have sizes roughly $40\%$ and $60\%$ of a bootstrapping key. Applying our solution to transciphering enables important bandwidth savings, typically trading $64$-bit values for $4$-bit values per transmitted ciphertext.

Note: Correction/update to related work

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
Fully homomorphic encryptionPseudorandom functionsLearning-with-roundingOblivious randomness generation
Contact author(s)
amit deo @ zama ai
marc @ zama ai
benoit libert @ zama ai
ben curtis @ zama ai
mayeul debellabre @ zama ai
History
2024-07-25: last of 2 revisions
2024-04-30: received
See all versions
Short URL
https://ia.cr/2024/665
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/665,
      author = {Amit Deo and Marc Joye and Benoit Libert and Benjamin R. Curtis and Mayeul de Bellabre},
      title = {Homomorphic Evaluation of {LWR}-based {PRFs} and Application to Transciphering},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/665},
      year = {2024},
      url = {https://eprint.iacr.org/2024/665}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.