[Resource Topic] 2024/665: Homomorphic Evaluation of LWR-based PRFs and Application to Transciphering

Welcome to the resource topic for 2024/665

Title:
Homomorphic Evaluation of LWR-based PRFs and Application to Transciphering

Authors: Amit Deo, Marc Joye, Benoit Libert, Benjamin R. Curtis, Mayeul de Bellabre

Abstract:

Certain applications such as FHE transciphering require randomness while operating over encrypted data. This randomness has to be obliviously generated in the encrypted domain and remain encrypted throughout the computation. Moreover, it should be guaranteed that independent-looking random coins can be obliviously generated for different computations.

In this work, we consider the homomorphic evaluation of pseudorandom functions (PRFs) with a focus on practical lattice-based candidates. In the homomorphic PRF evaluation setting, given a fully homomorphic encryption of the PRF secret key \vec{s}, it should be possible to homomorphically compute encryptions of PRF evaluations \{ \text{PRF}_{\vec{s}}(x_i) \}_{i=1}^M for public inputs \{ x_i\}_{i=1}^M. We consider this problem for PRF families based on the hardness of the Learning-With-Rounding (LWR) problem introduced by Banerjee, Peikert and Rosen (Eurocrypt '12). We build on the random-oracle variant of a PRF construction suggested by Banerjee et al. and demonstrate that it can be evaluated using only two sequential programmable bootstraps in the TFHE homomorphic encryption scheme. We also describe several modifications of this PRF—which we prove as secure as the original function—that support homomorphic evaluations using only one programmable bootstrap per slot.

Numerical experiments were conducted using practically relevant FHE parameter sets from the TFHE-rs library. Our benchmarks show that a throughput of about 1000 encrypted pseudorandom bits per second (resp. 900 encrypted pseudorandom bits per second) can be achieved on an AWS hpc7a.96xlarge machine (resp. on a standard laptop with an Apple M2 chip), on a single thread. The PRF evaluation keys in our experiments have sizes roughly 40\% and 60\% of a bootstrapping key. Applying our solution to transciphering enables important bandwidth savings, typically trading 64-bit values for 4-bit values per transmitted ciphertext.

ePrint: https://eprint.iacr.org/2024/665

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .