Improved Key Generation Algorithm for Gentry’s Fully Homomorphic Encryption Scheme

Abstract

At EUROCRYPT 2011, Gentry and Halevi implemented a variant of Gentry’s fully homomorphic encryption scheme. The core part in their key generation is to generate an odd-determinant ideal lattice having a particular type of Hermite Normal Form. However, they did not give a rigorous proof for the correctness. We present a better key generation algorithm, improving their algorithm from two aspects.

• We show how to deterministically generate ideal lattices with odd determinant, thus increasing the success probability close to 1.

• We give a rigorous proof for the correctness. To be more specific, we present a simpler condition for checking whether the ideal lattice has the desired Hermite Normal Form. Furthermore, our condition can be checked more efficiently.

As a result, our key generation is about 1.5 times faster. We also give experimental results supporting our claims. Our optimizations are based on the properties of ideal lattices, which might be of independent interests.

A Appendix

1.1 A.1 Proof of Lemma 1

Proof

Note that

$$Sylv(g(x),f(x))=\begin{bmatrix} g(x) \\ \vdots \\ x^{n-1}g(x) \\ f(x) \\ \vdots \\ x^{m-1}f(x) \end{bmatrix} = \begin{bmatrix} g_{0}&g_1&\cdots&g_{m}&&\\&g_{0}&g_1&\cdots&g_{m}&&\\&\ddots&&\ddots&\\&&g_{0}&g_1&\cdots&g_{m}\\ f_{0}&\cdots&f_{n}&&\\&\ddots&&\ddots&\\&f_{0}&\cdots&&f_{n} \end{bmatrix}.$$

Since \(f_n=1\), the Sylvester matrix can always be transformed unimodularly into the following (block-triangular) form by adding proper multiples of rows in the lower half to each row on the top half,

$$\begin{bmatrix}&\varvec{B}_{n\times n}&&\varvec{0}&\\ \hline f_{0}&\cdots&f_{n}&&\\&\ddots&&\ddots&\\&f_{0}&\cdots&&f_{n} \end{bmatrix}=\begin{bmatrix} g(x) \mod f(x) \\ \vdots \\ x^{n-1}g(x) \mod f(x)\\\hline f(x) \\ \vdots \\ x^{m-1}f(x) \end{bmatrix}.$$

It follows that \(Res(g,f) = f_n^m\det (\varvec{B})=\det (\varvec{B})\).

Since g(x) is relatively prime to f(x), \(\mathcal {L}\) is a full-rank lattice with basis \(\varvec{B}\). Therefore, \(\det (\mathcal {L})= |\det (\varvec{B})| = |Res(g,f)| = |Res(f,g)|.\)    \(\square \)

1.2 A.2 Proof of Lemma 2

Proof

We prove the lemma by induction on i.

For \(i=1\), it is trivial.

For \(i=2\), consider the first row, which corresponds to the constant polynomial \(h_{1,1}\). Since \(\mathcal {L}\) is an ideal lattice, the vector \((0,h_{1,1},0\cdots ,0)\), which corresponds to the polynomial \(h_{1,1}x\), is also in \(\mathcal {L}\).

It’s obvious that \((0,h_{1,1},0\cdots ,0)=x_{1}\varvec{H}_{1}+x_{2}\varvec{H}_{2}\) for some \(x_{1},x_{2} \in \mathbb {Z}.\) Then \(h_{1,1}=x_{2}h_{2,2}\), \(x_{1}h_{1,1}+x_{2}h_{2,1}=0\). Hence \(h_{2,2}|h_{1,1},h_{2,2}|h_{2,1}\), which completes the proof for \(i=2\).

Assume the result holds for \(i\le k \le n-1\), \(h_{i,i}|h_{j,l}, \) where \(1\le l \le j\le i\le k.\) We show that for \(i=k+1\), \(h_{k+1,k+1}|h_{j,l}\).

Consider the k-th row. The corresponding polynomial of k-th row is

$$h_{k,k}x^{k-1}+h_{k,k-1}x^{k-2}+\cdots +h_{k,2}x+h_{k,1}.$$

After multiplying x, we get a vector \( (0,h_{k,1},\cdots ,h_{k,k},0,\cdots ,0),\) which is a linear combination of \(\varvec{H}_{1},\cdots ,\varvec{H}_{k+1}\) with integer coefficients, i.e.

$$\begin{aligned} (0,h_{k,1},\cdots ,h_{k,k},0,\cdots ,0) = {\mathop {\sum }\nolimits _{i=1}^{k+1}} y_{i}\varvec{H}_{i}, \end{aligned}$$

where \(y_{i} \in \mathbb {Z}\), for \(i=1,\cdots ,k+1.\)

So

$$\begin{aligned} {\left\{ \begin{array}{ll} h_{k,k}&{}=y_{k+1}h_{k+1,k+1}\\ h_{k,k-1}&{}=y_{k}h_{k,k}+y_{k+1}h_{k+1,k}\\ &{}\vdots \\ h_{k,1}&{}={\mathop {\sum }\nolimits _{i=2}^{k+1}} y_{i}h_{i,2}\\ 0&{}={\mathop {\sum }\nolimits _{i=1}^{k+1}} y_{i}h_{i,1} \end{array}\right. }. \end{aligned}$$

(2)

From the first equation, we get \(y_{k+1}=\frac{h_{k,k}}{h_{k+1,k+1}}\) and

$$\begin{aligned} {\left\{ \begin{array}{ll} h_{k+1,k}&{}=\frac{h_{k,k-1}-y_{k}h_{k,k}}{h_{k,k}}h_{k+1,k+1}\\ h_{k+1,k-1}&{}=\frac{h_{k,k-2}-y_{k-1}h_{k-1,k-1}-y_{k}h_{k,k-1}}{h_{k,k}}h_{k+1,k+1}\\ &{}\vdots \\ h_{k+1,2}&{}=\frac{h_{k,1}-\sum _{i=2}^{k}{y_{i}h_{i,2}}}{h_{k,k}}h_{k+1,k+1}\\ h_{k+1,1}&{}=\frac{-\sum _{i=1}^{k}{y_{i}h_{i,1}}}{h_{k,k}}h_{k+1,k+1} \end{array}\right. }. \end{aligned}$$

From the induction hypothesis, we have \(h_{k,k}|h_{j,l}\) for \(1\le l\le j\le k \le n.\) So the coefficient of \(h_{k+1,k+1}\) in each equation is in fact an integer, therefore \(h_{k+1,k+1}|h_{k+1,l}\), \(1\le l\le k+1.\) Since \(h_{k+1,k+1}|h_{k,k}\), we know \(h_{k+1,k+1}|h_{j,l}\), where \(1\le l \le j \le k+1 \le n.\) Thus, the result holds for \(i=k+1\).

By the principle of induction, the lemma follows.    \(\square \)

1.3 A.3 Proof of Lemma 3

Proof

We prove the first equality by induction on i.

For \(i=2\), by the definition of \(\beta ,\) \(H_{2}(\beta )=0\mod h_{1,1}.\)

Assume \(H_{i}(\beta )=0\mod \frac{h_{1,1}h_{i,i}}{h_{2,2}},\) for \(i\le k,\) where \(2\le k \le n-1.\) From Eq. 2, we have

$$\begin{aligned} {\left\{ \begin{array}{ll} h_{k,k}x^{k}&{}=y_{k+1}h_{k+1,k+1}x^{k}\\ h_{k,k-1}x^{k-1}&{}=y_{k}h_{k,k}x^{k-1}+y_{k+1}h_{k+1,k}x^{k-1}\\ &{}\vdots \\ h_{k,1}x&{}={\mathop {\sum }\nolimits _{i=2}^{k+1}} y_{i}h_{i,2}x\\ 0&{}={\mathop {\sum }\nolimits _{i=1}^{k+1}} y_{i}h_{i,1} \end{array}\right. }. \end{aligned}$$

Sum the equations up,

$$y_{k+1}H_{k+1}(x)+y_{k}H_{k}(x)+y_{k-1}H_{k-1}(x)+\cdots +y_{1}H_{1}(x)=xH_{k}(x),$$

Set \(x=\beta \),

$$y_{k+1}H_{k+1}(\beta )+(y_{k}-\beta )H_{k}(\beta )+y_{k-1}H_{k-1}(\beta )+\cdots +y_{1}H_{1}(\beta )=0.$$

Note that \(H_{1}(x)=h_{1,1},\ H_{1}(\beta )=0\mod \frac{h_{1,1}h_{k,k}}{h_{2,2}}. \) By induction hypothesis, \(H_{i}(\beta )=0\mod \frac{h_{1,1}h_{i,i}}{h_{2,2}}\) and \(\frac{h_{1,1}h_{i+1,i+1}}{h_{2,2}}|\frac{h_{1,1}h_{i,i}}{h_{2,2}}\), \(y_{k+1}H_{k+1}(\beta )=0\mod \frac{h_{1,1}h_{k,k}}{h_{2,2}}.\) Since \(y_{k+1}=\frac{h_{k,k}}{h_{k+1,k+1}},\) we have

$$H_{k+1}(\beta )=0\mod \frac{h_{1,1}h_{k+1,k+1}}{h_{2,2}}.$$

Therefore for \(i=k+1\), the equality also holds. Thus \(H_{i}(\beta ) = 0 \mod \frac{h_{1,1}h_{i,i}}{h_{2,2}}\), \(\forall i \ge 2\).

For the second equality, note that \(xH_{n}(x)\mod f(x)=xH_{n}(x)- h_{n,n}f(x)\). Since the vector corresponding to \(xH_{n}(x)-h_{n,n} f(x)\) is a lattice vector, there exist integers \(z_1\cdots z_n \in \mathbb {Z}\), \(xH_{n}(x)-h_{n,n} f(x)=\sum _{i=1}^{n}z_{i}H_{i}(x)\).

Set \(x=\beta \),

$$\beta H_{n}(\beta )-h_{n,n} f(\beta )=\sum _{i=1}^{n}z_{i}H_{i}(\beta ).$$

Since \(h_{n,n}|h_{i,i}\) for all i, \(H_{i}(\beta )\) =0 \(\mod \frac{h_{1,1}h_{n,n}}{h_{2,2}}\), \(\forall i \ge 2\). Also \(H_{1}(\beta )\) =0 \(\mod \frac{h_{1,1}h_{n,n}}{h_{2,2}}\). Then \(h_{n,n} f(\beta )=0\mod \frac{h_{1,1}h_{n,n}}{h_{2,2}}\) and

$$f(\beta )=0\mod \frac{h_{1,1}}{h_{2,2}}.$$

   \(\square \)

1.4 A.4 Proof of Proposition 2

Proof

Since we only concern the parity of the determinant, we work over \(\mathbb {F}_{2}\). Denote

$$\varvec{P}=\left[ {\begin{array}{*{20}{c}} 0&{}1&{}{}&{}0&{}0\\ 0&{}0&{}{}&{}0&{}0\\ {}&{}{}&{} \ddots &{}{}&{}{}\\ 0&{}0&{}{}&{}0&{}1\\ 1&{}0&{}{}&{}0&{}0 \end{array}} \right] .$$

Then

$$\begin{aligned} \varvec{V}=\begin{bmatrix} v_{0}&v_{1}&v_{2}&v_{n-1} \\ -v_{n-1}&v_{0}&v_{1}&v_{n-2} \\ -v_{n-2}&-v_{n-1}&v_{0}&v_{n-3} \\&&\ddots&\\ -v_{1}&-v_{2}&-v_{3}&v_{0} \end{bmatrix} = {v_{0}}\varvec{I} + \cdots + {v_{n-1}}{\varvec{P}^{n - 1}} = v(\varvec{P}) \text{ over } \mathbb {F}_{2}. \end{aligned}$$

Now we compute the eigenvalues of \(\varvec{P}\).

Since \(\varvec{P}\) is a cyclic shift matrix, \(\varvec{P}^n=\varvec{I}\). Note that \(x^n+1=(x+1)^n\) over \(\mathbb {F}_{2}\) (n is a power of 2), then all the eigenvalues of \(\varvec{P}\) are 1. All the eigenvalues of \(\varvec{V}\) are thus \(v(1)=v_{0}+v_{1}+\cdots +v_{n-1}\). Hence,

$$\det (\mathcal {L})\equiv (v_{0}+v_{1}+\cdots +v_{n-1})^n \equiv v_{0}+v_{1}+\cdots +v_{n-1}\mod 2. $$

   \(\square \)

1.5 A.5 Proof of Proposition 3

Proof

 

• (1)\(\Leftrightarrow \)(2) The equivalence between the two conditions was proved in [7].

• (2)\(\Rightarrow \)(3) Assuming first that \(\varvec{r}=(-r,1,0,\cdots ,0) \in \mathcal {L}\). Then there exists \(y(x) \in \mathbb {Z}[x]/\left\langle f(x)\right\rangle \), such that \(y(x)v(x)=r(x)\mod f(x)\). Therefore,

  $$y(x)v(x)w(x)=r(x)w(x)\mod f(x).$$
  $$dy(x)=r(x)w(x)\mod f(x).$$

  Note that \(f(x)=x^n+1\), we have

  $$(-w_{n-1},\cdots ,w_{n-3},w_{n-2})-r(w_{0},\cdots ,w_{n-2},w_{n-1})=0\ \mod \ d.$$

  So \(w_{0}r=-w_{n-1} \mod d\) and \(w_{i+1}r=w_{i} \mod d\), for \(0\le i \le n-2\).

  We prove by contradiction that \(\exists \ 0\le i \le n-1\), \(\gcd (w_{i},d)=1\).

  If for arbitrary \(0\le i \le n-1\), \(\gcd (w_{i},d)\ne 1\), let \(\mu =\gcd (w_{0}, d) > 1\). From the relations among the \(w_i\)’s, we know \(\mu \) divides all the \(w_i\)’s. Therefore, \(\mu | \gcd (w_0, \cdots , w_{n-1}, d)\). Hence \(\frac{d}{\mu }=\frac{w(x)}{\mu } v(x) \mod f(x)\) is a lattice vector, which means the first diagonal of the HNF is a proper factor of d. So the second diagonal can’t be 1, otherwise the determinant is \(\frac{d}{\mu }\) rather than d. This is a contradiction. Therefore \(\exists \ 0\le i \le n-1\), \(\gcd (w_{i},d)=1\).

• (3)\(\Rightarrow \)(4) Assume \(\exists \ 0\le i \le n-1\), \(\gcd (w_{i},d)=1\), fix i. We also prove by contradiction. Suppose there exists a \(0\le j \le n-1\) such that \(\mu =\gcd (w_{j}, d)> 1\).

  Due to Lemma 2, we can assume the second row of HNF is \((-\alpha r,\alpha ,0,\cdots ,0)\), for some \(\alpha \in \mathbb {N^{+}}\). Then \(\alpha ^2|\alpha h_{1,1}|d\) and \(\gcd (\alpha , w_i)=1\). Similar to previous proof,

  $$\alpha (-w_{n-1},\cdots ,w_{n-3},w_{n-2})-\alpha r(w_{0},\cdots ,w_{n-2},w_{n-1})=0\ \mod \ d.$$

  Hence

  $$(-w_{n-1},\cdots ,w_{n-3},w_{n-2})-r(w_{0},\cdots ,w_{n-2},w_{n-1})=0\ \mod \ \frac{d}{\alpha }.$$

  According to the steps above, \(w_{i+1}r=w_{i} \mod \frac{d}{\alpha }\), for \(i \le n-2\) and \(w_{0}r=-w_{n-1} \mod \frac{d}{\alpha }\). Since \(\alpha ^2|d\), \(\frac{d}{\alpha }\) and d share exactly the same prime factors, hence \(\gcd (w_{j},\frac{d}{\alpha })=\mu '>1\) . Similar to the previous proof, we have \(\mu '\) divides all the coefficients of w(x). Specifically, \(\mu '|w_{i}\). Hence \(\mu '|\gcd (w_{i},d)\), a contradiction. Thus \(\gcd (w_{i},d)=1\) for any \(0\le i \le n-1\).

• (4)\(\Rightarrow \)(2) Assume for any \(0\le i \le n-1,\ \gcd (w_{i},d)=1\). Since \(d=w(x)v(x)\mod f(x)\), \(\gcd (w_0,\cdots ,w_{n-1})|d\). Hence \(\gcd (w_0,\cdots ,w_{n-1})=1\). Then \((d,0,\cdots ,0)\) is a primitive lattice vector in \(\mathcal {L}\). According to Remark 2, it’s the first row of the HNF of \(\mathcal {L}\), which means all the other diagonals in the HNF are 1. Thus, \(\mathcal {L}\) contains a vector (the second row of its HNF) of the form \(\varvec{r}=(-r,1,0,\cdots ,0)\).

   \(\square \)

1.6 A.6 Proof of Proposition 4

Proof

From the assumptions and the proof for Proposition 3, we know that \((-r,1,0,\cdots ,0)\) is in \(\mathcal {L}\). According to Lemma 3, r is a root of \(f(x)=0\mod d\). Therefore \(r^n = -1\mod d\).    \(\square \)