Bootstrapping Fully Homomorphic Encryption with Ring Plaintexts Within Polynomial Noise

Despite a great deal of progress in resent years, efficiency of fully homomorphic encryption (FHE) is still a major concern. Specifically, the bootstrapping procedure is the most costly part of a FHE scheme. FHE schemes with ring element plaintexts, such as the ring-LWE based BGV scheme, are the most efficient ones, since they can not only encrypt a ring element instead of a single bit in one ciphertext, but also support CRT-based ciphertext packing techniques. Thanks to homomorphic operations in a SIMD fashion (Single Instruction Multiple Data), the ring-LWE BGV scheme can achieve a nearly optimal homomorphic evaluation. However, the BGV scheme, as implemented in HElib, can only bootstrap within super-polynomial noise so far. Note that such a noise rate for a ring-LWE based scheme is less safe and more costly, because one has to choose larger dimensions to ensure security. On the other hand, existing polynomial noise bootstrapping techniques can only be applied to FHE schemes with bit plaintexts. In this paper, we provide a polynomial noise bootstrapping method for the BGV scheme with ring plaintexts. Specifically, our bootstrapping method allows users to choose any plaintext modulus p > 1 and any modulus polynomial Phi(X) for the BGV scheme. Our bootstrapping method incurs only polynomial error O(n(3)).B for lattice dimension n and noise bound B comparing to (B . poly(n)) ((O) over tilde (log(n))) for previous best methods. Concretely, to achieve 70 bit security, the dimension of the lattice that we use is no more than 2(12), while previous methods in HElib need about 2(14) to 2(16).