2

What homomorphic cryptographic scheme should I use to perform modular reduction?

I want an encryption scheme along with an operation $\otimes$ such that

$$c = Enc(m) \otimes Enc(d) \Rightarrow Dec(c) = m \bmod d.$$

Maarten Bodewes
mip

1 Answer

2

Since the plaintext domain of the HE scheme FV (https://eprint.iacr.org/2012/144) is $\mathbb{Z}_t$, it will by default return $m \ \text{mod} \ t$.

However, if your aim is to compute the reduction modulo $Q$ for an arbitrary $Q$, then you need to express your modular reduction as a circuit of additions and multiplications (or other operations supported by the HE scheme you use).

This is what is done, for example, in the bootstrapping of the HE scheme HEAAN (https://eprint.iacr.org/2018/153), where the reduction modulo $Q$ (i.e. $f(m + K \cdot Q) \approx m$, for $K$ in a given bound) is expressed as $f(x) = \frac{Q}{2\pi}\sin(\frac{2\pi x}{Q})$, for $x \ll Q$ (about 10 bits smaller than $Q$), and is approximated with a polynomial of small degree (which can be done just with multiplications and additions).

All in all, since the reduction modulo $Q$ is not a continuous function, it is hard to approximate and there is no (known) good way to do it homomorphically; it is currently a subject of research.

user51428
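The sine approximation described in the answer above, as an added plaintext simulation in Python (not part of the original answer and not code from HEAAN; no encryption is performed). It evaluates $f(m + K \cdot Q)$ exactly and with a polynomial built from additions and multiplications only. Assumptions of this example: $Q = 2^{20}$, $|m| \le 2^{10}$, $|K| \le 12$, and a degree-7 Taylor polynomial of the complex exponential followed by 8 squarings as one way to keep the degree small.

```python
import math

def sine_mod(x, Q):
    """f(x) = Q/(2*pi) * sin(2*pi*x/Q): smooth stand-in for the reduction mod Q."""
    return Q / (2 * math.pi) * math.sin(2 * math.pi * x / Q)

def poly_sine_mod(x, Q, degree=7, squarings=8):
    """Approximate f using only additions and multiplications on x.

    Taylor-expand exp(i*theta) at theta = 2*pi*x / (Q * 2**squarings), where
    the argument is small, then square the result `squarings` times.
    degree and squarings are example parameters chosen for |K| <= 12.
    """
    theta = 2 * math.pi * x / (Q * 2 ** squarings)  # scaling by a public constant
    term = acc = complex(1, 0)
    for k in range(1, degree + 1):
        term *= complex(0, theta) / k  # 1/k is a public constant
        acc += term
    for _ in range(squarings):
        acc *= acc  # exp(i*t)**2 == exp(2*i*t)
    return Q / (2 * math.pi) * acc.imag

def worst_error(f, Q, m_bound, K_bound):
    """Largest |f(m + K*Q) - m| over a grid of |m| <= m_bound, |K| <= K_bound."""
    samples = (-m_bound, -m_bound // 2, -1, 0, 1, m_bound // 3, m_bound)
    return max(abs(f(m + K * Q, Q) - m)
               for K in range(-K_bound, K_bound + 1) for m in samples)

if __name__ == "__main__":
    Q, m_bound, K_bound = 1 << 20, 1 << 10, 12  # constructed sample parameters
    print("exact sine, worst error:", worst_error(sine_mod, Q, m_bound, K_bound))
    print("polynomial, worst error:", worst_error(poly_sine_mod, Q, m_bound, K_bound))
    # Failure mode: once m is not small relative to Q, sin() no longer tracks m.
    m = Q // 4
    print("m = Q/4:", m, "f returns", sine_mod(m + 3 * Q, Q))
```

With these parameters the polynomial result rounds back to $m$, while for $m = Q/4$ the output is off by roughly $0.09\,Q$, which is why the input must stay far below $Q$.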