|Authors||C. Cid, J. P. Indrøy and H. Raddum|
|Title||FASTA – a stream cipher for fast FHE evaluation|
|Publication Type||Proceedings, refereed|
|Year of Publication||2022|
|Conference Name||Topics in Cryptology - CT-RSA 2022 - Cryptographers' Track at the RSA Conference 2022|
|Place Published||Lecture Notes in Computer Science|
|Keywords||Homomorphic Encryption, Hybrid Encryption, secret-key cryptography, Stream Ciphers|
In this paper we propose Fasta, a stream cipher design optimised for implementation over popular fully homomorphic encryption schemes. A number of symmetric encryption ciphers have been recently proposed for FHE applications, e.g. the block cipher LowMC, and the stream ciphers Rasta (and variants), FLIP and Kreyvium. The main design criterion employed in these ciphers has typically been to minimise the multiplicative complexity of the algorithm. However, other aspects affecting their efficient evaluation over common FHE libraries are often overlooked, compromising their real-world performance. Whilst Fasta may also be considered as a variant of Rasta, it has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. This results in a speedup by a factor of 25 compared to the most efficient publicly available implementation of Rasta. Fasta’s target is BGV, as implemented in HElib. However the design ideas introduced in the cipher could also be potentially employed to achieve improvements in the homomorphic evaluation in other popular FHE schemes/libraries. We do consider such alternatives in this paper (e.g. BFV and BGVrns, as implemented in SEAL and PALISADE), but argue that, unlike BGVin HElib, it is more challenging to make use of their parallelism in a Rasta-like stream cipher design.