a590003

In the computation of the AES round function we use several constants. Some constants are used in
the S-box lookup phase to implement the AES bit-affine transformation, these are denoted γ and γ 2 j for
j = 0, . . . , 7. In the row-shift/col-mix part we use a constant C slct that has 1 in slots corresponding to t · g i
for i = 0, 4, 8, 12, and 0 in all the other slots of the form t · g i . (Here slot t is where we put the first AES
byte.) We also use ’X’ to denote the constant that has the element X in all the slots.
4.1 Homomorphic Evaluation of the Basic Operations
We now examine each AES operation in turn, and describe how it is implemented homomorphically. For
each operation we denote the plaintext polynomial underlying a given input ciphertext c by a, and the
corresponding content of the l plaintext slots are denoted as an l-vector (α i ) l i=1 , with each α i ∈ F 2 8.
4.1.1 AddKey and SubBytes
The AddKey is just a simple addition of ciphertexts, which yields a 4 × 4 matrix of bytes in the input to
the SubBytes operation. We place these 16 bytes in plaintext slots tg i for i = 0, 1, . . . , 15, using columnordering
to decide which byte goes in what slot, namely we have
a ≈ [α 00
α 10
α 20
α 30
α 01
α 11
α 21
α 31
α 02
α 12
α 22
α 32
α 03
α 13
α 23
α 33
],
encrypting the input plaintext matrix
A = ( α ij
)i,j
=
⎛
⎜
⎝
⎞
α 00 α 01 α 02 α 03
α 10 α 11 α 12 α 13
α 20 α 21 α 22 α 23
α 30 α 31 α 32 α 33
⎟
⎠ .
During S-box lookup, each plaintext byte α ij should be replaced by β ij = S(α ij ), where S(·) is a fixed
permutation on the bytes. Specifically, S(x) is obtained by first computing y = x −1 in F 2 8 (with 0 mapped
to 0), then applying a bitwise affine transformation z = T (y) where elements in F 2 8 are treated as bit strings
with representation polynomial G(X) = x 8 + x 4 + x 3 + x + 1.
We implement F 2 8 inversion followed by the F 2 affine transformation using the Frobenius automorphisms,
X −→ X 2j . Recall that for a power of two k = 2 j , the transformation κ k (a(X)) = (a(X k ) mod
Φ m (X)) is applied separately to each slot, hence we can use it to transform the vector (α i ) l i=1 into (αk i )l i=1 .
We note that applying the Frobenius automorphisms to ciphertexts has almost no influence on the noise
magnitude, and hence it does not consume any levels. 4
Inversion over F 2 8 is done using essentially the same procedure as Algorithm 2 from [25] for computing
β = α −1 = α 254 . This procedure takes only three Frobenius automorphisms and four multiplications,
arranged in a depth-3 circuit (see details below.) To apply the AES F 2 affine transformation, we use the fact
that any F 2 affine transformation can be computed as a F 2 8 affine transformation over the conjugates. Thus
there are constants γ 0 , γ 1 , . . . , γ 7 , δ ∈ F 2 8 such that the AES affine transformation T AES (·) can be expressed
as T AES (β) = δ + ∑ 7
j=0 γ j · β 2j over F 2 8. We therefore again apply the Frobenius automorphisms to compute
eight ciphertexts encrypting the polynomials κ k (b) for k = 1, 2, 4, . . . , 128, and take the appropriate
linear combination (with coefficients the γ j ’s) to get an encryption of the vector (T AES (αi
−1 )) l i=1 . For our
parameters, a multiplication-by-constant operation consumes roughly half a level in terms of added noise.
4 It does increase the noise magnitude somewhat, because we need to do key switching after these automorphisms. But this is
only a small influence, and we will ignore it here.
10
5. Homomorphic Evaluation of the AES Circuit