Paper 2025/282

Transistor: a TFHE-friendly Stream Cipher

Jules Baudrin, French Institute for Research in Computer Science and Automation, UCLouvain, Belgium
Sonia Belaïd, CryptoExperts (France)
Nicolas Bon, CryptoExperts (France), French Institute for Research in Computer Science and Automation, DIENS, École Normale Supérieure - PSL
Christina Boura, IRIF, Université Paris Cité
Anne Canteaut, French Institute for Research in Computer Science and Automation
Gaëtan Leurent, French Institute for Research in Computer Science and Automation
Pascal Paillier, CryptoExperts (France), Zama
Léo Perrin, French Institute for Research in Computer Science and Automation
Matthieu Rivain, CryptoExperts (France)
Yann Rotella, Versailles Saint-Quentin-en-Yvelines University
Samuel Tap, Zama
Abstract

Fully Homomorphic Encryption (FHE) allows computations on encrypted data without requiring decryption, ensuring data privacy during processing. However, FHE introduces a significant expansion of ciphertext sizes compared to plaintexts, which results in higher communication. A practical solution to mitigate this issue is transciphering, where only the master key is homomorphically encrypted, while the actual data is encrypted using a symmetric cipher, usually a stream cipher. The server then homomorphically evaluates the stream cipher to convert the encrypted data into a homomorphically encrypted form. We introduce Transistor, a stream cipher specifically designed for efficient homomorphic evaluation within the TFHE scheme, a widely-used FHE framework known for its fast bootstrapping and ability to handle low-precision data. Transistor operates on $\mathbb{F}_{17}$ which is chosen to optimize TFHE performances. Its components are carefully engineered to both control noise growth and provide strong security guarantees. First, a simple TFHE-friendly implementation technique for LFSRs allows us to use such components to cheaply increase the state size. At the same time, a small Finite State Machine is the only part of the state updated non-linearly, each non-linear operation corresponding in TFHE to a rather expensive Programmable Bootstrapping. This update is done using an AES-round-like transformation. But, in contrast to other stream ciphers like SNOW or LEX, our construction comes with information-theoretic security arguments proving that an attacker cannot obtain any information about the secret key from three or fewer consecutive keystream outputs. These information-theoretic arguments are then combined with a thorough analysis of potential correlations to bound the minimal keystream length required for recovering the secret key. Our implementation of Transistor significantly outperforms the state of the art of TFHE transciphering, achieving a throughput of over 60 bits/s on a standard CPU, all while avoiding the need for an expensive initialization process.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Stream CipherTFHELinear cryptanalysis
Contact author(s)
jules baudrin @ inria fr
sonia belaid @ cryptoexperts com
nicolas bon @ cryptoexperts com
christina boura @ irif fr
anne canteaut @ inria fr
gaetan leurent @ inria fr
pascal @ zama ai
leo perrin @ inria fr
matthieu rivain @ cryptoexperts com
yann rotella @ uvsq fr
samuel tap @ zama ai
History
2025-02-19: approved
2025-02-18: received
See all versions
Short URL
https://ia.cr/2025/282
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/282,
      author = {Jules Baudrin and Sonia Belaïd and Nicolas Bon and Christina Boura and Anne Canteaut and Gaëtan Leurent and Pascal Paillier and Léo Perrin and Matthieu Rivain and Yann Rotella and Samuel Tap},
      title = {Transistor: a {TFHE}-friendly Stream Cipher},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/282},
      year = {2025},
      url = {https://eprint.iacr.org/2025/282}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.