A Full RNS Variant of Approximate Homomorphic Encryption
Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University)
Miran Kim (UTHealth), Yongsoo Song (UC San Diego)
SAC 2018
Residue Number System (a.k.a. CRT)
Background
Secure Computation
- Differential Privacy
- (Secure) Multi-Party Computation
- (Fully) Homomorphic Encryption
  - Semantic security.
  - Non-interactive.
  - Reusable.
  - Long-term storage, Unlimited sources.
Landscape of HE Schemes

Scheme            | Word Encryption                   | Bit Encryption              | Approximate Encryption
------------------+-----------------------------------+-----------------------------+------------------------------------
Scheme (Library)  | BGV (HElib), B/FV (SEAL, NFLlib)  | FHEW, TFHE                  | HEAAN
Plaintext Space   | Finite field + Packing            | Single Bit                  | Real / Complex + Packing
Operation         | Addition, Multiplication          | Binary Gate + Bootstrapping | Addition, Multiplication, Rounding
Approximate HE (HEAAN, 慧眼)
- Design
  - Homomorphic Encryption for Arithmetic of Approximate Numbers [CKKS (AC'17)]
  - Bootstrapping [CHKKS (EC'18)]
- Applications in Machine Learning
  - Training of Logistic Regression Model [KSW+ (JMI'18), KSK+ (iDASH'17, BMC'18), CKKS (IEEE Access'18)]
  - Matrix Computation & Evaluation of Neural Networks [JKLS (CCS'18)]
Approximate Computation
- Numerical Representation
  - $1.234 = 1234 \cdot 10^{-3}$.
  - Scaling factor $p = 10^{3}$.
- Fixed-Point Arithmetic
  - $1.234 \times 5.678 = 1234 \times 5678 \cdot 10^{-6} = 7006652 \cdot 10^{-6} \mapsto 7007 \cdot 10^{-3} = 7.007$.
  - Division by scaling factor $p$ (a.k.a. Rounding operation).
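(Leveled) Approximate HE
- Approximate Encoding / Encryption
  - (Ring) LWE-based.
  - $x \mapsto m = p \cdot x$. $p$: scaling factor. $m$: significant digits of $x$.
  - $ct = \mathrm{Enc}_{pk}(m) \implies \langle ct, sk \rangle \pmod{q_\ell} = m + e \approx p \cdot x$.
- Approximate Homomorphic Operations
  - Mult: $\mathrm{Enc}(m_1), \mathrm{Enc}(m_2) \mapsto \mathrm{Enc}(m \approx m_1 m_2 \approx p^2 \cdot x_1 x_2)$.
  - Round: $\mathrm{Enc}(m) \pmod{q_\ell} \mapsto \mathrm{Enc}(m' \approx p^{-1} \cdot m) \pmod{q_{\ell-1}}$ for $p = q_\ell / q_{\ell-1}$.
  - Leveled Structure: $q_L = p^L > q_{L-1} = p^{L-1} > \cdots > (q_1 = p)$.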
Main Result
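Motivation
Ring structure $R_q = \mathbb{Z}_q[X] / (X^N + 1)$.
Expensive operation & High-precision library ($\log q = 250 \sim 800$).
Residue Number System (RNS): $\mathbb{Z}_q \cong \mathbb{Z}_{p_1} \times \mathbb{Z}_{p_2} \times \cdots \times \mathbb{Z}_{p_k}$.

Scheme            | Word Encryption                         | Approximate Encryption
------------------+-----------------------------------------+-----------------------
Representation    | HElib (Double-CRT) [GHS12b]             | This Work
Homo. Operations  | Full RNS B/FV Variants [BEHZ17, HPS18]  |
Library           | SEAL (v2.3)                             | RNS HEAAN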
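Idea 1: Approx RNS Basis
- Rounding Operation
  - $\mathrm{Enc}(m) \pmod{q_\ell} \mapsto \mathrm{Enc}(p_\ell^{-1} \cdot m) \pmod{q_{\ell-1}}$ for $p_\ell = q_\ell / q_{\ell-1}$.
What if we don't use the same $p = p_\ell$ for all $\ell$?
$q_L = p_1 p_2 \cdots p_L$ for approximate basis $p_\ell \approx p$.
$\mathrm{Enc}(p_\ell^{-1} \cdot m) \approx \mathrm{Enc}(p^{-1} \cdot m)$ (w/ approximation error)
$R_{q_L} \cong R_{p_1} \times R_{p_2} \times \cdots \times R_{p_L}$ for $q_L = p_1 p_2 \cdots p_L$.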
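Idea 1: Approx RNS Basis
- Polynomial Arithmetic
  - Number Theoretic Transformation (NTT): $R_{p_i} \to \mathbb{Z}_{p_i}^N$
  - Should be a prime number with $p_i \equiv 1 \pmod{2N}$.
- Example ($p = 2^{55}$, $N = 2^{15}$)
  $p_1$ = 80000000080001, $p_2$ = 80000000130001, $p_3$ = 7FFFFFFFE90001, …
  $R_{p_1} \times R_{p_2} \times \cdots \times R_{p_L} \cong \mathbb{Z}_{p_1}^N \times \mathbb{Z}_{p_2}^N \times \cdots \times \mathbb{Z}_{p_L}^N$.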
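The rounding step over an approximate basis, carried out residue by residue, as an added example (not code from the slides or from the HEAAN project). It assumes the three hexadecimal moduli listed above, a scaling factor of 2^55 and ring dimension 2^15, and uses plain integers in place of ciphertext polynomials; all function names are hypothetical.

```python
# Added illustration: fixed-point multiply + RNS rescale with an approximate basis.
P = 2**55                      # assumed scaling factor p
N = 2**15                      # assumed ring dimension
BASIS = [0x80000000080001, 0x80000000130001, 0x7FFFFFFFE90001]  # p_1, p_2, p_3

def ntt_friendly(basis, n):
    """An NTT over Z_{p_i}^N needs a 2N-th root of unity: p_i = 1 (mod 2N)."""
    return all(p % (2 * n) == 1 for p in basis)

def to_rns(value, basis):
    return [value % p for p in basis]

def centered(r, p):
    """Representative of r mod p in (-p/2, p/2]."""
    return r - p if r > p // 2 else r

def rescale_rns(res, basis):
    """Drop the last modulus p_l and return round(m / p_l) mod p_1..p_{l-1}.
    Each output residue uses word-sized arithmetic only; the big integer m
    is never reconstructed."""
    p_l = basis[-1]
    last = centered(res[-1], p_l)
    return [((r - last) * pow(p_l, -1, p)) % p
            for r, p in zip(res[:-1], basis[:-1])]

def demo(x1=1.234, x2=5.678):
    m1, m2 = round(x1 * P), round(x2 * P)            # encode at scale p
    prod_res = [(a * b) % p                           # product carries scale p^2
                for a, b, p in zip(to_rns(m1, BASIS), to_rns(m2, BASIS), BASIS)]
    out = rescale_rns(prod_res, BASIS)                # back to scale ~p, one level lower
    # Big-integer reference, used only to check the RNS result.
    big = m1 * m2
    exact = (big - centered(big % BASIS[-1], BASIS[-1])) // BASIS[-1]
    decoded = exact / P        # decoder divides by p, although we divided by p_3
    return out, to_rns(exact, BASIS[:-1]), decoded

if __name__ == "__main__":
    out, expected, decoded = demo()
    print(ntt_friendly(BASIS, N), out == expected, decoded - 1.234 * 5.678)
```

The decoded product differs from 1.234 × 5.678 by a few parts in 10^10, which is the approximation error of dividing by p_3 instead of p.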
Idea 2: Approx Modulus Switching
- Non-Polynomial Algorithms
  - Key-switching process (e.g. Homomorphic multiplication)
  - Mod Raising: $R_{q_\ell} \to R_{\Delta \cdot q_\ell}$, $a \mapsto a$.
  - Mod Reduction: $R_{\Delta \cdot q_\ell} \to R_{q_\ell}$, $b \mapsto \lfloor b / \Delta \rceil = (b - [b]_\Delta) / \Delta$.
  - $\mathrm{RNS}_{(p_1, p_2, \ldots, p_\ell)}(a) = (a_i)_{i \in [\ell]}$.
Alternative algorithms without RNS conversions?
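Idea 2: Approx Modulus Switching
- Our Approx Mod Raising Algorithm (from $q_\ell$ to $\Delta \cdot q_\ell$)
  $R_{p_1} \times \cdots \times R_{p_\ell} \to R_{p_1} \times \cdots \times R_{p_\ell} \times R_{\Delta_1} \times \cdots \times R_{\Delta_k}$,
  $(a_1, \ldots, a_\ell) \mapsto (a_1, \ldots, a_\ell, b_1, \ldots, b_k) = \mathrm{RNS}_{p_i, \Delta_j}(q_\ell \cdot e + a)$.
  $\mathrm{RNS}_{p_i}^{-1}(a_i) \equiv \sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i \pmod{q_\ell}$ for $\hat{p}_i = q_\ell / p_i$.
  $\sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i = q_\ell \cdot e + a$ for a small $e$.
  $b_j = \sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i \pmod{\Delta_j}$.
RNS Friendly Computation & Correctness of Homo Operations (w/ additional noise)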
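The approximate mod raising above and the matching mod reduction, applied to a single coefficient, as an added example (not code from the slides or from the HEAAN project). The small moduli are constructed stand-ins for the two bases, residues are taken in [0, m) so the reduction is the floor variant, and all names are hypothetical.

```python
# Added illustration: approximate modulus switching without leaving RNS.
from math import prod

P_BASIS = [65519, 65521, 65537]   # constructed stand-ins for p_1..p_l
D_BASIS = [65539, 65543]          # constructed stand-ins for Delta_1..Delta_k
Q, DELTA = prod(P_BASIS), prod(D_BASIS)

def to_rns(value, basis):
    return [value % m for m in basis]

def conv(res, src, dst):
    """Approximate basis conversion. For each target modulus t return
    sum_i [a_i * hat_i^{-1}]_{s_i} * hat_i (mod t), hat_i = prod(src) / s_i.
    As an integer the sum is a + e * prod(src) with 0 <= e < len(src);
    the multiple e is never removed. hat_i, its inverse and hat_i mod t
    are constants a real implementation precomputes."""
    q = prod(src)
    terms = [((a * pow(q // s, -1, s)) % s, q // s) for a, s in zip(res, src)]
    return [sum(c * (hat % t) for c, hat in terms) % t for t in dst]

def mod_up(a_res):
    """(a_1..a_l) -> (a_1..a_l, b_1..b_k): RNS form of q_l * e + a."""
    return a_res + conv(a_res, P_BASIS, D_BASIS)

def mod_down(res):
    """RNS form of b over P_BASIS + D_BASIS -> (b - [b]_Delta) / Delta over
    P_BASIS, off by a small integer e' < k from the approximate conversion."""
    l = len(P_BASIS)
    low = conv(res[l:], D_BASIS, P_BASIS)     # [b]_Delta + e' * Delta, mod each p_i
    return [((b - r) * pow(DELTA, -1, p)) % p
            for b, r, p in zip(res[:l], low, P_BASIS)]

if __name__ == "__main__":
    a = 123456789012                          # constructed coefficient, a < Q
    raised = mod_up(to_rns(a, P_BASIS))
    e = next(e for e in range(len(P_BASIS))
             if raised == to_rns(a + e * Q, P_BASIS + D_BASIS))
    print("mod_up represents a + e*Q with e =", e)
    print("mod_down:", mod_down(to_rns(a * DELTA + 4242, P_BASIS + D_BASIS)))
```

The small multiple left behind by each conversion is the additional noise the slide mentions.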
Summary
- Idea 1: Approximate Basis
  - $q_\ell = p_1 p_2 \cdots p_\ell$ with $p_\ell \approx p$ for RNS decomposition.
  - Approximate error ($p_\ell^{-1} m \approx p^{-1} m$) of the Rounding algorithm.
- Idea 2: Full-RNS Variant
  - Approximate modulus-switching algorithms $R_{q_\ell} \leftrightarrow R_{\Delta \cdot q_\ell}$.
  - Additional noise.
Efficiency & Convenience of Implementation (GMP, NTL free)
vs Precision loss of computation
HEAAN vs RNS HEAAN
- 8x ~ 12x speed up
- HEAAN: 14 bits precision
- RNS HEAAN: 32 bits precision
https://github.com/HanKyoohyung/HEAAN-dev
Questions?