PRACTICAL (F)HE
Shai Halevi
October 2015, FHE+MMAPs Summer School, Paris
Part I - BGV Basics
Part II - Packed Ciphertexts
Part III - Bootstrapping

Using FHE in “Real World” Settings
• Example1: Check for some genetic trait in encrypted genomic data
• String comparison or substring-match or Hamming/Edit-distance
• E.g.,
• # of positions in which differ

Using FHE in “Real World” Settings
• Example2: I have , want to compute on this data (without decrypting)
• Possible solution: include together with e also
• Then compute homomorphically the function
• Computed homomorphically on , the AES-encrypted is only used to define the function to be computed
• Get
• Can now compute on
Useful to compute AES.dec homomorphically

How to Implement?
• Large parameters to ensure security
• Encrypt message bit-by-bit?
  • Represent each bit by a large matrix
  • Huge plaintext-to-ciphertext expansion
  • Very slow
• How to do better?
  • Work over rings
  • Optimize, optimize, optimize, …

Three Generations of HE Schemes
• 1G. First plausible candidate in [Gen’09]
  • Ciphertext is “noisy”, noise grows with computation, once too noisy, the “signal” is lost
  • log(Noise-magnitude) proportional to the degree of the evaluated function
  • Parameters must be huge, to allow large noise
• 2G. [BV’11, BGV’12,…]: Better noise control
  • Noise grows linearly with degree
  • “Ciphertext packing” with many plaintext elements

Three Generations of HE Schemes
• 1G. Fast accumulation of noise
• 2G. Better noise management + packing
• 3G. [GSW13,…]: “Asymmetric” noise growth
  • Very slow noise growth for some circuits
  • But slow noise growth in 3G is incompatible with ciphertext-packing (as far as we know)
• For efficiency, we have a choice:
  • 2G+packing (faster asymptotically)
  • or 3G+small-noise (sometimes faster in practice)

Here: 2nd Generation Scheme [BGV’12]
• Native plaintext space is
• p is a prime or prime-power (often )
• is m’th cyclotomic polynomial, deg=
• are co-prime
• Ciphertexts, secret-keys are 2-vectors over (for some )
• is a short vector
• Decryption formula is
• Below we assume that

Homomorphic Operations
• Additive Homomorphism is easy
• Multiplicative homomorphism is harder
  1. Basic multiplication via tensoring
  2. “Key-switching gadget” to reduce dimension
  3. Modulus switching to reduce the noise

How to Multiply
• Step 1: Tensor Product
• If then
• Error is
• So encrypts relative to the secret key
• But the dimension squares on multiply

How to Multiply
• Step 2: Dimension Reduction (1st try)
• “Key-switching gadget”, wrt wrt
• Essentially an encryption of under
• matrix W s.t.
• Given , compute
• If only was small, but
• Use bit-decomposition?
• This works, but we do something else here

How to Multiply
• Step 2: Dimension Reduction (better try)
• “Key-switching gadget”, wrt wrt
• Essentially an encryption of under
• matrix W s.t.
• Given , compute
• $q' = 1 \pmod{p}$
$\langle \mathbf{e}^*, \mathbf{c} \rangle \approx q \cdot |\mathbf{e}^*| \ll q q'$

How to Multiply
• Step 3: Modulus switching (from to )
• From to
• Just scale by and round “appropriately”,
• If for some k, then
• so for the same k
this is small

How to Multiply
• Step 3: Modulus switching (from to )
• If for some k, then for the same k
• If in addition we have and set via rounding, then
• Hence where

Noise Growth for Multiplication
• have noise magnitude
• Tensor has noise
  • Wrt secret key and modulus
• After key-switching, with noise
  • Wrt secret key and modulus
• After mod-switching back to , we get with noise wrt modulus (and )
• But we can mod-switch farther down, to get with noise wrt modulus

How Does Modulus-Switching Help?
• Example:
[Table: Noise and Modulus, using mod-switching vs. without mod-switching, for fresh ciphertexts, Level-1 (degree=2) and Level-2 (degree=4); annotation: “decryption errors”]

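An added example (not from the original slides) of the effect this slide compares: a toy BGV-style scheme over the integers instead of the polynomial ring, multiplying by tensoring and decrypting under the tensored key rather than key-switching. The moduli, the noise value 256 and all function names are constructed for illustration.

```python
import random

P = 2  # plaintext modulus; every ciphertext modulus must be 1 mod P

def center(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def phase(c, s, q):
    """[<c, s>]_q, equal to message + P*noise as long as it has not wrapped around q."""
    return center(sum(ci * si for ci, si in zip(c, s)), q)

def decrypt(c, s, q):
    return phase(c, s, q) % P

def encrypt(m, e, s, q, rng):
    """2-vector (b, a) with b + a*s1 = m + P*e (mod q); e is passed in to fix the noise."""
    a = rng.randrange(q)
    return [(m + P * e - a * s[1]) % q, a]

def tensor(u, v, q=None):
    """Step 1 of multiplication: all pairwise products, so the dimension squares."""
    w = [x * y for x in u for y in v]
    return w if q is None else [x % q for x in w]

def mod_switch(c, q, q2):
    """Scale each entry by q2/q, rounding to a nearby integer congruent to it mod P."""
    out = []
    for x in c:
        r = (2 * x * q2 + q) // (2 * q)  # nearest integer to x*q2/q
        r += (x - r) % P                 # restore the residue mod P
        out.append(r % q2)
    return out

def demo():
    rng = random.Random(2015)
    q0, q1 = 2**36 + 1, 2**24 + 1        # constructed toy moduli, both 1 mod P
    s = [1, rng.choice([-1, 1])]         # short secret key
    s2 = tensor(s, s)                    # key for level-1 products
    s4 = tensor(s2, s2)                  # key for level-2 products
    c = [encrypt(1, 256, s, q0, rng) for _ in range(4)]    # four encryptions of 1
    x, y = tensor(c[0], c[1], q0), tensor(c[2], c[3], q0)  # level 1, degree 2
    lazy = tensor(x, y, q0)                                # level 2, no switching
    xs, ys = mod_switch(x, q0, q1), mod_switch(y, q0, q1)
    switched = tensor(xs, ys, q1)                          # level 2 after switching
    return {
        "level1_noise": abs(phase(x, s2, q0)),
        "after_switch_noise": abs(phase(xs, s2, q1)),
        "without_switch": decrypt(lazy, s4, q0),
        "with_switch": decrypt(switched, s4, q1),
    }
```

Without switching, the level-2 phase 513^4 exceeds q0 and wraps, so decryption returns 0 instead of 1. After one switch to q1 the level-1 phase drops from 263169 to below 80, and the level-2 product stays far below q1/2.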
The Moduli Chain
• Parameters are chosen to allow depth
• Fresh ciphertexts are encrypted relative to a large modulus
• Mod-switch down from to after each level
• After mod-switching, noise is kept below
• Once we hit the smallest modulus , cannot multiply anymore

The BGV Multiplication Procedure
• Start from wrt modulus
• Tensor them to get wrt
• Key-switch to get wrt
• Mod-switch to get wrt

Implementation Details
• Choosing the moduli
• Ciphertext representation for different ops
• Tradeoffs and optimizations
  • Key-switching: large vs. breaking to digits
  • Mod-switching: doing fewer FFTs
  • Slightly changing the decryption invariant
• When to mod-switch (and how far down)
  • By maintaining a noise estimate with each ciphertext

Moduli and Ciphertext Representation
• Choose small primes
• , exists a primitive -th root of unity mod so
• Define
• Each can be represented by a matrix
• Both integer and polynomial CRT (DoubleCRT)
• (Similarly define )

Ciphertext Operations
• Addition, multiplication over computed element-wise on the DoubleCRT matrix
• Other ops require switching representation
  • Key-switching takes , lifts it to
  • Modulus-switching needs scaling/rounding
  • Use the decoding basis for these operations, needs to convert back and forth (FFT+CRT)

Operation Cost
• Cost measured in time, added-noise

Operation         Time       Noise
Add / Add-Const   Cheap      Cheap
Mult-by-Const     Cheap      Moderate
Mult+KeySwitch    Expensive  Expensive

Tradeoffs
• Almost all tradeoffs are time-vs-noise: slower operations that add less noise vs. faster ones that add more noise
• More noise → larger parameters → slower
• Parameter growth happens in “jumps”
  • Because ’s must have algebraic properties
  • In most cases increasing is a bad idea, better to use slower ops that let you keep smaller

Changing the Decryption Invariant
• Instead of , use
• Must keep track of the extra factor on encryption, decryption, multiplication
• Does not change much, but makes modulus switching easier (see next slide)

Mod-Switching Optimization
• Switching to ,
• Need to divide by then round s.t.
• More efficient to first round, then divide
  • Round to s.t.
  • Then set
• If then

Mod-Switching Optimization
• Switching to ,
1. Let // one row of the DCRT matrix
  • Convert to decoding basis
  • Add/subtract multiples of to the coefficients, to make them divisible by
  • Result is divisible by , and
2. //
3. // multiply the th DCRT row by
//
1 iFFT
FFTs

Mod-Switching Optimization
• This method takes only FFTs
• Naïve method would have been FFTs
  • also requires integer CRT calculation and big-integer division

Key-Switching Optimization
• We lift from to to get
• The key-switching matrix includes RLWE instances wrt large modulus
• If then for the same security level, RLWE wrt needs dimension about twice that of RLWE wrt

Key-Switching Optimization
• We lift from to to get
  • So we need larger dimension
• We could instead break into bits/digits
  • , each
  • Key-switching time grows with
• Do both: break to few digits, use smaller
  • “Sweet spot” is usually breaking into 3-4 digits

When to Mod-Switch?
• Mod-switching only reduces noise when done prior to multiplication
  • Resulting noise is the product of noises, reducing noises by reduces the resulting noise by
  • Up to the additional noise term for mod-switching
• No noise advantage in any other case
• Suggests lazy strategy
  • Only mod-switch before multiplication

When to Mod-Switch?
• Noise considerations suggest lazy strategy
• But larger Q than needed wastes time
  • Must keep, manipulate more DCRT rows
• Also better to mod-switch before fan-out:
  • modSwitch(), copy to , vs. copy to , modSwitch()
• Optimization problem: for a given arithmetic circuit, where to put the mod-switch ops

How Far to Mod-Switch?
• Roughly, until the noise after mod-switching is dominated by the added noise term
• Maintain noise estimates with ciphertexts, use estimates to make these decisions
• Estimate must be somewhat conservative, small under-estimation will lead to wrong mod-switch decisions, escalating quickly

Some Numbers (March 2015)
• Numbers are just a sample, not all taken on the same machine, some are extrapolated

Timing in seconds
            KeyGen  Enc   Dec   Add     Mult-Const  Multiply
Depth=10    4       0.07  0.03  0.0004  0.007       0.1
Depth=20    11      0.21  0.1   0.001   0.016       0.3
Depth=56    102     1.37  0.16  0.01    0.06        1.5

Some Numbers (March 2015)
            Memory
Depth=10    <2GB
Depth=20    3.6GB
Depth=56    23GB

TIME FOR A BREAK