real-heaan: approximate homomorphic encryption over the ... · homomorphic encryption (he): an...
TRANSCRIPT
![Page 1: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/1.jpg)
Real-HEAAN: Approximate Homomorphic Encryption over the Conjugate-invariant Ring
Duhyeong Kim Yongsoo Song!Seoul National University (SNU)
"University of California, San Diego (UCSD)
Nov 28, 2018
1 2
![Page 2: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/2.jpg)
¡ An approximate Homomorphic Encryption of which the plaintext space is (purely) real number field
⟹ NO waste of the plaintext space for real-number arithmetic contrary to HEAAN
⟹ Prevent the potential problem of HEAAN
¡ Real-HEAAN supports twice more parallel computations compared to HEAAN under the same security level, speed, and memory (with new NTT method)
Contributions of Real-HEAAN
![Page 3: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/3.jpg)
An Approxmiate HE SchemeHEAAN
![Page 4: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/4.jpg)
HEAAN: Homomorphic Encryption for Arithmetic over Approximate Numbers
¡ Proposed by Cheon-Kim-Kim-Song in Asiacrypt’17
¡ Natural fit in real-world applications which require approximate computations of real numbers
¡ Abandoning exact computations, it gains a lot of advantages in efficiency:
Ctxt/Ptxt expansion ratio, # Ptxt slots, rounding operation (for free)
HEAAN: an Approximate HE scheme
![Page 5: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/5.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
HEAAN: an Approximate HE scheme
![Page 6: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/6.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
¡ Public Key: pk = 1, 2 = 1 ⋅ # + 4 ∈ ()*
HEAAN: an Approximate HE scheme
![Page 7: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/7.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
¡ Public Key: pk = 1, 2 = 1 ⋅ # + 4 ∈ ()*
¡ Ciphertext of 5 ∈ (:= ,[-]/(-/ + 1): ct = 9 ⋅ 1 + 4:, 9 ⋅ 2 + 4* + 5 ∈ ()*
HEAAN: an Approximate HE scheme
![Page 8: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/8.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
¡ Public Key: pk = 1, 2 = 1 ⋅ # + 4 ∈ ()*
¡ Ciphertext of 5 ∈ (:= ,[-]/(-/ + 1): ct = 9 ⋅ 1 + 4:, 9 ⋅ 2 + 4* + 5 ∈ ()*
⟨ct, sk⟩ = 5 + 4=(≈ 5)
HEAAN: an Approximate HE scheme
![Page 9: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/9.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
¡ Public Key: pk = 1, 2 = 1 ⋅ # + 4 ∈ ()*
¡ Ciphertext of 5 ∈ (:= ,[-]/(-/ + 1): ct = 9 ⋅ 1 + 4:, 9 ⋅ 2 + 4* + 5 ∈ ()*
⟨ct, sk⟩ = 5 + 4=(≈ 5)
The Decryption Circuit!(No Additional Modulo Operation)
HEAAN: an Approximate HE scheme
![Page 10: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/10.jpg)
¡ Secret Key: sk = (−#, 1) ∈ ()* where () = ,) - /(-/ + 1)
¡ Public Key: pk = 1, 2 = 1 ⋅ # + 4 ∈ ()*
¡ Ciphertext of 5 ∈ (:= ,[-]/(-/ + 1): ct = 9 ⋅ 1 + 4:, 9 ⋅ 2 + 4* + 5 ∈ ()*
⟨ct, sk⟩ = 5 + 4=(≈ 5)
HEAAN: an Approximate HE scheme
Evaluation error + Decryption error
![Page 11: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/11.jpg)
Then how are the complex numbers packed into an element of ! = #[%]/(%) + +)?
¡ Let - be an isomorphism (induced by canonical embedding) from C/0 to R[2]/(23 + 1)
(C and R denote complex/real number fields resp.)
¡ Given 35
complex numbers 67, 65, … , 6/0
and a scaling factor Δ > 0,
=>? @+, … , @)/A; C = C ⋅ E @+,… , @)/A ≔ G
¡ The decoding process is very simple, just evaluating a half of m-th primitive root of unities
H>? I;C = +C⋅ J KLMN+
OPMQ)/A
¡ The scaling factor controls the Encoding/Decoding error
Encoding/Decoding of HEAAN
![Page 12: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/12.jpg)
Then how are the complex numbers packed into an element of ! = #[%]/(%) + +)?
¡ Let - be an isomorphism (induced by canonical embedding) from C/0 to R[2]/(23 + 1)
(C and R denote complex/real number fields resp.)
¡ Given 35
complex numbers 67, 65, … , 6/0
and a scaling factor Δ > 0,
=>? @+, … , @)/A; C = C ⋅ E @+,… , @)/A ≔ G
¡ The decoding process is very simple, just evaluating a half of m-th primitive root of unities
H>? I;C = +C⋅ J KLMN+
OPMQ)/A
¡ The scaling factor controls the Encoding/Decoding error
Encoding/Decoding of HEAAN
![Page 13: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/13.jpg)
Then how are the complex numbers packed into an element of ! = #[%]/(%) + +)?
¡ Let - be an isomorphism (induced by canonical embedding) from C/0 to R[2]/(23 + 1)
(C and R denote complex/real number fields resp.)
¡ Given 35
complex numbers 67, 65, … , 6/0
and a scaling factor Δ > 0,
=>? @+, … , @)/A; C = C ⋅ E @+,… , @)/A ≔ G
¡ The decoding process is very simple, just evaluating a half of m-th primitive roots of unities
H>? I;C = +C⋅ J KLMN+
OPMQ)/A
¡ The scaling factor controls the Encoding/Decoding error
Encoding/Decoding of HEAAN
![Page 14: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/14.jpg)
iDASH Privacy & Security Workshop
¡ A Privacy & Security workshop holding competitions on secure genome analysis
¡ One of 3 tasks: secure genome analysis based on HE (e.g., Logistic Regression, GWAS,…)
Impact of HEAAN to real-world
![Page 15: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/15.jpg)
iDASH Privacy & Security Workshop
¡ A Privacy & Security workshop holding competitions on secure genome analysis
¡ One of 3 tasks: secure genome analysis based on HE (e.g., Logistic Regression, GWAS,…)
¡ HEAAN-based solutions won the 1st place both on 2017 and 2018
¡ All the submitted solutions of HE-based secure GWAS computation used HEAAN!
Impact of HEAAN to real-world
![Page 16: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/16.jpg)
Some Limitations of HEAAN
![Page 17: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/17.jpg)
1. The Waste of the Plaintext Space
¡ The Plaintext space of HEAAN is
R " /("% + 1) ≃ C+,
where - and . denote the real / complex number field respectively.
Limitations of HEAAN
![Page 18: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/18.jpg)
1. The Waste of the Plaintext Space
¡ The Plaintext space of HEAAN is
R " /("% + 1) ≃ C+, ⊃ R
+,
where . and / denote the real / complex number field respectively.
¡ In real-number applications, we only use the subring R+, of the plaintext space C
+, !
Limitations of HEAAN
![Page 19: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/19.jpg)
2. The Complex Explosion Problem
¡ In real-number applications, we only care about the real part of a plaintext.
¡ However, the complex part of a plaintext is “internally growing up” in every operation!
Limitations of HEAAN
![Page 20: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/20.jpg)
2. The Complex Explosion Problem
¡ In real-number applications, we only care about the real part of a plaintext.
¡ However, the complex part of a plaintext is “internally growing up” in every operation!
! + #$ % + &$ = !% − #& + !& + #% $
Limitations of HEAAN
The new cplx part after a multiplication
![Page 21: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/21.jpg)
2. The Complex Explosion Problem
¡ In real-number applications, we only care about the real part of a plaintext.
¡ However, the complex part of a plaintext is “internally growing up” in every operation!
! + #$ % + &$ = !% − #& + !& + #% $
Limitations of HEAAN
The new cplx part after a multiplication
Let !, % ≈ 2, and #, & ≈ 2- for . ≪ 0.
⟹ 23 ,
45 ≈ 2-6, & 3472535624 ≈ 2-6,78
![Page 22: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/22.jpg)
2. The Complex Explosion Problem
¡ In real-number applications, we only care about the real part of a plaintext.
¡ However, the complex part of a plaintext is “internally growing up” in every operation!
! + #$ % + &$ = !% − #& + !& + #% $
Limitations of HEAAN
The new cplx part after a multiplication
Let !, % ≈ 2, and #, & ≈ 2- for . ≪ 0.
⟹ 23 ,
45 ≈ 2-6, & 3472535624 ≈ 2-6,78
¡ The complex part essentially explodes in large-depth circuit evaluations
![Page 23: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/23.jpg)
Real-HEAAN
![Page 24: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/24.jpg)
Use the subring of the cyclotomic ring!
¡ The plaintext space of original HEAAN
R " /("% + 1) ≃ C+,
The core idea of Real-HEAAN
![Page 25: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/25.jpg)
Use the subring of the cyclotomic ring!
¡ The plaintext space of original HEAAN
R " /("% + 1) ≃ C+,
¡ The NEW plaintext space
R+,
The core idea of Real-HEAAN
∪
![Page 26: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/26.jpg)
Use the subring of the cyclotomic ring!
¡ The plaintext space of original HEAAN
R " /("% + 1) ≃ C+,
¡ The NEW plaintext space
R " + "-. /("% + 1) ≃ R+,
Here "-. ≔ −"%-. denotes the inverse of " modulo "% + 1
The core idea of Real-HEAAN
∪∪
![Page 27: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/27.jpg)
¡ Let !" ≔ $ % + %'( /(%+ + 1)
The core idea of Real-HEAAN
![Page 28: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/28.jpg)
¡ Let !" ≔ $ % + %'( /(%+ + 1)
¡ Every element of Real-HEAAN is built over !′ instead of ! = Z % /(%+ + 1)l Secret Key: sk = (−2, 1) ∈ !5"6 where !5" = $5 % + %'( /(%+ + 1)
l Public Key: pk = 7, 8 = 7 ⋅ 2 + : ∈ !5"6
l Ciphertext of ; ∈ !′: ct = < ⋅ 7 + :(, < ⋅ 8 + :6 + ; ∈ !5"6
The core idea of Real-HEAAN
![Page 29: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/29.jpg)
Then how are the real numbers packed into an element of !′ = $[& + &()]/(&- + ))?
¡ Let / be an isomorphism (induced by canonical embedding) from R12 to R[3 + 3(4]/(35 + 1)
(Note that / is just a simple domain-restriction of 7 ⟹ / = 7|:1/2)
¡ Given 5
;real numbers <4, <;, … , <1
2and a scaling factor Δ > 0,
BCD E), … , E-/F; H = H ⋅ J E), … , E-/F ≔ L
¡ The decoding process is exactly same with HEAAN:
MCD N;H =)
H⋅ O PQRS)
TURV-/F
Encoding/Decoding of Real-HEAAN
![Page 30: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/30.jpg)
Then how are the real numbers packed into an element of !′ = $[& + &()]/(&- + ))?
¡ Let / be an isomorphism (induced by canonical embedding) from R12 to R[3 + 3(4]/(35 + 1)
(Note that / is just a simple domain-restriction of 7 ⟹ / = 7|:1/2)
¡ Given 5
;real numbers <4, <;, … , <1
2and a scaling factor Δ > 0,
BCD E), … , E-/F; H = H ⋅ J E), … , E-/F ≔ L
¡ The decoding process is exactly same with HEAAN:
MCD N;H =)
H⋅ O PQRS)
TURV-/F
Encoding/Decoding of Real-HEAAN
![Page 31: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/31.jpg)
Then how are the real numbers packed into an element of !′ = $[& + &()]/(&- + ))?
¡ Let / be an isomorphism (induced by canonical embedding) from R12 to R[3 + 3(4]/(35 + 1)
(Note that / is just a simple domain-restriction of 7 ⟹ / = 7|:1/2)
¡ Given 5
;real numbers <4, <;, … , <1
2and a scaling factor Δ > 0,
BCD E), … , E-/F; H = H ⋅ J E), … , E-/F ≔ L
¡ The decoding process is exactly same with HEAAN:
MCD N;H =)
H⋅ O PQRS)
TURV-/F
Encoding/Decoding of Real-HEAAN
![Page 32: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/32.jpg)
Real-HEAAN vs HEAAN
![Page 33: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/33.jpg)
Our Claim
Real-HEAAN over ! " + "$% /("() + 1) ≈ HEAAN over ! " /(") + 1)w.r.t. Security, Ring operation speed, and memory
#Ptxt Slots: - vs -/2 ⟹ twice more Parallel Computations!
Real-HEAAN vs HEAAN
![Page 34: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/34.jpg)
[Security Reduction] Real-HEAAN is IND-CPA secure under the hardness assumption of RLWE overthe number field ! ≔ Q[% + %'(]/(%,- + 1) (of which the extension degree !:1 = 3)
[Cryptanalysis] RLWE over the number field ! resists all known algebraic attacks on RLWE so thatthe best known attack is essentially the general attacks on LWE of dimension 3
Security of Real-HEAAN
![Page 35: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/35.jpg)
1.Memory
¡ Every element of !"′ = %"[' + ')*]/('./ + 1) is express as 2 ' = 23 + ∑56*/)* 25 ('5−'./)5) for 25 ∈ %"⟹ : ⋅ log ? bits are required to store each element
2. Speed
¡ Number Theoretical Transform (NTT): mapping between %" ' /('@ − 1) ≃ %"@ with B C logC complexity
¡ Current best NTT method for !" = %"[']/('/ + 1) asymptotically requires B : log : complexity
¡ Our new NTT method for !"′ = %"[' + ')*]/('./ + 1) also requires B : log : complexity!
Efficiency of Real-HEAAN
![Page 36: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/36.jpg)
§ Assume ! is a prime
Trivial Approach:
"#$ = &# ' + ')* /('-. + 1)embedding &# ' /('8. − 1)
.
"#$ = &# ' + ')* /('-. + 1) &# ' /('8. − 1)
NTT method for "#$
Mod '-. + 1
NTT of dim :;
Inverse NTT of dim :;
(Computations over .)
![Page 37: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/37.jpg)
§ Assume ! is a prime
Trivial Approach:
"#$ = &# ' + ')* /('-. + 1)embedding &# ' /('8. − 1)
.
"#$ = &# ' + ')* /('-. + 1) &# ' /('8. − 1)
NTT method for "#$
Mod '-. + 1
NTT of dim :;
Inverse NTT of dim :;
(Computations over .)Requires
NTT of dimension 4=!
![Page 38: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/38.jpg)
Our NewApproach:
¡ Find a “simply computable” invertible linear transformation from !"# to $" % /(%( − 1)
!"#,-./01 23./456708
9-:86;.6/$" % /(%( − 1)
< % = <> + ∑ABC(DC <A (%A−%E(DA) F<(%) = ∑AB>
(DC G<A%A
where H<> = <> and G<A = <A ⋅ JA + <(DA ⋅ JAD( for 1 ≤ L ≤ M − 1 (J: 4M-th prim. root of unity mod O)
¡ The inverse mapping is also simply computable with P(M) complexity
NTT method for !"#
![Page 39: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/39.jpg)
Our New Approach:
!"# = %" & + &() /(&,- + 1)012345 672389:;4<
=1><:?2:3 %" & /(&- − 1)
%"-
!"# = %" & + &() /(&,- + 1) %" & /(&A- − 1)
NTT method for !"#
Mod &,- + 1
NTT of dim B
Inverse NTT of dim CB
(Computations over %"-)
![Page 40: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/40.jpg)
Our New Approach:
!"# = %" & + &() /(&,- + 1)012345 672389:;4<
=1><:?2:3 %" & /(&- − 1)
%"-
!"# = %" & + &() /(&,- + 1) %" & /(&A- − 1)
NTT method for !"#
Mod &,- + 1
NTT of dim B
Inverse NTT of dim CB
(Computations over %"-)Requires
NTT of dimension D!
![Page 41: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/41.jpg)
Conclusion
¡ Real-HEAAN provides twice more parallel computations compared to the original HEAAN while preserving the same level of security, ring operation speed, and memory.
¡ In other words, with the same number of parallel computations, Real-HEAAN is asymptotically twice faster than the original HEAAN.
¡ Moreover, Real-HEAAN prevents the complex explosion problem of HEAAN.
¡ The generalization of our new NTT method would be very interesting open topic!
![Page 42: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/42.jpg)
![Page 43: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/43.jpg)
Homomorphic Encryption
![Page 44: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/44.jpg)
Homomorphic Encryption (HE) : An Encryption scheme which allows computations on encrypted data
Homomorphic Encryption
![Page 45: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/45.jpg)
Homomorphic Encryption (HE) : An arbitrary circuit over encrypted data can be evaluated w/o decryption!
Ciphering: Gentry's system allows encrypted data to be analyzed in the cloud. In this example, we wish to add 1 and 2. The data is encrypted so that 1 becomes 33 and 2 becomes 54. The encrypted data is sent to the cloud and processed: the result (87) can be downloaded from the cloud and decrypted to provide the final answer (3). Credit: Steve Moors
Homomorphic Encryption
Selected as 10 Emerging Technologies (MIT Technical Review 2011)
![Page 46: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/46.jpg)
¡ Pros
- HE allows us to evaluate an arbitrary circuit (w/ bootstrapping)
- Data Leakage Prevention against hackers (w/o decryption key)
- Various Real-World Applications: Statistical Analysis, Searching, Machine Learning (over encrypted data)
¡ Cons
- Large Ciphertext/Plaintext Expansion ratio (40 ~ 1000 for FHE)
- Evaluation Speed: more than hundreds of times slower than one on unencrypted state
⟹ Individualized Optimization is going on for each operation!
Pros / Cons of HE
![Page 47: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/47.jpg)
Scheme Plaintext Good Bad Library
Wordwise Encryption- Brakerski-Gentry-Vaikuntanathan’12- Gentry-Halevi-Smart’12a,b,c- Brakerski’12, Fan-Vercauteren’12- Halevi-Shoup’13,14,15
GF(pd) (Zp)Polylog overhead(Amortized time& Expansion rate)
BootstrappingHElibSEAL
…
Linear Error growth & Quad. Ctxt size- Gentry-Sahai-Waters’13
Z, Z[X] ({0,1}) Toolkit for FHEW Inefficient -
Bitwise Encryption- Ducas-Micciancio’15- Chillotti-Gama-Georgieva-Izabachene’16,17
{0,1}, ({0,1}*)Evaluation withBootstrapping
Latency
Amortized time& Expansion rate
FHEWTFHE
Various Lattice-based HE schemes
![Page 48: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/48.jpg)
“Homomorphic Encryption” in ePrint and IEEE Xplore
Machine Learning: 11 (2018/233,202,139,074, 2017/979,715.SSCI, IEEE Access, IEEE Journal, ICCV, SMARTCOMP)
Neural Network: 2 (2018/073, 2017/1114)Genomic Data: 7 (2017/955,770,294,228. EUSIPCO, SMARTCOMP, IEEE Journal)Health Data: 2 (IBM Journal, IEEE Journal)Biometric Data: 2 (IEEE Access, IEEE Conference)Energy Management: 3 (2017/1212. IEEE Big Data, IET Journal)Big Data: 1 (ICBDA)Advertising: 1 (WIFS)Internet of Things: 1 (IWCMC)Election: 1 (2017/166)
Application Researches on HE (2017 ~ Mar. 2018)
![Page 49: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/49.jpg)
Idea 1: Every number contains an Approximation Error (from the unknown true value).
⟹ Consider the error " of a ciphertext # as a part of the approximation error
# = Enc()) if #, sk (mod 1) = ) + " ≈ )
Simple Example:
1.234 ⇒ (scale-up by : = 10<) ⇒ 12,340.
⇒ (Encrypt) ⇒ ⟨#, sk⟩ ? = 12,344 ≈ 1.234 ×10< ⇒ (scale-down by :) ⇒ 1.234
The Construction of HEAAN
(= )∗)
![Page 50: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/50.jpg)
The Construction ofHEAAN
![Page 51: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/51.jpg)
Idea 1: Every number contains an Approximation Error (from the unknown true value).
⟹ Consider the error " of a ciphertext # as a part of the approximation error
# = Enc()) if #, sk (mod 1) = ) + " ≈ )
Simple Example:
1.234 ⇒ (scale-up by : = 10<) ⇒ 12,340.
⇒ (Encrypt) ⇒ ⟨#, sk⟩ ? = 12,344 ≈ 1.234 ×10< ⇒ (scale-down by :) ⇒ 1.234
The Construction of HEAAN
(= )∗)
The Decryption Circuit!(No Additional Modulo Operation)
![Page 52: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/52.jpg)
Idea 2: Approximate Rounding (ReScaling; RS) for (almost) Free!
- Assume that the secret key sk has sufficiently small coefficients.
- For a ciphertext # of the message $, define #% = ⌈()* ⋅ #⌋.- Then, it holds that
#, sk mod 1 = $∗
⟹ #′, sk mod p)*1 ≈ ()*$∗ (an approximate rounding of $∗)
- Rounding of a ciphertext directly derives an approximate rounding of the message!
The Construction of HEAAN
![Page 53: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/53.jpg)
Q1)What is the main problem of previous wordwise HEs in computation of real numbers?
Real Number Computations in HEs
![Page 54: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/54.jpg)
Q1)What is the main problem of previous wordwise HEs in computation of real numbers?
Ans)The exponential growth of the plaintext size (millions of bits after 20-depth multiplications)
¡ Ctxt size ≈ " 2$ , or other new techniques are required (% : level parameter)
¡ One solution is to extract MSBs and store them, but very expensive!
Real Number Computations in HEs
![Page 55: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/55.jpg)
Q2) How about bitwise HE schemes?
Real Number Computations in HEs
![Page 56: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/56.jpg)
Q2) How about bitwise HE schemes?
Ans)Too many gates required to represent an operation between large-precision numbers! ¡ 0.06 sec for (2-to-1) gate, 10 sec for (6-to-6) circuit.
¡ 75 gates for an operation between 4-bit strings.
¡ Then, how many gates for 16-bit / 32-bit precision multiplication?
Real Number Computations in HEs
![Page 57: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/57.jpg)
Q3) Then, how does it work in HEAAN?
Real Number Computations in HEAAN
![Page 58: Real-HEAAN: Approximate Homomorphic Encryption over the ... · Homomorphic Encryption (HE): An arbitrary circuit over encrypteddatacan be evaluated w/o decryption! Ciphering:Gentry's](https://reader035.vdocuments.us/reader035/viewer/2022063015/5fd1d854d39f8734da1844e1/html5/thumbnails/58.jpg)
Q3) Then, how does it work in HEAAN?
¡ Imitating the procedure of approximate arithmetic on computer system
¡ No additional cost for the “rounding”(RS) process!
¡ Ctxt size ≈ "($) ($ : level parameter), since HEAAN only stores most significant bits
Real Number Computations in HEAAN