1 / 35

Practical (F)HE Part III – Bootstrapping

Practical (F)HE Part III – Bootstrapping. Shai Halevi. Reminder: Operation Cost. Cost measured in time, added-noise. * “Moderate ” noise even for multiplying by a 0-1 constant vector. Recryption for BGV [GHS’12c, AP’13,HS’15]. Decryption formula is

travisjames
Télécharger la présentation

Practical (F)HE Part III – Bootstrapping

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FHE+MMAPs Summer School, Paris Practical (F)HE Part III – Bootstrapping Shai Halevi

  2. FHE+MMAPs Summer School, Paris Reminder: Operation Cost • Cost measured in time, added-noise * “Moderate” noise even for multiplying by a 0-1 constant vector

  3. FHE+MMAPs Summer School, Paris Recryption for BGV [GHS’12c, AP’13,HS’15] • Decryption formula is • Observation: For close to a large -power, this formula can be simplified • Roughly if then

  4. FHE+MMAPs Summer School, Paris Simplified Decryption • Notations: for an integer in base-p encoding • is the thdigit, an integer in • are digits through ,in • Lemma: Forplaintext space mod and modulus with , let be an integer with , , then • For odd we have, • For we have,

  5. FHE+MMAPs Summer School, Paris Simplified Decryption • The term for is only needed to handle negative in ’s complement • Proof (for , positive ): • for small • and are small, so no carry bits from 1 to •  the same bit is added to and to • Also, bit of is zero • 

  6. FHE+MMAPs Summer School, Paris Recryption for BGV • Assume for now , no packing • Choose |noise| • Simplified decryption process is • Store wrt plaintext space • Computing homomorphically is easy • Harder to extraction homomorphically

  7. FHE+MMAPs Summer School, Paris Homomorphic Bit-Extraction • We have (wrtptxt space mod-) • Want to compute for • Is there an arithmetic circuit modulo that transforms to ? • Not really, the output LBS in mod- arithmetic circuit depends only on the input LSBs • We could do it with divide-by-2 gates • But can we implement them homomorphically?

  8. FHE+MMAPs Summer School, Paris Homomorphic “Restricted Division” • With plaintext space mod , consider a ciphertext, encrypting some plainetxt • Suppose we know that is divisible by • Let , then • encypts wrt plaintext space mod

  9. FHE+MMAPs Summer School, Paris [GHS12c] Homomorphic Bit-Extraction • We can divide-by-2 homomorphically if we know that the plaintext is even • Observation: squaring times keep LSB, zero-out the bits above it • then • is even and • Setting , we have • divisible by 4 and • Setting , we have • Etc.

  10. FHE+MMAPs Summer School, Paris [AP13] Homomorphic Bit-Extraction • We have integer , want to extract • // invariant: • For to : • For to // remove low bits, one by one • // is even • // we are left with the ’th bit • Output

  11. FHE+MMAPs Summer School, Paris Homomorphic Digit-Extraction () • We have integer , want to extract • // invariant: • For to : • For to // remove low digits • ?? • // • // we are left with the ’th digit • Output This does not work

  12. FHE+MMAPs Summer School, Paris [HS15] Homomorphic Digit-Extraction () • We have integer , want to extract • // invariant: • For to : • For to // remove low digits • // • // we are left with the ’th digit • Output Exists degree- polynomial that works

  13. FHE+MMAPs Summer School, Paris [HS15] Homomorphic Digit-Extraction () • We have integer , want to extract • // invariant: • For to : • For to // remove low digits • // • // we are left with the ’th digit • Output • We use a variant of the Paterson-Stockmeyerprocedure for efficient evaluation of plaintext polynomial on a ciphertext

  14. FHE+MMAPs Summer School, Paris Recryption of Non-Packed Ciphertext • Store wrt plaintext space • Recryption process computes: • For we have another term

  15. FHE+MMAPs Summer School, Paris Recryptionof Packed Ciphertexts • We still want to use the same procedure • (assuming =1) • , what are ? • is represented in the decoding basis by a vector of coefficienct from • represented by the LSB’s of all these coefficients • Similarly for • We use the decoding basis here since we need the coefficients to be small

  16. FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction • We have want • Need to apply the digit-extraction procedure homomorphically to the coefficients of • But operations on are applied to the message slots in , not its coefficients • E.g., computing doesn’t square the individual coefficients separately

  17. FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction • We have want • The [GHS12c] procedure: • Lin1: Move the coefficients of to plaintext slots • Nonlin: Apply digit-extraction in slots • Lin2: Move the coefficients back to get result • The non-linear step is exactly as before • Efficient implementation of the linear transformations is a challenge

  18. FHE+MMAPs Summer School, Paris Packed Homomorphic MSB-extraction • “Generic linear transformation” for Lin1, Lin2? • Work quadratic in , inefficient • The [AP13] optimizations: • Decompose Lin1, Lin2 to FFT-like sparse transformations (using “ring switching”) • Work , mult-by-const depth • The [HS15] implementation • Similar decomposition (no “ring switching”) • Concrete depth 2-3, work ~

  19. FHE+MMAPs Summer School, Paris • Another basis of • Similar to the decoding basis, geometry a bit worse • A bit easier to understand and explain • Let s.t. the ’s are co-prime • Then Using the “Powerful Basis” [LPR14]

  20. FHE+MMAPs Summer School, Paris Using the “Powerful Basis” [LPR14] • An element represented as • Equivalently as a univariate polynomial using • with • Move the ’s to the slots and back

  21. FHE+MMAPs Summer School, Paris • is an ’th root of unity in • We have • We use the following isomorphism between and : • Let be a representative set for • , contains one element from each coset • Then Recall the Plaintext Slots

  22. FHE+MMAPs Summer School, Paris • Input: with the ’s in the slots • I.e., the vector includes all the coefficients • Note that for each , so it describes of the coefficients of • The mapping is one-to-one • The order in which the ’s are packed in the slots of is up to us to decide The Lin2 Transformation

  23. FHE+MMAPs Summer School, Paris • Input: with the ’s in the slots • Output: the element itself • The slots containing • The transformation that we compute on the slots is multi-point polynomial-evaluation • Input: coefficients of • Output: evaluation of in the roots of unity The Lin2 Transformation

  24. FHE+MMAPs Summer School, Paris Our Linear Transformations • Lin2 is a multi-point polynomial evaluation • Decompose Lin2 into 1D transforms by viewing as multi-variate polynomial • For each , this is multi-point evaluation over all the assignments • Computing for all the ’s in parallel,one for every column in the hypercube

  25. FHE+MMAPs Summer School, Paris Our Linear Transformations • Lin2 is a multi-point polynomial evaluation • Decompose Lin2 into 1D transforms by viewing as multi-variate polynomial • For each , this is multi-point evaluation over all the assignments • Computing for all the ’s in parallel, one for every column in the hypercube • We choose the representatives T such thatonly ranges over elements mod • even though • Implies some constraints on (and a careful choice of )

  26. FHE+MMAPs Summer School, Paris Our Linear Transformations • Lin2 is a multi-point poly-eval • Decompose into 1D transforms along the different dimensions of the hypercube • Each is itself a multi-point polynomial-evaluation • Typically 2-3 such 1D transforms • Multi-by-constant depth of 2-3 (rather than 1) • # of 1D-rotations “in spirit” is or (vs. ) • In practice we save a factor of ~50 • Lin1 is the inverse of Lin2

  27. FHE+MMAPs Summer School, Paris Our Linear Transformations • Lin2 is a multi-point poly-eval • Decompose into 1D transforms along the different dimensions of the hypercube • Some of these transformations are -linear but not -linear • Our homomorphic operations act on slots • How to implement -linear transofmrations?

  28. FHE+MMAPs Summer School, Paris Implementing -Linear Functions • Use Frobeniusautomorphism • We can implement for any • Most ’s rotate the slots, but acts on each slot separately as Frobeniusmap • If and then • Similarly, denote , then

  29. FHE+MMAPs Summer School, Paris Linearized Polynomials • Let be -linear, then there exists constants s.t. • In our case, we need a combination of slot-rotations (as per our “generic linear map”) and -linear transformations on the slots • Denote rotate-slots-by- by

  30. FHE+MMAPs Summer School, Paris Implementing Our -Linear Maps • We need • is some -linear map on the slots • Can be implemented as • automorphisms (expensive) • mult-by-const and additions (cheap) • Depth 1 mult-by-constant

  31. FHE+MMAPs Summer School, Paris A Better Implementation • Compute rotations, • Then inner products, • Then automorphism, • Only automorphism, not

  32. FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction • We have want • Lin1: Move the coefficients of to plaintext slots • Nonlin: Apply digit-extraction in slots • Lin2: Move the coefficients back to get result • Lin1, Lin2 implemented via sparse decomposition into 1D transforms • The non-linear step is exactly as before efficient bootstrapping of packed ciphertexts

  33. FHE+MMAPs Summer School, Paris • Tested our implementation in many settings • Targeted 10 remaining levels after recryption Performance (Feb 2015)

  34. FHE+MMAPs Summer School, Paris • Tested our implementation in many settings • Targeted 10 remaining levels after recryption Performance (Feb 2015) • Recryption takes as little as 10-12 levels • - Requires a very sparse key, is this safe?

  35. FHE+MMAPs Summer School, Paris C'est Tout

More Related