Faster Homomorphic Function Evaluation using Non-Integral Base Encoding


Charlotte Bonte 1, Carl Bootland 1, Joe W. Bos 2, Wouter Castryck 1,3, Ilia Iliashenko 1, and Frederik Vercauteren 1,4

1 imec-COSIC, Dept. Electrical Engineering, KU Leuven
2 NXP Semiconductors
3 Laboratoire Paul Painlevé, Université de Lille-1
4 Open Security Research

Abstract. In this paper we present an encoding method for fixed-point numbers tailored for homomorphic function evaluation. The choice of the degree of the polynomial modulus used in all popular somewhat homomorphic encryption schemes is dominated by security considerations, while with the current encoding techniques the correctness requirement allows for much smaller values. We introduce a generic encoding method using expansions with respect to a non-integral base, which exploits this large degree at the benefit of reducing the growth of the coefficients when performing homomorphic operations. In practice this allows one to choose a smaller plaintext coefficient modulus which results in a significant reduction of the running time. We illustrate our approach by applying this encoding in the setting of homomorphic electricity load forecasting for the smart grid, which results in a speed-up by a factor 13 compared to previous work, where encoding was done using balanced ternary expansions.

1 Introduction

The cryptographic technique which allows an untrusted entity to perform arbitrary computation on encrypted data is known as fully homomorphic encryption. The first such construction was based on ideal lattices and was presented by Gentry in 2009 [19]. When the algorithm applied to the encrypted data is known in advance one can use a somewhat homomorphic encryption (SHE) scheme which only allows to perform a limited number of computational steps on the encrypted data. Such schemes are significantly more efficient in practice.
In all popular SHE schemes, the plaintext space is a ring of the form $R_t = \mathbb{Z}_t[X]/(f(X))$, where $t$ is a small integer called the coefficient modulus, and $f(X) \in \mathbb{Z}[X]$ is a monic irreducible degree $d$ polynomial called the polynomial modulus. Usually one lets $f(X)$ be a cyclotomic polynomial, where for reasons of performance the most popular choices are the power-of-two cyclotomics $X^d + 1$ where $d = 2^k$ for some positive integer $k$, which are maximally sparse. In this case arithmetic in $R_t$ can be performed efficiently using the fast Fourier transform, which is used in many lattice-based constructions (e.g. [6,7,8,3]) and most implementations (e.g. [3,4,5,,1,5,7]).

(This work was supported by the European Commission under the ICT programme with contract H2020-ICT HEAT, and through the European Research Council under the FP7/2007-2013 programme with ERC Grant Agreement 615722 MOTMELSUM. The second author is also supported by a PhD fellowship of the Research Foundation - Flanders (FWO).)

One interesting problem relates to the encoding of the input data of the algorithm such that it can be represented as elements of $R_t$ and such that one obtains a meaningful outcome after the encrypted result is decrypted and decoded. This means that addition and multiplication of the input data must agree with the corresponding operations in $R_t$ up to the depth of the envisaged SHE computation. An active research area investigates different such encoding techniques, which are often application-specific and dependent on the type of the input data. For the sake of exposition we will concentrate on the particularly interesting and popular setting where the input data consists of finite precision real numbers $\theta$, even though our discussion below is fairly generic. The main idea, going back to Dowlin et al. [16] (see also [17,3,6]) and analyzed in more detail by Costache et al. [14], is to expand $\theta$ with respect to a base $b$

$$\theta = a_r b^r + a_{r-1} b^{r-1} + \cdots + a_1 b + a_0 + a_{-1} b^{-1} + a_{-2} b^{-2} + \cdots + a_{-s} b^{-s} \qquad (1)$$

using integer digits $a_i$, after which one replaces $b$ by $X$ to end up inside the Laurent polynomial ring $\mathbb{Z}[X, X^{-1}]$. One then reduces the digits $a_i$ modulo $t$ and applies the ring homomorphism to $R_t$ defined by

$$\iota : \mathbb{Z}_t[X, X^{-1}] \to R_t : \begin{cases} X \mapsto X, \\ X^{-1} \mapsto -g(X) \cdot f(0)^{-1}, \end{cases}$$

where we write $f(X) = X g(X) + f(0)$ and it is assumed that $f(0)$ is invertible modulo $t$; this is always true for cyclotomic polynomials, or for factors of them. The quantity $r + s$ will sometimes be referred to as the degree of the encoding (where we assume that $a_r, a_{-s} \neq 0$).

Remark 1.
For power-of-two cyclotomics the homomorphism $\iota$ amounts to letting $X^{-1} \mapsto -X^{d-1}$, so that the encoding of (1) is given by
$$a_r X^r + a_{r-1} X^{r-1} + \cdots + a_1 X + a_0 - a_{-1} X^{d-1} - a_{-2} X^{d-2} - \cdots - a_{-s} X^{d-s}.$$
In fact in [14] it is mentioned that inverting $X$ is only possible in the power-of-two cyclotomic case, but this seems to be overcareful. In particular, contrary to what is claimed there, the above construction is compatible with the SIMD computations described in [16,9]. Decoding is then performed by applying the inverse of the restricted map $\iota|_{\mathbb{Z}_t[X, X^{-1}]_{[-l,m]}}$ where
$$\mathbb{Z}_t[X, X^{-1}]_{[-l,m]} = \{\, a_m X^m + a_{m-1} X^{m-1} + \cdots + a_{-l} X^{-l} \mid a_i \in \mathbb{Z}_t \text{ for all } i \,\}$$

is a subset of Laurent polynomials whose monomials have bounded exponents. If $l + m + 1 = d$ then this restriction of $\iota$ is indeed invertible as a $\mathbb{Z}_t$-linear map. The precise choice of $l, m$ depends on the data encoded. After applying this inverse, one replaces the coefficients by their representants in $\{-(t-1)/2, \ldots, (t-1)/2\}$ to end up with an expression in $\mathbb{Z}[X, X^{-1}]$, and evaluates the result at $X = b$.

Fig. 1. Box in which to stay during computation, where $l + m + 1 = d$: in the $\mathbb{Z}[X, X^{-1}]$-plane the horizontal $X$-axis runs from $X^{-l}$ to $X^{m}$ and the vertical $\mathbb{Z}$-axis from $-(t-1)/2$ to $(t-1)/2$.

Ensuring that decoding is correct to a given computational depth places constraints on the parameters $t$ and $d$, in order to avoid ending up outside the box depicted in Figure 1 if the computation were to be carried out directly in $\mathbb{Z}[X, X^{-1}]$. In terms of $R_t$ we will often refer to this event as the `wrapping around' of the encoded data modulo $t$ or $f(X)$, although we note that this is an abuse of language. In the case of power-of-two cyclotomics, ending up above or below the box does indeed correspond to wrapping around modulo $t$, but ending up at the left or the right of the box corresponds to a mix-up of the high degree terms and the low degree terms. The precise constraints on $t$ and $d$ not only depend on the complexity of the computation, but also on the type of expansion (1) used in the encoding. Dowlin et al. suggest to use balanced $b$-ary expansions with respect to an odd base $b \in \mathbb{Z}_{\geq 3}$, which means that the digits are taken from $\{-(b-1)/2, \ldots, (b-1)/2\}$. Such expansions have been used for centuries, going back at least to Colson (1726) and Cauchy (1840) in the quest for more efficient arithmetic. If we fix a precision, then for smaller $b$ the balanced $b$-ary expansions are longer but the coefficients are smaller; this implies the need for a larger $d$ but smaller $t$. Similarly for larger bases the expansions become shorter but have larger coefficients, leading to smaller $d$ but larger $t$.
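To make the encoding map concrete, here is an added Python example (not code from the paper) for the power-of-two cyclotomic $f(X) = X^d + 1$: it computes a balanced $b$-ary expansion (1) of a fixed-point number, applies $\iota$ with $X^{-1} \mapsto -X^{d-1}$, multiplies two encodings in $R_t$ and decodes on the box $[-l, m]$ by lifting to the symmetric representatives. The parameters $d = 16$, $t = 7$, $l = 6$, the function names and the two sample values are constructed for the demonstration; the second call repeats the computation with $t = 3$, too small for the coefficient 2 that appears in the product, and returns a wrong value, which is the `wrapping around' modulo $t$ described above.

```python
from fractions import Fraction


def balanced_expansion(theta, base=3, frac_digits=4):
    """Balanced b-ary expansion (odd base b, digits in {-(b-1)/2, ..., (b-1)/2})
    of theta, truncated to frac_digits fractional digits.
    Returns {exponent: digit}, i.e. the Laurent polynomial sum_i a_i X^i."""
    assert base % 2 == 1 and base >= 3
    half = (base - 1) // 2
    # scale to an integer, expand it, and shift the exponents down again
    n = round(Fraction(theta) * base ** frac_digits)
    digits, e = {}, -frac_digits
    while n != 0:
        r = n % base                  # Python's % is non-negative for base > 0
        if r > half:
            r -= base                 # move the digit into the balanced set
        if r:
            digits[e] = r
        n = (n - r) // base           # exact: n - r is a multiple of base
        e += 1
    return digits


def to_ring(digits, d, t):
    """Apply iota for f(X) = X^d + 1, where X^{-k} maps to -X^{d-k} (1 <= k < d),
    and reduce the coefficients modulo t. Returns the coefficient list of an
    element of R_t = Z_t[X]/(X^d + 1)."""
    c = [0] * d
    for e, a in digits.items():
        assert -d < e < d
        if e >= 0:
            c[e] = (c[e] + a) % t
        else:
            c[d + e] = (c[d + e] - a) % t
    return c


def ring_mul(u, v, d, t):
    """Multiply two elements of Z_t[X]/(X^d + 1) (negacyclic convolution)."""
    out = [0] * d
    for i, a in enumerate(u):
        if a == 0:
            continue
        for j, b in enumerate(v):
            if b == 0:
                continue
            k = i + j
            if k < d:
                out[k] = (out[k] + a * b) % t
            else:                     # X^d = -1 in the ring
                out[k - d] = (out[k - d] - a * b) % t
    return out


def decode(c, d, t, l, base):
    """Invert iota on the box [-l, m] with l + m + 1 = d, lift each coefficient to
    {-(t-1)/2, ..., (t-1)/2} and evaluate the Laurent polynomial at X = base."""
    m = d - l - 1

    def lift(x):
        x %= t
        return x - t if x > (t - 1) // 2 else x

    value = Fraction(0)
    for i in range(m + 1):            # a_i = c_i for 0 <= i <= m
        value += lift(c[i]) * Fraction(base) ** i
    for k in range(1, l + 1):         # a_{-k} = -c_{d-k} for 1 <= k <= l
        value -= lift(c[d - k]) * Fraction(base) ** (-k)
    return value


def homomorphic_product(theta1, theta2, d, t, l, base=3, frac_digits=2):
    """Encode two fixed-point numbers, multiply them in R_t and decode the result."""
    u = to_ring(balanced_expansion(theta1, base, frac_digits), d, t)
    v = to_ring(balanced_expansion(theta2, base, frac_digits), d, t)
    return decode(ring_mul(u, v, d, t), d, t, l, base)


if __name__ == "__main__":
    # constructed sample values: 10/9 = 1 + 3^-2 and 7/3 = 3 - 1 + 3^-1
    a, b = Fraction(10, 9), Fraction(7, 3)
    print(homomorphic_product(a, b, d=16, t=7, l=6))   # 70/27, the true product
    print(homomorphic_product(a, b, d=16, t=3, l=6))   # 43/27: the coefficient 2 wrapped around mod 3
```

The product $X - 1 + 2X^{-1} - X^{-2} + X^{-3}$ of the two sample encodings has a coefficient 2, which lies inside the box for $t = 7$ but not for $t = 3$, where it is lifted to $-1$; with $l = 6$ the negative exponents down to $X^{-3}$ stay clear of the high-degree terms, so no mix-up occurs on the $X$-axis side.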
For the application to somewhat homomorphic encryption considered in [4,14] the security requirements ask for a very large $d$, so that the best choice is to use as small a base as possible, namely $b = 3$, with digits in $\{\pm 1, 0\}$. Even for this smallest choice the resulting lower bound on $t$ is very large and the bound on $d$ is much smaller than that coming from the cryptographic requirements. To illustrate this, we recall the concrete figures from the paper [4], which uses the Fan-Vercauteren (FV) somewhat homomorphic encryption scheme [18] for privacy-friendly prediction of electricity consumption in the setting of the smart grid. Here the authors use $d = 4096$ for cryptographic reasons (which is an optimistic choice that leads to 80-bit security only and maybe even slightly less [1]). On the other hand using

balanced ternary expansions, correct decoding is guaranteed as soon as $d \geq 368$, which is even a conservative estimate. This eventually leads to the huge bound $t \geq 2^{107}$, which is overcome by decomposing $R_t$ into 13 factors according to the Chinese Remainder Theorem (CRT). This is then used to homomorphically forecast the electricity usage for the next half hour for a small apartment complex of 10 households in about half a minute, using a sequential implementation.

Fig. 2. Comparison between the amount of plaintext space which is actually used in the setting of [4], where $d = 4096$ (left: balanced ternary, right: NIBNAF; $X$-axis against the $\mathbb{Z}$-axis on a $\log_2$ scale). More precise figures are to be found in Section 4.

The discrepancy between the requirements coming from correct decoding and those coming from security considerations suggests that other possible expansions may be better suited for use with SHE. In this paper we introduce a generic encoding technique, using very sparse expansions having digits in $\{\pm 1, 0\}$ with respect to a non-integral base $b_w > 1$, where $w$ is a sparseness measure. These expansions will be said to be of `non-integral base non-adjacent form' with window size $w$, abbreviated to $w$-NIBNAF. Increasing $w$ makes the degrees of the resulting Laurent polynomial encodings grow and decreases the growth of the coefficients when performing operations, hence lowering the bound on $t$. Our encoding technique is especially useful when using fixed-point real numbers, but could also serve in dealing with fixed-point complex numbers or even with integers, despite the fact that $b_w$ is non-integral (this would require a careful precision analysis which is avoided here). We demonstrate that this technique results in significant performance increases by re-doing the experiments from [4]. Along with a more careful precision analysis which is tailored for this specific use case, using 950-NIBNAF expansions we end up with the dramatically reduced bound $t \geq 2^{33}$.
It is not entirely honest to compare this to $t \geq 2^{107}$ because of our better precision analysis; as explained in Section 4 it makes more sense to compare the new bound to $t \geq 2^{4\ldots}$, but the reduction remains huge. As the reader can see in Figure 2 this is explained by the fact that the data is spread more evenly across plaintext space during computation. As a consequence we avoid the need for CRT decomposition and thus reduce the running time by a factor 13, showing that the same homomorphic forecasting can be done in only 2.5 seconds.

Remark 2. An alternative recent proposal for encoding using a non-integral base can be found in [13], which targets efficient evaluation of the discrete Fourier

transform on encrypted data. Here the authors work exclusively in the power-of-two cyclotomic setting $f(X) = X^d + 1$, and the input data consists of complex numbers $\theta$ which are expanded with respect to the base $b = \zeta$, where $\zeta$ is a primitive $2d$-th root of unity, i.e. a root of $f(X)$. One nice feature of this approach is that the correctness of decoding is not affected by wrapping around modulo $f(X)$. To find a sparse expansion they use the LLL algorithm [4], but unfortunately for arbitrary complex inputs the digits become rather large, at least when compared to $w$-NIBNAF. An alternative viewpoint on this method is to find an element of $R_t$ having small coefficients which under the canonical embedding has one known component that approximates $\theta$. In this sense the method is very similar to that from [1] where they use ciphertext packing and encode $d$ complex numbers into a single element of $R_t$ which under the canonical embedding returns the given complex numbers, up to a predetermined scalar. But again, to achieve this, the coefficients must in general be quite large.

2 Encoding data using w-NIBNAF

2.1 The non-adjacent form with window size w

One first approach to try to reduce the lower bound on $t$ is by using encodings for which many of the coefficients are zero. One way to achieve this is by using the non-adjacent form (NAF) representation which was introduced by Reitwiesner in 1960 for speeding up early multiplication algorithms [8].

Definition 1. The non-adjacent form (NAF) representation of a real number $\theta$ is an expansion of $\theta$ to the base $b = 2$ with coefficients in $\{-1, 0, 1\}$ such that any two adjacent coefficients are not both non-zero.

Note that NAF representations always exist and are unique, modulo periodic infinite expansion issues. This representation can be generalized: for an integer $w \geq 1$ (called the `window size') one can ensure that in any window of $w$ consecutive coefficients at most one of them is non-zero. This is possible to base $b = 2$ but for $w > 2$ one requires larger coefficients.
This generalization is called $w$-NAF and was first considered by Cohen et al. [11].

Definition 2. Let $w \geq 1$ be an integer. A $w$-NAF representation of a real number $\theta$ is an expansion of $\theta$ with base 2 whose non-zero coefficients are odd and less than $2^{w-1}$ in absolute value, such that for every set of $w$ consecutive coefficients at most one of them is non-zero.

Just as for NAF representations, the $w$-NAF representation is essentially unique. Further, we see that NAF is just the special case of $w$-NAF for $w = 2$. Unfortunately, due to the fact that the coefficients are taken from a much larger set, using $w$-NAF encodings in the SHE setting actually gives larger bounds on both $t$ and $d$ for increasing $w$. This is not useful in the setting of SHE when the goal is to reduce the parameter sizes and the running time of the algorithm.

2.2 The non-integral base when computing a non-adjacent form with window size w

Ideally, we want the coefficients in our expansions to be members of $\{\pm 1, 0\}$ with many equal to 0, as this would lead to the slowest growth in coefficient sizes, allowing us to use smaller values for $t$. This would come at the expense of using longer encodings, but remember that we have a lot of manoeuvring space on the $d$ side. One way to achieve this is to use a non-integral base $b > 1$ when computing a non-adjacent form. We first give the definition of a non-integral base non-adjacent form with window size $w$ ($w$-NIBNAF) representation and then explain where this precise formulation comes from.

Definition 3. A sequence $a_0, a_1, \ldots, a_n, \ldots$ is a $w$-balanced ternary sequence if it has $a_i \in \{-1, 0, 1\}$ for $i \in \mathbb{Z}_{\geq 0}$ and satisfies the property that each set of $w$ consecutive terms has no more than one non-zero term.

Definition 4. Let $\theta \in \mathbb{R}$ and $w \in \mathbb{Z}_{>0}$. Define $b_w$ to be the unique positive real root of the polynomial $F_w(x) = x^{w+1} - x^w - x - 1$. A $w$-balanced ternary sequence $a_r, a_{r-1}, \ldots, a_1, a_0, a_{-1}, \ldots$ is a $w$-NIBNAF representation of $\theta$ if
$$\theta = a_r b_w^r + a_{r-1} b_w^{r-1} + \cdots + a_1 b_w + a_0 + a_{-1} b_w^{-1} + \cdots.$$

Of course, a priori it may be possible that a given $\theta$ has no such $w$-NIBNAF representation or it may have (infinitely) many of them. We will show that every $\theta$ has at least one such $w$-NIBNAF representation and provide an algorithm to find such a representation. However, let us first state a lemma which shows that $b_w$ is well-defined for $w \geq 1$.

Lemma 1. For an integer $w \geq 1$ the polynomial $F_w(x) = x^{w+1} - x^w - x - 1$ has a unique positive real root $b_w > 1$. The sequence $b_1, b_2, \ldots$ is strictly decreasing and the limit as $w$ tends to infinity of $b_w$ is 1. Further, $(x^2 + 1) \mid F_w(x)$ for $w \equiv 3 \pmod 4$.

The proof is straightforward and given in Appendix A. We give the first few values of $b_w$ and note that $b_3$ is the golden ratio $\varphi$:
$$b_1 = 1 + \sqrt{2} \approx 2.414,\quad b_2 \approx 1.839,\quad b_3 = \tfrac{1 + \sqrt{5}}{2} \approx 1.618,\quad b_4 \approx 1.497,\quad b_5 \approx 1.420,\quad b_6 \approx 1.365.$$
Since we are using a non-integral base, a $w$-NIBNAF representation of a fixed-point number has infinitely many non-zero terms in general.
Obviously, this is not practical since one needs to store each non-zero coefficient. In order to overcome this problem one can approximate the fixed-point number by terminating the $w$-NIBNAF representation after some power of the base. We denote

such a terminated sequence an approximate $w$-NIBNAF representation. There are two straightforward ways of achieving this: either the power of the base used to determine the termination is chosen in advance, which gives an easy bound on the maximal possible error created, or we choose a maximal allowed error in advance and terminate after the first power which gives error less than or equal to this pre-determined value.

2.3 Encoding and decoding using w-NIBNAF

The process of encoding works as described in the introduction, i.e. we follow the approach from [14,16] except we use an approximate $w$-NIBNAF representation instead of the balanced ternary representation. That is, to encode a fixed-point number $\theta$ we find an approximate $w$-NIBNAF representation of $\theta$ with small enough error and replace each occurrence of $b_w$ by $X$, after which we apply the map $\iota$ to end up with an element of the plaintext space $R_t$. Decoding is almost the same as well, only that after inverting $\iota$ and lifting the coefficients to $\mathbb{Z}$ we evaluate the resulting Laurent polynomial at $X = b_w$ rather than $X = 3$, computing the value only to the required precision. Rather than evaluating directly it is best to reduce the Laurent polynomial modulo $F_w(X)$ (or modulo the polynomial $F_w(X)/(X^2 + 1)$ if $w \equiv 3 \pmod 4$) so that we only have to compute powers of $b_w$ up to $w$ (respectively $w - 2$). As we encode using approximate representations, there can be many encodings which decode, within a certain precision, to the same value.

Let us prove that every $\theta \in \mathbb{R}$ has a $w$-NIBNAF representation: Algorithm 1 produces such a representation. Algorithm 1 is a greedy algorithm which chooses the closest signed power of the base to $\theta$ and then iteratively finds a representation of the difference. Except when $\theta$ can be written as $\theta = h(b_w)/b_w^q$, for some polynomial $h$ with coefficients in $\{\pm 1, 0\}$ and $q \in \mathbb{Z}$, any $w$-NIBNAF representation is infinitely long. Hence, we must terminate Algorithm 1 once the iterative input is smaller than some pre-determined precision $\epsilon > 0$. We now prove that the algorithm works as required.
Lemma 2. Algorithm 1 produces an approximate $w$-NIBNAF representation of $\theta$ with an error of at most $\epsilon$.

Proof. Assuming that the algorithm terminates, the output clearly represents $\theta$ to within an error of at most size $\epsilon$. First we show that the output is $w$-NIBNAF. Suppose that the output, on input $\theta, b_w, \epsilon$, has at least two non-zero terms, the first being $a_d$. This implies either that $b_w^d \leq \theta < b_w^{d+1}$ and $b_w^{d+1} - \theta > \theta - b_w^d$, or $b_w^{d-1} < \theta \leq b_w^d$ and $b_w^d - \theta \leq \theta - b_w^{d-1}$. These conditions can be written as
$$b_w^d \leq \theta < \tfrac12 b_w^d (1 + b_w) \quad\text{and}\quad \tfrac12 b_w^{d-1}(1 + b_w) \leq \theta \leq b_w^d$$
respectively. This shows that
$$|\theta - b_w^d| < \max\{\, b_w^d - \tfrac12 b_w^{d-1}(1 + b_w),\ \tfrac12 b_w^d (1 + b_w) - b_w^d \,\} = \tfrac12 b_w^d (b_w - 1).$$
The algorithm subsequently chooses the closest power of $b_w$ to this smaller value; suppose it is $b_w^l$. By the same argument with $\theta$ replaced by $|\theta - b_w^d|$ we have that

Algorithm 1: GreedyRepresentation
Input: $\theta$ the fixed-point number to be represented, $b_w$ the $w$-NIBNAF base to be used in the representation, $\epsilon$ the precision to which the representation is determined.
Output: An approximate $w$-NIBNAF representation $a_r, a_{r-1}, \ldots$ of $\theta$ with error less than $\epsilon$, where $a_i = 0$ if not otherwise specified.
  while $|\theta| > \epsilon$ do
    $\sigma \leftarrow \mathrm{sgn}(\theta)$
    $t \leftarrow \sigma\theta$
    $r \leftarrow \lceil \log_{b_w} t \rceil$
    if $b_w^r - t > t - b_w^{r-1}$ then $r \leftarrow r - 1$
    $a_r \leftarrow \sigma$
    $\theta \leftarrow \theta - \sigma b_w^r$
  Return $(a_i)$.

either $b_w^l \leq |\theta - b_w^d|$ or $\tfrac12 b_w^{l-1}(1 + b_w) \leq |\theta - b_w^d|$, and since $b_w^l$ is larger than $\tfrac12 b_w^{l-1}(1 + b_w)$ the maximal possible value of $l$, which we denote by $l_w(d)$, satisfies
$$l_w(d) = \max\{\, l \in \mathbb{Z} \mid \tfrac12 b_w^{l-1}(1 + b_w) < \tfrac12 b_w^d (b_w - 1) \,\}.$$
The condition on $l$ can be rewritten as $b_w^l < b_w^{d+1}(b_w - 1)/(b_w + 1)$, which implies that $l < d + 1 + \log_{b_w}((b_w - 1)/(b_w + 1))$ and thus
$$l_w(d) = d + \left\lceil \log_{b_w} \frac{b_w - 1}{b_w + 1} \right\rceil,$$
so that the smallest possible difference is independent of $d$ and equal to
$$s(w) := d - l_w(d) = -\left\lceil \log_{b_w} \frac{b_w - 1}{b_w + 1} \right\rceil = \left\lfloor \log_{b_w} \frac{b_w + 1}{b_w - 1} \right\rfloor.$$
We thus need to show that $s(w) \geq w$. As $w$ is an integer this is equivalent to
$$\log_{b_w} \frac{b_w + 1}{b_w - 1} \geq w \iff b_w^w \leq \frac{b_w + 1}{b_w - 1} \iff b_w^{w+1} - b_w^w - b_w - 1 \leq 0,$$
which holds for all $w$ since $F_w(b_w) = 0$. We point out that our algorithm works correctly and deterministically because when $\theta$ is exactly half-way between two powers of $b_w$ we choose the larger power. This shows that the output is of the required form. Finally, to show that the algorithm terminates we note that the $k$'th successive difference is bounded above by $\tfrac12 b_w^{\,d - (k-1)s(w)}(b_w - 1)$ and this tends to 0 as $k$ tends to infinity. Therefore after a finite number of steps (at most $(d - \log_{b_w}(2\epsilon/(b_w - 1)))/s(w) + 1$) the difference is smaller than or equal to $\epsilon$ and the algorithm terminates.

In the limit as $\epsilon$ tends to zero we reach a $w$-NIBNAF representation of $\theta$, hence we have proven that any real number indeed admits a $w$-NIBNAF representation. Clearly we can also use this algorithm to encode $\theta$ by instead returning $\sum_i a_i X^i$; this gives an encoding of $\theta$ with maximal error $\epsilon$. Since the input $\theta$ of the algorithm can get arbitrarily close to but larger than $\epsilon$, the final term in the encoding can be $\pm X^h$ where $h = \lfloor \log_{b_w}(2\epsilon/(1 + b_w)) \rfloor + 1$. If we are to ensure that the smallest power of the base to appear in any approximate $w$-NIBNAF representation is $b_w^{-s}$ then we require that if $b_w^{-s-1}$ is the nearest power of $b_w$ to the input $\theta$ then $\theta \leq \epsilon$, so that we must have $\tfrac12 b_w^{-s-1}(1 + b_w) \leq \epsilon$, which implies that the smallest precision we can achieve is $\epsilon = b_w^{-s}(1 + b_w^{-1})/2$. In particular, if we want `polynomial' encodings then the best precision possible using the greedy algorithm is $(1 + b_w^{-1})/2 < 1$.

Remark 3. If in Algorithm 1 one replaces $b_w$ by a smaller base $b > 1$ then it still produces a $w$-NIBNAF expansion to the desired precision: this follows easily from the proof of Lemma 2. The distinguishing feature of $b_w$ is that it is maximal with respect to this property, so that the resulting expansions become as short as possible.

3 Analysis of coefficient growth when computing with encodings

After encoding the input data it is ready for homomorphic computations. This increases both the number of non-zero coefficients as well as the size of these coefficients. Since we are working in the ring $R_t$ there is a risk that our data wraps around modulo $t$ as well as modulo $f(X)$, in the sense explained in the introduction, which we should avoid since this leads to erroneous decoding. Therefore we need to understand the coefficient growth more thoroughly. We simplify the analysis in this section by only considering multiplications and what constraint this puts on $t$; it is then not hard to generalize this to include additions.
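As an added example (Python, not the paper's code), the following computes $b_w$ by bisection on $F_w$, implements Algorithm 1 together with decoding by evaluation at $X = b_w$, and checks the $w$-balanced property and the error bound of Lemma 2; the integer encoding uses the precision $(1 + b_w^{-1})/2$ from the paragraph above, so its output has no negative exponents. Function names and the sample inputs (100 in base $b_3 = \varphi$, and 3.75 to precision $10^{-6}$ in base $b_5$) are my own choices.

```python
import math


def F_w(x, w):
    """F_w(x) = x^{w+1} - x^w - x - 1, whose unique positive root is b_w."""
    return x ** (w + 1) - x ** w - x - 1


def nibnaf_base(w):
    """b_w by bisection: F_w(1) = -2 < 0 and F_w(3) = 2*3^w - 4 > 0 for w >= 1."""
    lo, hi = 1.0, 3.0
    while hi - lo > 1e-14:
        mid = (lo + hi) / 2
        if F_w(mid, w) > 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


def greedy_nibnaf(theta, w, eps, b=None):
    """Algorithm 1: returns {exponent: digit} with digits in {-1, 1}, such that
    |theta - sum a_i b_w^i| <= eps and non-zero digits are at least w apart."""
    b = nibnaf_base(w) if b is None else b
    digits = {}
    while abs(theta) > eps:
        sigma = 1 if theta > 0 else -1
        t = sigma * theta
        r = math.ceil(math.log(t, b))          # b^{r-1} < t <= b^r
        if b ** r - t > t - b ** (r - 1):       # lower power strictly closer;
            r -= 1                              # ties go to the larger power
        digits[r] = sigma
        theta -= sigma * b ** r
    return digits


def is_w_balanced(digits, w):
    """Check the w-balanced ternary property: non-zero exponents differ by >= w."""
    exps = sorted(digits)
    return all(exps[i + 1] - exps[i] >= w for i in range(len(exps) - 1))


def evaluate(digits, w):
    """Decode by evaluating the Laurent polynomial at X = b_w."""
    b = nibnaf_base(w)
    return sum(a * b ** e for e, a in digits.items())


def polynomial_precision(w):
    """Best precision for which the greedy output has no negative exponents."""
    return (1 + 1 / nibnaf_base(w)) / 2


def encode_integer(N, w):
    """'Polynomial' encoding of an integer: greedy at precision (1 + b_w^{-1})/2."""
    return greedy_nibnaf(float(N), w, polynomial_precision(w))


if __name__ == "__main__":
    for w in range(1, 7):
        print(w, round(nibnaf_base(w), 6))
    enc = encode_integer(100, 3)                 # base b_3, the golden ratio
    print(sorted(enc.items(), reverse=True), is_w_balanced(enc, 3), evaluate(enc, 3))
    fine = greedy_nibnaf(3.75, 5, 1e-6)
    print(len(fine), is_w_balanced(fine, 5), abs(evaluate(fine, 5) - 3.75) <= 1e-6)
```

For 100 in base $\varphi$ the greedy algorithm picks $\varphi^{10}$, then $-\varphi^6$, $-\varphi^3$ and $-\varphi^0$ and stops with a remainder of about 0.19, below the precision 0.809; the gaps 4, 3, 3 between exponents are at least $w = 3$, as Lemma 2 guarantees.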
3.1 Worst case coefficient growth for w-NIBNAF encodings

Here we analyze the maximal possible size of a coefficient which could occur from computing with $w$-NIBNAF encodings. As fresh $w$-NIBNAF encodings are just approximate $w$-NIBNAF representations written as elements of $R_t$, we consider finite $w$-balanced ternary sequences and the multiplication endowed on them from $R_t$ or from $\mathbb{Z}_t[X, X^{-1}]$. Further, as we ensure in practice that there is no wrap around modulo $f(X)$, this can be ignored in our analysis. To start the worst case analysis we have the following lower bound.

Lemma 3. A lower bound on the maximal absolute size of a term that can be produced by taking the product of $p$ arbitrary $w$-balanced ternary sequences of length $d + 1$ is
$$B_w(d, p) := \sum_{k=0}^{\left\lfloor \frac{\lfloor \lfloor d/w \rfloor p/2 \rfloor}{\lfloor d/w \rfloor + 1} \right\rfloor} (-1)^k \binom{p}{k} \binom{p - 1 + \lfloor \lfloor d/w \rfloor p/2 \rfloor - k(\lfloor d/w \rfloor + 1)}{p - 1}.$$

A full proof of this lemma is given in Appendix A, but the main idea is to look at the largest coefficient of $m^p$ where $m$ has the maximal number of non-zero coefficients, $\lfloor d/w \rfloor + 1$, all being equal to 1 and with exactly $w - 1$ zero coefficients between each pair of adjacent non-zero coefficients. We note that the $w$-NIBNAF encoding, using the greedy algorithm with precision 1, of $(b_w^{\,d + w - (d \bmod w)} - 1)(b_w - 1)/2$ is $m$, so in practice this lower bound is achievable although unlikely to occur. We expect that this lower bound is tight; indeed we were able to prove the following lemma, the proof of which is also given in Appendix A.

Lemma 4. Suppose $w$ divides $d$; then $B_w(d, 2)$ equals the maximal absolute size of a term that can be produced by taking the product of two arbitrary $w$-balanced ternary sequences of length $d + 1$.

We thus make the following conjecture which we assume to be true.

Conjecture 1. The lower bound $B_w(d, p)$ given in Lemma 3 is exact for all $d$, that is, the maximal absolute term size which can occur after multiplying $p$ arbitrary $w$-balanced ternary sequences of length $d + 1$ is $B_w(d, p)$.

This conjecture seems very plausible since as soon as one multiplicand does not have non-zero coefficients exactly $w$ places apart, the non-zero coefficients start to spread out and decrease in value.

3.2 Approximating $B_w(d, p)$

To approximate $B_w(d, p)$ for fixed $p$ define $n := \lfloor d/w \rfloor + 1$; then for suitably large $n$ (so that the variable $k$ varies over a range only dependent on $p$) we can expand the expression for $B_w(d, p)$ as a `polynomial' in $n$ of degree $p - 1$, see Appendix B for the details. The expressions we find are in fact valid for all $n$; the first few are:
$$\begin{aligned}
B_w(d, 1) &= 1; \\
B_w(d, 2) &= n; \\
B_w(d, 3) &= \tfrac18 (6n^2 + 1) - \tfrac18 (-1)^n; \\
B_w(d, 4) &= \tfrac13 (2n^3 + n); \\
B_w(d, 5) &= \tfrac{1}{384} (230n^4 + 70n^2 + 27) - \tfrac{1}{384} (-1)^n (30n^2 + 27); \\
B_w(d, 6) &= \tfrac{1}{20} (11n^5 + 5n^3 + 4n); \\
B_w(d, 7) &= \tfrac{1}{23040} (11774n^6 + 4235n^4 + 2261n^2 + 1125) - \tfrac{1}{23040} (-1)^n (1155n^4 + 1365n^2 + 1125); \\
B_w(d, 8) &= \tfrac{1}{315} (151n^7 + 70n^5 + 49n^3 + 45n).
\end{aligned}$$
Denoting the coefficient of $n^{p-1}$ in these expressions by $l_p$, it can be shown (see [] or Appendix B) that $\lim_{p \to \infty} \sqrt{p}\, l_p = \sqrt{6/\pi}$, and hence we have, for $n$ large,
$$\log(B_w(d, p)) - (p - 1)\log(n) + \tfrac12 \log\Big(\frac{\pi p}{6}\Big) \to 0 \qquad (p \to \infty),$$

or equivalently $B_w(d, p) \approx \sqrt{6/(\pi p)}\, n^{p-1}$. Thus we have the approximation
$$\log(B_w(d, p)) \approx (p - 1)\log(n) - \tfrac12 \log\Big(\frac{\pi p}{6}\Big),$$
which for large enough $n$ (experimentally we found for $n > p/2$) is an upper bound for $p > 2$. For a guaranteed upper bound when $p > 2$ we have the result
$$B_w(d, p) \leq \sqrt{\frac{6}{\pi p (n^2 - 1)}}\; n^p.$$

Fig. 3. Plot of $\log_2(\#\text{coeff})$ on the vertical axis against $w$ on the horizontal axis for $w$-NIBNAF encodings of random integers in $[-2^{40}, 2^{40}]$, with separate curves for the number of $-1$, $0$ and $1$ coefficients.

3.3 Statistical analysis of the coefficient growth

Based on the $w$-NIBNAF encodings of random numbers $N \in [-2^{40}, 2^{40}]$, we try to get an idea of the amount of $-1$, $0$ and $1$ coefficients in a fresh encoding without fractional part, obtained by running Algorithm 1 to precision $(1 + b_w^{-1})/2$. We also analyze how these proportions change when we perform multiplications. We plot this for different values of $w$ to illustrate the positive effects of using sparser encodings. We know from the definition of a $w$-NIBNAF expansion that at least $w - 1$ among each block of $w$ consecutive coefficients of the expansion will be 0, so we expect for big $w$ that the coefficient 0 occurs a lot more than 1 or $-1$. This is clearly visible in Figure 3. In addition we see an increasing number of 0 coefficients and a decreasing number of 1 and $-1$ coefficients for increasing $w$. Hence we can conclude that both the absolute and the relative sparseness of our encodings increase as $w$ increases.

Since the balanced ternary encoding of [14,16] and the 2-NAF encoding [8] only have coefficients in $\{-1, 0, 1\}$, it is interesting to compare them to 1-NIBNAF and 2-NIBNAF respectively. We compare them by computing the percentage of coefficients which are equal to $-1$, $0$ and $1$ respectively, in 1… encodings of random integers $N$ in $[-2^{40}, 2^{40}]$. We compute this percentage up to an accuracy of $10^{-4}$ and consider for our counts all coefficients up to and including the

Table 1. Comparison between the previous encoding techniques and $w$-NIBNAF: percentage of $-1$s, percentage of $0$s and percentage of $1$s for balanced ternary, 1-NIBNAF, 2-NAF and 2-NIBNAF (the numeric entries of the table are not reproduced in this transcription).

Fig. 4. Plot of $\log_2(\#\text{coeff})$ on the vertical axis against the respective value of the coefficient on the horizontal axis for the result of a multiplication of two $w$-NIBNAF encodings of random numbers in $[-2^{40}, 2^{40}]$, one panel per window size $w$.

leading coefficient; further zero coefficients are not counted. When we compare the percentages of $-1$, $0$ and $1$ coefficients occurring in 1-NIBNAF and balanced ternary in Table 1 we see that for the balanced ternary representation the occurrences of $-1$, $0$ and $1$ coefficients are approximately the same, while for 1-NIBNAF the occurrence of 0 coefficients is bigger than the occurrence of 1 and $-1$ coefficients. Hence we can conclude that the encodings with this new base will be sparser than the balanced ternary encodings even though the window size is equal. For 2-NIBNAF we also see an improvement in terms of sparseness of the encoding compared to 2-NAF.

The next step is to investigate what happens to the coefficients when we multiply two encodings. From Figure 4 we see that when $w$ increases the maximal size of the resulting coefficients becomes smaller. So the plots confirm the expected result that sparser encodings lead to a reduction in the size of the resulting coefficients after one multiplication.
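The following added Python example (not from the paper) evaluates the sum $B_w(d, p)$ of Lemma 3, checks it against a brute-force product of the extremal sequence $m = 1 + X^w + \cdots + X^{\lfloor d/w \rfloor w}$ from its proof sketch, and compares it with the quasi-polynomials and the two approximations of Section 3.2. Function names are my own; it goes a little beyond the text by exercising every $p \leq 8$ for several $(d, w)$ and by showing where the $\sqrt{6/(\pi p)}\, n^{p-1}$ approximation stops being an upper bound ($n \leq p/2$).

```python
from math import comb, pi, sqrt


def B(d, w, p):
    """Lemma 3: central coefficient of (1 + X^w + ... + X^{qw})^p with q = floor(d/w),
    i.e. n = q + 1 non-zero digits, via inclusion-exclusion on compositions."""
    q = d // w
    n = q + 1
    m = (q * p) // 2                      # index of a central coefficient of m^p
    return sum((-1) ** k * comb(p, k) * comb(p - 1 + m - k * n, p - 1)
               for k in range(m // n + 1))


def poly_mul(u, v):
    """Schoolbook product of two integer coefficient lists."""
    out = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        if a:
            for j, b in enumerate(v):
                out[i + j] += a * b
    return out


def brute_force_B(d, w, p):
    """Largest coefficient of m^p for m = 1 + X^w + X^{2w} + ... + X^{qw}."""
    q = d // w
    m = [1 if i % w == 0 else 0 for i in range(q * w + 1)]
    prod = [1]
    for _ in range(p):
        prod = poly_mul(prod, m)
    return max(prod)


def quasi_polynomial(n, p):
    """Closed forms of Section 3.2 in n = floor(d/w) + 1, for p <= 8 (exact integers)."""
    s = (-1) ** n
    table = {
        1: 1,
        2: n,
        3: (6 * n**2 + 1 - s) // 8,
        4: (2 * n**3 + n) // 3,
        5: (230 * n**4 + 70 * n**2 + 27 - s * (30 * n**2 + 27)) // 384,
        6: (11 * n**5 + 5 * n**3 + 4 * n) // 20,
        7: (11774 * n**6 + 4235 * n**4 + 2261 * n**2 + 1125
            - s * (1155 * n**4 + 1365 * n**2 + 1125)) // 23040,
        8: (151 * n**7 + 70 * n**5 + 49 * n**3 + 45 * n) // 315,
    }
    return table[p]


def approx_B(n, p):
    """sqrt(6/(pi p)) n^{p-1}: experimentally an upper bound for p > 2 once n > p/2."""
    return sqrt(6 / (pi * p)) * n ** (p - 1)


def guaranteed_bound(n, p):
    """sqrt(6/(pi p (n^2 - 1))) n^p: the guaranteed upper bound for p > 2."""
    return sqrt(6 / (pi * p * (n * n - 1))) * n ** p


if __name__ == "__main__":
    d, w = 12, 3                            # n = 5 non-zero digits at most
    for p in range(1, 9):
        n = d // w + 1
        print(p, B(d, w, p), brute_force_B(d, w, p), quasi_polynomial(n, p),
              round(approx_B(n, p), 1), round(guaranteed_bound(n, p), 1))
```

The brute-force column agrees with the closed form because the extremal sequence is exactly the one the lemma is built on; the log of the last two columns is what Figure 6 plots as the worst-case bound, and the gap to the average coefficient observed on random encodings is the slack that Section 4 exploits.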

Fig. 5. Plot of the $\log_2$ of the maximum of the absolute value of the coefficient of $x^i$ on the vertical axis against $i$ on the horizontal axis, for 1 to 5 multiplications, one panel per window size $w$.

Next, we investigate the behaviour for an increasing amount of multiplications. In Figure 5 one observes that for a fixed number of multiplications the maximum coefficient, considering all coefficients in the resulting polynomial, decreases as $w$ increases, and the maximum degree of the polynomial increases as $w$ increases. This confirms that increasing the degree of the polynomial, in order to make it more sparse, has the desirable effect of decreasing the size of the coefficients. Figure 5 also shows that based on the result of one multiplication we can even estimate the maximum value of the average coefficients of $x^i$ for a specific number of multiplications by scaling the result for one multiplication. To summarize, we plot the number of bits of the maximum coefficient of the polynomial that is the result of a certain fixed amount of multiplications as a function of $w$ in Figure 6. From this figure we clearly see that the maximal coefficient decreases when $w$ increases and hence the original encoding polynomial is sparser. In addition we see that the effect of the sparseness of the encoding on the size of the resulting maximal coefficient is bigger when the amount of multiplications increases. However, the gain of sparser encodings decreases as $w$ becomes bigger. Furthermore, Figure 6 shows that the bound given in Lemma 3 is much bigger than the average upper bound we get from 1… samples.

Remark 4. Since the $w$-NIBNAF encodings produced by Algorithm 1 applied to $N$ and $-N$ are obtained from one another by changing all the signs, the coefficients 1 and $-1$ must be distributed evenly, as we indeed observe.
This is good, because it typically leads to the maximal amount of cancellation possible during computation. While this does not affect our worst case analysis from Section 3.1, in practice, where the worst cases are extremely unlikely, this allows for a considerable reduction of the size of the coefficient modulus $t$. This is

implicitly used in the next section. If in some application the input encodings happen to be biased towards 1 or $-1$ then it might help to work with respect to the negative base $-b_w < -1$, by switching the signs of all the digits that appear at an odd index.

Fig. 6. Plot of the $\log_2$ of the maximum coefficient of the resulting polynomial on the vertical axis against $w$ on the horizontal axis: the average coefficient and the upper bound for 1 to 5 multiplications.

4 Practical impact

The size of the plaintext modulus might have a significant impact on the performance of a homomorphic algorithm. In this section we demonstrate that switching to using $w$-NIBNAF encodings enhances the practical performance of a homomorphic forecasting algorithm by a factor 13.

Being evaluated homomorphically, any arithmetic circuit encounters the following constraints while using polynomial encodings of real numbers. The first constraint comes from the correctness requirement of an underlying SHE scheme. Namely, the noise inside the ciphertext should not exceed some level during the computations, otherwise decryption fails. In this context, an increase to the plaintext modulus expands the noise and this places an upper bound on the possible $t$ which can be used. The second constraint does not relate to SHE but to the circuit itself. After any arithmetic operation the polynomial coefficients tend to grow. Given that fact, one should take a big enough plaintext modulus in order to prevent or mitigate possible wrapping around modulo $t$. This determines the lower bound on the range of possible values of $t$. In practice, for deep enough circuits these two constraints cannot be satisfied simultaneously, i.e. there is no interval from which $t$ can be chosen. However, the plaintext space $R_t$ can be split into smaller rings $R_{t_1}, \ldots, R_{t_k}$ with $t = \prod_{i=1}^k t_i$ using the Chinese

Remainder Theorem (CRT). This technique [6] allows us to take the modulus big enough for correct evaluation of the circuit and then perform $k$ threads of the homomorphic algorithm over $\{R_{t_i}\}_i$. As a result, these $k$ output polynomials will be combined into the final output, again by CRT. This approach needs $k$ times more memory and time than the case of a single modulus. Hence, the problem is how to reduce the number of factors of $t$.

The plaintext modulus can be defined for any arithmetic circuit using the worst case scenario in which the final output has the maximal possible coefficient. However, this case occurs in practice with a negligible probability that decreases for circuits of a bigger multiplicative depth. In this section we show that for practical applications one can take $t$ to be smaller than that given by the worst case. This is based on the fact that for a given $t$ one can approximate the probability of a circuit evaluating incorrectly. This probability becomes negligible for a large enough plaintext modulus. Moreover, we can allow some coefficients to wrap around modulo $t$ with no harm to the final results as long as they are one of the least significant coefficients of the fractional part.

One of the experimental environments recently studied in the SHE setting [4,9,17] is that of artificial neural networks (ANNs). Being a statistical tool, ANNs often deal with real numbers. Thus, for homomorphic evaluation they need to convert real input values and internal parameters into elements of the plaintext space of an underlying SHE scheme. The main obstacle to the SHE-friendly use of ANNs consists in the highly non-linear functions inherent within their structure. One way to overcome this problem is to replace those non-linear functions with quadratic polynomials [17] such that the resulting network will be expressed by a polynomial with a reasonable degree. Proposed in 1970 [], the group method of data handling (GMDH) addresses the fitting task as well.
In addition, it has a simpler structure than ANNs, avoiding many additions during evaluation. Recently this method was applied in the homomorphic setting together with the balanced ternary expansion [4] in order to forecast electricity consumption using smart meters. Due to the fact that 8 percent of electricity meter devices in the European Union should be replaced with smart meters by , this application may mitigate some emerging privacy and efficiency issues.

4.1 The group method of data handling (GMDH)

The basic version of the GMDH algorithm consists in creating a neural network-like structure (see Figure 7) where each node contains a bivariate quadratic polynomial

$\nu_{ij} : \mathbb{R}^2 \to \mathbb{R} : (x, y) \mapsto b_{ij0} + b_{ij1} x + b_{ij2} y + b_{ij3} xy + b_{ij4} x^2 + b_{ij5} y^2.$

Indeed, each node has only two input parameters, which is the main simplification in comparison with conventional ANNs. The output node is expressed by a polynomial that approximates the target function depending on data points $x_1, \ldots, x_n$. Henceforth, we refer to such a structure as the GMDH network.

[Figure 7: inputs $x_1, \ldots, x_n$ feed layer 1 (nodes $\nu_{11}, \ldots, \nu_{1 n_1}$), layer 2 (nodes $\nu_{21}, \ldots, \nu_{2 n_2}$), ..., layer r (nodes $\nu_{r1}, \ldots$), and finally the output node $\nu_{r+1,1}$, a polynomial of degree $2^{r+1}$.]

Fig. 7. GMDH network.

The learning algorithm constructs the GMDH network layer by layer in the following way. Before starting the learning process one should set up the number of nodes $n_i$ for each layer and an error function that will help to sort nodes. Those prerequisites are often called hyperparameters. Then the learning algorithm looks for the polynomial coefficients $b_{ijk}$ of each node of the next layer using the output of the previous one. For the first layer the algorithm constructs nodes corresponding to all pairs of input values. Each node represents the linear regression problem determined by the equation $O = bA + e$, where $A = (1, x, y, xy, x^2, y^2)$, $b = (b_{ij0}, b_{ij1}, b_{ij2}, b_{ij3}, b_{ij4}, b_{ij5})$, O is the expected output and e is a random noise. The coefficient vector b can be found with standard statistical tools, e.g. the least squares method. As a result, every node has an assigned output of its polynomial together with the corresponding error estimation. According to this error one excludes the worst $\binom{n_{i-1}}{2} - n_i$ nodes to build the layer. As already stated, this procedure is then repeated for the next layer.

4.2 Experimental setup

To perform experiments we followed the same framework as in [4]. We use real world measurements obtained from the smart meter electricity trials performed in Ireland [1]. This dataset [1] contains observed electricity consumption over 5 residential and commercial buildings during 3 minute intervals. We used aggregated consumption data of 1 buildings. Given previous consumption data with some additional information, the GMDH network has the goal of predicting electricity demand for the next time period. In particular, it requires 51 input parameters: the 48 previous measurements plus the day of the week, the month and the temperature. The number of hidden layers r is equal to 3 with 8, 4, nodes, respectively (as specified and used in [4]).
A single output node provides the electricity consumption prediction for the next half hour.

We encode the input data, given as fixed-point numbers, using approximate w-NIBNAF representations with a fixed number of integer and fractional digits. When increasing the window size w one should take into account that the precision of the corresponding encodings changes as well. To maintain the same accuracy of the algorithm it is important to keep the precision fixed, hence for bigger w's the smaller base $b_w$ may cause an overflow in the number of integer digits needed for an encoding. Thus, one should increase the number of coefficients used by an encoding. Starting with the balanced ternary expansion (BTE) and NAF expansions, for any $w >$ , the numbers $l_i^{(w)}$ and $l_f^{(w)}$ of integer and fractional digits should be expanded according to the following formula

$l_i^{(w)} = (l_i^{(BTE)} - 1) \log_{b_w} 3 + 1, \qquad l_f^{(w)} = \log_{b_w} e_f,$

where $e_f$ is the maximal error of an approximate w-NIBNAF representation such that the prediction algorithm preserves the same accuracy. Empirically we found that the GMDH network demonstrates reasonable absolute and relative errors when $l_i^{(BTE),in} = 4$ and $e_f^{in} = 1$ for the input and $l_i^{(BTE),pol} =$ and $e_f^{pol} = .3$ for the polynomial coefficients of $\nu_{ij}$.

Finally, we set the polynomial ring $R_t = \mathbb{Z}_t[X]/(X^d + 1)$ according to the security level 8 of the underlying SHE scheme (in this case the scheme due to Fan and Vercauteren [18] is used). The degree of the ring constrains the multiplicative depth of the algorithm. In particular, the integer and fractional parts may juxtapose because the maximal positions of non-zero integer and fractional coefficients come closer together after each multiplication. Once the integer and fractional parts have started to overlap it is no longer possible to decode correctly.

4.3 Results

The results reported in this section are obtained running the same software and hardware as in [4]: namely, the FV-NFLlib software library [15] running on a laptop equipped with an Intel Core i5-347u CPU running at 1.8GHz. We performed 856 runs of the GMDH algorithm with BTE, NAF and 95-NIBNAF. The last expansion is with the maximal possible w such that the resulting output polynomial still has discernible integer and fractional parts.
Correct evaluation of the prediction algorithm requires the plaintext modulus to be bigger than the maximal coefficient of the resulting polynomial. This lower bound for t can be deduced either from the maximal coefficient appearing after any run or, in case of a known distribution of coefficient values, from the mean and the standard deviation. In both cases increasing window sizes reduce the bound, as depicted in Figure 8. Since negative encoding coefficients are used, 95-NIBNAF demands a plaintext modulus of 7 bits, which is almost 6 times smaller than for BTE and NAF.

As expected, w-NIBNAF encodings have longer expansions for bigger w's and that disrupts the decoding procedure in [4,14]. Namely, they naively split the resulting polynomial into two parts of equal size. As one can observe in Figure 8, using 95-NIBNAF, decoding in this manner will not give correct results.

[Figure 8: size in binary bits of each coefficient of the resulting polynomial against the coefficient index (0 to 4,95); the integer part lies at the low indices and the fractional part at the high indices; curves show the mean and the maximum for BTE, NAF and 95-NIBNAF.]

Fig. 8. The mean and the maximal size per coefficient of the resulting polynomial.

Instead, the splitting index $i_s$ should be shifted towards zero, i.e. to 385. To be specific, $i_s$ lies in the following interval implied by [4, Lemma 1]:

$i_s \in [\, d_i + 1,\; d - d_f \,], \quad \text{where } d_i = 2^{r+1}\big(l_i^{(w),in} + l_i^{(w),pol}\big) - l_i^{(w),pol} \text{ and } d_f = 2^{r+1}\big(l_f^{(w),in} + l_f^{(w),pol}\big) - l_f^{(w),pol}.$

Indeed, this is the worst case estimation, which results in the maximal w = 74 for the current network configuration.

One can notice that the impact of lower coefficients of the fractional part might be much smaller than the precision required by an application. In our use case the prediction value should be precise up to $e_f^{in} = 1$. We denote the aggregated sum of lower coefficients multiplied by the corresponding powers of the w-NIBNAF base as

$L(j) = \sum_{i = i_s}^{j-1} a_i\, b_w^{\,i-d}.$

Then the omitted fractional coefficients $a_i$ should satisfy $L(i_c) < 1$, where $i_c$ is the index after which coefficients are ignored. To find $i_c$ we computed $L(j)$ for every index j of the fractional part and stored those sums for each run of the algorithm. For fixed j the distribution of $L(j)$ is bimodal with mean $\mu_{L(j)}$ and standard deviation $\sigma_{L(j)}$ (see Figure 9). Despite the fact that this unknown distribution is not normal, we naively approximate the prediction interval $[\mu_{L(j)} - 6\sigma_{L(j)},\ \mu_{L(j)} + 6\sigma_{L(j)}]$ that will contain the future observation with high probability. It seems to be a plausible guess in this application because all observed $L(j)$ fall into that region with a big overestimate, according to Figure 9. Therefore $i_c$ is equal to the maximal j that satisfies $\tau(j) < 1$, where

$\tau(j) = \max\big(|\mu_{L(j)} - 6\sigma_{L(j)}|,\ |\mu_{L(j)} + 6\sigma_{L(j)}|\big).$
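The selection rule just described (compute $L(j)$ per run, take the naive $\mu \pm 6\sigma$ interval, pick the largest j whose $\tau(j)$ stays under the required precision, then size t from the coefficients that are kept) as an added example in Python; it is not code from the paper. The runs, the ring degree, the base and the weight convention (fractional digit $X^{-k}$ stored at index $d-k$) are constructed assumptions, not the paper's parameters.

```python
"""Choosing the truncation index i_c of the fractional part (Section 4.3).

Added example; not code from the paper. Per-run coefficient vectors are
constructed at random as a stand-in for the GMDH output polynomials.
"""
import math
import random
from statistics import mean, pstdev

# Toy parameters (constructed; the paper works in a ring of degree 4096).
D = 256        # ring degree, coefficient indices 0 .. D-1
I_S = 24       # splitting index: indices >= I_S hold the fractional part
BASE = 1.05    # stand-in for the non-integral base b_w
EPS = 1e-2     # precision the prediction has to keep


def fractional_loss(coeffs, j, i_s=I_S, d=D, base=BASE):
    """L(j): value carried by the dropped fractional coefficients a_i, i_s <= i < j.

    Assumed convention: the fractional digit X^{-k} is stored at index d - k,
    so the coefficient at index i has weight base**(i - d).
    """
    return sum(coeffs[i] * base ** (i - d) for i in range(i_s, j))


def tau(samples):
    """Farthest edge of the naive prediction interval [mu - 6 sigma, mu + 6 sigma]."""
    mu, sigma = mean(samples), pstdev(samples)
    return max(abs(mu - 6 * sigma), abs(mu + 6 * sigma))


def truncation_index(runs, eps=EPS, i_s=I_S, d=D, base=BASE):
    """i_c: the largest j in [i_s, d] with tau(j) < eps over the observed runs.

    Coefficients a_j with i_s <= j < i_c may then wrap around modulo t without
    moving the decoded prediction by more than eps.
    Returns None when even dropping nothing (j = i_s, L = 0) fails the test.
    """
    i_c = None
    for j in range(i_s, d + 1):
        if tau([fractional_loss(run, j, i_s, d, base) for run in runs]) < eps:
            i_c = j
    return i_c


def modulus_bits(runs, i_c, i_s=I_S):
    """Bits of plaintext modulus t needed by the coefficients that must not wrap:
    the integer part (index < i_s) and the kept fractional part (index >= i_c).
    Coefficients are signed, so t has to exceed twice the largest magnitude."""
    largest = max(abs(c) for run in runs for i, c in enumerate(run)
                  if i < i_s or i >= i_c)
    return math.ceil(math.log2(2 * largest + 1))


def simulate_runs(n_runs, seed=1, d=D):
    """Constructed stand-in for the output polynomials of n_runs GMDH evaluations:
    sparse signed coefficients whose magnitude grows with the index."""
    rng = random.Random(seed)
    runs = []
    for _ in range(n_runs):
        run = [0] * d
        for i in range(d):
            if rng.random() < 0.3:
                bound = 1 + i // 8
                run[i] = rng.randint(-bound, bound)
        runs.append(run)
    return runs


if __name__ == "__main__":
    runs = simulate_runs(50)
    i_c = truncation_index(runs)
    print("i_c =", i_c)
    print("tau(i_c) =", tau([fractional_loss(r, i_c) for r in runs]))
    print("plaintext modulus needs", modulus_bits(runs, i_c), "bits")
```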
As Figure 10 shows, $i_c$ is equal to 3388. Thus, the precision setting allows an overflow in any fractional coefficient $a_j$ for $j < 3388$. The final goal is to provide the bound on t which is bigger than any $a_j$ for $j \ge 3388$. Since the explicit distributions of coefficients are unknown and seem to vary among different indices, we rely in our analysis on the maximal coefficients occurring among all runs. Hence, the plaintext modulus should be bigger than $\max_{j \ge 3388} \{a_j\}$ over all resulting polynomials. Looking back at Figure 8, one can find t.

[Figure 9: histogram of the occurrences of $L(35)$ over the runs, with the approximated prediction interval marked in red.]

Fig. 9. The distribution of $L(35)$ over 856 runs of the GMDH algorithm and an approximation of its prediction interval (in red).

[Figure 10: $\tau(j)$ against j, with j ranging over the fractional part around 3,388.]

Fig. 10. The expected precision loss after ignoring fractional coefficients less than j.

[Table 2: columns t, CRT factors, timing for one run (s); rows 95-NIBNAF, BTE (this paper), BTE [4]; the numerical entries are not legible.]

Table 2. GMDH implementation with 95-NIBNAF and BTE [4].

As mentioned at the beginning of Section 4, t is constrained in two ways: by the circuit and by the SHE correctness requirements. Now we bound the modulus according to SHE. In our setup, the FV scheme with 8 bits of security, the ring degree 496 and the standard deviation of noise 1 requires t 396 [4].

We compare our approach to the previous GMDH implementation in Table 2. As one can notice, 95-NIBNAF with the chopped fractional part does not need a CRT trick and requires a single modulus, which reduces the timings in the sequential mode by 13 times. In the parallel mode it implies that a 13 times smaller amount of memory is needed to hold the encrypted results.

Additionally, these plaintext moduli are much smaller than the worst case estimation from Section 3.1. For 95-NIBNAF we take $d \in [54, 81]$ according to the encoding degrees of input data and network coefficients. Any such encoding contains only one non-zero coefficient. Consequently, any product of those encodings has only one non-zero coefficient, which is equal to 1. When all monomials of the GMDH polynomial result in an encoding with the same index of a non-zero coefficient, the maximal possible coefficient of the output encoding will occur. In this case the maximal coefficient is equal to the evaluation of the GMDH network with all input data and network coefficients being just 1. It leads to $t =$ .
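The two ways of meeting the lower bound on t discussed in Section 4, the CRT split of $R_t$ into $R_{t_1}, \ldots, R_{t_k}$ with k separate evaluations versus a single modulus large enough for every coefficient, as an added Python example that is not code from the paper or from FV-NFLlib. It evaluates one GMDH node $\nu_{ij}$ on plaintext polynomials in $\mathbb{Z}_t[X]/(X^d+1)$ with a constructed toy degree d = 16 and constructed encodings; no encryption is involved, since coefficient wrap-around modulo t is the same inside an FV ciphertext.

```python
"""Plaintext-CRT evaluation of one GMDH node over R_t = Z_t[X]/(X^d + 1).

Added example; not code from the paper or from FV-NFLlib. Plaintext
polynomials only: the wrap-around of coefficients modulo t, which is what
the lower bound on t is about, behaves identically under encryption.
"""
from functools import reduce
from math import prod

D = 16  # toy ring degree (constructed; the paper uses 4096)


def poly_mul(a, b, t=None, d=D):
    """Product in Z[X]/(X^d + 1): X^d wraps to -1. Reduced mod t if t is given."""
    res = [0] * d
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < d:
                res[i + j] += ai * bj
            else:
                res[i + j - d] -= ai * bj
    return [c % t for c in res] if t else res


def poly_add(a, b, t=None):
    res = [x + y for x, y in zip(a, b)]
    return [c % t for c in res] if t else res


def gmdh_node(b, x, y, t=None):
    """nu_ij(x, y) = b0 + b1 x + b2 y + b3 xy + b4 x^2 + b5 y^2, with every b_k,
    x and y given as encoding polynomials. t=None computes over Z, i.e. the
    result a modulus large enough for all coefficients would give."""
    terms = [
        b[0],
        poly_mul(b[1], x, t),
        poly_mul(b[2], y, t),
        poly_mul(b[3], poly_mul(x, y, t), t),
        poly_mul(b[4], poly_mul(x, x, t), t),
        poly_mul(b[5], poly_mul(y, y, t), t),
    ]
    return reduce(lambda p, q: poly_add(p, q, t), terms)


def crt(residues, moduli):
    """x mod prod(moduli) from x mod t_i, for pairwise coprime t_i."""
    t = prod(moduli)
    x = 0
    for r, ti in zip(residues, moduli):
        mi = t // ti
        x += r * mi * pow(mi, -1, ti)
    return x % t


def centred(c, t):
    """Lift a residue in [0, t) to the symmetric range, since encodings are signed."""
    return c - t if c > t // 2 else c


def evaluate_split(b, x, y, moduli):
    """The CRT trick of Section 4: run the circuit once per t_i (k threads and
    k times the memory), recombine coefficient-wise, then lift to signed values."""
    per_modulus = [gmdh_node(b, x, y, ti) for ti in moduli]
    t = prod(moduli)
    return [centred(crt([r[i] for r in per_modulus], moduli), t) for i in range(D)]


def modulus_lower_bound(exact):
    """Smallest t for which no signed coefficient of `exact` wraps around."""
    return 2 * max(abs(c) for c in exact) + 1


def const(c, d=D):
    return [c] + [0] * (d - 1)


# Constructed toy encodings: x = 1 + X + X^2 + X^3, y = 1 - X^2, and the node's
# six coefficients as constant polynomials. Real w-NIBNAF encodings are sparser
# and far longer; only the wrap-around behaviour matters here.
X_ENC = [1, 1, 1, 1] + [0] * (D - 4)
Y_ENC = [1, 0, -1] + [0] * (D - 3)
B_ENC = [const(1), const(1), const(-1), const(1), const(2), const(1)]

if __name__ == "__main__":
    exact = gmdh_node(B_ENC, X_ENC, Y_ENC)
    print("exact:", exact, "needs t >=", modulus_lower_bound(exact))
    print("t = 7*11*13 via CRT:", evaluate_split(B_ENC, X_ENC, Y_ENC, [7, 11, 13]))
    print("single t = 7 (too small):", evaluate_split(B_ENC, X_ENC, Y_ENC, [7]))
```

With the three coprime factors the recombined result matches the exact one, while the single modulus 7 falls below the bound of 19 and silently corrupts the coefficients of degree 3 and above.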

5 Conclusions

We have presented a generic technique to encode fixed-point numbers using a non-integral base. This encoding technique is especially suitable for use when evaluating homomorphic functions since it utilizes the large degree of the defining polynomial imposed by the security requirements. This leads to a considerably smaller growth of the coefficients and allows one to reduce the size of the plaintext modulus significantly, resulting in faster implementations. We show that in the setting studied in [4], where somewhat homomorphic function evaluation is used to achieve a privacy-preserving electricity forecast algorithm, the plaintext modulus can be reduced from 13 when using a balanced ternary expansion encoding, to when using the encoding method introduced in this paper (non-integral base non-adjacent form with window size w), see Table 2. This smaller plaintext modulus means a factor 13 decrease in the running time of this privacy-preserving forecasting algorithm, closing the gap even further to making this approach suitable for industrial applications in the smart grid.

References

1. M. R. Albrecht. On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. Cryptology ePrint Archive, Report 17/47, 17. http://eprint.iacr.org/17/47.
2. I. Aliev. Siegel's lemma and sum-distinct sets. Discrete Comput. Geom., 39(1-3):59–66.
3. E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange – a new hope. In Proceedings of the 5th USENIX Security Symposium. USENIX Association.
4. J. W. Bos, W. Castryck, I. Iliashenko, and F. Vercauteren. Privacy-friendly forecasting for the smart grid using homomorphic encryption and the group method of data handling (to appear). In M. Joye and A. Nitaj, editors, Africacrypt 17, LNCS. Springer.
5. J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In 15 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society.
6. J. W. Bos, K. Lauter, J. Loftus, and M. Naehrig. Improved security for a ring-based fully homomorphic encryption scheme. In M. Stam, editor, Cryptography and Coding 13, volume 838 of Lecture Notes in Computer Science. Springer.
7. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In S. Goldwasser, editor, ITCS 1. ACM, Jan.
8. Z. Brakerski and V. Vaikuntanathan. Fully homomorphic encryption from ring-LWE and security for key dependent messages. In P. Rogaway, editor, CRYPTO 11, volume 6841 of LNCS. Springer, Heidelberg, Aug.
9. H. Chabanne, A. de Wargny, J. Milgram, C. Morel, and E. Prouff. Privacy-preserving classification on deep neural network. Cryptology ePrint Archive, Report 17/35, 17. http://eprint.iacr.org/17/35.
10. J. H. Cheon, A. Kim, M. Kim, and Y. Song. Homomorphic encryption for arithmetic of approximate numbers. Cryptology ePrint Archive, Report 16/41, 16. http://eprint.iacr.org/16/41.
11. H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. In K. Ohta and D. Pei, editors, Advances in Cryptology – ASIACRYPT '98, volume 1514 of LNCS. Springer.
12. Commission for Energy Regulation. Electricity smart metering customer behaviour trials (CBT) findings report. Technical Report CER118a, 11. http://www.cer.ie/docs/34/cer118a(i).pdf.
13. A. Costache, N. P. Smart, and S. Vivek. Faster homomorphic evaluation of Discrete Fourier Transforms. IACR Cryptology ePrint Archive.
14. A. Costache, N. P. Smart, S. Vivek, and A. Waller. Fixed point arithmetic in SHE schemes. In Selected Areas in Cryptography – SAC 16, LNCS. Springer.
15. CryptoExperts. FV-NFLlib. https://github.com/CryptoExperts/FV-NFLlib.
16. N. Dowlin, R. Gilad-Bachrach, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing. Manual for using homomorphic encryption for bioinformatics. Technical report MSR-TR-15-87, Microsoft Research.
17. N. Dowlin, R. Gilad-Bachrach, K. Laine, K. E. Lauter, M. Naehrig, and J. Wernsing. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In M. Balcan and K. Q. Weinberger, editors, International Conference on Machine Learning, volume 48, pages 11. JMLR.org.
18. J. Fan and F. Vercauteren. Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 1:144.
19. C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, editor, 41st ACM STOC. ACM Press, May/June 9.
20. N. Göttert, T. Feller, M. Schneider, J. Buchmann, and S. A. Huss. On the design of hardware building blocks for modern lattice-based encryption schemes. In E. Prouff and P. Schaumont, editors, CHES 1, volume 748 of LNCS. Springer, Heidelberg, Sept.
21. T. Güneysu, T. Oder, T. Pöppelmann, and P. Schwabe. Software speed records for lattice-based signatures. In P. Gaborit, editor, PQCrypto 13, volume 793 of LNCS, pages 678. Springer, 13.
22. A. Ivakhnenko. Heuristic self-organization in problems of engineering cybernetics. Automatica, 6():7–19.
23. K. E. Lauter, A. López-Alt, and M. Naehrig. Private computation on encrypted genomic data. In D. F. Aranha and A. Menezes, editors, LATINCRYPT 14, volume 8895 of LNCS, pages 37. Springer, Heidelberg, Sept.
24. A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 61:515–534.
25. V. Lyubashevsky, D. Micciancio, C. Peikert, and A. Rosen. SWIFFT: A modest proposal for FFT hashing. In K. Nyberg, editor, FSE 8, volume 586 of LNCS, pages 547. Springer, Heidelberg, Feb.
26. M. Naehrig, K. E. Lauter, and V. Vaikuntanathan. Can homomorphic encryption be practical? In C. Cachin and T. Ristenpart, editors, ACM Cloud Computing Security Workshop (CCSW). ACM.
27. T. Pöppelmann and T. Güneysu. Towards practical lattice-based public-key encryption on reconfigurable hardware. In T. Lange, K. Lauter, and P. Lisonek, editors, SAC 13, volume 88 of LNCS. Springer, Heidelberg, Aug.


Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2, MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write

More information

Estimation of the large covariance matrix with two-step monotone missing data

Estimation of the large covariance matrix with two-step monotone missing data Estimation of the large covariance matrix with two-ste monotone missing data Masashi Hyodo, Nobumichi Shutoh 2, Takashi Seo, and Tatjana Pavlenko 3 Deartment of Mathematical Information Science, Tokyo

More information

Positive decomposition of transfer functions with multiple poles

Positive decomposition of transfer functions with multiple poles Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.

More information

On split sample and randomized confidence intervals for binomial proportions

On split sample and randomized confidence intervals for binomial proportions On slit samle and randomized confidence intervals for binomial roortions Måns Thulin Deartment of Mathematics, Usala University arxiv:1402.6536v1 [stat.me] 26 Feb 2014 Abstract Slit samle methods have

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

Round-off Errors and Computer Arithmetic - (1.2)

Round-off Errors and Computer Arithmetic - (1.2) Round-off Errors and Comuter Arithmetic - (.). Round-off Errors: Round-off errors is roduced when a calculator or comuter is used to erform real number calculations. That is because the arithmetic erformed

More information

Heuristics on Tate Shafarevitch Groups of Elliptic Curves Defined over Q

Heuristics on Tate Shafarevitch Groups of Elliptic Curves Defined over Q Heuristics on Tate Shafarevitch Grous of Ellitic Curves Defined over Q Christohe Delaunay CONTENTS. Introduction 2. Dirichlet Series and Averages 3. Heuristics on Tate Shafarevitch Grous References In

More information

Analysis of some entrance probabilities for killed birth-death processes

Analysis of some entrance probabilities for killed birth-death processes Analysis of some entrance robabilities for killed birth-death rocesses Master s Thesis O.J.G. van der Velde Suervisor: Dr. F.M. Sieksma July 5, 207 Mathematical Institute, Leiden University Contents Introduction

More information

DISCRIMINANTS IN TOWERS

DISCRIMINANTS IN TOWERS DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will

More information

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES AARON ZWIEBACH Abstract. In this aer we will analyze research that has been recently done in the field of discrete

More information

Statics and dynamics: some elementary concepts

Statics and dynamics: some elementary concepts 1 Statics and dynamics: some elementary concets Dynamics is the study of the movement through time of variables such as heartbeat, temerature, secies oulation, voltage, roduction, emloyment, rices and

More information

Estimating Time-Series Models

Estimating Time-Series Models Estimating ime-series Models he Box-Jenkins methodology for tting a model to a scalar time series fx t g consists of ve stes:. Decide on the order of di erencing d that is needed to roduce a stationary

More information

Probability Estimates for Multi-class Classification by Pairwise Coupling

Probability Estimates for Multi-class Classification by Pairwise Coupling Probability Estimates for Multi-class Classification by Pairwise Couling Ting-Fan Wu Chih-Jen Lin Deartment of Comuter Science National Taiwan University Taiei 06, Taiwan Ruby C. Weng Deartment of Statistics

More information

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0 Advanced Finite Elements MA5337 - WS7/8 Solution sheet This exercise sheets deals with B-slines and NURBS, which are the basis of isogeometric analysis as they will later relace the olynomial ansatz-functions

More information

substantial literature on emirical likelihood indicating that it is widely viewed as a desirable and natural aroach to statistical inference in a vari

substantial literature on emirical likelihood indicating that it is widely viewed as a desirable and natural aroach to statistical inference in a vari Condence tubes for multile quantile lots via emirical likelihood John H.J. Einmahl Eindhoven University of Technology Ian W. McKeague Florida State University May 7, 998 Abstract The nonarametric emirical

More information

Efficient Hardware Architecture of SEED S-box for Smart Cards

Efficient Hardware Architecture of SEED S-box for Smart Cards JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes

More information

GIVEN an input sequence x 0,..., x n 1 and the

GIVEN an input sequence x 0,..., x n 1 and the 1 Running Max/Min Filters using 1 + o(1) Comarisons er Samle Hao Yuan, Member, IEEE, and Mikhail J. Atallah, Fellow, IEEE Abstract A running max (or min) filter asks for the maximum or (minimum) elements

More information

Topic 7: Using identity types

Topic 7: Using identity types Toic 7: Using identity tyes June 10, 2014 Now we would like to learn how to use identity tyes and how to do some actual mathematics with them. By now we have essentially introduced all inference rules

More information

AR PROCESSES AND SOURCES CAN BE RECONSTRUCTED FROM. Radu Balan, Alexander Jourjine, Justinian Rosca. Siemens Corporation Research

AR PROCESSES AND SOURCES CAN BE RECONSTRUCTED FROM. Radu Balan, Alexander Jourjine, Justinian Rosca. Siemens Corporation Research AR PROCESSES AND SOURCES CAN BE RECONSTRUCTED FROM DEGENERATE MIXTURES Radu Balan, Alexander Jourjine, Justinian Rosca Siemens Cororation Research 7 College Road East Princeton, NJ 8 fradu,jourjine,roscag@scr.siemens.com

More information

2 K. ENTACHER 2 Generalized Haar function systems In the following we x an arbitrary integer base b 2. For the notations and denitions of generalized

2 K. ENTACHER 2 Generalized Haar function systems In the following we x an arbitrary integer base b 2. For the notations and denitions of generalized BIT 38 :2 (998), 283{292. QUASI-MONTE CARLO METHODS FOR NUMERICAL INTEGRATION OF MULTIVARIATE HAAR SERIES II KARL ENTACHER y Deartment of Mathematics, University of Salzburg, Hellbrunnerstr. 34 A-52 Salzburg,

More information

Bayesian System for Differential Cryptanalysis of DES

Bayesian System for Differential Cryptanalysis of DES Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,

More information

Galois Fields, Linear Feedback Shift Registers and their Applications

Galois Fields, Linear Feedback Shift Registers and their Applications Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):

More information

EE 508 Lecture 13. Statistical Characterization of Filter Characteristics

EE 508 Lecture 13. Statistical Characterization of Filter Characteristics EE 508 Lecture 3 Statistical Characterization of Filter Characteristics Comonents used to build filters are not recisely redictable L C Temerature Variations Manufacturing Variations Aging Model variations

More information

Multiplicative group law on the folium of Descartes

Multiplicative group law on the folium of Descartes Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of

More information

MATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s,

MATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s, MATH 50: THE DISTRIBUTION OF PRIMES ROBERT J. LEMKE OLIVER For s R, define the function ζs) by. Euler s work on rimes ζs) = which converges if s > and diverges if s. In fact, though we will not exloit

More information

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu

More information

Solving Sparse Integer Linear Systems. Pascal Giorgi. Dali team - University of Perpignan (France)

Solving Sparse Integer Linear Systems. Pascal Giorgi. Dali team - University of Perpignan (France) Solving Sarse Integer Linear Systems Pascal Giorgi Dali team - University of Perignan (France) in collaboration with A. Storjohann, M. Giesbrecht (University of Waterloo), W. Eberly (University of Calgary),

More information

Analysis of execution time for parallel algorithm to dertmine if it is worth the effort to code and debug in parallel

Analysis of execution time for parallel algorithm to dertmine if it is worth the effort to code and debug in parallel Performance Analysis Introduction Analysis of execution time for arallel algorithm to dertmine if it is worth the effort to code and debug in arallel Understanding barriers to high erformance and redict

More information

Chapter 7 Rational and Irrational Numbers

Chapter 7 Rational and Irrational Numbers Chater 7 Rational and Irrational Numbers In this chater we first review the real line model for numbers, as discussed in Chater 2 of seventh grade, by recalling how the integers and then the rational numbers

More information

Genetic Algorithms, Selection Schemes, and the Varying Eects of Noise. IlliGAL Report No November Department of General Engineering

Genetic Algorithms, Selection Schemes, and the Varying Eects of Noise. IlliGAL Report No November Department of General Engineering Genetic Algorithms, Selection Schemes, and the Varying Eects of Noise Brad L. Miller Det. of Comuter Science University of Illinois at Urbana-Chamaign David E. Goldberg Det. of General Engineering University

More information

CDH/DDH-Based Encryption. K&L Sections , 11.4.

CDH/DDH-Based Encryption. K&L Sections , 11.4. CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be

More information

q-ary Symmetric Channel for Large q

q-ary Symmetric Channel for Large q List-Message Passing Achieves Caacity on the q-ary Symmetric Channel for Large q Fan Zhang and Henry D Pfister Deartment of Electrical and Comuter Engineering, Texas A&M University {fanzhang,hfister}@tamuedu

More information

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

John Weatherwax. Analysis of Parallel Depth First Search Algorithms Sulementary Discussions and Solutions to Selected Problems in: Introduction to Parallel Comuting by Viin Kumar, Ananth Grama, Anshul Guta, & George Karyis John Weatherwax Chater 8 Analysis of Parallel

More information

Applicable Analysis and Discrete Mathematics available online at HENSEL CODES OF SQUARE ROOTS OF P-ADIC NUMBERS

Applicable Analysis and Discrete Mathematics available online at   HENSEL CODES OF SQUARE ROOTS OF P-ADIC NUMBERS Alicable Analysis and Discrete Mathematics available online at htt://efmath.etf.rs Al. Anal. Discrete Math. 4 (010), 3 44. doi:10.98/aadm1000009m HENSEL CODES OF SQUARE ROOTS OF P-ADIC NUMBERS Zerzaihi

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr

More information

An Analysis of Reliable Classifiers through ROC Isometrics

An Analysis of Reliable Classifiers through ROC Isometrics An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit

More information

.4. Congruences. We say that a is congruent to b modulo N i.e. a b mod N i N divides a b or equivalently i a%n = b%n. So a is congruent modulo N to an

.4. Congruences. We say that a is congruent to b modulo N i.e. a b mod N i N divides a b or equivalently i a%n = b%n. So a is congruent modulo N to an . Modular arithmetic.. Divisibility. Given ositive numbers a; b, if a 6= 0 we can write b = aq + r for aroriate integers q; r such that 0 r a. The number r is the remainder. We say that a divides b (or

More information

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message

More information

Representing Integers as the Sum of Two Squares in the Ring Z n

Representing Integers as the Sum of Two Squares in the Ring Z n 1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 17 (2014), Article 14.7.4 Reresenting Integers as the Sum of Two Squares in the Ring Z n Joshua Harrington, Lenny Jones, and Alicia Lamarche Deartment

More information

On the smallest point on a diagonal quartic threefold

On the smallest point on a diagonal quartic threefold On the smallest oint on a diagonal quartic threefold Andreas-Stehan Elsenhans and Jörg Jahnel Abstract For the family x = a y +a 2 z +a 3 v + w,,, > 0, of diagonal quartic threefolds, we study the behaviour

More information

MATH 248A. THE CHARACTER GROUP OF Q. 1. Introduction

MATH 248A. THE CHARACTER GROUP OF Q. 1. Introduction MATH 248A. THE CHARACTER GROUP OF Q KEITH CONRAD 1. Introduction The characters of a finite abelian grou G are the homomorhisms from G to the unit circle S 1 = {z C : z = 1}. Two characters can be multilied

More information

Elements of Asymptotic Theory. James L. Powell Department of Economics University of California, Berkeley

Elements of Asymptotic Theory. James L. Powell Department of Economics University of California, Berkeley Elements of Asymtotic Theory James L. Powell Deartment of Economics University of California, Berkeley Objectives of Asymtotic Theory While exact results are available for, say, the distribution of the

More information

CHAPTER-II Control Charts for Fraction Nonconforming using m-of-m Runs Rules

CHAPTER-II Control Charts for Fraction Nonconforming using m-of-m Runs Rules CHAPTER-II Control Charts for Fraction Nonconforming using m-of-m Runs Rules. Introduction: The is widely used in industry to monitor the number of fraction nonconforming units. A nonconforming unit is

More information

MATH 829: Introduction to Data Mining and Analysis Consistency of Linear Regression

MATH 829: Introduction to Data Mining and Analysis Consistency of Linear Regression 1/9 MATH 829: Introduction to Data Mining and Analysis Consistency of Linear Regression Dominique Guillot Deartments of Mathematical Sciences University of Delaware February 15, 2016 Distribution of regression

More information

Introduction Consider a set of jobs that are created in an on-line fashion and should be assigned to disks. Each job has a weight which is the frequen

Introduction Consider a set of jobs that are created in an on-line fashion and should be assigned to disks. Each job has a weight which is the frequen Ancient and new algorithms for load balancing in the L norm Adi Avidor Yossi Azar y Jir Sgall z July 7, 997 Abstract We consider the on-line load balancing roblem where there are m identical machines (servers)

More information

The inverse Goldbach problem

The inverse Goldbach problem 1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the

More information

(Workshop on Harmonic Analysis on symmetric spaces I.S.I. Bangalore : 9th July 2004) B.Sury

(Workshop on Harmonic Analysis on symmetric spaces I.S.I. Bangalore : 9th July 2004) B.Sury Is e π 163 odd or even? (Worksho on Harmonic Analysis on symmetric saces I.S.I. Bangalore : 9th July 004) B.Sury e π 163 = 653741640768743.999999999999.... The object of this talk is to exlain this amazing

More information