Fixed-Point Arithmetic in SHE Schemes

Size: px

Start display at page:

Download "Fixed-Point Arithmetic in SHE Schemes"

Jeffrey O’Brien’
5 years ago
Views:

1 Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016

2 Outline Motivation Encoding integers and fixed-point numbers Lower bounds on ring parameters Application to homomorphic image processing Conclusion

3 Motivation

4 Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

5 Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

6 Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

7 Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

8 Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

9 Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

10 Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

11 Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

12 Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

13 Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

14 Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

15 Problem 1: Encoding data types

16 Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

17 Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

18 Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

19 Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

20 Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

21 Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

22 Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

23 Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

24 Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

25 Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

26 Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

27 Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

28 Encoding fixed-point numbers: Scaled integer encoding Fixed-point number encoded as an integer scaled down by a power of a base B. y = y +.y (q(x ), i), y = q(b) B i, where the integer itself is represented by a balanced base-b encoding. Example: = (X 3 X 2 + 1, 1), when bal. base B = 3.

29 Encoding fixed-point numbers: Scaled integer encoding Fixed-point number encoded as an integer scaled down by a power of a base B. y = y +.y (q(x ), i), y = q(b) B i, where the integer itself is represented by a balanced base-b encoding. Example: = (X 3 X 2 + 1, 1), when bal. base B = 3.

30 Encoding fixed-point numbers: Scaled integer encoding Addition +: (q(x ), i) + (q (X ), i ) =: (Q, I ). (q + q X i i, i) if i > i (Q, I ) = (q + q X i i, i ) if i i. Multiplication : (q(x ), i) (q (X ), i ) = (q(x ) q (X ), i + i ).

31 Encoding fixed-point numbers: Scaled integer encoding Addition +: (q(x ), i) + (q (X ), i ) =: (Q, I ). (q + q X i i, i) if i > i (Q, I ) = (q + q X i i, i ) if i i. Multiplication : (q(x ), i) (q (X ), i ) = (q(x ) q (X ), i + i ).

32 Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

33 Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

34 Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

35 Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

36 Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

37 Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

38 Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

39 Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

40 Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

41 Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

42 Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

43 Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

44 Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

45 Problem 2: bounding size of coefficients

46 Upper bounds on coefficients Problem: compute max. size of coefficients in encodings given circuit description, bounds on input numbers Our contribution: efficient computational procedure to bound arbitrary circuits precisely determining max. values can be very expensive, closed form upper bounds for regular circuits.

47 Upper bounds on coefficients Problem: compute max. size of coefficients in encodings given circuit description, bounds on input numbers Our contribution: efficient computational procedure to bound arbitrary circuits precisely determining max. values can be very expensive, closed form upper bounds for regular circuits.

48 Upper bounds on coefficients Two cases: balanced base-3 integer encoding scaled integer encoding, fractional encoding (modulo X n + 1) for fixed-point numbers.

49 Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

50 Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

51 Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

52 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

53 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

54 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

55 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

56 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

57 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

58 Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

59 Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x x d i ) e i. i=1

60 Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x x d i ) e i. i=1

61 Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x x d i ) e i. i=1

62 Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x x d i ) e i. i=1

63 Bounding integer-valued arithmetic circuits Upper bound is of the form L P = e 1,...,e t a [(d1,e 1 ),...,(d t,e t)] c [(d1,e 1 ),...,(d t,e t)],

64 Bounding integer-valued arithmetic circuits Compute the bounds iteratively L P = a [(d1,e 1 ),...,(d t,e t)] c [(d1,e 1 ),...,(d t,e t)], e 1,...,e t L P = a [(d1,e 1 ),...,(dt,e t )] c [(d1,e 1 ),...,(dt,e t )], e 1,...,e t

65 Bounding integer-valued arithmetic circuits Compute the bounds iteratively L P+P = L P + L P, L P P = e 1,...,e t,e 1,...,e t (a [(d1,e 1 ),...,(d t,e t)] a [(d1,e 1 ),...,(dt,e t )] ) ) (c [(d1,e 1 +e 1 ),...,(dt,et+e t )]

66 Bounding integer-valued arithmetic circuits Iteratively bounding c [(d1,e 1 ),...,(d t,e t)] = using the relation t (1 + x + x x d i ) e i. i=1 c [(d1,e 1 ),...,(d t,e t)] (d k e k + 1) c dk,e k c [(d1,e 1 ),...,(dt,e t )], where e i = e i except that e k = 0. Partial order: d i e i (d i+1 e i+1 ).

67 Bounding integer-valued arithmetic circuits Iteratively bounding c [(d1,e 1 ),...,(d t,e t)] = using the relation t (1 + x + x x d i ) e i. i=1 c [(d1,e 1 ),...,(d t,e t)] (d k e k + 1) c dk,e k c [(d1,e 1 ),...,(dt,e t )], where e i = e i except that e k = 0. Partial order: d i e i (d i+1 e i+1 ).

68 Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

69 Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

70 Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

71 Bounding integer-valued arithmetic circuits They also show that e cd,e lim e (d + 1) e = 6 π d (d + 2).

72 Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, B M,A = c d,2 M 2 A(2M+1 2),

73 Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, 6 M B M,A < π 2 M (d + 1)2 2 A(2 M+1 2). d(d + 2) For an SHE scheme p > 2 B M,A, deg(r) > 2 M d.

74 Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, 6 M B M,A < π 2 M (d + 1)2 2 A(2 M+1 2). d(d + 2) For an SHE scheme p > 2 B M,A, deg(r) > 2 M d.

75 Bounding integer-valued arithmetic circuits Concrete bounds for p (in bits) and deg(r) for 20-bit inputs: M A = A = A = A = A = A = deg(r)

76 Application: homomorphic image processing

77 Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

78 Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

79 Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

80 Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

81 Homomorphic image processing We use mixed Fourier transform instead of FFT tradeoff: depth vs. number of scalar multiplications, greater depth means longer modulus chain in SHE scheme and hence slower.

82 Homomorphic image processing Concrete parameters for the FFT-Hadamard-iFFT pipeline: FFT B = 1 B = n NFT B = n log 2 p deg(r) log 2 p deg(r) log 2 p deg(r) n

83 Homomorphic image processing Timing results (in sec) using HElib running on a 6-core cluster: HElib Amortization CPU Amortized n B deg(r) log 2 q Levels Amount Time Time

84 Conclusion

85 Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

86 Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

87 Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

88 Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

89 Future Work Improve the current bounds for coefficient growth. SIMD implementation of FFT-Hadamard product-ifft pipeline for scaled integer encoding.

90 Future Work Improve the current bounds for coefficient growth. SIMD implementation of FFT-Hadamard product-ifft pipeline for scaled integer encoding.

91 Thank You!

Faster Homomorphic Evaluation of Discrete Fourier Transforms

Faster Homomorphic Evaluation of Discrete Fourier Transforms Anamaria Costache, Nigel P. Smart, and Srinivas Vivek University of Bristol, Bristol, UK Abstract. We present a methodology to achieve low latency