Practical Bootstrapping in Quasilinear Time

Transcription

1 Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April / 21

2 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. 2 / 21

3 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. Naturally occurring schemes are somewhat homomorphic (SHE): they can only evaluate functions of an a priori bounded depth. ( ) µ Eval f, µ f(µ) ( ) Eval g, f(µ) g(f(µ)) 2 / 21

4 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ 3 / 21

5 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). 3 / 21

6 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. 3 / 21

7 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. The asymptotically most efficient methods on packed ciphertexts [GHS 12a,GHS 12b] are very complex, and appear practically worse than asymptotically slower methods. 3 / 21

8 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime 4 / 21

9 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts 4 / 21

10 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. 4 / 21

11 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? 4 / 21

12 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure 4 / 21

13 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. 4 / 21

14 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. [GHS 12a] compiler is very complex, w/large polylog overhead factor. 4 / 21

15 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 5 / 21

16 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). 5 / 21

17 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 5 / 21

18 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: 5 / 21

19 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. 5 / 21

20 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. 5 / 21

21 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. 5 / 21

22 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. Completely decouples the algebraic structure of SHE plaintext ring from that needed for bootstrapping. 5 / 21

23 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) 6 / 21

24 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. 6 / 21

25 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. 6 / 21

26 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). 6 / 21

27 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). 6 / 21

28 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. 6 / 21

29 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. Packed plaintext uses more of R 2, e.g., multiple slots [SV 11]. 6 / 21

30 Warm-Up: Bootstrapping Unpacked Ciphertexts 7 / 21

31 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) 8 / 21

32 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 8 / 21

33 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 2 Homomorphically round v 0 Z q to the message bit 2 q v 0 Z 2. 8 / 21

34 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. 9 / 21

35 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21

36 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: 9 / 21

37 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} 9 / 21

38 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} Product Z-basis of O k : B k := B k B k/2 = B k B k/2 B 2 = {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21

39 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζ 2 i = ζ i/2. 10 / 21

40 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. 10 / 21

41 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. 10 / 21

42 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: 10 / 21

43 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i 10 / 21

44 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. 10 / 21

45 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. Tr Oi/Z(v) = i 2 v 0, where v 0 Z is the coeff of ζ 0 i = / 21

46 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R / 21

47 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext v = q q v + 0 = c 0 + c 1 s R q. Plaintext ring is now R q, not R 2! 11 / 21

48 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 11 / 21

49 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 11 / 21

50 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] 11 / 21

51 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] Now have an encryption of v 0 = µ. Done! 11 / 21

52 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. 12 / 21

53 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z. 12 / 21

54 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) 12 / 21

55 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space 12 / 21

56 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. 12 / 21

57 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. 12 / 21

58 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. 12 / 21

59 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. Detail #2: each Tr(O i ) = 2O i/2, so lift to plaintext modulus 2q, then halve result. 12 / 21

60 Main Result: Bootstrapping Packed Ciphertexts 13 / 21

61 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 14 / 21

62 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 14 / 21

63 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S / 21

64 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S 2. 4 Homomorphically reverse-map Z 2 -slots back to B-coeffs: vj c j S 2 v j b j = µ R 2. (Akin to homomorphic DFT 1.) 14 / 21

65 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. 15 / 21

66 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O / 21

67 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism / 21

68 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S / 21

69 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). 15 / 21

70 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). Similarly for S q = j (S/plg q j ) / 21

71 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. 16 / 21

72 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. 16 / 21

73 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

74 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

75 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

76 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Goal for Remainder of Talk Extend ring-switching to (efficiently) handle Z-linear maps L: R S. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

77 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). 17 / 21

78 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d 17 / 21

79 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. 17 / 21

80 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. 17 / 21

81 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. Proof: define L by L(r s) = L(r) s S. 17 / 21

82 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. 18 / 21

83 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z 18 / 21

84 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 18 / 21

85 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! 18 / 21

86 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. 18 / 21

87 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. This is inherent if we treat L as a generic Z-linear map! 18 / 21

88 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. 19 / 21

89 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21

90 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. Ensure small compositums T (i) = H (i 1) + H (i) via large gcd s: replace prime factors of k with those of l, one at a time. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21

91 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. 20 / 21

92 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. 20 / 21

93 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 20 / 21

94 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 In general, switch through log(deg(r/z)) = log(λ) hybrid rings, one for each prime factor of k. 20 / 21

95 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. 21 / 21

96 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. 21 / 21

97 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. 21 / 21

98 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. Thanks! 21 / 21