A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme

Size: px

Start display at page:

Download "A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme"

Douglas McGee
6 years ago
Views:

1 A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme Presented by: Vincent Zucca 1 Joint work with: Jean-Claude Bajard 1, Julien Eynard 2 and Anwar Hasan 2 1 Sorbonne Universités, UPMC Univ. Paris 06, CNRS, LIP6 UMR 7606, France 2 Dept. of Electrical and Computer Engineering, University of Waterloo, Canada April 24th 2017 Vincent Zucca (UPMC) FV RNS April 24th / 17

2 Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Problem: not practical enough yet. Vincent Zucca (UPMC) FV RNS April 24th / 17

3 Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Goal: arithmetical optimization of a certain type of SHE schemes. Vincent Zucca (UPMC) FV RNS April 24th / 17

4 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th / 17

5 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Vincent Zucca (UPMC) FV RNS April 24th / 17

6 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Base extensions B q tq 1,..., q k u Ñ B tm 1,..., m l u Fast approximate base extension: x in B q Ñ x q ` αq in B ù Fast but q-overflow α P r0, kq X Z If needed, add an extra modulus m sk to B q to correct α efficiently Vincent Zucca (UPMC) FV RNS April 24th / 17

7 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Vincent Zucca (UPMC) FV RNS April 24th / 17

8 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th / 17

9 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z...polynomials: Number Theoretic Transform Optimized polynomial product (n a power of 2): Opn log 2 pnqq Ñ matches with RNS representation Vincent Zucca (UPMC) FV RNS April 24th / 17

10 Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic

11 Overview of RNS and FV Ladder of representations Cost to climb up/down used in Dec and Mult Opn log 2 pqq 2 q Opkn log 2 pnqq Integers Polynomials Main purposes positional RNS RNS coefficient coefficient NTT comparison, division, round-off on coeff. optimized integer arithmetic optimized polynomial arithmetic

12 Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes This work positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Dec and Mult Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic Vincent Zucca (UPMC) FV RNS April 24th / 17

13 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Vincent Zucca (UPMC) FV RNS April 24th / 17

14 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Vincent Zucca (UPMC) FV RNS April 24th / 17

15 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq Vincent Zucca (UPMC) FV RNS April 24th / 17

16 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq rc 0 ` c 1 ss q rms t ` v (mod q) with v: fresh noise Vincent Zucca (UPMC) FV RNS April 24th / 17

17 Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Vincent Zucca (UPMC) FV RNS April 24th / 17

18 Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Issue for RNS (non positional) representation How to compute pt t q xs mod tq in RNS? Vincent Zucca (UPMC) FV RNS April 24th / 17

19 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Vincent Zucca (UPMC) FV RNS April 24th / 17

20 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. Vincent Zucca (UPMC) FV RNS April 24th / 17

21 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. An error occurs Need to correct the error E for a correct decryption. Vincent Zucca (UPMC) FV RNS April 24th / 17

22 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E Vincent Zucca (UPMC) FV RNS April 24th / 17

23 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error γ rtxsq q Vincent Zucca (UPMC) FV RNS April 24th / 17

24 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error Strategy γ rtxsq q 1 Compute tγ t q xs modulo t and γ 2 Use centered remainder modulo γ to correct the error Vincent Zucca (UPMC) FV RNS April 24th / 17

25 Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Vincent Zucca (UPMC) FV RNS April 24th / 17

26 Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Results Better asymptotic complexity: Opn 3 q Ñ Opn 2 log 2 pnqq. Very flexible in terms of parallelization. Modified bound for noise: }v} 8 ă q t 2 k γ. (although no significant consequence in practice) Vincent Zucca (UPMC) FV RNS April 24th / 17

27 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc0 1, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z Vincent Zucca (UPMC) FV RNS April 24th / 17

28 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q Vincent Zucca (UPMC) FV RNS April 24th / 17

29 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Vincent Zucca (UPMC) FV RNS April 24th / 17

30 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Vincent Zucca (UPMC) FV RNS April 24th / 17

31 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Vincent Zucca (UPMC) FV RNS April 24th / 17

32 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Vincent Zucca (UPMC) FV RNS April 24th / 17

33 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Vincent Zucca (UPMC) FV RNS April 24th / 17

34 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z (lift) 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Issues for RNS representation Lift in Z, division and rounding, using positional system in radix ω... Vincent Zucca (UPMC) FV RNS April 24th / 17

35 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Vincent Zucca (UPMC) FV RNS April 24th / 17

36 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Vincent Zucca (UPMC) FV RNS April 24th / 17

37 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Problem 3: decompose ĉ 2 in radix ω in base q. ÑSolution: decompose ĉ 2 in an RNS way, 1 ĉ 2 ĉ 2 q1 q q 1,, ĉ 2 qk q qk ; 2 evk RNS ˆ s 2 q q 1 q,, s 2 q q k q ` ÝÑ e ` ÝÑ ı a s q, ÝÑ a. Vincent Zucca (UPMC) FV RNS April 24th / 17

38 Full RNS variant of FV multiplication Results Prior costly operations over Z ù fast RNS base extensions. Fairly equivalent noise growth. Same number of polynomial products ñ same asymptotic complexity. Better complexity for operations on coefficients. Well suited for parallelization. Vincent Zucca (UPMC) FV RNS April 24th / 17

39 Experiments Software implementation C++, NFLlib (dedicated to RNS polynomial arith. in R with NTT), compared with a standard approach with NFLlib + GMP 6.1.0, laptop under Fedora 22 with i7-4810mq 2.80GHz, g , Hyper-Threading and Turbo Boost turned off. a Vincent Zucca (UPMC) FV RNS April 24th / 17

40 Experiments - Speed-up factors ν bit-size of moduli log 2 pnq k k t 2 10 γ 2 8 (sufficient; practical) Decryption ν 30 ν 62 4 Multiplication ν 30 ν log 2 pnq log 2 pnq n Õñ NTT s dominate computational effort ñ speed-up Œ. Vincent Zucca (UPMC) FV RNS April 24th / 17

41 Conclusion and perspectives Optimization of arithmetic on polynomials at the coefficient level. Benefits to SHE scheme like FV. No more need of any positional system: only RNS. Greater noise growth, but not significant in practice. Opens the door to highly competitive parallel implementation of homomorphic encryption on accelerator cards such as GPUs and FPGAs, to take full advantage of the parallelization potential offered by RNS and NTT representation. Jean Claude Bajard, Julien Eynard, Anwar Hasan and Vincent Zucca. A Full RNS Variant of FV like Somewhat Homomorphic Encryption Scheme. Selected Areas of Cryptography Vincent Zucca (UPMC) FV RNS April 24th / 17

42 Thank you for your attention, any question? Vincent Zucca (UPMC) FV RNS April 24th / 17

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail