A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme

Similar documents
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Implementation and Performance Evaluation of RNS Variants of the BFV Homomorphic Encryption Scheme

A Full RNS Variant of FV like Somewhat Homomorphic Encryption Schemes

Parameter selection in Ring-LWE-based cryptography

An Improved RNS Variant of the BFV Homomorphic Encryption Scheme

Lecture 16: Public Key Encryption:II

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

An RNS variant of fully homomorphic encryption over integers

Chosen-Ciphertext Security (I)

Public-Key Encryption

4.4 Solving Congruences using Inverses

Carmen s Core Concepts (Math 135)

Babai round-off CVP method in RNS: application to latice based cryptographic protocols

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

Fully Homomorphic Encryption and Bootstrapping

Manual for Using Homomorphic Encryption for Bioinformatics

Computing with Encrypted Data Lecture 26

Fully Homomorphic Encryption

Homomorphic Evaluation of the AES Circuit

Multikey Homomorphic Encryption from NTRU

Practical Bootstrapping in Quasilinear Time

High-Precision Arithmetic in Homomorphic Encryption

Subring Homomorphic Encryption

COMP4109 : Applied Cryptography

Exam 2 Solutions. In class questions

COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Shai Halevi IBM August 2013

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Chapter 11 : Private-Key Encryption

arxiv: v1 [math.nt] 3 May 2017

Lecture Notes, Week 6

Bootstrapping for Approximate Homomorphic Encryption

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Computer Architecture 10. Residue Number Systems

Mathematics of Cryptography

Introduction to Public-Key Cryptosystems:

MATH3302 Cryptography Problem Set 2

Computing Generator in Cyclotomic Integer Rings

Weaknesses in Ring-LWE

Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia

Single-Database Private Information Retrieval

Hardness and advantages of Module-SIS and Module-LWE

Modular Multiplication in GF (p k ) using Lagrange Representation

Report Fully Homomorphic Encryption

Public Key Cryptography

Fully Homomorphic Encryption over the Integers

Public-Key Encryption: ElGamal, RSA, Rabin

ETIKA V PROFESII PSYCHOLÓGA

Efficient Leak Resistant Modular Exponentiation in RNS

Introduction to Modern Cryptography. Benny Chor

Algorithms for integer factorization and discrete logarithms computation

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Approximation in the Zygmund Class

HOMEWORK 11 MATH 4753

For example, p12q p2x 1 x 2 ` 5x 2 x 2 3 q 2x 2 x 1 ` 5x 1 x 2 3. (a) Let p 12x 5 1x 7 2x 4 18x 6 2x 3 ` 11x 1 x 2 x 3 x 4,

Représentation RNS des nombres et calcul de couplages

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

10 Public Key Cryptography : RSA

Keywords Homomorphic encryption, pairing-based cryptography, elliptic curves, low depth circuits.

Fully Homomorphic Encryption from LWE

Modular Arithmetic Investigation

Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems

On principal eigenpair of temporal-joined adjacency matrix for spreading phenomenon Abstract. Keywords: 1 Introduction

CRYPTANALYSIS OF COMPACT-LWE

Local behaviour of Galois representations

Some multilinear algebra

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Fully Homomorphic Encryption

Fully Homomorphic Encryption - Part II

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

16 Fully homomorphic encryption : Construction

1 Number Theory Basics

Random Variables. Andreas Klappenecker. Texas A&M University

Chapter 8 Public-key Cryptography and Digital Signatures

Classical hardness of the Learning with Errors problem

The security of RSA (part 1) The security of RSA (part 1)

CPSC 467b: Cryptography and Computer Security

Gentry s SWHE Scheme

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Low-Weight Polynomial Form Integers for Efficient Modular Multiplication

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Fully Homomorphic Encryption

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

LA PRISE DE CALAIS. çoys, çoys, har - dis. çoys, dis. tons, mantz, tons, Gas. c est. à ce. C est à ce. coup, c est à ce

MTH 505: Number Theory Spring 2017

1. Examples. We did most of the following in class in passing. Now compile all that data.

Exercise Sheet Cryptography 1, 2011

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Elliptic Curve Cryptography and Security of Embedded Devices

Number Theory & Modern Cryptography

Classical hardness of Learning with Errors

Transcription:

A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme Presented by: Vincent Zucca 1 Joint work with: Jean-Claude Bajard 1, Julien Eynard 2 and Anwar Hasan 2 1 Sorbonne Universités, UPMC Univ. Paris 06, CNRS, LIP6 UMR 7606, France 2 Dept. of Electrical and Computer Engineering, University of Waterloo, Canada April 24th 2017 Vincent Zucca (UPMC) FV RNS April 24th 2017 1 / 17

Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Problem: not practical enough yet. Vincent Zucca (UPMC) FV RNS April 24th 2017 2 / 17

Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Goal: arithmetical optimization of a certain type of SHE schemes. Vincent Zucca (UPMC) FV RNS April 24th 2017 2 / 17

Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th 2017 3 / 17

Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Vincent Zucca (UPMC) FV RNS April 24th 2017 3 / 17

Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Base extensions B q tq 1,..., q k u Ñ B tm 1,..., m l u Fast approximate base extension: x in B q Ñ x q ` αq in B ù Fast but q-overflow α P r0, kq X Z If needed, add an extra modulus m sk to B q to correct α efficiently Vincent Zucca (UPMC) FV RNS April 24th 2017 3 / 17

Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Vincent Zucca (UPMC) FV RNS April 24th 2017 4 / 17

Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th 2017 4 / 17

Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z...polynomials: Number Theoretic Transform Optimized polynomial product (n a power of 2): Opn log 2 pnqq Ñ matches with RNS representation Vincent Zucca (UPMC) FV RNS April 24th 2017 4 / 17

Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic

Overview of RNS and FV Ladder of representations Cost to climb up/down used in Dec and Mult Opn log 2 pqq 2 q Opkn log 2 pnqq Integers Polynomials Main purposes positional RNS RNS coefficient coefficient NTT comparison, division, round-off on coeff. optimized integer arithmetic optimized polynomial arithmetic

Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes This work positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Dec and Mult Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic Vincent Zucca (UPMC) FV RNS April 24th 2017 5 / 17

Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Vincent Zucca (UPMC) FV RNS April 24th 2017 6 / 17

Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Vincent Zucca (UPMC) FV RNS April 24th 2017 6 / 17

Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq Vincent Zucca (UPMC) FV RNS April 24th 2017 6 / 17

Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq rc 0 ` c 1 ss q rms t ` v (mod q) with v: fresh noise Vincent Zucca (UPMC) FV RNS April 24th 2017 6 / 17

Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Vincent Zucca (UPMC) FV RNS April 24th 2017 7 / 17

Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Issue for RNS (non positional) representation How to compute pt t q xs mod tq in RNS? Vincent Zucca (UPMC) FV RNS April 24th 2017 7 / 17

Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Vincent Zucca (UPMC) FV RNS April 24th 2017 8 / 17

Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. Vincent Zucca (UPMC) FV RNS April 24th 2017 8 / 17

Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. An error occurs Need to correct the error E for a correct decryption. Vincent Zucca (UPMC) FV RNS April 24th 2017 8 / 17

Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E Vincent Zucca (UPMC) FV RNS April 24th 2017 9 / 17

Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error γ rtxsq q Vincent Zucca (UPMC) FV RNS April 24th 2017 9 / 17

Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error Strategy γ rtxsq q 1 Compute tγ t q xs modulo t and γ 2 Use centered remainder modulo γ to correct the error Vincent Zucca (UPMC) FV RNS April 24th 2017 9 / 17

Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Vincent Zucca (UPMC) FV RNS April 24th 2017 10 / 17

Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Results Better asymptotic complexity: Opn 3 q Ñ Opn 2 log 2 pnqq. Very flexible in terms of parallelization. Modified bound for noise: }v} 8 ă q t 2 k γ. (although no significant consequence in practice) Vincent Zucca (UPMC) FV RNS April 24th 2017 10 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc0 1, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z (lift) 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Issues for RNS representation Lift in Z, division and rounding, using positional system in radix ω... Vincent Zucca (UPMC) FV RNS April 24th 2017 11 / 17

Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Vincent Zucca (UPMC) FV RNS April 24th 2017 12 / 17

Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Vincent Zucca (UPMC) FV RNS April 24th 2017 12 / 17

Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Problem 3: decompose ĉ 2 in radix ω in base q. ÑSolution: decompose ĉ 2 in an RNS way, 1 ĉ 2 ĉ 2 q1 q q 1,, ĉ 2 qk q qk ; 2 evk RNS ˆ s 2 q q 1 q,, s 2 q q k q ` ÝÑ e ` ÝÑ ı a s q, ÝÑ a. Vincent Zucca (UPMC) FV RNS April 24th 2017 12 / 17

Full RNS variant of FV multiplication Results Prior costly operations over Z ù fast RNS base extensions. Fairly equivalent noise growth. Same number of polynomial products ñ same asymptotic complexity. Better complexity for operations on coefficients. Well suited for parallelization. Vincent Zucca (UPMC) FV RNS April 24th 2017 13 / 17

Experiments Software implementation C++, NFLlib (dedicated to RNS polynomial arith. in R with NTT), compared with a standard approach with NFLlib + GMP 6.1.0, laptop under Fedora 22 with i7-4810mq CPU @ 2.80GHz, g++ 5.3.1, Hyper-Threading and Turbo Boost turned off. a https://github.com/cryptoexperts/fv-nfllib Vincent Zucca (UPMC) FV RNS April 24th 2017 14 / 17

Experiments - Speed-up factors ν bit-size of moduli log 2 pnq 11 12 13 14 15 30 k 3 6 13 26 53 62 k 1 3 6 12 25 t 2 10 γ 2 8 (sufficient; practical) 20 15 Decryption ν 30 ν 62 4 Multiplication ν 30 ν 62 3 10 5 2 11 12 13 14 15 11 12 13 14 15 log 2 pnq log 2 pnq n Õñ NTT s dominate computational effort ñ speed-up Œ. Vincent Zucca (UPMC) FV RNS April 24th 2017 15 / 17

Conclusion and perspectives Optimization of arithmetic on polynomials at the coefficient level. Benefits to SHE scheme like FV. No more need of any positional system: only RNS. Greater noise growth, but not significant in practice. Opens the door to highly competitive parallel implementation of homomorphic encryption on accelerator cards such as GPUs and FPGAs, to take full advantage of the parallelization potential offered by RNS and NTT representation. Jean Claude Bajard, Julien Eynard, Anwar Hasan and Vincent Zucca. A Full RNS Variant of FV like Somewhat Homomorphic Encryption Scheme. Selected Areas of Cryptography 2016. Vincent Zucca (UPMC) FV RNS April 24th 2017 16 / 17

Thank you for your attention, any question? Vincent Zucca (UPMC) FV RNS April 24th 2017 17 / 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback