Fixed-Point Arithmetic in SHE Schemes

Similar documents
Faster Homomorphic Evaluation of Discrete Fourier Transforms

Homomorphic Evaluation of the AES Circuit

COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION

High-Precision Arithmetic in Homomorphic Encryption

Practical Bootstrapping in Quasilinear Time

Homomorphic Encryption for Arithmetic of Approximate Numbers

Bootstrapping for HElib

Shai Halevi IBM August 2013

Better Bootstrapping in Fully Homomorphic Encryption

Practical Bootstrapping in Quasilinear Time

Multikey Homomorphic Encryption from NTRU

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Computing with Encrypted Data Lecture 26

Better Bootstrapping in Fully Homomorphic Encryption

Bootstrapping for Approximate Homomorphic Encryption

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Homomorphic Encryption

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Parameter selection in Ring-LWE-based cryptography

Gentry s SWHE Scheme

Subring Homomorphic Encryption

Fully Homomorphic Encryption

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Gentry s Fully Homomorphic Encryption Scheme

The RSA Cipher and its Algorithmic Foundations

CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication

Mathematics of Cryptography

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

CPSC 467: Cryptography and Computer Security

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Fast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Finite Fields. Mike Reiter

CPSC 518 Introduction to Computer Algebra Asymptotically Fast Integer Multiplication

Bootstrapping for Approximate Homomorphic Encryption

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

CPSC 467b: Cryptography and Computer Security

Discrete Mathematics GCD, LCM, RSA Algorithm

Compact Ring LWE Cryptoprocessor

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

Faster Fully Homomorphic Encryption

Manual for Using Homomorphic Encryption for Bioinformatics

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Galois theory (Part II)( ) Example Sheet 1

Fully Homomorphic Encryption and Bootstrapping

Elliptic Curve Cryptography

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Section 18 Rings and fields

HOMEWORK 11 MATH 4753

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

Lattice-Based Non-Interactive Arugment Systems

Lattice Reduction Attack on the Knapsack

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Mathematical Foundations of Public-Key Cryptography

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

NOTES ON FINITE FIELDS

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Homomorphic SIM 2 D Operations: Single Instruction Much More Data

Doing Real Work with FHE: The Case of Logistic Regression

Numbers. Çetin Kaya Koç Winter / 18

Cryptography IV: Asymmetric Ciphers

FFT-Based Key Recovery for the Integral Attack

15. Polynomial rings Definition-Lemma Let R be a ring and let x be an indeterminate.

Floating-Point Homomorphic Encryption

Somewhat Practical Fully Homomorphic Encryption

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Advanced Cryptography Quantum Algorithms Christophe Petit

Field Switching in BGV-Style Homomorphic Encryption

Linear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D Mainz

Sieving for Shortest Vectors in Ideal Lattices:

Exercise Sheet Cryptography 1, 2011

Linear Multi-Prover Interactive Proofs

The security of RSA (part 1) The security of RSA (part 1)

Public-key Cryptography and elliptic curves

Solution to Problem Set 3

Some security bounds for the DGHV scheme

Homomorphic SIM 2 D Operations: Single Instruction Much More Data

Implementing Ring-LWE cryptosystems

An introduction to the algorithmic of p-adic numbers

Toward High Performance Matrix Multiplication for Exact Computation

Computational algebraic number theory tackles lattice-based cryptography

Galois groups with restricted ramification

Overdrive: Making SPDZ Great Again

Public Key Encryption

Ideal Lattices and NTRU

RSA RSA public key cryptosystem

Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

New and Improved Key-Homomorphic Pseudorandom Functions

Physics ; CS 4812 Problem Set 4

Classical Cryptography

Elliptic Curve Cryptography

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Homomorphic AES Evaluation Using the Modified LTV Scheme

CPSC 467b: Cryptography and Computer Security

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

Constructing Abelian Varieties for Pairing-Based Cryptography

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Fully Homomorphic Encryption over the Integers

Transcription:

Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016

Outline Motivation Encoding integers and fixed-point numbers Lower bounds on ring parameters Application to homomorphic image processing Conclusion

Motivation

Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since 2009. Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since 2009. Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

Somewhat Homomorphic Encryption Huge improvement in efficiency of FHE schemes since 2009. Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.

Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

Problem 1 Problem 1: how to encode/decode data types of an application into an SHE scheme? Application: emulate fixed point arithmetic. Target SHE schemes: ring-based SHE schemes currently among the most efficient, plaintext space R = Z[x]/(Φm (X ), p). Encoding considerably effects efficiency working with binary circuits is usually inefficient in practice.

Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

Problem 2 The parameters of an SHE scheme depends upon multiplicative depth, plaintext modulus p and degree of the ring d, security level Problem 2: derive lower bounds on plaintext modulus p to ensure no wrap around the modulus p, degree of the ring d to ensure no wrap around the modulus Φ m(x ),

Problem 1: Encoding data types

Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

Encoding integers: Scalar encoding Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth: M No. of additions per multiplicative depth: A, and for inputs in [ L,..., L] p > 2 2 A(2M+1 2) L 2 M.

Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

Encoding integers: Non-balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients in [0,.., B 1]. Example: 19 2 X 2 + 1, when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.

Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

Encoding integers: Balanced base-b encoding Integer encoded as a polynomial corresponding to base-b expansion. coefficients instead in [ (B 1)/2,..., (B 1)/2]. Example: 19 X 3 X 2 X 1, when bal. base B = 3. Tradeoff : size of coefficients and the degree of encodings. B = 3 turns out be optimal. Deriving bounds on the size of coefficients is more challenging.

Encoding fixed-point numbers: Scaled integer encoding Fixed-point number encoded as an integer scaled down by a power of a base B. y = y +.y (q(x ), i), y = q(b) B i, where the integer itself is represented by a balanced base-b encoding. Example: 6.33... = 19 3 1 (X 3 X 2 + 1, 1), when bal. base B = 3.

Encoding fixed-point numbers: Scaled integer encoding Fixed-point number encoded as an integer scaled down by a power of a base B. y = y +.y (q(x ), i), y = q(b) B i, where the integer itself is represented by a balanced base-b encoding. Example: 6.33... = 19 3 1 (X 3 X 2 + 1, 1), when bal. base B = 3.

Encoding fixed-point numbers: Scaled integer encoding Addition +: (q(x ), i) + (q (X ), i ) =: (Q, I ). (q + q X i i, i) if i > i (Q, I ) = (q + q X i i, i ) if i i. Multiplication : (q(x ), i) (q (X ), i ) = (q(x ) q (X ), i + i ).

Encoding fixed-point numbers: Scaled integer encoding Addition +: (q(x ), i) + (q (X ), i ) =: (Q, I ). (q + q X i i, i) if i > i (Q, I ) = (q + q X i i, i ) if i i. Multiplication : (q(x ), i) (q (X ), i ) = (q(x ) q (X ), i + i ).

Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

Encoding fixed-point numbers: Scaled integer encoding Let R 1 = {(q, i) q Z[X ]/Φ m (X ), i Z/φ(m)Z}. R 1 is a ring w.r.t. + and. Disadvantage: Keep track of the exponent i in the clear for every ciphertext not an issue if the evaluated circuit is public. Bounds: same as the balanced base integer representation

Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

Encoding fixed-point numbers: Fractional encoding Proposed by [Dowlin et al. 2015]. Closely related to Laurent polynomial representation. Suppose we are working in Z[X ]/(X n + 1). y = y +.y b i X i + i I + 0<i I b i X i (mod X n + 1), Since X n 1 (mod X n + 1), y = y +.y b i X i i I + 0<i I b i X n i (mod X n + 1).

Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, 6.33... X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, 6.33... X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, 6.33... X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, 6.33... X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

Encoding fixed-point numbers: Fractional encoding Example: in Z[X ]/(X 8 + 1) and bal. base B = 3, 6.33... X 7 + X 2 X. Advantage: Dispenses away the need for tracking the exponent need to separate coefficients in integer and fractional parts. Disadvantage works only in power-of-two cyclotomic rings, no slots for SIMD operations. Addition and Multiplication: as in R 2 := Z[X ]/(X n + 1). Bounds: seems more complicated than the scaled integer case?

Problem 2: bounding size of coefficients

Upper bounds on coefficients Problem: compute max. size of coefficients in encodings given circuit description, bounds on input numbers Our contribution: efficient computational procedure to bound arbitrary circuits precisely determining max. values can be very expensive, closed form upper bounds for regular circuits.

Upper bounds on coefficients Problem: compute max. size of coefficients in encodings given circuit description, bounds on input numbers Our contribution: efficient computational procedure to bound arbitrary circuits precisely determining max. values can be very expensive, closed form upper bounds for regular circuits.

Upper bounds on coefficients Two cases: balanced base-3 integer encoding scaled integer encoding, fractional encoding (modulo X n + 1) for fixed-point numbers.

Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

Equivalence: scaled integer vs. fractional encoding Ring R 1 of scaled integer encodings R1 := {(q, i) q Z[X ]/(X n + 1), i Z/nZ)}. Ring R 2 of fractional encodings R2 := Z[X ]/(X n + 1). R 1 is isomorphic to R 2 R 1 R 2 Ψ : (q := q I X i + q F, i) q I q F X n i

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R 1 ): (X 3 X 2 + 1, 1), fractional encoding (R2 ): X 7 + X 2 X,

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

Equivalence: scaled integer vs. fractional encoding Example: encoding 6.33 using balanced base-3 representation and Z[X ]/(X 8 + 1), scaled integer encoding (R1 ): (X 3 X 2 + 1, 1), fractional encoding (R 2 ): X 7 + X 2 X, (X 3 X 2 + 1) ( X 7 ) = X 7 + X 2 X (mod X 8 + 1). Note: infinity norm of intermediate polynomials is identical for any circuit. Suffices to analyse only the integer case.

Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x 2 +... + x d i ) e i. i=1

Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x 2 +... + x d i ) e i. i=1

Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x 2 +... + x d i ) e i. i=1

Bounding integer-valued arithmetic circuits Suppose there are t distinct input ranges [ L i,..., L i ]. d i : degree of corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c [(d1,e 1 ),...,(d t,e t)] = t (1 + x + x 2 +... + x d i ) e i. i=1

Bounding integer-valued arithmetic circuits Upper bound is of the form L P = e 1,...,e t a [(d1,e 1 ),...,(d t,e t)] c [(d1,e 1 ),...,(d t,e t)],

Bounding integer-valued arithmetic circuits Compute the bounds iteratively L P = a [(d1,e 1 ),...,(d t,e t)] c [(d1,e 1 ),...,(d t,e t)], e 1,...,e t L P = a [(d1,e 1 ),...,(dt,e t )] c [(d1,e 1 ),...,(dt,e t )], e 1,...,e t

Bounding integer-valued arithmetic circuits Compute the bounds iteratively L P+P = L P + L P, L P P = e 1,...,e t,e 1,...,e t (a [(d1,e 1 ),...,(d t,e t)] a [(d1,e 1 ),...,(dt,e t )] ) ) (c [(d1,e 1 +e 1 ),...,(dt,et+e t )]

Bounding integer-valued arithmetic circuits Iteratively bounding c [(d1,e 1 ),...,(d t,e t)] = using the relation t (1 + x + x 2 +... + x d i ) e i. i=1 c [(d1,e 1 ),...,(d t,e t)] (d k e k + 1) c dk,e k c [(d1,e 1 ),...,(dt,e t )], where e i = e i except that e k = 0. Partial order: d i e i (d i+1 e i+1 ).

Bounding integer-valued arithmetic circuits Iteratively bounding c [(d1,e 1 ),...,(d t,e t)] = using the relation t (1 + x + x 2 +... + x d i ) e i. i=1 c [(d1,e 1 ),...,(d t,e t)] (d k e k + 1) c dk,e k c [(d1,e 1 ),...,(dt,e t )], where e i = e i except that e k = 0. Partial order: d i e i (d i+1 e i+1 ).

Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x 2 +... + x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x 2 +... + x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

Bounding integer-valued arithmetic circuits Finally, bounding c d,e = (1 + x + x 2 +... + x d ) e. Simple bounds: (d+1)e d e+1 c d,e (d + 1) e. Tighter bound [Mattner & Roos 2008]: If e 2 or d {1, 2, 3}, then 6 c d,e < π d e (d + 2) (d + 1)e.

Bounding integer-valued arithmetic circuits They also show that e cd,e lim e (d + 1) e = 6 π d (d + 2).

Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, B M,A = c d,2 M 2 A(2M+1 2),

Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, 6 M B M,A < π 2 M (d + 1)2 2 A(2 M+1 2). d(d + 2) For an SHE scheme p > 2 B M,A, deg(r) > 2 M d.

Bounding integer-valued arithmetic circuits For a regular circuit having M levels of multiplication, A additions per multiplicative level, max. initial degree of encodings d = log(2 L + 1)/ log 3 1, 6 M B M,A < π 2 M (d + 1)2 2 A(2 M+1 2). d(d + 2) For an SHE scheme p > 2 B M,A, deg(r) > 2 M d.

Bounding integer-valued arithmetic circuits Concrete bounds for p (in bits) and deg(r) for 20-bit inputs: M 1 2 3 4 5 A = 0 5 12 26 55 114 A = 1 7 18 40 85 176 A = 2 9 24 54 115 238 A = 3 11 30 68 145 300 A = 4 13 36 82 175 362 A = 5 15 42 96 205 424 deg(r) 24 48 96 192 384

Application: homomorphic image processing

Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

Homomorphic image processing FFT - Hadamard product - ifft: standard image processing pipeline. We performed a homomorphic evaluation of this pipeline matrix for Hadamard product was also encrypted, encrypted inputs were complex numbers FFT and HAD inputs: 8-bits precision, precision of roots of unity is variable - result to be within 32-bits precision. The whole operation is non-linear cannot apply additive homomorphic schemes.

Homomorphic image processing We use mixed Fourier transform instead of FFT tradeoff: depth vs. number of scalar multiplications, greater depth means longer modulus chain in SHE scheme and hence slower.

Homomorphic image processing Concrete parameters for the FFT-Hadamard-iFFT pipeline: FFT B = 1 B = n NFT B = n log 2 p deg(r) log 2 p deg(r) log 2 p deg(r) n 16 54 190 37 118 25 46 64 74 248 49 146 29 44 256 93 298 61 170 33 42 1024 112 340 72 190 37 40

Homomorphic image processing Timing results (in sec) using HElib running on a 6-core cluster: HElib Amortization CPU Amortized n B deg(r) log 2 q Levels Amount Time Time 16 1 32768 710 33 172 188 1.09 16 4 32768 451 19 277 147 0.53 16 16 16384 192 9 356 106 0.3 64 8 32768 622 30 224 1500 6.69 64 64 16384 192 10 372 1582 4.25 256 256 16384 278 11 390 34876 89.4

Conclusion

Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

Conclusion We investigated the growth of coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of FFT-Hadamard product-ifft pipeline used in image processing.

Future Work Improve the current bounds for coefficient growth. SIMD implementation of FFT-Hadamard product-ifft pipeline for scaled integer encoding.

Future Work Improve the current bounds for coefficient growth. SIMD implementation of FFT-Hadamard product-ifft pipeline for scaled integer encoding.

Thank You!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback