Practical Bootstrapping in Quasilinear Time

Similar documents
Practical Bootstrapping in Quasilinear Time

Shai Halevi IBM August 2013

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

Homomorphic Evaluation of the AES Circuit

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Bootstrapping for HElib

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Fully Homomorphic Encryption from LWE

Fully Homomorphic Encryption and Bootstrapping

Better Bootstrapping in Fully Homomorphic Encryption

Better Bootstrapping in Fully Homomorphic Encryption

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Some security bounds for the DGHV scheme

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Fixed-Point Arithmetic in SHE Schemes

Faster Bootstrapping with Polynomial Error

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Subring Homomorphic Encryption

Field Switching in BGV-Style Homomorphic Encryption

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Computing with Encrypted Data Lecture 26

Bootstrapping for Approximate Homomorphic Encryption

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Homomorphic Encryption for Arithmetic of Approximate Numbers

Report Fully Homomorphic Encryption

Optimizing Fully Homomorphic Encryption

Fully Homomorphic Encryption over the Integers

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

On Ideal Lattices and Learning with Errors Over Rings

Classical hardness of Learning with Errors

On Homomorphic Encryption and Secure Computation

Weaknesses in Ring-LWE

Introduction to Cybersecurity Cryptography (Part 5)

A Toolkit for Ring-LWE Cryptography

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

An RNS variant of fully homomorphic encryption over integers

Lattice-Based Non-Interactive Arugment Systems

New and Improved Key-Homomorphic Pseudorandom Functions

Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields

Ideal Lattices and NTRU

The security of RSA (part 1) The security of RSA (part 1)

Classical hardness of the Learning with Errors problem

Open problems in lattice-based cryptography

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Bootstrapping for Approximate Homomorphic Encryption

Fully Homomorphic Encryption

Mathematics of Cryptography

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Floating-Point Homomorphic Encryption

Fully Homomorphic Encryption

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

Carmen s Core Concepts (Math 135)

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

COMP4109 : Applied Cryptography

Functional Lattice Cryptography

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

1 Number Theory Basics

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Faster Homomorphic Evaluation of Discrete Fourier Transforms

Gentry s SWHE Scheme

Cryptology. Scribe: Fabrice Mouhartem M2IF

High-Precision Arithmetic in Homomorphic Encryption

Implementing Ring-LWE cryptosystems

Classical hardness of Learning with Errors

Homomorphic AES Evaluation Using the Modified LTV Scheme

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lattice Based Crypto: Answering Questions You Don't Understand

Multi-key fully homomorphic encryption report

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

FULLY HOMOMORPHIC ENCRYPTION

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

Evaluating 2-DNF Formulas on Ciphertexts

Public-Key Cryptosystems CHAPTER 4

A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

Multikey Homomorphic Encryption from NTRU

Manipulating Data while It Is Encrypted

Between a Rock and a Hard Place: Interpolating Between MPC and FHE

10 Concrete candidates for public key crypto

6.892 Computing on Encrypted Data September 16, Lecture 2

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Parameter selection in Ring-LWE-based cryptography

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Fully Homomorphic Encryption over the Integers

16 Fully homomorphic encryption : Construction

Public Key Cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture Notes, Week 6

Manual for Using Homomorphic Encryption for Bioinformatics

CIS 551 / TCOM 401 Computer and Network Security

Practical Fully Homomorphic Encryption without Noise Reduction

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Batch Fully Homomorphic Encryption over the Integers

Transcription:

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21

Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. 2 / 21

Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. Naturally occurring schemes are somewhat homomorphic (SHE): they can only evaluate functions of an a priori bounded depth. ( ) µ Eval f, µ f(µ) ( ) Eval g, f(µ) g(f(µ)) 2 / 21

Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ 3 / 21

Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). 3 / 21

Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. 3 / 21

Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. The asymptotically most efficient methods on packed ciphertexts [GHS 12a,GHS 12b] are very complex, and appear practically worse than asymptotically slower methods. 3 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. 4 / 21

Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. [GHS 12a] compiler is very complex, w/large polylog overhead factor. 4 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. 5 / 21

Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. Completely decouples the algebraic structure of SHE plaintext ring from that needed for bootstrapping. 5 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. 6 / 21

Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. Packed plaintext uses more of R 2, e.g., multiple slots [SV 11]. 6 / 21

Warm-Up: Bootstrapping Unpacked Ciphertexts 7 / 21

Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) 8 / 21

Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 8 / 21

Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 2 Homomorphically round v 0 Z q to the message bit 2 q v 0 Z 2. 8 / 21

Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. 9 / 21

Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21

Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: 9 / 21

Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} 9 / 21

Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} Product Z-basis of O k : B k := B k B k/2 = B k B k/2 B 2 = {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζ 2 i = ζ i/2. 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v 0 1 + v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v 0 1 + v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v 0 1 + v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v 0 1 + v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. 10 / 21

Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v 0 1 + v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. Tr Oi/Z(v) = i 2 v 0, where v 0 Z is the coeff of ζ 0 i = 1. 10 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 11 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext v = q q v + 0 = c 0 + c 1 s R q. Plaintext ring is now R q, not R 2! 11 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 11 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 11 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] 11 / 21

Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] Now have an encryption of v 0 = µ. Done! 11 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z. 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. 12 / 21

Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. Detail #2: each Tr(O i ) = 2O i/2, so lift to plaintext modulus 2q, then halve result. 12 / 21

Main Result: Bootstrapping Packed Ciphertexts 13 / 21

Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 14 / 21

Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 14 / 21

Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S 2. 14 / 21

Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S 2. 4 Homomorphically reverse-map Z 2 -slots back to B-coeffs: vj c j S 2 v j b j = µ R 2. (Akin to homomorphic DFT 1.) 14 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. 15 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 15 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. 2 15 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. 15 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). 15 / 21

Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). Similarly for S q = j (S/plg q j ). 2 15 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. 16 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. 16 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Goal for Remainder of Talk Extend ring-switching to (efficiently) handle Z-linear maps L: R S. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21

Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). 17 / 21

Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d 17 / 21

Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. 17 / 21

Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. 17 / 21

Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. Proof: define L by L(r s) = L(r) s S. 17 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. 18 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z 18 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 18 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! 18 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. 18 / 21

Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. This is inherent if we treat L as a generic Z-linear map! 18 / 21

Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. 19 / 21

Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21

Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. Ensure small compositums T (i) = H (i 1) + H (i) via large gcd s: replace prime factors of k with those of l, one at a time. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21

Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. 20 / 21

Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. 20 / 21

Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 20 / 21

Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 In general, switch through log(deg(r/z)) = log(λ) hybrid rings, one for each prime factor of k. 20 / 21

Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. 21 / 21

Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. 21 / 21

Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. 21 / 21

Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. Thanks! 21 / 21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback