approximate homomorphic encryption
play

Approximate Homomorphic Encryption and Privacy Preserving Machine - PowerPoint PPT Presentation

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for


  1. Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM

  2. Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for Homomorphic Computation

  3. Homomorphic Encryption  Integer-based HE scheme - RAD PH [1] β€’ (Secret Key, Operation Key) = (a large prime π‘ž , π‘œ = π‘žπ‘Ÿ 0 ) β€’ Encryption: πΉπ‘œπ‘‘ 𝑛 = 𝑛 + π‘žπ‘Ÿ 𝑛𝑝𝑒 π‘œ β€’ Decryption: πΉπ‘œπ‘‘ 𝑛 𝑛𝑝𝑒 π‘ž = 𝑛 But, INSECURE! β€’ πΉπ‘œπ‘‘ 𝑛 1 + πΉπ‘œπ‘‘ 𝑛 2 = 𝑛 1 + π‘žπ‘Ÿ 1 + 𝑛 2 + π‘žπ‘Ÿ 2 = 𝑛 1 + 𝑛 2 + π‘ž π‘Ÿ 1 + π‘Ÿ 2 = πΉπ‘œπ‘‘ 𝑛 1 + 𝑛 2 - DGHV HE scheme (on β„€ 2 ) [2] 2 100 𝑓 1 𝑛 1 X β€’ πΉπ‘œπ‘‘(𝑛 ∈ π‘Ž 2 100 ) = 𝑛 + 2100𝑓 + π‘žπ‘Ÿ 2 100 𝑓 2 𝑛 2 β€’ SECURE against quantum computing β€’ Use a polynomial ring 𝑆 π‘Ÿ = β„€ π‘Ÿ [𝑦]/(π‘¦π‘œ + 1) 2 200 𝑓 1 𝑓 2 + 2 100 𝑛 1 𝑓 2 + 𝑛 2 𝑓 1 + 𝑛 1 𝑛 2

  4. Fully Homomorphic Encryption - On Polynomials (RingLWE) β€’ [Gen09] ideal lattice β€’ NTRU: LTV12 β€’ Ring-LWE: BV11b, GHS13, BLLN13, HEAAN etc - On Integers (AGCD) β€’ [DGHV10] FHE over the Integers. Eurocrypt 2010 β€’ CMNT11, CNT12, CCKLLTY13, CLT14, etc - On Matrices (LWE) β€’ [BV11a] Efficient FHE from (Standard) LWE. FOCS11 β€’ Bra12, BGV12, GSW13

  5. Summary of Progress in HE 1. 2009~2012: Plausibility and Scalable for Large Circuits β€’ [GH11] A single bit bootstrapping takes 30 minutes β€’ [GHS12b] 120 blocks of AES-128 (30K gates) in 36 hours 2. 2012~2015: Depth-Linear Construction β€’ [BGV12] Modulus/Key Switching β€’ [Bra12] Scale Invariant Scheme β€’ [HS14] IBM's open-source library Helib: AES evaluation in 4 minutes 3. 2015~Today: Usability β€’ Various schemes with different advantages (HEAAN, TFHE) β€’ Real-world tasks: Big data analysis, Machine learning β€’ Competitions for Private Genome Computation (iDash, 2014~) β€’ HE Standardization meetings (2017~) Continued on next page

  6. Standardization: HomomorphicEncryption.org Mar 2018 in MIT Jul 2017 in Microsoft, Redmond Oct 2018 in Toronto 1 st Workshop (2017.7.13-14) 2 nd Workshop (2018.3.15-16) 3 rd Workshop (2018.10.20)

  7. Homomorphic Encryption  Best Performing HE Schemes Type Classical HE Fast Bootstrapping Approximate Computation [BGV12] BGV [DM15] FHEW Scheme [CKKS17] HEAAN [Bra12, FV12] B/FV [CGGI16] TFHE Finite Field Real/Complex numbers Plaintext Binary string Packing Packing Operation Addition, Multiplication Look-up table & bootstrapping Fixed-point Arithmetic HElib (IBM) TFHE Library SEAL (Microsoft Research) HEAAN (SNU) (Inpher, Gemalto, etc.) Palisade (Duality inc.)

  8. 2. HEAAN: Approximate Homomorphic Encryption

  9. Exact Multiplication 1.23 5.6088 4.56 3.98112624 0.78 0.7098 0.91 108.2456382397886496 2.34 13.2678 5.67 16 27.18970254 8.91 2.0493 0.23 8 4 2 - The plaintext size is doubled after a multiplication.

  10. Approximate Multiplication 1.23 5.6188 4.56 3.98112624 0.78 0.7198 0.91 108.2556382397886496 2.34 13.2778 2 5.67 27.19970254 8.91 2.0593 0.23 2 HEAAN [CKKS17] 2 2 β€’ Rescale after a multiplication β€’ Tracing # of significands β€’ Most data is processed approximately in Data analysis or ML

  11. HEAAN = ζ…§ηœΌ = Insightful Minds [CKKS, AC17] Homomorphic Encryption for Arithmetic of Approximate Numbers https://eprint.iacr.org/2016/421.pdf

  12. Approximate Computation  Numerical Representation - Encode 𝑛 into an integer 𝑛 β‰ˆ π‘žπ‘¦ for a scaling factor π‘ž : 2 ↦ 1412 β‰ˆ 2 β‹… 10 3 - Fixed – Point Multiplication Compute 𝑛 = 𝑛 1 𝑛 2 and extract its significant digits 𝑛 β€² β‰ˆ π‘ž βˆ’1 β‹… 𝑛 β€’ 5678 β‹… 10 βˆ’3 = 7006652 β‹… 10 βˆ’6 ↦ 7007 β‹… 10 βˆ’3 = 7.007 : 1.234 Γ— 5.678 = 1234 β‹… 10 βˆ’3 Γ—  Previous HE on LWE problem (Regev, 2005) ct = Enc sk 𝑛 , ct, sk = π‘Ÿ β€’ 𝑒 𝑛 + 𝑓 mod π‘Ÿ 𝑓 β€’ Modulo 𝑒 plaintext vs Rounding operation 𝑛 𝑒 π‘Ÿ/𝑒

  13. HEAAN 𝜈 1 = π‘žπ‘› 1 + 𝑓 1  A New Message Encoding β€’ ct = Enc sk 𝑛 , ct, sk = π‘žπ‘› + 𝑓 mod π‘Ÿ π‘Ÿ β€’ Consider 𝑓 as part of approximation error 𝜈 2 = π‘žπ‘› 2 + 𝑓 2  Homomorphic Operations 𝜈 = π‘ž 2 𝑛 1 𝑛 2 + 𝑓 Input 𝜈 1 β‰ˆ π‘žπ‘› 1 , 𝜈 2 β‰ˆ π‘žπ‘› 2 Addition 𝜈 1 + 𝜈 2 β‰ˆ π‘ž β‹… (𝑛 1 + 𝑛 2 ) 𝜈 = 𝜈 1 𝜈 2 β‰ˆ π‘ž 2 β‹… 𝑛 1 𝑛 2 Multiplication 𝜈 β€² = π‘ž β‹… 𝑛 1 𝑛 2 + 𝑓′ 𝜈 β€² β‰ˆ π‘ž βˆ’1 β‹… 𝜈 β‰ˆ π‘ž β‹… 𝑛 1 𝑛 2 Rounding π‘Ÿ/π‘ž  Support for the (approximate) fixed-point arithmetic - Leveled HE : π‘Ÿ = π‘ž 𝑀

  14. HEAAN Packed Ciphertext  Construction over the ring β€’ A single ctx can encrypt a vector of plaintext values 𝑨 = (𝑨 1 , 𝑨 2 , … , 𝑨 β„“ ) β€’ Parallel computation in a SIMD manner 𝑨 βŠ— π‘₯ = (𝑨 1 π‘₯ 1 , 𝑨 2 π‘₯ 2 , … , 𝑨 β„“ π‘₯ β„“ ) Continued on next page

  15. RLWE-based HEAAN π‘Œ π‘œ + 1 and 𝑆 π‘Ÿ = 𝑆 mod π‘Ÿ = β„€ π‘Ÿ π‘Œ π‘œ + 1  Let 𝑆 = β„€ π‘Œ π‘Œ β€’ A ciphertext can encrypt a polynomial 𝑛 π‘Œ ∈ 𝑆 β€’ Note (m 0 +m 1 X+ … ) ( m 0 ’ +m 1 ’ X + … )= m 0 m 0 ’ +(m 0 m 1 ’ +m 0 ’m 1 ) X+… β€’ Decoding/Encoding function π‘Œ π‘œ + 1 βŠ† ℝ π‘Œ π‘œ + 1 β†’ β„‚ π‘œ/2 𝑆 = β„€ π‘Œ π‘Œ 𝑛 π‘Œ ↦ 𝑨 = 𝑨 1 , … , 𝑨 π‘œβˆ•2 , 𝑨 𝑗 = 𝜈 πœ‚ 𝑗 , w here π‘Œ π‘œ + 1 = π‘Œ βˆ’ πœ‚ 1 βˆ’1 β‹― π‘Œ βˆ’ πœ‚ βˆ’1 βˆ’1 π‘Œ βˆ’ πœ‚ 1 π‘Œ βˆ’ πœ‚ 2 π‘Œ βˆ’ πœ‚ 2 π‘Œ βˆ’ πœ‚ π‘œ 2 π‘œ 2 β€’ Example: π‘œ = 4 , πœ‚ 1 = π‘“π‘¦π‘ž(πœŒπ‘—/4) , πœ‚ 2 = π‘“π‘¦π‘ž(5πœŒπ‘—/4) 𝑨 = 1 βˆ’ 2𝑗, 3 + 4𝑗 ↦ 𝑛 π‘Œ = 2 βˆ’ 2 2 π‘Œ + π‘Œ 2 βˆ’ 2 π‘Œ 3 β€’ ↦ 𝜈 π‘Œ = 2000 βˆ’ 2828π‘Œ + 1000π‘Œ 2 βˆ’ 1414 π‘Œ 3 β€’ β€’ 𝜈 πœ‚ 1 β‰ˆ 1000.15 βˆ’ 1999.55 𝑗 , 𝜈 πœ‚ 2 β‰ˆ 2999.85 + 3999.55 𝑗

  16. 3. Bootstrapping of HEAAN

  17. Bootstrapping Input πΉπ‘œπ‘‘(𝑑) β€’ Old Ciphertext with large noise Safe Box β€’ c = πΉπ‘œπ‘‘ 𝑙 (𝑛; 𝑠) Encrypted Secret Key Process πΉπ‘œπ‘‘ 𝑙 (𝐿) Decryption 𝐿 β€’ Evaluate Decrypt circuit 𝑛 Output β€’ New ciphertext with small noise πΉπ‘œπ‘‘ 𝑙 𝑛; 𝑠 β€² , 𝑠 β€² : small [1] Cheon-Han-Kim-Kim-Song: Bootstrapping for Approximate Homomorphic Encryption. EUROCRYPT 2018

  18. Bootstrapping β€’ Ciphertexts of a leveled HE have a limited lifespan β€’ Refresh a ciphertext ct = Enc sk 𝑛 by evaluating the decryption circuit homomorphically : Dec sk ct = 𝑛 ⟺ 𝐺 ct sk = 𝑛 where 𝐺 ct βˆ— = Dec βˆ— ct β€’ Bootstrapping key BK = Enc sk (sk) : 𝐺 ct BK = 𝐺 ct Enc sk sk = Enc sk 𝐺 ct sk = Enc sk (𝑛) β€’ Homomorphic operations introduce errors  Fine : 𝐺 ct BK = 𝐺 ct Enc sk sk = Enc sk 𝐺 ct sk + 𝑓 = Enc sk (𝑛 + 𝑓) β€’ How to evaluate the decryption circuit (efficiently)? : Dec sk ct = ct, sk (mod π‘Ÿ)

  19. Approximate Decryption 𝑒 π‘Ÿ = 𝜈 , 𝐸𝑓𝑑 𝑑𝑙 𝑑𝑒 ↦ 𝑒 = 𝑑𝑒, 𝑑𝑙 ↦ 𝑒 = π‘Ÿπ½ + 𝜈 for some 𝐽 < 𝐿 β€’ Na Γ― ve solution: polynomial interpolation on [βˆ’πΏπ‘Ÿ, πΏπ‘Ÿ] β€’ Huge depth, complexity & inaccurate result

  20. Approximate Decryption 𝑒 π‘Ÿ = 𝜈 , 𝐸𝑓𝑑 𝑑𝑙 𝑑𝑒 ↦ 𝑒 = 𝑑𝑒, 𝑑𝑙 ↦ 𝑒 = π‘Ÿπ½ + 𝜈 for some 𝐽 < 𝐿 β€’ Idea1 : Restriction of domain 𝜈 β‰ͺ π‘Ÿ

  21. Approximate Decryption 𝑒 π‘Ÿ = 𝜈 , 𝐸𝑓𝑑 𝑑𝑙 𝑑𝑒 ↦ 𝑒 = 𝑑𝑒, 𝑑𝑙 ↦ 𝑒 = π‘Ÿπ½ + 𝜈 for some 𝐽 < 𝐿 β€’ Idea1 : Restriction of domain 𝜈 β‰ͺ π‘Ÿ Idea 2 : Sine approximation 𝜈 β‰ˆ π‘Ÿ 2𝜌 β€’ 2𝜌 sin πœ„ for πœ„ = π‘Ÿ 𝑒 (period: π‘Ÿ , slope at 0=1) 1 π‘Ÿ

  22. Bootstrapping of HEAAN  Sine Evaluation

  23. Bootstrapping of HEAAN  Sine Evaluation - Direct Taylor approximation β€’ Huge depth & complexity

  24. Bootstrapping of HEAAN 0  Sine Evaluation - Direct Taylor approximation β€’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙 β‰ˆ cos 𝑒 πœ„ 2 𝑠 β€’ 𝐷 0 πœ„ = 𝑙=0 2𝑙 ! βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙+1 β‰ˆ sin( 𝑒 πœ„ 2 𝑠 ) β€’ 𝑇 0 πœ„ = 𝑙=0 2𝑙+1 !

  25. Bootstrapping of HEAAN 1  Sine Evaluation - Direct Taylor approximation β€’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙 β‰ˆ cos 𝑒 πœ„ 2 𝑠 β€’ 𝐷 0 πœ„ = 𝑙=0 2𝑙 ! βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙+1 β‰ˆ sin( 𝑒 πœ„ 2 𝑠 ) β€’ 𝑇 0 πœ„ = 𝑙=0 2𝑙+1 ! - Idea 2: Iterate by double-angle formula 2 πœ„ βˆ’ 𝑇 𝑙 2 πœ„ , 𝑇 𝑙+1 πœ„ = 2𝑇 𝑙 πœ„ β‹… 𝐷 𝑙 πœ„ β€’ 𝐷 𝑙+1 πœ„ = 𝐷 𝑙

  26. Bootstrapping of HEAAN 2  Sine Evaluation - Direct Taylor approximation β€’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙 β‰ˆ cos 𝑒 πœ„ 2 𝑠 β€’ 𝐷 0 πœ„ = 𝑙=0 2𝑙 ! βˆ’1 𝑙 πœ„ 2 𝑠 2𝑙+1 β‰ˆ sin( 𝑒 πœ„ 2 𝑠 ) β€’ 𝑇 0 πœ„ = 𝑙=0 2𝑙+1 ! - Idea 2: Iterate by double-angle formula 2 πœ„ βˆ’ 𝑇 𝑙 2 πœ„ , 𝑇 𝑙+1 πœ„ = 2𝑇 𝑙 πœ„ β‹… 𝐷 𝑙 πœ„ β€’ 𝐷 𝑙+1 πœ„ = 𝐷 𝑙

Recommend


More recommend