Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM
Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for Homomorphic Computation
Homomorphic Encryption οΆ Integer-based HE scheme - RAD PH [1] β’ (Secret Key, Operation Key) = (a large prime π , π = ππ 0 ) β’ Encryption: πΉππ π = π + ππ πππ π β’ Decryption: πΉππ π πππ π = π But, INSECURE! β’ πΉππ π 1 + πΉππ π 2 = π 1 + ππ 1 + π 2 + ππ 2 = π 1 + π 2 + π π 1 + π 2 = πΉππ π 1 + π 2 - DGHV HE scheme (on β€ 2 ) [2] 2 100 π 1 π 1 X β’ πΉππ(π β π 2 100 ) = π + 2100π + ππ 2 100 π 2 π 2 β’ SECURE against quantum computing β’ Use a polynomial ring π π = β€ π [π¦]/(π¦π + 1) 2 200 π 1 π 2 + 2 100 π 1 π 2 + π 2 π 1 + π 1 π 2
Fully Homomorphic Encryption - On Polynomials (RingLWE) β’ [Gen09] ideal lattice β’ NTRU: LTV12 β’ Ring-LWE: BV11b, GHS13, BLLN13, HEAAN etc - On Integers (AGCD) β’ [DGHV10] FHE over the Integers. Eurocrypt 2010 β’ CMNT11, CNT12, CCKLLTY13, CLT14, etc - On Matrices (LWE) β’ [BV11a] Efficient FHE from (Standard) LWE. FOCS11 β’ Bra12, BGV12, GSW13
Summary of Progress in HE 1. 2009~2012: Plausibility and Scalable for Large Circuits β’ [GH11] A single bit bootstrapping takes 30 minutes β’ [GHS12b] 120 blocks of AES-128 (30K gates) in 36 hours 2. 2012~2015: Depth-Linear Construction β’ [BGV12] Modulus/Key Switching β’ [Bra12] Scale Invariant Scheme β’ [HS14] IBM's open-source library Helib: AES evaluation in 4 minutes 3. 2015~Today: Usability β’ Various schemes with different advantages (HEAAN, TFHE) β’ Real-world tasks: Big data analysis, Machine learning β’ Competitions for Private Genome Computation (iDash, 2014~) β’ HE Standardization meetings (2017~) Continued on next page
Standardization: HomomorphicEncryption.org Mar 2018 in MIT Jul 2017 in Microsoft, Redmond Oct 2018 in Toronto 1 st Workshop (2017.7.13-14) 2 nd Workshop (2018.3.15-16) 3 rd Workshop (2018.10.20)
Homomorphic Encryption οΆ Best Performing HE Schemes Type Classical HE Fast Bootstrapping Approximate Computation [BGV12] BGV [DM15] FHEW Scheme [CKKS17] HEAAN [Bra12, FV12] B/FV [CGGI16] TFHE Finite Field Real/Complex numbers Plaintext Binary string Packing Packing Operation Addition, Multiplication Look-up table & bootstrapping Fixed-point Arithmetic HElib (IBM) TFHE Library SEAL (Microsoft Research) HEAAN (SNU) (Inpher, Gemalto, etc.) Palisade (Duality inc.)
2. HEAAN: Approximate Homomorphic Encryption
Exact Multiplication 1.23 5.6088 4.56 3.98112624 0.78 0.7098 0.91 108.2456382397886496 2.34 13.2678 5.67 16 27.18970254 8.91 2.0493 0.23 8 4 2 - The plaintext size is doubled after a multiplication.
Approximate Multiplication 1.23 5.6188 4.56 3.98112624 0.78 0.7198 0.91 108.2556382397886496 2.34 13.2778 2 5.67 27.19970254 8.91 2.0593 0.23 2 HEAAN [CKKS17] 2 2 β’ Rescale after a multiplication β’ Tracing # of significands β’ Most data is processed approximately in Data analysis or ML
HEAAN = ζ §ηΌ = Insightful Minds [CKKS, AC17] Homomorphic Encryption for Arithmetic of Approximate Numbers https://eprint.iacr.org/2016/421.pdf
Approximate Computation οΆ Numerical Representation - Encode π into an integer π β ππ¦ for a scaling factor π : 2 β¦ 1412 β 2 β 10 3 - Fixed β Point Multiplication Compute π = π 1 π 2 and extract its significant digits π β² β π β1 β π β’ 5678 β 10 β3 = 7006652 β 10 β6 β¦ 7007 β 10 β3 = 7.007 : 1.234 Γ 5.678 = 1234 β 10 β3 Γ οΆ Previous HE on LWE problem (Regev, 2005) ct = Enc sk π , ct, sk = π β’ π’ π + π mod π π β’ Modulo π’ plaintext vs Rounding operation π π’ π/π’
HEAAN π 1 = ππ 1 + π 1 οΆ A New Message Encoding β’ ct = Enc sk π , ct, sk = ππ + π mod π π β’ Consider π as part of approximation error π 2 = ππ 2 + π 2 οΆ Homomorphic Operations π = π 2 π 1 π 2 + π Input π 1 β ππ 1 , π 2 β ππ 2 Addition π 1 + π 2 β π β (π 1 + π 2 ) π = π 1 π 2 β π 2 β π 1 π 2 Multiplication π β² = π β π 1 π 2 + πβ² π β² β π β1 β π β π β π 1 π 2 Rounding π/π οΆ Support for the (approximate) fixed-point arithmetic - Leveled HE : π = π π
HEAAN Packed Ciphertext οΆ Construction over the ring β’ A single ctx can encrypt a vector of plaintext values π¨ = (π¨ 1 , π¨ 2 , β¦ , π¨ β ) β’ Parallel computation in a SIMD manner π¨ β π₯ = (π¨ 1 π₯ 1 , π¨ 2 π₯ 2 , β¦ , π¨ β π₯ β ) Continued on next page
RLWE-based HEAAN π π + 1 and π π = π mod π = β€ π π π + 1 οΆ Let π = β€ π π β’ A ciphertext can encrypt a polynomial π π β π β’ Note (m 0 +m 1 X+ β¦ ) ( m 0 β +m 1 β X + β¦ )= m 0 m 0 β +(m 0 m 1 β +m 0 βm 1 ) X+β¦ β’ Decoding/Encoding function π π + 1 β β π π + 1 β β π/2 π = β€ π π π π β¦ π¨ = π¨ 1 , β¦ , π¨ πβ2 , π¨ π = π π π , w here π π + 1 = π β π 1 β1 β― π β π β1 β1 π β π 1 π β π 2 π β π 2 π β π π 2 π 2 β’ Example: π = 4 , π 1 = ππ¦π(ππ/4) , π 2 = ππ¦π(5ππ/4) π¨ = 1 β 2π, 3 + 4π β¦ π π = 2 β 2 2 π + π 2 β 2 π 3 β’ β¦ π π = 2000 β 2828π + 1000π 2 β 1414 π 3 β’ β’ π π 1 β 1000.15 β 1999.55 π , π π 2 β 2999.85 + 3999.55 π
3. Bootstrapping of HEAAN
Bootstrapping Input πΉππ(π) β’ Old Ciphertext with large noise Safe Box β’ c = πΉππ π (π; π ) Encrypted Secret Key Process πΉππ π (πΏ) Decryption πΏ β’ Evaluate Decrypt circuit π Output β’ New ciphertext with small noise πΉππ π π; π β² , π β² : small [1] Cheon-Han-Kim-Kim-Song: Bootstrapping for Approximate Homomorphic Encryption. EUROCRYPT 2018
Bootstrapping β’ Ciphertexts of a leveled HE have a limited lifespan β’ Refresh a ciphertext ct = Enc sk π by evaluating the decryption circuit homomorphically : Dec sk ct = π βΊ πΊ ct sk = π where πΊ ct β = Dec β ct β’ Bootstrapping key BK = Enc sk (sk) : πΊ ct BK = πΊ ct Enc sk sk = Enc sk πΊ ct sk = Enc sk (π) β’ Homomorphic operations introduce errors ο¨ Fine : πΊ ct BK = πΊ ct Enc sk sk = Enc sk πΊ ct sk + π = Enc sk (π + π) β’ How to evaluate the decryption circuit (efficiently)? : Dec sk ct = ct, sk (mod π)
Approximate Decryption π’ π = π , πΈππ π‘π ππ’ β¦ π’ = ππ’, π‘π β¦ π’ = ππ½ + π for some π½ < πΏ β’ Na Γ― ve solution: polynomial interpolation on [βπΏπ, πΏπ] β’ Huge depth, complexity & inaccurate result
Approximate Decryption π’ π = π , πΈππ π‘π ππ’ β¦ π’ = ππ’, π‘π β¦ π’ = ππ½ + π for some π½ < πΏ β’ Idea1 : Restriction of domain π βͺ π
Approximate Decryption π’ π = π , πΈππ π‘π ππ’ β¦ π’ = ππ’, π‘π β¦ π’ = ππ½ + π for some π½ < πΏ β’ Idea1 : Restriction of domain π βͺ π Idea 2 : Sine approximation π β π 2π β’ 2π sin π for π = π π’ (period: π , slope at 0=1) 1 π
Bootstrapping of HEAAN οΆ Sine Evaluation
Bootstrapping of HEAAN οΆ Sine Evaluation - Direct Taylor approximation β’ Huge depth & complexity
Bootstrapping of HEAAN 0 οΆ Sine Evaluation - Direct Taylor approximation β’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 β1 π π 2 π 2π β cos π π 2 π β’ π· 0 π = π=0 2π ! β1 π π 2 π 2π+1 β sin( π π 2 π ) β’ π 0 π = π=0 2π+1 !
Bootstrapping of HEAAN 1 οΆ Sine Evaluation - Direct Taylor approximation β’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 β1 π π 2 π 2π β cos π π 2 π β’ π· 0 π = π=0 2π ! β1 π π 2 π 2π+1 β sin( π π 2 π ) β’ π 0 π = π=0 2π+1 ! - Idea 2: Iterate by double-angle formula 2 π β π π 2 π , π π+1 π = 2π π π β π· π π β’ π· π+1 π = π· π
Bootstrapping of HEAAN 2 οΆ Sine Evaluation - Direct Taylor approximation β’ Huge depth & complexity - Idea 1 : Low-degree approx. near 0 β1 π π 2 π 2π β cos π π 2 π β’ π· 0 π = π=0 2π ! β1 π π 2 π 2π+1 β sin( π π 2 π ) β’ π 0 π = π=0 2π+1 ! - Idea 2: Iterate by double-angle formula 2 π β π π 2 π , π π+1 π = 2π π π β π· π π β’ π· π+1 π = π· π
Recommend
More recommend