FHE over the Integers and Modular Arithmetic Circuits Eunkyung Kim 1 - PowerPoint PPT Presentation

FHE over the Integers and Modular Arithmetic Circuits Eunkyung Kim 1 Mehdi Tibouchi 2 1 Ewha Womans University, South Korea 2 NTT Secure Platform Laboratories, Japan WHEAT 2016, 2016–07–06 1/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 2/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 3/27 ⃝ 2016 NTT Secure Platform Laboratories c

FHE and binary message spaces ▶ Most FHE schemes introduced with message space Z / 2 Z ▶ Support the homomorphic evaluation of Boolean circuits ▶ In particular, in FHE “over the integers” [vDGHV10,. . . ], ciphertexts usually look like: c = pq + 2 r + m , m ∈ { 0 , 1 } ▶ Some variants with multiple slots (message space ( Z / 2 Z ) m ) or extension fields ( GF (2 m )), but still binary 4/27 ⃝ 2016 NTT Secure Platform Laboratories c

How about non-binary message spaces? ▶ Could we replace 2 by some other value Q ? (odd prime, say) ▶ We would then evaluate mod- Q arithmetic circuits instead of Boolean ones ▶ The most naive way works somewhat ▶ E.g. for FHE over the integers, use ciphertexts of the form: c = pq + Qr + m , m ∈ { 0 , . . . , Q − 1 } ▶ Addition and multiplication work fine mod Q : can evaluate low-degree polynomials mod Q on ciphertexts ▶ Can you get fully homomorphic encryption that way? 5/27 ⃝ 2016 NTT Secure Platform Laboratories c

The bootstrapping problem ▶ To get FHE from somewhat homomorphic encryption, we use bootstrapping: homomorphic evaluation of the decryption circuit ▶ Decryption (for ciphertexts above) looks like: m = ( c mod p ) mod Q ▶ This has to be expressed as a low-depth mod- Q arithmetic circuit (squashing). Main hurdle: division c mod p ▶ In binary: write 1 / p ≈ ∑ s i y i ( y i fixed precision public reals, all but one pseudorandom; s i random secret bits). Division then becomes a large iterated addition: ∑ s i ( cy i ) 6/27 ⃝ 2016 NTT Secure Platform Laboratories c

The Nuida–Kurosawa approach ▶ Squashing mod Q : need to write a low-depth mod- Q arithmetic circuit for precise enough iterated addition ▶ Looked like a daunting task, so nobody touched it for many years, until Nuida–Kurosawa (EUROCRYPT 2015) ▶ They gave explicit mod- Q circuits for iterated addition; deduced an FHE scheme over the integers with message space Z / Q Z ▶ Only works for small Q (otherwise, squashed decryption circuit depth too large for bootstrappability) 7/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 8/27 ⃝ 2016 NTT Secure Platform Laboratories c

Boolean circuits vs. arithmetic circuits ▶ Mod- Q arithmetic circuits can be efficiently simulated by Boolean circuits (size expansion factor polylogarithmic in Q ) [vzGS91] ▶ In particular, easy to homomorphically evaluate mod- Q arithmetic circuits using FHE with binary message space: 1. encrypt m ∈ Z / Q Z bit by bit, as log 2 Q ciphertexts c i 2. convert the mod- Q arithmetic circuit to Boolean, by replacing + and × gates by Boolean subcircuits doing those operations ▶ Therefore, FHE with non-binary message space at most an optimization 9/27 ⃝ 2016 NTT Secure Platform Laboratories c

Is the optimization worth it? ▶ So we asked ourselves the following question: is the mod- Q scheme in [NK15] ( NK Q ) a good optimization compared to using Boolean circuits? ▶ For large Q , impossible: ▶ overhead of NK Q (in terms of ciphertext size & cost of bootstrapping) is poly ( Q ) ▶ converting a mod- Q circuit to Boolean, the overhead is only polylog ( Q ) ▶ It could be worth it for small Q , though. Let’s compare. ▶ For a level playing field, we compared NK Q to its own binary version: Convert-NK 2 10/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 11/27 ⃝ 2016 NTT Secure Platform Laboratories c

A new FHE Convert-NK 2 with M = Z / Q Z Let NK 2 be NK FHE with M = Z / 2 Z , then Convert-NK 2 scheme is described as follow: ▶ KeyGen(1 λ ): (pk , sk) ← NK 2 . KeyGen(1 λ ) ▶ Enc(pk , m ): for m ∈ M = Z / Q Z , write m = ( m n − 1 , · · · , m 0 ) ( n = ⌈ log( Q + 1) ⌉ ) and encrypt m bitwise ⃗ c = ( c n − 1 , · · · , c 0 ) with c i ← NK 2 . Enc(pk , m i ) ▶ Dec(sk ,⃗ c ): m i ← NK 2 . Dec(sk , c i ) and return n − 1 ∑ m i 2 i m = i =0 ▶ Eval: Use Boolean circuits which compute mod- Q addition and mod- Q multiplication 12/27 ⃝ 2016 NTT Secure Platform Laboratories c

In this work We compared Convert-NK 2 vs NK Q ; which is better? 13/27 ⃝ 2016 NTT Secure Platform Laboratories c

Convert-NK 2 vs NK Q : Criteria for Comparison 1. Ciphertext size ▶ γ Q : N Q ∈ [1 , 2 γ Q ) ∩ Z ▶ γ ′ 2 ≈ γ 2 log Q : ciphertext of Convert-NK 2 is n -tuple of ciphertexts of NK 2 2. Time complexity to execute one mod- Q multiplication ▶ T Q : time complexity of a single ciphertext refresh operation in NK Q , ▶ T ′ 2 : time complexity of carrying out a multiplication mod Q in Convert-NK 2 14/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 15/27 ⃝ 2016 NTT Secure Platform Laboratories c

Figure : Conditions on parameters from [NK15] 16/27 ⃝ 2016 NTT Secure Platform Laboratories c

Choice of parameters in NK FHE Q is treated as constant ▶ ρ = Θ( λ log log log λ ): size of noise ▶ η = Θ( λ 2 log log λ ): size of secret prime ▶ γ = Θ( λ 4 log 2 λ ): size of ciphertexts ▶ L = ⌈ log Q λ ⌉ + 2: the number of precision after Q -ary point in z i ▶ Θ = Θ(( λ log λ ) 4 ): the number of sparse elements s i In a nutshell, we want to compare the case Q > 2 with Q = 2, so it is important not to ignore Q as constant. 17/27 ⃝ 2016 NTT Secure Platform Laboratories c

Choice of parameters in NK FHE Q is treated as constant ▶ ρ = Θ( λ log log log λ ): size of noise ▶ η = Θ( λ 2 log log λ ): size of secret prime ▶ γ = Θ( λ 4 log 2 λ ): size of ciphertexts ▶ L = ⌈ log Q λ ⌉ + 2: the number of precision after Q -ary point in z i ▶ Θ = Θ(( λ log λ ) 4 ): the number of sparse elements s i In a nutshell, we want to compare the case Q > 2 with Q = 2, so it is important not to ignore Q as constant. 17/27 ⃝ 2016 NTT Secure Platform Laboratories c

Dependence of parameters on Q ▶ In NK Q . KeyGen, we have v i = pq i + Qr i + s i and log | v i mod p | = log | Qr i + s i | ≤ log Q + ρ = O ( ρ ) ▶ Squashed decryption circuit can be computed within in degree Q L Q +2 ≈ Q 3 λ ( L Q ≈ log Q λ ) In order to make NK Q . Eval(pk , NK Q . Dec , v i , c ) works correctly, η Q = (noise size) · Θ(degree of Dec) = Θ( ρ Q 3 λ ) Thus, η ∝ Q 3 , and hence γ ∝ Q 6 since γ ∝ η 2 18/27 ⃝ 2016 NTT Secure Platform Laboratories c

Choice of parameters with consideration of Q We have parameters depending on Q ▶ η Q = Θ( Q 3 λ 2 log log λ ): size of secret prime ▶ γ Q = Θ( Q 6 λ 4 log 2 λ ): size of ciphertexts ▶ L Q = ⌈ log Q λ ⌉ + 2: the number of precision after Q -ary point in z i and not depending on Q ▶ ρ = Θ( λ log log log λ ): size of noise ▶ Θ = Θ(( λ log λ ) 4 ): the number of sparse elements s i 19/27 ⃝ 2016 NTT Secure Platform Laboratories c

Ciphertext size of Convert-NK 2 is smaller than NK Q ▶ γ Q : ciphertext size of NK Q ▶ γ ′ 2 : ciphertext size of Convert-NK 2 Proposition For a given security parameter λ and odd prime Q > 2 , we have γ ′ ( log Q ) 2 = Θ Q 6 γ Q 20/27 ⃝ 2016 NTT Secure Platform Laboratories c

Sketch of proof ▶ Ciphertext space of NK Q is Z / N Q Z and N Q ∈ [1 , 2 γ Q ) ∩ Z ▶ γ Q = Θ( Q 6 λ 4 log 2 λ ) ▶ Ciphertext space of Convert-NK 2 is ( Z / N 2 Z ) log Q 2 = log Q · Θ(2 6 λ 4 log 2 λ ) = Θ(log Q λ 4 log 2 λ ) ▶ γ ′ = Θ(log Q λ 4 log 2 λ ) ▶ γ ′ ( log Q ) 2 = Θ Θ( Q 6 λ 4 log 2 λ ) Q 6 γ Q 21/27 ⃝ 2016 NTT Secure Platform Laboratories c

Outline Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod- Q multiplication 22/27 ⃝ 2016 NTT Secure Platform Laboratories c

Basic binary operation ▶ k bit + k bit : 2 AND for each carry, and total 2 k AND ▶ k bit × l bit for ( k ≤ l ): 2 l ( k + l ) AND using so-called “two-out-of-three” technique 23/27 ⃝ 2016 NTT Secure Platform Laboratories c