Homomorphic Encryption for Arithmetic of Approximate Numbers Jung - PowerPoint PPT Presentation

Homomorphic Encryption for Arithmetic of Approximate Numbers Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon ⋆ , Andrey Kim ⋆ , Miran Kim † , Yongsoo Song ⋆ ⋆ Seoul National University † University of California - SD 2017. 07. 12. 1 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Table of contents Motivation 1 Main idea 2 New Decryption Structure Rounding of Plaintext Packing Method Evaluation of Circuits & Applications 3 Typical Circuits Applications Implementation 2 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation Homomorphic Encryption c 1 ← Enc ( m 1 ) , . . . , c t ← Enc ( m t ). c ∗ ← Eval ( f , c 1 , . . . , c t ) , Dec ( c ∗ ) = f ( m 1 , . . . , m t ). 3 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation Applications Cloud Computing Medical Applications (Private data, Public functions) Financial Applications Advertising and Pricing Data Mining Biometric Authentication 4 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation History 5 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation Previous Homomorphic Encryption An encryption c has a decryption structure � c , sk � = ˆ m (mod q ) for a random encoding ˆ m of message m . mod p ◮ BGV style: ˆ m = m + pe − − − − → m ⌊ p q ·⌉ ◮ FV style: ˆ m = q p m + e − − − → m Support operations over finite characteristic plaintext spaces. ◮ Z p , Z p [ X ] / Φ M ( X ) ◮ GF ( p d ) Somewhat practical implementations based on Ring structure ◮ HElib (IBM), SEAL (Microsoft Research). ◮ Theoretically every Boolean circuit can be evaluated in a polynomial time. 6 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation Limitation Many of real-world data belong to continuous spaces (e.g. R N , C N ). They should be discretized (quantized) to an approximate value to be stored and used in computer systems. 7 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation Limitation Current HE schemes are not adequate to the approximate arithmetic. Floating-point operation ◮ x = ± ( significand ) ∗ ( base ) ( exponent ) ◮ Remove some inaccurate LSBs of significand after operations ◮ e.g. (2 . 313 ∗ 10 4 ) ∗ (3 . 127 ∗ 10 − 7 ) = 7 . 232751 ∗ 10 − 3 ≈ 7 . 233 ∗ 10 − 3 Approximate arithmetic in HE 1 Extraction of MSBs: huge depth or expensive cost 2 Exact operations: ◮ Evaluation of depth L circuit with η = log p -bit inputs requires a large plaintext space ( ≈ p 2 L ) and ciphertext modulus of log q = Ω(2 L L · η ). 8 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation BGV style multiplication � c i , sk � = m i + pe i (mod q ). � c mult , sk � = ( m 1 + pe 1 )( m 2 + pe 2 ) + pe mult = [ m 1 m 2 ] p + pe The MSBs of m 1 ∗ m 2 is destroyed by ciphertext error. 9 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Motivation FV style multiplication � c i , sk � = ( q / p ) · m i + e i (mod q ) = ⇒ � c i , sk � = q · I i + ( q / p ) · m i + e i . p � c mult , sk � = q ( q · I 1 + ( q / p ) · m 1 + e 1 )( q · I 2 + ( q / p ) · m 2 + e 2 ) + e mult = q · I + ( q / p ) · [ m 1 m 2 ] p + e . The MSBs of m 1 ∗ m 2 is destroyed by ciphertext error. 10 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Section 2 Main idea 11 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea New Decryption Structure Idea 1: Embracing Noise An encryption of significand m satisfies � c , sk � = m + e (mod q ) for some small error e . Consider the error added to the plaintext for security to be part of the error that occurred during approximate computations. The decryption structure ˆ m = m + e itself is an approximate value of the original message m . If | e | is small enough not to destroy the significand of m , the precision is almost preserved (e.g. m = 1 . 23 ∗ 10 4 , e = − 17. ˆ m = 12283 ≈ m ). 12 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea New Decryption Structure HE Operations and Noise Estimation Homomorphic operations between ciphertexts can be done by known techniques such as key-switching. An encryption c of m has a relative error β if � c , sk � = m · (1 ± β ). ◮ m 1 · (1 ± β 1 ) + m 2 · (1 ± β 2 ) = ( m 1 + m 2 ) · (1 ± max i β i ). ◮ m 1 · (1 ± β 1 ) ∗ m 2 · (1 ± β 2 ) + e mult ≈ m 1 m 2 · (1 ± ( β 1 + β 2 )). Bit size of required modulus still increases exponentially on depth: evaluation of depth L circuit with η -bit inputs requires log q = Ω(2 L · η ). 13 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Rounding of Plaintext Idea 2: Rescaling Process Send a ciphertext (mod q large ) to a smaller modulus q small = q large / p . Rescale ( c ) = ⌊ c / p ⌉ If � c , sk � = m + e (mod q large ), then we have � Rescale ( c ) , sk � = ( m / p ) + e ′ (mod q small ) for some e ′ = ( e / p ) + e scale ≈ e / p . The relative error of ciphertext is almost preserved. 14 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Rounding of Plaintext Rescaling after Multiplication Rescaling procedure results in rounding of plaintext. 15 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Rounding of Plaintext Leveled HE scheme Suppose that m ≈ p . Given an encryption of m , we compute ( m d / p d − 1 ) in level log d within (log d + 1) bits of precision loss. Size of ciphertext modulus grows linearly on depth L ◮ log q : O ( L · η ) vs Ω(2 L L · η ) 16 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Packing Method Idea 3: Batching Technique Encrypt a message vector in a single ciphertext for SIMD operation. RLWE-based construction over a cyclotomic ring R = Z [ X ] / Φ M ( X ). ◮ Let N = φ ( M ). ◮ Previous method: Use the factorization Φ M ( X ) = � ℓ i =1 F i ( X ) (mod p ) � ℓ � ℓ i =1 GF ( p d ) R p → i =1 Z p [ X ] / ( F i ( X )) → m ( X ) �→ ( m ( X ) (mod F i ( X ))) 1 ≤ i ≤ ℓ �→ ( m ( α i )) 1 ≤ i ≤ ℓ ◮ Evaluation at non-conjugate roots ( α 1 , . . . , α ℓ ) of Φ M ( X ) over Z p . ◮ Cannot be applied to the characteristic zero plaintext spaces. 17 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Packing Method Idea 3: Batching Technique Roughly, a plaintext space is the set of small polynomials in R . Canonical embedding map σ : Q [ X ] / (Φ M ( X )) → C N defined by a ( X ) �→ ( a ( ζ j )) j ∈ Z ∗ M where ζ = exp( − 2 π i / M ). ◮ Cannonical embedding norm || a || can ∞ = || σ ( a ) || ∞ . ◮ An image of σ is contained in the subring H = { ( z j ) j ∈ Z ∗ M : z − j = z j } . ◮ Let S ≤ Z ∗ M be a subgroup such that Z ∗ M / S = {± 1 } . Our method: Adapt the complex canonical embedding (isometric ring homomorphism) preserving the error size. σ ι H ≤ C N C N / 2 R = Z [ x ] / (Φ M ( X )) − − − − → − − − − → ( m ( ζ j )) j ∈ S m ( X ) �− → σ ( m ) �− → 18 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Packing Method Encoding/Decoding and Rounding Error σ ι C N / 2 H ≤ C N R = Z [ x ] / (Φ M ( X )) − − − − → − − − − → ( m ( ζ j )) j ∈ S m ( X ) �− → σ ( m ) �− → Encoding: z ( X ) = σ − 1 ◦ ι − 1 ( � z = ( z j ) j ∈ S ∈ Z [ i ] N / 2 � �− → z ) ∈ R [ X ] / (Φ M ( X )) �− → m ( X ) = ⌊ ∆ · z ( X ) ⌉ ∈ Z [ X ] / (Φ M ( X )) for a scaling factor ∆ and rounding ⌊·⌉ w.r.t. ||·|| can ∞ . Decoding: m = ( m ( ζ j )) j ∈ S ∈ C N / 2 m ( X ) ∈ Z [ X ] / (Φ M ( X )) �− → � z = ⌊ ∆ − 1 · � m ⌉ ∈ Z [ i ] N / 2 . �− → � Encoding/Decoding preserves the size of errors. Rounding error is relatively small. 19 / 30

Homomorphic Encryption for Arithmetic of Approximate Numbers Main idea Packing Method Example of Encoding & Encryption Suppose that M = 8 (Φ M ( x ) = x 4 + 1) and ∆ = 64. Then ζ 2 ζ 3  1 ζ   1 1 1 1  ζ 3 ζ 6 ζ 7 ζ 5 ζ 3 M = 1 M = 1 1 ζ ζ  , C − 1   4 C T   C M =  ζ 5 ζ 2 ζ 7   ζ 6 ζ 2 ζ 6 ζ 2  1 4    ζ 7 ζ 6 ζ 5 ζ 5 ζ 7 ζ 1 ζ 3 1 √ where ζ = exp( − 2 π i / 8) = (1 + i ) / 2. ι − 1 ( � z = (3 + 4 i , 2 − i ) � �→ z ) = (3 + 4 i , 2 − i , 2 + i , 3 − 4 i ) √ √ 2 X + 10 X 2 + 2 z ( X ) = 1 2 X 3 ) �→ 4 (10 + 4 m ( X ) = 160 + 91 X + 160 X 2 + 45 X 3 . �→ m ( ζ ) = 64(3 . 0082 .. + i ∗ 4 . 0026 .. ) , m ( ζ 3 ) = 64(1 . 9918 .. − i ∗ 0 . 9974 .. ). Enc ( m ) = ( b + m , a ) for b = as + e enc . Dec ( m ) = 64 · z ( X ) + e enc + e rd . (About log || e enc || can ∞ bits of precision loss.) 20 / 30