Homomorphic SIM 2 D operations: Single Instruction Much More Data - PowerPoint PPT Presentation

Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia Iliashenko Frederik Vercauteren

Homomorphic encryption 𝐷 𝐷 cryp 175.2 §ç{à#£*°|

Homomorphic encoding real-world data plaintext ciphertext 𝐷 𝐷 𝐷 cryp 2𝑦 1023 + 𝑦 2 + 7𝑦 + 5 175.2 §ç{à#£*°|

Plaintext space 𝐚[𝑦] Typically a ring of the form 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) where 𝑢 ∈ 𝐚 ≥2 and 𝑔 𝑦 ∈ 𝐚[𝑦] is monic irreducible of degree 𝑒 . We represent this by a box: 𝑏𝑦 𝑗 𝑏 𝑢 -direction Polynomials of degree < 𝑒 𝑗 and coefficients in [0, 𝑢) . 𝑒 -direction

𝑒 -direction Homomorphic encoding 𝑢 -direction How to encode real-world input 𝜄 ? General principle: find an integer-digit expansion 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + 𝑏 𝑠−1 𝑐 𝑠−1 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 for some base 𝑐 ∈ 𝐃 . Then encode as 𝑏 𝑠 𝑦 𝑠 + 𝑏 𝑠−1 𝑦 𝑠−1 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 . Decoding: evaluate in 𝑦 = 𝑐 . Works well if no overflow .

𝑒 -direction Homomorphic encoding 𝑢 -direction How to encode real-world input 𝜄 ? General principle: find an integer-digit expansion 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + 𝑏 𝑠−1 𝑐 𝑠−1 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 for some base 𝑐 ∈ 𝐃 . Then encode as 𝑏 𝑠 𝑦 𝑠 + 𝑏 𝑠−1 𝑦 𝑠−1 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 . Decoding: evaluate in 𝑦 = 𝑐 . Works well if no overflow .

𝑒 -direction Homomorphic encoding 𝑢 -direction How to encode real-world input 𝜄 ? General principle: find an integer-digit expansion 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + 𝑏 𝑠−1 𝑐 𝑠−1 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 for some base 𝑐 ∈ 𝐃 . Then encode as 𝑏 𝑠 𝑦 𝑠 + 𝑏 𝑠−1 𝑦 𝑠−1 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 . Decoding: evaluate in 𝑦 = 𝑐 . Works well if no overflow .

𝑒 -direction Homomorphic encoding 𝑢 -direction How to encode real-world input 𝜄 ? General principle: find an integer-digit expansion 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + 𝑏 𝑠−1 𝑐 𝑠−1 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 for some base 𝑐 ∈ 𝐃 . Then encode as 𝑏 𝑠 𝑦 𝑠 + 𝑏 𝑠−1 𝑦 𝑠−1 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 . Decoding: evaluate in 𝑦 = 𝑐 . Works well if no overflow .

𝑒 -direction Homomorphic encoding 𝑢 -direction How to encode real-world input 𝜄 ? General principle: find an integer-digit expansion 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + 𝑏 𝑠−1 𝑐 𝑠−1 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 for some base 𝑐 ∈ 𝐃 . Then encode as 𝑏 𝑠 𝑦 𝑠 + 𝑏 𝑠−1 𝑦 𝑠−1 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 . Decoding: evaluate in 𝑦 = 𝑐 . Works well if no overflow .

Fractional encoding Encoding fractional expansions 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 + 𝑏 −1 𝑐 −1 + ⋯ + 𝑏 −𝑡 𝑐 −𝑡 ? If 𝑔(𝑦) = 𝑦 𝑒 + 1 then 𝑦 −𝑗 ≡ −𝑦 𝑒−𝑗 , so: [Dowlin et al., ‘15] put fractional part at the high powers, with negated sign. 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 + 𝟑 −𝟐 + 𝟑 −𝟒 𝑢 -direction Works as long as high powers 𝑒 -direction and low powers do not overflow each other.

Fractional encoding Encoding fractional expansions 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 + 𝑏 −1 𝑐 −1 + ⋯ + 𝑏 −𝑡 𝑐 −𝑡 ? If 𝑔(𝑦) = 𝑦 𝑒 + 1 then 𝑦 −𝑗 ≡ −𝑦 𝑒−𝑗 , so: [Dowlin et al., ‘15] put fractional part at the high powers, with negated sign. 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 + 𝟑 −𝟐 + 𝟑 −𝟒 𝑢 -direction Works as long as high powers 𝑒 -direction and low powers do not overflow each other.

Fractional encoding Encoding fractional expansions 𝜄 ≈ 𝑏 𝑠 𝑐 𝑠 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 + 𝑏 −1 𝑐 −1 + ⋯ + 𝑏 −𝑡 𝑐 −𝑡 ? If 𝑔(𝑦) = 𝑦 𝑒 + 1 then 𝑦 −𝑗 ≡ −𝑦 𝑒−𝑗 , so: [Dowlin et al., ‘15] put fractional part at the high powers, with negated sign. 𝜾 = 𝟑 𝟕 + 𝟑 𝟓 + 𝟑 𝟒 + 𝟑 + 𝟐 + 𝟑 −𝟐 + 𝟑 −𝟒 𝑢 -direction Works as long as high powers 𝑒 -direction and low powers do not overflow each other.

SIMD

SIMD

SIMD

SIMD Batch encoding is possible thanks to CRT [Smart- Vercauteren, ‘14] : 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 where the 𝑔 𝑗 (𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢 .

SIMD Batch encoding is possible thanks to CRT [Smart- Vercauteren, ‘14] : 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 where the 𝑔 𝑗 (𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢 .

SIMD Batch encoding is possible thanks to CRT [Smart- Vercauteren, ‘14] : 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 where the 𝑔 𝑗 (𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢 .

SIMD Batch encoding is possible thanks to CRT [Smart- Vercauteren, ‘14] : 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 where the 𝑔 𝑗 (𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢 .

SIMD 𝐷 cryp SIMD i Single Instruction, Multiple Data Batch encoding is possible thanks to CRT [Smart- Vercauteren, ‘14] : 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 where the 𝑔 𝑗 (𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢 .

Contributions  SIMD seems incompatible with fractional encoding, because most factors of 𝑦 𝑒 + 1 modulo 𝑢 are not of that form. We give a very general fractional encoding method which does not require that 𝒈 𝒚 = 𝒚 𝒆 + 𝟐 .  The CRT allows for more fine-grained decompositions by also incorporating factorizations of 𝑢 . We show that this enables more flexible and denser data packing.

Fractional encoding revisited Write 𝑔 𝑦 = 𝑦 ⋅ 𝑕 𝑦 + 𝑔 0 . First encode 𝑏 𝑠 𝑐 𝑠 + ⋯ + 𝑏 1 𝑐 + 𝑏 0 + 𝑏 −1 𝑐 −1 + ⋯ + 𝑏 −𝑡 𝑐 −𝑡 as a Laurent polynomial in 𝐚[𝑦 ±1 ] by substituting 𝑦 for 𝑐 .

Fractional encoding revisited mild requirement: Write 𝑔 𝑦 = 𝑦 ⋅ 𝑕 𝑦 + 𝑔 0 . 𝒈(𝟏) invertible mod 𝒖 First encode 𝑏 𝑠 𝑦 𝑠 + ⋯ + 𝑏 1 𝑦 + 𝑏 0 + 𝑏 −1 𝑦 −1 + ⋯ + 𝑏 −𝑡 𝑦 −𝑡 as a Laurent polynomial in 𝐚[𝑦 ±1 ] by substituting 𝑦 for 𝑐 . Then apply: mod 𝑢 𝐚 𝑢 𝑦 ±1 𝑦 ↦ 𝑦 𝜃 𝑔 𝐚 𝑦 ±1 𝑆 𝑢 where 𝜃 𝑔 : ቊ 𝑦 −1 ↦ −𝑔 0 −1 𝑕(𝑦)

Decoding Visually: looks like a mess, 𝑢 -direction seems to overflow from the start! 𝑒 -direction

Decoding Visually: looks like a mess, 𝑢 -direction seems to overflow from the start! 𝑒 -direction

Decoding Visually: looks like a mess, 𝑢 -direction seems to overflow from the start! Algebraically, much cleaner. 𝑒 -direction If 𝑛 − ℓ + 1 = 𝑒 then the restricted map 𝜃 𝑔 ≤𝑛 𝐚 𝑢 𝑦 ±1 𝑆 𝑢 ≥ℓ is an isomorphism of free 𝐚 𝑢 -modules of rank 𝑒 .

Bounding box Suppose we know that the evaluation of 𝐷 when carried out in 𝐚[𝑦 ±1 ] ends up in a certain box , and that some shifted plaintext space covers this box . 𝐚 -axis height 𝑢 𝑛 ℓ 𝑦 -axis width 𝑛 − ℓ + 1 = 𝑒 ≤𝑛 mod 𝑢 𝐚 𝑢 𝑦 ±1 𝜃 𝑔 ≤𝑛 𝐚 𝑦 ±1 𝑆 𝑢 . Decoding = inverting ≥ℓ ≥ℓ

Decomposing plaintext space The CRT decomposition used in [Smart- Vercauteren, ‘14] 𝐚[𝑦] 𝐚[𝑦] 𝐚[𝑦] 𝐚 𝑦 ≅ 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ՜ 1 𝑦 , 𝑢) × 2 𝑦 , 𝑢) × ⋯ × (𝑔 (𝑔 𝑔 𝑠 𝑦 , 𝑢 can be viewed as a vertical slicing of plaintext space: Each individual slice should cover the bounding box of the corresponding entry.

Decomposing plaintext space We generalize this discussion: suppose 𝑠 𝑗 𝑢 = 𝑢 1 𝑢 2 𝑢 3 ⋯ 𝑢 𝑡 𝑔 𝑦 = ෑ 𝑔 𝑗𝑘 (𝑦) mod 𝑢 𝑗 and 𝑗=1 are factorizations into coprimes. Then: 𝐚[𝑦] 𝐚 𝑦 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ≅ × 𝑔 𝑦 , 𝑢 1 ⋮ 𝐚 𝑦 × 𝑔 𝑦 , 𝑢 𝑡

Decomposing plaintext space We generalize this discussion: suppose 𝑠 𝑗 𝑢 = 𝑢 1 𝑢 2 𝑢 3 ⋯ 𝑢 𝑡 𝑔 𝑦 = ෑ 𝑔 𝑗𝑘 (𝑦) mod 𝑢 𝑗 and 𝑗=1 are factorizations into coprimes. Then: 𝐚[𝑦] 𝐚 𝑦 𝐚 𝑦 𝐚 𝑦 𝑆 𝑢 = (𝑔 𝑦 , 𝑢) ≅ × × ⋯ × × 𝑔 11 𝑦 , 𝑢 1 𝑔 12 𝑦 , 𝑢 1 𝑔 1𝑠 1 𝑦 , 𝑢 1 ⋮ 𝐚 𝑦 𝐚 𝑦 𝐚 𝑦 × × × ⋯ × 𝑔 𝑡1 𝑦 , 𝑢 𝑡 𝑔 𝑡2 𝑦 , 𝑢 𝑡 𝑔 𝑡𝑠 𝑡 𝑦 , 𝑢 𝑡