practical bootstrapping in quasilinear time jacob alperin
play

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff - PowerPoint PPT Presentation

Jan 19, 2023 •366 likes •1.36k views

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

  1. Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21

  2. Fully Homomorphic Encryption [RAD’78,Gen’09] ◮ FHE lets you do this: � � µ Eval f , µ f ( µ ) where | f ( µ ) | and decryption time don’t depend on | f | . A cryptographic “holy grail” with tons of applications. 2 / 21

  3. Fully Homomorphic Encryption [RAD’78,Gen’09] ◮ FHE lets you do this: � � µ Eval f , µ f ( µ ) where | f ( µ ) | and decryption time don’t depend on | f | . A cryptographic “holy grail” with tons of applications. ◮ Naturally occurring schemes are “somewhat homomorphic” (SHE): they can only evaluate functions of an a priori bounded depth. � � � � µ Eval f, µ f ( µ ) Eval g, f ( µ ) g ( f ( µ )) 2 / 21

  4. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk 3 / 21

  5. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . 3 / 21

  6. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . ◮ Intensive study, many techniques [G’09,GH’11a,GH’11b,GHS’12b] , but still very inefficient – the main bottleneck in FHE, by far. 3 / 21

  7. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . ◮ Intensive study, many techniques [G’09,GH’11a,GH’11b,GHS’12b] , but still very inefficient – the main bottleneck in FHE, by far. ◮ The asymptotically most efficient methods on “packed” ciphertexts [GHS’12a,GHS’12b] are very complex, and appear practically worse than asymptotically slower methods. 3 / 21

  8. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime 4 / 21

  9. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts 4 / 21

  10. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . 4 / 21

  11. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? 4 / 21

  12. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) 4 / 21

  13. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) ✗ Log-depth mod- Φ m ( X ) circuit is complex, w/large hidden constants. 4 / 21

  14. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) ✗ Log-depth mod- Φ m ( X ) circuit is complex, w/large hidden constants. ✗✗ [GHS’12a] compiler is very complex, w/large polylog overhead factor. 4 / 21

  15. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 5 / 21

  16. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). 5 / 21

  17. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 5 / 21

  18. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: 5 / 21

  19. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. 5 / 21

  20. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. 5 / 21

  21. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. ✔ Special purpose, completely algebraic description – no “circuits.” 5 / 21

  22. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. ✔ Special purpose, completely algebraic description – no “circuits.” ✔ Completely decouples the algebraic structure of SHE plaintext ring from that needed for bootstrapping. 5 / 21

  23. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) 6 / 21

  24. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) Let R q = R/qR = Z q [ X ] / ( X k/ 2 + 1) for any integer q . 6 / 21

  25. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) Let R q = R/qR = Z q [ X ] / ( X k/ 2 + 1) for any integer q . ◮ Plaintext ring is R 2 , ciphertext ring is R q for q ≫ 2 . Can assume k, q = ˜ O ( λ ) by ring- and modulus-switching. 6 / 21

Recommend

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval (

1.03k views • 50 slides
Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com http://streamhacker.com http://text-processing.com https://github.com/japerk/nltk-trainer @japerk Problem you want to do NLProc many proven supervised

901 views • 31 slides
Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen

LinuxDay/Cagliari 2005: Practical Office Automation Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen <sparre@crs4.it> Questions are welcome at any time during the talk. p. 1

435 views • 17 slides
Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen sparre@crs4.it LinuxDay/Cagliari 2005: Practical Office Automation http://edb.jacob-sparre.dk/foredrag/OOo/ p. 1 Ouverture Subject: This talk is

310 views • 17 slides
Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech Oberwolfach Crypto Workshop 29 July 2014 1 / 22 Agenda 1 A homomorphic encryption tool: ring switching 2 An application: (practical!) bootstrapping

1.11k views • 98 slides
The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta Sp ath Bergische Universit at Wuppertal June 12th, 2019 The Alperin-McKay conjecture Notation: G a finite group and a prime with |

580 views • 27 slides
Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Executive Summary (if youre not an executive, you may stay for the rest of the talk) What: Bootstrapping without the Boot We like minimally supervised learning (bootstrapping). Lets convert it to unsupervised learning

344 views • 7 slides
Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky

Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky

Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky University of Missouri, Columbia Singular Problems Associated to Quasilinear Equations Shanghai, China, June 13, 2020 In honor of Marie-Fran

1.01k views • 38 slides
Prelude to Parting After the birth of Rachels first child and his 11 th son Jacob

Prelude to Parting After the birth of Rachels first child and his 11 th son Jacob

The Prospering of Jacob This final part of chapter 30 proceeds in 2-stages Stage 1 is the prelude to parting in vv. 25-36, which we just read Jacob recognizes its time to return to Canaan Which Laban, quite expectedly resists T o which

281 views • 10 slides
Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater Jacob Eisenstein School of Informatics University of Edinburgh School of Interactive Technology Georgia Institute of Technology July 9, 2012

560 views • 36 slides
Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

BIBLIOGRAPHIE 245 Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag, 1995. [2] J org Arndt. Algorithms for programmers. 2002. [3] Michael Artin. Algebra . Prentice Hall, 1991. [4] David H. Bailey.

151 views • 3 slides
Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C.

Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C.

Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C. Cernech, City Manager TAMARAC Solid Middle Class Community or Hotbed of Corruption? Your Role in creating an ethical organization Are ethical

587 views • 29 slides
Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob, Dept. of Mathematics, bjacob@math.toronto.edu NA seminar, University of Toronto 23 january 2009 Eigen is co-developed with Ga el Guennebaud

490 views • 28 slides
QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example:

QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example:

ECO 305 FALL 2003 October 7 QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example: F ( x ) = x 1 / 2 Indi ff . curves vertically parallel y = u F ( x ) for any constant u Measure prices

510 views • 4 slides
Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter

Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter

Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter to estimate the variation of estimates of the parameter! Data: x 1 , . . . , x n drawn from a parametric distribution F ( ). Estimate by a

63 views • 5 slides
Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their

Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their

Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their frequent and timely availability Recommendation: a frequency of at least every two or three years with extrapolations to annual results Global

675 views • 29 slides
Parallel-in-Time Optimization with the General-Purpose XBraid Package Stefanie Gnther, Jacob

Parallel-in-Time Optimization with the General-Purpose XBraid Package Stefanie Gnther, Jacob

Parallel-in-Time Optimization with the General-Purpose XBraid Package Stefanie Gnther, Jacob Schroder , Robert Falgout, Nicolas Gauger 7th Workshop on Parallel-in-Time methods Wednesday, May 3 rd , 2018 LLNL-PRES-750301 This work was performed

609 views • 26 slides
Discussion of Anomaly Time Boone Bowles, Adam V. Reed, Matthew C. Ringgenberg, Jacob R.

Discussion of Anomaly Time Boone Bowles, Adam V. Reed, Matthew C. Ringgenberg, Jacob R.

Discussion of Anomaly Time Boone Bowles, Adam V. Reed, Matthew C. Ringgenberg, Jacob R. Thornock PRESENTER Patricia M. Dechow, University of Southern California, Marshall School of Business Anomaly Time Early Bird Gets The Worm

582 views • 37 slides
Global local conjectures and the Bonnaf eDatRouquier Morita equivalence Lucas Ruhstorfer

Global local conjectures and the Bonnaf eDatRouquier Morita equivalence Lucas Ruhstorfer

Global local conjectures and the Bonnaf eDatRouquier Morita equivalence Lucas Ruhstorfer Bergische Universit at Wuppertal June 12th, 2019 Motivation: The Alperin-McKay conjecture Notation: 2 / 8 Motivation: The Alperin-McKay

369 views • 33 slides
INF5210 Information Infrastructure Class #11 Bootstrapping & Gateways Ben Eaton Dan Truong

INF5210 Information Infrastructure Class #11 Bootstrapping & Gateways Ben Eaton Dan Truong

INF5210 Information Infrastructure Class #11 Bootstrapping & Gateways Ben Eaton Dan Truong Le 30/10/2013 Discuss this weeks reading for class discussion Hanseth & Aanestad (2003) - Design as bootstrapping Hanseth (2002)

1.39k views • 26 slides
Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop

Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop

Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop of COST Action IC0902 October 9-11, 2013 Oleksandr (Alex) Artemenko, Paulo M. R. dos Santos Improved Bootstrapping Approach in Multichannel

287 views • 16 slides
Time and Space Complexity For practical solutions to computational problems available time, and

Time and Space Complexity For practical solutions to computational problems available time, and

Time and Space Complexity For practical solutions to computational problems available time, and Computability and Complexity available memory are two main considerations. Lecture 14 We have already studied time complexity, now we will focus

360 views • 3 slides
Explorations in Bootstrapping Guided Search 8th Language and Computation Day Deirdre Lungley

Explorations in Bootstrapping Guided Search 8th Language and Computation Day Deirdre Lungley

Research Overview Interactive Experimentation Bootstrapping Experimentation Going Forward Explorations in Bootstrapping Guided Search 8th Language and Computation Day Deirdre Lungley dmlung@essex.ac.uk October 8, 2009 Deirdre Lungley

437 views • 28 slides
SFU NatLangLab Bootstrapping via Graph Propagation Max Whitney Anoop Sarkar Simon Fraser

SFU NatLangLab Bootstrapping via Graph Propagation Max Whitney Anoop Sarkar Simon Fraser

SFU NatLangLab Bootstrapping via Graph Propagation Max Whitney Anoop Sarkar Simon Fraser University Natural Language Laboratory http://natlang.cs.sfu.ca Bootstrapping Semi-supervised (vs supervised) Single domain (vs domain

1.58k views • 155 slides

More recommend