PRACTICAL (F)HE Shai Halevi 1 October 2015 FHE+MMAPs Summer School, Paris Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping

Using FHE in “Real World” Settings
• Example 1: Check for some genetic trait in encrypted genomic data
  • String comparison or substring-match or Hamming/Edit-distance
  • E.g., • # of positions in which differ

Using FHE in “Real World” Settings
• Example 2: I have , want to compute on this data (without decrypting)
• Possible solution: include together with e also
  • Then compute homomorphically the function
  • Computed homomorphically on , the AES-encrypted is only used to define the function to be computed
  • Get
  • Can now compute on

• Useful to compute AES.dec homomorphically

How to Implement?
• Large parameters to ensure security
• Encrypt message bit-by-bit?
  • Represent each bit by a large matrix
  • Huge plaintext-to-ciphertext expansion
  • Very slow
• How to do better?
  • Work over rings
  • Optimize, optimize, optimize, …

Three Generations of HE Schemes
• 1G. First plausible candidate in [Gen’09]
  • Ciphertext is “noisy”, noise grows with computation, once too noisy, the “signal” is lost
  • log(Noise-magnitude) proportional to the degree of the evaluated function
  • Parameters must be huge, to allow large noise
• 2G. [BV’11, BGV’12,…]: Better noise control
  • Noise grows linearly with degree
  • “Ciphertext packing” with many plaintext elements

Three Generations of HE Schemes
• 1G. Fast accumulation of noise
• 2G. Better noise management + packing
• 3G. [GSW13,…]: “Asymmetric” noise growth
  • Very slow noise growth for some circuits
  • But slow noise growth in 3G is incompatible with ciphertext-packing (as far as we know)
• For efficiency, we have a choice:
  • 2G+packing (faster asymptotically)
  • or 3G+small-noise (sometimes faster in practice)

Here: 2nd Generation Scheme [BGV’12]
• Native plaintext space is
  • p is a prime or prime-power (often )
  • is m’th cyclotomic polynomial, deg=
  • are co-prime
• Ciphertexts, secret-keys are 2-vectors over (for some )
  • is a short vector
• Decryption formula is
  • Below we assume that

Homomorphic Operations
• Additive Homomorphism is easy
• Multiplicative homomorphism is harder
  1. Basic multiplication via tensoring
  2. “Key-switching gadget” to reduce dimension
  3. Modulus switching to reduce the noise

How to Multiply
• Step 1: Tensor Product
  • If then
  • Error is
  • So encrypts relative to the secret key
  • But the dimension squares on multiply

How to Multiply
• Step 2: Dimension Reduction (1st try)
  • “Key-switching gadget”, wrt wrt
  • Essentially an encryption of under
  • matrix W s.t.
  • Given , compute
  • If only was small, but

• Use bit-decomposition?
  • This works, but we do something else here

How to Multiply
• Step 2: Dimension Reduction (better try)
  • “Key-switching gadget”, wrt wrt
  • Essentially an encryption of under
  • matrix W s.t.
  • Given , compute
  • $q' = 1 \pmod{p}$
  • $\langle \mathbf{e}^*, \mathbf{c} \rangle \approx q \cdot |\mathbf{e}^*| \ll q q'$

How to Multiply
• Step 3: Modulus switching (from to )
  • From to
  • Just scale by and round “appropriately”,
  • If for some k, then
  • so for the same k
this is small

How to Multiply
• Step 3: Modulus switching (from to )
  • If for some k, then for the same k
  • If in addition we have and set via rounding, then
  • Hence where

Noise Growth for Multiplication
• have noise magnitude
• Tensor has noise
  • Wrt secret key and modulus
• After key-switching, with noise
  • Wrt secret key and modulus
• After mod-switching back to , we get with noise wrt modulus (and )
• But we can mod-switch farther down, to get with noise wrt modulus

How Does Modulus-Switching Help?
• Example:
[Table: Noise and Modulus, using mod-switching vs. without mod-switching, for fresh ciphertexts, Level-1 (degree=2) and Level-2 (degree=4); annotated “decryption errors”. The values are not preserved.]

The Moduli Chain
• Parameters are chosen to allow depth
• Fresh ciphertexts are encrypted relative to a large modulus
• Mod-switch down from to after each level
  • After mod-switching, noise is kept below
• Once we hit the smallest modulus , cannot multiply anymore

The BGV Multiplication Procedure
• Start from wrt modulus
• Tensor them to get wrt
• Key-switch to get wrt
• Mod-switch to get wrt

Implementation Details
• Choosing the moduli
• Ciphertext representation for different ops
• Tradeoffs and optimizations
  • Key-switching: large vs. breaking to digits
  • Mod-switching: doing fewer FFTs
  • Slightly changing the decryption invariant
• When to mod-switch (and how far down)
  • By maintaining a noise estimate with each ciphertext

Moduli and Ciphertext Representation
• Choose small primes
  • , exists a primitive -th root of unity mod so
• Define
• Each can be represented by a matrix
  • Both integer and polynomial CRT (DoubleCRT)
• (Similarly define )

Ciphertext Operations
• Addition, multiplication over computed element-wise on the DoubleCRT matrix
• Other ops require switching representation
  • Key-switching takes , lifts it to
  • Modulus-switching needs scaling/rounding
  • Use the decoding basis for these operations, needs to convert back and forth (FFT+CRT)

Operation Cost
• Cost measured in time, added-noise

Operation          Time        Noise
Add / Add-Const    Cheap       Cheap
Mult-by-Const      Cheap       Moderate
Mult+KeySwitch     Expensive   Expensive

Tradeoffs
• Almost all tradeoffs are time-vs-noise: slower operations that add less noise vs. faster ones that add more noise
• More noise → larger parameters → slower
• Parameter growth happens in “jumps”
  • Because ’s must have algebraic properties
• In most cases increasing is a bad idea, better to use slower ops that let you keep smaller

Changing the Decryption Invariant
• Instead of , use
• Must keep track of the extra factor on encryption, decryption, multiplication
• Does not change much, but makes modulus switching easier (see next slide)

Mod-Switching Optimization
• Switching to ,
• Need to divide by then round s.t.
• More efficient to first round, then divide
  • Round to s.t.
  • Then set
  • If then

Mod-Switching Optimization
• Switching to ,
1. Let // one row of the DCRT matrix
  • Convert to decoding basis
  • Add/subtract multiples of to the coefficients, to make them divisible by
  • Result is divisible by , and
2. //
3. // multiply the th DCRT row by
//
1 iFFT
FFTs

Mod-Switching Optimization
• This method takes only FFTs
• Naïve method would have been FFTs
  • also requires integer CRT calculation and big-integer division
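The “round first, then divide” idea from the Mod-Switching slides, as an added example that is not code from the talk or from any BGV library. It is narrowed to plain LWE vectors over the integers (no ring, DoubleCRT or FFT); the moduli, dimension, plaintext modulus p = 3 and all function names are constructed for illustration, with the dropped factor chosen so that it equals 1 mod p.

```python
import random

P = 3                    # plaintext modulus (toy value chosen for this example)
Q0, Q1 = 1000003, 10009  # constructed chain factors, both congruent to 1 mod P
N = 16                   # toy LWE dimension, far too small to be secure

def centered(x, q):
    """Representative of x mod q in [-q/2, q/2)."""
    return (x + q // 2) % q - q // 2

def inner(c, s):
    """<c, (1, s)> over the integers."""
    return c[0] + sum(x * y for x, y in zip(c[1:], s))

def encrypt(m, s, q, rng, noise_bound):
    """LWE-style ciphertext c with [<c, (1, s)>]_q = m + P*e."""
    a = [rng.randrange(q) for _ in range(N)]
    e = rng.randint(-noise_bound, noise_bound)
    b = (m + P * e - sum(x * y for x, y in zip(a, s))) % q
    return [b] + a

def noise_term(c, s, q):
    """m + P*e, recovered exactly while |m + P*e| < q/2."""
    return centered(inner(c, s), q)

def decrypt(c, s, q):
    return noise_term(c, s, q) % P

def mod_switch(c, q_drop, q_new):
    """Round first, then divide: go from modulus q_new*q_drop to q_new."""
    p_inv = pow(P, -1, q_drop)
    out = []
    for x in c:
        # delta is a multiple of P chosen so that x + delta is divisible by q_drop
        delta = P * centered(-x * p_inv, q_drop)
        out.append(((x + delta) // q_drop) % q_new)   # exact division
    return out

def demo(seed=2015):
    rng = random.Random(seed)
    s = [rng.choice((-1, 0, 1)) for _ in range(N)]
    m = rng.randrange(P)
    c = encrypt(m, s, Q0 * Q1, rng, noise_bound=10**6)
    c2 = mod_switch(c, Q1, Q0)
    return (m, decrypt(c2, s, Q0),
            abs(noise_term(c, s, Q0 * Q1)), abs(noise_term(c2, s, Q0)))
```

`demo()` returns the message, its decryption after switching, and the noise magnitude before and after: the noise shrinks by about the dropped factor, plus a small added term that depends on the secret key's size.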

Key-Switching Optimization
• We lift from to to get
• The key-switching matrix includes RLWE instances wrt large modulus
  • If then for the same security level, RLWE wrt needs dimension about twice that of RLWE wrt

Key-Switching Optimization
• We lift from to to get
  • So we need larger dimension
• We could instead break into bits/digits
  • , each
  • Key-switching time grows with
• Do both: break to few digits, use smaller
  • “Sweet spot” is usually breaking into 3-4 digits

When to Mod-Switch?
• Mod-switching only reduces noise when done prior to multiplication
  • Resulting noise is the product of noises, reducing noises by reduces the resulting noise by
  • Up to the additional noise term for mod-switching
• No noise advantage in any other case
• Suggests lazy strategy
  • Only mod-switch before multiplication

When to Mod-Switch?
• Noise considerations suggest lazy strategy
• But larger Q than needed wastes time
  • Must keep, manipulate more DCRT rows
• Also better to mod-switch before fan-out:
  • modSwitch(), copy to , vs. copy to , modSwitch()
• Optimization problem: for a given arithmetic circuit, where to put the mod-switch ops

How Far to Mod-Switch?
• Roughly, until the noise after mod-switching is dominated by the added noise term
• Maintain noise estimates with ciphertexts, use estimates to make these decisions
• Estimate must be somewhat conservative, small under-estimation will lead to wrong mod-switch decisions, escalating quickly
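A small bookkeeping model of the lazy strategy and the “how far” rule above, as an added example that is not from the talk or from any library. Each ciphertext is tracked only as a (noise estimate, level) pair; the chain-factor size, fresh noise, added-noise term and function names are constructed values, and key-switching noise is ignored as a simplifying assumption.

```python
FACTOR = 1 << 10   # size of each factor in the moduli chain (constructed)
LEVELS = 20        # fresh modulus is FACTOR**LEVELS, about 200 bits
FRESH = 1 << 8     # noise estimate of a fresh ciphertext (constructed)
ADDED = 1 << 6     # estimate of the noise term that mod-switching adds

def switch_down(noise, level):
    """Drop chain factors until the scaled noise falls below the added term."""
    while level > 1 and noise // FACTOR >= ADDED:
        noise = noise // FACTOR + ADDED
        level -= 1
    return noise, level

def multiply(x, y, lazy_switch):
    """Multiply two tracked ciphertexts, each a (noise estimate, level) pair."""
    if lazy_switch:                      # mod-switch only right before multiplying
        x, y = switch_down(*x), switch_down(*y)
    level = min(x[1], y[1])              # bring both operands to the same modulus
    def scale(n, lv):
        return n // FACTOR ** (lv - level) + (ADDED if lv > level else 0)
    return scale(*x) * scale(*y), level  # product of noises; key-switch noise ignored

def decryptable(ct):
    """The estimate predicts correct decryption while noise < modulus/2."""
    noise, level = ct
    return 2 * noise < FACTOR ** level

def max_depth(lazy_switch):
    """Repeated squarings possible before the estimate predicts decryption errors."""
    ct, depth = (FRESH, LEVELS), 0
    while True:
        ct = multiply(ct, ct, lazy_switch)
        if not decryptable(ct):
            return depth
        depth += 1
```

With these constructed numbers, `max_depth(False)` stops after a handful of squarings because the noise estimate squares at every level against a fixed modulus, while `max_depth(True)` reaches several times that depth by trading chain factors for noise.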

Some Numbers (March 2015)
• Numbers are just a sample, not all taken on the same machine, some are extrapolated

Timing in seconds

            KeyGen   Enc    Dec    Add      Mult-Const   Multiply
Depth=10    4        0.07   0.03   0.0004   0.007        0.1
Depth=20    11       0.21   0.1    0.001    0.016        0.3
Depth=56    102      1.37   0.16   0.01     0.06         1.5

Some Numbers (March 2015)

            Memory
Depth=10    <2GB
Depth=20    3.6GB
Depth=56    23GB


TIME FOR A BREAK
