8 research outputs found

    Efficient Homomorphic Comparison Methods with Optimal Complexity

    Comparison of two numbers is one of the most frequently used operations, but it has been a challenging task to efficiently compute the comparison function in homomorphic encryption (HE), which natively supports addition and multiplication. Recently, Cheon et al. (Asiacrypt 2019) introduced a new approximate representation of the comparison function by a rational function, and showed that this rational function can be evaluated by an iterative algorithm. Due to this iterative feature, their method achieves logarithmic computational complexity compared to previous polynomial approximation methods; however, the computational complexity is still not optimal, and the algorithm is quite slow for large-bit inputs in HE implementations. In this work, we propose new comparison methods with optimal asymptotic complexity based on composite polynomial approximation. The main idea is to systematically design a constant-degree polynomial $f$ by identifying the core properties that make the composite polynomial $f \circ f \circ \cdots \circ f$ approach the sign function (equivalent to the comparison function) as the number of compositions increases. We additionally introduce an acceleration method that applies a mixed polynomial composition $f \circ \cdots \circ f \circ g \circ \cdots \circ g$, for some other polynomial $g$ with different properties, instead of $f \circ f \circ \cdots \circ f$. Utilizing the devised polynomials $f$ and $g$, our new comparison algorithms require only $\Theta(\log(1/\epsilon)) + \Theta(\log\alpha)$ computational complexity to obtain an approximate comparison result for $a, b \in [0,1]$ satisfying $|a-b| \ge \epsilon$ within $2^{-\alpha}$ error. The asymptotic optimality results in substantial performance enhancement: our comparison algorithm on encrypted 20-bit integers for $\alpha = 20$ takes 1.43 milliseconds in amortized running time, which is 30 times faster than the previous work.

    Integer Functions Suitable for Homomorphic Encryption over Finite Fields

    Fully Homomorphic Encryption (FHE) gives the ability to evaluate any function over encrypted data. However, despite numerous improvements during the last decade, the computational overhead caused by homomorphic computations is still very significant. As a consequence, optimizing the way the computations are performed homomorphically remains fundamental. Several popular FHE schemes such as BGV and BFV encode their data, and thus perform their computations, in finite fields. In this work, we study and exploit algebraic relations occurring in prime characteristic that allow us to speed up the homomorphic evaluation of several functions over prime fields. More specifically, we give several examples of unary functions: modulo , is power of $b$, Hamming weight and Mod2', whose homomorphic evaluation complexity over $\mathbb{F}_p$ can be reduced from the generic bound of $\sqrt{2p} + \mathcal{O}(\log(p))$ homomorphic multiplications to $\sqrt{p} + \mathcal{O}(\log(p))$, $\mathcal{O}(\log(p))$, $\mathcal{O}(\sqrt{p/\log(p)})$ and $\mathcal{O}(\sqrt{p/\log(p)})$, respectively. Additionally, we provide a proof of a recent claim regarding the structure of the polynomial interpolation of the less-than bivariate function, which confirms that this function can be evaluated in $2p-6$ homomorphic multiplications instead of $3p-5$ over $\mathbb{F}_p$ for $p \geq 5$.

    Optimizing HE operations via Level-aware Key-switching Framework

    In lattice-based Homomorphic Encryption (HE) schemes, the key-switching procedure is a core building block of non-linear operations but also a major performance bottleneck. The computational complexity of the operation is primarily determined by the so-called gadget decomposition, which transforms a ciphertext entry into a tuple of small polynomials before they are multiplied with the corresponding evaluation key. However, previous studies such as Halevi et al. (CT-RSA 2019) and Han and Ki (CT-RSA 2020) fix a decomposition function in the setup phase that is applied uniformly across all ciphertext levels, resulting in suboptimal performance. In this paper, we introduce a novel key-switching framework for leveled HE schemes. We aim to allow the use of different decomposition functions during the evaluation phase so that the optimal decomposition method can be used at each level to achieve the best performance. A naive solution might generate multiple key-switching keys corresponding to all possible decomposition functions and send them to an evaluator. However, our solution achieves the goal without such communication overhead, since it allows an evaluator to dynamically derive other key-switching keys from a single key-switching key depending on the choice of gadget decomposition. We implement our framework at a proof-of-concept level to provide concrete benchmark results. Our experiments show that we achieve the optimal performance at every level while maintaining the same computational capability and communication costs.

    Accelerating HE Operations from Key Decomposition Technique

    Lattice-based homomorphic encryption (HE) schemes are based on the noisy encryption technique, where plaintexts are masked with some random noise for security. Recent advanced HE schemes rely on a decomposition technique to manage the growth of noise, which involves converting a ciphertext entry into a short vector followed by multiplication with an evaluation key. Prior to this work, the decomposition procedure turned out to be the most time-consuming part, as it requires discrete Fourier transforms (DFTs) over the base ring for efficient polynomial arithmetic. In this paper, an expensive decomposition operation over a large modulus is replaced with relatively cheap operations over a ring of integers with a small bound. Notably, the cost of DFTs is reduced from quadratic to linear in the level of a ciphertext without any extra noise growth. We demonstrate the implication of our approach by applying it to the key-switching procedure. Our experiments show that the new key-switching method achieves a speedup of 1.2–2.3 or 2.1–3.3 times over the previous method when the dimension of the base ring is $2^{15}$ or $2^{16}$, respectively.

    Homomorphically Encrypted Linear Contextual Bandit

    Contextual bandits are a general framework for online learning in sequential decision-making problems that has found application in a wide range of domains, including recommendation systems, online advertising, clinical trials and many more. A critical aspect of bandit methods is that they need to observe the contexts -- i.e., individual or group-level data -- and the rewards in order to solve the sequential problem. Their large-scale deployment in industrial applications has increased interest in methods that preserve the privacy of the users. In this paper, we introduce a privacy-preserving bandit framework based on asymmetric encryption. The bandit algorithm only observes encrypted information (contexts and rewards) and has no ability to decrypt it. Leveraging homomorphic encryption, we show that despite the complexity of the setting, it is possible to learn over encrypted data. We introduce an algorithm that achieves an $\widetilde{O}(d\sqrt{T})$ regret bound in any linear contextual bandit problem while keeping the data encrypted.

    Performance Improvement of FrodoKEM Using BCH Codes and Minimax Approximation of the Sign Function by Composite Functions for Homomorphic Comparison

    Thesis (Ph.D.) -- Seoul National University Graduate School: College of Engineering, Department of Electrical and Computer Engineering, 2020. 8. Jong-Seon No (노종선). In this dissertation, two main contributions are given: (i) performance improvement of FrodoKEM using Gray and error-correcting codes (ECCs), and (ii) optimal minimax polynomial approximation of the sign function by a composite polynomial for homomorphic comparison. First, a modification of FrodoKEM using Gray codes and ECCs is studied. Lattice-based schemes are among the most promising candidates for post-quantum cryptography (PQC). Among many lattice-based cryptosystems, FrodoKEM is a well-known key-encapsulation mechanism (KEM) based on the (plain) learning with errors (LWE) problem, and it is advantageous in that its hardness rests on a problem over unstructured lattices. Many lattice-based cryptosystems adopt ECCs to improve their performance, such as LAC, Three Bears, and Round5, which were presented at the NIST PQC Standardization Round 2 conference. However, for lattice-based cryptosystems that do not use ring structures, such as FrodoKEM, it is difficult to use ECCs because the number of transmitted symbols is small. In this dissertation, I propose a method to apply Gray codes and ECCs to FrodoKEM by encoding the bits converted from the encrypted symbols. It is shown that the proposed method improves the security level and/or the bandwidth of FrodoKEM, and that 192 message bits, 50% more than the original 128 bits, can be transmitted using one of the modified Frodo-640 variants. Second, an optimal minimax polynomial approximation of the sign function by a composite polynomial is studied. The comparison function of two numbers is one of the most commonly used operations in many applications, including deep learning and data processing systems. Several studies have been conducted to efficiently evaluate the comparison function in homomorphic encryption schemes, which only allow addition and multiplication on ciphertexts.
Recently, new comparison methods that approximate the sign function using composite polynomials in homomorphic encryption, called homomorphic comparison operations, were proposed, and it was proved that these methods have optimal asymptotic complexity. In this dissertation, I propose new optimal algorithms that approximate the sign function in homomorphic encryption by using composite polynomials built from minimax approximate polynomials, which are constructed by the modified Remez algorithm. It is proved that the number of required non-scalar multiplications and the depth consumption of the proposed algorithms are each less than those of any method that uses a composite polynomial of component polynomials with odd-degree terms approximating the sign function. In addition, an optimal polynomial-time algorithm for the proposed homomorphic comparison operation is obtained using dynamic programming. As a result of numerical analysis, when the number of non-scalar multiplications is minimized, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 33% and 35%, respectively, compared to the previous work. When the depth consumption is minimized instead, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 10% and 47%, respectively, compared to the previous work.

Abstract (in Korean; translated here): In this dissertation, the following two topics were studied: the improvement of FrodoKEM using Gray codes and error-correcting codes, and the optimal minimax polynomial approximation of the sign function using composite polynomials for homomorphic comparison. First, a method of modifying FrodoKEM using Gray codes and error-correcting codes was studied. Lattice-based cryptography is the most promising class of post-quantum cryptographic schemes. Among many lattice-based cryptosystems, FrodoKEM is a well-known key-encapsulation mechanism (KEM) based on the learning with errors (LWE) problem, and it has the advantage that its hardness rests on a problem over unstructured lattices. Many cryptosystems use error-correcting codes to improve performance, such as LAC, Three Bears, and Round5, which were presented in NIST Post-Quantum Cryptography Standardization Round 2. However, in lattice-based cryptosystems that do not use a ring structure, such as FrodoKEM, it is difficult to use error-correcting codes because the number of transmitted symbols is small. I proposed a method to apply error-correcting codes and Gray codes to FrodoKEM by encoding the bits converted from the encrypted symbols. It was shown that the proposed algorithm improves the security level or the bandwidth of FrodoKEM, and that 192 bits, 50% more than the original 128 bits, can be transmitted with the modified Frodo-640. Second, the optimal minimax polynomial approximation of the sign function using composite polynomials was studied. The comparison function of two numbers is one of the most frequently used operations in many applications, including deep learning and data processing systems. Several studies have been conducted on efficiently computing the comparison function in homomorphic encryption, which supports only addition and multiplication on ciphertexts. A comparison method that approximates the sign function using composite polynomials in homomorphic encryption is called a homomorphic comparison operation; recently, a new homomorphic comparison method was proposed, and it was proved that the method has optimal asymptotic complexity. In this dissertation, I propose a new optimal algorithm that approximates the sign function in homomorphic encryption using composite functions of minimax approximate polynomials. The minimax approximate polynomials can be obtained by the modified Remez algorithm. It was proved that the proposed algorithm uses fewer non-scalar multiplications and less depth than any method that uses a composite polynomial of polynomials with odd-degree terms approximating the sign function. In addition, an optimal polynomial-time algorithm using dynamic programming was proposed for the proposed homomorphic comparison operation. As a result of numerical analysis, when the number of non-scalar multiplications is minimized, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 33% and 35%, respectively, compared to the previous method. Also, when the depth consumption is minimized, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 10% and 47%, respectively, compared to the previous method.

Table of contents:
1 Introduction
  1.1 Background
  1.2 Overview of Dissertation
  1.3 Notations
2 Preliminaries
  2.1 NIST Post-Quantum Cryptography Standardization
    2.1.1 Background
    2.1.2 Categories for Security Level
    2.1.3 List of Algorithms in NIST PQC Round 2
  2.2 Public-Key Encryption and Key-Encapsulation Mechanism
  2.3 Lattice-Based Cryptography
    2.3.1 Learning with Errors Problem
    2.3.2 Overview of FrodoPKE Algorithm
    2.3.3 Parameters of FrodoKEM
  2.4 BCH and Gray Codes
  2.5 Fully Homomorphic Encryption
    2.5.1 Homomorphic Encryption
    2.5.2 Comparison Operation in Fully Homomorphic Encryption
  2.6 Approximation Theory
  2.7 Algorithms for Minimax Approximation
3 Improvement of FrodoKEM Using Gray and BCH Codes
  3.1 Modification of FrodoKEM with Gray and Error-Correcting Codes
    3.1.1 Viewing FrodoPKE as a Digital Communication System
    3.1.2 Error-Correcting Codes for FrodoPKE
    3.1.3 Gray Coding
    3.1.4 IND-CCA Security of Modified FrodoKEM
    3.1.5 Evaluation of DFR
    3.1.6 Error Dependency
  3.2 Performance Improvement of FrodoKEM Using Gray and BCH Codes
    3.2.1 Improving the Security Level of FrodoKEM
    3.2.2 Increasing the Message Size of Frodo-640
    3.2.3 Reducing the Bandwidth of Frodo-640
4 Homomorphic Comparison Using Optimal Composition of Minimax Approximate Polynomials
  4.1 Introduction
    4.1.1 Previous Works
    4.1.2 My Contributions
  4.2 Approximation of Sign Function by Using Optimal Composition of Minimax Approximate Polynomials
    4.2.1 New Approximation Method for Sign Function Using Composition of the Minimax Approximate Polynomials
    4.2.2 Optimality of Approximation of the Sign Function by a Minimax Composite Polynomial
    4.2.3 Achieving Polynomial-Time Algorithm for New Approximation Method by Using Dynamic Programming
  4.3 Numerical Results
    4.3.1 Computation of the Required Non-Scalar Multiplications and Depth Consumption
    4.3.2 Comparisons
5 Conclusions
Abstract (In Korean)

    PEGASUS: Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption

    Homomorphic encryption (HE) is considered one of the most important primitives for privacy-preserving applications. However, an efficient approach to evaluate both polynomial and non-polynomial functions on encrypted data is still absent, which hinders the deployment of HE in real-life applications. To address this issue, we propose a practical framework, PEGASUS. PEGASUS can efficiently switch back and forth between a packed CKKS ciphertext and FHEW ciphertexts without decryption, allowing us to evaluate arithmetic functions efficiently on the CKKS side and to evaluate look-up tables on FHEW ciphertexts. Our FHEW → CKKS conversion algorithm is more practical than the existing methods. We improve the computational complexity from linear to sublinear. Moreover, the size of our conversion key is significantly smaller, e.g., reduced from 80 gigabytes to 12 megabytes. We present extensive benchmarks of PEGASUS, including sigmoid/ReLU/min/max/division, sorting and max-pooling. To further demonstrate the capability of PEGASUS, we developed two more applications. The first one is a private decision tree evaluation whose communication cost is about two orders of magnitude smaller than that of previous HE-based approaches. The second one is a secure K-means clustering that is able to run on thousands of encrypted samples in minutes and outperforms the best existing system by 14–20. To the best of our knowledge, this is the first work that supports practical K-means clustering using HE in a single-server setting.