12 research outputs found

    Homomorphic Lower Digits Removal and Improved FHE Bootstrapping

    Bootstrapping is a crucial operation in Gentry's breakthrough work on fully homomorphic encryption (FHE), where a homomorphic encryption scheme evaluates its own decryption algorithm. There have been a couple of implementations of bootstrapping, among which HElib arguably marks the state of the art in terms of throughput, ciphertext/message size ratio and support for large plaintext moduli. In this work, we apply a family of lowest digit removal polynomials to improve the homomorphic digit extraction algorithm, which is a crucial part of bootstrapping for both the FV and BGV schemes. If the secret key has 1-norm $h = l_1(s)$ and the plaintext modulus is $t = p^r$, we achieve bootstrapping depth $\log h + \log(\log_p(ht))$ in the FV scheme. In the case of the BGV scheme, we bring the depth down from $\log h + 2\log t$ to $\log h + \log t$. We implemented bootstrapping for FV in the SEAL library. Besides the regular mode, we introduce another mode, the 'slim mode', which restricts the plaintexts to batched vectors in $\mathbb{Z}_{p^r}$. The slim mode has similar throughput to the regular mode, while each individual run is much faster and uses much less memory. For example, bootstrapping takes 6.75 seconds for a 7-bit plaintext space with 64 slots and 1381 seconds for a $GF(257^{128})$ plaintext space with 128 slots. We also implemented our improved digit extraction procedure for the BGV scheme in HElib.

    Integer Functions Suitable for Homomorphic Encryption over Finite Fields

    Fully Homomorphic Encryption (FHE) gives the ability to evaluate any function over encrypted data. However, despite numerous improvements during the last decade, the computational overhead caused by homomorphic computations is still very high. As a consequence, optimizing the way the computations are performed homomorphically remains fundamental. Several popular FHE schemes such as BGV and BFV encode their data, and thus perform their computations, in finite fields. In this work, we study and exploit algebraic relations occurring in prime characteristic that allow speeding up the homomorphic evaluation of several functions over prime fields. More specifically, we give several examples of unary functions: modulo, is power of $b$, Hamming weight and Mod2', whose homomorphic evaluation complexity over $\mathbb{F}_p$ can be reduced from the generic bound of $\sqrt{2p} + \mathcal{O}(\log(p))$ homomorphic multiplications to $\sqrt{p} + \mathcal{O}(\log(p))$, $\mathcal{O}(\log(p))$, $\mathcal{O}(\sqrt{p/\log(p)})$ and $\mathcal{O}(\sqrt{p/\log(p)})$ respectively. Additionally, we provide a proof of a recent claim regarding the structure of the polynomial interpolation of the less-than bivariate function, which confirms that this function can be evaluated in $2p-6$ homomorphic multiplications instead of $3p-5$ over $\mathbb{F}_p$ for $p \geq 5$.

    OpenFHE: Open-Source Fully Homomorphic Encryption Library

    Fully Homomorphic Encryption (FHE) is a powerful cryptographic primitive that enables performing computations over encrypted data without having access to the secret key. We introduce OpenFHE, a new open-source FHE software library that incorporates selected design ideas from prior FHE projects, such as PALISADE, HElib, and HEAAN, and includes several new design concepts and ideas. The main new design features can be summarized as follows: (1) we assume from the very beginning that all implemented FHE schemes will support bootstrapping and scheme switching; (2) OpenFHE supports multiple hardware acceleration backends using a standard Hardware Abstraction Layer (HAL); (3) OpenFHE includes both user-friendly modes, where all maintenance operations, such as modulus switching, key switching, and bootstrapping, are automatically invoked by the library, and compiler-friendly modes, where an external compiler makes these decisions. This paper focuses on a high-level description of the OpenFHE design, and the reader is pointed to external OpenFHE references for a more detailed/technical description of the software library.

    Homomorphic Encryption for Multiple Users with Less Communications

    Keeping privacy for every entity in outsourced computation is always a crucial issue. For efficient secure computation, homomorphic encryption (HE) is one of the attractive solutions. In particular, multikey homomorphic encryption (MKHE), which allows homomorphic evaluation on encrypted data under different keys, can be one of the simplest solutions for a secure computation that handles multiple users' data. However, the current main problem of MKHE is that the dimension of its evaluated ciphertext depends on the number of users. To solve this problem, there are several variants of multikey homomorphic encryption schemes that keep the size of the ciphertext constant for a fixed number of users. However, users interact with one another before computation to provide their inputs, which increases setup complexity. Moreover, all the existing MKHE schemes and their variants have unique benefits which cannot easily be achieved at the same time in one scheme. In other words, each type of scheme has a computational scenario in which it performs best. In this paper, we suggest more efficient evaluation key generation algorithms (relinearization key and bootstrapping key) for the existing variants of MKHE schemes which have no ciphertext expansion for a fixed number of users. Our method requires only a very simple and minor pre-processing step, distributing public keys, which is not counted as a round at all in many other applications. Regarding bootstrapping, we first provide an efficient bootstrapping for multiple users which is the same as that of the base single-key scheme, thanks to our simplified key generation method without communication. As a result, participants have less communication, computation, and memory cost in the online phase. Moreover, we provide a practical conversion algorithm between the two types of schemes in order to efficiently utilize both schemes' advantages together in a wider range of applications. We also provide a detailed comparison among similar results so that users can choose a suitable scheme for their homomorphic-encryption-based application scenarios.

    Faster Homomorphic Linear Transformations in HElib

    HElib is a software library that implements homomorphic encryption (HE), with a focus on effective use of packed ciphertexts. An important operation (which is used in bootstrapping, as well as in other applications) is applying a known linear map to a vector of encrypted data. In this paper, we describe several algorithmic improvements that significantly speed up this operation: in our experiments, our new algorithms were 30-75 times faster than those currently implemented in HElib for typical parameters. Our techniques also reduce the size of the large public evaluation key, often using 33%-50% less space than the previous HElib implementation. We also implemented a new tradeoff that enables a drastic reduction in size, possibly a 25x factor or more for some parameters, paying only a 2-4x factor in runtime (and giving up some parallelization opportunities).

    Functional Bootstrapping for FV-style Cryptosystems

    Fully Homomorphic Encryption (FHE) enables the computation of an arbitrary function over encrypted data without decrypting it. In particular, bootstrapping is a core building block of FHE which reduces the noise of a ciphertext, thereby recovering its computational capability. This paper introduces a new bootstrapping framework for the Fan-Vercauteren (FV) scheme, called functional bootstrapping, providing more generic and advanced functionality than the ordinary bootstrapping method. More specifically, functional bootstrapping allows us to evaluate an arbitrary function while removing the error of an input ciphertext. Therefore, we achieve better depth consumption and computational complexity, as the evaluation of a circuit can be integrated as part of the functional bootstrapping procedure. In particular, our approach extends the functionality of FV since it is even applicable to functions between different plaintext spaces. At the heart of our functional bootstrapping framework is a homomorphic Look-Up Table (LUT) evaluation method where we represent any LUT using only the operations supported by the FV scheme. Finally, we provide a proof-of-concept implementation and present benchmarks of the functional bootstrapping. In concrete examples, such as the delta and sign functions, our functional bootstrapping takes about 46.5s or 171.4s for a 9-bit or 13-bit plaintext modulus, respectively.

    SoK: Fully Homomorphic Encryption Accelerators

    Fully Homomorphic Encryption (FHE) is a key technology enabling privacy-preserving computing. However, the fundamental challenge of FHE is its inefficiency, due primarily to the underlying polynomial computations with high computational complexity and extremely time-consuming ciphertext maintenance operations. To tackle this challenge, various FHE accelerators have recently been proposed by both the research and industrial communities. This paper takes the first initiative to conduct a systematic study of 14 FHE accelerators: cuHE/cuFHE, nuFHE, HEAT, HEAX, HEXL, HEXL-FPGA, 100×, F1, CraterLake, BTS, ARK, Poseidon, FAB and TensorFHE. We first make observations on the evolution trajectory of these existing FHE accelerators to establish a qualitative connection between them. Then, we perform testbed evaluations of representative open-source FHE accelerators to provide a quantitative comparison of them. Finally, with the insights learned from both the qualitative and quantitative studies, we discuss potential directions to inform the future design and implementation of FHE accelerators.

    A Study on Verifiable Computing for Approximate Arithmetic

    Thesis (Ph.D.)--Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2020. 2. 천정희 (Jung Hee Cheon).
    Verifiable Computing (VC) is a complexity-theoretic method to secure the integrity of computations. The need is increasing as more computations are outsourced to untrusted parties, e.g., cloud platforms. Existing techniques, however, have mainly focused on exact computations, not on approximate arithmetic, e.g., floating-point or fixed-point arithmetic. This makes it hard to apply them to certain types of computations (e.g., machine learning, data analysis, and scientific computation) that inherently require approximate arithmetic. In this thesis, we present an efficient interactive proof system for arithmetic circuits with rounding gates that can represent approximate arithmetic. The main idea is to represent the rounding gate as a small sub-circuit, and reuse the machinery of the Goldwasser, Kalai, and Rothblum protocol (also known as the GKR protocol) and its recent refinements. Specifically, we shift the algebraic structure from a field to a ring to better deal with the notion of "digits", and generalize the original GKR protocol over a ring. Then, we represent the rounding operation by a low-degree polynomial over a ring, and develop a novel, optimal circuit construction of an arbitrary polynomial to transform the rounding polynomial into an optimal circuit representation. Moreover, we further optimize the proof generation cost for rounding by employing a Galois ring. We provide experimental results that show the efficiency of our system for approximate arithmetic. For example, our implementation performed two orders of magnitude better than the existing system for a nested 128 x 128 matrix multiplication of depth 12 on 16-bit fixed-point arithmetic.
    Korean abstract (translated): Verifiable computing is a complexity-theoretic method for securing the integrity of computations. Its necessity is growing as many computations are now outsourced to third parties such as cloud platforms. Existing verifiable computing techniques, however, considered only exact (non-approximate) arithmetic and did not cover approximate arithmetic (floating-point or fixed-point arithmetic). They were therefore difficult to apply to the particular types of computation (machine learning, data analysis, scientific computation, and so on) that inherently require approximate arithmetic. This thesis presents an efficient interactive proof system for arithmetic circuits with rounding gates. Since such circuits can express approximate arithmetic efficiently, they enable efficient verification of approximate computations. The main idea is to convert the rounding gate into a small circuit and then apply the protocol of Goldwasser, Kalai, and Rothblum (the GKR protocol) and its recent improvements to it. Concretely, we replace the algebraic object, a finite field, with a ring that handles "digits" better, and generalize the existing GKR protocol so that it applies over a ring. We then express the rounding operation as a low-degree polynomial over the ring and develop a new, optimized circuit construction that expresses polynomial evaluation in an optimal circuit form. We also use a Galois ring to further optimize the proof-generation cost for rounding. Finally, experiments confirm the efficiency of our verification system for approximate arithmetic. For instance, in verifying a nested 128 x 128 matrix multiplication of depth 12 on 16-bit fixed-point arithmetic, our implementation performs about 100 times better than the existing system.
    Table of contents:
    1 Introduction
      1.1 Verifiable Computing
      1.2 Verifiable Approximate Arithmetic
        1.2.1 Problem: Verification of Rounding Arithmetic
        1.2.2 Motivation: Verifiable Machine Learning (AI)
      1.3 List of Papers
    2 Preliminaries
      2.1 Interactive Proof and Argument
      2.2 Sum-Check Protocol
      2.3 The GKR Protocol
      2.4 Notation and Cost Model
    3 Related Work
      3.1 Interactive Proofs
      3.2 (Non-)Interactive Arguments
    4 Interactive Proof for Rounding Arithmetic
      4.1 Overview of Our Approach and Result
      4.2 Interactive Proof over a Ring
        4.2.1 Sum-Check Protocol over a Ring
        4.2.2 The GKR Protocol over a Ring
      4.3 Verifiable Rounding Operation
        4.3.1 Lowest-Digit-Removal Polynomial over Z_{p^e}
        4.3.2 Verification of Division-by-p Layer
      4.4 Delegation of Polynomial Evaluation in Optimal Cost
        4.4.1 Overview of Our Circuit Construction
        4.4.2 Our Circuit for Polynomial Evaluation
        4.4.3 Cost Analysis
      4.5 Cost Optimization
        4.5.1 Galois Ring over Z_{p^e} and a Sampling Set
        4.5.2 Optimization of Prover's Cost for Rounding Layers
    5 Experimental Results
      5.1 Experimental Setup
      5.2 Verifiable Rounding Operation
        5.2.1 Effectiveness of Optimization via Galois Ring
        5.2.2 Efficiency of Verifiable Rounding Operation
      5.3 Comparison to Thaler's Refinement of GKR Protocol
      5.4 Discussion
    6 Conclusions
      6.1 Towards Verifiable AI
      6.2 Verifiable Cryptographic Computation
    Abstract (in Korean)
    Docto

    A Unified Framework of Homomorphic Encryption for Multiple Parties with Non-Interactive Setup

    Standard Homomorphic Encryption (HE) poses an authority issue when multiple parties are involved, as the authority is concentrated solely in whoever owns the (single) secret key. To solve this issue, variants of HE have emerged in the context of multiple parties, resulting in the development of two different lines of HE schemes: Multi-Party HE (MPHE) and Multi-Key HE (MKHE). MPHE schemes tend to be much more efficient, but require interaction between the parties during key generation, and the set of parties is fixed throughout the entire evaluation. On the other hand, MKHE schemes scale poorly with the number of parties but allow us to add new parties to the joint computation at any time. In this work, we construct the first MPHE scheme that features a non-interactive key generation. We refactor the evaluation key to be nearly linear, allowing it to be computed by simple summation. As a result, our MPHE allows each party to independently and asynchronously broadcast its key. In addition, we propose a new HE primitive, called Multi-Group HE (MGHE). Stated informally, an MGHE scheme provides seamless integration between MPHE and MKHE, and combines the best of both these primitives. In an MGHE scheme, a group of parties jointly generates a public key, which results in compact ciphertexts and efficient homomorphic operations, similar to MPHE. However, unlike MPHE, it also supports computations on encrypted data under different keys, a property enjoyed by MKHE schemes. We present a construction of MGHE from the BFV scheme and provide a proof-of-concept implementation to demonstrate its concrete performance. Finally, we describe a general approach to construct a multi-party protocol from MGHE. We provide a proof-of-concept implementation of a logistic regression model where our MGHE interpolates between MPHE (where the training is performed) and MKHE (where the inference is performed).