35 research outputs found

    Parallel sparse interpolation using small primes

    To interpolate a supersparse polynomial with integer coefficients, two alternative approaches are the Prony-based "big prime" technique, which acts over a single large finite field, or the more recently proposed "small primes" technique, which reduces the unknown sparse polynomial to many low-degree dense polynomials. While the latter technique has not yet reached the same theoretical efficiency as Prony-based methods, it has an obvious potential for parallelization. We present a heuristic "small primes" interpolation algorithm and report on a low-level C implementation using FLINT and MPI.
    Comment: Accepted to PASCO 201

    Privacy-Preserving Ridge Regression on Distributed Data

    Linear regression is an important statistical tool that models the relationship between some explanatory values and an outcome value using a linear function. In many current applications (e.g. predictive modelling in personalized healthcare), these values represent sensitive data owned by several different parties that are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. In this work, we propose a new system that can train a linear regression model with 2-norm regularization (i.e. ridge regression) on a dataset obtained by merging a finite number of private datasets. Our system is composed of two phases: the first one is based on a simple homomorphic encryption scheme and takes care of securely merging the private datasets; the second phase is a new ad-hoc two-party protocol that computes a ridge regression model by solving a linear system in which all coefficients are encrypted. The efficiency of our system is evaluated both on synthetically generated and real-world datasets.

    Convex geometry and Erdős-Ginzburg-Ziv problem

    Denote by $\mathfrak s(\mathbb F_p^d)$ the Erdős–Ginzburg–Ziv constant of $\mathbb F_p^d$, that is, the minimum number $s$ such that among any $s$ (not necessarily distinct) vectors in $\mathbb F_p^d$ one can find $p$ vectors whose sum is zero. Denote by $\mathfrak w(\mathbb F_p^d)$ the weak Erdős–Ginzburg–Ziv constant, namely, the maximum number of vectors $v_1, \ldots, v_s \in \mathbb F_p^d$ such that for any non-negative integers $\alpha_1, \ldots, \alpha_s$ whose sum is $p$ we have $\alpha_1 v_1 + \ldots + \alpha_s v_s = 0$ if and only if $\alpha_i = p$ for some $i$. The main result of this paper is that for any fixed $d$ and $p \rightarrow \infty$ we have $\mathfrak s(\mathbb F_p^d) \sim \mathfrak w(\mathbb F_p^d)\, p$. We also show that for any $p$ and $d$ we have $\mathfrak w(\mathbb F_p^d) \le \binom{2d-1}{d} + 1$. Together with the upper bound on $\mathfrak w(\mathbb F_p^d)$, our result implies that $\mathfrak s(\mathbb F_p^d) \le 4^d p$ for fixed $d$ and all sufficiently large $p$. In order to prove the main result, we develop a framework of convex flags, which are a certain generalization of convex polytopes. In particular, we obtain analogues of Helly's Theorem and of the Centerpoint Theorem in this new setting; these results generalize the Integer Helly Theorem of Doignon.
    Comment: 45 pages, 2 figure

    λ™ν˜•μ•”ν˜Έμ™€ ν”„λ‘œκ·Έλž¨ λΉ„λ°€ 뢄석

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, August 2015. Advisor: Jung Hee Cheon.
    Homomorphic encryption is a cryptographic technique that allows data to be processed by computing on ciphertexts without going through decryption, and it has attracted attention as a cryptosystem that can resolve the security problems arising in the cloud service environments now in wide use. This thesis studies applications of homomorphic encryption together with the development of new homomorphic encryption algorithms. On the application side, we propose a privacy-preserving set union protocol using the Naccache-Stern additively homomorphic encryption scheme, and a method for static analysis of programs in secrecy using the RLWE-based BGV homomorphic encryption scheme. To support efficient set union, we propose a special encoding function for representing the participants' set elements and, by applying it, a method for efficiently recovering the roots of polynomials even in a space that is not a unique factorization domain. Based on this, we propose the most efficient constant-round set union protocol known to date. For program analysis in secrecy, we present a pointer analysis method in secrecy using homomorphic encryption. Using the type information of program variables, we present a way to dramatically reduce the number of homomorphic multiplications required from $O(m^2 \log m)$ to $O(\log m)$, and on this basis we propose a program analysis method in secrecy that is practical for real-world use. With it, an analyst can determine from encrypted program information which variables or storage locations a pointer variable in the program may point to during execution. Finally, we propose a new cryptographic hard problem, the polynomial approximate common divisor problem, and a new homomorphic encryption scheme based on it.
    The proposed scheme can be viewed as a polynomial version of the scheme of van Dijk et al., and accordingly supports not only data-parallel processing but also large-integer arithmetic. Whereas the fully homomorphic encryption schemes in the family of van Dijk et al. rely on the assumption that the subset sum problem is hard in order to provide division by the secret key, the proposed scheme needs no such division of secret information during decryption and therefore does not require the subset sum assumption.
    Homomorphic encryption enables computing certain functions on encrypted data without decryption. Many cloud-based services need efficient homomorphic encryption schemes to provide security to the data in cloud computing. In this thesis, we focus on applications of homomorphic encryption for set operations and program analysis, and we suggest a new construction of homomorphic encryption. First, we present a new privacy-preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryption. Our set union protocol is based on the additive homomorphic encryption scheme by Naccache and Stern, whose message space is $\mathbb Z_\sigma$, where $\sigma$ is a product of small primes. We introduce a special polynomial representation such that if a polynomial is represented in this form, then it factorizes uniquely in $\mathbb Z_\sigma[X]$. From this representation, we obtain an efficient constant-round set union protocol without an honest majority assumption. We adopt a somewhat homomorphic encryption scheme to perform static analysis on encrypted programs. In our method, a somewhat homomorphic encryption scheme of depth $O(\log m)$ is able to evaluate Andersen's pointer analysis with $O(\log m)$ homomorphic matrix multiplications, where $m$ is the number of pointer variables, when the maximal pointer level is bounded. Finally, we propose a somewhat homomorphic encryption scheme over the polynomial ring.
    The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of the DGHV fully homomorphic encryption scheme and its extensions. Our scheme is conceptually simple and does not require a complicated re-linearization process. For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers. Furthermore, we convert this scheme to a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.
    Contents:
        Abstract
        1 Introduction
        2 Private Set Union Protocol
            2.1 Preliminaries
                2.1.1 Polynomial Representation of a Set
                2.1.2 Reversed Laurent Series
                2.1.3 Additive Homomorphic Encryption
                2.1.4 Root Finding Algorithms
            2.2 New Polynomial Representation of a Set
                2.2.1 New Invertible Polynomial Representation
                2.2.2 The Expected Number of Root Candidates
                2.2.3 The Proper Size of $\alpha$
            2.3 New Privacy-preserving Set Union Protocols
                2.3.1 Application of Our Polynomial Representation
                2.3.2 Honest-But-Curious Model
                2.3.3 Malicious Model
                2.3.4 Extension to the Multi-set Union Protocol
            2.4 Conclusion
        3 Secure Static Program Analysis
            3.1 Preliminaries
                3.1.1 Homomorphic Encryption
                3.1.2 The BGV-type Cryptosystem
                3.1.3 Security Model
            3.2 A Basic Construction of a Pointer Analysis in Secrecy
                3.2.1 Inclusion-based Pointer Analysis
                3.2.2 The Pointer Analysis in Secrecy
            3.3 Improvement of the Pointer Analysis in Secrecy
                3.3.1 Problems of the Basic Approach
                3.3.2 Overview of Improvement
                3.3.3 Level-by-level Analysis
                3.3.4 Ciphertext Packing
                3.3.5 Randomization of Ciphertexts
            3.4 Experimental Result
            3.5 Discussions
        4 New Fully Homomorphic Encryption
            4.1 Preliminaries
                4.1.1 Lattices
                4.1.2 Chinese Remaindering for Polynomials over Composite Modulus
                4.1.3 Distributions
            4.2 Our Fully Homomorphic Encryption Scheme
                4.2.1 Basic Parameters
                4.2.2 The Somewhat Homomorphic Encryption Scheme
                4.2.3 Leveled Fully Homomorphic Encryption Scheme
            4.3 Security
                4.3.1 The Polynomial ACD Problems
                4.3.2 Security Proof
            4.4 Analysis of the Polynomial ACD Problems
                4.4.1 Distinguishing Attack
                4.4.2 Chen-Nguyen's Attack
                4.4.3 Coppersmith's Attack
                4.4.4 Extension of Cohn-Heninger's Attack
            4.5 Implementation
                4.5.1 Public Key Compression
                4.5.2 Implementation Results
            4.6 Conclusion
        5 Conclusions
        Abstract (in Korean)

    Privacy-Preserving Ridge Regression with only Linearly-Homomorphic Encryption

    Linear regression with 2-norm regularization (i.e., ridge regression) is an important statistical technique that models the relationship between some explanatory values and an outcome value using a linear function. In many applications (e.g., predictive modelling in personalised health care), these values represent sensitive data owned by several different parties who are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. This problem was elegantly addressed by Nikolaenko et al. in S&P (Oakland) 2013. They suggested a two-server system that uses linearly-homomorphic encryption (LHE) and Yao’s two-party protocol (garbled circuits). In this work, we propose a novel system that can train a ridge linear regression model using only LHE (i.e., without using Yao’s protocol). This greatly improves the overall performance (both in computation and communication), as Yao’s protocol was the main bottleneck in the previous solution. The efficiency of the proposed system is validated both on synthetically-generated and real-world datasets.

    Linear-Regression on Packed Encrypted Data in the Two-Server Model

    Developing machine learning models from federated training data, containing many independent samples, is an important task that can significantly enhance the potential applicability and prediction power of learned models. Since single users, like hospitals or individual labs, typically collect data-sets that do not support accurate learning with high confidence, it is desirable to combine data from several users without compromising data privacy. In this paper, we develop a privacy-preserving solution for learning a linear regression model from data collectively contributed by several parties ("data owners"). Our protocol is based on the protocol of Giacomelli et al. (ACNS 2018) that utilized two non-colluding servers and Linearly Homomorphic Encryption (LHE) to learn regularized linear regression models. Our methods use a different LHE scheme that allows us to significantly reduce both the number and runtime of homomorphic operations, as well as the total runtime complexity. Another advantage of our protocol is that the underlying LHE scheme is based on a different (and post-quantum secure) security assumption than that of Giacomelli et al. Our approach leverages the Chinese Remainder Theorem and Single Instruction Multiple Data representations to obtain our improved performance. For a 1000 x 40 linear regression task we can learn a model in a total of 3 seconds for the homomorphic operations, compared to more than 100 seconds reported in the literature. Our approach also scales up to larger feature spaces: we implemented a system that can handle a 1000 x 100 linear regression task, investing minutes of server computing time after a more significant offline pre-processing by the data owners. We intend to incorporate our protocol and implementations into a comprehensive system that can handle secure federated learning at larger scales.

    Garbled Neural Networks are Practical

    We show that garbled circuits are a practical choice for secure evaluation of neural network classifiers. At the protocol level, we start with the garbling scheme of Ball, Malkin & Rosulek (ACM CCS 2016) for arithmetic circuits and introduce new optimizations for modern neural network activation functions. We develop fancy-garbling, the first implementation of the BMR16 garbling scheme along with our new optimizations, as part of a heavily optimized garbled-circuits tool that is driven by a TensorFlow classifier description. We evaluate our constructions on a wide range of neural networks. We find that our approach is up to 100x more efficient than straightforward boolean garbling (depending on the neural network). Our approach is also roughly 40% more efficient than DeepSecure (Rouhani et al., DAC 2018), the only previous garbled-circuit-based approach for secure neural network evaluation, which incorporates significant optimization techniques for boolean circuits. Furthermore, our approach is competitive with other non-garbled-circuit approaches for secure neural network evaluation.