35 research outputs found
Parallel sparse interpolation using small primes
To interpolate a supersparse polynomial with integer coefficients, two alternative approaches are the Prony-based "big prime" technique, which acts over a single large finite field, or the more recently proposed "small primes" technique, which reduces the unknown sparse polynomial to many low-degree dense polynomials. While the latter technique has not yet reached the same theoretical efficiency as Prony-based methods, it has an obvious potential for parallelization. We present a heuristic "small primes" interpolation algorithm and report on a low-level C implementation using FLINT and MPI.
Comment: Accepted to PASCO 201
Privacy-Preserving Ridge Regression on Distributed Data
Linear regression is an important statistical tool that models the relationship between some explanatory values and an outcome value using a linear function.
In many current applications (e.g. predictive modelling in personalized healthcare), these values represent sensitive data owned by several different parties that are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. In this work, we propose a new system that can train a linear regression model with 2-norm regularization (i.e. ridge regression) on a dataset obtained by merging a finite number of private datasets. Our system is composed of two phases: the first one is based on a simple homomorphic encryption scheme and takes care of securely merging the private datasets; the second phase is a new ad-hoc two-party protocol that computes a ridge regression model by solving a linear system where all coefficients are encrypted. The efficiency of our system is evaluated both on synthetically generated and real-world datasets.
Convex geometry and Erdős–Ginzburg–Ziv problem
Denote by the Erdős–Ginzburg–Ziv constant of , that is, the minimum number such that among any (not necessarily distinct) vectors in one can find vectors whose sum is zero. Denote by the weak Erdős–Ginzburg–Ziv constant, namely, the maximum number of vectors such that for any non-negative integers whose sum is we have if and only if for some . The main result of this paper is that for any fixed and we have . We also show that for any and we have . Together with the upper bound on our result implies that for fixed and all sufficiently large . In order to prove the main result, we develop a framework of convex flags, which are a certain generalization of convex polytopes. In particular, we obtain analogues of the Helly Theorem and of the Centerpoint Theorem in this new setting. These results also generalize the Integer Helly Theorem of Doignon.
Comment: 45 pages, 2 figure
Homomorphic encryption enables computing certain functions on encrypted data without decryption.
Many cloud-based services need efficient homomorphic encryption schemes to provide security to the data in cloud computing.
In this thesis, we focus on applications of homomorphic encryptions for set operation and program analysis, and we suggest a new construction of homomorphic encryption.
First, we present a new privacy preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryptions.
Our set union protocol is based on the additive homomorphic encryption scheme by Naccache and Stern, whose message space is which is a product of small primes.
We introduce a special polynomial representation such that if a polynomial is represented as this form, then it is factorized uniquely in .
From this representation, we obtain an efficient constant round set union protocol without honest majority assumption.
We adopt a somewhat homomorphic encryption to perform static analysis on encrypted programs.
In our method, a somewhat homomorphic encryption scheme of depth is able to evaluate Andersen's pointer analysis with homomorphic matrix multiplications, for the number of pointer variables when the maximal pointer level is bounded.
Finally, we propose a somewhat homomorphic encryption scheme over the polynomial ring.
The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of DGHV fully homomorphic encryption and its extension.
Our scheme is conceptually simple and does not require a complicated re-linearization process.
For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers.
Furthermore, we convert this scheme to a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.

Abstract
1 Introduction
2 Private Set Union Protocol
2.1 Preliminaries
2.1.1 Polynomial Representation of a Set
2.1.2 Reversed Laurent Series
2.1.3 Additive Homomorphic Encryption
2.1.4 Root Finding Algorithms
2.2 New Polynomial Representation of a Set
2.2.1 New Invertible Polynomial Representation
2.2.2 The Expected Number of Root Candidates
2.2.3 The Proper Size of
2.3 New Privacy-preserving Set Union Protocols
2.3.1 Application of Our Polynomial Representation
2.3.2 Honest-But-Curious Model
2.3.3 Malicious Model
2.3.4 Extension to the Multi-set Union Protocol
2.4 Conclusion
3 Secure Static Program Analysis
3.1 Preliminaries
3.1.1 Homomorphic Encryption
3.1.2 The BGV-type Cryptosystem
3.1.3 Security Model
3.2 A Basic Construction of a Pointer Analysis in Secrecy
3.2.1 Inclusion-based Pointer Analysis
3.2.2 The Pointer Analysis in Secrecy
3.3 Improvement of the Pointer Analysis in Secrecy
3.3.1 Problems of the Basic Approach
3.3.2 Overview of Improvement
3.3.3 Level-by-level Analysis
3.3.4 Ciphertext Packing
3.3.5 Randomization of Ciphertexts
3.4 Experimental Result
3.5 Discussions
4 New Fully Homomorphic Encryption
4.1 Preliminaries
4.1.1 Lattices
4.1.2 Chinese Remaindering for Polynomials over Composite Modulus
4.1.3 Distributions
4.2 Our Fully Homomorphic Encryption Scheme
4.2.1 Basic Parameters
4.2.2 The Somewhat Homomorphic Encryption Scheme
4.2.3 Leveled Fully Homomorphic Encryption Scheme
4.3 Security
4.3.1 The Polynomial ACD Problems
4.3.2 Security Proof
4.4 Analysis of the Polynomial ACD Problems
4.4.1 Distinguishing Attack
4.4.2 Chen-Nguyen's Attack
4.4.3 Coppersmith's Attack
4.4.4 Extension of Cohn-Heninger's Attack
4.5 Implementation
4.5.1 Public Key Compression
4.5.2 Implementation Results
4.6 Conclusion
5 Conclusions
Abstract (in Korean)
Privacy-Preserving Ridge Regression with only Linearly-Homomorphic Encryption
Linear regression with 2-norm regularization (i.e., ridge regression) is an important statistical technique that models the relationship between some explanatory values and an outcome value using a linear function. In many applications (e.g., predictive modelling in personalised health care), these values represent sensitive data owned by several different parties who are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. This problem was elegantly addressed by Nikolaenko et al. in S&P (Oakland) 2013. They suggested a two-server system that uses linearly-homomorphic encryption (LHE) and Yao's two-party protocol (garbled circuits). In this work, we propose a novel system that can train a ridge linear regression model using only LHE (i.e., without using Yao's protocol). This greatly improves the overall performance (both in computation and communication), as Yao's protocol was the main bottleneck in the previous solution. The efficiency of the proposed system is validated both on synthetically-generated and real-world datasets.
Linear-Regression on Packed Encrypted Data in the Two-Server Model
Developing machine learning models from federated training data, containing many independent samples, is an important task that can significantly enhance the potential applicability and prediction power of learned models. Since single users, like hospitals or individual labs, typically collect data-sets that do not support accurate learning with high confidence, it is desirable to combine data from several users without compromising data privacy.
In this paper, we develop a privacy-preserving solution for learning a linear regression model from data collectively contributed by several parties ("data owners"). Our protocol is based on the protocol of Giacomelli et al. (ACNS 2018), which utilized two non-colluding servers and Linearly Homomorphic Encryption (LHE) to learn regularized linear regression models. Our methods use a different LHE scheme that allows us to significantly reduce both the number and runtime of homomorphic operations, as well as the total runtime complexity. Another advantage of our protocol is that the underlying LHE scheme is based on a different (and post-quantum secure) security assumption than Giacomelli et al.
Our approach leverages the Chinese Remainder Theorem and Single Instruction Multiple Data representations to obtain our improved performance. For a 1000 x 40 linear regression task we can learn a model in a total of 3 seconds for the homomorphic operations, compared to more than 100 seconds reported in the literature. Our approach also scales up to larger feature spaces: we implemented a system that can handle a 1000 x 100 linear regression task, investing minutes of server computing time after a more significant offline pre-processing by the data owners. We intend to incorporate our protocol and implementations into a comprehensive system that can handle secure federated learning at larger scales.
Garbled Neural Networks are Practical
We show that garbled circuits are a practical choice for secure evaluation of neural network classifiers. At the protocol level, we start with the garbling scheme of Ball, Malkin & Rosulek (ACM CCS 2016) for arithmetic circuits and introduce new optimizations for modern neural network activation functions. We develop fancy-garbling, the first implementation of the BMR16 garbling scheme along with our new optimizations, as part of a heavily optimized garbled-circuits tool that is driven by a TensorFlow classifier description.
We evaluate our constructions on a wide range of neural networks. We find that our approach is up to 100x more efficient than straightforward boolean garbling (depending on the neural network). Our approach is also roughly 40% more efficient than DeepSecure (Rouhani et al., DAC 2018), the only previous garbled-circuit-based approach for secure neural network evaluation, which incorporates significant optimization techniques for boolean circuits. Furthermore, our approach is competitive with other non-garbled-circuit approaches for secure neural network evaluation.