Optimization of Bootstrapping in Circuits

In 2009, Gentry proposed the first Fully Homomorphic Encryption (FHE) scheme, an extremely powerful cryptographic primitive that enables to perform computations, i.e., to evaluate circuits, on encrypted data without decrypting them first. This has many applications, in particular in cloud computing. In all currently known FHE schemes, encryptions are associated to some (non-negative integer) noise level, and at each evaluation of an AND gate, the noise level increases. This is problematic because decryption can only work if the noise level stays below some maximum level $L$ at every gate of the circuit. To ensure that property, it is possible to perform an operation called _bootstrapping_ to reduce the noise level. However, bootstrapping is time-consuming and has been identified as a critical operation. This motivates a new problem in discrete optimization, that of choosing where in the circuit to perform bootstrapping operations so as to control the noise level; the goal is to minimize the number of bootstrappings in circuits. In this paper, we formally define the _bootstrap problem_, we design a polynomial-time $L$-approximation algorithm using a novel method of rounding of a linear program, and we show a matching hardness result: $(L-\epsilon)$-inapproximability for any $\epsilon>0$

Arithmetic PCA for Encrypted Data

Reducing the size of large dimensional data is a critical task in machine learning (ML) that often involves using principal component analysis (PCA). In privacy-preserving ML, data confidentiality is of utmost importance, and reducing data size is a crucial way to cut overall costs. This work focuses on minimizing the number of normalization processes in the PCA algorithm, which is a costly procedure in encrypted PCA. By modifying Krasulina\u27s algorithm, non-polynomial operations were eliminated, except for a single delayed normalization at the end. Our PCA algorithm demonstrated similar performance to conventional PCA algorithms in face recognition applications. We also implemented it using the CKKS (Cheon-Kim-Kim-Song) homomorphic encryption scheme and obtained the first 6 principal components of a 128$\times$128 real matrix in 7.85 minutes using 8 threads

Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

International audienceIn typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob’s public key pk and to send the ciphertext c = HEpk(m) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As previously noted, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme E, Alice picks a random key k and sends a much smaller ciphertext c′ = (HEpk(k), Ek(m)) that Charlie decompresses homomorphically into the original c using a decryption circuit CE−1 .In this paper, we revisit that paradigm in light of its concrete implemen- tation constraints; in particular E is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also pro- pose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have an excellent performance

Improving TFHE: faster packed homomorphic operations and efficient circuit bootstrapping

In this paper, we present several methods to improve the evaluation of homomorphic functions, both for fully and for leveled homomorphic encryption. We propose two packing methods, in order to decrease the expansion factor and optimize the evaluation of look-up tables and random functions in TRGSW-based homomorphic schemes. We also extend the automata logic, introduced in [19, 12], to the efficient leveled evaluation of weighted automata, and present a new homomorphic counter called TBSR, that supports all the elementary operations that occur in a multiplication. These improvements speed-up the evaluation of most arithmetic functions in a packed leveled mode, with a noise overhead that remains additive. We finally present a new circuit bootstrapping that converts TLWE into low-noise TRGSW ciphertexts in just 137ms, which makes the leveled mode of TFHE composable, and which is fast enough to speed-up arithmetic functions, compared to the gate-by-gate bootstrapping given in [12]. Finally, we propose concrete parameter sets and timing comparison for all our constructions

A multi-start heuristic for multiplicative depth minimization of boolean circuits

In this work we propose a multi-start heuristic which aims at minimizing the multiplicative depth of boolean circuits. The multiplicative depth objective is encountered in the field of homomorphic encryption where ciphertext size depends on the number of consecutive multiplications. The heuristic is based on rewrite operators for multiplicative depth-2 paths. Even if the proposed rewrite operators are simple and easy to understand the experimental results show that they are rather powerful. The multiplicative depth of the benchmarked circuits was hugely improved. In average the obtained multiplicative depths were lower by more than 3 times than the initial ones. The proposed rewrite operators are not limited to boolean circuits and can also be used for arithmetic circuits

Parameter Optimization & Larger Precision for (T)FHE

In theory, Fully Homomorphic Encryption schemes allow users to compute any operation over encrypted data. However in practice, one of the major difficulties lies into determining secure cryptographic parameters that minimize the computational cost of evaluating a circuit. In this paper, we propose a solution to solve this open problem. Even though it mainly focuses on TFHE, the method is generic enough to be adapted to all the current FHE schemes. TFHE is particularly suited, for small precision messages, from Boolean to 5-bit integers. It is possible to instantiate bigger integers with this scheme, however the computational cost quickly becomes unpractical. By studying the parameter optimization problem for TFHE, we observed that if one wants to evaluate operations on larger integers, the best way to do it is by encrypting the message into several ciphertexts, instead of considering bigger parameters for a single ciphertext. In the literature, one can find some constructions going in that direction, which are mainly based on radix and CRT representations of the message. However, they still present some limitations, such as inefficient algorithms to evaluate generic homomorphic lookup tables and no solution to work with arbitrary modulus for the message space. We overcome these limitations by proposing two new ways to evaluate homomorphic modular reductions for any modulo in the radix approach, by introducing on the one hand a new hybrid representation, and on the other hand by exploiting a new efficient algorithm to evaluate generic lookup tables on several ciphertexts. The latter is not only a programmable bootstrapping but does not require any padding bit, as needed in the original TFHE bootstrapping. We additionally provide benchmarks to support our results in practice. Finally, we formalize the parameter selection as an optimization problem, and we introduce a framework based on it enabling easy and efficient translation of an arithmetic circuit into an FHE graph of operation along with its optimal set of cryptographic parameters. This framework offers a plethora of features: fair comparisons between FHE operators, study of contexts that are favorable to a given FHE strategy/algorithm, failure probability selection for the entire use case, and so on

Boolean functions for homomorphic-friendly stream ciphers

The proliferation of small embedded devices having growing but still limited computing and data storage facilities, and the related development of cloud services with extensive storage and computing means, raise nowadays new privacy issues because of the outsourcing of data processing. This has led to a need for symmetric cryptosystems suited for hybrid symmetric-FHE encryption protocols, ensuring the practicability of the FHE solution. Recent ciphers meant for such use have been introduced, such as LowMC, Kreyvium, FLIP, and Rasta. The introduction of stream ciphers devoted to symmetric-FHE frameworks such as FLIP and its recent modification has in its turn posed new problems on the Boolean functions to be used in them as filter functions. We recall the state of the art in this matter and present further studies (without proof)

BCH 부호를 이용한 FrodoKEM의 성능 개선 및 동형 비교를 위한 합성함수에 의한 부호 함수의 미니맥스 근사

학위논문 (박사) -- 서울대학교 대학원 : 공과대학 전기·정보공학부, 2020. 8. 노종선.In this dissertation, two main contributions are given as; Performance improvement of FrodoKEM using Gray and error-correcting codes (ECCs). Optimal minimax polynomial approximation of sign function by composite polynomial for homomorphic comparison. First, modification of FrodoKEM using Gray codes and ECCs is studied. Lattice-based scheme is one of the most promising schemes for post-quantum cryptography (PQC). Among many lattice-based cryptosystems, FrodoKEM is a well-known key-encapsulation mechanism (KEM) based on (plain) learning with errors problems and is advantageous in that the hardness is based on the problem of unstructured lattices. Many lattice-based cryptosystems adopt ECCs to improve their performance, such as LAC, Three Bears, and Round5 which were presented in the NIST PQC Standardization Round 2 conference. However, for lattice-based cryptosystems that do not use ring structures such as FrodoKEM, it is difficult to use ECCs because the number of transmitted symbols is small. In this dissertation, I propose a method to apply Gray and ECCs to FrodoKEM by encoding the bits converted from the encrypted symbols. It is shown that the proposed method improves the security level and/or the bandwidth of FrodoKEM, and 192 message bits, 50\% more than the original 128 bits, can be transmitted using one of the modified Frodo-640's. Second, an optimal minimax polynomial approximation of sign function by a composite polynomial is studied. The comparison function of the two numbers is one of the most commonly used operations in many applications including deep learning and data processing systems. Several studies have been conducted to efficiently evaluate the comparison function in homomorphic encryption schemes which only allow addition and multiplication for the ciphertext. Recently, new comparison methods that approximate sign function using composite polynomial in the homomorphic encryption, called homomorphic comparison operation, were proposed and it was proved that the methods have optimal asymptotic complexity. In this dissertation, I propose new optimal algorithms that approximate the sign function in the homomorphic encryption by using composite polynomials of the minimax approximate polynomials, which are constructed by the modified Remez algorithm. It is proved that the number of required non-scalar multiplications and depth consumption for the proposed algorithms are less than those for any methods that use a composite polynomial of component polynomials with odd degree terms approximating the sign function, respectively. In addition, an optimal polynomial-time algorithm for the proposed homomorphic comparison operation is proposed by using dynamic programming. As a result of numerical analysis, for the case that I want to minimize the number of non-scalar multiplications, the proposed algorithm reduces the required number of non-scalar multiplications and depth consumption by about 33% and 35%, respectively, compared to those for the previous work. In addition, for the case that I want to minimize the depth consumption, the proposed algorithm reduces the required number of non-scalar multiplications and depth consumption by about 10% and 47%, respectively, compared to those for the previous work.이 학위 논문에서는, 다음 두 가지 내용이 연구되었다. FrodoKEM을 그레이 부호 및 오류정정부호를 사용하여 개선 동형 비교 연산을 위해 합성 다항식을 사용한 부호 함수의 최적 미니맥스 다항식 근사 먼저, 그레이 부호 및 오류정정부호를 사용하여 FrodoKEM을 변형시키는 방법이 연구되었다. 격자기반암호는 가장 유망한 포스트 양자 암호 스킴이다. 많은 격자기반암호 시스템 중에서 FrodoKEM은 learning with errors (LWE) 문제에 기반을 둔 잘 알려진 키-캡슐화 메커니즘 (KEM) 이며 구조를 갖지 않은 격자 문제에 기반을 둔 어려움을 가진다는 장점이 있다. NIST 포스트 양자 암호 표준화 라운드 2에 발표된 LAC, Three Bears, Round5와 같이 성능 개선을 위해 오류정정부호를 사용하는 많은 암호 시스템들이 있다. 그러나 FrodoKEM과 같이 링 구조를 사용하지 않는 격자기반 암호 시스템에서는 전송되는 심볼 개수가 작기 때문에 오류정정부호를 사용하기 어렵다. 나는 암호화된 심볼로부터 변환된 비트들을 부호화하여 오류정정부호와 그레이 부호를 FrodoKEM에 적용하는 방법을 제안하였다. 제안한 알고리즘은 FrodoKEM의 보안성 레벨 혹은 데이터전송량을 향상하고 기존 128비트보다 50\% 많은 192비트가 변형된 Frodo-640에서 전송될 수 있음을 보여주었다. 두 번째로, 합성 다항식을 사용한 부호 함수의 최적 미니맥스 다항식 근사가 연구되었다. 두 숫자의 비교 함수는 딥러닝 및 데이터 처리 시스템을 포함한 많은 응용에서 가장 많이 사용되는 연산 중 하나이다. 암호문 상에서의 덧셈과 곱셈만 지원하는 동형 암호에서 비교 함수를 효율적으로 계산하는 몇몇 연구가 진행되었다. 동형 암호에서 합성 다항식을 사용하여 부호 함수를 근사하는 비교 방법은 동형 비교 연산이라고 불리는데 최근 새로운 동형 비교 연산 방법이 제안되었고 그 방법이 최적 점근적 복잡도를 가진다는 것이 증명되었다. 본 논문에서 나는 미니맥스 근사다항식의 합성함수를 사용하여 동형암호에서 부호 함수를 근사하는 새로운 최적 알고리즘을 제안한다. 미니맥스 근사 다항식은 modified Remez 알고리즘에 의해 얻을 수 있다. 제안하는 알고리즘은 임의의 부호 함수를 근사하는 홀수 차수 항들을 가진 다항식의 합성 다항식을 사용하는 방법보다 더 적은 넌스칼라 곱 및 뎁스 소모를 사용한다는 것이 증명되었다. 또한, 제안한 동형 비교 연산에 대한 다이나믹 프로그래밍을 사용한 최적 다항시간 알고리즘이 제안되었다. 수치 분석 결과, 넌스칼라 곱 개수를 최소로 할 때, 제안하는 알고리즘은 필요한 넌스칼라 곱 개수와 뎁스 소모를 기존 방법의 필요한 넌스칼라 곱 개수 및 뎁스 소모보다 각각 33%, 35%정도 감소시킨다. 또한, 뎁스 소모를 최소로 할 때, 제안하는 알고리즘은 필요한 넌스칼라 곱 개수와 뎁스 소모를 기존 방법의 필요한 넌스칼라 곱 개수 및 뎁스 소모보다 각각 10%, 47%정도 감소시킨다.1 Introduction 1 1.1 Background 1 1.2 Overview of Dissertation 3 1.3 Notations 5 2 Preliminaries 6 2.1 NIST Post-Quantum Cryptography Standardization 6 2.1.1 Background 6 2.1.2 Categories for Security Level 7 2.1.3 List of Algorithms in NIST PQC Round 2 8 2.2 Public-Key Encryption and Key-Encapsulation Mechanism 10 2.3 Lattice-Based Cryptogaphy 13 2.3.1 Learning with Errors Problem 13 2.3.2 Overview of FrodoPKE Algorithm 14 2.3.3 Parameters of FrodoKEM 17 2.4 BCH and Gray Codes 18 2.5 Fully Homomorphic Encryption 20 2.5.1 Homomorphic Encryption 20 2.5.2 Comparison Operation in Fully Homomorphic Encryption 21 2.6 Approximation Theory 22 2.7 Algorithms for Minimax Approximation 24 3. Improvement of FrodoKEM Using Gray and BCH Codes 29 3.1 Modification of FrodoKEM with Gray and Error-Correcting Codes 33 3.1.1 Viewing FrodoPKE as a Digital Communication System 33 3.1.2 Error-Correcting Codes for FrodoPKE 34 3.1.3 Gray Coding 36 3.1.4 IND-CCA Security of Modified FrodoKEM 38 3.1.5 Evaluation of DFR 40 3.1.6 Error Dependency 43 3.2 Performance Improvement of FrodoKEM Using Gray and BCH Codes 43 3.2.1 Improving the Security Level of FrodoKEM 43 3.2.2 Increasing the Message Size of Frodo-640 47 3.2.3 Reducing the Bandwidth of Frodo-640 50 4. Homomorphic Comparison Using Optimal Composition of Minimax Approximate Polynomials 54 4.1 Introduction 54 4.1.1 Previous Works 55 4.1.2 My Contributions 56 4.2 Approximation of Sign Function by Using Optimal Composition of Minimax Approximate Polynomials 58 4.2.1 New Approximation Method for Sine Function Using Composition of the Minimax Approximate Polynomials 58 4.2.2 Optimality of Approximation of the Sign Function by a Minimax Composite Polynomial 64 4.2.3 Achieving Polynomial-Time Algorithm for New Approximation Method by Using Dynamic Programming 68 4.3 Numerical Results 80 4.3.1 Computation of the Required Non-Scalar Multiplications and Depth Consumption 81 4.3.2 Comparisons 81 5. Conclusions 88 Abstract (In Korean) 97Docto

Applying Fully Homomorphic Encryption: Practices and Problems

Fully homomorphic encryption (FHE) has been regarded as the "holy grail" of cryptography for its versatility as a cryptographic primitive and wide range of potential applications. Since Gentry published the first theoretically feasible FHE design in 2008, there has been a lot of new discoveries and inventions in this particular field. New schemes significantly reduce the computational cost of FHE and make practical deployment within reach. As a result, FHE schemes have come off the paper and been explored and tested extensively in practice. However, FHE is made possible with many new problems and assumptions that are not yet well studied. In this thesis we present a comprehensive and intuitive overview of the current applied FHE landscape, from design to implementation, and draw attention to potential vulnerabilities both in theory and in practice. In more detail, we show how to use currently available FHE libraries for aggregation and select parameters to avoid weak FHE instances