
    λ™ν˜•μ•”ν˜Έ μž¬λΆ€νŒ… 기법에 κ΄€ν•œ 연ꡬ

    Thesis (Ph.D.) -- Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2019. 2. Jung Hee Cheon.

    Since fully homomorphic encryption was first constructed by Gentry in 2009, various techniques and schemes have been designed for optimization and speed-up. However, because of the efficiency problem of the bootstrapping technique, which is essential for allowing an unlimited number of homomorphic operations, homomorphic encryption has often been judged unsuitable for real applications. In this thesis, we present various techniques for speeding up bootstrapping and apply them to real application areas. We studied bootstrapping techniques for the representative homomorphic encryption schemes. First, we studied bootstrapping techniques applicable to SEAL and HElib, the homomorphic encryption libraries built by Microsoft Research and IBM. The key step in that bootstrapping technique is evaluating the decryption function in the encrypted state. By presenting a new method for extracting the lowest bit in the encrypted state, we succeeded in reducing both the computation consumed in bootstrapping and the degree of the polynomial involved. Second, we improved the bootstrapping technique of HEAAN, a relatively recently developed approximate-arithmetic homomorphic encryption scheme. In 2018 a bootstrapping technique for this scheme was first proposed using an approximation based on trigonometric functions, but for ciphertexts holding many data values the pre-processing and post-processing steps accounted for most of the computation. By expressing those steps as recursive functions over several stages, we succeeded in reducing the computation to logarithmic in the data size. Additionally, although they are less widely used than other schemes, we also improved bootstrapping for integer-based homomorphic encryption schemes and, as a result, reduced their computation to logarithmic as well.
    Finally, to show the usability and practicality of bootstrapping, we applied it to machine learning, a field that genuinely requires data security. Specifically, we performed regression analysis on 400,000 financial records using encrypted data. As a result, within about 16 hours we obtained a meaningful model with over 80% accuracy and an AUROC of about 0.8.

    After Gentry's blueprint for a homomorphic encryption (HE) scheme, various efficient schemes have been suggested. For an unlimited number of operations between encrypted data, the bootstrapping process is necessary. There are only a few works on the bootstrapping procedure because of its complexity and inefficiency. In this thesis, we propose various methods and techniques for an improved bootstrapping algorithm, and we apply it to logistic regression on large-scale encrypted data. The bootstrapping process depends on the underlying homomorphic encryption scheme. For various schemes such as BGV, BFV, HEAAN, and the integer-based scheme, we improve the bootstrapping algorithm. First, we improve bootstrapping for the BGV (HElib, IBM) and FV (SEAL, Microsoft Research) schemes. The key process for bootstrapping in those two schemes is extracting the lower digits of the plaintext in the encrypted state. We suggest a new polynomial that removes the lowest digit of its input, and we apply it to bootstrapping together with the previous method. As a result, both the complexity and the consumed depth are reduced. Second, bootstrapping for multiple data needs a homomorphic linear transformation. The complexity of this part is $O(n)$ for the number of slots $n$, and this part becomes a bottleneck when we use large $n$. We use the structure of the linear transformation used in bootstrapping and decompose the matrix corresponding to the transformation. By applying a recursive strategy, we reduce the complexity to $O(\log n)$.
    Furthermore, we suggest a new bootstrapping method for integer-based HE schemes, which are based on the approximate greatest common divisor problem. By using digit extraction instead of the previous bit-wise approach, the complexity of the bootstrapping algorithm is reduced from $O(\mathrm{poly}(\lambda))$ to $O(\log^{2}\lambda)$. Our implementation of this process takes 6 seconds, compared with about 3 minutes previously. To show that bootstrapping can be used for practical applications, we implement logistic regression on large-scale encrypted data. Our target data has 400,000 samples, and each sample has 200 features. Because of the size of the data, direct application of a homomorphic encryption scheme is almost impossible. Therefore, we choose the encryption method so as to maximize the effect of multi-threading and SIMD operations in the HE scheme. As a result, our homomorphic logistic regression takes about 16 hours for the target data. The output model has 0.8 AUROC with about 80% accuracy. Another experiment on the MNIST dataset shows the correctness of our implementation and method.

    Table of contents:
    Abstract
    1 Introduction
        1.1 Homomorphic Encryption
        1.2 Machine Learning on Encrypted Data
        1.3 List of Papers
    2 Background
        2.1 Notation
        2.2 Homomorphic Encryption
        2.3 Ring Learning with Errors
        2.4 Approximate GCD
    3 Lower Digit Removal and Improved Bootstrapping
        3.1 Basis of BGV and BFV scheme
        3.2 Improved Digit Extraction Algorithm
        3.3 Bootstrapping for BGV and BFV Scheme
            3.3.1 Our modifications
        3.4 Slim Bootstrapping Algorithm
        3.5 Implementation Result
    4 Faster Homomorphic DFT and Improved Bootstrapping
        4.1 Basis of HEAAN scheme
        4.2 Homomorphic DFT
            4.2.1 Previous Approach
            4.2.2 Our method
            4.2.3 Hybrid method
            4.2.4 Implementation Result
        4.3 Improved Bootstrapping for HEAAN
            4.3.1 Linear Transformation in Bootstrapping
            4.3.2 Improved CoeffToSlot and SlotToCoeff
            4.3.3 Implementation Result
    5 Faster Bootstrapping for FHE over the integers
        5.1 Basis of FHE over the integers
        5.2 Decryption Function via Digit Extraction
            5.2.1 Squashed Decryption Function
            5.2.2 Digit extraction Technique
            5.2.3 Homomorphic Digit Extraction in FHE over the integers
        5.3 Bootstrapping for FHE over the integers
            5.3.1 CLT scheme with M Z_t
            5.3.2 Homomorphic Operations with M Z_t^a
            5.3.3 Homomorphic Digit Extraction for CLT scheme
            5.3.4 Our Method on the CLT scheme
            5.3.5 Analysis of Proposed Bootstrapping Method
        5.4 Implementation Result
    6 Logistic Regression on Large Encrypted Data
        6.1 Basis of Logistic Regression
        6.2 Logistic Regression on Encrypted Data
            6.2.1 HE-friendly Logistic Regression Algorithm
            6.2.2 HE-Optimized Logistic Regression Algorithm
            6.2.3 Further Optimization
        6.3 Evaluation
            6.3.1 Logistic Regression on Encrypted Financial Dataset
            6.3.2 Logistic Regression on Encrypted MNIST Dataset
            6.3.3 Discussion
    7 Conclusions
    Abstract (in Korean)
    Docto

    Better Bootstrapping for Approximate Homomorphic Encryption

    After Cheon et al. (Asiacrypt '17) proposed an approximate homomorphic encryption scheme, Heaan, for operations between encrypted real (or complex) numbers, the scheme has been widely used in a variety of fields that need privacy-preserving data analysis. After that, a bootstrapping method for Heaan was proposed by Cheon et al. (Eurocrypt '18), with modulus reduction being replaced by a sine function. In this paper, we generalize the Full-RNS variant of Heaan proposed by Cheon et al. (SAC, 19) to reduce the number of temporary moduli used in key-switching. As a result, our scheme can support deeper computations without bootstrapping while ensuring the same level of security. We also propose a new polynomial approximation method to evaluate a sine function in an encrypted state, which is specialized for the bootstrapping of Heaan. Our method takes into account the ratio between the size of a plaintext and the size of a ciphertext modulus. Consequently, it requires a smaller number of non-scalar multiplications, about half that of the Chebyshev method. With our variant of the Full-RNS scheme and the new sine evaluation method, we give the first implementation of bootstrapping for a Full-RNS variant of an approximate homomorphic encryption scheme. Our method enables bootstrapping for a plaintext in the space $\mathbb{C}^{16384}$ to be completed in 52 seconds while preserving 11 bits of precision in each slot.

    Improved Circuit-based PSI via Equality Preserving Compression

    Circuit-based private set intersection (circuit-PSI) enables two parties with input sets $X$ and $Y$ to compute a function $f$ over the intersection set $X \cap Y$, without revealing any other information. State-of-the-art protocols for circuit-PSI commonly involve a procedure that securely checks whether two input strings are equal and outputs an additive share of the equality result. This procedure is typically performed by generic two-party computation protocols, and its cost occupies quite a large portion of the total cost of circuit-PSI. In this work, we propose the equality preserving compression (EPC) protocol, which compresses the length of equality check targets while preserving equality using a homomorphic encryption (HE) scheme, and which is secure against the semi-honest adversary. It can be seamlessly applied to state-of-the-art circuit-PSI protocol frameworks. We demonstrate by implementation that our EPC provides a 10-40% speed-up for circuit-PSI with set sizes from $2^{16}$ to $2^{20}$ on a LAN network. We believe that the EPC protocol can be of independent interest and can be applied to applications other than PSI.

    Faster Bootstrapping of FHE over the Integers

    Bootstrapping in fully homomorphic encryption (FHE) over the integers is a homomorphic evaluation of the squashed decryption function suggested by van Dijk et al. The typical approach to bootstrapping is representing the decryption function as a binary circuit with a fixed message space. All bootstrapping methods in FHEs over the integers use this approach; however, these methods require too many homomorphic multiplications, slowing down the whole procedure. In this paper, we propose an efficient bootstrapping method using various message spaces. Our bootstrapping method requires only $O(\log^{2}\lambda)$ homomorphic multiplications, which is significantly lower than the $\tilde{O}(\lambda^{4})$ of the previous methods. We implement our bootstrapping method on the scale-invariant FHE over the integers, the CLT scheme introduced by Coron, Lepoint and Tibouchi. It takes 6 seconds for a 500-bit message space and 72-bit security on a PC. This is the fastest result among the bootstrapping methods on FHEs over the integers. We also apply our bootstrapping method to evaluate an AES-128 circuit homomorphically. As a result, it takes about 8 seconds per 128-bit block and is faster than the previous result for homomorphic evaluation of the AES circuit using FHEs over the integers without bootstrapping.

    Faster Homomorphic Discrete Fourier Transforms and Improved FHE Bootstrapping

    In this work, we propose a faster homomorphic linear transform algorithm for structured matrices such as the discrete Fourier transform (DFT) and the linear transformations in bootstrapping. First, we propose a new method to evaluate the DFT homomorphically on a given packed ciphertext, derived from the Cooley-Tukey fast Fourier transform algorithm. While the previous method requires $O(\sqrt n)$ rotations and $O(n)$ constant vector multiplications, our method only needs $O(\log n)$ rotations/multiplications by consuming $O(\log n)$ depth for an input vector of length $n$. Second, we apply the same method to the linear transform of bootstrapping for HEAAN. To achieve this, we construct a recursive relation between the matrices in those linear transformations. Accordingly, we can greatly accelerate the linear transformation part of bootstrapping: the number of homomorphic operations becomes logarithmic in the number of slots, as in the homomorphic DFT. We also implement both algorithms. Our homomorphic DFT of length $2^{14}$ takes only about 8 seconds, which is about 150 times faster than the previous result. Bootstrapping for HEAAN with our linear transform algorithm takes about 2 minutes for the $\mathbb{C}^{32768}$ plaintext space with 8-bit precision, compared with 26 hours using the previous method.

    Efficient Logistic Regression on Large Encrypted Data

    Machine learning on encrypted data is a cryptographic method for analyzing private and/or sensitive data while keeping it private. In the training phase, it takes as input encrypted training data and outputs an encrypted model without using the decryption key. In the prediction phase, it uses the encrypted model to predict results on new encrypted data. In neither phase is a decryption key needed, so the privacy of the data is guaranteed as long as the underlying encryption is secure. It has many applications in areas such as finance, education, genomics, and medicine, which handle sensitive private data. While several studies have been reported on the prediction phase, few studies have been conducted on the training phase due to the inefficiency of homomorphic encryption (HE), leaving machine learning training on encrypted data only as a long-term goal. In this paper, we propose an efficient algorithm for logistic regression on encrypted data and evaluate it on real financial data consisting of 422,108 samples over 200 features. Our experiment shows that an encrypted model with a sufficient Kolmogorov-Smirnov statistic value can be obtained in $\sim$17 hours on a single machine. We also evaluate our algorithm on the public MNIST dataset, where it takes $\sim$2 hours to learn an encrypted model with 96.4% accuracy. Considering the inefficiency of HE, our result is encouraging and demonstrates, for the first time to the best of our knowledge, the practical feasibility of logistic regression training on large encrypted data.

    Efficient Privacy Preserving Logistic Regression Inference and Training

    Recently, privacy-preserving logistic regression techniques on data distributed among several data owners have drawn attention for their applicability in federated learning environments. Many of them are built upon cryptographic primitives such as secure multiparty computation (MPC) and homomorphic encryption (HE) to protect the privacy of the data. Secure multiparty computation provides fast and secure unit operations for arithmetic and bit operations, but it often does not scale well to large data due to the large computation cost and communication overhead. In recent work, many HE primitives provide their operations in a batched sense, so that the technique can be an appropriate choice in a big data environment. However, computationally expensive operations such as ciphertext slot rotation or refreshing (so-called bootstrapping), as well as the large public key size, are hurdles that hamper the widespread adoption of the technique in industry-level environments. In this paper, we provide a new hybrid approach to privacy-preserving logistic regression training and inference, which utilizes both MPC and HE techniques to provide an efficient and scalable solution while minimizing the need for key management and the complexity of computation in the encrypted state. Utilizing the batching properties of HE, we present a method to securely compute multiplications of vectors and matrices using one HE multiplication, compared to the naive approach, which requires a number of multiplications linear in the size of the input data. We also show how we use a 2-party additive secret sharing scheme to efficiently control the noise of expensive HE operations such as bootstrapping.

    Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger

    We present a new short zero-knowledge argument for range proofs and arithmetic circuits without a trusted setup. In particular, the proof size of our protocol is the shortest in the category of proof systems with a trustless setup. More concretely, when proving that a committed value is a positive integer of less than 64 bits, except for negligible error at the 128-bit security parameter, the proof size is 576 bytes long, which is 85.7% of the size of the previous shortest one due to Bünz et al. (Bulletproofs, IEEE Security and Privacy 2018), while the computational overheads of both proof generation and verification are comparable with those of Bulletproofs. Bulletproofs is established as one of the important privacy-enhancing technologies for distributed ledgers, due to its trustless feature and short proof size. In particular, it has been implemented and optimized in various programming languages for practical use by independent entities since it was proposed. The essence of Bulletproofs is the logarithmic inner product argument, which has no zero-knowledge. In this paper, we revisit Bulletproofs from the viewpoint of the first sublinear zero-knowledge argument for linear algebra due to Groth (CRYPTO 2009) and then propose Bulletproofs+, an improved variant of Bulletproofs. The main ingredient of our proposal is the zero-knowledge weighted inner product argument (zk-WIP), to which we reduce both the range proof and the arithmetic circuit proof. The benefit of reducing to the zk-WIP is a minimal transmission cost during the reduction process. Note that the zk-WIP has all the nice features of the inner product argument, such as aggregated range proofs and batch verification.

    Cryptanalysis on the Multilinear Map over the Integers and its Related Problems

    The CRT-ACD problem is to find the primes $p_1,\ldots,p_n$ given polynomially many instances of $\mathrm{CRT}_{(p_1,\ldots,p_n)}(r_1,\ldots,r_n)$ for small integers $r_1,\ldots,r_n$. The CRT-ACD problem is regarded as a hard problem, but its hardness has not been proven yet. In this paper, we analyze the CRT-ACD problem when given one more input, $\mathrm{CRT}_{(p_1,\ldots,p_n)}(x_0/p_1,\ldots,x_0/p_n)$ for $x_0=\prod_{i=1}^n p_i$, and propose a polynomial-time algorithm for this problem that uses products of the instances and the auxiliary input. This algorithm yields a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT): we show that by multiplying encodings of zero with zero-testing parameters appropriately in the CLT scheme, one can obtain the required input of our algorithm, namely products of CRT-ACD instances and the auxiliary input. This leads to a total break: all the quantities that were supposed to be kept secret can be recovered in an efficient and public manner. We also introduce polynomial-time algorithms for the Subgroup Membership, Decision Linear, and Graded External Diffie-Hellman problems, which are used as the base problems of several cryptographic schemes constructed on multilinear maps.