A Full RNS Variant of Approximate Homomorphic Encryption
Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University)
Miran Kim (UTHealth), Yongsoo Song (UC San Diego)
SAC 2018
Residue Number System (a.k.a. CRT)
Background
Secure Computation
- Differential Privacy
- (Secure) Multi-Party Computation
- (Fully) Homomorphic Encryption
  - Semantic security.
  - Non-interactive.
  - Reusable.
  - Long-term storage, Unlimited sources.
Landscape of HE Schemes

| | Word Encryption | Bit Encryption | Approximate Encryption |
|---|---|---|---|
| Scheme (Library) | BGV (HElib), B/FV (SEAL, NFLlib) | FHEW, TFHE | HEAAN |
| Plaintext Space | Finite field + Packing | Single Bit | Real / Complex + Packing |
| Operation | Addition, Multiplication | Binary Gate + Bootstrapping | Addition, Multiplication, Rounding |
Approximate HE (HEAAN, 慧眼)
- Design
  - Homomorphic Encryption for Arithmetic of Approximate Numbers [CKKS (AC'17)]
  - Bootstrapping [CHKKS (EC'18)]
- Applications in Machine Learning
  - Training of Logistic Regression Model [KSW+ (JMI'18), KSK+ (iDASH'17, BMC'18), CKKS (IEEE Access'18)]
  - Matrix Computation & Evaluation of Neural Networks [JKLS (CCS'18)]
Approximate Computation
- Numerical Representation
  - $1.234 = 1234 \cdot 10^{-3}$.
  - Scaling factor $p = 10^{3}$.
- Fixed-Point Arithmetic
  - $1.234 \times 5.678 = 1234 \times 5678 \cdot 10^{-6} = 7006652 \cdot 10^{-6} \mapsto 7007 \cdot 10^{-3} = 7.007$.
  - Division by scaling factor $p$ (a.k.a. Rounding operation).
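(Leveled) Approximate HE
- Approximate Encoding / Encryption
  - (Ring) LWE-based.
  - $x \mapsto m = p \cdot x$. $p$: scaling factor. $m$: significant digits of $x$.
  - $\mathsf{ct} = \mathsf{Enc}_{pk}(m) \implies \langle \mathsf{ct}, sk \rangle \pmod{q_\ell} = m + e \approx p \cdot x$.
- Approximate Homomorphic Operations
  - Mult: $\mathsf{Enc}(m_1), \mathsf{Enc}(m_2) \mapsto \mathsf{Enc}(m \approx m_1 m_2 \approx p^2 \cdot x_1 x_2)$.
  - Round: $\mathsf{Enc}(m \pmod{q_\ell}) \mapsto \mathsf{Enc}(m' \approx p^{-1} \cdot m \pmod{q_{\ell-1}})$ for $p = q_\ell / q_{\ell-1}$.
  - Leveled Structure: $q_L = p^L > q_{L-1} = p^{L-1} > \cdots > (q_1 = p)$.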
Main Result
Motivation
Ring structure $R_q = \mathbb{Z}_q[X]/(X^N + 1)$.
Expensive operation & High-precision library ($\log q$ = 250~800).
Residue Number System (RNS): $\mathbb{Z}_q \cong \mathbb{Z}_{p_1} \times \mathbb{Z}_{p_2} \times \cdots \times \mathbb{Z}_{p_k}$.

| Scheme | Word Encryption | Approximate Encryption |
|---|---|---|
| Representation | HElib (Double-CRT) [GHS12b] | This Work |
| Homo. Operations | Full RNS B/FV Variants [BEHZ17, HPS18] | |
| Library | SEAL (v2.3) | RNS HEAAN |
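Idea 1: Approx RNS Basis
- Rounding Operation
  - $\mathsf{Enc}(m \pmod{q_\ell}) \mapsto \mathsf{Enc}(p_\ell^{-1} \cdot m \pmod{q_{\ell-1}})$ for $p_\ell = q_\ell / q_{\ell-1}$.
What if we don't use the same $p = p_\ell$ for all $\ell$?
$q_L = p_1 p_2 \cdots p_L$ for approximate basis $p_\ell \approx p$.
$\mathsf{Enc}(p_\ell^{-1} \cdot m) \approx \mathsf{Enc}(p^{-1} \cdot m)$ (w/ approximation error)
$R_{q_L} \cong R_{p_1} \times R_{p_2} \times \cdots \times R_{p_L}$ for $q_L = p_1 p_2 \cdots p_L$.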
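- Polynomial Arithmetic
  - Number Theoretic Transformation (NTT): $R_{p_i} \to \mathbb{Z}_{p_i}^N$
  - Should be a prime number with $p_i \equiv 1 \pmod{2N}$.
- Example ($p = 2^{55}$, $N = 2^{15}$): $p_1$ = 80000000080001, $p_2$ = 80000000130001, $p_3$ = 7FFFFFFFE90001, …
  $R_{p_1} \times R_{p_2} \times \cdots \times R_{p_L} \cong \mathbb{Z}_{p_1}^N \times \mathbb{Z}_{p_2}^N \times \cdots \times \mathbb{Z}_{p_L}^N$.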
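The approximate-basis rounding above, carried through on plain integers with the slide's example values. This is an added example, not code from the slides or from RNS HEAAN: it reads the three basis values as hexadecimal, lets integers stand in for polynomial coefficients, and the function names are hypothetical.

```python
from fractions import Fraction

# Slide example parameters: p = 2^55, N = 2^15, basis values read as hexadecimal.
P = 2**55
N = 2**15
BASIS = [0x80000000080001, 0x80000000130001, 0x7FFFFFFFE90001]


def basis_deviation(basis, p):
    """Largest relative distance |p_i / p - 1| over the basis (exact)."""
    return max(abs(Fraction(p_i, p) - 1) for p_i in basis)


def to_rns(m, basis):
    """Residues of the integer m modulo each basis element."""
    return [m % p_i for p_i in basis]


def rescale_rns(residues, basis):
    """Rounded division by the last basis element, using residues only.

    Returns the residues of round(m / p_last) modulo the remaining elements.
    """
    p_last = basis[-1]
    r = residues[-1]
    if r > p_last // 2:          # centred remainder, so the division rounds
        r -= p_last
    return [((c - r) * pow(p_last, -1, p_i)) % p_i
            for c, p_i in zip(residues[:-1], basis[:-1])]


def encode(x):
    """Fixed-point encoding m = round(p * x) of a decimal string x."""
    return round(Fraction(x) * P)


def multiply_and_rescale(x1, x2):
    """Multiply two encodings residue-wise, then rescale by p_3 instead of p.

    Returns (residues after rescaling, big-integer reference value).
    """
    m1, m2 = encode(x1), encode(x2)
    product = [(a * b) % p_i
               for a, b, p_i in zip(to_rns(m1, BASIS), to_rns(m2, BASIS), BASIS)]
    rescaled = rescale_rns(product, BASIS)
    reference = (m1 * m2 + BASIS[-1] // 2) // BASIS[-1]   # round(m1*m2 / p_3)
    return rescaled, reference


if __name__ == "__main__":
    print("p_i = 1 mod 2N:", all(p_i % (2 * N) == 1 for p_i in BASIS))
    print("max |p_i/p - 1| =", float(basis_deviation(BASIS, P)))
    rescaled, reference = multiply_and_rescale("1.234", "5.678")
    print("residues match big-integer rounding:",
          rescaled == to_rns(reference, BASIS[:-1]))
    decoded = Fraction(reference, P)          # decode with the nominal p
    print("decoded:", float(decoded),
          "error:", float(abs(decoded - Fraction("7.006652"))))
```

Decoding with the nominal $p$ after dividing by $p_3$ leaves a relative error of about $|p/p_3 - 1|$, which is the approximation error the slide refers to.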
Idea 2: Approx Modulus Switching
- Non-Polynomial Algorithms
  - Key-switching process (e.g. Homomorphic multiplication)
  - Mod Raising: $R_{q_\ell} \to R_{\Delta \cdot q_\ell}$, $a \mapsto a$.
  - Mod Reduction: $R_{\Delta \cdot q_\ell} \to R_{q_\ell}$, $b \mapsto \lfloor b / \Delta \rceil = (b - [b]_\Delta) / \Delta$.
  - $\mathrm{RNS}_{(p_1, p_2, \ldots, p_\ell)}(a) = (a_i)_{i \in [\ell]}$.
Alternative algorithms without RNS conversions?
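- Our Approx Mod Raising Algorithm (from $q_\ell$ to $\Delta \cdot q_\ell$)
  $R_{p_1} \times \cdots \times R_{p_\ell} \to R_{p_1} \times \cdots \times R_{p_\ell} \times R_{\Delta_1} \times \cdots \times R_{\Delta_k}$,
  $(a_1, \ldots, a_\ell) \mapsto (a_1, \ldots, a_\ell, b_1, \ldots, b_k) = \mathrm{RNS}_{p_i, \Delta_j}(q_\ell \cdot e + a)$.
  $\mathrm{RNS}_{p_i}^{-1}(a_i) \equiv \sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i \pmod{q_\ell}$ for $\hat{p}_i = q_\ell / p_i$.
  $\sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i = q_\ell \cdot e + a$ for a small $e$.
  $b_j = \sum_i [a_i \cdot \hat{p}_i^{-1}]_{p_i} \cdot \hat{p}_i \pmod{\Delta_j}$.
RNS Friendly Computation & Correctness of Homo Operations (w/ additional noise)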
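The approximate mod raising above, run on plain integers to show where the small overflow term comes from. This is an added example, not code from the slides or from RNS HEAAN: the basis is the slide's example read as hexadecimal, the two special moduli are constructed for illustration, residues are taken in [0, p_i), and the function names are hypothetical.

```python
from math import prod

# Basis p_1, p_2, p_3 from the slide's example (read as hexadecimal).
BASIS = [0x80000000080001, 0x80000000130001, 0x7FFFFFFFE90001]
# Constructed special moduli Delta_1, Delta_2 (Mersenne primes), illustration only.
SPECIAL = [2**61 - 1, 2**31 - 1]

Q = prod(BASIS)                                    # q_l = p_1 p_2 p_3
HATS = [Q // p_i for p_i in BASIS]                 # hat p_i = q_l / p_i
HAT_INV = [pow(h, -1, p_i) for h, p_i in zip(HATS, BASIS)]   # hat p_i^{-1} mod p_i


def to_rns(a, moduli):
    """Residues of the integer a modulo each modulus."""
    return [a % m for m in moduli]


def digits(residues):
    """y_i = [a_i * hat p_i^{-1}]_{p_i}, each computed modulo its own p_i."""
    return [(a_i * inv) % p_i for a_i, inv, p_i in zip(residues, HAT_INV, BASIS)]


def approx_mod_raise(residues):
    """b_j = sum_i y_i * hat p_i (mod Delta_j); a itself is never reconstructed.

    hat p_i mod Delta_j is a constant that can be precomputed, so every
    operation stays within the size of a single modulus.
    """
    ys = digits(residues)
    return [sum(y * (h % d) for y, h in zip(ys, HATS)) % d for d in SPECIAL]


def overflow(a):
    """The small e with sum_i y_i * hat p_i = q_l * e + a (big-integer check)."""
    total = sum(y * h for y, h in zip(digits(to_rns(a, BASIS)), HATS))
    e, remainder = divmod(total - a, Q)
    assert remainder == 0
    return e


if __name__ == "__main__":
    for a in (0, 123456789, Q - sum(HATS)):        # constructed sample inputs
        e = overflow(a)
        raised = approx_mod_raise(to_rns(a, BASIS))
        print("e =", e,
              "| equals RNS(q*e + a):", raised == to_rns(Q * e + a, SPECIAL),
              "| equals RNS(a):", raised == to_rns(a, SPECIAL))
```

With residues in [0, p_i) the overflow satisfies 0 <= e < 3 for this three-element basis, so the raised value differs from a by at most two multiples of q_l, which is the additional noise the slide mentions.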
Summary
- Idea 1: Approximate Basis
  - $q_\ell = p_1 p_2 \cdots p_\ell$ with $p_\ell \approx p$ for RNS decomposition.
  - Approximate error ($p_\ell^{-1} m \approx p^{-1} m$) of the Rounding algorithm.
- Idea 2: Full-RNS Variant
  - Approximate modulus-switching algorithms $R_{q_\ell} \leftrightarrow R_{\Delta \cdot q_\ell}$.
  - Additional noise.
Efficiency & Convenience of Implementation (GMP, NTL free)
vs Precision loss of computation
HEAAN vs RNS HEAAN
- 8x ~ 12x speed up
HEAAN
- 14 bits precision
RNS HEAAN
- 32 bits precision
https://github.com/HanKyoohyung/HEAAN-dev
Questions?