 
Building Algorithm-Hiding FHE Systems from Exotic Number Representations
P. Martins, L. Sousa
INESC-ID, Instituto Superior Técnico, Univ. Lisboa
Workshop on Randomness and Arithmetics for Cryptography on Hardware
Table of Contents
◮ Motivation
◮ Background
◮ Proposed Solution
◮ Experimental Results
◮ Related Art
◮ Conclusion
Motivation
Meltdown, Spectre
[Figure: diagram labelled Process, Process, Client 1, Client 2 above a Hypervisor hosting Client 1 and Client 2; the second build of the slide adds the label "with FHE"]
◮ Data disclosure is prevented
◮ What about algorithm disclosure?
Solution #1
◮ Describe GP-CPU as Homomorphic Circuit
◮ Convert Algorithm to Instruction Memory
◮ Homomorphically Evaluate GP-CPU
M. Brenner, J. Wiebelitz, G. von Voigt, M. Smith, Secret program execution in the cloud applying homomorphic encryption, in: IEEE DEST 2011, pp. 114–119. doi:10.1109/DEST.2011.5936608.
Solution #1
◮ The evaluator does not know which instruction is being executed
◮ All the CPU circuitry needs to be evaluated at each cycle
◮ Including memory accesses, ALU operations, etc.
⇒ Impractical
BGV
◮ Ring: $R = \mathbb{Z}[X]/(\phi_m(X))$, where $\phi_m(X)$ is a cyclotomic polynomial of degree $\varphi(m)$
◮ Ciphertexts: $c_0 + c_1 Y \in R_q[Y]$
◮ Decryption: $[c_0 + c_1 s]_q = [[m]_2 + 2v]_q$, with $m \in R_2$
◮ Addition: $(c_0 + c'_0) + (c_1 + c'_1) Y$ evaluated at $Y = s$ leads to $\approx [[m + m']_2 + 2(v + v')]_q$
Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) Fully Homomorphic Encryption Without Bootstrapping, ACM Trans. Comput. Theory 6 (3) (2014) 13:1–13:36
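BGV
◮ Multiplication: $(c_0 + c_1 Y) \times (c'_0 + c'_1 Y) = \mathrm{ct}_{\mathrm{mult},0} + \mathrm{ct}_{\mathrm{mult},1} Y + \mathrm{ct}_{\mathrm{mult},2} Y^2$ evaluated at $Y = s$ leads to $\approx [[m \times m']_2 + 2v'']_q$
◮ Relinearisation: Multiply $\mathrm{ct}_{\mathrm{mult},2}$ by pseudo-encryption of $s^2$ and add to $(\mathrm{ct}_{\mathrm{mult},0}, \mathrm{ct}_{\mathrm{mult},1})$
◮ Modulus-switching:
$$\delta_i \leftarrow 2 \cdot [-\mathrm{ct}_{\mathrm{mult},i}/2]_{q/q'} \quad \text{for } i = 0, 1$$
$$\mathrm{ct} \leftarrow \left( [q'/q \cdot (\mathrm{ct}_{\mathrm{mult},0} + \delta_0)]_{q'},\ [q'/q \cdot (\mathrm{ct}_{\mathrm{mult},1} + \delta_1)]_{q'} \right)$$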
Proposed Solution
◮ Analyse “Natural” Homomorphic Structures
◮ Design Efficient “Application-Specific Instruction Set Processor”
◮ Homomorphically Evaluate ASIP
P. Martins, L. Sousa, A methodical FHE-based cloud computing model, in Future Generation Computer Systems, Volume 95, 2019, pp. 639-648, doi:10.1016/j.future.2019.01.046.
“Natural” Homomorphic Structure #1
◮ Binary plaintext space $P = \mathbb{Z}[X]/(\phi_m(X), 2)$ with $\phi_m = F_0 \times \dots \times F_{l-1} \bmod 2$
◮ Exploit factorisation to encrypt multiple bits in a single ciphertext
◮ Bits $m_0, \dots, m_{l-1}$ are encoded as $m_i = m(x) \bmod (F_i(x), 2)\ \forall\, 0 \le i < l$
◮ Hom. additions and multiplications operate on them in parallel
“Natural” Homomorphic Structure #1
◮ Represent $x \in [0, 1]$ as $x_0, \dots, x_{l-1} \in \{0, 1\}$ s.t. $P(x_i = 1) = x$
◮ Batch-encrypt $x_0, \dots, x_{l-1}$
◮ Coefficient-wise multiplications and scaled additions
$$z_i = x_i \wedge y_i \Rightarrow z = xy$$
$$z_i = ((1 \oplus s_i) \wedge x_i) \oplus (s_i \wedge y_i) \Rightarrow z = (1 - s)x + sy$$
P. Martins, L. Sousa, A Stochastic Number Representation for Fully Homomorphic Cryptography, in: 2017 IEEE SiPS, 2017, pp. 1–6. doi:10.1109/SiPS.2017.8109973.
“Natural” Homomorphic Structure #1
Require: $B(x) = \sum_{i=0}^{d} \binom{d}{i} b_i x^i (1 - x)^{d-i}$
Require: $x_0$
for $i \in \{0, \dots, d\}$ do
    $b_i^{(0)} := b_i$
end for
for $j \in \{1, \dots, d\}$ do
    for $i \in \{0, \dots, d - j\}$ do
        $b_i^{(j)} := b_i^{(j-1)} (1 - x_0) + b_{i+1}^{(j-1)} x_0$
    end for
end for
return $B(x_0) = b_0^{(d)}$
De Casteljau’s algorithm for the evaluation of a polynomial in Bernstein form
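The following is an added example, not code from the slides or from the authors: a plaintext simulation (no encryption) of de Casteljau's algorithm over the stochastic bit representation, where each step is the slot-wise scaled addition $z_i = ((1 \oplus s_i) \wedge x_i) \oplus (s_i \wedge y_i)$. All function names, the slot count and the sample coefficients are constructed for illustration; it also shows that every level needs its own independent encoding of $x_0$, since reusing one select stream correlates the levels and yields the wrong value.

```python
import random

def encode(x, l, rng):
    """Stochastic encoding: l slots, each set to 1 with probability x."""
    return [1 if rng.random() < x else 0 for _ in range(l)]

def decode(bits):
    """Estimate the represented value as the fraction of slots set to 1."""
    return sum(bits) / len(bits)

def scaled_add(s, x, y):
    """Slot-wise z_i = ((1 XOR s_i) AND x_i) XOR (s_i AND y_i), i.e. z = (1-s)x + s*y.
    Only XOR and AND are used, the operations a batched binary plaintext space offers."""
    return [((1 ^ c) & a) ^ (c & b) for c, a, b in zip(s, x, y)]

def de_casteljau(b_streams, x_streams):
    """b_streams: d+1 encoded Bernstein coefficients (each in [0, 1]).
    x_streams: d encodings of x0, one consumed per level j = 1..d."""
    b = b_streams
    for sel in x_streams:
        b = [scaled_add(sel, b[i], b[i + 1]) for i in range(len(b) - 1)]
    return b[0]

def evaluate(coeffs, x0, l=1 << 16, seed=1, fresh=True):
    """Encode, run de Casteljau on bit streams, decode.
    fresh=False reuses one encoding of x0 at every level (incorrect on purpose)."""
    rng = random.Random(seed)
    d = len(coeffs) - 1
    b = [encode(c, l, rng) for c in coeffs]
    if fresh:
        xs = [encode(x0, l, rng) for _ in range(d)]
    else:
        xs = [encode(x0, l, rng)] * d
    return decode(de_casteljau(b, xs))

if __name__ == "__main__":
    coeffs = [0.1, 0.9, 0.2]  # constructed Bernstein coefficients, d = 2
    # Exact B(0.5) = 0.25*0.1 + 0.5*0.9 + 0.25*0.2 = 0.525
    print("independent selects:", evaluate(coeffs, 0.5))
    # With one reused select, each slot picks b_0 or b_2 only: 0.5*0.1 + 0.5*0.2 = 0.15
    print("reused select:      ", evaluate(coeffs, 0.5, fresh=False))
```

The accuracy of the decoded value is statistical: the standard deviation shrinks with the square root of the number of slots.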
“Natural” Homomorphic Structure #2
◮ Modify BGV with the following decryption: $[c_0 + c_1 s]_q = [m + v]_q$
◮ A number $x \in \mathbb{R}$ is represented as a polynomial $x = \lfloor \Delta x \rceil + v$
◮ After multiplications, rescale
$$\mathrm{ct} \leftarrow \left( \left[ \left\lfloor q'/q \cdot \mathrm{ct}_{\mathrm{mult},0} \right\rceil \right]_{q'},\ \left[ \left\lfloor q'/q \cdot \mathrm{ct}_{\mathrm{mult},1} \right\rceil \right]_{q'} \right)$$
J. H. Cheon, A. Kim, M. Kim, Y. Song, Homomorphic Encryption for Arithmetic of Approximate Numbers, Cryptology ePrint Archive, Report 2016/421 (2016).
“Natural” Homomorphic Structure #2
Require: $P(x) = \sum_{i=0}^{d} a_i x^i$
Require: $x_0$
$s := a_d$
for $i \in \{d - 1, \dots, 0\}$ do
    $s := a_i + x_0 s$
end for
return $P(x_0) = s$
Horner’s method for the evaluation of a polynomial in power form
ASIP Design
◮ Approximate continuous functions with Bernstein polynomials through Weierstrass theorem
◮ If necessary, convert Bernstein polynomials to power form
◮ Factorise multivariate polynomials into univariate polynomials
◮ Use de Casteljau algorithm or Horner’s method
ASIP Design
Approximate continuous functions with Bernstein polynomials through Weierstrass theorem
$$\beta^{(n_1,\dots,n_m)}_{f,k_1,\dots,k_m} = f\left( \frac{k_1}{n_1}, \dots, \frac{k_m}{n_m} \right)$$
$$B^{(n_1,\dots,n_m)}_f(x_1, \dots, x_m) = \sum_{\substack{0 \le k_l \le n_l \\ l \in \{1,\dots,m\}}} \beta^{(n_1,\dots,n_m)}_{f,k_1,\dots,k_m} \prod_{j=1}^{m} \binom{n_j}{k_j} x_j^{k_j} (1 - x_j)^{n_j - k_j}$$
ASIP Design
If necessary, convert Bernstein polynomials to power form
$$x_1^{j_1} \cdots x_m^{j_m} = \sum_{k_1 = j_1}^{n_1} \frac{\binom{k_1}{j_1}}{\binom{n_1}{j_1}} \binom{n_1}{k_1} x_1^{k_1} (1 - x_1)^{n_1 - k_1} \times \dots \times \sum_{k_m = j_m}^{n_m} \frac{\binom{k_m}{j_m}}{\binom{n_m}{j_m}} \binom{n_m}{k_m} x_m^{k_m} (1 - x_m)^{n_m - k_m}$$
$$= \sum_{\substack{j_l \le k_l \le n_l \\ l \in \{1,\dots,m\}}} \prod_{h=1}^{m} \frac{\binom{k_h}{j_h}}{\binom{n_h}{j_h}} \binom{n_h}{k_h} x_h^{k_h} (1 - x_h)^{n_h - k_h}$$
ASIP Design
Factorise multivariate polynomials into univariate polynomials
$$B^{(n_1,\dots,n_m)}_f(x_1, \dots, x_m) = \sum_{k_1=0}^{n_1} \binom{n_1}{k_1} x_1^{k_1} (1 - x_1)^{n_1 - k_1} \left( \sum_{k_2=0}^{n_2} \binom{n_2}{k_2} x_2^{k_2} (1 - x_2)^{n_2 - k_2} \left( \dots \left( \sum_{k_m=0}^{n_m} \binom{n_m}{k_m} \beta^{(n_1,\dots,n_m)}_{f,k_1,\dots,k_m} x_m^{k_m} (1 - x_m)^{n_m - k_m} \right) \dots \right) \right)$$
$$P(x_1, \dots, x_m) = \sum_{k_1=0}^{n_1} x_1^{k_1} \left( \sum_{k_2=0}^{n_2} x_2^{k_2} \left( \dots \left( \sum_{k_m=0}^{n_m} \alpha^{(n_1,\dots,n_m)}_{k_1,\dots,k_m} x_m^{k_m} \right) \dots \right) \right)$$
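The ASIP design steps above, worked through for the univariate case ($m = 1$) as an added example that is not code from the slides or from the authors: sample $\beta_k = f(k/n)$, convert to power form, and evaluate with Horner's method on fixed-point integers with a rescale after each multiplication. It is a plaintext model only; the scale `delta`, the function names and the sample function $f(x) = x^2$ are assumptions made for illustration, and the inverse conversion uses the identity from the conversion slide as a cross-check.

```python
from fractions import Fraction
from math import comb

def bernstein_coeffs(f, n):
    """beta_k = f(k/n) for k = 0..n (degree-n Bernstein approximation on [0, 1])."""
    return [Fraction(f(Fraction(k, n))) for k in range(n + 1)]

def bernstein_to_power(beta):
    """Coefficients a_j with sum_k beta_k C(n,k) x^k (1-x)^(n-k) = sum_j a_j x^j,
    obtained by expanding (1-x)^(n-k) with the binomial theorem."""
    n = len(beta) - 1
    return [sum((-1) ** (j - k) * comb(n, j) * comb(j, k) * beta[k]
                for k in range(j + 1)) for j in range(n + 1)]

def power_to_bernstein(a):
    """Inverse map from the slide's identity:
    x^j = sum_{k=j..n} C(k,j)/C(n,j) * C(n,k) x^k (1-x)^(n-k)."""
    n = len(a) - 1
    return [sum(Fraction(comb(k, j), comb(n, j)) * a[j] for j in range(k + 1))
            for k in range(n + 1)]

def encode(x, delta):
    """Fixed-point encoding round(delta * x)."""
    return round(x * delta)

def rescale(v, delta):
    """Plaintext analogue of rescaling after a product: divide by delta and round."""
    return (2 * v + delta) // (2 * delta)

def horner_fixed(a, x0, delta):
    """Horner's method on integers at scale delta; one rescale per multiplication."""
    X = encode(x0, delta)
    s = encode(a[-1], delta)
    for coeff in reversed(a[:-1]):
        s = encode(coeff, delta) + rescale(X * s, delta)
    return Fraction(s, delta)

if __name__ == "__main__":
    beta = bernstein_coeffs(lambda x: x * x, 4)   # constructed sample function
    a = bernstein_to_power(beta)                  # x/4 + 3x^2/4
    print("beta :", beta)
    print("power:", a)
    for delta in (2 ** 4, 2 ** 20):
        print("delta =", delta, "->", float(horner_fixed(a, 1 / 3, delta)))
```

A small `delta` makes the rounding error of each rescale visible; the Bernstein approximation error of the polynomial itself is a separate term and does not depend on `delta`.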
Proposed Computing Model
[Figure: inputs $x_1, \dots, x_m$ and $f$; Encrypt $E(x_i)$; Encrypt $E\left(\beta^{(n_1,\dots,n_m)}_{f,k_1,\dots,k_m}\right)$ or Encrypt $E\left(\alpha^{(n_1,\dots,n_m)}_{f,k_1,\dots,k_m}\right)$; Homomorphic Evaluator (de Casteljau or Horner); output Encrypt $E(f(x_1, \dots, x_m))$]
Example #1
Require: $z \in \mathbb{R}^K$
Sort $(z_1, \dots, z_K)$ as $(z_{(1)}, \dots, z_{(K)})$ s.t. $z_{(1)} \ge \dots \ge z_{(K)}$
$k(z) := \max \left\{ k \in \{1, \dots, K\} \;\middle|\; 1 + k z_{(k)} > \sum_{j \le k} z_{(j)} \right\}$
$\tau(z) := \dfrac{\left( \sum_{j \le k(z)} z_{(j)} \right) - 1}{k(z)}$
return $p$ s.t. $p_i := \max(0, z_i - \tau(z))$
Sparsemax function for mapping scores to probabilities
Example #1

| Function | Scheme | # slots | $n_1$ | $n_2$ | $m$ | $\log_2 q$ | MAE | Sequential Execution Time [s] | Parallel Execution Time [s] | Speedup |
|---|---|---|---|---|---|---|---|---|---|---|
| $\mathrm{sparsemax}_1(x_1, 0)$ | Fixed-point | | 5 | | $2^{15}$ | 744 | 0.0843 | 0.489 | - | - |
| $\mathrm{sparsemax}_1(x_1, 0)$ | Fixed-point | | 10 | | $2^{15}$ | 744 | 0.0495 | 0.689 | - | - |
| $\mathrm{sparsemax}_1(x_1, 0)$ | Fixed-point | | 15 | | $2^{16}$ | 1550 | 0.0336 | 9.00 | - | - |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Fixed-point | | 2 | 2 | $2^{15}$ | 744 | 0.181 | 0.902 | 0.543 | 1.7 |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Fixed-point | | 3 | 3 | $2^{15}$ | 744 | 0.133 | 1.57 | 0.687 | 2.3 |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Fixed-point | | 4 | 4 | $2^{16}$ | 1550 | 0.120 | 20.7 | 6.87 | 3.0 |
| $\mathrm{sparsemax}_1(x_1, 0)$ | Stochastic | 630 | 5 | | 8191 | 327 | 0.104 | 0.409 | 0.272 | 1.5 |
| $\mathrm{sparsemax}_1(x_1, 0)$ | Stochastic | 1024 | 10 | | 21845 | 1440 | 0.063 | 16.2 | 6.40 | 2.5 |
| $\mathrm{sparsemax}_1(x_1, 0)$ | Stochastic | 2160 | 15 | | 55831 | 2592 | 0.036 | 83.0 | 19.5 | 4.3 |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Stochastic | 630 | 2 | 2 | 8191 | 327 | 0.151 | 0.301 | 0.254 | 1.1 |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Stochastic | 1024 | 3 | 3 | 21845 | 985 | 0.129 | 9.46 | 3.58 | 2.6 |
| $\mathrm{sparsemax}_1(x_1, x_2, 0)$ | Stochastic | 2160 | 4 | 4 | 55831 | 2592 | 0.112 | 39.6 | 9.78 | 4.0 |

The functions $\mathrm{sparsemax}_1(x_1, 0)$ and $\mathrm{sparsemax}_1(x_1, x_2, 0)$ were approximated and homomorphically evaluated on an i7-5960X, using both a fixed-point approach with Horner’s scheme and a stochastic number representation with de Casteljau’s algorithm
Example #2