faster bootstrapping with polynomial error jacob alperin
play

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff - PowerPoint PPT Presentation

Mar 30, 2024 •513 likes •1.03k views

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval (

  1. Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10

  2. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] 2 / 10

  3. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) 2 / 10

  4. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) ◮ Thus far, “bootstrapping” is required to achieve unbounded FHE. 2 / 10

  5. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk 3 / 10

  6. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. 3 / 10

  7. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : 3 / 10

  8. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. 3 / 10

  9. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. 3 / 10

  10. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. 3 / 10

  11. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth and lattice approx factors = 3 / 10

  12. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � � � Eval Dec · , µ µ sk ◮ Error growth of bootstrapping determines cryptographic assumptions. State of the art [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth and lattice approx factors = ◮ Can we do better? 3 / 10

  13. Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . 4 / 10

  14. Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) 4 / 10

  15. Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) depth d length 4 d 4 / 10

  16. Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem 0 . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) 0 . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) 1 depth d length 4 d 4 / 10

  17. Bootstrapping with Polynomial Error [BrakerskiVaikuntanathan’14] ◮ Error growth for multiplication in [GSW’13] is asymmetric: Error in C := C 1 d C 2 is e := e 1 · poly ( λ ) + µ 1 · e 2 . ◮ Make multiplication right-associative: C 1 d ( · · · ( C t − 2 d ( C t − 1 d C t )) · · · ) has error � i e i · poly ( λ ) ◮ Barrington’s Theorem 0 . . . ( P 0 , 1 ) ( P 1 , 1 ) ( P 14 , 1 ) ( P 15 , 1 ) 0 . . . ( P 0 , 0 ) ( P 1 , 0 ) ( P 14 , 0 ) ( P 15 , 0 ) 1 length 4 d ≈ λ 6 depth d ≈ 3 log λ ✗ Problem: Barrington’s transformation is very inefficient. 4 / 10

  18. Our Results 1 Faster bootstrapping with small polynomial error growth 5 / 10

  19. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. 5 / 10

  20. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! 5 / 10

  21. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group 5 / 10

  22. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 5 / 10

  23. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 2 Variant of [GSW’13] encryption scheme 5 / 10

  24. Our Results 1 Faster bootstrapping with small polynomial error growth ⋆ Treats decryption as an arithmetic function over Z q , not a circuit. Avoids Barrington’s Theorem – but still uses permutation matrices! ⋆ Key Idea: Embed additive group ( Z q , +) into small symmetric group Reference # Homom Ops Noise Growth ˜ λ O (log λ ) [GHS’12,AP’13] (packing) O (1) ✔ ˜ O ( λ 6 ) [BV’14] large poly( λ ) ˜ ˜ O ( λ 2 ) This work O ( λ ) ✔ 2 Variant of [GSW’13] encryption scheme ⋆ Very simple description and error analysis 5 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

1.36k views • 98 slides
Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com http://streamhacker.com http://text-processing.com https://github.com/japerk/nltk-trainer @japerk Problem you want to do NLProc many proven supervised

901 views • 31 slides
PATTERN RECOGNITION AND MACHINE LEARNING Polynomial Curve Fitting Sum-of-Squares Error Function 0

PATTERN RECOGNITION AND MACHINE LEARNING Polynomial Curve Fitting Sum-of-Squares Error Function 0

Christopher M. Bishop PATTERN RECOGNITION AND MACHINE LEARNING Polynomial Curve Fitting Sum-of-Squares Error Function 0 th Order Polynomial 1 st Order Polynomial 3 rd Order Polynomial 9 th Order Polynomial Over-fitting Root-Mean-Square (RMS)

865 views • 75 slides
Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School

Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School

Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School 12 Oct 2015 1 / 14 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval ( f ) f ( ) A cryptographic holy

1.01k views • 66 slides
On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40

On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40

Aim Error bound theorems Numerical experiment Results Conclusions On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40 th South African Symposium of Numerical and Applied Mathematics 22 - 24 March

728 views • 25 slides
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faug` ere, P . Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

613 views • 36 slides
Faster algorithms for the characteristic polynomial Clment P ERNET and Arne S TORJOHANN

Faster algorithms for the characteristic polynomial Clment P ERNET and Arne S TORJOHANN

State of the art A new algorithm The new algorithm into practice Faster algorithms for the characteristic polynomial Clment P ERNET and Arne S TORJOHANN Symbolic Computation Group University of Waterloo, Canada. ISSAC 2007, Waterloo, July

935 views • 61 slides
Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation = Polynomial + error bound Rigorous methods Algorithmic methods Efficient and accurate 1/16 Multinormval Why Algorithmic and Rigorous Polynomial

1.12k views • 98 slides
The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta Sp ath Bergische Universit at Wuppertal June 12th, 2019 The Alperin-McKay conjecture Notation: G a finite group and a prime with |

580 views • 27 slides
Sending ICS Forms Using MT63 Soundcard Mode Faster than Voice and Error Free AH6EZ/W7 Dick

Sending ICS Forms Using MT63 Soundcard Mode Faster than Voice and Error Free AH6EZ/W7 Dick

Sending ICS Forms Using MT63 Soundcard Mode Faster than Voice and Error Free AH6EZ/W7 Dick Illman MT63 Mode Used by many EOC organizations - Proven communications method Forward Error Correction - (better than voice and handwriting)

347 views • 15 slides
Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Executive Summary (if youre not an executive, you may stay for the rest of the talk) What: Bootstrapping without the Boot We like minimally supervised learning (bootstrapping). Lets convert it to unsupervised learning

344 views • 7 slides
AND MACHINE LEARNING CHAPTER 1: INTRODUCTION Example Handwritten Digit Recognition Polynomial

AND MACHINE LEARNING CHAPTER 1: INTRODUCTION Example Handwritten Digit Recognition Polynomial

PATTERN RECOGNITION AND MACHINE LEARNING CHAPTER 1: INTRODUCTION Example Handwritten Digit Recognition Polynomial Curve Fitting Sum-of-Squares Error Function 0 th Order Polynomial 1 st Order Polynomial 3 rd Order Polynomial 9 th Order

811 views • 59 slides
Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob

Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob

Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob R. Lorch Surfing the Web Prefetching: Web 1.0 Sta9c objects connected by declara9ve links Find prefetchable objects by traversing graph

613 views • 43 slides
Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater Jacob Eisenstein School of Informatics University of Edinburgh School of Interactive Technology Georgia Institute of Technology July 9, 2012

560 views • 36 slides
Linear Discriminant Functions Linear Discriminant Functions 5.8, 5.9, 5.11 Jacob Hays Amit

Linear Discriminant Functions Linear Discriminant Functions 5.8, 5.9, 5.11 Jacob Hays Amit

10/2/2008 Linear Discriminant Functions Linear Discriminant Functions 5.8, 5.9, 5.11 Jacob Hays Amit Pillay James DeFelice Minimum Squared Error Minimum Squared Error Previous methods only worked on linear separable cases, by looking at

390 views • 19 slides
Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

BIBLIOGRAPHIE 245 Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag, 1995. [2] J org Arndt. Algorithms for programmers. 2002. [3] Michael Artin. Algebra . Prentice Hall, 1991. [4] David H. Bailey.

151 views • 3 slides
Financial results FY 2007 Conference call 2007 highlights Very satisfactory sales growth Key

Financial results FY 2007 Conference call 2007 highlights Very satisfactory sales growth Key

25/ 1/ 2008 Financial results FY 2007 Conference call 2007 highlights Very satisfactory sales growth Key financials 4 Q 2 0 0 7 2 0 0 7 exceeded expectations Sales growth, LCY 15% 14% EBIT growth, despite high raw Sales growth,

324 views • 17 slides
Motivations Present and future probes of DE: BAO, Weak Lensing, Ly , 21cm, ... they all require

Motivations Present and future probes of DE: BAO, Weak Lensing, Ly , 21cm, ... they all require

Dark Matter Clustering from the Renormalization Group and implications for cosmic acceleration Massimo Pietroni - Infn Padova (in collaboration with Sabino Matarrese) Motivations: BAO and all that Eulerian Perturbation Theory:

327 views • 21 slides
COVID-19 AND LUNG CANCER What We Know, What We Dont Know and What It All Means for Current

COVID-19 AND LUNG CANCER What We Know, What We Dont Know and What It All Means for Current

COVID-19 AND LUNG CANCER What We Know, What We Dont Know and What It All Means for Current Patient Care A Live CME Webinar Thursday, July 2, 2020 12:00 PM 1:00 PM ET Moderator Neil Love, MD Faculty Leora Horn, MD, MSc Naiyer A

740 views • 53 slides
Secure Indexing/Search for g Regulatory-Compliant Record R Retention i 1 There is a need for

Secure Indexing/Search for g Regulatory-Compliant Record R Retention i 1 There is a need for

Secure Indexing/Search for g Regulatory-Compliant Record R Retention i 1 There is a need for trustworthy record keeping k i Email Instant Messaging Spending on Files Files eDiscovery Growing eDiscovery Growing at 65% CAGR

730 views • 56 slides
WC WC P P S S S S G G o o o o g g l l e e A A p p p p s s - - S S l

WC WC P P S S S S G G o o o o g g l l e e A A p p p p s s - - S S l

k Ma y 2 0 1 6 WC WC P P S S S S G G o o o o g g l l e e A A p p p p s s - - S S l l i d i d e e s s A t a G l a n c e . . . A c c e s s I t A t . . . w w w . g o o g l

56 views • 5 slides
Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information

Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information

First Quarter 2020 Results May 6, 2020 Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information All statements, other than statements of historical fact, contained or incorporated by reference in or made

669 views • 22 slides
SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike

SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike

SpOT-Light: Lightweight Private Set Intersection from Sparse OT Extension Benny Pinkas Mike Rosulek Ni Trieu Avishay Yanai Presented by Cui Hongrui October 18, 2019 PRTY (BIU&OSU) SpOT October 18, 2019 1 / 30 Overview Introduction

1.5k views • 33 slides
REVISED 10 CFR PART 35: MEDICAL USE OF BYPRODUCT MATERIAL Subpart H: Photon Emitting Remote

REVISED 10 CFR PART 35: MEDICAL USE OF BYPRODUCT MATERIAL Subpart H: Photon Emitting Remote

REVISED 10 CFR PART 35: MEDICAL USE OF BYPRODUCT MATERIAL Subpart H: Photon Emitting Remote Afterloader, Teletherapy, and Gamma Stereotactic Radiosurgery Units P Deleted old 35.643, Modification of teletherapy unit or room before beginning a

567 views • 32 slides

More recommend