FHE over the Integers and Modular Arithmetic Circuits Eunkyung Kim 1 - - PowerPoint PPT Presentation

FHE over the Integers and Modular Arithmetic Circuits

Eunkyung Kim1 Mehdi Tibouchi2

1Ewha Womans University, South Korea 2NTT Secure Platform Laboratories, Japan

WHEAT 2016, 2016–07–06

1/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

2/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

3/27 c ⃝2016 NTT Secure Platform Laboratories

FHE and binary message spaces

▶ Most FHE schemes introduced with message space Z/2Z ▶ Support the homomorphic evaluation of Boolean circuits ▶ In particular, in FHE “over the integers” [vDGHV10,. . . ], ciphertexts

usually look like: c = pq + 2r + m, m ∈ {0, 1}

▶ Some variants with multiple slots (message space (Z/2Z)m) or

extension fields (GF(2m)), but still binary

4/27 c ⃝2016 NTT Secure Platform Laboratories

How about non-binary message spaces?

▶ Could we replace 2 by some other value Q? (odd prime, say) ▶ We would then evaluate mod-Q arithmetic circuits instead of

Boolean ones

▶ The most naive way works somewhat ▶ E.g. for FHE over the integers, use ciphertexts of the form:

c = pq + Qr + m, m ∈ {0, . . . , Q − 1}

▶ Addition and multiplication work fine mod Q: can evaluate

low-degree polynomials mod Q on ciphertexts

▶ Can you get fully homomorphic encryption that way?

5/27 c ⃝2016 NTT Secure Platform Laboratories

The bootstrapping problem

▶ To get FHE from somewhat homomorphic encryption, we use

bootstrapping: homomorphic evaluation of the decryption circuit

▶ Decryption (for ciphertexts above) looks like:

m = (c mod p) mod Q

▶ This has to be expressed as a low-depth mod-Q arithmetic circuit

(squashing). Main hurdle: division c mod p

▶ In binary: write 1/p ≈ ∑ siyi (yi fixed precision public reals, all but

• ne pseudorandom; si random secret bits). Division then becomes a

large iterated addition: ∑ si(cyi)

6/27 c ⃝2016 NTT Secure Platform Laboratories

The Nuida–Kurosawa approach

▶ Squashing mod Q: need to write a low-depth mod-Q arithmetic

circuit for precise enough iterated addition

▶ Looked like a daunting task, so nobody touched it for many years,

until Nuida–Kurosawa (EUROCRYPT 2015)

▶ They gave explicit mod-Q circuits for iterated addition; deduced an

FHE scheme over the integers with message space Z/QZ

▶ Only works for small Q (otherwise, squashed decryption circuit

depth too large for bootstrappability)

7/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

8/27 c ⃝2016 NTT Secure Platform Laboratories

Boolean circuits vs. arithmetic circuits

▶ Mod-Q arithmetic circuits can be efficiently simulated by Boolean

circuits (size expansion factor polylogarithmic in Q) [vzGS91]

▶ In particular, easy to homomorphically evaluate mod-Q arithmetic

circuits using FHE with binary message space:

• 1. encrypt m ∈ Z/QZ bit by bit, as log2 Q ciphertexts ci
• 2. convert the mod-Q arithmetic circuit to Boolean, by replacing + and

× gates by Boolean subcircuits doing those operations

▶ Therefore, FHE with non-binary message space at most an

• ptimization

9/27 c ⃝2016 NTT Secure Platform Laboratories

Is the optimization worth it?

▶ So we asked ourselves the following question: is the mod-Q scheme

in [NK15] (NKQ) a good optimization compared to using Boolean circuits?

▶ For large Q, impossible:

▶ overhead of NKQ (in terms of ciphertext size & cost of

bootstrapping) is poly(Q)

▶ converting a mod-Q circuit to Boolean, the overhead is only

polylog(Q)

▶ It could be worth it for small Q, though. Let’s compare. ▶ For a level playing field, we compared NKQ to its own binary

version: Convert-NK2

10/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

11/27 c ⃝2016 NTT Secure Platform Laboratories

A new FHE Convert-NK2 with M = Z/QZ

Let NK2 be NK FHE with M = Z/2Z, then Convert-NK2 scheme is described as follow:

▶ KeyGen(1λ): (pk, sk) ← NK2. KeyGen(1λ) ▶ Enc(pk, m): for m ∈ M = Z/QZ, write m = (mn−1, · · · , m0)

(n = ⌈log(Q + 1)⌉) and encrypt m bitwise ⃗ c = (cn−1, · · · , c0) with ci ← NK2. Enc(pk, mi)

▶ Dec(sk,⃗

c): mi ← NK2. Dec(sk, ci) and return m =

n−1

∑

i=0

mi2i

▶ Eval: Use Boolean circuits which compute mod-Q addition and

mod-Q multiplication

12/27 c ⃝2016 NTT Secure Platform Laboratories

In this work

We compared Convert-NK2 vs NKQ; which is better?

13/27 c ⃝2016 NTT Secure Platform Laboratories

Convert-NK2 vs NKQ: Criteria for Comparison

• 1. Ciphertext size

▶ γQ: NQ ∈ [1, 2γQ ) ∩ Z ▶ γ′

2 ≈ γ2 log Q: ciphertext of Convert-NK2 is n-tuple of ciphertexts of

NK2

• 2. Time complexity to execute one mod-Q multiplication

▶ TQ: time complexity of a single ciphertext refresh operation in NKQ, ▶ T ′

2: time complexity of carrying out a multiplication mod Q in

Convert-NK2

14/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

15/27 c ⃝2016 NTT Secure Platform Laboratories

Figure : Conditions on parameters from [NK15]

16/27 c ⃝2016 NTT Secure Platform Laboratories

Choice of parameters in NK FHE

Q is treated as constant

▶ ρ = Θ(λ log log log λ): size of noise ▶ η = Θ(λ2 log log λ): size of secret prime ▶ γ = Θ(λ4 log2 λ): size of ciphertexts ▶ L = ⌈logQ λ⌉ + 2: the number of precision after Q-ary point in zi ▶ Θ = Θ((λ log λ)4): the number of sparse elements si

In a nutshell, we want to compare the case Q > 2 with Q = 2, so it is important not to ignore Q as constant.

17/27 c ⃝2016 NTT Secure Platform Laboratories

Choice of parameters in NK FHE

Q is treated as constant

▶ ρ = Θ(λ log log log λ): size of noise ▶ η = Θ(λ2 log log λ): size of secret prime ▶ γ = Θ(λ4 log2 λ): size of ciphertexts ▶ L = ⌈logQ λ⌉ + 2: the number of precision after Q-ary point in zi ▶ Θ = Θ((λ log λ)4): the number of sparse elements si

In a nutshell, we want to compare the case Q > 2 with Q = 2, so it is important not to ignore Q as constant.

17/27 c ⃝2016 NTT Secure Platform Laboratories

Dependence of parameters on Q

▶ In NKQ. KeyGen, we have vi = pqi + Qri + si and

log |vi mod p| = log |Qri + si| ≤ log Q + ρ = O(ρ)

▶ Squashed decryption circuit can be computed within in degree

QLQ+2 ≈ Q3λ (LQ ≈ logQ λ) In order to make NKQ. Eval(pk, NKQ. Dec, vi, c) works correctly, ηQ = (noise size) · Θ(degree of Dec) = Θ(ρQ3λ) Thus, η ∝ Q3, and hence γ ∝ Q6 since γ ∝ η2

18/27 c ⃝2016 NTT Secure Platform Laboratories

Choice of parameters with consideration of Q

We have parameters depending on Q

▶ ηQ = Θ(Q3λ2 log log λ): size of secret prime ▶ γQ = Θ(Q6λ4 log2 λ): size of ciphertexts ▶ LQ = ⌈logQ λ⌉ + 2: the number of precision after Q-ary point in zi

and not depending on Q

▶ ρ = Θ(λ log log log λ): size of noise ▶ Θ = Θ((λ log λ)4): the number of sparse elements si

19/27 c ⃝2016 NTT Secure Platform Laboratories

Ciphertext size of Convert-NK2 is smaller than NKQ

▶ γQ: ciphertext size of NKQ ▶ γ′ 2: ciphertext size of Convert-NK2

Proposition

For a given security parameter λ and odd prime Q > 2, we have γ′

2

γQ = Θ (log Q Q6 )

20/27 c ⃝2016 NTT Secure Platform Laboratories

Sketch of proof

▶ Ciphertext space of NKQ is Z/NQZ and NQ ∈ [1, 2γ Q) ∩ Z ▶ γQ = Θ(Q6λ4 log2 λ) ▶ Ciphertext space of Convert-NK2 is (Z/N2Z)log Q ▶ γ′ 2 = log Q · Θ(26λ4 log2 λ) = Θ(log Qλ4 log2 λ) ▶ γ′ 2

γQ = Θ(log Qλ4 log2 λ) Θ(Q6λ4 log2 λ) = Θ (log Q Q6 )

21/27 c ⃝2016 NTT Secure Platform Laboratories

Outline

Introduction Message spaces of FHE schemes Do modular arithmetic circuit matter? Our results Problem statement (I) Ciphertext size (II) Time complexity for mod-Q multiplication

22/27 c ⃝2016 NTT Secure Platform Laboratories

Basic binary operation

▶ k bit + k bit: 2 AND for each carry, and total 2k AND ▶ k bit × l bit for (k ≤ l): 2l(k + l) AND using so-called

“two-out-of-three” technique

23/27 c ⃝2016 NTT Secure Platform Laboratories

Boolean circuit for modQ multiplication

input m, m′ ∈ Z/QZ, Pre-computed Q′ = ⌈ 2K

Q ⌉ with K > 2n

and n ≈ log Q

• utput m · m′ mod Q
• 1. m · m′

(n bit × n bit)

• 2. (mm′) · Q′

(2n bit × (K − n) bit)

• 3. Q · ⌊ mm′Q′

2k

⌋ (n bit × n bit)

• 4. mm′ − Q⌊ mm′Q′

2k

⌋ (2n bit + 2n bit)

24/27 c ⃝2016 NTT Secure Platform Laboratories

Boolean circuit for modQ multiplication

input m, m′ ∈ Z/QZ, Pre-computed Q′ = ⌈ 2K

Q ⌉ with K > 2n

and n ≈ log Q

• utput m · m′ mod Q
• 1. m · m′

(n bit × n bit)

• 2. (mm′) · Q′

(2n bit × (K − n) bit)

• 3. Q · ⌊ mm′Q′

2k

⌋ (n bit × n bit)

• 4. mm′ − Q⌊ mm′Q′

2k

⌋ (2n bit + 2n bit)

Total Number of AND gates

2(2n(n + n)) + 2(K − n)(2n + K − n) + 2(2n) ≈ 14 log2 Q

24/27 c ⃝2016 NTT Secure Platform Laboratories

▶ tQ: time complexity of one mod-NQ multiplication ▶ TQ: (♯ of mults in NKQ. Dec)×tQ ▶ T ′ 2: (♯ of AND gate in mod-Q mult Boolean circuit)×T2

Proposition

For a given security parameter λ and odd prime Q > 2, we have T ′

2

TQ = O ( log4 Q Q7 )

25/27 c ⃝2016 NTT Secure Platform Laboratories

Sketch of proof

▶ tQ = log NQ log log NQ ≈ log NQ = γQ = Θ(Q6λ4 log2 λ) ▶

TQ = 4QΘL2

Q · tQ

= 4QΘ log2 λ log2 Q Θ(Q6λ4 log2 λ) = Θ ( Q7Θλ4 log4 λ log Q )

▶

T ′

2

= 14 log2 Q · 4 · 2ΘL2

2 · t2

= 8Θ log2 λΘ(26λ4 log2 λ) = Θ(log2 QΘλ4 log4 λ)

26/27 c ⃝2016 NTT Secure Platform Laboratories

Sketch of proof

▶ tQ = Θ(Q6λ4 log2 λ) ▶ TQ = Θ

( Q7Θλ4 log4 λ log Q )

▶ T ′ 2 = Θ(log2 QΘλ4 log4 λ)

Therefore T ′

2

TQ = Θ(log2 QΘλ4 log4 λ) Θ (

Q7Θλ4 log4 λ log Q

) = Θ ( log4 Q Q7 )

26/27 c ⃝2016 NTT Secure Platform Laboratories

Thank you for your attention

Questions?

27/27 c ⃝2016 NTT Secure Platform Laboratories