High-Performance FV Somewhat Homomorphic Encryption on GPUs: An - - PowerPoint PPT Presentation

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10th 2018 – CHES 2018

FHE – The holy grail of Cryptography

• FHE enables computing on encrypted data without decryption

[GB2009]

• Challenge: requires enormous computation

Client Cloud Server Homomorphic evaluation of 𝑔 𝐹𝑜𝑑(𝑦) 𝐹𝑜𝑑(𝑔(𝑦))

Encryption/Decryption

Ahmad Al Badawi - ahmad@u.nus.edu 2

How the problem is being tackled?

• Algorithmic methods:

– New FHE schemes – Plaintext packing (1D, 2D, …) – Encoding schemes – Approximated computing – Squashing the target function – DAG optimizations for the target circuit

• Acceleration methods:

– Speedup FHE basic primitives (KeyGen, Enc, Dec, Add, Mul) – Modular Algorithms – Parallel Implementations – Hardware implementations: GPUs, FPGAs and probably ASICs

Ahmad Al Badawi - ahmad@u.nus.edu 3

Our Contributions

• 1. Implementation of FV RNS on GPUs
• 2. Introducing a set of CUDA optimizations
• 3. Benchmarking with state-of-the-art implementations

Ahmad Al Badawi - ahmad@u.nus.edu 4

Why GPUs for FHE?

Ahmad Al Badawi - ahmad@u.nus.edu 5

• GPU +

– Naturally available – many computing cores – Developer friendly (FPGA, ASIC)

• FHE +

– Huge level of parallelism “If you were plowing a field, which would you rather use? Two strong oxen or 1024 chickens?”

Seymour Cray 1925-1996

Textbook FV

Ahmad Al Badawi - ahmad@u.nus.edu 6

• Basic mathematical structure is 𝑆: ℤ 𝑦 /(𝑦𝑜 + 1)

– Plaintext space: 𝑆𝑢: ℤ𝑢 𝑦 /(𝑦𝑜 + 1) – Ciphertext space: 𝑆𝑟: ℤ𝑟 𝑦 /(𝑦𝑜 + 1)

• Public key: 𝑞𝑙0, 𝑞𝑙1 ∈ 𝑆𝑟
• Secret key: 𝑡𝑙 ∈ 𝑆𝑟
• 𝑑 = 𝐹𝑜𝑑(𝑛): (

𝑟 𝑢 𝑛 + 𝑞𝑙0𝑣 + 𝑓0 𝑟 , 𝑞𝑙1𝑣 + 𝑓1 𝑟)

• 𝑛 = 𝐸𝑓𝑑 𝑑 :

𝑢 𝑟

𝑑0 + 𝑑1𝑡𝑙 𝑟

𝑢

• 𝑑+ = 𝐵𝑒𝑒 𝑑0, 𝑑1 : ( 𝑑00 + 𝑑10 𝑟, 𝑑01 + 𝑑11 𝑟)

Textbook FV (cont.)

Ahmad Al Badawi - ahmad@u.nus.edu 7

• 𝑑× = 𝑁𝑣𝑚 𝑑0, 𝑑1, 𝑓𝑤𝑙 :
• 1. Tensor product:

𝑤0 = ⌊

𝑢 𝑟 𝑑00𝑑10⌉ 𝑟 , 𝑤2 = ⌊ 𝑢 𝑟 𝑑01𝑑11⌉ 𝑟

𝑤1 = ⌊𝑢 𝑟 (𝑑00𝑑11 + 𝑑01𝑑10)⌉

𝑟

• 2. Base decomposition:

𝑤2 = 𝑤2

(𝑗)𝑥𝑗 𝑚 𝑗=0

, 𝑚 =

• 2. Relinearization:

𝑑× = 𝑤𝑘 + 𝑓𝑤𝑙𝑗𝑘 ⋅ 𝑤2

(𝑗) 𝑚 𝑗=0 𝑟

, 𝑘 ∈ {0,1}

Implementation Requirements

Ahmad Al Badawi - ahmad@u.nus.edu 8

• Polynomial arithmetic in cyclotomic rings
• Large polynomial degree (a few thousands)

– Power-of-2 cyclotomic – Addition/Subtraction: 𝒫(𝑜) – Multiplication: 𝒫(n log 𝑜)

• Large coefficients ∈ ℤ𝑟 (a few hundreds of bits)

– Modular algorithms (RNS)

• Extra non-trivial operations:

– Scaling-and-round ⌊

𝑢 𝑟 𝑦⌉

– Base decomposition

Polynomial Arithmetic

Ahmad Al Badawi - ahmad@u.nus.edu 9

𝑙 = log2 𝑟 log2 𝑞 𝑜 CRT: 𝑟 = 𝑞𝑗

𝑙−1 𝑗=0

, where 𝑞𝑗 is a prime RNS / CRT

log2 𝑞-bit number

. . . . . . . . .

Addition/Subtraction: component-wise add/sub modulo 𝑞𝑗

𝑞0 𝑞1 𝑞𝑙−1

Polynomial Arithmetic (cont.)

Ahmad Al Badawi - ahmad@u.nus.edu 10

Addition/Subtraction/Multiplication: component-wise add/sub/mul modulo 𝑞𝑗

𝑞0 𝑞1 𝑞𝑙−1

𝑜 RNS / CRT 𝑜

32-bit number

NTT (DGT)

. . . . . . . . . . . . . . .

NTT NTT−1

. . .

𝑞0 𝑞1 𝑞𝑙−1

𝑙 = log2 𝑟 log2 𝑞

DFT, NTT, DWT, DGT…?

Ahmad Al Badawi - ahmad@u.nus.edu 11

Pros Cons DFT

• Well-established
• Several efficient libraries to use
• Floating point errors increase as (𝑜 & 𝑞𝑗

′s) increase

• Reduce precision (smaller 𝑞𝑗

′s) => longer RNS matrix

=> more DFTs

NTT

• Exact
• Transform length (2𝑜)

DWT

• Exact
• Only power-of-2 cyclotomics
• Transform length (𝑜)

DGT

• Exact
• Transform length (

𝑜 2)

• 50% Less interaction with

memory

• Only power-of-2 cyclotomics
• Gaussian Arithmetic (larger number of

multiplications ~(30% - 40%)

• We use DGT in our implementation

Efficient DGT/NTT/DWT on GPU?

Ahmad Al Badawi - ahmad@u.nus.edu 12

𝐵 = NTT(𝑏) s.t. 𝐵𝑘 = 𝑏𝑗𝑥𝑘𝑗

𝑜−1 𝑗=0

mod 𝑟 𝑏 = NTT−1(𝐵) s.t. 𝑏𝑗 = 𝑜−1 𝐵𝑘𝑥−𝑗𝑘

𝑜−1 𝑘=0

mod 𝑟

• Better to store 𝑥𝑘𝑗 in lookup table.

– LUT can be stored in GPU texture memory (which is limited on GPU) – DWT LUT are 𝒫(𝑜) – DGT LUT are 𝒫(

𝑜 2)

• Compute in 𝐻𝐺(𝑞 ) or in 𝐻𝐺(𝑞𝑗)?

– We found it is better to do it 𝐻𝐺(𝑞𝑗). – Why? (see next)

Compute in 𝐻𝐺(𝑞 ) or in 𝐻𝐺(𝑞𝑗)?

Ahmad Al Badawi - ahmad@u.nus.edu 13

𝑞0 𝑞1 𝑞𝑙−1

𝑜

. . . . . . . . .

𝑙 = log2 𝑟 log2 𝑞

𝑯𝑮(𝒒 )

𝑞 : 64-bit prime (should fit in one word) 𝑞 ≤

𝑞 2𝑜 (one multiplication)

𝑜 212 213 214 215 216 log2 𝑞 26 25 25 24 24

• Longer RNS matrix => more NTTs
• Size double (32-bit => 64-bit)
• Supports limited number of operations

in NTT domain

𝑯𝑮(𝒒𝒋)

𝑞: word-size prime (can be 64-bit)

• Shorter RNS matrix => Less NTTs
• No size doubling
• Supports unlimited number of
• perations in NTT domain

But, is NTT/DWT/DGT performance-critical?

Ahmad Al Badawi - ahmad@u.nus.edu 14

Toy Settings

NTT RNS Base Extension RNS Scaling

• thers

Medium Settings

NTT RNS Base Extension RNS Scaling

• thers

Large Settings

NTT RNS Base Extension RNS Scaling

• thers

Breakdown of homomorphic multiplication (AND) in the BFV FHE scheme

Halevi, Shai, Yuriy Polyakov, and Victor Shoup. "An Improved RNS Variant of the BFV Homomorphic Encryption Scheme." (2018).

Computing CRT on GPU?

Ahmad Al Badawi - ahmad@u.nus.edu 15

• CRT 𝑏, {𝑞𝑗} :

(𝑏0, … , 𝑏𝑙−1) = 𝑏 mod 𝑞𝑗

• CRT−1(𝑏0, … , 𝑏𝑙−1) = 𝑏 s.t.

𝑏 = 𝑟 𝑞𝑗

𝑙−1 𝑗=0

𝑟 𝑞𝑗

−1

𝑏𝑗 (mod 𝑞𝑗) (mod 𝑟) where 𝑟 = 𝑞𝑗

𝑙−1 𝑗=0

• At least two methods:

– Classic algorithm – Garner’s algorithm

Classic Garners LUT

𝑙2 𝑙 𝑙 − 1 2

Thread Divergence

Non tractable Nil

• Is CRT critical to performance?

– No!

RNS tools

Ahmad Al Badawi - ahmad@u.nus.edu 16

• Useful to:

– Remain in RNS representation – No costly multi-precision arithmetic

• Two basic operations:

– Scale-and-round – Base decomposition

• Adopted from (BEHZ2016*) scheme
• Are RNS tools critical to performance?

– Extremely critical

* Bajard, Jean-Claude, et al. "A full RNS variant of FV like somewhat homomorphic encryption schemes." International Conference on Selected Areas in Cryptography. Springer, Cham, 2016.

FV_RNS Homomorphic Multiplication

Ahmad Al Badawi - ahmad@u.nus.edu 17

Benchmarking Results

Ahmad Al Badawi - ahmad@u.nus.edu 18

0.000 200.000 400.000 600.000 800.000 1000.000 1200.000 1400.000 1600.000 (11,62) (12,186) (13,372) (14,744) Time (ms)

Key Generation

GPU-FV SEAL NFLlib-FV 0.000 5.000 10.000 15.000 20.000 25.000 30.000 35.000 (11,62) (12,186) (13,372) (14,744) Time (ms)

Enc

GPU-FV SEAL NFLlib-FV 0.000 2.000 4.000 6.000 8.000 10.000 12.000 14.000 16.000 18.000 (11,62) (12,186) (13,372) (14,744) Time (ms)

Dec

GPU-FV SEAL NFLlib-FV 0.000 50.000 100.000 150.000 200.000 250.000 300.000 350.000 400.000 450.000 500.000 (11,62) (12,186) (13,372) (14,744) Time (ms)

HomoMul + Relinearization

GPU-FV SEAL NFLlib-FV

Which FV RNS variant to Implement?

Ahmad Al Badawi - ahmad@u.nus.edu 20

• Two RNS variants of FV

– BEHZ – HPS

• Answer can be found in:

– Al Badawi, Ahmad, et al. "Implementation and Performance Evaluation of RNS Variants of the BFV Homomorphic Encryption Scheme." IACR Cryptology ePrint Archive 2018 (2018): 589.

21

Thank You

Questions? Ahmad Al Badawi ahmad@u.nus.edu