Homomorphic SIM 2 D operations: Single Instruction Much More Data - - PowerPoint PPT Presentation

Homomorphic SIM2D operations: Single Instruction Much More Data

Wouter Castryck Ilia Iliashenko Frederik Vercauteren

𝐷 𝐷cryp

§ç{à#£*°| 175.2

Homomorphic encryption

𝐷

175.2 2𝑦1023 + 𝑦2 + 7𝑦 + 5

𝐷

§ç{à#£*°|

𝐷cryp

real-world data plaintext ciphertext

Homomorphic encoding

𝑒-direction 𝑢-direction

Typically a ring of the form 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) where 𝑢 ∈ 𝐚≥2 and 𝑔 𝑦 ∈ 𝐚[𝑦] is monic irreducible of degree 𝑒. We represent this by a box: Polynomials of degree < 𝑒 and coefficients in [0, 𝑢). Plaintext space

𝑏 𝑗 𝑏𝑦𝑗

How to encode real-world input 𝜄? 𝜄 ≈ 𝑏𝑠𝑐𝑠 + 𝑏𝑠−1𝑐𝑠−1 + ⋯ + 𝑏1𝑐 + 𝑏0 for some base 𝑐 ∈ 𝐃. Decoding: evaluate in 𝑦 = 𝑐. Works well if no overflow. General principle: find an integer-digit expansion Then encode as 𝑏𝑠𝑦𝑠 + 𝑏𝑠−1𝑦𝑠−1 + ⋯ + 𝑏1𝑦 + 𝑏0.

𝑒-direction 𝑢-direction

Homomorphic encoding

General principle: find an integer-digit expansion Then encode as 𝑏𝑠𝑦𝑠 + 𝑏𝑠−1𝑦𝑠−1 + ⋯ + 𝑏1𝑦 + 𝑏0. How to encode real-world input 𝜄? 𝜄 ≈ 𝑏𝑠𝑐𝑠 + 𝑏𝑠−1𝑐𝑠−1 + ⋯ + 𝑏1𝑐 + 𝑏0 for some base 𝑐 ∈ 𝐃. Decoding: evaluate in 𝑦 = 𝑐. Works well if no overflow.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 Homomorphic encoding

General principle: find an integer-digit expansion Then encode as 𝑏𝑠𝑦𝑠 + 𝑏𝑠−1𝑦𝑠−1 + ⋯ + 𝑏1𝑦 + 𝑏0. How to encode real-world input 𝜄? 𝜄 ≈ 𝑏𝑠𝑐𝑠 + 𝑏𝑠−1𝑐𝑠−1 + ⋯ + 𝑏1𝑐 + 𝑏0 for some base 𝑐 ∈ 𝐃. Decoding: evaluate in 𝑦 = 𝑐. Works well if no overflow.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 Homomorphic encoding

General principle: find an integer-digit expansion Then encode as 𝑏𝑠𝑦𝑠 + 𝑏𝑠−1𝑦𝑠−1 + ⋯ + 𝑏1𝑦 + 𝑏0. How to encode real-world input 𝜄? 𝜄 ≈ 𝑏𝑠𝑐𝑠 + 𝑏𝑠−1𝑐𝑠−1 + ⋯ + 𝑏1𝑐 + 𝑏0 for some base 𝑐 ∈ 𝐃. Decoding: evaluate in 𝑦 = 𝑐. Works well if no overflow.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 Homomorphic encoding

General principle: find an integer-digit expansion Then encode as 𝑏𝑠𝑦𝑠 + 𝑏𝑠−1𝑦𝑠−1 + ⋯ + 𝑏1𝑦 + 𝑏0. How to encode real-world input 𝜄? 𝜄 ≈ 𝑏𝑠𝑐𝑠 + 𝑏𝑠−1𝑐𝑠−1 + ⋯ + 𝑏1𝑐 + 𝑏0 for some base 𝑐 ∈ 𝐃. Decoding: evaluate in 𝑦 = 𝑐. Works well if no overflow.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 Homomorphic encoding

Encoding fractional expansions 𝜄 ≈ 𝑏𝑠𝑐𝑠 + ⋯ + 𝑏1𝑐 + 𝑏0 + 𝑏−1𝑐−1 + ⋯ + 𝑏−𝑡𝑐−𝑡? Works as long as high powers and low powers do not overflow each other.

[Dowlin et al., ‘15] If 𝑔(𝑦) = 𝑦𝑒 + 1 then 𝑦−𝑗 ≡ −𝑦𝑒−𝑗 , so: put fractional part at the high powers, with negated sign.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 + 𝟑−𝟐 + 𝟑−𝟒 Fractional encoding

Encoding fractional expansions 𝜄 ≈ 𝑏𝑠𝑐𝑠 + ⋯ + 𝑏1𝑐 + 𝑏0 + 𝑏−1𝑐−1 + ⋯ + 𝑏−𝑡𝑐−𝑡? Works as long as high powers and low powers do not overflow each other.

[Dowlin et al., ‘15] If 𝑔(𝑦) = 𝑦𝑒 + 1 then 𝑦−𝑗 ≡ −𝑦𝑒−𝑗 , so: put fractional part at the high powers, with negated sign.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 + 𝟑−𝟐 + 𝟑−𝟒 Fractional encoding

Encoding fractional expansions 𝜄 ≈ 𝑏𝑠𝑐𝑠 + ⋯ + 𝑏1𝑐 + 𝑏0 + 𝑏−1𝑐−1 + ⋯ + 𝑏−𝑡𝑐−𝑡? Works as long as high powers and low powers do not overflow each other.

[Dowlin et al., ‘15] If 𝑔(𝑦) = 𝑦𝑒 + 1 then 𝑦−𝑗 ≡ −𝑦𝑒−𝑗 , so: put fractional part at the high powers, with negated sign.

𝑒-direction 𝑢-direction

𝜾 = 𝟑𝟕 + 𝟑𝟓 + 𝟑𝟒 + 𝟑 + 𝟐 + 𝟑−𝟐 + 𝟑−𝟒 Fractional encoding

SIMD

SIMD

SIMD

Batch encoding is possible thanks to CRT [Smart-Vercauteren, ‘14]: 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

where the 𝑔

𝑗(𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢.

SIMD

Batch encoding is possible thanks to CRT [Smart-Vercauteren, ‘14]: 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

where the 𝑔

𝑗(𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢.

SIMD

Batch encoding is possible thanks to CRT [Smart-Vercauteren, ‘14]: 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

where the 𝑔

𝑗(𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢.

SIMD

Batch encoding is possible thanks to CRT [Smart-Vercauteren, ‘14]: 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

where the 𝑔

𝑗(𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢.

SIMD

Batch encoding is possible thanks to CRT [Smart-Vercauteren, ‘14]: 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

where the 𝑔

𝑗(𝑦) are coprime factors of 𝑔 𝑦 modulo 𝑢.

SIMD 𝐷cryp SIMD i

Single Instruction, Multiple Data

• SIMD seems incompatible with fractional encoding, because

most factors of 𝑦𝑒 + 1 modulo 𝑢 are not of that form.

• The CRT allows for more fine-grained decompositions by also

incorporating factorizations of 𝑢. We give a very general fractional encoding method which does not require that 𝒈 𝒚 = 𝒚𝒆 + 𝟐. We show that this enables more flexible and denser data packing. Contributions

Write 𝑔 𝑦 = 𝑦 ⋅ 𝑕 𝑦 + 𝑔 0 . Fractional encoding revisited First encode as a Laurent polynomial in 𝐚[𝑦±1] by substituting 𝑦 for 𝑐. 𝑏𝑠𝑐𝑠 + ⋯ + 𝑏1𝑐 + 𝑏0 + 𝑏−1𝑐−1 + ⋯ + 𝑏−𝑡𝑐−𝑡

𝑏𝑠𝑦𝑠 + ⋯ + 𝑏1𝑦 + 𝑏0 + 𝑏−1𝑦−1 + ⋯ + 𝑏−𝑡𝑦−𝑡 Then apply: 𝐚 𝑦±1

mod 𝑢 𝐚𝑢 𝑦±1 𝜃𝑔

𝑆𝑢 where 𝜃𝑔: ቊ 𝑦 ↦ 𝑦 𝑦−1 ↦ −𝑔 0 −1𝑕(𝑦) Write 𝑔 𝑦 = 𝑦 ⋅ 𝑕 𝑦 + 𝑔 0 . Fractional encoding revisited First encode as a Laurent polynomial in 𝐚[𝑦±1] by substituting 𝑦 for 𝑐. mild requirement: 𝒈(𝟏) invertible mod 𝒖

Visually: looks like a mess, seems to overflow from the start! Decoding

𝑒-direction 𝑢-direction

Visually: looks like a mess, seems to overflow from the start! Decoding

𝑒-direction 𝑢-direction

Visually: looks like a mess, seems to overflow from the start! Algebraically, much cleaner. If 𝑛 − ℓ + 1 = 𝑒 then the restricted map is an isomorphism of free 𝐚𝑢-modules of rank 𝑒. Decoding

𝑒-direction 𝑢-direction

𝐚𝑢 𝑦±1

≥ℓ ≤𝑛 𝜃𝑔

𝑆𝑢

Suppose we know that the evaluation of 𝐷 when carried out in 𝐚[𝑦±1] ends up in a certain box

ℓ 𝑛 height 𝑢 width 𝑛 − ℓ + 1 = 𝑒

Bounding box 𝐚 𝑦±1

≥ℓ ≤𝑛 mod 𝑢 𝐚𝑢 𝑦±1 ≥ℓ ≤𝑛 𝜃𝑔

𝑆𝑢.

𝑦-axis 𝐚-axis

, and that some shifted plaintext space covers this box. Decoding = inverting

The CRT decomposition used in [Smart-Vercauteren, ‘14] Decomposing plaintext space 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ՜

≅

𝐚[𝑦] (𝑔

1 𝑦 , 𝑢) ×

𝐚[𝑦] (𝑔

2 𝑦 , 𝑢) × ⋯ ×

𝐚 𝑦 𝑔

𝑠 𝑦 , 𝑢

can be viewed as a vertical slicing of plaintext space: Each individual slice should cover the bounding box of the corresponding entry.

We generalize this discussion: suppose Decomposing plaintext space 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ≅ 𝑢 = 𝑢1𝑢2𝑢3 ⋯ 𝑢𝑡 𝑔 𝑦 = ෑ

𝑗=1 𝑠𝑗

𝑔

𝑗𝑘(𝑦) mod 𝑢𝑗

and are factorizations into coprimes. Then: 𝐚 𝑦 𝑔 𝑦 , 𝑢1 × × 𝐚 𝑦 𝑔 𝑦 , 𝑢𝑡 ⋮

𝐚 𝑦 𝑔

11 𝑦 , 𝑢1

× 𝐚 𝑦 𝑔

12 𝑦 , 𝑢1

× ⋯ × 𝐚 𝑦 𝑔

1𝑠1 𝑦 , 𝑢1

× × 𝐚 𝑦 𝑔

𝑡1 𝑦 , 𝑢𝑡

× 𝐚 𝑦 𝑔

𝑡2 𝑦 , 𝑢𝑡

× ⋯ × 𝐚 𝑦 𝑔

𝑡𝑠𝑡 𝑦 , 𝑢𝑡

⋮ We generalize this discussion: suppose Decomposing plaintext space 𝑆𝑢 = 𝐚[𝑦] (𝑔 𝑦 , 𝑢) ≅ 𝑢 = 𝑢1𝑢2𝑢3 ⋯ 𝑢𝑡 𝑔 𝑦 = ෑ

𝑗=1 𝑠𝑗

𝑔

𝑗𝑘(𝑦) mod 𝑢𝑗

and are factorizations into coprimes. Then:

Decomposing plaintext space

𝑢1 𝑢2 𝑢3 𝑢4

Blocks What if a computation does not fit into one of these bricks?

Blocks What if a computation does not fit into one of these bricks? Distribute computation over enough horizontal slices.

Blocks What if a computation does not fit into one of these bricks? Distribute computation over enough horizontal slices. In each horizontal slice, select enough factors 𝑔

𝑗𝑘(𝑦).

Gives rise to notion of block: ራ

𝑗∈𝐽

ራ

𝑘∈𝐾𝑗

𝑢𝑗, 𝑔

𝑗𝑘 𝑦

Toolkit for optimal packing Choose good 𝑢 for given circuit 𝐷 and dataset, taking into account:

• lower bounds coming from correct decoding,
• upper bound coming from correct decryption,
• splitting behaviour:

similar-sized 𝑢’s give very different brick structures.

Toolkit for optimal packing Choose set of blocks that make the best fit for the computation.

Toolkit for optimal packing Choose appropriate encoding base 𝑐, can be specific to block.

Toolkit for optimal packing Choose appropriate encoding base 𝑐, can be specific to block.

Toolkit for optimal packing Choose appropriate encoding base 𝑐, can be specific to block. Smaller base gives wider but lower encodings.

Thank you! Questions?