practical bootstrapping in quasilinear time jacob alperin
play

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff - PowerPoint PPT Presentation

Jan 19, 2023 •366 likes •1.36k views

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

  1. Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21

  2. Fully Homomorphic Encryption [RAD’78,Gen’09] ◮ FHE lets you do this: � � µ Eval f , µ f ( µ ) where | f ( µ ) | and decryption time don’t depend on | f | . A cryptographic “holy grail” with tons of applications. 2 / 21

  3. Fully Homomorphic Encryption [RAD’78,Gen’09] ◮ FHE lets you do this: � � µ Eval f , µ f ( µ ) where | f ( µ ) | and decryption time don’t depend on | f | . A cryptographic “holy grail” with tons of applications. ◮ Naturally occurring schemes are “somewhat homomorphic” (SHE): they can only evaluate functions of an a priori bounded depth. � � � � µ Eval f, µ f ( µ ) Eval g, f ( µ ) g ( f ( µ )) 2 / 21

  4. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk 3 / 21

  5. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . 3 / 21

  6. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . ◮ Intensive study, many techniques [G’09,GH’11a,GH’11b,GHS’12b] , but still very inefficient – the main bottleneck in FHE, by far. 3 / 21

  7. Bootstrapping: SHE → FHE [Gen’09] ◮ Homomorphically evaluates the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. � � µ Eval f ( x ) = Dec x ( µ ) , sk sk ⋆ The only known way of obtaining unbounded FHE. ⋆ Goal: Efficiency! Minimize depth d and size s of decryption “circuit.” ⋆ Best SHEs [BGV’12] can evaluate in time ˜ O ( d · s · λ ) . ◮ Intensive study, many techniques [G’09,GH’11a,GH’11b,GHS’12b] , but still very inefficient – the main bottleneck in FHE, by far. ◮ The asymptotically most efficient methods on “packed” ciphertexts [GHS’12a,GHS’12b] are very complex, and appear practically worse than asymptotically slower methods. 3 / 21

  8. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime 4 / 21

  9. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts 4 / 21

  10. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . 4 / 21

  11. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? 4 / 21

  12. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) 4 / 21

  13. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) ✗ Log-depth mod- Φ m ( X ) circuit is complex, w/large hidden constants. 4 / 21

  14. Milestones in Bootstrapping [Gen’09]: ˜ O ( λ 4 ) runtime [BGV’12]: ˜ O ( λ 2 ) runtime, or ˜ O ( λ ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires “exotic” plaintext rings, emulating Z 2 arithmetic in Z p . [GHS’12b]: ˜ O ( λ ) runtime, for “packed” plaintexts. Declare victory? Dec circuit [GHS’12a] Bootstrapping compiler Procedure mod Φ m ( X ) ✗ Log-depth mod- Φ m ( X ) circuit is complex, w/large hidden constants. ✗✗ [GHS’12a] compiler is very complex, w/large polylog overhead factor. 4 / 21

  15. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 5 / 21

  16. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). 5 / 21

  17. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 5 / 21

  18. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: 5 / 21

  19. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. 5 / 21

  20. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. 5 / 21

  21. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. ✔ Special purpose, completely algebraic description – no “circuits.” 5 / 21

  22. Our Results Practical bootstrapping algorithms with quasi-linear ˜ O ( λ ) runtimes: 1 For “unpacked” (single-bit) plaintexts: ✔ Extremely simple! ✔ Uses only power-of-2 cyclotomic rings (fast, easy to implement). ⋆ Cf. [BGV’12] : ˜ O ( λ ) amortized across λ ciphertexts, exotic rings. 2 For “packed” (many-bit) plaintexts: ⋆ Based on a substantial enhancement of “ring-switching” [GHPS’12] to non-subrings. ✔ Appears quite practical, avoids both main inefficiencies of [GHS’12b] : no homomorphic reduction modulo Φ m ( X ) , no generic compilation. ✔ Special purpose, completely algebraic description – no “circuits.” ✔ Completely decouples the algebraic structure of SHE plaintext ring from that needed for bootstrapping. 5 / 21

  23. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) 6 / 21

  24. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) Let R q = R/qR = Z q [ X ] / ( X k/ 2 + 1) for any integer q . 6 / 21

  25. Setting the Stage: Decryption in SHE [LPR’10,BV’11,BGV’12] ◮ Let R = Z [ X ] / ( X k/ 2 + 1) , for k a power of 2. (The k th cyclotomic ring.) Let R q = R/qR = Z q [ X ] / ( X k/ 2 + 1) for any integer q . ◮ Plaintext ring is R 2 , ciphertext ring is R q for q ≫ 2 . Can assume k, q = ˜ O ( λ ) by ring- and modulus-switching. 6 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval (

1.03k views • 50 slides
Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com http://streamhacker.com http://text-processing.com https://github.com/japerk/nltk-trainer @japerk Problem you want to do NLProc many proven supervised

901 views • 31 slides
Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen

LinuxDay/Cagliari 2005: Practical Office Automation Practical Office Automation or How to Hack the OpenOffice.org File Format Jacob Sparre Andersen <sparre@crs4.it> Questions are welcome at any time during the talk. p. 1

435 views • 17 slides
Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen

Practical Office Automation Hacking the OpenOffice.org File Format Jacob Sparre Andersen sparre@crs4.it LinuxDay/Cagliari 2005: Practical Office Automation http://edb.jacob-sparre.dk/foredrag/OOo/ p. 1 Ouverture Subject: This talk is

310 views • 17 slides
Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech Oberwolfach Crypto Workshop 29 July 2014 1 / 22 Agenda 1 A homomorphic encryption tool: ring switching 2 An application: (practical!) bootstrapping

1.11k views • 98 slides
The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta

The Alperin-McKay conjecture for simple groups of type A Julian Brough joint work with Britta Sp ath Bergische Universit at Wuppertal June 12th, 2019 The Alperin-McKay conjecture Notation: G a finite group and a prime with |

580 views • 27 slides
Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Bootstrapping without the Boot We like minimally supervised learning (bootstrapping).

Executive Summary (if youre not an executive, you may stay for the rest of the talk) What: Bootstrapping without the Boot We like minimally supervised learning (bootstrapping). Lets convert it to unsupervised learning

344 views • 7 slides
Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky

Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky

Some classes of solutions to quasilinear elliptic equations of p -Laplace type I. E. Verbitsky University of Missouri, Columbia Singular Problems Associated to Quasilinear Equations Shanghai, China, June 13, 2020 In honor of Marie-Fran

1.01k views • 38 slides
Prelude to Parting After the birth of Rachels first child and his 11 th son Jacob

Prelude to Parting After the birth of Rachels first child and his 11 th son Jacob

The Prospering of Jacob This final part of chapter 30 proceeds in 2-stages Stage 1 is the prelude to parting in vv. 25-36, which we just read Jacob recognizes its time to return to Canaan Which Laban, quite expectedly resists T o which

281 views • 10 slides
Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater

Bootstrapping a Unified Model of Lexical and Phonetic Acquisition Micha Elsner Sharon Goldwater Jacob Eisenstein School of Informatics University of Edinburgh School of Interactive Technology Georgia Institute of Technology July 9, 2012

560 views • 36 slides
Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag,

BIBLIOGRAPHIE 245 Bibliographie [1] J.L. Alperin and Rowen B. Bell. Groups and representations . Springer Verlag, 1995. [2] J org Arndt. Algorithms for programmers. 2002. [3] Michael Artin. Algebra . Prentice Hall, 1991. [4] David H. Bailey.

151 views • 3 slides
Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C.

Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C.

Ethics Practical impacts of Ethics in your Cities Jacob G. Horowitz, City Attorney Michael C. Cernech, City Manager TAMARAC Solid Middle Class Community or Hotbed of Corruption? Your Role in creating an ethical organization Are ethical

587 views • 29 slides
Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob,

Eigen: a practical approach to linear algebra http://eigen.tuxfamily.org Beno t Jacob, Dept. of Mathematics, bjacob@math.toronto.edu NA seminar, University of Toronto 23 january 2009 Eigen is co-developed with Ga el Guennebaud

490 views • 28 slides
QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example:

QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example:

ECO 305 FALL 2003 October 7 QUASILINEAR PREFERENCES Utility additive, y and linear in y : U ( x, y ) = F ( x ) + y , Example: F ( x ) = x 1 / 2 Indi ff . curves vertically parallel y = u F ( x ) for any constant u Measure prices

510 views • 4 slides
Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter

Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter

Parametric Bootstrapping 18.05 Spring 2017 Parametric bootstrapping Use the estimated parameter to estimate the variation of estimates of the parameter! Data: x 1 , . . . , x n drawn from a parametric distribution F ( ). Estimate by a

63 views • 5 slides
Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their

Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their

Norma Chhab Alperin World Bank-ECLAC May 2018 Relevance of ICP results depend on their frequent and timely availability Recommendation: a frequency of at least every two or three years with extrapolations to annual results Global

675 views • 29 slides
p -Ranks of quasi-symmetric designs and standard modules of coherent configurations Akihide

p -Ranks of quasi-symmetric designs and standard modules of coherent configurations Akihide

p -Ranks of quasi-symmetric designs and standard modules of coherent configurations Akihide Hanaki Shinshu University June 2, 2014, Villanova University. A. Hanaki (Shinshu Univ.) p -Ranks of quasi-symmetric designs June 2, 2014 1 / 22

709 views • 22 slides
Characterizing Noetherian spaces as a 0 2 -analogue to compact spaces 1 Matthew de Brecht &

Characterizing Noetherian spaces as a 0 2 -analogue to compact spaces 1 Matthew de Brecht &

Characterizing Noetherian spaces as a 0 2 -analogue to compact spaces 1 Matthew de Brecht & Arno Pauly Kyoto University Universit Libre de Bruxelles TOPOSYM 2016 1 This work was supported by JSPS Core-to-Core Program, A. Advanced

332 views • 29 slides
On The Complexity Of Computing Grbner Bases For Quasi-Homogeneous Systems Jean-Charles Faugre

On The Complexity Of Computing Grbner Bases For Quasi-Homogeneous Systems Jean-Charles Faugre

On The Complexity Of Computing Grbner Bases For Quasi-Homogeneous Systems Jean-Charles Faugre 1 Mohab Safey El Din 1 , 2 Thibaut Verron 1 , 3 1 Universit Pierre et Marie Curie, Paris 6, France INRIA Paris-Rocquencourt, quipe P OL S YS

471 views • 25 slides
A domain theory for quasi-Borel spaces Ohad Kammar with Matthijs V ak ar and Sam Staton

A domain theory for quasi-Borel spaces Ohad Kammar with Matthijs V ak ar and Sam Staton

A domain theory for quasi-Borel spaces Ohad Kammar with Matthijs V ak ar and Sam Staton International Workshop on Domain Theory and its Applications 8 July 2018 Ohad Kammar, Matthijs V ak ar, and Sam Staton A domain theory for

731 views • 23 slides
Automata for Real-Time Systems B. Srivathsan Chennai Mathematical Institute 1/33 Let T

Automata for Real-Time Systems B. Srivathsan Chennai Mathematical Institute 1/33 Let T

Automata for Real-Time Systems B. Srivathsan Chennai Mathematical Institute 1/33 Let T denote the set of all timed words L ( A ) = T ? Universality: Given A , is Inclusion: Given A , B , is L ( B ) L ( A ) ? Universality and

673 views • 63 slides
Recoil scheme and logarithmic accuracy in agular-ordered parton showers Silvia Ferrario Ravasio

Recoil scheme and logarithmic accuracy in agular-ordered parton showers Silvia Ferrario Ravasio

Recoil scheme and logarithmic accuracy in agular-ordered parton showers Silvia Ferrario Ravasio IPPP Durham Milan Christmas Meeting 19-20 December 2019 Based on Gavin Bewick, S.F.R., Peter Richardson and Mike Seymour [arxiv:1904.11866]

896 views • 66 slides
Non-semisimple modular tensor categories from quasi-quantum groups Tobias Ohrmann Leibniz

Non-semisimple modular tensor categories from quasi-quantum groups Tobias Ohrmann Leibniz

Motivation Modular tensor categories Small quasi-quantum groups and modularization Non-semisimple modular tensor categories from quasi-quantum groups Tobias Ohrmann Leibniz University Hannover August 06, 2019 Motivation Modular tensor

878 views • 55 slides
Basics on Differential-Algebraic Equations (DAEs) Stephan Trenn Technomathematics group, Dept. of

Basics on Differential-Algebraic Equations (DAEs) Stephan Trenn Technomathematics group, Dept. of

Basics on Differential-Algebraic Equations (DAEs) Stephan Trenn Technomathematics group, Dept. of Mathematics, University of Kaiserslautern ICCAS 2014, Seoul, Korea October 23rd, 2014, Tutorial Session TA06 Motivation DAEs vs. ODEs Special

549 views • 43 slides

More recommend