Sparse-secret Ring-LWE in FHE: Is It Really Needed? Ilia Iliashenko - - PowerPoint PPT Presentation

Sparse-secret Ring-LWE in FHE: Is It Really Needed?

Ilia Iliashenko (joint work with Hao Chen, Kim Laine, Yongsoo Song)

Lattice Coding & Crypto Meeting, Royal Holloway 20 Nov

Learning with Errors (LWE)

𝒄 = ⋅ + 𝑩 𝒕 𝒇

Decision: distinguish between (𝑩, 𝒄) and uniformly random (𝑵, 𝒘). Search:

find 𝒕. 𝑩 ∈ ℤ/

0×2 is uniformly random, 𝒕 ∈ ℤ/ 0 and 𝒇 ∈ ℤ/ 0 is small.

Sample 𝒕 and 𝒇 coefficient-wise

𝒄 = ⋅ + 𝑩 𝒕 𝒇 𝒕𝟏 𝒕𝟐 … 𝒕𝒐6𝟐

Uniformly random 𝑉8 over 0,1 0. Uniformly random 𝑉< over −1,0,1 0. Uniformly random 𝑉/ over ℤ/

0.

Discrete Gaussian 𝒠/ over ℤ/

0.

Hardness of LWE

𝒄 = ⋅ + 𝑩 𝒕 𝒇 𝒕𝟏 𝒕𝟐 … 𝒕𝒐6𝟐 𝒕 ← 𝑉/, or 𝑉8, or 𝒠/ 𝒇 ← 𝒠/ with 𝜏 ∈ Ω 𝑜 LWE is as hard as classical lattice problems (GapSVP, DGS)

Uniformly random 𝑉8 over 0,1 0. Uniformly random 𝑉< over −1,0,1 0. Uniformly random 𝑉/ over ℤ/

0.

Discrete Gaussian 𝒠/ over ℤ/

0.

Sparse-secret LWE

𝒄 = ⋅ + 𝑩 𝒕 𝒇 𝒕𝟏 𝒕𝟐 … 𝒕𝒐6𝟐 𝒕 ← 𝑉< ℎ : 𝑥𝑢 𝒕 = ℎ 𝒇 ← 𝒠/ ???

Uniformly random 𝑉8 over 0,1 0. Uniformly random 𝑉< over −1,0,1 0. Uniformly random 𝑉/ over ℤ/

0.

Discrete Gaussian 𝒠/ over ℤ/

0.

Ring-LWE

𝒄 = ⋅ + 𝒕 𝒇

𝒃𝟏 𝒃𝟐 𝒃𝟑 … 𝒃𝒐6𝟐 −𝒃𝒐6𝟐 𝒃𝟏 𝒃𝟐 … 𝒃𝒐6𝟑 …

Ring-LWE

𝑐 = + 𝑡 𝑓 𝑏 𝑏, 𝑐, 𝑡, 𝑓 ∈ 𝑆/ = ℤ[𝑌]/(𝑟, 𝑌0 + 1) (𝑜 must be a power of two) ⋅

Hardness of Ring-LWE

𝑐 = + 𝑡 𝑓 𝑏 𝑏, 𝑐, 𝑡, 𝑓 ∈ 𝑆/ = ℤ[𝑌]/(𝑟, 𝑌0 + 1) (𝑜 must be a power of two) 𝑡 ← 𝑉/ or 𝒠/ Ring-LWE is at least as hard as SIVP ⋅

Attacks on sparse-secret LWE

Albrecht, Eurocrypt’17 Albrecht et al., Asiacrypt ’17 Cheon et al., IEEE Access’19 Curtis and Player, WAHC’19 Cheon and Son, WAHC’19 …

Efficient FHE schemes need sparse secrets for bootstrapping

computation bootstrapping noise plaintext Bootstrapping performs decryption homomorphically.

Multiplicative depth of bootstrapping depends on 𝑥𝑢 𝑡 :

• FV:

log 𝑥𝑢 𝑡 + log(log 𝑥𝑢 𝑡 + log 𝑢)

• BGV:

log 𝑥𝑢 𝑡 + log 𝑢

Reference: Chen and Han, Eurocrypt’18

TFHE bootstrapping does not have this dependency.

Efficient FHE schemes need sparse secrets for bootstrapping

Approximate HE

𝑑𝑢 𝑛Z ⋆ 𝑑𝑢 𝑛8 = 𝑑𝑢 ≃ 𝑛Z ⊙ 𝑛8

Approximate HE (HEAAN/CKKS)

Idea: consider ciphertext noise as a part of a message.

Decrypt 𝑑𝑢 = 𝑛 + 𝑓 ≃ 𝑛.

Reference: Cheon et al., Asiacrypt’17

HEAAN bootstrapping

computation Mult undecryptable noise plaintext

HEAAN bootstrapping

computation bootstrapping noise plaintext

HEAAN “bootstrapping”

bootstrapping plaintext is lost

HEAAN “bootstrapping”

bootstrapping plaintext is lost Bootstrappable Encryption Scheme Let 𝐷e be the set of circuits that 𝐹 can compactly and correctly evaluate. We say that 𝐹 is bootstrappable with the respect to gate Γ if 𝐸𝑓𝑑e Γ ⊆ 𝐷e. Correctness of Homomorphic Encryption HE scheme 𝐹 is correct for a circuit 𝐷 if for any plaintexts 𝜌Z, … , 𝜌k it holds: If ct = Evaluatee(𝐷, Enc 𝜌Z , … , Enc 𝜌k ), then Dece 𝑑𝑢 = 𝐷 𝜌Z, … , 𝜌k .

HEAAN “bootstrapping”

bootstrapping plaintext is lost Bootstrappable Encryption Scheme Let 𝐷e be the set of circuits that 𝐹 can compactly and correctly evaluate. We say that 𝐹 is bootstrappable with the respect to gate Γ if 𝐸𝑓𝑑e Γ ⊆ 𝐷e. Correctness of Homomorphic Encryption HE scheme 𝐹 is correct for a circuit 𝐷 if for any plaintexts 𝜌Z, … , 𝜌k it holds: If ct = Evaluatee(𝐷, Enc 𝜌Z , … , Enc 𝜌k ), then Dece 𝑑𝑢 = 𝐷 𝜌Z, … , 𝜌k .

HEAAN works with complex vectors

ℂ0/8 𝑨Z 𝑨8 … 𝑨0/8 𝑨Z … 𝑨0/8 𝑨0/8 … s 𝑨Z ℂ0 𝑤u … 𝑤06Z ℝ0

Inverse DFT* *with primitive roots of unity

𝑆/ ⌊ ⌉ Δ ⋅ 𝑤u … ⌊ ⌉ Δ ⋅ 𝑤06Z

𝑌u 𝑌06Z …

How to encode less than 𝑜/2 values?

𝑨Z 𝑨8 … 𝑨{ ℂ{

𝑛 must divide n/2

𝑤u 𝑤Z … 𝑤8{6Z

𝑍u 𝑍8{6Z … 𝑍Z

ℤ[𝑍] 𝑤u 0 … 𝑤Z … 𝑤8{6Z …

𝑌u 𝑌0/8{ 𝑌(0/8{)(8{6Z) 𝑍 ↦ 𝑌0/8{

𝑆/

Decoding

𝑏u … 𝑏06Z 𝑏u

~

… 𝑏06Z

~ computation

∆~ ⋅ 𝒜𝟐 + 𝒇𝟐 … ∆~ ⋅ 𝒜𝒐/𝟑 + 𝒇𝒐/𝟑

DFT*

≈ 𝑨Z … ≈ 𝑨0/8

1/∆~ *with primitive roots of unity 𝑌u 𝑌06Z 𝑌u 𝑌06Z

Rotation of encoded vectors

ℂ‚/8 𝑨Z 𝑨8 … 𝑨0/8 𝑆/ 𝑏u … 𝑏06Z

𝑌u 𝑌06Z

𝑐u … 𝑐06Z

𝑌u 𝑌06Z

𝑌 → 𝑌„… 𝑨†‡Z 𝑨†‡8 … 𝑨†

Rotation of encoded vectors

ℂ{ 𝑨Z 𝑨8 … 𝑨{ 𝑆/ 𝑏u … 𝑏06Z

𝑌u 𝑌06Z

𝑐u … 𝑐06Z

𝑌u 𝑌06Z

𝑌 → 𝑌„ˆ 𝑨Z 𝑨8 … 𝑨{

Rotations by 𝑙𝑛 slots are automorphisms of 𝑆 fixing 𝑆~ = ℤ 𝑌

Š ‹ˆ /(𝑟, 𝑌0 + 1), 𝑆~ ⊂ 𝑆.

− + ⋅ = 𝑐

Key generation, encryption and decryption

𝒠/ secret key public key 𝑉/ 𝑉<(ℎ)

𝑓 𝑡 𝑏 Key generation

− + ⋅ = 𝑐

Key generation, encryption and decryption

𝒠/ secret key public key 𝑉/ 𝑉<(ℎ)

𝑓 𝑡 𝑏 Encryption

Given a public key 𝑞𝑙 and an encoding 𝑛 ∈ 𝑆/ compute

𝑓Z

𝒠/

𝑑Z 𝑣

𝑉< 𝒠/

𝑑u 𝑛 + ⋅ 𝑞𝑙• + 𝑓u 𝑣 ⋅ 𝑞𝑙• + Key generation

− + ⋅ = 𝑐

Key generation, encryption and decryption

𝒠/ secret key public key 𝑉/ 𝑉<(ℎ)

𝑓 𝑡 𝑏 Encryption

Given a public key 𝑞𝑙 and an encoding 𝑛 ∈ 𝑆/ compute

𝑓Z

𝒠/

𝑑Z 𝑣

𝑉< 𝒠/

𝑑u Decryption

Given a secret key 𝑡 and a ciphertext 𝑑𝑢 = (𝑑u, 𝑑Z) compute

𝑑𝑢 𝑡

/ = 𝑑u + 𝑑Z ⋅ 𝑡 mod 𝑟 = 𝑛 + 𝑓 noise

𝑛 + ⋅ 𝑞𝑙• + 𝑓u 𝑣 ⋅ 𝑞𝑙• + Key generation

Rescaling

𝑑u Δ , 𝑑Z Δ ℂ0/8 𝛦8 ⋅ 𝑨Z 𝛦8 ⋅ 𝑨8 … 𝛦8 ⋅ 𝑨0/8 𝛦 ⋅ 𝑨Z 𝛦 ⋅ 𝑨8 … 𝛦 ⋅ 𝑨0/8 𝑑u, 𝑑Z 𝑆/ Let Δ divide 𝑟. 𝑆//”

HEAAN bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output 𝑛 𝑌

8{

= 𝑑𝑢 𝑡

/

𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

𝒜𝟏 … 𝒜𝒏6𝟐

CKKS bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output 𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟 𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

CKKS bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output ModRaise 𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟 ≃ 𝑛(𝑌

8{)

CKKS bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output ModRaise 𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

SubSum 𝑑𝑢Z ∈ 𝑆š•

8

≃ 𝑛 𝑌

8{ + 𝐽 𝑌 8{ ⋅ 𝑟 š•

𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟

CKKS bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output ModRaise 𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

SubSum 𝑑𝑢Z ∈ 𝑆š•

8

≃ 𝑢(𝑌

8{) š•

𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟

CKKS bootstrapping

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

Plaintext Cleartext vector Ciphertext Input Output ModRaise 𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

SubSum 𝑑𝑢Z ∈ 𝑆š•

8

𝑑𝑢8 ∈ 𝑆š‹

8

𝒖𝟏 … 𝒖𝟑𝒏6𝟐 CoefToSlot (inverse DFT) 𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟 ≃ 𝑢(𝑌

8{) š•

CKKS bootstrapping

Plaintext Cleartext vector Ciphertext Input Output ModRaise SubSum 𝑑𝑢Z ∈ 𝑆š•

8

𝑑𝑢8 ∈ 𝑆š‹

8

Mod 𝑟 𝑑𝑢< ∈ 𝑆šŸ

8

𝒏𝟏 … 𝒏𝟑𝒏6𝟐 CoefToSlot (inverse DFT) 𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

≃ 𝑢(𝑌

8{) š•

𝒖𝟏 … 𝒖𝟑𝒏6𝟐 𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟

CKKS bootstrapping

Plaintext Cleartext vector Ciphertext Input Output ModRaise SubSum 𝑑𝑢Z ∈ 𝑆š•

8

𝑑𝑢8 ∈ 𝑆š‹

8

𝑑𝑢< ∈ 𝑆šŸ

8

𝑑𝑢 ∈ 𝑆š¡

8

≃ 𝑛(𝑌

8{) š¡

CoefToSlot (inverse DFT) SlotToCoef (DFT) 𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

≃ 𝑢(𝑌

8{) š•

𝒖𝟏 … 𝒖𝟑𝒏6𝟐 𝒏𝟏 … 𝒏𝟑𝒏6𝟐 𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢′ ∈ 𝑆/–

8 , 𝑟′ > 𝑟

𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟 Mod 𝑟

CKKS bootstrapping

𝑑𝑢~ ∈ 𝑆/–

8 , 𝑟′ = 𝑅

Plaintext Cleartext vector Ciphertext Input Output ModRaise SubSum 𝑑𝑢Z ∈ 𝑆š•

8

CoefToSlot (inverse DFT) 𝑑𝑢8 ∈ 𝑆š‹

8

𝑑𝑢< ∈ 𝑆šŸ

8

SlotToCoef (DFT) 𝑑𝑢 ∈ 𝑆š¡

8

𝒜𝟏 … 𝒜𝒏6𝟐 𝒜𝟏 … 𝒜𝒏6𝟐 ≃ 𝑛(𝑌

8{)

𝒖𝟏 … 𝒖𝟑𝒏6𝟐 ≃ 𝑢(𝑌

8{) š•

𝒏𝟏 … 𝒏𝟑𝒏6𝟐 ≃ 𝑛(𝑌

8{) š¡

𝑑𝑢 ∈ 𝑆/

8

𝑑𝑢 ∈ 𝑆š›

8 , 𝑅u > 𝑟

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

𝑛 𝑌

8{

= 𝑑𝑢 𝑡 − 𝐽 𝑌 ⋅ 𝑟 Mod 𝑟

SubSum

𝑛 𝑌

8{ + 𝐽 𝑌 ⋅ 𝑟 š›

≃ 𝑛 𝑌

8{ + 𝐽 𝑌 8{ ⋅ 𝑟 š•

SubSum computes Tr: 𝑆 → 𝑆′, where 𝑆~: ℤ = 2𝑛. 𝑑𝑢 £

¤¥u 8{6Z

Rot(𝑑𝑢, 𝑗𝑛) 𝒜𝟏 … 𝒜𝒏6𝟐 𝒐 𝟑𝒏 𝒜𝟏 … 𝒐 𝟑𝒏 𝒜𝒏6𝟐

CoefToSlot and SlotToCoef

CoefToSlot = Encoding

done homomorphically

SlotToCoef = Decoding

done homomorphically

CoefToSlot and SlotToCoef

𝐴 ↦ 𝐮 = 𝚻6Z ⋅ 𝐴 t ↦ 𝐴 = 𝚻 ⋅ 𝐮 CoefToSlot = Encoding

done homomorphically

𝚻 is the canonical embedding matrix (DFT with 4𝑛-th primitive roots of unity) SlotToCoef = Decoding

done homomorphically

CoefToSlot and SlotToCoef

𝐴 ↦ 𝐮 = 𝚻6Z ⋅ 𝐴 = 𝑴Z ⋅ … ⋅ 𝑴- ⋅ 𝐴

𝑀¤’s are sparser than 𝑁.

t ↦ 𝐴 = 𝚻 ⋅ 𝐮 = 𝑴′Z ⋅ … ⋅ 𝑴′-– ⋅ 𝐮

The columns of 𝑴¤’s need to be encoded into the plaintext space.

CoefToSlot = Encoding

done homomorphically

SlotToCoef = Decoding

done homomorphically

𝚻 is the canonical embedding matrix (DFT with 4𝑛-th primitive roots of unity)

CoefToSlot and SlotToCoef

𝐴 ↦ 𝐮 = 𝚻6Z ⋅ 𝐴 = 𝑴Z ⋅ … ⋅ 𝑴- ⋅ 𝐴

𝑀¤’s are sparser than 𝑁.

t ↦ 𝐴 = 𝚻 ⋅ 𝐮 = 𝑴′Z ⋅ … ⋅ 𝑴′-– ⋅ 𝐮

The columns of 𝑴¤’s need to be encoded into the plaintext space. CoefToSlot 𝑑𝑢Z ∈ 𝑆š•

8

SlotToCoef 𝑑𝑢< ∈ 𝑆šŸ

8

Since 𝑅Z > 𝑅<, homomorphic operations in CoefToSlot are heavier than those of SlotToCoeff. Thus, use more FFT in CoefToSlot (𝑚 > 𝑚′).

CoefToSlot = Encoding

done homomorphically

SlotToCoef = Decoding

done homomorphically

𝚻 is the canonical embedding matrix (DFT with 4𝑛-th primitive roots of unity)

Mod 𝑟

𝑑𝑢 𝑡

š› = 𝑛 𝑌 8{ + 𝐽 𝑌 ⋅ 𝑟,

Mod 𝑟

𝑑𝑢 𝑡

š› = 𝑛 𝑌 8{ + 𝐽 𝑌 ⋅ 𝑟,

𝐽 𝑌

± < 𝐿

Mod 𝑟

𝑑𝑢 𝑡

š› = 𝑛 𝑌 8{ + 𝐽 𝑌 ⋅ 𝑟,

𝐽 𝑌

± < 𝐿 ≤ 1 + 𝑥𝑢(𝑡)/2

Mod 𝑟

𝑑𝑢 𝑡

š› = 𝑛 𝑌 8{ + 𝐽 𝑌 ⋅ 𝑟,

𝐽 𝑌

± < 𝐿 ≤ 1 + 𝑥𝑢(𝑡)/2 𝑦 / ≃ 𝑟 2𝜌 sin 2𝜌𝑦 𝑟 , 𝑦 ∈ −𝐿𝑟, 𝐿𝑟

Mod 𝑟

𝑑𝑢 𝑡

š› = 𝑛 𝑌 8{ + 𝐽 𝑌 ⋅ 𝑟,

𝐽 𝑌

± < 𝐿 ≤ 1 + 𝑥𝑢(𝑡)/2 𝑦 / ≃ 𝑟 2𝜌 sin 2𝜌𝑦 𝑟 = 𝑟 2𝜌 cos 2𝜌𝑦 𝑟 − 𝜌 2 , 𝑦 ∈ −𝐿𝑟, 𝐿𝑟

Sine should be approximated by a polynomial

Previous works:

• Cheon et al., Eurocrypt’18:

Taylor + double-angle formula for sine

• Chen et al., Eurocrypt’19:

Chebyshev

• Han-Ki, eprint’19:

Hermite + Chebyshev nodes + double-angle formula for cosine

Sine should be approximated by a polynomial

Previous works:

• Cheon et al., Eurocrypt’18:

Taylor + double-angle formula for sine

• Chen et al., Eurocrypt’19:

Chebyshev

• Han-Ki, eprint’19:

Hermite + Chebyshev nodes + double-angle formula for cosine

The above results assume that

• the secret key 𝑡 is sparse, 𝑥𝑢 𝑡 = 64,
• and, thus, 𝐿 ≤ 12 with high probability.

Sine should be approximated by a polynomial

Previous works:

• Cheon et al., Eurocrypt’18:

Taylor + double-angle formula for sine

• Chen et al., Eurocrypt’19:

Chebyshev

• Han-Ki, eprint’19:

Hermite + Chebyshev nodes + double-angle formula for cosine

The above results assume that

• the secret key 𝑡 is sparse, 𝑥𝑢 𝑡 = 64,
• and, thus, 𝐿 ≤ 12 with high probability.

What happens when secret keys are dense?

Distribution of K when secret keys are dense

𝑜 = 2048 max 𝐿 = 57 𝑜 = 4096 max 𝐿 = 90 𝑜 = 8192 max 𝐿 = 125

Distribution of K when secret keys are dense

𝑜 = 16384 max 𝐿 = 177 𝑜 = 32768 max 𝐿 = 255 𝑜 = 65536 max 𝐿 = 360

Distribution of K when secret keys are dense

𝑜 = 16384 max 𝐿 = 177 𝑜 = 32768 max 𝐿 = 255 𝑜 = 65536 max 𝐿 = 360

Similar to the extreme value distribution.

Chebyshev approximation grows linearly with K

deg 𝐿 deg ≃ 7𝐿 + 25

Approximation error: 106Z8

Chebyshev approximation grows linearly with K

deg 𝐿 deg ≃ 7𝐿 + 25 Using Paterson-Stockmeyer such approximation require:

• ≃

2 7𝐿 + 25 + log8(2 7𝐿 + 25 ) multiplications

• ≃ log8 𝐿 + 3 mult. levels

Approximation error: 106Z8

Chebyshev approximation grows linearly with K

deg 𝐿 deg ≃ 7𝐿 + 25 Using Paterson-Stockmeyer such approximation require:

• ≃

2 7𝐿 + 25 + log8(2 7𝐿 + 25 ) multiplications

• ≃ log8 𝐿 + 3 mult. levels

Example: 𝑜 = 65536 ⇒ 𝐿 = 360:

• 84 multiplications
• 12 mult. levels

Approximation error: 106Z8

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k.

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

3. Compute 𝑙 iterations of the double-angle formula.

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

3. Compute 𝑙 iterations of the double-angle formula.

Example:

𝑜 = 65536 ⇒ 𝐿 = 2Ã

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

3. Compute 𝑙 iterations of the double-angle formula.

Example:

𝑜 = 65536 ⇒ 𝐿 = 2Ã: cos 2𝜌𝑦 − 𝜌 2𝐿 ≃ 𝑞 𝑌 , deg 𝑞 𝑌 = 26

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

3. Compute 𝑙 iterations of the double-angle formula.

Example:

𝑜 = 65536 ⇒ 𝐿 = 2Ã: cos 2𝜌𝑦 − 𝜌 2𝐿 ≃ 𝑞 𝑌 , deg 𝑞 𝑌 = 26 9 iterations of the double-angle formula

Use the double-angle formula for cosine

cos 2𝛽 = 2 cos8 𝛽 − 1

1. Take a sufficiently large 𝐿 = 2k. 2. Approximate cos 2𝜌𝑦 −

Á 8Â in the range [−𝑟, 𝑟] (e.g using Chebyshev).

3. Compute 𝑙 iterations of the double-angle formula.

Example:

𝑜 = 65536 ⇒ 𝐿 = 2Ã: cos 2𝜌𝑦 − 𝜌 2𝐿 ≃ 𝑞 𝑌 , deg 𝑞 𝑌 = 26 9 iterations of the double-angle formula Total cost:

• 19 multiplications
• 14 levels

Results for the entire pipeline

# slots CtoS levels StoC levels After levels

• Avg. time,

sec

• Avg. amort. time,

msec 4096 2 2 9 179 44 3 2 8 114 28 8192 3 2 8 204 25 4 2 7 121 15 16384 4 3 6 181 11 5 3 5 159 10 𝑜 = 65536, Δ = 2„u, 𝑟 ≃ 2Äu, 𝜇 = 128 bits Input data: z ∈ ℂ, |Re 𝑨 |, |Im(𝑨)| < 16. Number of experiments per parameter set: 100 Precision before bootstrapping: ≃ 33 bits Precision after bootstrapping: ≃ 8 bits

Results for the entire pipeline

𝑜 = 65536, Δ = 2„u, 𝑟 ≃ 2Äu, 𝜇 = 128 bits Input data: z ∈ ℂ, |Re 𝑨 |, |Im(𝑨)| < 16. Number of experiments per parameter set: 100 Precision before bootstrapping: ≃ 33 bits Precision after bootstrapping: ≃ 8 bits Memory consumption: ~47GB (mostly due to key-switching keys) # slots CtoS levels StoC levels After levels

• Avg. time,

sec

• Avg. amort. time,

msec 4096 2 2 9 179 44 3 2 8 114 28 8192 3 2 8 204 25 4 2 7 121 15 16384 4 3 6 181 11 5 3 5 159 10

Comparison to HK19

slots 1024 16384 Total time, sec After precision, bits After levels HK19 HK19 Ours Ours

Conclusion

• Attacks on sparse-secret LWE/RLWE become more powerful.

Conclusion

• Attacks on sparse-secret LWE/RLWE become more powerful.
• HEAAN can avoid sparse secrets as its “bootstrapping” is practically possible

without them.

Future work

• Bootstrapping definition for HEAAN.

Future work

• Bootstrapping definition for HEAAN.
• Better approximation of mod 𝑟 (e.g. Hermite approximation of HK19).

Future work

• Bootstrapping definition for HEAAN.
• Better approximation of mod 𝑟 (e.g. Hermite approximation of HK19).
• Mixed bootstrapping using other schemes (e.g. TFHE).

Future work

• Bootstrapping definition for HEAAN.
• Better approximation of mod 𝑟 (e.g. Hermite approximation of HK19).
• Mixed bootstrapping using other schemes (e.g. TFHE).
• Bootstrapping without sparse secrets in other schemes.

Thank you!

We’re hiring! Thank you!