Slide 1: Ring-Learning With Errors & HElib
Wenjie Lu (陸 文杰)
University of Tsukuba
riku@mdl.cs.tsukuba.ac.jp
Slide 2: Outline
1. Homomorphic Encryption & Fully Homomorphic Encryption (FHE)
2. Learning With Errors (LWE) & Ring-LWE
3. Ring-LWE based FHE operations: KeyGen etc.
4. HElib
   1. BGV's leveled FHE scheme
   2. Optimizations, e.g. modulus-switch in HElib
   3. Example codes
5. Two kinds of packing methods & example codes
6. Some other routines in HElib & example codes
7. An application to an epidemiology study
8. Misc., including noise estimation & parameter decisions in HElib
Slide 3: Privacy Preserving Computing
• Secure Multi-party Computing
• Secure Outsourcing
• Homomorphic Encryption
Slide 4: Homomorphic Encryption
• Additive Hom. Encryption, e.g. Paillier
• Multiplicative Hom. Encryption, e.g. ElGamal
• Fully Homomorphic Encryption: satisfies both additive and multiplicative
Slide 5: Fully homomorphic encryption
• Breakthrough by Gentry in 2009
• Main idea:
  1. First build a somewhat homomorphic encryption
  2. Then apply bootstrapping to achieve FHE
• Common facts of the current FHE schemes:
  1. Noise grows with operations
  2. Multiplication yields the most noise
  3. Decryption will fail with too large noise
[A fully homomorphic encryption scheme. Gentry 2009]
Slide 6: Ring-Learning With Errors based FHE
• RLWE schemes: the most efficient schemes for now.
• Different kinds of RLWE based FHE:
  1. BGV's leveled scheme (implemented by HElib)
  2. Brakerski's scale-invariant scheme
  3. ……
[(Leveled) fully homomorphic encryption without bootstrapping. Brakerski, Gentry, Vaikuntanathan 2012]
[Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. Brakerski 2012]
Slides 7-10: Notations
(The notation symbols on these four build-up slides were images and were not extracted; only the descriptions survive.)
• Integers modulo q
• Vectors consisting of n integers modulo q
• Uniformly sample (an element) from (a set)
• Set of polynomials
• F(x) a polynomial, and the quotient set modulo F(x)
• Cyclotomic polynomial: some "prime" polynomial
Worked example from slide 8, an inverse in a quotient set modulo 7: x^{-1} ≡ 6x + 6 (mod 7)
Slides 11-13: Learning With Errors
(The LWE definition on these three build-up slides was an image and was not extracted.)
• LWE assumption
• Ring-LWE: use a polynomial ring instead
[On lattices, learning with errors, random… Regev 2005]
Slide 14: Add. & Mul. on the polynomial ring
(The ring and the addition/multiplication formulas were images and were not extracted; i.e. n is a power of 2.)
Slide 15: Parameters in RLWE-based scheme
(The parameter table was an image; only these labels survive.)
• Security parameter
• The standard deviation of the discrete Gaussian distribution (default 3.2)
Slide 16: Message Space & Ciphertext Space
• Message space: a polynomial quotient ring; coefficients modulo p, polynomial modulo the cyclotomic polynomial
• Ciphertext space: coefficients modulo q, polynomial modulo the cyclotomic polynomial
Slide 17: Basic Encryption Scheme Operations
• Key generation (formula not extracted)
[Can Homomorphic Encryption be Practical? K. Lauter et al. 2011]

Slide 18: Basic Encryption Scheme Operations
• Encryption (formula not extracted)
• Decryption (formula not extracted)
All of these are additions and multiplications over the polynomial ring.

Slide 19: Homomorphic Operations
• Addition (formula not extracted)
• Multiplication (formula not extracted): the size of the ciphertext increases!
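The KeyGen/Enc/Dec/Add/Mult formulas on slides 17 to 19 were images and did not survive extraction. As an added example (not the slides' code and not HElib), here is a self-contained C++ toy of the RLWE scheme in the Lauter-Naehrig-Vaikuntanathan form that slide 17 cites, on assumed tiny parameters (n = 8, t = 7, q = 2^29 - 3, noise in {-1, 0, 1} in place of the discrete Gaussian): it shows decryption as c0 + c1*s + c2*s^2 and that one multiplication grows a ciphertext from 2 to 3 ring elements.

```cpp
// Toy RLWE scheme on R_q = Z_q[x]/(x^n + 1), plaintexts in R_t; shape after Lauter et al. 2011.
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <random>
#include <vector>

namespace toy {
constexpr int     n = 8;           // ring dimension, a power of 2 (assumed toy value)
constexpr int64_t t = 7;           // plaintext modulus, "p" on the slides (assumed)
constexpr int64_t q = 536870909;   // ciphertext modulus, toy size 2^29 - 3 (assumed)
using Poly = std::array<int64_t, n>;   // coefficient of x^i at index i, kept in [0, mod)
using Ctxt = std::vector<Poly>;        // 2 polys after Enc, 3 after one Mult
inline int64_t red(int64_t v, int64_t mod) { v %= mod; return v < 0 ? v + mod : v; }

Poly add(const Poly& a, const Poly& b, int64_t mod = q) {
    Poly r{}; for (int i = 0; i < n; ++i) r[i] = red(a[i] + b[i], mod); return r;
}
Poly scale(const Poly& a, int64_t s) {   // s * a in R_q
    Poly r{}; for (int i = 0; i < n; ++i) r[i] = red(a[i] * s, q); return r;
}
// Product in Z_mod[x]/(x^n + 1): x^n == -1, so a term that wraps flips sign.
Poly mul(const Poly& a, const Poly& b, int64_t mod = q) {
    Poly r{};
    for (int i = 0; i < n; ++i)
        for (int j = 0; j < n; ++j) {
            int64_t c = red(a[i] * b[j], mod);   // inputs < 2^29: no overflow
            int k = i + j;
            if (k >= n) { k -= n; c = red(-c, mod); }
            r[k] = red(r[k] + c, mod);
        }
    return r;
}

// {-1,0,1} noise stands in for the discrete Gaussian (sigma 3.2 in HElib); fixed seed for reproducibility.
std::mt19937_64 rng(12345);
Poly sample_small()   { Poly r{}; for (auto& c : r) c = red((int64_t)(rng() % 3) - 1, q); return r; }
Poly sample_uniform() { Poly r{}; for (auto& c : r) c = (int64_t)(rng() % (uint64_t)q); return r; }

struct Keys { Poly sk; Poly a0, a1; };   // pk = (a0, a1) with a0 = -(a1*s + t*e)

Keys keygen() {
    Keys k;
    k.sk = sample_small();
    k.a1 = sample_uniform();
    Poly e = sample_small();
    k.a0 = scale(add(mul(k.a1, k.sk), scale(e, t)), -1);
    return k;
}

// Enc(m) = (a0*u + t*g + m, a1*u + t*f) with u, f, g small.
Ctxt encrypt(const Keys& k, const Poly& m) {
    Poly u = sample_small(), f = sample_small(), g = sample_small();
    Poly c0 = add(add(mul(k.a0, u), scale(g, t)), m);
    Poly c1 = add(mul(k.a1, u), scale(f, t));
    return {c0, c1};
}

// Dec: sum_i c_i * s^i = m + t*E in R_q; lift to (-q/2, q/2], reduce mod t.
// Handles 2 or 3 components; it breaks once |m + t*E| exceeds q/2 (noise too large).
Poly decrypt(const Keys& k, const Ctxt& c) {
    Poly acc{}, spow{}; spow[0] = 1;
    for (const Poly& ci : c) { acc = add(acc, mul(ci, spow)); spow = mul(spow, k.sk); }
    Poly m{};
    for (int i = 0; i < n; ++i) {
        int64_t v = acc[i] > q / 2 ? acc[i] - q : acc[i];   // centred lift
        m[i] = red(v, t);
    }
    return m;
}

Ctxt hom_add(const Ctxt& a, const Ctxt& b) {
    Ctxt r(std::max(a.size(), b.size()), Poly{});
    for (size_t i = 0; i < r.size(); ++i) {
        if (i < a.size()) r[i] = add(r[i], a[i]);
        if (i < b.size()) r[i] = add(r[i], b[i]);
    }
    return r;
}

// Tensor product (c0,c1)x(d0,d1) = (c0d0, c0d1 + c1d0, c1d1): 3 components, which relinearization shrinks.
Ctxt hom_mul(const Ctxt& a, const Ctxt& b) {
    Ctxt r(a.size() + b.size() - 1, Poly{});
    for (size_t i = 0; i < a.size(); ++i)
        for (size_t j = 0; j < b.size(); ++j)
            r[i + j] = add(r[i + j], mul(a[i], b[j]));
    return r;
}
} // namespace toy

int main() {   // stand-alone demo on constructed inputs
    toy::Keys k = toy::keygen();
    toy::Poly m1{1, 2, 3, 4, 5, 6, 0, 1}, m2{6, 5, 4, 3, 2, 1, 0, 1};
    toy::Ctxt prod = toy::hom_mul(toy::encrypt(k, m1), toy::encrypt(k, m2));
    std::printf("components after one mult: %zu; Dec(m1*m2) mod 7 =", prod.size());
    for (int64_t c : toy::decrypt(k, prod)) std::printf(" %lld", (long long)c);
    std::puts("");
}
```

The noise term E in decrypt is exactly what the later noise-estimation slides bound: each operation enlarges it, and decryption is only correct while |m + t*E| stays below q/2.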
Slide 20: HElib
• Purely written in C++
• Implements the BGV-type encryption scheme
• Supports optimizations such as relinearization, bootstrapping, packing
• Supports multithreading since this March
[https://github.com/shaih/Helib]
Slide 21: Architecture of HElib
(Reference: the HElib design document; section numbers refer to it.)
Math layer:
• timing: §2.1
• NumbTh: miscellaneous utilities, §2.2
• bluestein: FFT/IFFT, §2.3
• CModulus: polynomials mod p, §2.3
• PAlgebra: structure of Zm*, §2.4
• PAlgebraMod: plaintext-slot algebra, §2.5
• IndexSet/IndexMap: indexing utilities, §2.6
• FHEcontext: parameters, §2.7
• DoubleCRT: polynomial arithmetic, §2.8
Crypto layer:
• Ctxt: ciphertext operations, §3.1
• FHE: KeyGen/Enc/Dec, §3.2
• KeySwitching: matrices for key-switching, §3.3
• EncryptedArray: routing plaintext slots, §4.1
Slide 22: Leveled homomorphic encryption
The BGV-type scheme is a leveled homomorphic encryption scheme.
• What are levels?
  – The ciphertext space is not fixed.
• Why are levels needed?
  – Bootstrapping is far too heavy.
  – To somehow reduce the noise inside ciphertexts.
• When to change the level?
  – Mainly after ciphertext multiplication.
(Figure: a chain of levels L1, L2, L3, L4.)
[(Leveled) fully homomorphic encryption without bootstrapping. Brakerski, Gentry, Vaikuntanathan 2012]
Slide 23: Parameters of the leveled homomorphic encryption
1. A positive integer L, called levels
2. A prime sequence (not extracted)
• The ciphertext space changes level by level
• The noise inside ciphertexts can be reduced by (factor not extracted)
• This operation is called modulus-switch
(Figure label: one multiplication.)
[(Leveled) fully homomorphic encryption without bootstrapping. Brakerski, Gentry, Vaikuntanathan 2012]
Slide 24: How to decide the levels?
• Mainly depends on the evaluation function
(Figure: three example circuits, labelled "Need at least 2 levels", "1 level may also work", "1 level may not work".)
Slide 25: Relinearization (Key switching)
• What is relinearization? (formula not extracted)
• The dimension of the ciphertext increases!
[Efficient fully homomorphic encryption from LWE. Brakerski, Vaikuntanathan 2011]

Slide 26: Relinearization (Key switching)
• Why relinearize?
  – To reduce the overhead in ciphertext multiplication
• Need to add extra information into the public key
• Should we always relinearize?
  – Depends on the multiplication depth
[Efficient fully homomorphic encryption from LWE. Brakerski, Vaikuntanathan 2011]
Slide 27: Sample codes: Setup
(The code listing was an image; only its annotations survive.)
• levels
• To add extra information for relinearization
• Line 6: The FHESecKey class was designed to inherit from the FHEPubKey class.

Slide 28: Sample codes: Enc/Dec/Mult
(The code listing was an image; only its annotations and one line survive.)
• Line 2: Plaintext needs to be a polynomial.
• Line 7 & 9: To use or not use relinearization during homomorphic multiplication.
• Surviving line: sk.Decrypt(plain, ctxt);
Slide 29: Packing
What is packing?
• To pack several messages into one ciphertext
Why use packing?
1. To reduce the number of ciphertexts
2. To amortize the computation time
Different kinds of packing:
• Pack into coefficients
• Pack into subfields (so-called CRT-based packing)
Slide 30: I. Pack into coefficients
• Example message space (not extracted)
• Imagine 8 boxes, each of which can hold a positive integer less than 13^2.
(Figure: boxes numbered 1 2 3 4 …)

Slide 31: I. Pack into coefficients
• We need to design how to encode our data into a useful polynomial form.
• Enc( … ) × Enc( … ) = Enc( … ): just the multiplication between polynomials, mod (13^2, x^8 + 1)
  (the packed polynomials were images and are not extracted)

Slide 32: Example: Encoding for scalar product
(The formulas were images; only the step labels survive.)
• Given …
• If we make two polynomials such as …
• But …
• Change a little bit …

Slide 33: Sample codes: Pack into coefficients
(The code listing was an image; annotation: "3rd coeff.")
Slides 34-35: II. Pack into subfields
• Not put into each coefficient directly
• Utilize the Chinese Remainder Theorem
A number p can be factorized into prime factors. Consider the CRT in the integer field: we have the isomorphism from CRT (formula not extracted).

Slide 36: II. Pack into subfields
• Polynomial-CRT: the cyclotomic polynomial (some "prime" polynomial) can be factorized into l distinct irreducible polynomials.
• For each irreducible polynomial there is one component of the product ring; these components are called slots.
(The isomorphism formula, annotated with the Euler function, was not extracted.)
Slide 37: Example: Component-wise Operations
• m = 8, p = 17
• So each slot holds a degree-0 polynomial modulo 17.
(Figure: the slot contents were not extracted.)

Slide 38: Example: Component-wise Operations
(Figure: slot-wise addition and multiplication, each reduced mod 17; the numbers were not extracted.)

Slide 39: Example: "Rotation" Operation
• On the field: an automorphism (formula not extracted)
• Replace (the substitution was not extracted)
• Result: 2 left-rotated!!

Slide 40: Operations supported by HElib
• Component-wise (entry-wise) addition/mult.
• Rotation
  - Shift; padding with 0s
  - Running sums
  - Total sums
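Added example, not from the slides or HElib: both packings from slides 30 to 40 worked in plain C++ on the slides' toy parameters (8 coefficients mod 13^2 = 169 for coefficient packing; m = 8, p = 17 for slot packing). The coefficient encoding pair is the one from Yasuda et al. in the references, which I assume is what the slide's unextracted encoding images show; the slot order by the roots 2, 8, 15, 9 and the choice g = 5 for the rotation are my assumptions.

```cpp
// Packing on Z_m[x]/(x^n + 1): coefficient packing (part I) and slot/CRT packing (part II).
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>
using Poly  = std::vector<int64_t>;   // coefficient of x^i at index i
using Slots = std::array<int64_t, 4>;
inline int64_t red(int64_t v, int64_t m) { v %= m; return v < 0 ? v + m : v; }
// Product in Z_m[x]/(x^n + 1): a term that wraps past x^(n-1) flips sign.
Poly mul_negacyclic(const Poly& a, const Poly& b, int64_t m) {
    size_t n = a.size();
    Poly r(n, 0);
    for (size_t i = 0; i < n; ++i)
        for (size_t j = 0; j < n; ++j) {
            int64_t c = red(a[i] * b[j], m);
            size_t k = i + j;
            if (k >= n) { k -= n; c = red(-c, m); }
            r[k] = red(r[k] + c, m);
        }
    return r;
}

// ---- I. Pack into coefficients (encoding pair of Yasuda et al., assumed to match the slide).
// x -> sum x_i X^i and y -> -sum y_i X^(n-i). Since X^n = -1, the only products that
// land on X^0 are x_i * y_i, so coefficient 0 of the product is <x, y> (mod m).
Poly encode_fwd(const std::vector<int64_t>& x, int64_t m) {
    Poly a(x.size());
    for (size_t i = 0; i < x.size(); ++i) a[i] = red(x[i], m);
    return a;
}
Poly encode_rev(const std::vector<int64_t>& y, int64_t m) {
    size_t n = y.size();
    Poly b(n, 0);
    b[0] = red(y[0], m);                                   // -y_0 X^n = +y_0
    for (size_t i = 1; i < n; ++i) b[n - i] = red(-y[i], m);
    return b;
}
int64_t packed_scalar_product(const std::vector<int64_t>& x, const std::vector<int64_t>& y, int64_t m) {
    return mul_negacyclic(encode_fwd(x, m), encode_rev(y, m), m)[0];   // one ring multiplication
}

// ---- II. Pack into slots. Phi_8(x) = x^4 + 1 splits into 4 linear factors mod 17 because
// 17 = 1 (mod 8); its roots are the primitive 8th roots of unity 2^1, 2^3, 2^5, 2^7 = 2, 8, 15, 9.
// Slot k of a(x) is a(ROOTS[k]); the slot order by odd powers of 2 is an assumption of this example.
constexpr int64_t P = 17;
const Slots ROOTS = {2, 8, 15, 9};
int64_t inv_mod(int64_t a, int64_t m) {   // a^(m-2) mod m for prime m
    int64_t r = 1; a = red(a, m);
    for (int64_t e = m - 2; e > 0; e >>= 1) { if (e & 1) r = r * a % m; a = a * a % m; }
    return r;
}
Slots decode_slots(const Poly& a) {        // CRT map R_17 -> F_17^4: evaluate at every root
    Slots s{};
    for (int k = 0; k < 4; ++k) {
        int64_t v = 0;
        for (int i = 3; i >= 0; --i) v = red(v * ROOTS[k] + a[i], P);   // Horner
        s[k] = v;
    }
    return s;
}
Poly encode_slots(const Slots& s) {        // inverse CRT: Lagrange interpolation through the roots
    Poly a(4, 0);
    for (int k = 0; k < 4; ++k) {
        Poly basis{1, 0, 0, 0};
        int64_t denom = 1;
        for (int j = 0; j < 4; ++j) {
            if (j == k) continue;
            Poly next(4, 0);                              // basis *= (x - ROOTS[j])
            for (int d = 0; d < 3; ++d) {
                next[d + 1] = red(next[d + 1] + basis[d], P);
                next[d]     = red(next[d] - basis[d] * ROOTS[j], P);
            }
            basis = next;
            denom = red(denom * (ROOTS[k] - ROOTS[j]), P);
        }
        int64_t w = red(s[k] * inv_mod(denom, P), P);
        for (int d = 0; d < 4; ++d) a[d] = red(a[d] + basis[d] * w, P);
    }
    return a;
}
// Galois automorphism x -> x^g. Here x^8 = 1, so x^e lands at e mod 8 with a minus sign when
// e mod 8 >= 4. g = 5 maps root 2^j to 2^(5j), moving slot j to slot j-2: "2 left-rotated".
Poly automorph(const Poly& a, int g) {
    Poly r(4, 0);
    for (int i = 0; i < 4; ++i) {
        int e = (i * g) % 8;
        int64_t c = a[i];
        if (e >= 4) { e -= 4; c = red(-c, P); }
        r[e] = red(r[e] + c, P);
    }
    return r;
}

int main() {   // constructed inputs: genotype counts in {0,1,2} against case flags in {0,1}
    std::printf("<x,y> = %lld\n", (long long)packed_scalar_product({2, 1, 0, 1, 2, 0, 1, 2}, {1, 0, 1, 0, 1, 1, 0, 1}, 169));
    Slots rot = decode_slots(automorph(encode_slots({1, 2, 3, 4}), 5));
    std::printf("slots after x -> x^5: %lld %lld %lld %lld\n", (long long)rot[0], (long long)rot[1], (long long)rot[2], (long long)rot[3]);
}
```

The coefficient-packed scalar product is only recovered modulo 169, so the plaintext modulus must exceed the largest possible true value (a true value of 576 comes back as 69); this is the "p^r" bound behind the parameter-choice slides.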
Slide 41: Sample codes: codes for CRT-packing
(The code listing was an image and was not extracted.)

Slide 42: Sample codes for other HElib routines
(The code listing was an image and was not extracted.)
Slides 43-44: Noise Estimation
(Reference: the HElib design document. The bounds themselves were images and were not extracted; only the operation labels survive.)
• OK to decrypt:
• Fresh ciphertext:
• Modulus-switch:
• Relinearization:
• Ctxt-plain add.:
• Ctxt-plain mult.:
• Ctxt-ctxt add.:
• Ctxt-ctxt mult.:
• Rotation: 1 ctxt-plain mult., 1 ctxt-plain add.
• Shift: 2 ctxt-plain mult.
Slides 45-47: Application to epidemiology
Contingency table with observed counts o_i and expected counts e_i:

           a     A     a (expected)      A (expected)      Count
Case       o1    o2    e1 = n3 n1 / n    e2 = n4 n1 / n    n1
Control    o3    o4    e3 = n3 n2 / n    e4 = n4 n2 / n    n2
Count      n3    n4                                        n

Data: [AA, Aa, aa, Aa, …]                → Encoding → x = [2, 1, 0, 1, …]
      [case, control, case, control, …]  → Encoding → y = [1, 0, 1, 0, …]
How to efficiently compute the scalar product?? Packing!
Slide 48: Misc: Example to choose parameters
• Problem: to calculate a chi-square test
• Main computation: scalar product of integer vectors
• Integer vectors: (value range not extracted); data set size (not extracted)
1. Plaintext space parameters: p, r
2. Polynomial parameter: m, with (bound not extracted) > 2000 to pack N integers
3. Levels parameter: L
   – Pack into coefficients: only need 1 mult. => L = 1
   – Pack into subfields: need 1 mult. & 1 running sums => L = 2 is better
4. Check m again by calling FindM
Slide 49: Misc: FindM() & the number of slots
• HElib provides such a function: FindM(k, L, p, m);
  It prints out:
    *** Bound N=XXX, choosing m=YYY, phi(m)=ZZZ
    k-bits security if phi(m) >= N
• The number of slots is defined as: (formula not extracted)
Slide 50: Misc: Example to choose parameters
• Problem: to compute the product of a matrix and a vector
1. Plaintext parameter: p^r > 8
2. #slots >= 2 (pack each row (column))
3. Levels: L = 3 may be good
4. m is decided by FindM() according to L, p, #slots
(Figure: a worked 2x2 matrix-vector product with packed rows; not extracted.)
Slide 51: Misc.: Rules of thumb
• By default, only half of the machine bits are used for levels
  1. 32-bit platform: enable the -DNOT_HALF_PRIME flag before building HElib
  2. 64-bit platform: before calling buildModChain()
• Plaintext parameter p^r != 2: better to add more levels
[https://github.com/shaih/HElib/issues/52]
Slide 52: Misc.: Install HElib
• Install NTL (Number Theory Library): http://www.shoup.net/ntl/
• Install GMP, m3 library.
• Install HElib: https://github.com/shaih/HElib
• To use multithreading, g++ 4.9 is needed (seems not to work on Mac OS for now)
Slide 53: References
• The design document inside the HElib repo.
• Fully Homomorphic SIMD operations. N. P. Smart et al.
• Can Homomorphic Encryption be Practical? K. Lauter et al.
• Secure Pattern Matching using Somewhat homomorphic encryption. M. Yasuda et al.
• Fully Homomorphic Encryption without Bootstrapping. Z. Brakerski et al.
• Fully Homomorphic Encryption with Polylog Overhead. C. Gentry et al.

Slide 54: Thank you!

More Related Content

PDF
暗号文のままで計算しよう - 準同型暗号入門 -
PDF
中3女子でもわかる constexpr
PDF
Marp Tutorial
PPTX
AESについて 輪講資料
PPT
技術勉強会(楕円曲線暗号)資料
PDF
準同型暗号の実装とMontgomery, Karatsuba, FFT の性能
PPTX
自然言語処理 Word2vec
PDF
多数のセンサーによる 時空間センシングデータの 効率的な集約送信技術
暗号文のままで計算しよう - 準同型暗号入門 -
中3女子でもわかる constexpr
Marp Tutorial
AESについて 輪講資料
技術勉強会(楕円曲線暗号)資料
準同型暗号の実装とMontgomery, Karatsuba, FFT の性能
自然言語処理 Word2vec
多数のセンサーによる 時空間センシングデータの 効率的な集約送信技術

What's hot (20)

PPTX
Docker Tokyo
PDF
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
PDF
ARM CPUにおけるSIMDを用いた高速計算入門
PDF
Goの時刻に関するテスト
PDF
RSA暗号運用でやってはいけない n のこと #ssmjp
PDF
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PDF
分散型IDと検証可能なアイデンティティ技術概要
KEY
ラムダ計算入門
PDF
WASM(WebAssembly)入門 ペアリング演算やってみた
PDF
Dockerを支える技術
PDF
Twitterのsnowflakeについて
PDF
RSA鍵生成脆弱性ROCAの紹介
PDF
Domain Modeling Made Functional (DevTernity 2022)
PDF
DNN音響モデルにおける特徴量抽出の諸相
PDF
Singularityで分散深層学習
PDF
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
PDF
SQLアンチパターン 幻の第26章「とりあえず削除フラグ」
PDF
Wavelet matrix implementation
PPTX
「NIST SP 800-204C サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説
Docker Tokyo
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
ARM CPUにおけるSIMDを用いた高速計算入門
Goの時刻に関するテスト
RSA暗号運用でやってはいけない n のこと #ssmjp
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
分散型IDと検証可能なアイデンティティ技術概要
ラムダ計算入門
WASM(WebAssembly)入門 ペアリング演算やってみた
Dockerを支える技術
Twitterのsnowflakeについて
RSA鍵生成脆弱性ROCAの紹介
Domain Modeling Made Functional (DevTernity 2022)
DNN音響モデルにおける特徴量抽出の諸相
Singularityで分散深層学習
ペアリングベースの効率的なレベル2準同型暗号(SCIS2018)
SQLアンチパターン 幻の第26章「とりあえず削除フラグ」
Wavelet matrix implementation
「NIST SP 800-204C サービスメッシュを利用したマイクロサービスベースのアプリケーション向けDevSecOpsの展開」概説
Ad

Viewers also liked (15)

PDF
Genopri2015
PPTX
Homomorphic Encryption
PPTX
Digital Fingerprinting
PDF
Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Stro...
PDF
Promcon2016
PDF
The monad fear
PDF
Realizing Fine-Grained and Flexible Access Control to Outsourced Data with At...
PDF
Privacy-Preserving Search for Chemical Compound Databases
PDF
Overview of MONOMI
PDF
Fast, Private and Verifiable: Server-aided Approximate Similarity Computation...
PDF
DBMask: Fine-Grained Access Control on Encrypted Relational Databases
PDF
ENKI: Access Control for Encrypted Query Processing
PDF
Overview of CryptDB
PDF
Fuzzy Keyword Search over Encrypted Data in Cloud Computing
PDF
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Genopri2015
Homomorphic Encryption
Digital Fingerprinting
Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Stro...
Promcon2016
The monad fear
Realizing Fine-Grained and Flexible Access Control to Outsourced Data with At...
Privacy-Preserving Search for Chemical Compound Databases
Overview of MONOMI
Fast, Private and Verifiable: Server-aided Approximate Similarity Computation...
DBMask: Fine-Grained Access Control on Encrypted Relational Databases
ENKI: Access Control for Encrypted Query Processing
Overview of CryptDB
Fuzzy Keyword Search over Encrypted Data in Cloud Computing
Privacy-Preserving Multi-Keyword Fuzzy Search over Encrypted Data in the Cloud
Ad

Similar to Helib (16)

PPTX
Halo2 Verifier in Move from ZERO to ONE.pptx
PDF
Instrumentation & the Pitfalls of Abstraction
PDF
An Introduction to Quantum Programming Languages
PPTX
R meetup lm
PDF
Gnu octave
PPTX
Hybrid multichannel signal separation using supervised nonnegative matrix fac...
KEY
Verification with LoLA: 4 Using LoLA
PDF
Online Divergence Switching for Superresolution-Based Nonnegative Matrix Fa...
PDF
High-dimensional polytopes defined by oracles: algorithms, computations and a...
PPTX
Fuzzy logic
PDF
Introduction to Groovy (Serbian Developer Conference 2013)
PPTX
Theorem proving 2018 2019
PPTX
Polynomial regression
PDF
Backdoors to Satisfiability
PPTX
Ruby basics
PDF
Theorem proving 2018 2019
Halo2 Verifier in Move from ZERO to ONE.pptx
Instrumentation & the Pitfalls of Abstraction
An Introduction to Quantum Programming Languages
R meetup lm
Gnu octave
Hybrid multichannel signal separation using supervised nonnegative matrix fac...
Verification with LoLA: 4 Using LoLA
Online Divergence Switching for Superresolution-Based Nonnegative Matrix Fa...
High-dimensional polytopes defined by oracles: algorithms, computations and a...
Fuzzy logic
Introduction to Groovy (Serbian Developer Conference 2013)
Theorem proving 2018 2019
Polynomial regression
Backdoors to Satisfiability
Ruby basics
Theorem proving 2018 2019

Recently uploaded (20)

PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PPTX
Modernising the Digital Integration Hub
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
PPTX
Microsoft Excel 365/2024 Beginner's training
PDF
Zenith AI: Advanced Artificial Intelligence
DOCX
search engine optimization ppt fir known well about this
PPT
What is a Computer? Input Devices /output devices
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
Flame analysis and combustion estimation using large language and vision assi...
PPTX
2018-HIPAA-Renewal-Training for executives
PPTX
Chapter 5: Probability Theory and Statistics
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
PDF
The influence of sentiment analysis in enhancing early warning system model f...
PDF
Consumable AI The What, Why & How for Small Teams.pdf
PPTX
Build Your First AI Agent with UiPath.pptx
PDF
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
PDF
sbt 2.0: go big (Scala Days 2025 edition)
PPTX
Configure Apache Mutual Authentication
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
A contest of sentiment analysis: k-nearest neighbor versus neural network
Modernising the Digital Integration Hub
Taming the Chaos: How to Turn Unstructured Data into Decisions
Microsoft Excel 365/2024 Beginner's training
Zenith AI: Advanced Artificial Intelligence
search engine optimization ppt fir known well about this
What is a Computer? Input Devices /output devices
Getting started with AI Agents and Multi-Agent Systems
Flame analysis and combustion estimation using large language and vision assi...
2018-HIPAA-Renewal-Training for executives
Chapter 5: Probability Theory and Statistics
A proposed approach for plagiarism detection in Myanmar Unicode text
The influence of sentiment analysis in enhancing early warning system model f...
Consumable AI The What, Why & How for Small Teams.pdf
Build Your First AI Agent with UiPath.pptx
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
sbt 2.0: go big (Scala Days 2025 edition)
Configure Apache Mutual Authentication

Helib

  • 1. Ring-­‐Learning  With  Errors  &  HElib Wenjie  Lu(陸 文杰)   University  of  Tsukuba   riku@mdl.cs.tsukuba.ac.jp   1
  • 2. Outline 1.  Homomorphic  EncrypFon  &  Fully  Homomorphic  EncrypFon  (FHE)   2.  Learning  With  Errors  (LWE)  &  Ring-­‐LWE     3.  Ring-­‐LWE  based  FHE  operaFons:  KeyGen  etc.   4.  HElib   1.  BGV’s  leveled  FHE  scheme   2.  OpFmizaFons  e.g.  modulo-­‐switch  in  HElib   3.  Example  codes   5.  Two  kind  of  packing  methods  &  example  codes   6.  Some  other  rouFnes  in  HElib    &  example  codes   7.  An  applicaFon  on  epidemiology  study     8.  Misc.  includes  noise-­‐esFmaFon  &  parameters  decision  in  HElib   2
  • 3. Privacy  Preserving  CompuFng 3 Secure  MulF-­‐parFes  CompuFng Secure  Outsourcing Homomorphic  Encryp-on
  • 4. Homomorphic  EncrypFon •  AddiFve  Hom.  EncrypFon,  e.g.  Paillier     •  MulFplicaFve  Hom.  EncrypFon,  e.g.  ElGamal   •  Fully  Homomorphic  EncrypFon                  SaFsfies  both  addiFve  and  mulFplicaFve 4
  • 5. Fully  homomorphic  encrypFon •  Breakthrough  by  Gentry  in  2009   •  Main  idea:   1.  First  build  a  somewhat  homomorphic  encrypFon   2.  Then  apply  bootstrapping  to  achieve  FHE   •  Common  facts  of  the  current  FHE  schemes   1.  Noise  grows  with  operaFons   2.  MulFplicaFon  yields  the  most  noise   3.  DecrypFon  will  fail  with  too  large  noise 5 [A  fully  homomorphic  encrypFon  scheme  Gentry  2009]
  • 6. Ring-­‐learning  With  Errors  based  FHE •  RLWE  schemes:    The  most  efficient  schemes            for  now.   •  Different  kinds  of  RLWE  based  FHE   1.  BGV’s    leveled  scheme  (implemented  by  HElib)   2.  Brakerski,  Scale-­‐invariant  scheme   3.  …… 6 [(Leveled)  fully  homomorphic  encrypFon  without  bootstrapping]   Brakerski,  Gentry,  Vaikuntanathan  2012 [Fully  Homomorphic  Encryp-on  without  Modulus  Switching  from   Classical  GapSVP]  Brakerski,2012
  • 7. Nota-ons 7 •             :  Integer  modulo  q   •             :  Vectors  consists  of  n  integer  modulo  q   •                           :  uniformly  sample            from   •                                                                                   :    set  of  polynomials   •  F(x)  a  polynomial,                                                    :  a  quoFent  set               •  Cyclotomic  polynomial:  
  • 8. Nota-ons 8 •             :  Integer  modulo  q   •             :  Vectors  consists  of  n  integer  modulo  q   •                           :  uniformly  sample            from   •                                                                                   :    set  of  polynomials   •  F(x)  a  polynomial,                                                    :  a  quoFent  set               •  Cyclotomic  polynomial:   x 1 ⌘ 6x + 6 mod 7
  • 9. Nota-ons 9 •             :  Integer  modulo  q   •             :  Vectors  consists  of  n  integer  modulo  q   •                           :  uniformly  sample            from   •                                                                                   :    set  of  polynomials   •  F(x)  a  polynomial,                                                    :  a  quoFent  set               •  Cyclotomic  polynomial:  
  • 10. Nota-ons 10 •             :  Integer  modulo  q   •             :  Vectors  consists  of  n  integer  modulo  q   •                           :  uniformly  sample            from   •                                                                                   :    set  of  polynomials   •  F(x)  a  polynomial,                                                    :  a  quoFent  set               •  Cyclotomic  polynomial:   Cyclotomic  polynomial:  Some  “prime”  polynomial
  • 11. Learning  With  Errors •  LWE-­‐AssumpFon   •  Ring-­‐LWE:  use  a  polynomial  ring  instead   11 [On  lajces,  learning  with  errors,  random.  Regev  2005  ]
  • 12. Learning  With  Errors •  LWE-­‐AssumpFon   •  Ring-­‐LWE:  use  a  polynomial  ring  instead   12 [On  lajces,  learning  with  errors,  random.  Regev  2005  ]
  • 13. Learning  With  Errors •  LWE-­‐AssumpFon   •  Ring-­‐LWE:  use  a  polynomial  ring  instead   13 [On  lajces,  learning  with  errors,  random.  Regev  2005  ]
  • 14. Add.  &  Mul.  On   14 (i.e.  n  is  power  of  2)
  • 15. Paremeters  in  RLWE-­‐based  scheme 15 (default  3.2) Security   parameter The  stand  deviaFon  of  the  discrete    Gaussian  distribuFon
  • 16. Message  Space  &  Ciphertext  Space •  Message  Space:  polynomial  quoFent  ring   •  Ciphertex  Space     16 Coefficients   modulo  p Polynomial  modulo   Coefficients   modulo  q Polynomial  modulo  
  • 17. Basic  EncrypFon  Scheme  OperaFons •  KeyGeneraFon   17 [Can  Homomorphic  Encryp-on  be  Prac-cal?  K.  Lauter  et  al.  2011]
  • 18. Basic  EncrypFon  Scheme  OperaFons •  EncrypFon   •  DecrypFon     18 addi-ons,  mul-plica-ons  over   polynomial  ring.
  • 19. Homomorphic  OperaFons •  AddiFon   •  MulFplicaFon     The  size  of  ciphertext  increases!   19
  • 20. HElib •  Purely  wrimen  in  C++   •  Implements  the  BGV-­‐type  encrypFon  scheme   •  Supports  opFmazaFons  such  as:  reLinearazaFon,   bootstapping,  packing   •  Supports  mulFthread  from  this  March   20 [hmps://github.com/shaih/Helib]
  • 21. Architecture  of  HElib PAlgebra Structure of Zm*, §2.4 PAlgebraMod plaintext-slot algebra, §2.5 NumbTh miscellaneous utilities, §2.2 CModulus polynomials mod p, §2.3 Math DoubleCRT polynomial arithmetic, §2.8 FHE KeyGen/Enc/Dec, §3.2 Ctxt Ciphertext operations, §3.1 Crypto EncryptedArray Routing plaintext slots, §4.1 IndexSet/IndexMap Indexing utilities, §2.6 FHEcontext parameters,§2.7 bluestein FFT/IFFT, §2.3 timing §2.1 KeySwitching Matrices for key-switching, §3.3 21*  Reference  from  the  HElib  design  document
  • 22. Leveled  homomorphic  encrypFon The  BGV-­‐type  scheme  is  a  leveled  homomorphic  encrypFon   scheme   •  What  is  levels?   –  The  ciphertext  space  is  not  fixed.   •  Why  need  levels  ?     –  Bootstrapping  is  too  too  heavy     –  To  somehow  reduce  the  noise  inside  ciphertexts     •  When  to  change  the  level?   – Majorly  arer  ciphertexts  mulFplicaFon   22 L1 L2 L3 L4 [(Leveled)  fully  homomorphic  encrypFon  without  bootstrapping]   Brakerski,  Gentry,  Vaikuntanathan  2012
  • 23. Parameters  of  the    Leveled  homomorphic  encrypFon 1. An  posi9ve  integer  L,  called  levels   2. A  prime  sequence   •  The  ciphertext-­‐space  changes  level  by  level   •  The  noise  inside  ciphertexts  can  reduce  by   •  This  opera9on  called  Modulo-­‐switch     23 [(Leveled)  fully  homomorphic  encrypFon  without  bootstrapping]   Brakerski,  Gentry,  Vaikuntanathan  2012 One  mulFplicaFon
  • 24. How  to  decide  the  levels? •  Majorly  depends  on  the  evaluaFon  funcFon   24 Need  at  least  2-­‐levels 1-­‐level  may  also  works 1-­‐level  may  not  works
  • 25. reLinearizaFon  (Key  switching) •  What  is  relinearizaFon? 25 [Efficient  fully  homomorphic  encrypFon  from  LWE  Brakerski,  Vaikuntanathan,  2011] The  dimension  of  ciphertext  increases!  
26. Relinearization (key switching)
•  Why relinearize?
   –  To reduce the overhead of ciphertext multiplication: the enlarged product ciphertext is mapped back to the normal size.
•  Requires extra information (key-switching matrices) in the public key.
•  Should one always relinearize?
   –  Depends on the multiplication depth.
[Efficient fully homomorphic encryption from (standard) LWE, Brakerski, Vaikuntanathan 2011]
27. Sample codes: Setup
[code listing not recovered from the slide; callouts: "levels", "to add extra information for relinearization"]
•  Line 6: the FHESecKey class is designed to inherit from the FHEPubKey class.
28. Sample codes: Enc/Dec/Mult
[code listing not recovered from the slide except the decryption call: sk.Decrypt(plain, ctxt);]
•  Line 2: the plaintext needs to be a polynomial.
•  Lines 7 & 9: homomorphic multiplication with, respectively without, relinearization.
29. Packing
What is packing?
•  Packing several messages into one ciphertext.
Why use packing?
1.  To reduce the number of ciphertexts.
2.  To amortize the computation time.
Different kinds of packing:
•  Pack into coefficients
•  Pack into subfields (so-called CRT-based packing)
30. I. Pack into coefficients
•  Example message space: imagine 8 boxes, each holding a non-negative integer less than 13^2 = 169, i.e. a polynomial of degree < 8 with coefficients modulo 13^2.
31. I. Pack into coefficients
•  We need to design how to encode our data into a useful polynomial form.
•  Enc(a(x)) · Enc(b(x)) = Enc(a(x) · b(x) mod (13^2, x^8 + 1))
•  Homomorphic multiplication is just multiplication of the packed polynomials, modulo (13^2, x^8 + 1)!
32. Example: encoding for a scalar product
[the formulas on this slide were not recovered; the steps are:]
•  Given two integer vectors.
•  If we make two polynomials such as ...
•  But ...
•  Change a little bit: ...
33. Sample codes: pack into coefficients
[code listing not recovered from the slide; callout: the result is read from the 3rd coefficient]
34. II. Pack into subfields
•  Do not put the values directly into the coefficients.
•  Utilize the Chinese Remainder Theorem (CRT).
•  Consider the CRT over the integers: an integer N = p_1 · p_2 ⋯ p_k with distinct prime factors gives the isomorphism
   Z_N ≅ Z_{p_1} × Z_{p_2} × ⋯ × Z_{p_k}
36. II. Pack into subfields
•  Polynomial CRT: modulo p, the m-th cyclotomic polynomial Φ_m(x), of degree φ(m) (Euler's function), factors into l distinct irreducible polynomials F_1(x), …, F_l(x) of equal degree d (some "prime" polynomials), with l · d = φ(m).
•  Each irreducible factor F_i(x) gives one slot:
   Z_p[x]/(Φ_m(x)) ≅ Z_p[x]/(F_1(x)) × ⋯ × Z_p[x]/(F_l(x))
37. Example: component-wise operations
•  m = 8, p = 17
•  Φ_8(x) = x^4 + 1 ≡ (x − 2)(x − 8)(x − 9)(x − 15) (mod 17): four linear factors, so there are 4 slots and each slot holds a degree-0 polynomial modulo 17, i.e. a single element of Z_17.
38. Example: component-wise operations
[worked example not recovered from the slide: slot-wise addition and slot-wise multiplication, both modulo 17]
39. Example: "rotation" operation
•  On the field: an automorphism of the ring, obtained by replacing x with x^k for some k coprime to m.
•  The automorphism permutes the slots; in the slide's example the slot vector comes out left-rotated by 2!
40. Operations supported by HElib
•  Component-wise (entry-wise) addition/multiplication
•  Rotation
   –  Shift: like a rotation, but padding with 0s
   –  Running sums
   –  Total sums
41. Sample codes
[code listing for CRT packing not recovered from the slide]
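The two packing methods of slides 30–41, worked through in plain Python. This is an added example, not code from the slides or from HElib: it reimplements the plaintext-ring arithmetic directly so that the encodings can be checked by hand. Part I is coefficient packing in Z_q[x]/(x^n + 1) with the slide's q = 13^2 and n = 8, and shows how the scalar product lands in coefficient n − 1 when one vector is encoded in reverse order. Part II is CRT packing with m = 8, p = 17: the slot roots, the CRT decode (evaluate at each root) and encode (Lagrange interpolation), slot-wise addition and multiplication, the slot-rotating automorphism x ↦ x^5, and the "total sums" built from all automorphisms. Assumptions: m is a power of two, so Φ_m(x) = x^(m/2) + 1 and both rings share the same negacyclic multiplication, and Φ_m splits completely mod p (d = 1), which holds for m = 8, p = 17.

```python
# Added example (not from the slides or HElib): coefficient packing and CRT packing
# worked in plain Python.  Assumption: m is a power of two, so Phi_m(x) = x^(m/2) + 1
# and both plaintext rings use the same negacyclic arithmetic.
from math import gcd


def ring_mul(a, b, q):
    """Multiply coefficient vectors a, b in Z_q[x]/(x^n + 1), n = len(a).
    A term landing on x^k with k >= n wraps to x^(k-n) with a sign flip (x^n = -1)."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def ring_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


# ---- I. pack into coefficients: a scalar product from one ring multiplication ----
def encode_forward(v, n, q):
    """a(x) = sum_i v_i x^i, one value per 'box'."""
    return [x % q for x in v] + [0] * (n - len(v))


def encode_reversed(v, n, q):
    """b(x) = sum_i v_i x^(n-1-i).  Reversing the order makes the x^(n-1) coefficient of
    a(x)*b(x) equal to sum_i a_i b_i; the cross terms a_i b_j (i > j) wrap around to
    lower coefficients and never reach x^(n-1)."""
    out = [0] * n
    for i, x in enumerate(v):
        out[n - 1 - i] = x % q
    return out


def packed_scalar_product(u, v, n=8, q=13 ** 2):
    """Scalar product read from coefficient n-1 (the '3rd coeff.' when n = 4).
    Only correct while the true result is < q: the ring reduces modulo q silently."""
    if len(u) > n or len(v) > n:
        raise ValueError("vectors longer than the number of boxes")
    prod = ring_mul(encode_forward(u, n, q), encode_reversed(v, n, q), q)
    return prod[n - 1]


# ---- II. pack into subfields: CRT slots of Z_p[x]/(Phi_m(x)) ----
def euler_phi(m):
    return sum(1 for k in range(1, m + 1) if gcd(k, m) == 1)


def mult_order(p, m):
    """d = order of p in Z_m^*; every slot is the field GF(p^d)."""
    d, x = 1, p % m
    while x != 1:
        x, d = (x * p) % m, d + 1
    return d


def num_slots(m, p):
    """l = phi(m) / d, the number of irreducible factors of Phi_m modulo p."""
    return euler_phi(m) // mult_order(p, m)


def slot_roots(m, p):
    """Roots zeta^e of Phi_m in Z_p, e running over Z_m^* in increasing order.
    Only the fully split case d = 1 (as for m = 8, p = 17) is handled here."""
    if mult_order(p, m) != 1:
        raise ValueError("example needs Phi_m to split into linear factors mod p")
    zeta = next(z for z in range(2, p) if pow(z, m, p) == 1 and pow(z, m // 2, p) != 1)
    return [pow(zeta, e, p) for e in range(1, m) if gcd(e, m) == 1]


def decode_slots(a, m, p):
    """Polynomial -> slots: reduce modulo each factor (x - r), i.e. evaluate at r."""
    return [sum(c * pow(r, i, p) for i, c in enumerate(a)) % p for r in slot_roots(m, p)]


def encode_slots(slots, m, p):
    """Slots -> polynomial of degree < phi(m) by Lagrange interpolation (inverse CRT)."""
    roots = slot_roots(m, p)
    if len(slots) != len(roots):
        raise ValueError("need exactly one value per slot")
    a = [0] * len(roots)
    for i, (s, ri) in enumerate(zip(slots, roots)):
        basis, denom = [1], 1              # L_i(x) = prod_{j != i} (x - r_j) / (r_i - r_j)
        for j, rj in enumerate(roots):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)   # basis *= (x - r_j)
            for k, c in enumerate(basis):
                nxt[k + 1] = (nxt[k + 1] + c) % p
                nxt[k] = (nxt[k] - rj * c) % p
            basis, denom = nxt, denom * (ri - rj) % p
        coef = s * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            a[k] = (a[k] + coef * c) % p
    return a


def automorphism(a, k, p):
    """a(x) -> a(x^k) in Z_p[x]/(x^n + 1).  For k in Z_m^* this permutes the slots; with
    m = 8, x -> x^5 maps exponent e to 5e mod 8 (1->5, 3->7, 5->1, 7->3), a left rotation
    of the slot vector by 2, the slide's '2 left-rotated'."""
    n = len(a)
    out = [0] * n
    for i, c in enumerate(a):
        e = i * k
        sign = -1 if (e // n) % 2 else 1    # x^e = (-1)^(e div n) * x^(e mod n)
        out[e % n] = (out[e % n] + sign * c) % p
    return out


def total_sums(a, m, p):
    """Sum of a over all automorphisms: every slot ends up holding the sum of all slots."""
    acc = [0] * len(a)
    for k in range(1, m):
        if gcd(k, m) == 1:
            acc = ring_add(acc, automorphism(a, k, p), p)
    return acc
```

Two things worth noticing when running it. `packed_scalar_product([13] * 8, [13] * 8)` returns 0, because the true result 8 · 169 is a multiple of q: the ring never signals overflow, so p^r has to be chosen above the largest possible result (the point of the plaintext-space parameters on slide 48). And `decode_slots(automorphism(encode_slots([1, 2, 3, 4], 8, 17), 5, 17), 8, 17)` returns `[3, 4, 1, 2]`: since Z_8^* is not cyclic there is no automorphism that rotates all four slots by one position, which is why HElib's EncryptedArray works with generators of Z_m^* rather than a single rotation.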
42. Sample codes for other HElib routines
[code listing not recovered from the slide]
43. Noise estimation (reference: the HElib design document)
[the noise bounds were not recovered from the slide; the quantities listed are:]
•  Ok to decrypt
•  Fresh ciphertext
•  Modulus switch
•  Relinearization
•  Ctxt-plain addition
•  Ctxt-plain multiplication
44. Noise estimation (reference: the HElib design document)
•  Ctxt-ctxt addition
•  Ctxt-ctxt multiplication
•  Rotation: costs 1 ctxt-plain multiplication and 1 ctxt-plain addition
•  Shift: costs 2 ctxt-plain multiplications
45. Application on epidemiology
2×2 allele-count table; o_i are the observed counts, e_i the expected counts:

            a     A     a (expected)    A (expected)    Count
  Case      o1    o2    e1 = n3·n1/n    e2 = n4·n1/n    n1
  Control   o3    o4    e3 = n3·n2/n    e4 = n4·n2/n    n2
  Count     n3    n4                                    n
46–47. Application on epidemiology

            a     A     Count
  Case      o1    o2    n1
  Control   o3    o4    n2
  Count     n3    n4    n

Data:
•  genotypes [AA, Aa, aa, Aa, …] are encoded as x = [2, 1, 0, 1, …]
•  phenotypes [case, control, case, control, …] are encoded as y = [1, 0, 1, 0, …]
How to efficiently compute the scalar product of such vectors?  Packing!
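How the contingency table of slides 45–47 follows from the encoded vectors, as an added example that is not part of the slides. The only quantities that depend on the paired data are Σx, Σy and the scalar product ⟨x, y⟩; those are what the packed homomorphic computation has to deliver, and everything else is cheap arithmetic on four numbers after decryption. The placement of o1..o4 (rows Case/Control, columns a/A, with x counting the A allele: AA = 2, Aa = 1, aa = 0) is my reading of the slide's table, and the six-record data set is constructed, not real study data.

```python
# Added example (not from the slides): the 2x2 allele table and chi-square statistic
# from the encoded vectors x (AA = 2, Aa = 1, aa = 0) and y (case = 1, control = 0).
# Assumption: rows are Case/Control and columns are a/A, as read off the slide's table.
from fractions import Fraction

GENOTYPE_A_COUNT = {"AA": 2, "Aa": 1, "aa": 0}     # slide's encoding of x
PHENOTYPE = {"case": 1, "control": 0}              # slide's encoding of y


def encode_vectors(genotypes, phenotypes):
    """Map the textual records to the integer vectors x and y of the slides."""
    if len(genotypes) != len(phenotypes):
        raise ValueError("one phenotype per genotype record")
    return ([GENOTYPE_A_COUNT[g] for g in genotypes],
            [PHENOTYPE[ph] for ph in phenotypes])


def summary_statistics(x, y):
    """The three sums the evaluator has to produce; <x, y> is the packed scalar product."""
    return sum(x), sum(y), sum(a * b for a, b in zip(x, y))


def allele_table(n_individuals, sum_x, sum_y, xy):
    """Observed counts (o1, o2, o3, o4) = (Case-a, Case-A, Control-a, Control-A) and
    the marginals (n1, n2, n3, n4, n).  Each individual carries two alleles,
    x_i of them A and 2 - x_i of them a."""
    o2 = xy                                   # A alleles in cases    = sum x_i y_i
    o1 = 2 * sum_y - xy                       # a alleles in cases    = sum (2 - x_i) y_i
    o4 = sum_x - xy                           # A alleles in controls = sum x_i (1 - y_i)
    o3 = 2 * (n_individuals - sum_y) - o4     # a alleles in controls = sum (2 - x_i)(1 - y_i)
    n1, n2 = o1 + o2, o3 + o4                 # row totals: case / control alleles
    n3, n4 = o1 + o3, o2 + o4                 # column totals: a / A alleles
    n = n1 + n2                               # = 2 * n_individuals
    return {"o": (o1, o2, o3, o4), "n": (n1, n2, n3, n4, n)}


def chi_square(table):
    """sum_i (o_i - e_i)^2 / e_i with e1 = n3 n1 / n, e2 = n4 n1 / n,
    e3 = n3 n2 / n, e4 = n4 n2 / n, computed exactly with fractions."""
    o = table["o"]
    n1, n2, n3, n4, n = table["n"]
    if 0 in (n1, n2, n3, n4):
        raise ValueError("a margin is zero, the chi-square statistic is undefined")
    expected = [Fraction(n3 * n1, n), Fraction(n4 * n1, n),
                Fraction(n3 * n2, n), Fraction(n4 * n2, n)]
    return sum((oi - ei) ** 2 / ei for oi, ei in zip(o, expected))


def chi_square_from_records(genotypes, phenotypes):
    """End-to-end: records -> x, y -> (sum x, sum y, <x, y>) -> table -> statistic."""
    x, y = encode_vectors(genotypes, phenotypes)
    sx, sy, xy = summary_statistics(x, y)
    return chi_square(allele_table(len(x), sx, sy, xy))


# Constructed toy data set of six individuals (not real study data).
SAMPLE_GENOTYPES = ["AA", "Aa", "aa", "Aa", "AA", "aa"]
SAMPLE_PHENOTYPES = ["case", "control", "case", "control", "case", "control"]

if __name__ == "__main__":
    x, y = encode_vectors(SAMPLE_GENOTYPES, SAMPLE_PHENOTYPES)
    print("x =", x, "y =", y)
    print("sum x, sum y, <x,y> =", summary_statistics(x, y))
    print("chi-square =", chi_square_from_records(SAMPLE_GENOTYPES, SAMPLE_PHENOTYPES))
```

With N individuals the scalar product ⟨x, y⟩ and Σx are at most 2N, so when the sums are computed on packed ciphertexts the plaintext modulus p^r has to exceed 2N, otherwise the ring reduces the count modulo p^r without any error; that is the constraint behind the plaintext-space parameters on slide 48.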
48. Misc: example of choosing parameters
•  Problem: compute a chi-square test.
•  Main computation: scalar products of integer vectors.
•  Integer vectors: [not recovered]; data set size: [not recovered]
1.  Plaintext-space parameters: p, r
2.  Polynomial parameter m: need more than 2000 coefficients (or slots) to pack the N integers
3.  Levels parameter L:
    –  Pack into coefficients: only 1 multiplication is needed ⇒ L = 1
    –  Pack into subfields: 1 multiplication and 1 running sum are needed ⇒ L = 2 is better
4.  Check m again by calling FindM
49. Misc: FindM() & the number of slots
•  HElib provides such a function, FindM(k, L, p, m) in the slide's shorthand; its actual signature is FindM(k, L, c, p, d, s, chosen_m, verbose) with k the security parameter in bits, L the number of levels, c the number of columns in the key-switching matrices, p the plaintext base, d the required slot degree (0 = any), s the minimum number of slots and chosen_m a caller-suggested m (0 = let HElib choose).
   It prints out:
      *** Bound N=XXX, choosing m=YYY, phi(m)=ZZZ
   and the parameters give k-bit security if phi(m) >= N.
•  The number of slots is l = φ(m) / d, where d is the order of p modulo m (the degree of each irreducible factor of Φ_m mod p).
50. Misc: example of choosing parameters
•  Problem: compute the product of a matrix and a vector.
1.  Plaintext parameter: p^r > 8
2.  #slots >= 2 (pack each row (or column) into one ciphertext)
3.  Levels: L = 3 is probably good
4.  m is decided by FindM() according to L, p and #slots
[figure: worked 2×2 matrix–vector example]
51. Misc: rules of thumb
•  By default only half of the machine word is used for the level primes:
   1.  32-bit platform: build HElib with the -DNOT_HALF_PRIME flag
   2.  64-bit platform: [setting not recovered] before calling buildModChain()
•  Plaintext parameter p^r != 2: better to add more levels
[https://github.com/shaih/HElib/issues/52]
52. Misc: installing HElib
•  Install NTL (Number Theory Library): http://www.shoup.net/ntl/
•  Install GMP and the m4 macro processor it needs to build.
•  Install HElib: https://github.com/shaih/HElib
•  Multithreading needs g++ 4.9 (does not seem to work on Mac OS for now).
53. References
•  The design document inside the HElib repository.
•  Fully Homomorphic SIMD Operations. N. P. Smart et al.
•  Can Homomorphic Encryption be Practical? K. Lauter et al.
•  Secure Pattern Matching using Somewhat Homomorphic Encryption. M. Yasuda et al.
•  (Leveled) Fully Homomorphic Encryption without Bootstrapping. Z. Brakerski et al.
•  Fully Homomorphic Encryption with Polylog Overhead. C. Gentry et al.