Approximate Homomorphic Encryption and Privacy Preserving Machine - - PowerPoint PPT Presentation

Jung Hee Cheon (SNU, CryptoLab)

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning

Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM

• 1. Homomorphic Encryption
• 2. HEAAN
• 3. Bootstrapping of HEAAN
• 4. Toolkit for Homomorphic Computation

Outline

 Integer-based HE scheme

• RAD PH[1]
• (Secret Key, Operation Key) = (a large prime 𝑞, 𝑜 = 𝑞𝑟0)
• Encryption: 𝐹𝑜𝑑 𝑛 = 𝑛 + 𝑞𝑟 𝑛𝑝𝑒 𝑜
• Decryption: 𝐹𝑜𝑑 𝑛

𝑛𝑝𝑒 𝑞 = 𝑛

• 𝐹𝑜𝑑 𝑛1 + 𝐹𝑜𝑑 𝑛2 = 𝑛1 + 𝑞𝑟1 + 𝑛2 + 𝑞𝑟2

= 𝑛1 + 𝑛2 + 𝑞 𝑟1 + 𝑟2 = 𝐹𝑜𝑑 𝑛1 + 𝑛2

• DGHV HE scheme (on ℤ2)[2]
• 𝐹𝑜𝑑(𝑛 ∈ 𝑎2100) = 𝑛 + 2100𝑓 + 𝑞𝑟
• SECURE against quantum computing
• Use a polynomial ring 𝑆𝑟 = ℤ𝑟[𝑦]/(𝑦𝑜 + 1)

Homomorphic Encryption

But, INSECURE!

2100𝑓1 𝑛1 2100𝑓2 𝑛2

2200𝑓1𝑓2 + 2100 𝑛1𝑓2 + 𝑛2𝑓1 +

𝑛1𝑛2

X

• On Polynomials (RingLWE)
• [Gen09] ideal lattice
• NTRU: LTV12
• Ring-LWE: BV11b, GHS13, BLLN13, HEAAN etc
• On Integers (AGCD)
• [DGHV10] FHE over the Integers. Eurocrypt 2010
• CMNT11, CNT12, CCKLLTY13, CLT14, etc
• On Matrices (LWE)
• [BV11a] Efficient FHE from (Standard) LWE. FOCS11
• Bra12, BGV12, GSW13

Fully Homomorphic Encryption

• 1. 2009~2012: Plausibility and Scalable for Large Circuits
• [GH11] A single bit bootstrapping takes 30 minutes
• [GHS12b] 120 blocks of AES-128 (30K gates) in 36 hours
• 2. 2012~2015: Depth-Linear Construction
• [BGV12] Modulus/Key Switching
• [Bra12] Scale Invariant Scheme
• [HS14] IBM's open-source library Helib: AES evaluation in 4 minutes
• 3. 2015~Today: Usability
• Various schemes with different advantages (HEAAN, TFHE)
• Real-world tasks: Big data analysis, Machine learning
• Competitions for Private Genome Computation (iDash, 2014~)
• HE Standardization meetings (2017~)

Continued on next page

Summary of Progress in HE

Standardization: HomomorphicEncryption.org

1st Workshop (2017.7.13-14) 2nd Workshop (2018.3.15-16) 3rd Workshop (2018.10.20)

Jul 2017 in Microsoft, Redmond Mar 2018 in MIT Oct 2018 in Toronto

 Best Performing HE Schemes

Type Classical HE Fast Bootstrapping Approximate Computation Scheme [BGV12] BGV [Bra12, FV12] B/FV [DM15] FHEW [CGGI16] TFHE [CKKS17] HEAAN Plaintext Finite Field Packing Binary string Real/Complex numbers Packing Operation Addition, Multiplication Look-up table & bootstrapping Fixed-point Arithmetic Library HElib (IBM) SEAL (Microsoft Research) Palisade (Duality inc.) TFHE (Inpher, Gemalto, etc.) HEAAN (SNU)

Homomorphic Encryption

• 2. HEAAN: Approximate Homomorphic Encryption

Exact Multiplication

1.23 4.56 0.78 0.91 5.6088 0.7098 3.98112624 2.34 5.67 8.91 0.23 13.2678 2.0493 27.18970254 108.2456382397886496

• The plaintext size is doubled after a multiplication.

2 4 8 16

Approximate Multiplication

HEAAN [CKKS17]

• Rescale after a multiplication
• Tracing # of significands
• Most data is processed approximately in Data analysis or ML

1.23 4.56 0.78 0.91 5.6188 0.7198 3.98112624 2.34 5.67 8.91 0.23 13.2778 2.0593 27.19970254 108.2556382397886496 2 2 2 2

HEAAN = 慧眼 = Insightful Minds

[CKKS, AC17] Homomorphic Encryption for Arithmetic of Approximate Numbers https://eprint.iacr.org/2016/421.pdf

 Numerical Representation

• Encode 𝑛 into an integer 𝑛 ≈ 𝑞𝑦 for a scaling factor 𝑞 : 2 ↦ 1412 ≈

2 ⋅ 103

• Fixed–Point Multiplication
• Compute 𝑛 = 𝑛1𝑛2 and extract its significant digits 𝑛′ ≈ 𝑞−1 ⋅ 𝑛

: 1.234 × 5.678 = 1234 ⋅ 10−3

× 5678 ⋅ 10−3 = 7006652 ⋅ 10−6 ↦ 7007 ⋅ 10−3 = 7.007

 Previous HE on LWE problem (Regev, 2005)

• ct = Encsk 𝑛 , ct, sk = 𝑟

𝑢 𝑛 + 𝑓 mod 𝑟

• Modulo 𝑢 plaintext vs Rounding operation

Approximate Computation

𝑛 𝑟/𝑢 𝑓 𝑢

 A New Message Encoding

• ct = Encsk 𝑛 , ct, sk = 𝑞𝑛 + 𝑓

mod 𝑟

• Consider 𝑓 as part of approximation error

 Homomorphic Operations  Support for the (approximate) fixed-point arithmetic

• Leveled HE : 𝑟 = 𝑞𝑀

HEAAN

Input 𝜈1 ≈ 𝑞𝑛1, 𝜈2 ≈ 𝑞𝑛2 Addition 𝜈1 + 𝜈2 ≈ 𝑞 ⋅ (𝑛1 + 𝑛2) Multiplication 𝜈 = 𝜈1𝜈2 ≈ 𝑞2 ⋅ 𝑛1𝑛2 Rounding 𝜈′ ≈ 𝑞−1 ⋅ 𝜈 ≈ 𝑞 ⋅ 𝑛1𝑛2 𝜈1 = 𝑞𝑛1 + 𝑓1 𝑟 𝜈2 = 𝑞𝑛2 + 𝑓2 𝜈 = 𝑞2𝑛1𝑛2 + 𝑓 𝜈′ = 𝑞 ⋅ 𝑛1𝑛2 + 𝑓′ 𝑟/𝑞

 Construction over the ring

• A single ctx can encrypt a vector of plaintext values 𝑨 = (𝑨1, 𝑨2, … , 𝑨ℓ)
• Parallel computation in a SIMD manner 𝑨 ⊗ 𝑥 = (𝑨1𝑥1, 𝑨2𝑥2, … , 𝑨ℓ𝑥ℓ)

HEAAN Packed Ciphertext

Continued on next page

 Let 𝑆 = ℤ 𝑌 𝑌𝑜 + 1 and 𝑆𝑟 = 𝑆 mod 𝑟 = ℤ𝑟 𝑌 𝑌𝑜 + 1

• A ciphertext can encrypt a polynomial 𝑛 𝑌 ∈ 𝑆
• Note (m0+m1X+ … ) (m0’+m1’X+ … )= m0m0’+(m0m1’ +m0’m1)X+…
• Decoding/Encoding function

𝑆 = ℤ 𝑌 𝑌𝑜 + 1 ⊆ ℝ 𝑌 𝑌𝑜 + 1 → ℂ𝑜/2 where 𝑌𝑜 + 1 = 𝑌 − 𝜂1 𝑌 − 𝜂1

−1

𝑌 − 𝜂2 𝑌 − 𝜂2

−1 ⋯ 𝑌 − 𝜂 𝑜 2

𝑌 − 𝜂

𝑜 2 −1

• Example: 𝑜 = 4, 𝜂1 = 𝑓𝑦𝑞(𝜌𝑗/4), 𝜂2 = 𝑓𝑦𝑞(5𝜌𝑗/4)
• 𝑨 = 1 − 2𝑗, 3 + 4𝑗 ↦ 𝑛 𝑌 = 2 − 2 2 𝑌 + 𝑌2 −

2 𝑌3

• ↦ 𝜈 𝑌 = 2000 − 2828𝑌 + 1000𝑌2 − 1414 𝑌3
• 𝜈 𝜂1 ≈ 1000.15 − 1999.55 𝑗, 𝜈 𝜂2 ≈ 2999.85 + 3999.55 𝑗

RLWE-based HEAAN

𝑛 𝑌 ↦ 𝑨 = 𝑨1, … , 𝑨𝑜∕2 , 𝑨𝑗 = 𝜈 𝜂𝑗 ,

• 3. Bootstrapping of HEAAN

Bootstrapping

Decryption

𝐹𝑜𝑑𝑙(𝐿) 𝐹𝑜𝑑(𝑑)

c = 𝐹𝑜𝑑𝑙(𝑛; 𝑠) 𝐿 𝑛

𝐹𝑜𝑑𝑙 𝑛; 𝑠′ , 𝑠′: small

Safe Box

[1] Cheon-Han-Kim-Kim-Song: Bootstrapping for Approximate Homomorphic Encryption. EUROCRYPT 2018

• Old Ciphertext with large noise
• Encrypted Secret Key
• New ciphertext with small noise
• Evaluate Decrypt circuit

Input Output Process

• Ciphertexts of a leveled HE have a limited lifespan
• Refresh a ciphertext ct = Encsk 𝑛

by evaluating the decryption circuit homomorphically : Decsk ct = 𝑛 ⟺ 𝐺ct sk = 𝑛 where 𝐺ct ∗ = Dec∗ ct

• Bootstrapping key BK = Encsk(sk)

: 𝐺ct BK = 𝐺ct Encsk sk = Encsk 𝐺ct sk = Encsk(𝑛)

• Homomorphic operations introduce errors  Fine

: 𝐺ct BK = 𝐺ct Encsk sk = Encsk 𝐺ct sk + 𝑓 = Encsk(𝑛 + 𝑓)

• How to evaluate the decryption circuit (efficiently)?

: Decsk ct = ct, sk (mod 𝑟)

Bootstrapping

𝐸𝑓𝑑𝑡𝑙 𝑑𝑢 ↦ 𝑢 = 𝑑𝑢, 𝑡𝑙 ↦ 𝑢 𝑟 = 𝜈, 𝑢 = 𝑟𝐽 + 𝜈 for some 𝐽 < 𝐿

• Naïve solution: polynomial interpolation on [−𝐿𝑟, 𝐿𝑟]
• Huge depth, complexity & inaccurate result

Approximate Decryption

𝐸𝑓𝑑𝑡𝑙 𝑑𝑢 ↦ 𝑢 = 𝑑𝑢, 𝑡𝑙 ↦ 𝑢 𝑟 = 𝜈, 𝑢 = 𝑟𝐽 + 𝜈 for some 𝐽 < 𝐿

• Idea1: Restriction of domain 𝜈 ≪ 𝑟

Approximate Decryption

• Idea1: Restriction of domain 𝜈 ≪ 𝑟
• Idea 2: Sine approximation 𝜈 ≈ 𝑟

2𝜌 sin 𝜄 for 𝜄 = 2𝜌 𝑟 𝑢 (period:𝑟, slope at 0=1)

𝑟 1

𝐸𝑓𝑑𝑡𝑙 𝑑𝑢 ↦ 𝑢 = 𝑑𝑢, 𝑡𝑙 ↦ 𝑢 𝑟 = 𝜈, 𝑢 = 𝑟𝐽 + 𝜈 for some 𝐽 < 𝐿

Approximate Decryption

 Sine Evaluation

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

1

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

2

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

3

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

4

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

5

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

6

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

7

Bootstrapping of HEAAN

 Sine Evaluation

• Direct Taylor approximation
• Huge depth & complexity
• Idea 1: Low-degree approx. near 0
• 𝐷0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙 !

𝜄 2𝑠 2𝑙 ≈ cos 𝜄 2𝑠

• 𝑇0 𝜄 = 𝑙=0

𝑒 −1 𝑙 2𝑙+1 !

𝜄 2𝑠 2𝑙+1 ≈ sin( 𝜄 2𝑠)

• Idea 2: Iterate by double-angle formula
• 𝐷𝑙+1 𝜄 = 𝐷𝑙

2 𝜄 − 𝑇𝑙 2 𝜄 , 𝑇𝑙+1 𝜄 = 2𝑇𝑙 𝜄 ⋅ 𝐷𝑙 𝜄

• Numerically stable & Linear complexity

𝑇𝑠 𝜄 ≈ sin 𝜄

8

Bootstrapping of HEAAN

 Iteration vs Direct Computation

• 𝑇𝑠(𝜄) is obtained from 𝑇0(𝜄) and 𝐷0(𝜄) by 𝑠 iterations
• One computation of Double–angle formula: 2 squarings + 1 addition
• 𝑠 iterations take 2𝑠 squarings + 𝑠 additions
• Degree of 𝑇𝑠(𝜄) ≈ 2𝑠
• Direct Taylor Approximation
• 2𝑠 multiplications to get 2𝑠 degree approximation 𝑈2𝑠 of sine function

Bootstrapping of HEAAN

 Slot-Coefficient Switching

• Ring–based HEAAN
• Homomorphic operations on plaintext slots, not on coefficients
• We need to perform the modulo reduction on coefficients
• Pre/post computation before/after sine evaluation
• Depth consumption: Sine evaluation
• Complexity: Slot-Coefficient switchings (# of slots)
• Performance of Bootstrapping
• Experimental Results
• 127 + 12 = 139 s / 128 slots×12 bits
• 456 + 68 = 524 s / 128 slots×24 bits

Coefficient Plaintext Slots ℝ 𝑌 𝑌𝑜 + 1 ℂ

𝑜 2

𝑢 𝑌 = 𝑟 ⋅ 𝐽 𝑌 + 𝜈(𝑌) (𝑢0,𝑢1,… 𝑢𝑜−1) (𝜈0, 𝜈1,… , 𝜈𝑜−1) 𝜈 𝑌 = 𝜈0 + ⋯ + 𝜈𝑜−1𝑌𝑜−1 ① coeff to slot ② sine eval ③ slot to coeff

Bootstrapping of HEAAN

Speed of FHE

2011 2013 2014 2015 2016 2018 1-bit Amortized

1bit, 1800s 1bit, 0.7s 1bit, 0.052s *120s, 250K bit 172s, 531bit 320s, 16K bit

 1800s → 0.05s (1bit)  1800s → 0.00046s (Amortized) : 30K~300K times

*[CHH18]Faster Homomorphic Discrete Fourier Transforms and Improved FHE Bootstrapping, eprint, 1073, 2018/ Intel Xeon CPU E5-2620 2.10GHz, 64RAM

[GH11] Implementing Gentry’s Fully-Homomorphic Encryption Scheme, Eurocrypt 2011. [CCK+13] Batch Fully Homomorphic Encryption over the Integers, Eurocrypt 2013. [CLT14] Scale-Invariant Fully Homomorphic Encryption over the Integers, PKC 2014. [HS15] Bootstrapping for Helib, Eurocrypt 2015 [DM15] FHEW: Boostrapping Homomorpic Encryption in Less Than a Second, Eurocrypt 2015. [CGGI16] Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 Seconds, Asiacrypt 2016.

Secure Genome Analysis Competition

Hosted by by Sp Sponsored by by AIM AIM

Privacy Preserving Genom Analysis

Slide Courtesy of Xiaoqian Jiang (△ = too small iteration → hard to adapt for other data) Rank 1 3 △ △ 2 X X

2017 Track 3: Logistic Regression Training on Encrypted Data

2018 Track 2 : Secure Parallel Genome Wide Association Studies using HE

Team Submission Schemes End to End Performance Evaluation result ( F1- Score ) at different cutoffs Running time (mins) Peak Memory (M) 0.01 0.001 0.0001 0.00001 Gold Semi Gold Semi Gold Semi Gold Semi A*FHE A*FHE -1 + HEAAN 922.48 3,777 0.977 0.999 0.986 0.999 0.985 0.999 0.966 0.998 A*FHE -2 1,632.97 4,093 0.882 0.905 0.863 0.877 0.827 0.843 0.792 0.826 Chimera Version 1 + TFHE & HEAAN (Chimera) 201.73 10,375 0.979 0.993 0.987 0.991 0.988 0.989 0.982 0.974 Version 2 215.95 15,166 0.339 0.35 0.305 0.309 0.271 0.276 0.239 0.253 Delft Blue Delft Blue HEAAN 1,844.82 10,814 0.965 0.969 0.956 0.944 0.951 0.935 0.884 0.849 UC San Diego Logistic Regr + HEAAN 1.66 14,901 0.983 0.993 0.993 0.987 0.991 0.989 0.995 0.967 Linear Regr 0.42 3,387 0.982 0.989 0.980 0.971 0.982 0.968 0.925 0.89 Duality Inc Logistic Regr + CKKS (Aka HEAAN), pkg: PALISADE 3.8 10,230 0.982 0.993 0.991 0.993 0.993 0.991 0.990 0.973 Chi2 test 0.09 1,512 0.968 0.983 0.981 0.985 0.980 0.985 0.939 0.962 Seoul National University SNU-1 HEAAN 52.49 15,204 0.975 0.984 0.976 0.973 0.975 0.969 0.932 0.905 SNU-2 52.37 15,177 0.976 0.988 0.979 0.975 0.974 0.969 0.939 0.909 IBM IBM-Complex CKKS (Aka HEAAN), pkg: HElIb 23.35 8,651 0.913 0.911 0.169 0.188 0.067 0.077 0.053 0.06 IBM- Real 52.65 15,613 0.542 0.526 0.279 0.28 0.241 0.255 0.218 0.229

Slide Courtesy of Xiaoqian Jiang

• 4. T

Too

• olkit

it for

• r H

Hom

• mom
• mor
• rphic

hic Com

• mput

utati ation

• n

 Packing Method

• HEAAN supports vector operations
• How can we compute matrix operations for ciphertexts?
• Matrix Encoding method

How

• w to
• Pack

ck

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Encode

1 2 ⋯ 16

𝑑 = 𝐹𝑜𝑑( )

 Packing Method

• Matrix addition : trivial
• Matrix multiplication : non-trivial (exercise)
• Row/column rotation?

How

• w to
• ro

rotate

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 4 1 2 3 8 5 6 7 12 9 10 11 16 13 14 15

𝑠𝑝𝑢 𝑑, 1 = 𝐹𝑜𝑑(

16 1 ⋯ 15

) =

16 1 2 3 4 5 6 7 18 9 10 11 12 13 14 15

(wrong)

 Packing Method

• Solution : using masking vector

How

• w to
• ro

rotate

16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

⊙

1 1 1 1 1 1 1 1 1 1 1 1

=

1 2 3 5 6 7 9 10 11 13 14 15

𝑠𝑝𝑢 𝑑, 1 ⊙ 𝑛𝑏𝑡𝑙 =

4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3

⊙

1 1 1 1

=

4 8 12 16

𝑠𝑝𝑢 𝑑, −3 ⊙ 𝑛𝑏𝑡𝑙′ = ∴ 𝐷𝑝𝑚𝑆𝑝𝑢 (𝑑) = 𝑠𝑝𝑢 𝑑, 1 ⊙ 𝑛𝑏𝑡𝑙 + 𝑠𝑝𝑢 𝑑, −3 ⊙ 𝑛𝑏𝑡𝑙′ =

4 1 2 3 8 5 6 7 12 9 10 11 16 13 14 15

 Message Space

• Bit-wise HE: ℤ2={0,1} with logical gates
• Good at gate operations but slow at arithmetic.
• Word-wise HE: ℂ or ℤ𝑞 with add. & mult.
• Good at poly evaluation but hard to evaluate non-poly function.

 Idea: Use Polynomial Approximation for Non-Poly Functions!

• Don’t use naïve Taylor Approx. It is local i.e. approx at a point
• Minimize errors on an interval
• Methods: Least Square, Chevyshev, Minimax …

Polynomial Approximation

Application : Homomorphic Logistic Regression [HHCP]

• Need to evaluate sigmoid function : 1/(1+exp(-x))
• Real Financial Large Data (Provided by KCB)
• About 400,000 samples with 200 features.
• Target value = “credit score”

Polynomial Approximation

 Idea: 𝐷𝑝𝑛𝑞 𝑏, 𝑐 = lim

𝑙→∞ 𝑏𝑙 𝑏𝑙+𝑐𝑙 for a,b>0

• 1. Compute approximately (Take only the msb of the results)
• 2. Choose k as a power of 2
• 3. Use iteration algorithms for division

Comparison

Method hod Scheme eme (Amor mortized) tized) Ru Runnin nning tim ime # of pair irs Error Bit-wise HElib ≈ 1 ms 1800 TFHE ≈ 1 ms

• Ours

s

(W (Word rd-wi wise se)

HEAA AAN 0.73 ms 216 < 2-8

 General Max 𝑁𝑏𝑦 𝑏1, … , 𝑏𝑢 = lim

𝑙→∞ 𝑏1

𝑙+1+⋯+𝑏𝑢 𝑙+1

𝑏1𝑙+⋯+𝑏𝑢𝑙

for ai>0  2nd 𝑁𝑏𝑦 𝑏1, … , 𝑏𝑢 = lim

𝑙→∞ 𝑏1

𝑙+1+⋯+𝑏𝑢 𝑙+1−𝑛𝑏𝑦𝑙+1

𝑏1𝑙+⋯+𝑏𝑢𝑙−𝑛𝑏𝑦𝑙

 Applications: k-max, threshold counting, clustering, …

Min/Max

 Fast\Merge Sort: O(klogk)

• Comparison-based algorithm doesn’t work on HE
• We cannot check min-max condition

 Sorting Network: O(klog2k)

• Comparison network that always sort their inputs
• Data-independent algorithm

 Results

• 64 slots : about 12 min. (previous work : 42 min. [EGN+15])
• 32,768 slots : about 10.5 hour (previous work: impractical)

So Sort rting ng on

• n E

Enc ncry rypted Data

 Basic Tools:  Packing, Matrix Operation, Comparison, Approximate inv/sigmoid,  Decision Tree: Packing, Comparison  Boosting: Comparison and Gradient Decent  Deep Neural Network: Fast matrix operations + Approximate  Convolution Neural Network: + Comparison

Toward

• ward Hom
• mom
• mor
• rphi

phic c Ma Mach chine ne Learn rning ng

 HEAAN natively supports for the (approximate) fixed point arithmetic  Ciphertext modulus log 𝑟 = 𝑀 log 𝑞 grows linearly  Useful when evaluating analytic functions approximately:

• Polynomial
• Multiplicative Inverse
• Trigonometric Functions
• Exponential Function (Logistic Function, Sigmoid Function)

 Packing technique based on DFT

• SIMD (Single Instruction Multiple Data) operation
• Rotation on plaintext slots:

HEAAN: Summary

𝑨 = 𝑨1, … , 𝑨

𝑜 2

↦ 𝑨′ = (𝑨2, … , 𝑨

𝑜 2, 𝑨1)

Thank you for your attention! 감사합니다.