October 2015 FHEMMAPs Summer School Paris PRACTICAL FHE
October 2015 FHE+MMAPs Summer School, Paris PRACTICAL (F)HE Shai Halevi Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping 1
October 2015 FHE+MMAPs Summer School, Paris 2 Using FHE in “Real World” Settings •
October 2015 FHE+MMAPs Summer School, Paris 3 Using FHE in “Real World” Settings •
October 2015 FHE+MMAPs Summer School, Paris 4 Using FHE in “Real World” Settings • Useful to compute AES. dec homomorphically
October 2015 FHE+MMAPs Summer School, Paris How to Implement? • 5
Three Generations of HE Schemes • 1 G. First plausible candidate in [Gen’ 09] • Ciphertext is “noisy”, noise grows with computation, once too noisy, the “signal” is lost • log(Noise-magnitude) proportional to the degree of the evaluated function Parameters must be huge, to allow large noise • 2 G. [BV’ 11, BGV’ 12, …]: Better noise control • Noise grows linearly with degree • “Ciphertext packing” with many plaintext elements 6
Three Generations of HE Schemes • 1 G. Fast accumulation of noise • 2 G. Better noise management + packing • 3 G. [GSW 13, …]: “Asymmetric” noise growth • Very slow noise growth for some circuits • But slow noise growth in 3 G is incompatible with ciphertext-packing (as far as we know) • For efficiency, we have a choice: • 2 G+packing (faster asymptotically) • or 3 G+small-noise (sometimes faster in practice) 7
October 2015 FHE+MMAPs Summer School, Paris 8 Here: 2 nd Generation Scheme [BGV’ 12] •
October 2015 FHE+MMAPs Summer School, Paris Homomorphic Operations • 9
October 2015 How to Multiply • FHE+MMAPs Summer School, Paris 10
October 2015 How to Multiply • FHE+MMAPs Summer School, Paris 11
October 2015 FHE+MMAPs Summer School, Paris How to Multiply • • Use bit-decomposition? • This works, but we do something else here 12
October 2015 FHE+MMAPs Summer School, Paris How to Multiply • 13
October 2015 FHE+MMAPs Summer School, Paris How to Multiply • this is small 14
October 2015 How to Multiply • FHE+MMAPs Summer School, Paris 15
October 2015 FHE+MMAPs Summer School, Paris Noise Growth for Multiplication • 16
October 2015 17 FHE+MMAPs Summer School, Paris How Does Modulus-Switching Help? • Using mod-switching Without mod-switching Noise Modulus Fresh ciphertexts Level-1, degree=2 Level-2, degree=4 decryption errors
October 2015 The Moduli Chain • FHE+MMAPs Summer School, Paris 18
October 2015 FHE+MMAPs Summer School, Paris The BGV Multiplication Procedure • 19
October 2015 FHE+MMAPs Summer School, Paris Implementation Details • 20
October 2015 FHE+MMAPs Summer School, Paris 21 Moduli and Ciphertext Representation •
October 2015 FHE+MMAPs Summer School, Paris Ciphertext Operations • 22
October 2015 FHE+MMAPs Summer School, Paris Operation Cost • Cost measured in time, added-noise Operation Time Add / Add-Const Cheap Mult-by-Const Cheap Mult+Key. Switch Expensive Noise Cheap Moderate Expensive 23
October 2015 Tradeoffs • FHE+MMAPs Summer School, Paris 24
October 2015 FHE+MMAPs Summer School, Paris Changing the Decryption Invariant • 25
October 2015 FHE+MMAPs Summer School, Paris Mod-Switching Optimization • 27
October 2015 FHE+MMAPs Summer School, Paris Mod-Switching Optimization • 1 i. FFT 28
October 2015 FHE+MMAPs Summer School, Paris Mod-Switching Optimization • 29
October 2015 FHE+MMAPs Summer School, Paris Key-Switching Optimization • 30
October 2015 FHE+MMAPs Summer School, Paris Key-Switching Optimization • 31
October 2015 FHE+MMAPs Summer School, Paris When to Mod-Switch? • 32
October 2015 FHE+MMAPs Summer School, Paris When to Mod-Switch? • 33
October 2015 FHE+MMAPs Summer School, Paris 34 How Far to Mod-Switch? • Roughly, until the noise after mod-switching is dominated by the added noise term • Maintain noise estimates with ciphertexts, use estimates to make these decisions • Estimate must be somewhat conservative, small under-estimation will lead to wrong mod-switch decisions, escalating quickly
October 2015 FHE+MMAPs Summer School, Paris 35 Some Numbers (March 2015) • Numbers are just a sample, not all taken on the same machine, some are extrapolated Key. Gen Enc Depth =10 4 Depth =20 Depth =56 Dec Add 0. 07 Mult- Multilpy Const 0. 03 0. 0004 0. 007 0. 1 11 0. 21 0. 001 0. 016 0. 3 102 1. 37 0. 16 0. 01 0. 06 1. 5 Timing in seconds
October 2015 FHE+MMAPs Summer School, Paris Some Numbers (March 2015) Memory Depth =10 <2 GB Depth =20 3. 6 GB Depth =56 23 GB 36
October 2015 FHE+MMAPs Summer School, Paris TIME FOR A BREAK 37
- Slides: 36