Design and Implementation of a Homomorphic ... - Researcher

More documents

Recommendations

Info

EncryptedArrayMod2r ea(context); long nslots = ea.size(); // An EncryptedArrayMod2r object // number of plaintext slots /*** Encrypt random arrays over Z_{32} ***/ vector p0, p1, p2, p3; ea.random(p0); ea.random(p1); ea.random(p2); ea.random(p3); vector const1, const2; ea.random(const1); ea.random(const2); // Choose random arrays // two more random "constants" ZZX const1_poly, const2_poly; // encode constants as polynomials ea.encode(const1_poly, const1); ea.encode(const2_poly, const2); // Encrypt the random arrays Ctxt c0(publicKey), c1(publicKey), c2(publicKey), c3(publicKey); ea.encrypt(c0, publicKey, p0); ea.encrypt(c1, publicKey, p1); ea.encrypt(c2, publicKey, p2); ea.encrypt(c3, publicKey, p3); /*** Perform homomorphic operations ***/ c1.multiplyBy(c0); c0.addConstant(const1_poly); c2.multByConstant(const2_poly); // also does mod-switching, key-switching Ctxt tmp(c1); // tmp = c1 long amt = RandomBnd(2*(nslots/2)+1)-(nslots/2); // in [-nslots/2..nslots/2] ea.shift(tmp, amt); // rotate tmp by amt c2 += tmp; // then add to c2 amt = RandomBnd(2*nslots-1) - (nslots-1); ea.rotate(c2, amt); // in [-(nslots-1)..nslots-1] c1.negate(); c3.multiplyBy(c2); c0 -= c3; /*** Decrypt the results of the computation ***/ vector pp0, pp1, pp2, pp3; ea.decrypt(c0, secretKey, pp0); ea.decrypt(c1, secretKey, pp1); ea.decrypt(c2, secretKey, pp2); ea.decrypt(c3, secretKey, pp3); 36
References [1] L. I. Bluestein. A linear filtering approach to the computation of the discrete fourier transform. Northeast Electronics Research and Engineering Meeting Record 10, 1968. [2] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully homomorphic encryption without bootstrapping. In Innovations in Theoretical Computer Science (ITCS’12), 2012. Available at http://eprint.iacr.org/2011/277. [3] C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009, pages 169–178. ACM, 2009. [4] C. Gentry, S. Halevi, and N. Smart. Fully homomorphic encryption with polylog overhead. In ”Advances in Cryptology - EUROCRYPT 2012”, volume 7237 of Lecture Notes in Computer Science, pages 465–482. Springer, 2012. Full version at http://eprint.iacr.org/2011/566. [5] C. Gentry, S. Halevi, and N. Smart. Homomorphic evaluation of the AES circuit. In ”Advances in Cryptology - CRYPTO 2012”, volume 7417 of Lecture Notes in Computer Science, pages 850–867. Springer, 2012. Full version at http://eprint.iacr.org/2012/099. [6] C. Gentry, S. Halevi, and N. P. Smart. Better bootstrapping in fully homomorphic encryption. In Public Key Cryptography - PKC 2012, volume 7293 of Lecture Notes in Computer Science, pages 1–16. Springer, 2012. [7] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In H. Gilbert, editor, Advances in Cryptology - EUROCRYPT’10, volume 6110 of Lecture Notes in Computer Science, pages 1–23. Springer, 2010. [8] R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages 169–177. Academic Press, 1978. [9] V. Shoup. NTL: A Library for doing Number Theory. http://shoup.net/ntl/, Version 5.5.2, 2010. [10] N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. Manuscript at http://eprint.iacr.org/2011/133, 2011. A Proof of noise-estimate Recall that we observed empirically that for a random Hamming-weight-H polynomial s with coefficients −1/0/1 and an integral power r we have E[|s r (τ)| 2r ] ≈ r! · H r , where τ is the principal complex m-th root of unity, τ = e 2πi/m . To simplify the proof, we analyze the case that each coefficient of s is chosen uniformly at random from −1/0/1, so that the expected Hamming weight is H. Also, we assume that s is chosen as a degree-(m − 1) polynomial (rather than degree φ(m) − 1). Theorem 1. Suppose m, r, H are positive integers, with H ≤ m, and let τ = e 2πi/m ∈ C. Suppose that we choose f 0 , . . . , f m−1 independently, where for i = 0, . . . , m − 1, f i is ±1 with probability 37
Page 1 and 2: Design and Implementation of a Homo
Page 3 and 4: Organization of This Report We begi
Page 5 and 6: mod q l . A polynomial a ∈ A q is
Page 7 and 8: On subsequent calls with the same p
Page 9 and 10: void mapToSlots(vector& maps, const
Page 11 and 12: 2.6.2 The IndexMap class The class
Page 13 and 14: void addPrimes(const IndexSet& s);
Page 15 and 16: void sampleGaussian(double stdev=3.
Page 17 and 18: ool isOne() const; // does it point
Page 19 and 20: variable s(τ m ) (defined over the
Page 21 and 22: space modulus p), we need to conver
Page 23 and 24: with ˜c 2 = [ ∑ j c′′ j ] qQ
Page 25 and 26: Automorphism. “Raw” automorphis
Page 27 and 28: all the a i ’s are derived. The b
Page 29 and 30: from t in G i , then keySwitchMap[i
Page 31 and 32: void addAllMatrices(FHESecKey& sKey
Page 33 and 34: and X ↦→ X f k−ord(f i ) i an
Page 35 and 36: (since the plaintext values can be
Page 37: *** Perform homomorphic operations
Page 41 and 42: Here, each index i t runs over the

Design and Implementation of a Homomorphic ... - Researcher

Create successful ePaper yourself

Delete template?

Save as template?