Design and Implementation of a Homomorphic ... - Researcher

More documents

Recommendations

Info

‖a‖ canon 2 . The basic operations that we have in this scheme are the usual key-generation, encryption, and decryption, the homomorphic evaluation routines for addition, multiplication and automorphism (and also addition-of-constant and multiplication-by-constant), and the “ciphertext maintenance” operations of key-switching and modulus-switching. These are described in the rest of this report, but first we describe our plaintext encoding conventions and our Double-CRT representation of polynomials. 1.1 Plaintext Slots The native plaintext space of our variant of BGV are elements of A 2 , and the polynomial Φ m (X) factors modulo 2 into l irreducible factors, Φ m (X) = F 1 (X)·F 2 (X) · · · F l (X) (mod 2), all of degree d = φ(m)/l. Just as in [2, 4, 10] each factor corresponds to a “plaintext slot”. That is, we can view a polynomial a ∈ A 2 as representing an l-vector (a mod F i ) l i=1 . More specifically, for the purpose of packing we think of a polynomial a ∈ A 2 not as a binary polynomial but as a polynomial over the extension field F 2 d (with some specific representation), and the plaintext values that are encoded in a are its evaluations at l specific primitive m-th roots of unity in F 2d . In other words, if ρ ∈ F 2 d is a particular fixed primitive m-th root of unity, and our distinguished evaluation points are ρ t 1 , ρ t 2 , . . . , ρ t l (for some set of indexes T = {t 1 , . . . , t l }), then the vector of plaintext values encoded in a is: ( a(ρ t j ) : t j ∈ T ) . See Section 2.4 for a discussion of the choice of representation of F 2 d and the evaluation points. It is standard fact that the Galois group Gal = Gal(Q(ρ m )/Q) consists of the mappings κ k : a(X) ↦→ a(X k ) mod Φ m (X) for all k co-prime with m, and that it is isomorphic to Z ∗ m. As noted in [4], for each i, j ∈ {1, 2, . . . , l} there is an element κ k ∈ Gal which sends an element in slot i to an element in slot j. Indeed if we set k = t −1 j · t i (mod m) and b = κ k (a) then we have b(ρ t j ) = a(ρ t jk ) = a(ρ t j·t −1 j t i ) = a(ρ t i ), so the element in the j’th slot of b is the same as that in the i’th slot of a. In addition to these “datamovement maps”, Gal contains also the Frobenius maps, X −→ X 2i , which also act as Frobenius on the individual slots separately. We note that the values that are encoded in the slots do not have to be individual bits, in general they can be elements of the extension field F 2 d (or any sub-field of it). For example, for the AES application we may want to pack elements of F 2 8 in the slots, so we choose the parameters so that F 2 8 is a sub-field of F 2 d (which means that d is divisible by 8). 1.2 Our Modulus Chain and Double-CRT Representation We define the chain of moduli by choosing L + 1 “small primes” p 0 , p 1 , . . . , p L and the l’th modulus in our chain is defined as q l = ∏ l j=0 p j. The primes p i ’s are chosen so that for all i, Z/p i Z contains a primitive m-th root of unity (call it ζ i ) so Φ m (X) factors modulo p i to linear terms Φ m (X) = ∏ j∈Z ∗ (X − ζj m i ) (mod p i). A key feature of our implementation is that we represent an element a ∈ A ql via double-CRT representation, with respect to both the integer factors of q l and the polynomial factor of Φ m (X) 2
mod q l . A polynomial a ∈ A q is represented as the (l + 1) × φ(m) matrix of its evaluation at the roots of Φ m (X) modulo p i for i = 0, . . . , l: ( ) DoubleCRT l (a) = a(ζ j i ) mod p i . 0≤i≤l, j∈Z ∗ m Addition and multiplication in A q can be computed as component-wise addition and multiplication of the entries in the two tables (modulo the appropriate primes p i ), DoubleCRT l (a + b) = DoubleCRT l (a) + DoubleCRT l (b), DoubleCRT l (a · b) = DoubleCRT l (a) · DoubleCRT l (b). Also, for an element of the Galois group κ ∈ Gal, mapping a(X) ∈ A to a(X k ) mod Φ m (X), we can evaluate κ(a) on the double-CRT representation of a just by permuting the columns in the matrix, sending each column j to column j · k mod m. 1.3 Modules in our Library Very roughly, our HE library consists of four layers: in the bottom layer we have modules for implementing mathematical structures and various other utilities, the second layer implements our Double-CRT representation of polynomials, the third layer implements the cryptosystem itself (with the “native” plaintext space of binary polynomials), and the top layer provides interfaces for using the cryptosystem to operate on arrays of plaintext values (using the plaintext slots as described in Section 1.1). We think of the bottom two layers as the “math layers”, and the top two layers as the “crypto layers”, and describe then in detail in Sections 2 and 3, respectively. A block-diagram description of the library is given in Figure 1. Roughly, the modules NumbTh, timing, bluestein, PAlgebra, PAlgebraModTwo, PAlgebraMod2r, Cmodulus, IndexSet and IndexMap belong to the bottom layer, FHEcontext, SingleCRT and DoubleCRT belong to the second layer, FHE, Ctxt and KeySwitching are in the third layer, and EncryptedArray and EncryptedArrayMod2r are in the top layer. 2 The Math Layers 2.1 The timing module This module contains some utility function for measuring the time that various methods take to execute. To use it, we insert the macro FHE TIMER START at the beginning of the method(s) that we want to time and FHE TIMER STOP at the end, then the main program needs to call the function setTimersOn() to activate the timers and setTimersOff() to pause them. We can have at most one timer per method/function, and the timer is called by the same name as the function itself (using the pre-defiend variable func ). To obtain the value of a given timer (in seconds), the application can use the function double getTime4func(const char *fncName), and the function printAllTimers() prints the values of all timers to the standard output. 2.2 NumbTh: Miscellaneous Utilities This module started out as an implementation of some number-theoretic algorithms (hence the name), but since then it grew to include many different little utility functions. For example, CRT- 3
Page 1 and 2: Design and Implementation of a Homo
Page 3: Organization of This Report We begi
Page 7 and 8: On subsequent calls with the same p
Page 9 and 10: void mapToSlots(vector& maps, const
Page 11 and 12: 2.6.2 The IndexMap class The class
Page 13 and 14: void addPrimes(const IndexSet& s);
Page 15 and 16: void sampleGaussian(double stdev=3.
Page 17 and 18: ool isOne() const; // does it point
Page 19 and 20: variable s(τ m ) (defined over the
Page 21 and 22: space modulus p), we need to conver
Page 23 and 24: with ˜c 2 = [ ∑ j c′′ j ] qQ
Page 25 and 26: Automorphism. “Raw” automorphis
Page 27 and 28: all the a i ’s are derived. The b
Page 29 and 30: from t in G i , then keySwitchMap[i
Page 31 and 32: void addAllMatrices(FHESecKey& sKey
Page 33 and 34: and X ↦→ X f k−ord(f i ) i an
Page 35 and 36: (since the plaintext values can be
Page 37 and 38: *** Perform homomorphic operations
Page 39 and 40: References [1] L. I. Bluestein. A l
Page 41 and 42: Here, each index i t runs over the

Design and Implementation of a Homomorphic ... - Researcher

Create successful ePaper yourself

Delete template?

Save as template?