Practical (F)HE Part III – Bootstrapping

Practical (F)HE Part III – Bootstrapping
October 2015 FHE+MMAPs Summer School, Paris Practical (F)HE Part III – Bootstrapping Shai Halevi

Reminder: Operation Cost
October 2015 FHE+MMAPs Summer School, Paris Reminder: Operation Cost Cost measured in time, added-noise Operation Time Noise Add / Add-Const Cheap Mult-by-Const Moderate* Mult+KeySwitch Expensive Automorphism+KeySwitch * “Moderate” noise ≈√𝑚 even for multiplying by a 0-1 constant vector

Recryption for BGV [GHS’12c, AP’13,HS’15]
October 2015 FHE+MMAPs Summer School, Paris Recryption for BGV [GHS’12c, AP’13,HS’15] Decryption formula is 𝑝𝑡= 𝒄𝒕,𝒔𝒌 𝑞 𝑝 Observation: For 𝑞 close to a large 𝑝-power, this formula can be simplified Roughly if 𝑞= 𝑝 𝑒 +1 then 𝒖≔ 𝒔𝒌,𝒄𝒕 𝒑 𝒆+𝟏 , 𝒑𝒕≔𝒍𝒔𝒃 𝒖 −𝒎𝒔𝒃(𝒖)

Simplified Decryption
October 2015 FHE+MMAPs Summer School, Paris Simplified Decryption Notations: for an integer 𝑧 in base-p encoding 𝑧 𝑖 is the 𝑖th digit, an integer in [−𝑝/2,𝑝/2) 𝑧 𝑗…𝑖 are digits 𝑖 through 𝑗, in [− 𝑝 𝑗−𝑖+1 /2, 𝑝 𝑗−𝑖+1 /2) Lemma: For plaintext space mod 𝒑 𝒓 and modulus 𝒒 = 𝒑 𝒆 + 𝟏 with 𝑒≥𝑟+2, let 𝑧 be an integer with 𝒛 <𝒒(𝒒−𝟏)/𝟒, 𝒛 𝒒 <𝒒/𝟒, then For odd 𝑝 we have, 𝒛 𝒒 = 𝒛 𝒓−𝟏…𝟎 −𝒛 𝒆+𝒓−𝟏…𝒆 (𝒎𝒐𝒅 𝒑 𝒓 ) For 𝑝=2 we have, 𝒛 𝒒 = 𝒛 𝒓−𝟏…𝟎 −𝒛 𝒆+𝒓−𝟏…𝒆 −𝒛 𝒆−𝟏 (𝒎𝒐𝒅 𝟐 𝒓 )

Simplified Decryption
October 2015 FHE+MMAPs Summer School, Paris Simplified Decryption The term −𝑧 𝑒−1 for 𝑝=2 is only needed to handle negative 𝑧 in 2’s complement Proof (for 𝑝=2, positive 𝑧, 𝑧 𝑞 ): 𝑧= 𝑧 𝑞 +𝑘𝑞 for small 𝑘 𝑘 and 𝑧 𝑞 are small, so no carry bits from 1 to 2 𝑒  the same bit is added to 𝑧 0 and to 𝑧 𝑒 Also, 𝑒 𝑡ℎ bit of 𝑧 𝑞 is zero  𝑧 𝑞 0 =𝑧 0 −𝑧 𝑒

FHE+MMAPs Summer School, Paris
October 2015 FHE+MMAPs Summer School, Paris Recryption for BGV Assume for now 𝑝=2, no packing Choose 𝑞= 2 𝑒 +1>4⋅ |noise| Simplified decryption process is 𝒖≔ 𝒔𝒌,𝒄𝒕 𝟐 𝒆+𝟏 , 𝒑𝒕≔𝒖 𝒆 ⊕𝒖 𝒆−𝟏 ⊕𝒖 𝟎 Store 𝐸𝑛 𝑐 𝑝𝑘 (𝑠𝑘) wrt plaintext space 𝑝 ′ = 2 𝑒+1 Computing 𝑢 homomorphically is easy Harder to extraction 𝑢 𝑒 , 𝑢 𝑒−1 homomorphically

Homomorphic Bit-Extraction
October 2015 FHE+MMAPs Summer School, Paris Homomorphic Bit-Extraction We have 𝑐=𝐸𝑛𝑐 𝑢 (wrt ptxt space mod- 2 𝑒+1 ) Want to compute 𝑐 ′ =𝐸𝑛𝑐( 𝑢 ′ ) for 𝑢 ′ =𝑢 𝑒 Is there an arithmetic circuit modulo 2 𝑒+1 that transforms 𝑢 to 𝑢 ′ ? Not really, the output LBS in mod- 2 𝑒+1 arithmetic circuit depends only on the input LSBs We could do it with divide-by-2 gates But can we implement them homomorphically?

Homomorphic “Restricted Division”
October 2015 FHE+MMAPs Summer School, Paris Homomorphic “Restricted Division” With plaintext space mod 𝑝 𝑒 , consider a ciphertext 𝑐𝑡, encrypting some plainetxt 𝑝𝑡 𝒔𝒌,𝒄𝒕 𝒒 =𝒑𝒕+ 𝒑 𝒆 ⋅𝒏𝒐𝒊𝒔𝒆 Suppose we know that 𝑝𝑡 is divisible by 𝑝 Let 𝒄 𝒕 ′ = 𝒄𝒕⋅ 𝒑 −𝟏 𝒒 , then 𝒔𝒌,𝒄𝒕′ 𝒒 =𝒑𝒕/𝒑+ 𝒑 𝒆−𝟏 ⋅𝒏𝒐𝒊𝒔𝒆 𝑐 𝑡 ′ encypts 𝑝𝑡/𝑝 wrt plaintext space mod 𝑝 𝑒−1

October 2015 FHE+MMAPs Summer School, Paris [GHS12c] Homomorphic Bit-Extraction We can divide-by-2 homomorphically if we know that the plaintext is even Observation: squaring 𝑘 times keep LSB, zero-out the 𝑘 bits above it 𝑦 0 =𝑧 then 𝑦 0 0 =𝑧 0 𝑥 1 =𝑧− 𝑦 0 2 is even and 𝑥 1 1 =𝑧 1 Setting 𝑦 1 = 𝑥 1 /2, we have 𝑦 1 0 =𝑧 1 𝑥 2 =𝑧− 𝑦 0 4 −2 𝑦 1 2 divisible by 4 and 𝑥 2 2 =𝑧 2 Setting 𝑦 2 = 𝑥 2 /4, we have 𝑦 2 0 =𝑧 2 Etc.

October 2015 FHE+MMAPs Summer School, Paris [AP13] Homomorphic Bit-Extraction We have integer 𝑧, want to extract 𝑧 𝑒 𝑤 0,0 ←𝑧 // invariant: 𝑤 𝑘,𝑘 0 =𝑧 𝑘 For 𝑘←0 to 𝑒−1: 𝑦←𝑧 For 𝑗←0 to 𝑘 // remove low bits, one by one 𝑤 𝑗,𝑘+1 ← 𝑤 𝑗,𝑘 2 𝑦←(𝑦− 𝑤 𝑗,𝑘+1 )/2 // 𝑦− 𝑤 𝑗,𝑘+1 is even 𝑤 𝑘+1,𝑘+1 ←𝑦 // we are left with the 𝑘’th bit Output 𝑤 𝑒,𝑒

Homomorphic Digit-Extraction (𝑝>2)
October 2015 FHE+MMAPs Summer School, Paris Homomorphic Digit-Extraction (𝑝>2) We have integer 𝑧, want to extract 𝑧 𝑒 𝑤 0,0 ←𝑧 // invariant: 𝑤 𝑘,𝑘 0 =𝑧 𝑘 For 𝑘←0 to 𝑒−1: 𝑦←𝑧 For 𝑗←0 to 𝑘 // remove low digits 𝑤 𝑗,𝑘+1 ← 𝑤 𝑗,𝑘 𝑝 ?? 𝑦←(𝑦− 𝑤 𝑗,𝑘+1 )/𝑝 // 𝑝 | (𝑦− 𝑤 𝑗,𝑘+1 ) 𝑤 𝑘+1,𝑘+1 ←𝑦 // we are left with the 𝑘’th digit Output 𝑤 𝑒,𝑒 This does not work

October 2015 FHE+MMAPs Summer School, Paris [HS15] Homomorphic Digit-Extraction (𝑝>2) We have integer 𝑧, want to extract 𝑧 𝑒 𝑤 0,0 ←𝑧 // invariant: 𝑤 𝑘,𝑘 0 =𝑧 𝑘 For 𝑘←0 to 𝑒−1: 𝑦←𝑧 For 𝑗←0 to 𝑘 // remove low digits 𝑤 𝑗,𝑘+1 ← 𝐹 𝑝 ( 𝑤 𝑗,𝑘 ) 𝑦←(𝑦− 𝑤 𝑗,𝑘+1 )/𝑝 // 𝑝 | (𝑦− 𝑤 𝑗,𝑘+1 ) 𝑤 𝑘+1,𝑘+1 ←𝑦 // we are left with the 𝑘’th digit Output 𝑤 𝑒,𝑒 Exists degree-𝑝 polynomial that works

October 2015 FHE+MMAPs Summer School, Paris [HS15] Homomorphic Digit-Extraction (𝑝>2) We have integer 𝑧, want to extract 𝑧 𝑒 𝑤 0,0 ←𝑧 // invariant: 𝑤 𝑘,𝑘 0 =𝑧 𝑘 For 𝑘←0 to 𝑒−1: 𝑦←𝑧 For 𝑗←0 to 𝑘 // remove low digits 𝑤 𝑗,𝑘+1 ← 𝐹 𝑝 ( 𝑤 𝑗,𝑘 ) 𝑦←(𝑦− 𝑤 𝑗,𝑘+1 )/𝑝 // 𝑝 | (𝑦− 𝑤 𝑗,𝑘+1 ) 𝑤 𝑘+1,𝑘+1 ←𝑦 // we are left with the 𝑘’th digit Output 𝑤 𝑒,𝑒 We use a variant of the Paterson-Stockmeyer procedure for efficient evaluation of plaintext polynomial on a ciphertext

Recryption of Non-Packed Ciphertext
October 2015 FHE+MMAPs Summer School, Paris Recryption of Non-Packed Ciphertext Store 𝐸𝑛 𝑐 𝑝𝑘 (𝑠𝑘) wrt plaintext space 𝑝 ′ = p 𝑒+𝑟 Recryption process computes: 𝒖≔ 𝒔𝒌,𝒄𝒕 𝒑 𝒆+𝒓 , 𝒑𝒕≔𝒛 𝒓−𝟏…𝟎 −𝒛 𝒆+𝒓−𝟏…𝒆 For 𝑝=2 we have another term −𝑧 𝑒−1

Recryption of Packed Ciphertexts
October 2015 FHE+MMAPs Summer School, Paris Recryption of Packed Ciphertexts We still want to use the same procedure 𝒖≔ 𝒔𝒌,𝒄𝒕 𝒑 𝒆+𝟏 , 𝒑𝒕≔𝒖 𝟎 −𝒖 𝒆 (assuming 𝑟=1) 𝑢∈ 𝑅 𝑝 𝑒+1 , what are 𝑢 0 ,𝑢 𝑒 ? 𝑢 is represented in the decoding basis by a vector of coefficienct from 𝑍 𝑝 𝑒+1 =[− 𝑝 𝑒+1 /2, 𝑝 𝑒+1 /2) 𝑢 0 represented by the LSB’s of all these coefficients Similarly for 𝑢 𝑒 We use the decoding basis here since we need the coefficients to be small

Packed Homomorphic Digit-extraction
October 2015 FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction We have 𝑐=𝐸𝑛𝑐 𝑢 , want 𝑐 ′ =𝐸𝑛𝑐(𝑢 𝑒 ) Need to apply the digit-extraction procedure homomorphically to the coefficients of 𝑢 But operations on 𝑐 are applied to the message slots in 𝑢, not its coefficients E.g., computing 𝑢 2 doesn’t square the individual coefficients separately

October 2015 FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction We have 𝑐=𝐸𝑛𝑐 𝑢 , want 𝑐 ′ =𝐸𝑛𝑐(𝑢 𝑒 ) The [GHS12c] procedure: Lin1: Move the coefficients of 𝑢 to plaintext slots Nonlin: Apply digit-extraction in slots Lin2: Move the coefficients back to get result The non-linear step is exactly as before Efficient implementation of the linear transformations is a challenge

Packed Homomorphic MSB-extraction
October 2015 FHE+MMAPs Summer School, Paris Packed Homomorphic MSB-extraction “Generic linear transformation” for Lin1, Lin2? Work quadratic in 𝑁, inefficient The [AP13] optimizations: Decompose Lin1, Lin2 to FFT-like sparse transformations (using “ring switching”) Work O(𝑁𝑙𝑜𝑔 𝑁), mult-by-const depth O(𝑙𝑜𝑔 𝑁) The [HS15] implementation Similar decomposition (no “ring switching”) Concrete depth 2-3, work ~ 𝑁 1.5

Using the “Powerful Basis” [LPR14]
October 2015 FHE+MMAPs Summer School, Paris Using the “Powerful Basis” [LPR14] Another basis of 𝑅=𝑍 𝑋 / Φ 𝑚 (𝑋) Similar to the decoding basis, geometry a bit worse A bit easier to understand and explain Let 𝑚= 𝑚 1 ⋅…⋅ 𝑚 𝑡 s.t. the 𝑚 𝑖 ’s are co-prime Then 𝑅≅𝑍 𝑋 1 ,,…, 𝑋 𝑡 / Φ 𝑚 1 𝑋 1 , …, Φ 𝑚 𝑡 𝑋 𝑡

Using the “Powerful Basis” [LPR14]
October 2015 FHE+MMAPs Summer School, Paris Using the “Powerful Basis” [LPR14] An element 𝑢∈𝑅 represented as 𝑢 𝑋 1 ,…, 𝑋 𝑡 = 𝑖 1 ,…, 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡 ⋅ 𝑋 1 𝑖 1 ⋯ 𝑋 𝑡 𝑖 𝑡 Equivalently as a univariate polynomial using 𝑢′(𝑋)=𝑢( 𝑋 𝑚/ 𝑚 1 , 𝑋 𝑚/ 𝑚 2 ,…, 𝑋 𝑚/ 𝑚 𝑡 ) 𝑢 ′ 𝑋 = 𝑖 1 ,…, 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡 ⋅ 𝑋 𝑒( 𝑖 1 ,…, 𝑖 𝑡 ) with 𝑒 𝑖 1 ,…, 𝑖 𝑡 = 𝑗=1 𝑡 𝑖 𝑗 ⋅ 𝑚 𝑚 𝑗 Move the 𝑢 𝑖 1 ,…, 𝑖 𝑡 ’s to the slots and back

Recall the Plaintext Slots
October 2015 FHE+MMAPs Summer School, Paris Recall the Plaintext Slots 𝜉 is an 𝑚’th root of unity in 𝐺𝐹( 𝑝 𝑑 ) We have 𝑅 𝑝 ≅GF 𝑝 𝑑 𝑁 ≅ 𝑍 𝑝 𝜉 𝑁 , 𝑁=𝜙(𝑚)/𝑑 We use the following isomorphism between 𝑅 𝑝 and 𝑍 𝑝 𝜉 𝑁 : Let 𝑇⊂ 𝑍 𝑚 ∗ be a representative set for 𝑍 𝑚 ∗ /(𝑝) 𝑇 =𝑁, contains one element from each coset Then 𝑢∈ 𝑅 𝑝 ↔ 𝑢 𝜉 ℎ :ℎ∈𝑇 ∈ 𝑍 𝑝 𝜉 𝑁

The Lin2 Transformation
October 2015 FHE+MMAPs Summer School, Paris The Lin2 Transformation Input: 𝑣∈ 𝑅 𝑝 with the 𝑢 𝑖 1 ,… ,𝑖 𝑡 ’s in the slots I.e., the vector 𝑣 𝜉 ℎ :ℎ∈𝑇 includes all the coefficients 𝑢 𝑖 1 ,…, 𝑖 𝑡 Note that for each ℎ∈𝑇, 𝑣 𝜉 ℎ ∈𝐺𝐹 𝑝 𝑑 so it describes 𝑑 of the coefficients of 𝑢 The mapping 𝑣↔𝑢 is one-to-one The order in which the 𝑢 𝑖 1 ,…, 𝑖 𝑡 ’s are packed in the slots of 𝑣 is up to us to decide

The Lin2 Transformation
October 2015 FHE+MMAPs Summer School, Paris The Lin2 Transformation Input: 𝑣∈ 𝑅 𝑝 with the 𝑢 𝑖 1 ,… ,𝑖 𝑡 ’s in the slots Output: the element 𝑢∈ 𝑅 𝑝 itself The slots containing 𝑢 𝜉 ℎ :ℎ∈𝑇 The transformation that we compute on the slots is multi-point polynomial-evaluation Input: coefficients of 𝑢 Output: evaluation of 𝑢 in the 𝑁 roots of unity

Our Linear Transformations
October 2015 FHE+MMAPs Summer School, Paris Our Linear Transformations Lin2 is a multi-point polynomial evaluation Decompose Lin2 into 1D transforms by viewing 𝑢 as multi-variate polynomial 𝑢 𝑋 1 ,…, 𝑋 𝑡 = 𝑖 1 𝑋 1 𝑖 𝑖 2 𝑋 2 𝑖 2 ⋯ 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡 𝑋 𝑡 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡−1 ′ For each 𝑖 1 ,…, 𝑖 𝑡−1 , this is multi-point evaluation over all the assignments 𝑋 𝑡 = 𝜁 ℎ⋅(𝑚/ 𝑚 𝑡 ) , ℎ∈𝑇 Computing for all the 𝑖 1 ,…, 𝑖 𝑡−1 ’s in parallel, one for every column in the hypercube

October 2015 FHE+MMAPs Summer School, Paris Our Linear Transformations Lin2 is a multi-point polynomial evaluation Decompose Lin2 into 1D transforms by viewing 𝑢 as multi-variate polynomial 𝑢 𝑋 1 ,…, 𝑋 𝑡 = 𝑖 1 𝑋 1 𝑖 𝑖 2 𝑋 2 𝑖 2 ⋯ 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡 𝑋 𝑡 𝑖 𝑡 𝑢 𝑖 1 ,…, 𝑖 𝑡−1 ′ For each 𝑖 1 ,…, 𝑖 𝑡−1 , this is multi-point evaluation over all the assignments 𝑋 𝑡 = 𝜁 ℎ⋅(𝑚/ 𝑚 𝑡 ) , ℎ∈𝑇 Computing for all the 𝑖 1 ,…, 𝑖 𝑡−1 ’s in parallel, one for every column in the hypercube We choose the representatives T such that {ℎ⋅ 𝑚/ 𝑚 𝑡 :ℎ∈𝑇} only ranges over 𝜙( 𝑚 𝑡 )/𝑑 elements mod 𝑚 even though 𝑇 =𝜙(𝑚)/𝑑 Implies some constraints on 𝑚, 𝑚 𝑡 (and a careful choice of 𝑇)

October 2015 FHE+MMAPs Summer School, Paris Our Linear Transformations Lin2 is a multi-point poly-eval Decompose into 1D transforms along the different dimensions of the hypercube Each is itself a multi-point polynomial-evaluation Typically 2-3 such 1D transforms Multi-by-constant depth of 2-3 (rather than 1) # of 1D-rotations “in spirit” is 2 𝑁 or 3 𝑁 (vs. 𝑁) In practice we save a factor of ~50 Lin1 is the inverse of Lin2

October 2015 FHE+MMAPs Summer School, Paris Our Linear Transformations Lin2 is a multi-point poly-eval Decompose into 1D transforms along the different dimensions of the hypercube Some of these transformations are 𝑍 𝑝 -linear but not 𝐺𝐹( 𝑝 𝑑 )-linear Our homomorphic operations act on 𝐺𝐹( 𝑝 𝑑 ) slots How to implement 𝑍 𝑝 -linear transofmrations?

Implementing 𝑍 𝑝 -Linear Functions
October 2015 FHE+MMAPs Summer School, Paris Implementing 𝑍 𝑝 -Linear Functions Use Frobenius automorphism We can implement 𝑢 𝑋 →𝑢( 𝑋 𝑘 ) for any 𝑘 Most 𝑘’s rotate the slots, but 𝑘=𝑝 acts on each slot separately as Frobenius map If 𝑢∼( 𝑢 1 , 𝑢 2 ,…, 𝑢 𝑁 ) and 𝑢 ′ (𝑋)=𝑢( 𝑋 𝑝 ) then 𝑢 ′ ~( 𝑢 1 𝑝 , 𝑢 2 𝑝 ,…, 𝑢 𝑁 𝑝 ) Similarly, denote 𝜎 𝑒 (𝑢)=𝑢( 𝑋 𝑝 𝑒 ), then 𝜎 𝑒 (𝑢) ~( 𝑢 1 𝑝 𝑒 , 𝑢 2 𝑝 𝑒 ,…, 𝑢 𝑁 𝑝 𝑒 )

Linearized Polynomials
October 2015 FHE+MMAPs Summer School, Paris Linearized Polynomials Let 𝐹:𝐺𝐹 𝑝 𝑑 →𝐺𝐹( 𝑝 𝑑 ) be 𝑍 𝑝 -linear, then there exists constants 𝛾 0 , 𝛾 1 ,… 𝛾 𝑑−1 s.t. 𝐹 𝑋 = 𝑒=0 𝑑−1 𝛾 𝑒 ⋅ 𝜎 𝑒 (𝑋) In our case, we need a combination of slot-rotations (as per our “generic linear map”) and 𝑍 𝑝 -linear transformations on the slots Denote rotate-slots-by-𝑖 by 𝜌 𝑖 (𝑢)

Implementing Our 𝑍 𝑝 -Linear Maps
October 2015 FHE+MMAPs Summer School, Paris Implementing Our 𝑍 𝑝 -Linear Maps We need 𝐿 𝑢 = 𝑖=1 ℎ 𝐹 𝑖 ( 𝜌 𝑖 𝑢 ) 𝐹 𝑖 is some 𝑍 𝑝 -linear map on the slots Can be implemented as 𝐿 𝑢 = 𝑖=1 ℎ 𝑒=0 𝑑−1 𝛾 𝑖,𝑒 𝜎 𝑒 ( 𝜌 𝑖 𝑢 ) ℎ⋅𝑑 automorphisms (expensive) ℎ⋅𝑑 mult-by-const and additions (cheap) Depth 1 mult-by-constant

A Better Implementation
October 2015 FHE+MMAPs Summer School, Paris A Better Implementation 𝐿 𝑢 = 𝑖=0 ℎ−1 𝑒=0 𝑑−1 𝛾 𝑖,𝑒 ⋅ 𝜎 𝑒 ( 𝜌 𝑖 𝑢 ) = 𝒆=𝟎 𝒅−𝟏 𝝈 𝒆 𝒊=𝟎 𝒉−𝟏 𝝈 −𝒆 𝜸 𝒊,𝒆 ⋅ 𝝆 𝒊 𝒖 Compute ℎ rotations, 𝑢, 𝜌 1 𝑢 ,…, 𝜌 ℎ−1 (𝑢) Then 𝑑 inner products, 𝑤 𝑒 = 𝑖=0 ℎ−1 𝜎 −𝑒 𝛾 𝑖,𝑒 ⋅ 𝜌 𝑖 𝑢 , 𝑒=0,…,𝑑−1 Then 𝑑 automorphism, 𝑤 0 , 𝜎 1 𝑤 1 ,…, 𝜎 𝑑−1 ( 𝑤 𝑑−1 ) Only ℎ+𝑑 automorphism, not ℎ⋅𝑑

October 2015 FHE+MMAPs Summer School, Paris Packed Homomorphic Digit-extraction We have 𝑐=𝐸𝑛𝑐 𝑢 , want 𝑐 ′ =𝐸𝑛𝑐(𝑢 𝑒 ) Lin1: Move the coefficients of 𝑢 to plaintext slots Nonlin: Apply digit-extraction in slots Lin2: Move the coefficients back to get result Lin1, Lin2 implemented via sparse decomposition into 1D transforms The non-linear step is exactly as before efficient bootstrapping of packed ciphertexts

October 2015 FHE+MMAPs Summer School, Paris Performance (Feb 2015) Tested our implementation in many settings Targeted 10 remaining levels after recryption 𝒎 Ptxt space 𝒔𝒆𝒄 lvl Lvls b4/aftr Init Lin1,2 Nonlin Total Mem 21845 𝐹 76 22/10 177 127 193 320 3.4GB 18631 𝐹 110 20/10 248 131 293 424 3.5GB 28679 𝐹 96 24/11 224 123 342 465 35113 𝐹 159 24/12 694 325 1206 1531 8.2GB 45551 𝐹 106 38/10 1148 735 3135 3870 14.8GB 51319 𝐹 161 32/11 2787 774 1861 2635 39.9GB 49981 R 91 56/10 1533 2834 14616 17448 21.6GB

October 2015 FHE+MMAPs Summer School, Paris Performance (Feb 2015) Tested our implementation in many settings Targeted 10 remaining levels after recryption 𝒎 Ptxt space 𝒔𝒆𝒄 lvl Lvls b4/aftr Init Lin1,2 Nonlin Total Mem 21845 𝐹 76 22/10 177 127 193 320 3.4GB 18631 𝐹 110 20/10 248 131 293 424 3.5GB 28679 𝐹 96 24/11 224 123 342 465 35113 𝐹 159 24/12 694 325 1206 1531 8.2GB 45551 𝐹 106 38/10 1148 735 3135 3870 14.8GB 51319 𝐹 161 32/11 2787 774 1861 2635 39.9GB 49981 R 91 56/10 1533 2834 14616 17448 21.6GB Recryption takes as little as levels - Requires a very sparse key, is this safe?

October 2015 FHE+MMAPs Summer School, Paris C'est Tout

Practical (F)HE Part III – Bootstrapping

Similar presentations

Presentation on theme: "Practical (F)HE Part III – Bootstrapping"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Practical (F)HE Part III – Bootstrapping

Similar presentations

Presentation on theme: "Practical (F)HE Part III – Bootstrapping"— Presentation transcript:

Similar presentations

About project

Feedback