Download presentation
Presentation is loading. Please wait.
1
FULLY HOMOMORPHIC ENCRYPTION WITH POLYLOG OVERHEAD Craig Gentry and Shai Halevi IBM Watson Nigel Smart Univ. Of Bristol
2
Homomorphic Encryption Usual procedures (KeyGen,Enc,Dec) Say, encrypting bits Usual semantic-security requirement (pk, Enc pk (0)) ~ (pk, Enc pk (1)) Additional Eval procedure Evaluate arithmetic circuits on ciphertexts Result decrypted to the evaluation of the same circuit on the underlying plaintext bits Ciphertext does not grow with circuit complexity This work: asymptotically efficient Eval
3
Contemporary HE Schemes
4
Our Result # of levelstime per level
5
Our Approach Use HE over polynomial rings Pack an array of bits in each ciphertext Use ring-automorphisms to move bits around in the arrays Efficient data-movement schemes Using Beneš/Waksman networks and extensions
6
BACKGROUND Homomorphic Encryption over Polynomials Rings Evaluation representation, plaintext slots Homomorphic SIMD operations
7
HE Over Polynomial Rings
8
Plaintext Algebra (1)
9
Plaintext Algebra (2) 32T:323444312919 16T:161722474641 8T:84011552352 4T:42037594326 2T:21050615313 T:1525625838
10
Plaintext Slots
11
Homomorphic SIMD [SV’11]
![Homomorphic SIMD [SV’11]](http://images.slideplayer.com./26/8714373/slides/slide_11.jpg "Homomorphic SIMD [SV’11]")
12
We will use this later 1001010 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 13 x 14 0110101 x1x1 00x4x4 0x6x6 0 0x9x9 x 10 0x 12 0x 14 x x = = + x1x1 x9x9 x 10 x4x4 x 12 x6x6 x 14
13
COMPUTING ON DATA ARRAYS Forget about encryption for the moment…
14
So you want to compute some function… x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 ADD and MUL are a complete set of operations. Input bits
15
x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 x 15 x 16 x 17 x 18 x 19 x 21 x8x8 x9x9 x 10 x 11 x 12 x 14 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x 22 x 23 x 24 x 25 x 26 Input bits +++++++++++++ ××××××××××× +++++++++ 01 1 1 1 So you want to compute some function using SIMD…
16
Routing Values Between Levels We need to map this Into that x 15 x 16 x 17 x 18 x 19 1x 21 x8x8 x9x9 x 10 x 11 x 12 1x 14 x1x1 x2x2 x3x3 x4x4 x5x5 0x7x7 x 22 x 23 x 24 x 25 x 26 x 15 x 17 x 19 x 21 x 23 x 25 x2x2 x4x4 0x8x8 x 10 x 12 x 14 x1x1 x3x3 x5x5 x7x7 x9x9 x 11 1 x 16 x 18 1x 22 x 24 x 26 +++++++++++++
17
x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x1x1 x3x3 x5x5 **** +++ 0 x1x1 x2x2 x3x3 x4x4 x5x5 1100000 x1x1 x3x3 x5x5 0000x2x2 x4x4 00000 x2x2 x4x4 ***** 1110000
18
0 x1x1 x2x2 x3x3 x4x4 x5x5 x1x1 x3x3 x5x5 0000x2x2 x4x4 00000 +++ x1+x2x1+x2 x3+x4x3+x4 x5x5 0000
19
01 1 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 Input bits +++++++++++++ ××××××××××× +++++++++ 1 1 Not quite obvious
20
Routing Values Between Levels: Three Problems to Solve
22
Moving Values Between Slots 32T:323444312919 16T:161722474641 8T:84011552352 4T:42037594326 2T:21050615313 T:1525625838
23
Moving Values Between Slots
24
Homomorphic Automorphisms
25
From Shifts to Arbitrary Permutations
26
Use Beneš/Walksman Permutation Networks: Two back-to-back butterflies Every exchange is controlled by a bit Values sent on either straight edges or cross edges Every permutation can be realized by appropriate setting of the control bits
27
Realizing Permutation Networks Claim: every butterfly level can be realized by two shifts and two SELECTs Example: 01234567 21036745 Control bits: 1 0 1 1
28
Realizing Permutation Networks shift(-2) shift(2) input output 01234567 01234567 01234567 a1a1 a2a2 a3a3 21036745
29
Realizing Permutation Networks shift(-2) shift(2) input output 01234567 23456701 67012345 a1a1 a2a2 a3a3 21036745 SELECT(a 1,a 2 ) 21436701 SELECT(a 3,a 4 ) 21036745 a4a4 a5a5
30
Realizing Permutation Networks Claim: every level of the Benes network can be realized by two shifts and two SELECTs Proof : In every level, all the exchanges are between nodes at the same distance Distance 2 i for some i Can implement all these exchanges using shift(2 i ), shift(-2 i ), and two SELECTs
31
Realizing Permutation Networks
32
Routing Values Between Levels see paper
33
Handling Large Permutations
34
Decomposing Permutations 1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 ?
35
Decomposing Permutations 1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 13171456 15341612 7891110 21812019 ?
36
Decomposing Permutations 1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 13171456 15341612 7891110 21812019 61713145 16123415 1178910 12181920 ?
37
Decomposing Permutations 1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 13171456 15341612 7891110 21812019 61713145 16123415 1178910 12181920 ?
38
Decomposing Permutations 1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 13171456 15341612 7891110 21812019 61713145 16123415 1178910 12181920 ?
39
1318141612 153456 7892019 21711110 12345 6789 1112131415 1617181920 13171456 15341612 7891110 21812019 61713145 16123415 1178910 12181920 ? Decomposing Permutations
40
Handling Large Permutations
41
Permuting The Columns Implement a Beneš network over each column
42
Permuting The Columns First level in all the networks
43
Permuting The Columns Second level in all the networks , etc.
44
Handling Large Permutations
45
Routing Values Between Levels see paper
46
Low Overhead Homomorphic Encryption
47
QUESTIONS?
48
Fan-Out and Cloning 2311221 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 2131212 x 15 x 16 x 17 x 18 x 19 x 20 x 21 1224121 x8x8 x9x9 x 10 x 11 x 12 x 13 x 14 variables intended multiplicity
49
Fan-Out and Cloning 2311221 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 2131212 x 15 x 16 x 17 x 18 x 19 x 20 x 21 1224121 x8x8 x9x9 x 10 x 11 x 12 x 13 x 14 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Sort by intended multiplicity:
50
Fan-Out and Cloning 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 433 x 11 x2x2 x 17 433 x 11 x2x2 x 17 Replicate Replicate and shift
51
Fan-Out and Cloning 433433 x 11 x2x2 x 17 x 11 x2x2 x 17 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Merge
52
Fan-Out and Cloning 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 2 x 21 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 2 Replicate, shift, merge Replicate, shift
53
Fan-Out and Cloning 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 22 x 21 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Merge
54
Fan-Out and Cloning 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 4334332 x 11 x2x2 x 17 x 11 x2x2 x 17 x1x1 2222222 x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 4332222 x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x9 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 2222211 x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 2211 x3x3 x4x4 1111111 x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 Copy, merge Copy Each variable appears at least as much as needed
Similar presentations
