* Partially sponsored by IARPA SPAR * Partially sponsored by DARPA PROCEED


Post on 05-Jan-2016






PowerPoint Presentation

Design & Implementation of Homomorphic-Encryption Library*
* Partially sponsored by IARPA SPAR
* Partially sponsored by DARPA PROCEED

The Cryptosystem

Box Diagram of the Library
Layers: Math, Crypto
- PAlgebra: structure of Z_m^*
- PAlgebraTwo/2r: plaintext-slot algebra
- NumbTh: miscellaneous utilities
- CModulus: polynomials mod p
- SingleCRT/DoubleCRT: polynomial arithmetic
- FHE: KeyGen/Enc/Dec
- Ctxt: ciphertext operations
- EncryptedArray/EncryptedArrayMod2r: routing plaintext slots
- IndexSet/IndexMap: indexing utilities
- FHEcontext: parameters
- bluestein: FFT/IFFT
- timing
- KeySwitching: matrices for key-switching

User Perspective
- A ciphertext encrypts an array of values
  - Either bits, elements of GF(2^n), or integers mod 2^r
- Array size determined by other parameters
  - Intended depth of circuits & security parameter
  - E.g., 378, 600, 682, 720, 1285
- Homomorphic operations include:
  - Element-wise addition/subtraction, multiplication
  - Addition/subtraction, multiplication by constants
  - Cyclic/non-cyclic shifts
  - Also SELECT(A1, A2, pattern) = pattern × A1 + (1 - pattern) × A2

Performance
Security parameter = 80, circuit width = 4 arrays

Circuit depth    Array size    Time (hrs:min:sec)
7                224           0:00:38
14               480           0:02:49
35               512           0:19:05
70               720           3:01:51
84               2048          5:24:47

(*) Maybe similar work to homomorphic AES. If true, ~12x speedup on our previous implementation [CRYPTO 2012]

Under the Hood
Various optimizations and design choices (the section numbers correspond to the design & implementation document):
1. Representing plaintext algebra (2.4, 2.5)
2. Double-CRT representation of polynomials (2.8)
3. Ciphertexts as generic vectors (3.1.1-3.1.3)
4. Dynamic noise estimate (3.1.4)
5. Key-switching optimizations (3.1.6)
6. Which key-switching matrices to generate (3.3)
7. Implementation of rotation/shifts (4.1)
Here I will only talk about 3 & 4

Ciphertexts as Generic Vectors

Ciphertext-Parts & Handles

Ciphertext-Parts & Handles (cont.)

Ciphertext-Part Arithmetic

Ciphertext Operations

Noise Estimation

Noise Estimation (cont.)

Noise Estimation (cont.)
- A freshly-encrypted ciphertext comes with some noise estimate
- The estimate evolves during computation
- We use it to decide when to do modulus-switching
- Also the application can use it to know if it should expect a decryption error

Summary
- We have the basic BGV implementation more or less done
- Evaluate nontrivial circuits in a few minutes, and even complex circuits in just a few hours
- Amenable to massive parallelism

