
* Partially sponsored by IARPA SPAR * Partially sponsored by DARPA PROCEED.


1 * Partially sponsored by IARPA SPAR * Partially sponsored by DARPA PROCEED

2

3 Box Diagram of the Library
• PAlgebra: structure of Zm*
• PAlgebraTwo/2r: plaintext-slot algebra
• NumbTh: miscellaneous utilities
• CModulus: polynomials mod p
• SingleCRT/DoubleCRT: polynomial arithmetic
• FHE: KeyGen/Enc/Dec
• Ctxt: ciphertext operations
• EncryptedArray/EncryptedArrayMod2r: routing plaintext slots
• IndexSet/IndexMap: indexing utilities
• FHEcontext: parameters
• bluestein: FFT/IFFT
• timing
• KeySwitching: matrices for key-switching
Layer labels shown in the diagram: Math, Crypto

4
• A ciphertext encrypts an array of values
  ◦ Either bits, elements of GF(2^n), or integers mod 2^r
• Array size determined by other parameters
  ◦ Intended depth of circuits & security parameter
  ◦ E.g., 378, 600, 682, 720, 1285, …
• Homomorphic operations include:
  ◦ Element-wise addition/subtraction, multiplication
  ◦ Addition/subtraction, multiplication by constants
  ◦ Cyclic/non-cyclic shifts
  ◦ Also $\mathrm{SELECT}(A_1, A_2, \mathit{pattern}) = \mathit{pattern} \times A_1 + (1 - \mathit{pattern}) \times A_2$
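The slot operations listed on slide 4, as an added example that is not code from the presentation or from the library: a plaintext-only C++ model (nothing is encrypted) showing how SELECT and the non-cyclic shift are composed from element-wise arithmetic, a 0/1 constant array and a cyclic rotation. The names Slots, R, zip, rotate, select_slots and shift, the choice r = 8 and the shift direction are assumptions made for illustration.

```cpp
// Added example: plaintext model of slot semantics only; not the library's API.
#include <cstddef>
#include <cstdint>
#include <vector>

using Slots = std::vector<uint64_t>;                 // one entry per plaintext slot
constexpr unsigned R = 8;                            // assumed: integers mod 2^8
constexpr uint64_t MASK = (uint64_t{1} << R) - 1;

// Apply f slot by slot and reduce mod 2^R (both arrays must have equal size).
template <class F>
Slots zip(const Slots& a, const Slots& b, F f) {
    Slots c(a.size());
    for (size_t i = 0; i < a.size(); ++i) c[i] = f(a[i], b[i]) & MASK;
    return c;
}
Slots add(const Slots& a, const Slots& b) { return zip(a, b, [](uint64_t x, uint64_t y) { return x + y; }); }
Slots sub(const Slots& a, const Slots& b) { return zip(a, b, [](uint64_t x, uint64_t y) { return x - y; }); }
Slots mul(const Slots& a, const Slots& b) { return zip(a, b, [](uint64_t x, uint64_t y) { return x * y; }); }

// Cyclic shift: the value in slot i moves to slot (i + k) mod n.
Slots rotate(const Slots& a, size_t k) {
    const size_t n = a.size();
    Slots c(n);
    for (size_t i = 0; i < n; ++i) c[(i + k) % n] = a[i];
    return c;
}

// SELECT(A1, A2, pattern) = pattern*A1 + (1 - pattern)*A2.
// The pattern must hold only 0/1; any other value blends the two inputs.
Slots select_slots(const Slots& a1, const Slots& a2, const Slots& pattern) {
    const Slots ones(pattern.size(), 1);
    return add(mul(pattern, a1), mul(sub(ones, pattern), a2));
}

// Non-cyclic shift: rotate, then SELECT zeros into the k slots that wrapped.
Slots shift(const Slots& a, size_t k) {
    const size_t n = a.size();
    Slots keep(n, 1);
    for (size_t i = 0; i < k && i < n; ++i) keep[i] = 0;
    return select_slots(rotate(a, k), Slots(n, 0), keep);
}
```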

5
• Security parameter=80, circuit width=4 arrays (  ) (  ) maybe similar work to homomorphic AES
  ◦ If true, ~12x speedup on our previous implementation [CRYPTO 2012]

Circuit "depth"    Array size    Time (hrs:min:sec)
7                  224           0:00:38
14                 480           0:02:49
35                 512           0:19:05
70                 720           3:01:51
84                 2048          5:24:47

6
• Various optimizations and design choices
  1. Representing plaintext algebra (§2.4, §2.5)
  2. Double-CRT representation of polynomials (§2.8)
  3. Ciphertexts as "generic" vectors (§3.1.1-§3.1.3)
  4. Dynamic noise estimate (§3.1.4)
  5. Key-switching optimizations (§3.1.6)
  6. Which key-switching matrices to generate (§3.3)
  7. Implementation of rotation/shifts (§4.1)
• Here I will only talk about 3 & 4
§ The section numbers correspond to the design & implementation document

7

8

9

10

11

12

13

14

15

16
• A freshly-encrypted ciphertext comes with some noise estimate
• The estimate evolves during computation
• We use it to decide when to do modulus-switching
• Also the application can use it to know if it should expect a decryption error

17
• We have the basic BGV implementation more or less done
• Evaluate nontrivial circuits in a few minutes, and even complex circuits in just a few hours
• Amenable to massive parallelism

