Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRACTICAL (F)HE Shai Halevi 1 October 2015FHE+MMAPs Summer School, Paris Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping.

Similar presentations


Presentation on theme: "PRACTICAL (F)HE Shai Halevi 1 October 2015FHE+MMAPs Summer School, Paris Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping."— Presentation transcript:

1 PRACTICAL (F)HE Shai Halevi 1 October 2015FHE+MMAPs Summer School, Paris Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping

2 Using FHE in “Real World” Settings October 2015FHE+MMAPs Summer School, Paris 2

3 Using FHE in “Real World” Settings October 2015FHE+MMAPs Summer School, Paris 3

4 Using FHE in “Real World” Settings October 2015FHE+MMAPs Summer School, Paris 4 Useful to compute AES.dec homomorphically

5 How to Implement? October 2015FHE+MMAPs Summer School, Paris 5

6 1G. First plausible candidate in [Gen’09] Ciphertext is “noisy”, noise grows with computation, once too noisy, the “signal” is lost log(Noise-magnitude) proportional to the degree of the evaluated function  Parameters must be huge, to allow large noise 2G. [BV’11, BGV’12,…]: Better noise control Noise grows linearly with degree “Ciphertext packing” with many plaintext elements Three Generations of HE Schemes 6

7 1G. Fast accumulation of noise 2G. Better noise management + packing 3G. [GSW13,…]: “Asymmetric” noise growth Very slow noise growth for some circuits But slow noise growth in 3G is incompatible with ciphertext-packing (as far as we know) For efficiency, we have a choice: 2G+packing (faster asymptotically) or 3G+small-noise (sometimes faster in practice) Three Generations of HE Schemes 7

8 Here: 2 nd Generation Scheme [BGV’12] October 2015FHE+MMAPs Summer School, Paris 8

9 Homomorphic Operations October 2015FHE+MMAPs Summer School, Paris 9

10 How to Multiply October 2015FHE+MMAPs Summer School, Paris 10

11 How to Multiply October 2015FHE+MMAPs Summer School, Paris 11

12 How to Multiply October 2015FHE+MMAPs Summer School, Paris 12 Use bit-decomposition? This works, but we do something else here

13 How to Multiply October 2015FHE+MMAPs Summer School, Paris 13

14 How to Multiply October 2015FHE+MMAPs Summer School, Paris 14 this is small

15 How to Multiply October 2015FHE+MMAPs Summer School, Paris 15

16 Noise Growth for Multiplication October 2015FHE+MMAPs Summer School, Paris 16

17 How Does Modulus-Switching Help? October 2015 17 Using mod-switchingWithout mod-switching NoiseModulusNoiseModulus Fresh ciphertexts Level-1, degree=2 Level-2, degree=4 decryption errors FHE+MMAPs Summer School, Paris

18 The Moduli Chain October 2015FHE+MMAPs Summer School, Paris 18

19 The BGV Multiplication Procedure October 2015FHE+MMAPs Summer School, Paris 19

20 Implementation Details October 2015FHE+MMAPs Summer School, Paris 20

21 Moduli and Ciphertext Representation October 2015FHE+MMAPs Summer School, Paris 21

22 Ciphertext Operations October 2015FHE+MMAPs Summer School, Paris 22

23 Operation Cost Cost measured in time, added-noise October 2015FHE+MMAPs Summer School, Paris 23 OperationTimeNoise Add / Add-ConstCheap Mult-by-ConstCheapModerate Mult+KeySwitchExpensive

24 Tradeoffs October 2015FHE+MMAPs Summer School, Paris 24

25 Changing the Decryption Invariant October 2015FHE+MMAPs Summer School, Paris 25

26 Changing the Decryption Invariant October 2015FHE+MMAPs Summer School, Paris 26

27 Mod-Switching Optimization October 2015FHE+MMAPs Summer School, Paris 27

28 Mod-Switching Optimization October 2015FHE+MMAPs Summer School, Paris 28 1 iFFT

29 Mod-Switching Optimization October 2015FHE+MMAPs Summer School, Paris 29

30 Key-Switching Optimization October 2015FHE+MMAPs Summer School, Paris 30

31 Key-Switching Optimization October 2015FHE+MMAPs Summer School, Paris 31

32 When to Mod-Switch? October 2015FHE+MMAPs Summer School, Paris 32

33 When to Mod-Switch? October 2015FHE+MMAPs Summer School, Paris 33

34 How Far to Mod-Switch? Roughly, until the noise after mod-switching is dominated by the added noise term Maintain noise estimates with ciphertexts, use estimates to make these decisions Estimate must be somewhat conservative, small under-estimation will lead to wrong mod-switch decisions, escalating quickly October 2015FHE+MMAPs Summer School, Paris 34

35 Some Numbers (March 2015) Numbers are just a sample, not all taken on the same machine, some are extrapolated Timing in seconds October 2015FHE+MMAPs Summer School, Paris 35 KeyGenEncDecAddMult- Const Multilpy Depth =10 40.070.030.00040.0070.1 Depth =20 110.210.10.0010.0160.3 Depth =56 1021.370.160.010.061.5

36 Some Numbers (March 2015) October 2015FHE+MMAPs Summer School, Paris 36 Memory Depth =10 <2GB Depth =20 3.6GB Depth =56 23GB

37 TIME FOR A BREAK October 2015FHE+MMAPs Summer School, Paris 37


Download ppt "PRACTICAL (F)HE Shai Halevi 1 October 2015FHE+MMAPs Summer School, Paris Part I - BGV Basics Part II - Packed Ciphertexts Part III - Bootstrapping."

Similar presentations


Ads by Google