
Lattice Cryptography

Date post: 09-Jan-2017
Page 1: Lattice Cryptography

Which Ring-Based SHE Scheme is best?

Anamaria Costache and Nigel P. Smart

University of Bristol

Anamaria Costache and Nigel P. SmartWhich Ring-Based SHE Scheme is best? Slide 1

Page 2: Lattice Cryptography

Fully Homomorphic Encryption

- Homomorphic encryption allows computing on encrypted data.

- It allows outsourcing computation to an untrusted server.

- Signal processing in satellite applications.

- Analysing data (e.g. medical data) without compromising confidential information.

Page 3: Lattice Cryptography

Fully Homomorphic Encryption

Page 4: Lattice Cryptography

Fully Homomorphic Encryption

- A (fully) homomorphic encryption scheme E comprises four algorithms: KeyGen, Enc, Dec and Evaluate.

- For (sk, pk) ← KeyGen(λ), a plaintext message m with corresponding ciphertext c, and a circuit C, we say that E is correct if

Dec(sk, Evaluate(pk, C, c)) = C(m).

- E is
  - Fully Homomorphic if it is correct for all circuits C;
  - Somewhat Homomorphic if it is correct for some circuits C.

Page 5: Lattice Cryptography

Fully Homomorphic Encryption

- RSA encryption is multiplicatively homomorphic [Rivest Shamir Adleman 77].

- Paillier is additively homomorphic [Paillier 99].

- A scheme that is both additively and multiplicatively homomorphic is more powerful, but also harder to obtain.

Page 6: Lattice Cryptography

A History of Homomorphic Encryption

- First Generation: Gentry's first FHE scheme, bootstrappable [Gentry 09].

- Second Generation: Ring-Based leveled Somewhat Homomorphic Schemes, with smaller ciphertexts. They use double-CRT to achieve a SIMD system and enhance efficiency [Gentry Halevi Smart 11].

- Third Generation: Schemes such as [Gentry Sahai Waters 13]. Integer-based schemes, but with slower computations and somewhat impractical.

Page 7: Lattice Cryptography

The problem

- Different applications call for different parameters. For example, plaintext spaces vary, as does the depth of the circuit we want to evaluate.

- Ideally we want an unbounded scheme, but not all applications require this.

- Even when restricted to a certain form of HE, there are many schemes available.

Page 8: Lattice Cryptography

- We pick four of the most used Ring-Based schemes, BGV, FV, NTRU and YASHE, and compare them against each other.

- On the face of it, YASHE and FV should be more efficient since they are scale-invariant, which should save computation time.

- Similarly, NTRU and YASHE have fewer ring elements in their ciphertexts.

- What effect do the above have on the efficiency of the scheme?

Page 9: Lattice Cryptography

A Noise Problem

- All messages are encrypted by adding a noise term to a multiple of the original message:

Enc(pk, m) = c = α · m + e (mod q).

- But then c · c has noise 2 · α · m · e + e^2:

c · c = (α · m + e) · (α · m + e) = α^2 · m^2 + 2 · α · m · e + e^2.

- This grows quickly, implying a need for noise-management control.

Page 10: Lattice Cryptography

A Noise Management Technique: SwitchModulus

- We use a chain of primes p_0 < p_1 < ··· < p_{L−1} and let

q_t = ∏_{i=0}^{t} p_i.

- This gives a chain of moduli q_0 < q_1 < ··· < q_{L−1} such that q_i | q_{i+1}.

Page 11: Lattice Cryptography

[Figure: the modulus chain q_t, q_{t−1}, ···, q_1.]

Page 12: Lattice Cryptography

The four schemes; DecBGVpk (c)

Decryption of a ciphertext ((c_0, c_1), t) at level t is performed by setting

m′ ← [c_0 − sk · c_1]_{q_t},

and outputting

m′ mod p.

Page 13: Lattice Cryptography

The four schemes; DecYASHEpk (c)

Decryption of a ciphertext (c, t) at level t is performed by setting

m′ ← ⌈ (p / q_t) · [c · sk]_{q_t} ⌋,

and outputting

m′ mod p.

Page 14: Lattice Cryptography

How do we compare the four schemes?

- We follow the security analysis in [Gentry Halevi Smart 13], which itself follows on from Lindner-Peikert [Lindner Peikert 10].

- We assume that we encrypt, then perform ζ additions, one multiplication, ζ additions, one multiplication, and so on. We perform a SwitchKey operation and a Scale after each multiplication.

- We measure efficiency by the size of a ciphertext in kBytes.

Page 15: Lattice Cryptography

Analysis

- Decryption is done by either a modular reduction or a rounding operation. Thus if the noise is too large, we could decrypt erroneously.

- To ensure correct decryption, we require

4 · c_m · B*_scale = 2 · c_m · B <  p_0          for BGV and NTRU,
                                   ⌊p_0 / p⌋     for FV and YASHE.     (1)

- This gives us a lower bound on our bottom modulus.

Page 16: Lattice Cryptography

Top modulus

- We want to find the sizes of the primes used in the moduli. We start with the top level and calculate the primes we need with correct decryption in mind.

- We start off with a fresh ciphertext. We perform a number of additions, one multiplication and one Scale operation, and calculate a noise bound B_2 on the resulting ciphertext.

- We require

p_{L−1} ≈ ⌈ B_2 / B*_scale ⌉.

Page 17: Lattice Cryptography

Middle moduli

- For the middle moduli we use the same methodology. The only difference is that we do not start off with a fresh ciphertext, so the initial noise will be different.

- We call this bound B′(t), and we require

p_t ≈ ⌈ B′(t) / B*_scale ⌉.

- We can then iterate downwards, using

log_2 q_t = log_2 q_{t+1} − log_2 p_{t+1}.

Page 18: Lattice Cryptography

Results; L = 5 and varying plaintext modulus size log_2(p)

[Plot: x-axis log_2(p) from 0 to 250; y-axis log_2(|c|) in kBytes from 6 to 16; one curve each for BGV, FV, NTRU and YASHE.]

We see that BGV quickly becomes the best of the four (smallest ciphertext) as log_2(p) grows.

Page 19: Lattice Cryptography

Results; L = 5 and varying plaintext modulus size log_2(p)

[Plot, zoomed in on small p: x-axis log_2(p) from 0 to 14; y-axis log_2(|c|) in kBytes from 4.5 to 7; one curve each for BGV, FV, NTRU and YASHE.]

For small values of p, YASHE is indeed preferable. But as seen in the previous slide, BGV is better overall.

Page 20: Lattice Cryptography

Results; plaintext modulus p = 2, for varying depth L

[Plot: x-axis L from 5 to 30; y-axis log_2(|c|) in kBytes from 2 to 12; one curve each for BGV, FV, NTRU and YASHE.]

As previously, YASHE wins for small p...

Page 21: Lattice Cryptography

Results; plaintext modulus p = 2^32, for varying depth L

[Plot: x-axis L from 5 to 30; y-axis log_2(|c|) in kBytes from 4 to 16; one curve each for BGV, FV, NTRU and YASHE.]

... and BGV for large p. In fact, the depth L has no impact on which scheme performs best.

Page 22: Lattice Cryptography

Open questions

- We have done a crude security analysis, in order to examine how the scheme parameters are affected by scaling the plaintext modulus p and the depth required of the scheme.

- A stricter security analysis would contribute to the survey. This would need to take into account attacks such as [Albrecht Bai Ducas 16].

Page 23: Lattice Cryptography

Thank you!

Any questions?

Page 24: Lattice Cryptography

Introduction NFLlib Applications : Ideal Lattice Cryptography Application : PIR Conclusion

CT-RSA Conference 2016

NFLlib: NTT-based Fast Lattice Library

Carlos Aguilar-Melchor (1), Joris Barrier (2), Serge Guelton (3), Adrien Guinet (3), Marc-Olivier Killijian (2), Tancrède Lepoint (4)

(1) Université de Toulouse, CNRS, France, [email protected]
(2) Université de Toulouse, CNRS, France, {joris.barrier,marco.killijian}@laas.fr
(3) Quarkslab, France, {sguelton,aguinet}@quarkslab.com
(4) CryptoExperts, France, [email protected]

February 23, 2016

Carlos Aguilar-Melchor, Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian, Tancrède Lepoint | NFLlib : NTT-based Fast Lattice Library 1/16

Page 25: Lattice Cryptography

Outline

1 Introduction

2 NFLlib
  What is in the box?
  Specific Modulus
  NTT form
  CRT Representation
  Gaussian Random Generator

3 Applications : Ideal Lattice Cryptography
  High Performance Key Exchange
  Somewhat Fully Homomorphic Encryption

4 Application : PIR

5 Conclusion

Page 26: Lattice Cryptography

A Brief Overview

A Library…
NFLlib is a homemade C++ library to efficiently deal with polynomials.

…Specialized
Indeed, NFLlib works exclusively with the polynomials usually considered in (ideal) lattice-based cryptography:

- polynomials of fixed degree (a power of two),
- with coefficients of fixed size (modular operations).

P(X) = a_0 + a_1 X + a_2 X^2 + ··· + a_{n−1} X^{n−1} + a_n X^n

Page 28: Lattice Cryptography

How to use NFLlib : Practice example

    #include <nfl.hpp>   // NFLlib's public header

    /* Set the polynomial type, with T the native coefficient type
     * (uint16_t, uint32_t or uint64_t); degree and modulus are the
     * compile-time ring parameters and are placeholders here. */
    using poly_t = nfl::poly_from_modulus<T, degree, modulus>;
    poly_t p1, p2, p3, p_res;

    /* Fill polynomials with noise using different noise generators
     * (prng_instance and bound are placeholders supplied by the caller). */
    p1 = poly_t(nfl::uniform);   // or p1 = nfl::uniform;
    p2 = poly_t(nfl::gaussian<poly_t>(prng_instance));
    p3 = poly_t(nfl::bounded(bound));

    /* Overloaded operators for easy use */
    p_res = (p1 * p2) + p3 - p1;

Page 29: Lattice Cryptography

NFLlib

Page 30: Lattice Cryptography

What is in the box ?

Enabled Optimizations
NFLlib is a C++ library with state of the art optimizations:

- Specific modulus;
- NTT polynomial representation;
- CRT representation to use big moduli;
- NTT and iNTT optimized algorithms;
- SSE and AVX2 processor instructions.

Remark: HElib
This kind of optimization is implemented in HElib in the DoubleCRT class.

Page 31: Lattice Cryptography

Modulus Optimizations

We choose our primes such that, for an integer 1 ≤ s_0 ≤ s − 1, a chosen prime p verifies (note that all our 62-bit primes verify Eq. 1):

(1 + 1/2^{3 s_0}) · β / (2^{s_0} + 1) < p < β / 2^{s_0}     (1)

Algorithm 1: Modular reduction with a modulus verifying Eq. 1
Input: u = ⟨u_1, u_0⟩ ∈ [0, p^2), p verifying Eq. (1), v_0 = ⌊β^2 / p⌋ mod β, 1 ≤ s_0 ≤ s − 1 margin bits
Output: r = u mod p

1. q ← v_0 · u_1 + 2^{s_0} · u mod β^2
2. r ← u − ⌊q / β⌋ · p mod β
3. if r ≥ p then r ← r − p
4. return r

Algorithm 1 is a significant improvement on Möller, N., Granlund, T., "Improved division by invariant integers", IEEE Trans. Computers (2011).
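The following is an added example, not NFLlib's own code, that implements Algorithm 1 for a 64-bit word base: it assumes β = 2^64 (so s = 64) and uses the unsigned __int128 type of GCC/Clang for the two-word values u and q. The two moduli are chosen here to satisfy Eq. (1), a 62-bit one with s_0 = 2 and one just below 2^63 with s_0 = 1; whether they are among NFLlib's own primes is not relied upon, since the reduction only needs the bounds of Eq. (1). Every result is checked against 128-bit division, on hand-picked edge cases and on constructed pseudo-random inputs.

```cpp
// Added example: Algorithm 1 (Moller-Granlund style reduction with s0 margin bits)
// for beta = 2^64, using unsigned __int128 for two-word values. Not NFLlib code.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <random>

using u128 = unsigned __int128;

// Eq. (1): (1 + 2^-3s0) * beta/(2^s0 + 1) < p < beta/2^s0, with beta = 2^64.
// The lower bound is rewritten as p*(2^s0 + 1) > 2^64 + 2^(64-3s0) to stay exact in integers.
static bool satisfies_eq1(uint64_t p, unsigned s0) {
    if (s0 < 1 || s0 > 63) return false;
    if (p >= (uint64_t(1) << (64 - s0))) return false;        // upper bound
    u128 lhs = (u128)p * (((u128)1 << s0) + 1);
    u128 rhs = (u128)1 << 64;
    if (3 * s0 <= 63) rhs += (u128)1 << (64 - 3 * s0);       // otherwise the extra term is < 1
    return lhs > rhs;
}

struct ModReducer {
    uint64_t p;   // modulus satisfying Eq. (1)
    unsigned s0;  // margin bits
    uint64_t v0;  // floor(beta^2 / p) mod beta, precomputed once per modulus

    ModReducer(uint64_t p_, unsigned s0_) : p(p_), s0(s0_) {
        assert(satisfies_eq1(p, s0));
        // beta^2 = 2^128 does not fit in u128: floor(2^128/p) = floor((2^128-1)/p) unless p | 2^128
        u128 all_ones = ~(u128)0;
        u128 V = all_ones / p;
        if (all_ones % p == (u128)p - 1) V += 1;
        // Eq. (1) guarantees the high word of V is exactly 2^s0, so only the low word is kept
        assert((uint64_t)(V >> 64) == (uint64_t(1) << s0));
        v0 = (uint64_t)V;
    }

    // Reduce u = <u1, u0> in [0, p^2) modulo p.
    uint64_t reduce(uint64_t u1, uint64_t u0) const {
        u128 u = ((u128)u1 << 64) | u0;
        // Step 1: q <- v0*u1 + 2^s0 * u mod beta^2 (u128 arithmetic wraps mod 2^128 = beta^2)
        u128 q = (u128)v0 * u1 + (u << s0);
        // Step 2: r <- u - floor(q/beta) * p mod beta; the true value is < 2p < beta, so the low word suffices
        uint64_t qhat = (uint64_t)(q >> 64);
        uint64_t r = u0 - qhat * p;   // uint64_t arithmetic wraps mod beta
        // Step 3: the quotient estimate is too small by at most one, so one conditional subtraction corrects it
        if (r >= p) r -= p;
        return r;
    }
};

// Compare against 128-bit division on edge cases plus constructed pseudo-random inputs; true on success.
static bool selftest(uint64_t p, unsigned s0, int iterations) {
    ModReducer red(p, s0);
    u128 p2 = (u128)p * p;
    u128 edge[] = {0, (u128)p - 1, (u128)p, p2 - 1, p2 - p, ((u128)1 << 64) - 1, (u128)1 << 64};
    for (u128 u : edge) {
        if (u >= p2) continue;
        if (red.reduce((uint64_t)(u >> 64), (uint64_t)u) != (uint64_t)(u % p)) return false;
    }
    std::mt19937_64 rng(0x5eed);   // fixed seed: deterministic run
    for (int i = 0; i < iterations; ++i) {
        u128 u = (((u128)rng() << 64) | rng()) % p2;
        if (red.reduce((uint64_t)(u >> 64), (uint64_t)u) != (uint64_t)(u % p)) return false;
    }
    return true;
}

int main() {
    // Two odd moduli chosen here to meet Eq. (1): 2^62 - 3*2^25 + 1 with s0 = 2, and 2^63 - 25 with s0 = 1.
    const uint64_t p62 = 4611686018326724609ULL;
    const uint64_t p63 = 9223372036854775783ULL;
    std::printf("p62 (s0 = 2) ok: %d\n", selftest(p62, 2, 100000));
    std::printf("p63 (s0 = 1) ok: %d\n", selftest(p63, 1, 100000));
    return 0;
}
```

Why a single conditional subtraction is enough: Eq. (1) forces the high word of ⌊β^2/p⌋ to be exactly 2^{s_0}, so v_0 · u_1 + 2^{s_0} · u equals ⌊β^2/p⌋ · u_1 + 2^{s_0} · u_0, an estimate of the quotient that is never too large and is short by less than one; r therefore lands in [0, 2p) before step 3. Note that the branch in step 3 is data-dependent; a constant-time variant would replace it by a masked subtraction.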

Page 32: Lattice Cryptography

NTT form

Polynomial representation
In NFLlib polynomials are represented and handled in an evaluated form using the Number Theoretic Transform (the finite-field analogue of the Discrete Fourier Transform).

Advantages
By the book, polynomial multiplication is O(n^2). In NTT form, multiplication is a coefficient-wise (element-to-element) multiplication, which is (obviously) O(n). The forward and inverse transforms themselves cost O(n log n), so the gain is largest when operands are kept in NTT form across many operations.
→ Great performance improvement
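The following is an added example, not NFLlib's code, showing the mechanism the slide describes: polynomials in Z_q[x]/(x^n + 1) are moved into NTT form, multiplied coefficient by coefficient, and moved back, and the result is checked against the O(n^2) schoolbook product. It assumes q is prime with 2n | q − 1, which is what makes a primitive 2n-th root of unity ψ exist; the twist by powers of ψ turns the negacyclic product into a cyclic one, so a standard length-n NTT with root ω = ψ^2 applies. The parameter sets (q = 17, n = 8) and (q = 7681, n = 256), the brute-force search for ψ, and the input polynomials are all chosen here for the demonstration.

```cpp
// Added example: negacyclic NTT multiplication in Z_q[x]/(x^n + 1), checked against schoolbook.
// Not NFLlib code; parameters and inputs are constructed for the demonstration.
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

using u64 = uint64_t;
using Poly = std::vector<u64>;

static u64 mulmod(u64 a, u64 b, u64 q) { return (u64)((unsigned __int128)a * b % q); }
static u64 powmod(u64 a, u64 e, u64 q) {
    u64 r = 1; a %= q;
    for (; e; e >>= 1) { if (e & 1) r = mulmod(r, a, q); a = mulmod(a, a, q); }
    return r;
}

// Smallest psi with psi^n = -1 mod q, i.e. a primitive 2n-th root of unity (needs q prime, 2n | q-1).
static u64 find_psi(size_t n, u64 q) {
    assert((q - 1) % (2 * n) == 0);
    for (u64 g = 2; g < q; ++g) if (powmod(g, n, q) == q - 1) return g;
    assert(false); return 0;
}

// Schoolbook negacyclic product, O(n^2): the reference the NTT path is checked against.
static Poly mul_schoolbook(const Poly& a, const Poly& b, u64 q) {
    size_t n = a.size(); Poly c(n, 0);
    for (size_t i = 0; i < n; ++i) for (size_t j = 0; j < n; ++j) {
        u64 t = mulmod(a[i], b[j], q);
        size_t k = i + j;
        if (k < n) c[k] = (c[k] + t) % q;
        else c[k - n] = (c[k - n] + q - t) % q;   // x^n = -1: wrap with a sign flip
    }
    return c;
}

// In-place iterative Cooley-Tukey NTT of length n (power of two) with a root omega of order n.
static void ntt(Poly& a, u64 q, u64 omega) {
    size_t n = a.size();
    for (size_t i = 1, j = 0; i < n; ++i) {          // bit-reversal permutation
        size_t bit = n >> 1;
        for (; j & bit; bit >>= 1) j ^= bit;
        j ^= bit;
        if (i < j) std::swap(a[i], a[j]);
    }
    for (size_t len = 2; len <= n; len <<= 1) {
        u64 w_len = powmod(omega, n / len, q);
        for (size_t i = 0; i < n; i += len) {
            u64 w = 1;
            for (size_t j = 0; j < len / 2; ++j) {
                u64 u = a[i + j], v = mulmod(a[i + j + len / 2], w, q);
                a[i + j] = (u + v) % q;
                a[i + j + len / 2] = (u + q - v) % q;
                w = mulmod(w, w_len, q);
            }
        }
    }
}

// Forward: twist coefficient i by psi^i, then NTT with omega = psi^2. This is the "evaluated form".
static Poly to_ntt(Poly a, u64 q, u64 psi) {
    size_t n = a.size(); u64 t = 1;
    for (size_t i = 0; i < n; ++i) { a[i] = mulmod(a[i], t, q); t = mulmod(t, psi, q); }
    ntt(a, q, mulmod(psi, psi, q));
    return a;
}

// Inverse: NTT with omega^-1, then scale by n^-1 and untwist by psi^-i.
static Poly from_ntt(Poly a, u64 q, u64 psi) {
    size_t n = a.size();
    u64 psi_inv = powmod(psi, q - 2, q);
    ntt(a, q, mulmod(psi_inv, psi_inv, q));
    u64 t = powmod(n % q, q - 2, q);
    for (size_t i = 0; i < n; ++i) { a[i] = mulmod(a[i], t, q); t = mulmod(t, psi_inv, q); }
    return a;
}

// The O(n) part: a coefficient-wise product of the two transforms.
static Poly mul_ntt(const Poly& a, const Poly& b, u64 q, u64 psi) {
    Poly ah = to_ntt(a, q, psi), bh = to_ntt(b, q, psi);
    for (size_t i = 0; i < ah.size(); ++i) ah[i] = mulmod(ah[i], bh[i], q);
    return from_ntt(ah, q, psi);
}

// Deterministic check on constructed inputs that both paths agree; true on success.
static bool ntt_matches_schoolbook(size_t n, u64 q) {
    u64 psi = find_psi(n, q);
    Poly a(n), b(n);
    for (size_t i = 0; i < n; ++i) { a[i] = (i * 7 + 3) % q; b[i] = (i * i + 1) % q; }
    return mul_ntt(a, b, q, psi) == mul_schoolbook(a, b, q);
}

int main() {
    std::printf("n=8, q=17: %d\n", ntt_matches_schoolbook(8, 17));
    std::printf("n=256, q=7681: %d\n", ntt_matches_schoolbook(256, 7681));
    return 0;
}
```

The forward and inverse transforms are the O(n log n) cost; a library such as NFLlib keeps operands in the transformed domain so that the sums and products of a whole computation each cost only the O(n) coefficient-wise step.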

Page 34: Lattice Cryptography

CRT Representation

Motivation
For performance reasons we do not use specialized libraries to handle moduli that do not fit in native types when working directly with polynomials. However, we don't want to limit moduli sizes too strictly, so we use a Chinese Remainder Theorem (CRT) representation to deal with big moduli by splitting them into smaller integers.

Recover
To recover big moduli we call an external library, because we cannot do a better implementation.

HElib
Note that HElib uses an FFT representation for big moduli instead of CRT.

Page 35: Lattice Cryptography

Gaussian Random Generator

Description

    unsigned int sigma = 20;
    unsigned int security = 128;
    unsigned int sample = 1 << 14;

    FastGaussianNoise<uint8_t, T, 2> fg_prng(sigma, security, sample);

Distribution                  Uniform   D_{3.19}   D_{300}
cycles / bit generated (1)    0.4       1.39       3.43

(1) We implement a constant time algorithm with a ×4 overhead.

Page 36: Lattice Cryptography

Applications : Key Exchange & SFHE

Page 37: Lattice Cryptography

High Performance Key Exchange

Key Exchange Protocol
To illustrate the performance of our library in a concrete setting, we implement an equivalent of the key transport protocol RSASVE of NIST SP 800-56B. The client chooses a random message and encrypts it with the server's public key; the server then decrypts this random value, which is used to derive (with a hash function) a common secret.

Protocol           80 bits        128 bits       256 bits
RSA                7.95 Kops/s    0.31 Kops/s    N/A
ECDH               7.01 Kops/s    5.93 Kops/s    1.61 Kops/s
RLWE/NFLlib (2)    N/A            1020 Kops/s    508 Kops/s

(2) Enabling forward secrecy divides performance by 2.

Page 38: Lattice Cryptography

Somewhat Fully Homomorphic Encryption

SFHE
We modified the open-source implementation of the somewhat homomorphic encryption scheme of Fan and Vercauteren from [1] and directly replaced flint by NFLlib.

                   Encrypt   Decrypt   Hom. Add.   Hom. Mult.
[1] with flint     26.7 ms   13.3 ms   1.1 ms      91.2 ms
[1] with NFLlib    0.9 ms    0.9 ms    0.01 ms     17.2 ms
Gain               ×30       ×15       ×110        ×5.5

[1] Tancrède Lepoint and Michael Naehrig, "A Comparison of the Homomorphic Encryption Schemes FV and YASHE".

Page 39: Lattice Cryptography

Application : PIR

Page 40: Lattice Cryptography

Private Information Retrieval

Computational Private Information Retrieval (PIR)
A PIR scheme is a protocol in which a user retrieves a record from a database while hiding which one from the database administrators. A computational PIR protocol requires the database server to execute a homomorphic-cryptography-based algorithm over the whole database content.

Protocol      [2]        [3]      [4]
Throughput    0.5 Gb/s   1 Gb/s   20 Gb/s

[2] J. T. Trostle and A. Parrish, "Efficient computationally private information retrieval from anonymity or trapdoor groups", ISC 2010.
[3] C. Aguilar Melchor and P. Gaborit, "A Fast Private Information Retrieval Protocol", ISIT'08.
[4] cPIR based on Lipmaa's scheme using lattice-based cryptography, implemented with NFLlib.

Page 41: Lattice Cryptography

Conclusion

NFLlib is an optimized and efficient library designed to handle polynomials over the rings Z_p[x]/(x^n + 1) in NTT form.

It can be used as a building block for ideal-lattice-based cryptography and can be more efficient than existing implementations based on NTL or flint.

Code available at : https://github.com/quarkslab/NFLlib
