Abstract
In 2014, Smart and Vercauteren introduced a packing technique for homomorphic encryption schemes by decomposing the plaintext space using the Chinese Remainder Theorem. This technique allows to encrypt multiple data values simultaneously into one ciphertext and execute Single Instruction Multiple Data operations homomorphically. In this paper we improve and generalize their results by introducing a flexible Laurent polynomial encoding technique and by using a more fine-grained CRT decomposition of the plaintext space. The Laurent polynomial encoding provides a convenient common framework for all conventional ways in which input data types can be represented, e.g. finite field elements, integers, rationals, floats and complex numbers. Our methods greatly increase the packing capacity of the plaintext space, as well as one’s flexibility in optimizing the system parameters with respect to efficiency and/or security.
This work was supported by the European Commission under the ICT programme with contract H2020-ICT-2014-1 644209 HEAT, and through the European Research Council under the FP7/2007-2013 programme with ERC Grant Agreement 615722 MOTMELSUM. The first author thanks Ghent University for its hospitality. The authors also thank the anonymous referees for some helpful remarks.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Homomorphic encryption allows to perform arithmetic operations on encrypted data without decryption. The idea stems from [26] where the authors introduced so-called ‘privacy homomorphisms’ from plaintext space to ciphertext space. In 2009, Gentry [21] presented the first fully homomorphic encryption scheme (FHE) using ideal lattices. This breakthrough result was followed by several variants and improvements [6,7,8,9, 20, 23] all using the same blueprint. One first constructs a somewhat homomorphic encryption (SHE) scheme that can homomorphically evaluate arithmetic circuits of limited depth and then turns this into a fully homomorphic scheme using a bootstrapping procedure. The security of these schemes relies on the presence of a noise component in the ciphertexts. This noise grows during arithmetic operations and eventually reaches a threshold beyond which the ciphertext can no longer be decrypted correctly. The bootstrapping procedure basically reduces the inherent noise by executing the decryption circuit homomorphically. Despite considerable effort in making bootstrapping more efficient [2, 11, 13, 19], full fledged FHE is still rather slow, so implementers typically resort to using SHE schemes for practical applications.
The efficiency of homomorphic encryption schemes can be improved significantly by a judicious choice of plaintext space and encoding techniques for the common data types such as finite field elements, integers, rationals, floats and complex numbers. Concretely, throughout this paper we assume that the plaintext space is a ring of the form
where \(t \ge 2\) is an integer called the plaintext modulus, and \(\overline{f}(X)\) is the reduction modulo t of a monic irreducible polynomial \(f(X) \in \mathbb {Z}[X]\) of degree \(d \ge 1\). This setting is valid for most SHE schemes whose security relies on the Ring-LWE problem.Footnote 1 The degree d together with the ciphertext modulus q and the standard deviation \(\sigma \) of the initial noise distribution are the main security parameters, and these are typically determined by the required security level. The noise growth is influenced by d, q, \(\sigma \), but also by the plaintext modulus t. A first optimization to decrease the noise growth is therefore to use a smaller plaintext space. Several encoding techniques [3, 10, 12, 14, 18, 25] have been proposed whose goal is to ‘spread out’ the numerical input data as evenly as possible over the whole plaintext space, allowing for a smaller value of t. A second optimization, which can be combined with the first, is to decompose the plaintext space into smaller pieces using the Chinese Remainder Theorem (CRT) and run several computations in parallel [4, 27]. Smart and Vercauteren [27] described how to carry out SIMD calculations in an SHE context by viewing \(R_t\) as the CRT composition of
where \(\overline{f}_1(X)\overline{f}_2(X) \cdots \overline{f}_r(X)\) is a factorization of \(\overline{f}(X)\) into coprime factors. In fact, they concentrate on the case \(t = 2\), but the above immediate generalization is discussed in [22]. We will refer to this decomposition of \(R_t\) as a vertical slicing of the plaintext space.
Contributions. Our first contribution is an improvement of the above SIMD approach by utilizing a more fine-grained CRT decomposition of the plaintext space. We do this by also taking into account factorizations of the plaintext modulus t. We will refer to the CRT decomposition
corresponding to a factorization \(t = t_1t_2 \cdots t_s\) into coprime factors, as a horizontal slicing of the plaintext space. The flexibility of our method stems partly from the fact that factorisations modulo the various \(t_i\) do not imply a global factorisation modulo t. This alternative type of slicing for SIMD purposes is not new (see e.g. [4]). However, by combining horizontal and vertical slicing as explained in Sect. 4, the plaintext space becomes subdivided in ‘bricks’ as depicted in Fig. 4. In our SIMD approach, which we call SIM\(^2\)D, each data slot corresponds to a set of such bricks (called a block) rather than one vertical or horizontal slice as considered in previous works. This results in a much more flexible but, at the same time, denser packing as described in Sect. 5. In Sect. 6 we provide several tools that can help in making an optimal choice of blocks. This includes slight alterations to t and/or f(X) that lead to more fine-grained decompositions.
Our second contribution is a novel encoding technique for Laurent polynomials into a plaintext space of the form \(R_t = \mathbb {Z}_t[X]/(\overline{f}(X))\) that works for general \(\overline{f}\) (under the mild assumption that \(\overline{f}(0)\) is an invertible element of \(\mathbb {Z}_t\)). Previous work [15] could only deal with the very special case of 2-power cyclotomic polynomials, due to concerns of mixing of integral and fractional parts. Our encoding technique is explained in Sect. 3. Encoding elements of the Laurent polynomial ring \(\mathbb {Z}[X^{\pm 1}]\) serves as a convenient common framework for all customary encoding techniques: indeed, under \(X \mapsto b\) the Laurent polynomials specialize to b-ary expansions for any choice of base \(b \in \mathbb {C}\setminus \{0\}\). This framework allows to encode common data types such as finite field elements, integers, rationals, floats and complex numbers. Furthermore, we show that choosing different bases b for different blocks can be useful in optimizing the data packing (see Sect. 6).
Our algorithms for encoding, packing, unpacking and decoding are easy to implement (pseudo-code is provided) and extremely flexible to use. The overall goal is to provide a set of tools which together can be used to perform SIMD in an optimal way, given the constraints on the plaintext space imposed by security, efficiency and correctness requirements.
2 Preliminaries
2.1 Basic Notation
Vectors are denoted by bold letters such as \(\mathbf {a}\) and when the individual coordinates are required, we write a row vector as \((a_1,\dots ,a_k)\). For a natural number r, we denote the set \(\{1,\dots ,r\}\) by [r]. Similarly, for any \(\ell , m \in \mathbb {Z}, \ell \le m\), the set \(\{\ell , \ell +1,\dots ,m-1,m\}\) is denoted by \([\ell ,m]\). The quotient ring of integers modulo a natural number t is denoted \(\mathbb {Z}_t\).
2.2 Laurent Polynomials
Most common numerical types (integers, rational, real or complex numbers) are represented as (finite) power series expansions in a certain base \(b \in \mathbb {C}\setminus \{0\}\), using digits that are taken from some given subset of \(\mathbb {Z}\). These expansions naturally correspond to Laurent polynomials with integral coefficients, i.e. elements of the ring \(\mathbb {Z}[X^{\pm 1}]\).
Most frequently, an integral base \(b > 1\) with digit set \(\{0,\dots ,b-1\}\) is used in practice, such as binary \(b = 2\) or ternary \(b = 3\). For use in SHE schemes, several variations [3, 12, 14, 18] have been proposed. For the purposes of this paper we mention the non-integral base non-adjacent form (NIBNAF) from [3] which is a very sparse expansion with respect to a real base \(b \in (1,2)\) and using the digit set \(\{-1,0,1\}\). All of these expansions can be thought of as the evaluations at \(X = b\) of a Laurent polynomial with integral coefficients.
Example 1
The real number 2.3 can be approximated in base \(b=2\) using digits in \(\{0,1\}\) as
which is the evaluation of the Laurent polynomial
at \(X = b = 2\).
Recall that in general, any Laurent polynomial \(a(X) \in \mathbb {Z}[X^{\pm 1}]\) can be written as
where \(a_i \in \mathbb {Z}\) for every \(i \in [\ell ,m]\), \(a_{\ell }, a_m \ne 0\) and \(\ell \le m\). For a modulus t (which will be clear from the context) we write \(\overline{a}(X)\) for the Laurent polynomial in \(\mathbb {Z}_t[X^{\pm 1}]\) obtained by reducing all coefficients.
Definition 1
For an integral Laurent polynomial \(a(X) \in \mathbb {Z}[X^{\pm 1}]\) represented as in Eq. (1), we define the bounding box of a(X) as the tuple (w, h) with \(w = m - \ell \) and \(h = \log _2 (\max _i a_i - \min _i a_i + 1)\) the sizes of the exponent and the coefficient ranges of a(X).
We represent the bounding box graphically with a rectangle of width w and height h (Fig. 1).
2.3 Plaintext Space
Most SHE schemes utilize quotient rings of the form
where \(f(X) \in \mathbb {Z}[X]\) is a monic irreducible polynomial of degree d. The plaintext space is typically represented as a quotient ring \(R_t = \mathbb {Z}_t[X]/(\overline{f}(X))\) for an integral plaintext modulus t. Similarly, the ciphertext space is defined as \(R_q = \mathbb {Z}_q[X]/(\overline{f}(X))\) where \(q \gg t\). Another important parameter is the standard deviation \(\sigma \) of the discretized Gaussian distribution from which the SHE encryption scheme samples its noise, which is embedded into the ciphertexts.
Typically, one first sets the parameters q, d and \(\sigma \), primarily as functions of the security level, in order to prevent all known attacks on the underlying lattice problems [1]. Afterwards, the plaintext modulus t is selected, subject to two constraints. Firstly, it is bounded from above, which stems from the fact that the embedded noise grows during arithmetic operations up to a critical threshold above which ciphertexts can no longer be decrypted. Since the plaintext modulus directly affects the noise growth in ciphertexts, one can find a maximal t for which the decryption remains correct while evaluating a given arithmetic circuit \(\mathcal {C}\). We denote this bound by \(t^{\max }_{\mathcal {C}}\). If it is impossible to satisfy this bound then one can use the Chinese Remainder Theorem to split the computation into smaller parts, as explained in Remark 3; see also [4]. Secondly, as explained in the next section, the plaintext modulus t is bounded from below by some value \(t^{\min }_{\mathcal {C}}\) which depends on the input data and on the way the latter is encoded, and which ensures correct decoding.
Remark 1
The values of \(q, d, \sigma \) are not uniquely determined by the security level. Therefore, one can try to use the remaining freedom to target a specific value of \(t^{\max }_{\mathcal {C}}\). In the remainder of the paper, we will assume that \(t^{\max }_{\mathcal {C}}\) is given, and our aim is to utilize the available plaintext space in an optimal way. One motivation for targeting maximal flexibility here is that it is not clear whether preselecting a precise value of \(t^{\max }_{\mathcal {C}}\) is always possible in practice (e.g., for a fixed degree and security level it turns out that the value of \(t^{\max }_{\mathcal {C}}\) stabilizes as \(q \rightarrow \infty \)). This is further impeded by the fact that concrete implementations often do not allow q and d to be picked from some continuous-like range (e.g., the FV-NFLlib [16] and the SEAL [24] libraries require that d is a power of 2 and that \(\log _2q\) is a multiple of some integer). A second motivation is that it can be desirable to use a single SHE implementation for encrypting batches of data of largely varying sizes. The plaintext space should be chosen to fit the largest data, and the methods presented below can then be used to optimize the handling of the smaller data.
The most common choice for f(X) is a cyclotomic polynomial. The nth cyclotomic polynomial \(\varPhi _n(X) \in \mathbb {Z}[X]\) is the minimal polynomial of a primitive nth root of unity in \(\mathbb {C}\)
where \(\zeta _n = e^{2\pi i/n}\). The degree of \(\varPhi _n(X)\) is equal to \(\phi (n)\), where \(\phi (n)\) is the totient function. It is always irreducible over \(\mathbb {Z}\) and, additionally, \(\varPhi (0) = 1\) for \(n \ge 3\).
Cyclotomic polynomials are often used by SHE implementers since they have very nice arithmetic properties such as fast modular reduction and simple Galois groups, which can be used to move data values in between data slots.
3 Plaintext Encoding/decoding of Laurent Polynomials
In this section we consider the problem of encoding an integral Laurent polynomial in the plaintext space and the reverse operation of decoding. We also give necessary conditions on the ‘size’ of the plaintext space such that a given circuit \(\mathcal {C}\) can be evaluated correctly.
3.1 Encoding
Assume that the input data (integers, rationals, reals, ...) has been represented as a Laurent polynomial \(a(X) \in \mathbb {Z}[X^{\pm 1}]\). Encoding such a Laurent polynomial in the plaintext space \(R_t\) has been considered in a series of recent works [3, 12, 14, 18]. However, it was emphasized in [14] that the plaintext space should only be defined modulo a 2-power cyclotomic polynomial \(f(X) = X^{2^k} + 1\) for some k. The reason for this restriction is that the authors required a small and sparse representation for \(X^{-1}\), which in this case is given by \(X^{-1} \equiv -X^{2^k-1} \bmod f(X)\).
Here we propose a very general way of encoding Laurent polynomials which works for almost all defining polynomials f. Let \(\overline{f}(X)\) denote the reduction modulo t of f(X) and assume that f(0) is co-prime with t, so \(\overline{f}(0)\) is invertible in \(\mathbb {Z}_t\). Define \(\overline{g}(X)\) by writing \(\overline{f}(X) = \overline{g}(X)X + \overline{f}(0)\), then it is obvious that modulo \(\overline{f}(X)\) we have that \(X^{-1} \equiv -\overline{g}(X) \overline{f}(0)^{-1}\).
The encoding map \(\mathsf {Encd}_{\overline{f}}\) is then given by the sequence of ring homomorphisms
with
Example 2
In the case of the 2-power cyclotomic polynomial \(f(X) = X^{2^k} + 1\), the above map replaces negative powers \(X^{-j}\) by \(-X^{d-j}\), which coincides with the approach from [14]: when expressed in terms of the basis \(1, X, X^2,\dots ,X^{d-1}\) of \(R_t\), the map \(\eta _{\overline{f}}\) places the positive exponents at the low end of this range, and the negative exponents are placed at the high end.
3.2 Decoding
The crux of the construction relies on the fact that the above encoding map \(\mathsf {Encd}_{\overline{f}}\) defines an isomorphism when restricted to a subset of Laurent polynomials. Indeed, if we choose a subset of \(\mathbb {Z}_t[X^{\pm 1}]\) of the form
with \(\ell \) and m chosen such that \(m - \ell + 1 = d\), then the restriction of \(\eta _{\overline{f}}\) to \(\mathbb {Z}_{t}[X^{\pm 1}]^m_{\ell }\) is an isomorphism between two free \(\mathbb {Z}_{t}\)-modules of rank d. The inverse of this map, denoted \(\theta _{\overline{f},\ell ,m}\), is easy to compute in practice, since it simply corresponds to a matrix inversion.
Thus, \(\theta _{\overline{f},\ell ,m}\) determines the decoding algorithm from \(R_t\) to Laurent polynomials over \(\mathbb {Z}_{t}\). In the final step, one has to lift a Laurent polynomial from \(\mathbb {Z}_t[X^{\pm 1}]\) to \(\mathbb {Z}[X^{\pm 1}]\) by choosing a representative for each coefficient in a non-empty subset A of \(\mathbb {Z}\) of size t. For simplicity we will always take \(A = [z , z + t - 1 ]\) for some \(z \in \mathbb {Z}\), common choices being \(A = [-\lfloor (t-1)/2 \rfloor , \lceil (t-1)/2 \rceil ]\) or \(A= [0, t-1]\). But any set A of representatives would be possible, and in fact it can even depend on the coefficient under consideration. Together these two steps define the decoding map \(\mathsf {Decd}_{\overline{f},\ell ,m,A}\).
3.3 Correctness Conditions
Since homomorphic encryption aims to perform arithmetic operations on ciphertexts, one usually deals with a ciphertext being the outcome of an arithmetic circuit involving only multiplications and additions. By the homomorphic property this ciphertext corresponds to a plaintext which is the result of the same operations in the plaintext space. Given a circuit \(\mathcal {C}\), the result of its evaluation on encodings of Laurent polynomials \(\mathbf {a}= (a_1(X),\dots ,a_k(X))\) is denoted by \(\mathcal {C}(\mathsf {Encd}_{\overline{f}}(\mathbf {a})) \in R_t\).
To guarantee correctness of circuit evaluation, one has to make sure that there exist \(\ell ,m \in \mathbb {Z}\) such that \(m - \ell + 1 = d\) and some non-empty set \(A \subsetneq \mathbb {Z}\) of size at most t such that
where \(\mathcal {C}(\mathbf {a})\) is the result of the same circuit evaluation in \(\mathbb {Z}[X^{\pm 1}]\). This implies that the bounding box (w, h) of \(\mathcal {C}(\mathbf {a})\) has to satisfy \(w \le m - \ell + 1 = d\) and \(h \le \log _2|A| = \log _2 t\). In this case, we say that the plaintext space covers the bounding box of \(\mathcal {C}(\mathbf {a})\) as shown in Fig. 2 below.
If the bounding box (w, h) of a Laurent polynomial has larger height than the plaintext space, i.e. \(h > \log _2 t\), then we say that the computation overflows modulo t. If we end up with \(w > d\) then we say that it overflows modulo \(\overline{f}(X)\).
The parameters t and d should therefore be taken large enough to satisfy the above requirement. In practice, d is usually fixed by the security requirements of the SHE scheme. The choice for t, however, strongly depends on the arithmetic circuit \(\mathcal {C}\) one is trying to evaluate. Initially, the input data of the circuit is encoded by Laurent polynomials whose bounding boxes are of height \(h \le \log _2 (|\{b\text {-base digits}\}|)\). During arithmetic operations the height (typically) grows to the height of the bounding box of the outcome. For a given circuit \(\mathcal {C}\), this defines a lower bound for t to guarantee correct decoding, which we denote \(t^{\min }_{\mathcal {C}}\). Combined with the upper bound on t from Sect. 2.3, one obtains a range for t, namely \([t^{\min }_{\mathcal {C}}, t^{\max }_{\mathcal {C}}]\).
Example 3
To illustrate encoding and decoding, we take \(R_t = \mathbb {Z}_7[X]/(\overline{f}(X))\) where \(\overline{f}(X) = X^9 + 4 X^7 + 1\). Thus, \(\overline{g}(X) = X^8 + 4X^6\) and \(\mathsf {Encd}_{\overline{f}}\) maps \(X^{-1}\) to \(6X^8 + 3X^6\). Let us multiply two rational numbers, \(\frac{182}{243}\) and 1476. Their base-3 expansions are as follows
or as Laurent polynomials
Applying \(\mathsf {Encd}_{\overline{f}}\) we get encodings of a and b in \(R_t\), namely, \(\overline{a} = 6X^2 + 4X^4 + 4X^6 + 5X^8\) and \(\overline{b} = 2X^2 + 2X^6\). Their product is equal to
We take \(\ell = -3\), \(m = 5\) and \(A = \{4,5,\dots ,10\}\) in order to keep the product inside the box. Now we can define \(\mathsf {Decd}_{\overline{f},-3,5,A}\). The first step is to construct a linear operator \(\theta _{\overline{f},-3,5}\) using the inverse of the matrix defining the restriction of \(\eta _{\overline{f}}\) on \(\mathbb {Z}_7[X^{\pm 1}]^5_{-3}\):
Then \(\overline{c}\) is mapped to a Laurent polynomial \(4X^{-3} + 4X^{-1} + X + 4X^3 + 4X^5 \in \mathbb {Z}_7[X^{\pm 1}]\). By looking for representatives of the coefficients in the set A we get \(4X^{-3} + 4X^{-1} + 8X + 4X^3 + 4X^5 \in \mathbb {Z}[X^{\pm 1}]\) and evaluate it at \(X=3\)
which is the correct product of \(\frac{182}{243}\) and 1476.
Remark 2
Note that the above condition for correct decoding only depends on the bounding box of the evaluation of the circuit \(\mathcal {C}({\mathbf {a}})\) and not on the bounding boxes of the individual inputs \(a_i(X) \in \mathbb {Z}[X^{\pm 1}]\) nor on those of the intermediate values. Indeed, we always have
simply because \(\mathsf {Encd}_{\overline{f}}\) is a ring homomorphism. This implies that the bounding boxes of the input or intermediate values should not necessarily be contained in the bounding box of the plaintext space, as long as the outcome of evaluation is.
4 Splitting the Plaintext Space
In this section we recall how the Chinese Remainder Theorem (CRT) can be used to split the plaintext space naturally along two directions: firstly, we will split horizontally for each prime power factor \(t_i\) of the plaintext modulus t and secondly, each horizontal slice will be split vertically by factoring \(f(X) \bmod {t_i}\).
4.1 Horizontal Splitting
If t is a composite that factors into distinct prime powers \(t = t_1 \dots t_s\) then the ring \(R_t\) can be mapped via the CRT to a direct product of \(R_{t_i}\)’s resulting in the following ring isomorphism
whose inverse is easy to compute. For a given index subset \(I=\{i_1,\dots ,i_c\} \subseteq [s]\) the map \(\mathsf {CRT}_{t}\) induces a surjective morphism
which is well-defined via the projection map
so that \(\mathsf {CRT}_{t_I} = \pi _{t_I} \cdot \mathsf {CRT}_{t}\). The \(\mathsf {CRT}_t\) can be represented as a ‘horizontal’ splitting of the plaintext space according to the unique factorization of t into distinct prime powers \(\{t_i\}_{i \in [s]}\). Each horizontal slice in Fig. 3 corresponds to some \(R_{t_i}\).
4.2 Vertical Splitting
For each factor \(t_i\) of t we define \(\overline{f}_i(X) \in \mathbb {Z}_{t_i}[X]\) to be the reduction of f(X) modulo \(t_i\). Since f(0) is co-prime with t, it is also co-prime with any \(t_i\) and thus, \(\overline{f}_i(0)\) is invertible.
The factorization of \(\overline{f}_i(X)\) into irreducible factors modulo \(t_i\) can be computed as follows: if \(t_i\) is prime, then one can simply use factorization algorithms for polynomials over finite fields; for \(t_i\) a prime power, one first computes the factorization modulo the prime and then lifts it using Hensel’s lemma to a factorization modulo \(t_i\). The result in both cases is that we can easily obtain a factorization
for monic irreducible polynomials \(\overline{f}_{ij}(X) \in \mathbb {Z}_{t_i}[X]\). Note that the constant terms \(\overline{f}_{ij}(0)\) are all invertible because their product \(\overline{f}_i(0)\) is invertible. Applying the CRT in the polynomial dimension gives the following map for each \(t_i\):
Here the \(R_{t_i,j}\) denotes the ring \(\mathbb {Z}_{t_i}[X]/(\overline{f}_{ij}(X))\), which corresponds to a ‘brick’ in Fig. 4. The map \(\mathsf {CRT}_{t_i,\overline{f}_i}\), whose inverse is again easy to compute, can be thought of as a ‘vertical’ splitting of \(R_{t_i}\). For simplicity we will usually just write \(R_{i,j}\) rather than \(R_{t_i,j}\). By analogy with \(\mathsf {CRT}_{t_I}\), we introduce the surjective ring homomorphism \(\mathsf {CRT}_{t_i,{\overline{f}_J}}\) from \(R_{t_i}\) to \(\prod _{j \in J} R_{{t_i},j}\) where \(J=\{j_1,\dots ,j_c\} \subseteq [r_i]\).
5 Improved SIMD Encoding
In this section we combine the results of Sects. 3 and 4 to derive flexible SIMD encoding and decoding algorithms. Recall that to correctly decode the result of a circuit evaluation \(\mathcal {C}(\mathbf {a})\), we require that the bounding box of the plaintext space covers the bounding box of \(\mathcal {C}(\mathbf {a})\). We assume that this is indeed the case, and show how to select a minimal number of bricks of \(R_t\) to cover the bounding box of \(\mathcal {C}(\mathbf {a})\), leaving the other bricks available for doing parallel computations.
Recall that each brick corresponds to a ring \(R_{i,j}\) in the decomposition
Each ring \(R_{i,j}\) has its own bounding box of size \((d_{ij}, \log _2 t_i)\), where \(d_{ij} = \deg \overline{f}_{ij}\). Assuming that the bounding box of \(\mathcal {C}(\mathbf {a})\) is given by (w, h), we need to combine enough horizontal slices to cover the height h, and inside each horizontal slice, we need to select enough bricks to cover the width w as illustrated in Fig. 5. Any unused bricks can be used to encode other data values, for instance to compute \(\mathcal {C}(\mathbf {b})\) for some other input vector \(\mathbf {b}\), immediately resulting in SIMD computations.
We formalize this approach by combining bricks into a block structure: we call a block a set of tuples \(\mathcal {B}= \{(t_i, \overline{f}_{ij})\}_{i \in I(\mathcal {B}), j \in J(\mathcal {B},i)}\) with index sets \(I(\mathcal {B}) \subseteq [s]\) and \(J(\mathcal {B},i) \subseteq [r_i]\), where we recall that \(r_i\) is the number of irreducible factors of \(\overline{f}_i\). We of course think of this as corresponding to the set of \(R_{i,j}\)’s with \(i \in I(\mathcal {B}), j \in J(\mathcal {B},i)\). Equivalently, through an application of the CRT this corresponds to the set of quotient rings \(\{R_{t_i}/(\overline{F}_{i,\mathcal {B}})\}_{i \in I(\mathcal {B})}\) where \(\overline{F}_{i,\mathcal {B}} = \prod _{j \in J(\mathcal {B}, i)} \overline{f}_{ij}\). Graphically we think of a block as a set of bricks of \(R_t\), which are combined such that the \(R_{i,j}\)’s with the same index i are glued column-wise and the resulting rows are placed on top of each other (Fig. 6).
In order for a block \(\mathcal {B}\) to be suitable for computing \(\mathcal {C}(\mathbf {a})\), whose bounding box we denote by (w, h), we note that the bounding box of \(R_{t_i}/(\overline{F}_{i,\mathcal {B}})\) with \(i \in I(\mathcal {B})\) is \((w_{i, \mathcal {B}}, \log _2 t_i)\) where
If \(\min _{i \in I(\mathcal {B})} w_{i, \mathcal {B}} \ge w\) and \(\sum _{i \in I(\mathcal {B})} \log _2 t_i \ge h\) then we say that \(\mathcal {B}\) covers the bounding box (w, h). As we will see \(\mathcal {C}(\mathbf {a})\) will be decoded correctly as soon as an encoding block \(\mathcal {B}\) is used that covers its bounding box.
Example 4
We decompose \(R_t = \mathbb {Z}_{2761}[X]/(f(X))\) where \(f(X) = X^{20}+X^{15}+1\). The plaintext modulus factors into \(t_1 = 11\) and \(t_2 = 251\) and
Accordingly, \(R_t\) splits into \((R_{1,1} \times R_{1,2}) \times (R_{2,1} \times R_{2,2} \times R_{2,3})\). Overall we have 5 ‘bricks’ that can be combined into 31 different blocks. For example, one can take a block \(\{(11,X^{15} + 9X^{10} + 6X^5 + 4), (251, X^{5} + 18), (251,X^{5} + 120)\}\) corresponding to the combination of \(R_{1,2}, R_{2,1}\) and \(R_{2,2}\) or \(\{(11,X^5 + 3),(11,X^{15} + 9X^{10} + 6X^5 + 4)\}\) which simply corresponds to \(R_{11} = R_t/(11)\) (see Fig. 7).
The whole plaintext space can be represented by a block as well
Therefore, the SIMD packing problem consists in finding a set of disjoint blocks \(S = \{\mathcal {B}_1,\dots ,\mathcal {B}_u\}\) such that \(\bigcup _{\mathcal {B}\in S} \mathcal {B}= \mathcal {P}\) and every block covers the maximal bounding box among the corresponding output values.
To a partition S of \(\mathcal {P}\) there naturally corresponds a factorization of \(\overline{f}_i\) for every \(i \in [s]\):
This induces a family of CRT isomorphisms
Now we have all the ingredients to pack a number of data values into one plaintext as described in Algorithm 1.
After packing one can encrypt the output and feed it to an arithmetic circuit (together with other packings in case the circuit takes more than one argument). The resulting plaintext contains multiple evaluations corresponding to each block that can be decoded using Algorithm 2.
Algorithm 2 produces correct circuit evaluations for all blocks occurring in Algorithm 1 that satisfy the properties outlined in the next theorem.
Theorem 1
Let S be a set of disjoint blocks such that \(\bigcup _{\mathcal {B}\in S} \mathcal {B}= \mathcal {P}\). Let \(\mathcal {C}\) be an arithmetic circuit taking v arguments and for each block \(\mathcal {B}\) let \(\mathbf {a}_\mathcal {B}= (a_{\mathcal {B},1}, \dots , a_{\mathcal {B},v})\) be a vector of Laurent polynomials. For each \(k = 1, \ldots , v\) let \(b_k\) denote the output of Algorithm 1 upon input of \((a_{\mathcal {B}, k})_{\mathcal {B}\in S}\). Let \(\overline{c} = \mathcal {C}(b_1, \ldots , b_v)\). Then for each block \(\mathcal {B}\) we have that if it covers the bounding box of \(\mathcal {C}(\mathbf {a}_\mathcal {B})\), then upon input of \(\overline{c}\) Algorithm 2 produces \(\mathcal {C}(\mathbf {a}_\mathcal {B})\), for an appropriate choice of \(\ell \), m and A.
Proof
By our assumption there are \(\ell , m\) such that \(\mathcal {C}(\mathbf {a}_\mathcal {B}) = \sum _{i = \ell }^m \alpha _i X^i\) where
with \(A = \{ \min _i \alpha _i, \ldots , \max _i \alpha _i \}\). Let a denote the output of Algorithm 2 upon input of \(\overline{c}\) using these \(\ell \), m, and A. Since this is a Laurent polynomial having coefficients in A, by (3) it suffices to prove that the reductions of a and \(\mathcal {C}(\mathbf {a}_\mathcal {B})\) modulo \(t_i\) are the same for each \(i \in I(\mathcal {B})\). Again by (3) these reductions are contained in \(\mathbb {Z}_{t_i}[X^{\pm 1}]_\ell ^{m_i}\) where \(m_i = \ell + w_{i,\mathcal {B}} - 1\), so by injectivity of \(\eta _{\overline{F}_{i, \mathcal {B}}}\) it suffices to prove that
From Algorithm 2 we see that the left-hand side is just the reduction of \(\overline{c}\) into \(R_{t_i}/ (\overline{F}_{i, \mathcal {B}})\), while the right hand side is
because of the homomorphic properties of the encoding map. From Algorithm 1 we clearly see that \(\mathsf {Encd}_{\overline{F}_{i, \mathcal {B}}}(a_{\mathcal {B},k})\) is the reduction of \(b_k\) into \(R_{t_i}/ (\overline{F}_{i, \mathcal {B}})\), for all \(k = 1, \ldots , v\), so the theorem follows. \(\square \)
Example 5
Using the CRT decomposition of \(R_t\) from Example 4 we cube two Laurent polynomials simultaneously using SIMD, namely \(u(X) = 7X^3 + 7X^2\) and \(v(X) = 8X^5 + 7X\). To encode \(u^3\) we take the block \(\mathcal {B}_1\) with rings \(R_{1,1}, R_{2,1}\) and the remaining bricks to build the block \(\mathcal {B}_2\) to hold the result \(v^3\).
Since only positive exponents are present in the data, all encoding functions \(\mathsf {Encd}_{\overline{F}_{i, \mathcal {B}_1}}\) and \(\mathsf {Encd}_{\overline{F}_{i, \mathcal {B}_2}}\) map u(X) and v(X) identically to the corresponding \(R_{i,j}\)’s. Then we get
Applying \(\mathsf {CRT}^{-1}_{t_i,\overline{f}_i,\{\mathcal {B}_1, \mathcal {B}_2\}}\) for each \(t_i\) we find
which finally leads to the following plaintext via \(\mathsf {CRT}_t^{-1}\)
Now we evaluate an arithmetic circuit \(z \mapsto z^3\) in b and obtain
which simultaneously encodes \(u^3\) and \(v^3\).
In order to decode the data we apply Algorithm 2 starting with the block \(\mathcal {B}_1\) equipped with the exponent range [6, 9] and the coefficient set \(A_{\mathcal {B}_1}=[0,2760]\). At first, we should reduce \(\overline{c}\) modulo \(\overline{F}_{i,\mathcal {B}_1}\) and \(t_i\) for each \(i \in I(\mathcal {B}_1)\). As a result, we find
To decode into Laurent polynomials we set \(\ell _i=6\) and \(m_i=10\) for every \(i \in I(\mathcal {B}_1)\) because \(\deg \overline{F}_{1,\mathcal {B}_1} = \deg \overline{F}_{2,\mathcal {B}_1} = 5\). Then we follow the same procedure as in Example 3 to define \(\theta _{\overline{F}_1,6,10}\) and \(\theta _{\overline{F}_2,6,10}\) via matrices \(M_1 = 7 \cdot M\) and \(M_2 = 237 \cdot M\) where
These linear transformations give us two Laurent polynomials modulo 11 and 251, respectively
Using the coefficient-wise CRT and lifting coefficients in \(A_{\mathcal {B}_1}\) we recover the Laurent polynomial
which is equal to \(u^3\).
We repeat the same steps for the block \(\mathcal {B}_2\) with the exponent range [3, 15] and the same coefficient set A. This block has again the polynomials \(\overline{F}_{i, \mathcal {B}_2}\) of the same degree and thus every \(m_i = 17\) and \(\ell _i = 3\). Executing Algorithm 2 we get the following sequence of calculations
The last polynomial is exactly \(v^3\) so we correctly cubed two Laurent polynomials.
Remark 3
The CRT factorization can also be exploited when a homomorphic algorithm needs a bigger plaintext modulus than the upper bound \(t^{\max }_{\mathcal {C}}\) discussed above. Let us denote this modulus with a capital T to emphasize direct incompatibility of this parameter with other SHE parameters, namely, \(T > t^{\max }_{\mathcal {C}}\). However, one can find a set of natural numbers \(\{T_i\le t^{\max }_{\mathcal {C}}\}\) such that \(T \le T' = \prod _i T_i\). Then \(R_{T'}\) splits into smaller quotient rings \(R_{T_i}\). A plaintext \(a \in R_{T'}\) then maps to a vector whose ith component lies in \(R_{T_i}\). In that case the plaintext space splits into quotient rings with smaller moduli via CRT such that each ring fits the SHE settings according to the following diagram
A homomorphic circuit evaluation must then be repeated over each CRT factor \(T_i\). Nevertheless, this gives some freedom of choice for \(T_i\)’s so as to find \(R_{T'}\) with a nice CRT decomposition.
6 Parameter Choice
In this section we discuss a set of tools that will allow implementers to benefit from our enhanced SIMD approach as much as possible. There are three parameters that directly affect the packing capacity. We list them below in an order that seems natural for solving any packing problem. Nevertheless, all parameters depend on each other.
Plaintext Modulus. Earlier we defined the range \([t^{\min }_{\mathcal {C}}, t^{\max }_{\mathcal {C}}]\) from which the plaintext modulus t is allowed to be chosen. Additionally, at the end of Sect. 4 we discussed the CRT trick that allows to handle plaintext moduli that are bigger than \(t^{\max }_{\mathcal {C}}\). Altogether this gives a designer some freedom to choose t such that it splits into many ‘advantageous’ \(t_i\)’s. An ‘advantageous’ \(t_i\) means that the factorization of \(\overline{f}_i\) is such that the resulting CRT decomposition can embed as many plaintexts as possible, which is usually facilitated by a finer brick structure as in Fig. 8.
This brick structure is defined by the \(t_i\)’s and by the degrees of the \(\overline{f}_{ij}\)’s, namely \(d_{i1},\dots ,d_{i r_i}\) which constitute a decomposition type of f modulo \(t_i\). Let G be the Galois group of the splitting field of f over \(\mathbb {Q}\). It can be considered as a subgroup of the group \(S_d\) of permutations of d elements. Every automorphism \(\sigma \) can be represented as a product of cycle permutations with a corresponding pattern of cycle lengths. Additionally, we say that a set P of prime numbers has density \(\delta \) if
Then the probability that a desired decomposition type occurs for some random \(t_i\) is estimated by the following classical theorem.
Theorem 2
(Frobenius). The density of the set P of primes modulo which f has a given decomposition type \(d_1, d_2,\dots , d_r\) exists, and it is equal to 1 / |G| times the number of automorphisms \(\sigma \in G\) with cycle pattern \(d_1, d_2,\dots , d_r\).
An interesting case is where \(\overline{f}_i\) splits into linear factors since it gives maximal flexibility to combine blocks. There exists only one \(\sigma \in G\) corresponding to such a decomposition which is the identity permutation, so the corresponding probability is 1 / |G|.
Example 6
If f(X) is the nth cyclotomic polynomial then its Galois group G has \(d = \phi (n)\) elements and it always splits into irreducible factors of the same degree, i.e. its decomposition type modulo \(t_i\) is always \((d', \dots , d')\) where \(d'\) is the order of \(t_i\) modulo n; here we implicitly assume that \(\gcd (t_i,n) = 1\). Let us take \(f(X) = X^{2^k} + 1\). Its Galois group is isomorphic to \(\mathbb {Z}_{2^{k+1}}^\times \) or to the direct product of two cyclic groups \(C_2 \times C_{2^{k-1}}\). It contains \(2^k\) elements with orders shown in the following table:
ord | 1 | 2 | 4 | \(\dots \) | \(2^{k-1}\) |
\(\#\{a \in \mathbb {Z}_{2^{k+1}}^\times \}\) | 1 | 3 | 4 | \(\dots \) | \(2^{k-1}\) |
This implies that f splits into \(2^{k'}\) irreducible factors of degree \(2^{k-k'}\) modulo a random \(t_i\) with probability \(2^{-k'}\), for any \(k' \in \{1,\dots , k-2, k-1 \}\).
In the classical example of a homomorphic application a client encrypts his data and sends it to a third party to perform calculations. Since encryption and decryption are done only on the client side, he therefore has the possibility to tweak the plaintext modulus without re-generation of keys as long as the evaluation (or linearization) key does not depend on t. It is important to note that the plaintext modulus does not affect the security level of an SHE scheme but it does affect the decryption correctness. Hence, t should fit the upper bound \(t_{\mathcal {C}}^{\max }\) introduced by the noise growth inside ciphertexts. As a result, one can exploit the same technique as above to find \(R_t\) with the most useful decomposition.
Block Set. Recall that the plaintext space can be thought of as a set of bricks \(\mathcal {P}\). Every block is then a subset of \(\mathcal {P}\). The packing problem consists in finding a partition of \(\mathcal {P}\) with the maximal number of blocks where each one satisfies Theorem 1. It is clear that the partition search is highly dependent on the data values and the arithmetic operations being performed homomorphically. Therefore the same plaintext space can be used differently for various applications as shown in Fig. 9. If \(r = \sum _{i=1}^s r_i\) is the cardinality of \(\mathcal {P}\) then the total number of partitions is equal to the r-th Bell number \(B_r\). That number grows exponentially (see [17]) while r is increasing according to
As a result a system designer has a lot of flexibility to play with the plaintext space partitions to fit data into some block structure. Obviously, the maximal number of blocks cannot be bigger than r, in which case the blocks are just the singletons \(\{ R_{i,j} \}\). A plaintext space with many CRT factors is usually easier to handle because it is more flexible for block constructions.
If one does not find a satisfying partition of all of \(\mathcal {P}\), it is of course also possible to leave a couple of bricks unused by packing zeros in them (or even random values).
Encoding Base. Representing data using Laurent polynomials requires a numerical base b which can be a real or a complex number. The size of b affects the length of a representation as well as the size of its coefficients.
In [3] it was shown that non-integral bases taken from the interval (1, 2) have a simple greedy algorithm that, given a real number, produces a base-b expansion with a ternary set of coefficients. This procedure has the property that smaller bases lead to sparser representations and thus smaller coefficient growth but longer expansions. To illustrate this we resort again to the box representation of a Laurent polynomial (Fig. 10).
As a result, by changing the encoding base one could play a trade-off game between degree and coefficient size such that the number of plaintexts fitting a block structure is maximal. Furthermore, each block allows to encode data in a different base because neither Algorithm 1 nor Algorithm 2 depends on the choice of b.
Example 7
To illustrate the aforementioned techniques we revisit a medical application of the YASHE homomorphic encryption scheme [4] given in [5]. In this paper the standard logistic function is homomorphically computed to predict the probability of having a heart attack. The algorithm is divided into two steps.
Step 1. One computes the following weighted sum of six encrypted predictive variables
where each \(z_i \in [0,400]\). The multiplicative depth of the corresponding circuit is 1. For this step we take the same YASHE parameters as in [5], i.e. \(q \simeq 2^{128}\) and \(f(X) = X^{4096} + 1\). Given these parameters we derive \(t_{\max }^\mathcal {C}= 2097152 \simeq 2^{21}\) using [4, Lem. 9]. Running over all primes less than \(t_{\max }^{\mathcal {C}}\) we find that modulo \(t_1 = 257\) and modulo \(t_2 = 3583\) our polynomial f(X) can be written as a product of 128 coprime factors of degree 32. With \(t = t_1\) the conventional SIMD technique allows then to pack at most 128 values into one plaintext. This capacity can be achieved with base-3 balanced ternary expansions that result in an output bounding box of size \((29, \log _2 53)\). However, our approach supports \(t = t_1 \cdot t_2\) so one can pack 256 values using the same encoding method.
Step 2. The output of Step 1 is decrypted, decoded to a real number and encoded again to a plaintext. This ‘refreshed’ encoding is then encrypted and given as input to the following approximation of the logistic function
In this step the multiplicative depth is 3, \(q \simeq 2^{512}\) and \(f(X) = X^{16384} + 1\). These parameters lead to \(t_{\max }^\mathcal {C}\simeq 2^{50}\). Using the previous SIMD technique the maximal plaintext capacity can be achieved with the plaintext modulus \(t \simeq 2^{30.54}\) and base-3 balanced ternary encoding. In this case f(X) splits into 8192 quadratic factors and the output bounding box is of size (229, 29.54). We can thus compose 71 blocks with 115 slots and one block with the remaining slots. As a result, one plaintext can contain at most 71 values.
This capacity can be increased with our SIM\(^2\)D technique. In particular, one can notice that the ratio between \(t_{\max }^\mathcal {C}\) and the previously mentioned modulus t is around \(2^{19.46}\), which implies some part of the plaintext space remains unfilled. We can fill that space setting the plaintext modulus to \(t_1 \cdot t_2\) with \(t_1 \simeq 2^{30.54}\) and \(t_2 = 675071 \simeq 2^{19.36}\). The polynomial f(X) splits into 128 factors of degree 128 modulo \(t_2\). To fit the modulus \(t_2\) we encoded real values with the non-integral base \(b=1.16391\) and obtained the output bounding box (1684, 19.36). Therefore one block should consist of 14 slots, and we can construct 9 such blocks. As a result, we can combine these blocks with the 71 blocks given by the old SIMD technique, which results in a total plaintext capacity of 80 values.
7 Conclusion
In this paper we presented two techniques that make SIMD operations in the setting of homomorphic encryption more flexible and efficient. Our first technique showed how data values that are naturally represented as Laurent polynomials can be encoded into a plaintext space of the form \(\mathbb {Z}_t[X]/(\overline{f}(X))\). Furthermore, we also provided sufficient conditions for correct decoding after evaluation of an arithmetic circuit. Our second technique relied on a fine-grained CRT decomposition of the plaintext space resulting in a much denser and thus more efficient data packing compared to the state of the art. Finally, we provided guidelines on how to choose system parameters in order to find the most efficient packing strategy for a particular task.
Notes
- 1.
A recent adaptation of the FV scheme due to Chen et al. [10] uses as plaintext modulus a linear polynomial \(x-a\) instead of an integer t. The resulting plaintext space \(R_{x-a} = \mathbb {Z}[X]/(X^n + 1, x - a) \cong \mathbb {Z}/(a^n + 1)\) has various nice features, both in terms of noise growth and in terms of packing capacity. However, the algebraic structure of \(R_{x-a}\) becomes more restrictive for CRT decomposition, so rings of this type will not be considered in this paper.
References
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Benhamouda, F.., Lepoint, T., Mathieu, C., Zhou, H.: Optimization of bootstrapping in circuits. In: Klein, P.N. (ed.) Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 2423–2433. ACM-SIAM (2017)
Bonte, C., Bootland, C., Bos, J.W., Castryck, W., Iliashenko, I., Vercauteren, F.: Faster homomorphic function evaluation using non-integral base encoding. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 579–600. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_28
Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 45–64. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45239-0_4
Bos, J.W., Lauter, K.E., Naehrig, M.: Private predictive analysis on encrypted medical data. J. Biomed. Inform. 50, 234–243 (2014)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) Proceedings of the 3rd Innovations in Theoretical Computer Science Conference ITCS 2012, pp. 309–325. ACM (2012)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.), Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science FOCS, pp. 97–106. IEEE Computer Society Press (2011)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Chen, H., Laine, K., Player, R., Xia, Y.: High-precision arithmetic in homomorphic encryption. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808. Springer, Heidelberg (2018). To appear
Cheon, J.H., Han, K., Kim, D.: Faster bootstrapping of FHE over the integers. Cryptology ePrint Archive, Report 2017/079 (2017). http://eprint.iacr.org/2017/079
Cheon, J.H., Jeong, J., Lee, J., Lee, K.: Privacy-preserving computations of predictive medical models with minimax approximation and non-adjacent form. In: Brenner, M., Rohloff, K., Bonneau, J., Miller, A., Ryan, P.Y.A., Teague, V., Bracciali, A., Sala, M., Pintore, F., Jakobsson, M. (eds.) FC 2017. LNCS, vol. 10323, pp. 53–74. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_4
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1
Costache, A., Smart, N.P., Vivek, S.: Faster homomorphic evaluation of discrete fourier transforms. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 517–529. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_29
Costache, A., Smart, N.P., Vivek, S., Waller, A.: Fixed-Point Arithmetic in SHE Schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 401–422. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_22
CryptoExperts. FV-NFLlib (2016). https://github.com/CryptoExperts/FV-NFLlib
Bruijn, N.G.D.: Asymptotic methods in analysis. Dover, New York (1958)
Dowlin, N., Gilad-Bachrach, R., Laine, K., Lauter, K.E., Naehrig, M., Wernsing, J.: Manual for using homomorphic encryption for bioinformatics. Proc. IEEE 105(3), 552–567 (2017)
Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). http://eprint.iacr.org/2012/144
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM Symposium on Theory of Computing STOC, pp. 169–178. ACM Press (2009)
Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_28
Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_28
Huang, Z., Jalali, A., Chen, H., Han, K., Laine, K.: Simple encrypted arithmetic library – SEAL (v2.3). Technical report, Technical report, Microsoft Research (2017)
Naehrig, M., Lauter, K.E., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: Cachin, C., Ristenpart, T., (eds.) Proceedings of the 3rd ACM Cloud Computing Security Workshop, CCSW 2011, pp. 113–124. ACM (2011)
Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. Found. Secure Comput. 4(11), 169–180 (1978)
Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Des. Codes Crypt. 71(1), 57–81 (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
Castryck, W., Iliashenko, I., Vercauteren, F. (2018). Homomorphic SIM\(^2\)D Operations: Single Instruction Much More Data. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018. EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10820. Springer, Cham. https://doi.org/10.1007/978-3-319-78381-9_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-78381-9_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78380-2
Online ISBN: 978-3-319-78381-9
eBook Packages: Computer ScienceComputer Science (R0)