This document discusses Ring-Learning With Errors (Ring-LWE) and its application to fully homomorphic encryption schemes. Specifically, it covers Ring-LWE based cryptosystems, the leveled fully homomorphic encryption scheme of Brakerski, Vaikuntanathan and Gentry (BGV) as implemented in the HElib library, and example code demonstrations using HElib. Notations used include integers modulo q, polynomial rings, and cyclotomic polynomials.

1. Ring-­‐Learning
With
Errors
&
HElib
Wenjie
Lu(陸 文杰）
University
of
Tsukuba
riku@mdl.cs.tsukuba.ac.jp
1

2. Outline
1. Homomorphic
EncrypFon
&
Fully
Homomorphic
EncrypFon
(FHE)
2. Learning
With
Errors
(LWE)
&
Ring-­‐LWE
3. Ring-­‐LWE
based
FHE
operaFons:
KeyGen
etc.
4. HElib
1. BGV’s
leveled
FHE
scheme
2. OpFmizaFons
e.g.
modulo-­‐switch
in
HElib
3. Example
codes
5. Two
kind
of
packing
methods
&
example
codes
6. Some
other
rouFnes
in
HElib
&
example
codes
7. An
applicaFon
on
epidemiology
study
8. Misc.
includes
noise-­‐esFmaFon
&
parameters
decision
in
HElib
2

3. Privacy
Preserving
CompuFng
3
Secure
MulF-­‐parFes
CompuFng
Secure
Outsourcing Homomorphic
Encryp-on

4. Homomorphic
EncrypFon
• AddiFve
Hom.
EncrypFon,
e.g.
Paillier
• MulFplicaFve
Hom.
EncrypFon,
e.g.
ElGamal
• Fully
Homomorphic
EncrypFon
SaFsfies
both
addiFve
and
mulFplicaFve
4

5. Fully
homomorphic
encrypFon
• Breakthrough
by
Gentry
in
2009
• Main
idea:
1. First
build
a
somewhat
homomorphic
encrypFon
2. Then
apply
bootstrapping
to
achieve
FHE
• Common
facts
of
the
current
FHE
schemes
1. Noise
grows
with
operaFons
2. MulFplicaFon
yields
the
most
noise
3. DecrypFon
will
fail
with
too
large
noise
5
[A
fully
homomorphic
encrypFon
scheme
Gentry
2009]

6. Ring-­‐learning
With
Errors
based
FHE
• RLWE
schemes:
The
most
efficient
schemes
for
now.
• Different
kinds
of
RLWE
based
FHE
1. BGV’s
leveled
scheme
(implemented
by
HElib)
2. Brakerski,
Scale-­‐invariant
scheme
3. ……
6
[(Leveled)
fully
homomorphic
encrypFon
without
bootstrapping]
Brakerski,
Gentry,
Vaikuntanathan
2012
[Fully
Homomorphic
Encryp-on
without
Modulus
Switching
from
Classical
GapSVP]
Brakerski,2012

7. Nota-ons
7
•
:
Integer
modulo
q
•
:
Vectors
consists
of
n
integer
modulo
q
•
:
uniformly
sample
from
•
:
set
of
polynomials
• F(x)
a
polynomial,
:
a
quoFent
set
• Cyclotomic
polynomial:

8. Nota-ons
8
•
:
Integer
modulo
q
•
:
Vectors
consists
of
n
integer
modulo
q
•
:
uniformly
sample
from
•
:
set
of
polynomials
• F(x)
a
polynomial,
:
a
quoFent
set
• Cyclotomic
polynomial:
x 1 ⌘ 6x + 6 mod 7

9. Nota-ons
9
•
:
Integer
modulo
q
•
:
Vectors
consists
of
n
integer
modulo
q
•
:
uniformly
sample
from
•
:
set
of
polynomials
• F(x)
a
polynomial,
:
a
quoFent
set
• Cyclotomic
polynomial:

10. Nota-ons
10
•
:
Integer
modulo
q
•
:
Vectors
consists
of
n
integer
modulo
q
•
:
uniformly
sample
from
•
:
set
of
polynomials
• F(x)
a
polynomial,
:
a
quoFent
set
• Cyclotomic
polynomial:
Cyclotomic
polynomial:
Some
“prime”
polynomial

11. Learning
With
Errors
• LWE-­‐AssumpFon
• Ring-­‐LWE:
use
a
polynomial
ring
instead
11
[On
lajces,
learning
with
errors,
random.
Regev
2005
]

12. Learning
With
Errors
• LWE-­‐AssumpFon
• Ring-­‐LWE:
use
a
polynomial
ring
instead
12
[On
lajces,
learning
with
errors,
random.
Regev
2005
]

13. Learning
With
Errors
• LWE-­‐AssumpFon
• Ring-­‐LWE:
use
a
polynomial
ring
instead
13
[On
lajces,
learning
with
errors,
random.
Regev
2005
]

14. Add.
&
Mul.
On
14
(i.e.
n
is
power
of
2)

15. Paremeters
in
RLWE-­‐based
scheme
15
(default
3.2)
Security
parameter
The
stand
deviaFon
of
the
discrete
Gaussian
distribuFon

16. Message
Space
&
Ciphertext
Space
• Message
Space:
polynomial
quoFent
ring
• Ciphertex
Space
16
Coefficients
modulo
p
Polynomial
modulo
Coefficients
modulo
q
Polynomial
modulo

17. Basic
EncrypFon
Scheme
OperaFons
• KeyGeneraFon
17
[Can
Homomorphic
Encryp-on
be
Prac-cal?
K.
Lauter
et
al.
2011]

18. Basic
EncrypFon
Scheme
OperaFons
• EncrypFon
• DecrypFon
18
addi-ons,
mul-plica-ons
over
polynomial
ring.

19. Homomorphic
OperaFons
• AddiFon
• MulFplicaFon
The
size
of
ciphertext
increases!
19

20. HElib
• Purely
wrimen
in
C++
• Implements
the
BGV-­‐type
encrypFon
scheme
• Supports
opFmazaFons
such
as:
reLinearazaFon,
bootstapping,
packing
• Supports
mulFthread
from
this
March
20
[hmps://github.com/shaih/Helib]

21. Architecture
of
HElib
PAlgebra
Structure of Zm*, §2.4
PAlgebraMod
plaintext-slot algebra, §2.5
NumbTh
miscellaneous
utilities, §2.2
CModulus
polynomials mod p, §2.3
Math
DoubleCRT
polynomial arithmetic, §2.8
FHE
KeyGen/Enc/Dec, §3.2
Ctxt
Ciphertext operations, §3.1
Crypto
EncryptedArray
Routing plaintext slots, §4.1
IndexSet/IndexMap
Indexing utilities, §2.6
FHEcontext
parameters,§2.7
bluestein
FFT/IFFT, §2.3
timing
§2.1
KeySwitching
Matrices for key-switching, §3.3
21*
Reference
from
the
HElib
design
document

22. Leveled
homomorphic
encrypFon
The
BGV-­‐type
scheme
is
a
leveled
homomorphic
encrypFon
scheme
• What
is
levels?
– The
ciphertext
space
is
not
fixed.
• Why
need
levels
?
– Bootstrapping
is
too
too
heavy
– To
somehow
reduce
the
noise
inside
ciphertexts
• When
to
change
the
level?
– Majorly
arer
ciphertexts
mulFplicaFon
22
L1
L2
L3
L4
[(Leveled)
fully
homomorphic
encrypFon
without
bootstrapping]
Brakerski,
Gentry,
Vaikuntanathan
2012

23. Parameters
of
the
Leveled
homomorphic
encrypFon
1. An
posi9ve
integer
L,
called
levels
2. A
prime
sequence
• The
ciphertext-­‐space
changes
level
by
level
• The
noise
inside
ciphertexts
can
reduce
by
• This
opera9on
called
Modulo-­‐switch
23
[(Leveled)
fully
homomorphic
encrypFon
without
bootstrapping]
Brakerski,
Gentry,
Vaikuntanathan
2012
One
mulFplicaFon

24. How
to
decide
the
levels?
• Majorly
depends
on
the
evaluaFon
funcFon
24
Need
at
least
2-­‐levels
1-­‐level
may
also
works
1-­‐level
may
not
works

25. reLinearizaFon
(Key
switching)
• What
is
relinearizaFon?
25
[Efficient
fully
homomorphic
encrypFon
from
LWE
Brakerski,
Vaikuntanathan,
2011]
The
dimension
of
ciphertext
increases!

26. reLinearizaFon
(Key
switching)
• Why
want
to
reLinearize
?
– To
reduce
the
overhead
in
ciphertext
mulFplicaFon
• Need
to
add
extra
informaFon
into
the
public
key
• Should
always
reLinearize
?
– Depends
on
the
mulFplicaFon
depth
26
[Efficient
fully
homomorphic
encrypFon
from
LWE
Brakerski,
Vaikuntanathan,
2011]

27. Sample
codes:
Setup
levels
To
add
extra
informaFon
for
reLinearizaFon
27
Line
6:
The
FHESecKey
class
was
designed
to
inherit
from
the
FHEPubKey
class

28. Sample
codes:
Enc/Dec/Mult
Line
2:
Plaintext
need
to
be
a
polynomial.
Line
7
&
9:
To
use
or
not
use
reLineraza-on
during
homomorphic
mul-plica-on
28
sk.Decrypt(plain,
ctxt);

29. Packing
What
is
packing
?
• To
pack
several
messages
into
one
ciphertext
Why
use
packing
?
1. To
reduce
the
numbers
of
ciphertext
2. To
amorFze
the
computaFon
Fme
Different
kinds
of
packing
• Pack
into
coefficients
• Pack
into
subfields
(so-­‐called
CRT-­‐based
packing)
29

30. I.
Pack
into
coefficients
• Example
Message
Space
• image
that
8
boxes
and
each
can
put
in
a
less
than
13^2
posiFve
integer.
1 2 3 4
30

31. I.
Pack
into
coefficients
• We
need
to
design
how
to
encode
our
data
into
a
useful
polynomial
form
Enc(
)
Enc(
)
Enc(
)
Just
the
mul-plica-on
between
polynomials!
mod
(13^2,
x^8
+
1)
31

32. Example:
Encoding
for
scalar
product
• Given
• If
we
make
two
polynomials
such
as
• But
• Change
a
limle
bit
32

33. Sample
codes:
Pack
into
Coefficients
3rd
coeff. 33

34. II.
Pack
into
subfields
• Not
put
into
each
coefficients
directly
• UFlize
the
Chinese
Reminder
Theorem
A
number
p
can
be
factorized
into
prime
factors
Consider
the
CRT
in
the
integer
field
We
have
the
isomorphism
from
CRT
34

35. II.
Pack
into
subfields
• Not
put
into
each
coefficients
directly
• UFlize
the
Chinese
Reminder
Theorem
A
number
p
can
be
factorized
into
prime
factors
Consider
the
CRT
in
the
integer
field
We
have
the
isomorphism
from
CRT
35

36. II.
Pack
into
subfields
• Polynomial-­‐CRT
The
cyclotomic
polynomial
can
be
factorized
into
disFnct
l
irreducible
polynomials
For
each
irreducible
polynomial
called
slots
36
Euler
funcFon
(Some
“prime”
polynomial)

37. Example:
Component-­‐wise
OperaFons
• m
=
8,
p
=
17
• So
each
slot
hold
degree
0
polynomial
modulo
17.
37

38. Example:
Component-­‐wise
OperaFons
38
+ =
+ = mod
17
x
x = mod
17
=

39. Example:
“RotaFon”
OperaFon
39
On
field:
An
automorphism
Replace
2
ler-­‐rotated
!!

40. OperaFons
supported
by
HElib
• Component-­‐wise
(entry-­‐wise)
addiFon/mult.
• RotaFon
- Shir;
padding
with
0s
- Running
sums
- total
sums
40

41. Sample
codes
Codes
for
CRT-­‐packing
41

42. Sample
codes
for
other
HElib
rou-nes
42

43. Noise
EsFmaFon
• Ok
to
decrypt:
• Fresh
ciphertext:
• Modulus-­‐switch:
• reLineara9on:
• Ctxt-­‐plain
add.:
• Ctxt-­‐plain
mult.:
43
*
Reference
from
the
HElib
design
document

44. Noise
EsFmaFon
• Ctxt-­‐ctxt
add.:
• Ctxt-­‐ctxt
mult.:
• Rota9on:
1
ctxt-­‐plain
mult.,
1
ctxt-­‐plain
add.
• ShiP:
2
ctxt-­‐plain
mult.
44
*
Reference
from
the
HElib
design
document

45. 45
on
epidemiology
a A a
(expected) A(expected) Count
Case o1 o2 e1=n3n1/n e2=n4n1/n n1
Control o3 o4 e3=n3n2/n e4=n4n2/n n2
Count n3 n4 n
Applica-on
observed

46. 46
on
epidemiology
a A Count
Case o1 o2 n1
Control o3 o4 n2
Count n3 n4 n
Applica-on
Data:
[AA,
Aa,
aa,
Aa,
…..]
x=[
2
,
1,
0,
1,
…..]
Encoding
[case,
control,
case,
control,
….]
Encoding
y=[
1
,
0,
1,
0,
…..]

47. 47
on
epidemiology
a A Count
Case o1 o2 n1
Control o3 o4 n2
Count n3 n4 n
Applica-on
Data:
[AA,
Aa,
aa,
Aa,
…..]
x=[
2
,
1,
0,
1,
…..]
Encoding
[case,
control,
case,
control,
….]
Encoding
y=[
1
,
0,
1,
0,
…..]How
to
efficiently
compute
scalar
product??
Packing!

48. Misc:
Example
to
choose
parameters
• Problem:
To
calculate
chi-­‐square
test
• Main
computaFon:
scalar
product
of
integer
vectors
• Integer
vectors:
;
Data
set
size
1. Plaintext
space
parameters:
p,
r
2. Polynomial
parameter:
m
>
2000
to
pack
N
integers
3. Levels
parameter:
L
Pack
into
coefficient:
Only
need
1
mulF.
=>
L
=
1
Pack
into
subfields:
Need
1
mulF.
&
1
running
sums
=>
L
=
2
is
bemer
4.
Check
m
again
by
calling
FindM
48

49. Misc:
FindM()
&
the
number
of
slots
• HElib
providers
a
such
funcFon:
FindM(k,
L,
p,
m);
It
print
out
:
***
Bound
N=XXX,
choosing
m=YYY,
phi(m)=ZZZ
k-­‐bits
security
if
phi(m)
>=
N
• The
number
of
slots
is
defined
as:
49

50. Misc:
Example
to
choose
parameters
• Problem:
To
compute
the
product
of
matrix
and
vector
1. Plaintext
parameter:
p^r
>
8
2. #slot
>=
2
(pack
each
rows(columns))
3. Levels:
L
=
3
maybe
good
4.
m
is
decided
by
FindM()
according
to
L,
p,
#slots
50
2
1
1
0
2
2
6
6
2
2
1
0
0
1
6
2

51. Misc.:
Rules
of
thumb
• By
default,
only
use
half
of
the
machine
bits
for
levels
1. 32-­‐bits
pla}orm,
open
–DNOT_HALF_PRIME
flag
before
building
the
HElib
2. 64-­‐bits
pla}orm:
before
call
buildModChain()
• Plaintext
parameter
p^r
!=
2,
bemer
to
add
more
levels
[hmps://github.com/shaih/HElib/issues/52]
51

52. Misc.:
Install
HElib
• Install
NTL(Number
Theory
Library)
hmp://www.shoup.net/ntl/
• Install
GMP,
m3
library.
• Install
HElib
hmps://github.com/shaih/HElib
• To
use
mulFthread,
need
g++4.9(seems
not
works
on
Mac
OS
for
now)
52

53. References
• The
design
document
inside
the
HElib
repo.
• Fully
Homomorphic
SIMD
opera9ons.
N.P.Smart,
et.al
• Can
homomorphic
be
prac9cal?
K.
Lauter
et.
al
• Secure
Paern
Matching
using
Somewhat
homomorphic
encryp9on.
M.
Yasusa
et.
al
• Fully
Homomorphic
Encryp9on
without
Boostrapping.
Z.
Brakerski
et.
al
• Fully
Homomorphic
Encryp9on
with
Polylog
Overhead.
C.
Gentry
et
al.
53

54. Thank
you!
54