HEAAN explained

HEAAN
Developer:Cryptography LAB in Seoul National University
Programming Language:C++
Genre:Homomorphic encryption
License:CC BY-NC 3.0

HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS).[1] The first version of HEAAN was published on GitHub[2] on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm[3] was released.Currently, the latest version is Version 2.1.

CKKS plaintext space

Unlike other HE schemes, the CKKS scheme supports approximate arithmetics over complex numbers (hence, real numbers). More precisely, the plaintext space of the CKKS scheme is

Cn/2

for some power-of-two integer

n

. To deal with the complex plaintext vector efficiently, Cheon et al. proposed plaintext encoding/decoding methods which exploits a ring isomorphism

\phi:R[X]/(Xn+1)Cn/2

.

Encoding method

Given a plaintext vector

\vecz=(z1,z2,...,zn/2)\inCn/2

and a scaling factor

\Delta>1

, the plaintext vector is encoded as a polynomial

m(X)\inR:=Z[X]/(Xn+1)

by computing

m(X)=\lfloor\Delta\phi-1(\vecz)\rceil\inR

where

\lfloor\rceil

denotes the coefficient-wise rounding function.

Decoding method

Given a message polynomial

m(X)\inR

and a scaling factor

\Delta>1

, the message polynomial is decoded to a complex vector

\vecz\inCn/2

by computing

\vecz=\Delta-1\phi(m(X))\inCn/2

.

Here the scaling factor

\Delta>1

enables us to control the encoding/decoding error which is occurred by the rounding process. Namely, one can obtain the approximate equation

Dcd(Ecd(\vecz;\Delta);\Delta)\vecz

by controlling

\Delta

where

Ecd

and

Dcd

denote the encoding and decoding algorithm, respectively.

From the ring-isomorphic property of the mapping

\phi:R[X]/(Xn+1)Cn/2

, for

m1=Ecd(\vecz1;\Delta)

and

m2=Ecd(\vecz2;\Delta)

, the following hold:

Dcd(m1+m2;\Delta)\vecz1+\vecz2

,

Dcd(m1 ⋅ m2;\Delta)\vecz1\circ\vecz2

,

where

\circ

denotes the Hadamard product of the same-length vectors.These properties guarantee the approximate correctness of the computations in the encoded state when the scaling factor

\Delta

is chosen appropriately.

Algorithms

The CKKS scheme basically consists of those algorithms: key Generation, encryption, decryption, homomorphic addition and multiplication, and rescaling. For a positive integer

q

, let

Rq:=R/qR

be the quotient ring of

R

modulo

q

. Let

\chis

,

\chir

and

\chie

be distributions over

R

which output polynomials with small coefficients. These distributions, the initial modulus

Q

, and the ring dimension

n

are predetermined before the key generation phase.

Key generation

The key generation algorithm is following:

s\leftarrow\chis

.

a

(resp.

a'

) uniform randomly from

RQ

(resp.

RPQ

), and

e,e'\leftarrow\chie

.

sk\leftarrow(1,s)\in

2
R
Q
, a public key

pk\leftarrow(b=-as+e,a)\in

2
R
Q

, and an evaluation key

evk\leftarrow(b'=-a's+e'+Ps2,a')\in

2
R
PQ
.

Encryption

The encryption algorithm is following:

r\leftarrow\chir

.

m\inR

, output a ciphertext

ct\leftarrow(c0=rb+e0+m,c1=ra+e1)\in

2
R
Q
.

Decryption

The decryption algorithm is following:

ct\in

2
R
q

, output a message

m'\leftarrow\langlect,sk\rangle

(modq)

.

The decryption outputs an approximate value of the original message, i.e.,

Dec(sk,Enc(pk,m))m

, and the approximation error is determined by the choice of distributions

\chis,\chie,\chir

. When considering homomorphic operations, the evaluation errors are also included in the approximation error. Basic homomorphic operations, addition and multiplication, are done as follows.

Homomorphic addition

The homomorphic addition algorithm is following:

ct

and

ct'

in
2
R
q
, output

ctadd\leftarrowct+ct'\in

2
R
q
.

The correctness holds as

Dec(sk,ctadd)Dec(sk,ct)+Dec(sk,ct')

.

Homomorphic multiplication

The homomorphic multiplication algorithm is following:

ct=(c0,c1)

and

ct'=(c0',c1')

in
2
R
q
, compute

(d0,d1,d2)=(c0c0',c0c1'+c1c0',c1c1')

(modq)

. Output

ctmult\leftarrow(d0,d1)+\lfloorP-1d2evk\rceil\in

2
R
q
.

The correctness holds as

Dec(sk,ctmult)Dec(sk,ct)Dec(sk,ct')

.

Note that the approximation error (on the message) exponentially grows up on the number of homomorphic multiplications. To overcome this problem, most of HE schemes usually use a modulus-switching technique which was introduced by Brakerski, Gentry and Vaikuntanathan.[4] In case of HEAAN, the modulus-switching procedure is called rescaling. The Rescaling algorithm is very simple compared to Brakerski-Gentry-Vaikuntanathan's original algorithm.Applying the rescaling algorithm after a homomomorphic multiplication, the approximation error grows linearly, not exponentially.

Rescaling

The rescaling algorithm is following:

ct\in

2
R
q
and a new modulus

q'<q

, output a rescaled ciphertext

ctrs\leftarrow\lfloor(q'/q)ct\rceil\in

2
R
q'
.

The total procedure of the CKKS scheme is as following: Each plaintext vector

\vecz

which consists of complex (or real) numbers is firstly encoded as a polynomial

m(X)\inR

by the encoding method, and then encrypted as a ciphertext

ct\in

2
R
q
. After several homomorphic operations, the resulting ciphertext is decrypted as a polynomial

m'(X)\inR

and then decoded as a plaintext vector

\vecz'

which is the final output.

Security

The IND-CPA security of the CKKS scheme is based on the hardness assumption of the ring learning with errors (RLWE) problem, the ring variant of very promising lattice-based hard problem Learning with errors (LWE).Currently the best known attacks for RLWE over a power-of-two cyclotomic ring are general LWE attacks such as dual attack and primal attack.The bit security of the CKKS scheme based on known attacks was estimated by Albrecht's LWE estimator.[5]

Library

Version 1.0, 1.1 and 2.1 have been released so far. Version 1.0 is the first implementation of the CKKS scheme without bootstrapping.In the second version, the bootstrapping algorithm was attached so that users are able to address large-scale homomorphic computations.In Version 2.1, currently the latest version, the multiplication of ring elements in

Rq

was accelerated by utilizing fast Fourier transform (FFT)-optimized number theoretic transform (NTT) implementation.

Notes and References

  1. Cheon . Jung Hee . Kim . Andrey . Kim . Miran . Song . Yongsoo . Homomorphic encryption for arithmetic of approximate numbers . Springer, Cham . ASIACRYPT 2017 . 2017 . Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017 . 409–437. 10.1007/978-3-319-70694-8_15 .
  2. Web site: An approximate HE library HEAAN. Andrey Kim. Kyoohyung Han. Miran Kim. Yongsoo Song. 15 May 2016.
  3. [Cheon Jung-hee|Jung Hee Cheon]
  4. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. In ITCS 2012
  5. Martin Albrecht. Security Estimates for the Learning with Errors Problem, https://bitbucket.org/malb/lwe-estimator

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "HEAAN".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.