Hello, my name is Duhyeong Kim, and in this video I will talk about how to efficiently compute the comparison operation in homomorphic encryption. This is joint work with Professor Jung Hee Cheon and Dr. Dongwoo Kim.

Let me start with a brief introduction to homomorphic encryption and the motivation of our work. In this work, we propose complexity-optimal homomorphic comparison methods for word-wise homomorphic encryption schemes. This is a follow-up study of our previous work presented at Asiacrypt last year. In the previous work, we only achieved a quasi-optimal solution for homomorphic comparison, and it was still quite impractical. In this work, we overcome these weaknesses. First, we finally achieve the optimal complexity, where complexity means the number of homomorphic multiplications. Second, our method now shows quite nice performance in practice: in terms of amortized running time, it is comparable to bit-wise homomorphic comparison, which has been the most natural and efficient way so far. From a mathematical perspective, our work can also be viewed as a new framework, composite polynomial approximation, for the sign function, and it has the potential to be applied to more general functions.

Homomorphic encryption is a cryptosystem that allows computation on encrypted data without any decryption process. In theory, once we encrypt data with homomorphic encryption, we can carry out any computation or analysis in the real world without knowing the data itself, which ensures data privacy. For example, one of the most recognized applications of homomorphic encryption is machine learning. At a high level, machine learning generates a model from training data and then uses the model in an inference or prediction phase. Without any privacy-preserving method, an attacker can intrude at any stage of this pipeline and take the data, which can be very sensitive and private, such as genomic, health, or financial data. However, when we encrypt the training data with homomorphic encryption, since we can do any computation in the encrypted state, we can still learn the model and run the prediction phase, while the attacker cannot learn even partial information about the data, because the data is encrypted.

From this perspective, one may think homomorphic encryption is a perfect solution for the privacy concerns in real-world applications and might say: let's encrypt everything with homomorphic encryption, and we are done. We hope so, but there is always a gap between theory and practice. We can point out various limitations of current homomorphic encryption from different perspectives, but one of the most troublesome is the computational inefficiency due to the restricted set of basic operations. There are two big encryption approaches in homomorphic encryption: the word-wise approach and the bit-wise approach. The word-wise approach encrypts the message as a whole, while the bit-wise approach decomposes the message and encrypts each bit separately. The word-wise approach natively supports addition and multiplication, so it is good at polynomial evaluation but not at logical operations, including comparison. The bit-wise approach, on the other hand, natively supports logical operations but is not good at polynomial evaluation, because polynomials have to be expressed as a set of logical operations.
So in this talk, we focus on making up for the weakness of the word-wise approach, with the goal that the word-wise approach stays efficient even when both polynomial evaluations and logical operations are required, which is the usual situation in real-world computations.

Now let's imagine that we only have two tools, addition and multiplication, that is, polynomial evaluation. How can we then evaluate non-polynomial functions, including comparison? Since all we can do is polynomial evaluation, it is quite natural to think of polynomial approximation of the non-polynomial functions. For polynomial approximation we already know a number of general methods from the numerical analysis literature, such as Taylor approximation, least-squares approximation, minimax approximation, Chebyshev approximation, and so on. So one may think it would be enough to apply these well-known methods. Theoretically yes, but these methods do not satisfy us in terms of efficiency and practicality.

In detail, what are the exact limitations of these general polynomial approximation methods? These methods commonly aim to find the relation between the degree and the error bound; in other words, they output the minimal-degree polynomial within a certain error bound under some predetermined error measure. However, the number of multiplications, which we call the complexity in this talk, is also a very important factor, and it is actually more critical in homomorphic encryption, since homomorphic computation carries a large overhead compared to computation in the plain state. From this perspective, we came to the following natural question: can we find a new polynomial approximation method for the sign function with minimal complexity, rather than minimal degree? This was the starting point of our work.

Now let me talk about the high-level idea of our work. We actually share the same high-level idea as our previous work: use a structured polynomial for the polynomial approximation. What this means is the following. When we want to evaluate an unstructured polynomial, meaning we know nothing about it other than its degree, it requires at least about square-root-of-the-degree multiplications, and this lower bound leads to an exponential computational complexity with respect to the number of output precision bits. However, when we use a structured polynomial, for example a composite polynomial, we can expect it to require only log-of-the-degree multiplications (a small sketch of this counting argument appears right after this part). That means, if we can approximate a non-polynomial function by a structured polynomial instead of an unstructured one, then even if the degree gets somewhat larger, we can expect a much smaller complexity. The main difference between the previous work and this work is that the previous work finds such a structured polynomial from existing algorithms in numerical analysis, while here we design such a structured polynomial ourselves by capturing some core properties from a mathematical perspective.

Now let's go into some more details of our work. The core idea actually came from an observation and reinterpretation of the previous work, namely that a composite polynomial can be interpreted as an iterative algorithm from an algorithmic perspective. The main idea of the previous work was to express the comparison function as a rational function approximation and then apply the well-known iterative algorithms for division.
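To make the structured-versus-unstructured counting concrete, here is a minimal plain-Python sketch. It is my own illustration, not code from the paper: it composes the degree-2 Chebyshev polynomial T2(x) = 2x^2 - 1 with itself d times, which evaluates T_{2^d}, a polynomial of degree 2^d, using only d multiplications, whereas an unstructured polynomial of that degree would need on the order of sqrt(2^d) multiplications.

```python
import math

def compose_T2(x, d):
    """Evaluate the d-fold composition of T2(x) = 2*x*x - 1.
    On [-1, 1] this equals the Chebyshev polynomial T_{2**d}(x),
    yet it costs only d multiplications (one per composition step)."""
    for _ in range(d):
        x = 2 * x * x - 1
    return x

if __name__ == "__main__":
    x = 0.3
    for d in (1, 3, 5, 10):
        degree = 2 ** d
        mults_structured = d                      # one multiplication per step
        mults_unstructured = math.isqrt(degree)   # ~sqrt(degree) multiplications
        reference = math.cos(degree * math.acos(x))   # T_n(x) = cos(n*arccos(x))
        print(f"degree={degree:5d}  composed={compose_T2(x, d):+.6f}  "
              f"reference={reference:+.6f}  "
              f"mults: {mults_structured} vs ~{mults_unstructured}")
```

The same counting is what makes a composite approximant of the sign function attractive, as the rest of the talk develops.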
More precisely, in the previous work the rational function in the red box was evaluated by iterative computation of a^2 / (a^2 + b^2), which we may call a kind of squaring-and-normalization process. In this work, we tried to reinterpret that iterative algorithm from the perspective of polynomial composition rather than as an iterative algorithm. That is, the squaring-and-normalization step can be regarded as an evaluation of the rational function f0 defined as f0(x) = x^2 / (x^2 + (1 - x)^2). The algorithm is then simply the repeated composition of f0, and we can rephrase the goal of this approach as: compose the function f0 with itself until it gets close to the step function.

Here is the graph of the f0 compositions. The red line is f0, which is somewhat symmetric and is a kind of wavy function with some concavity and convexity in each part of the interval. The green line is the 2-fold composition of f0, and the purple line is the 3-fold composition of f0. You can see that the function gets closer to the step function as the number of compositions increases. After looking at this graph, we realized that there is no reason for the basic function of the composition to be this particular rational function f0, which requires a very expensive division operation. Instead of the specific formula for f0, some other properties, for example symmetry and convexity and a few more, may be enough.

So we came to the following question: what are the core properties of f which make its composition get close to the sign function? Here we simply consider the sign function, because the step function described before, the sign function, and the comparison function are computationally equivalent; if we can compute one of them, we can also compute the others. From this observation, we tried to identify the core properties of the basic function f, as follows. I would like to note that since we are dealing with polynomial approximation, we must set a domain for the approximation, which is inevitable; for simplicity, we set the domain to be the interval [-1, 1], so we are looking for a polynomial approximation over [-1, 1].

The first core property is the symmetry (oddness), which is quite natural because the sign function also has this property. The second one is necessary to ensure pointwise convergence to the sign function: if f(1) is not equal to 1, then the composition of f will not converge to the sign function in the pointwise sense. The third one is optional; it accelerates the convergence by making the function f as flat as possible at plus and minus one. With these properties, the basic function f is uniquely determined for each degree 2n+1 by the given closed formula, which we denote by fn.

This is the graph of the compositions of fn. As you can see in the left graph, since f3 has a larger degree than f1, the f3 polynomial is flatter than f1 at the points plus and minus one, which means the composition of f3 converges much faster than that of f1. In the right graph, we can check that the function gets closer to the sign function as the number of compositions increases. You can see that this graph looks very similar to the graph on the previous slide for the composition of f0.
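As an aside, here is a small plain-Python sketch of this fn family and its composition; it is my own illustration, using the closed form fn(x) = sum_{i=0}^{n} (1/4^i) * C(2i, i) * x * (1 - x^2)^i, which, as far as I can tell, is the formula from the paper (for instance f1(x) = (3x - x^3)/2). The script checks the core properties numerically and shows the composition pushing a small input toward +1.

```python
from math import comb

def f_n(n, x):
    """f_n(x) = sum_{i=0}^{n} (1/4^i) * C(2i, i) * x * (1 - x^2)^i,
    an odd polynomial of degree 2n+1; f_1(x) = (3x - x^3)/2."""
    return sum(comb(2 * i, i) / 4 ** i * x * (1 - x * x) ** i for i in range(n + 1))

def compose_f(n, x, d):
    """d-fold composition f_n(f_n(...f_n(x)...))."""
    for _ in range(d):
        x = f_n(n, x)
    return x

if __name__ == "__main__":
    # Core properties, checked numerically for f_2:
    assert abs(f_n(2, 0.4) + f_n(2, -0.4)) < 1e-12   # property 1: oddness
    assert abs(f_n(2, 1.0) - 1.0) < 1e-12            # property 2: f_n(1) = 1
    h = 1e-4                                         # property 3: flat at x = 1
    assert abs(f_n(2, 1.0) - f_n(2, 1.0 - h)) < 1e-7

    # The composition approaches sign(x): a small input 0.05 is pushed toward +1.
    for d in (1, 3, 6, 10):
        print(f"d={d:2d}  f_1^{{(d)}}(0.05)={compose_f(1, 0.05, d):+.6f}  "
              f"f_3^{{(d)}}(0.05)={compose_f(3, 0.05, d):+.6f}")
```

In an actual homomorphic evaluation the same arithmetic would be carried out on ciphertexts, since only additions and multiplications are involved.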
But the main difference is that our fn polynomials are actual polynomials, carefully devised from several core properties, while the f0 of the previous work is a rational function which just came out of an existing formula and algorithm, and its evaluation is quite expensive because of the division process.

This is the theorem for the convergence of the composition of fn to the sign function. It says that if the number of compositions is larger than some value, then we can theoretically guarantee that the composition of fn is very close to the sign function under a measure parameterized by epsilon and alpha. In terms of epsilon and alpha, the goal of the fn composition is to map an input which may be as small as epsilon in absolute value to a value very close to plus or minus one, with alpha bits of precision.

One interesting point is that we can actually separate this goal into two different goals. The first goal is to raise an epsilon-size input just to a constant level, rather than all the way to plus or minus one; this first goal corresponds to the first red box. The second goal is to push that constant to within alpha bits of precision of plus or minus one; this corresponds to the second red box. After splitting the goal, we observed that several core properties of fn fit the second goal very well, but not the first. For example, core property 2 is for the pointwise convergence to plus or minus one, and core property 3 accelerates that convergence; however, the first goal, which only aims to raise an epsilon-size input to a constant level, does not need the convergence to plus or minus one at all, because that is the job of the second goal.

So our idea here is to construct another polynomial g devised only for the first goal, and to replace the pure composition of f by a mixed composition of g and f. We set a new core property 4, which I will not describe in this talk; we replaced core properties 2 and 3 of fn by this new core property 4 for the gn polynomials and successfully constructed them. For more details on the construction of the gn polynomials and their efficiency, please refer to our full paper.

This is the graph of the gn polynomials, and we can easily check that gn looks quite different from the previous fn polynomials. For example, gn is not flat at plus and minus one, but it is much steeper than fn at zero. So it performs much better for our first goal, but it cannot be used on its own for the second goal. The right-hand graph shows an example comparing the pure fn composition and the mixed composition of gn and fn, and it experimentally confirms that the mixed composition converges better than the pure composition of fn.

Now let me present some results of our work. From the concrete analysis, we showed that our new comparison algorithms achieve asymptotically optimal complexity among all polynomial evaluations that approximate the sign function within the same measure determined by epsilon and alpha. As you can see, our method has logarithmic complexity compared to the minimax approximation method, and it is also much smaller than that of the previous work. Our new comparison method also shows quite nice performance in practice. We implemented our method on the HEAAN library, which is an implementation of the approximate homomorphic encryption scheme CKKS.
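Before the concrete numbers, and since the sign, step, and comparison functions were noted above to be computationally equivalent, here is one more plain-Python sketch, my own mock-up with plaintext arithmetic standing in for homomorphic operations, of how an approximate sign evaluation turns into an approximate comparison via comp(a, b) = (sign(a - b) + 1) / 2. It assumes the inputs are normalized so that a - b lies in [-1, 1], and it uses only additions and multiplications, which is what a word-wise scheme such as CKKS provides natively.

```python
def f1(x):
    """Basic odd polynomial f_1(x) = (3x - x^3) / 2 (see the sketch above)."""
    return (3 * x - x ** 3) / 2

def approx_sign(x, d=12):
    """Approximate sign(x) on [-1, 1] by the d-fold composition of f_1,
    using only additions and multiplications."""
    for _ in range(d):
        x = f1(x)
    return x

def approx_comp(a, b, d=12):
    """Approximate comparison: ~1 if a > b, ~0 if a < b, exactly 1/2 if a == b.
    Assumes a - b has been scaled into [-1, 1] beforehand."""
    return (approx_sign(a - b, d) + 1) / 2

if __name__ == "__main__":
    print(approx_comp(0.7, 0.2))   # close to 1.0
    print(approx_comp(0.2, 0.7))   # close to 0.0
    print(approx_comp(0.5, 0.5))   # exactly 0.5
```

In the accelerated method described above, the gn polynomials would be composed first and the fn polynomials afterwards; this plaintext toy keeps only the fn part for simplicity.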
Coming back to the measured performance: as you can see, in terms of amortized running time, our accelerated method takes about one millisecond to compare 20-bit integers, which is comparable to the bit-wise comparison method based on TFHE. Even in terms of latency, while the previous method required more than 40 minutes to compare 20-bit integers with 20-bit (alpha) precision, our method requires only about one and a half minutes, which is about 30 times faster than the previous method.

Before the end of my talk, I would like to share some interesting further works and open questions in this line of work. First, as a follow-up study of this work, we believe it is very important to provide a strategy for the choice of n. Here n is the index of the fn and gn polynomials, the degree-(2n+1) polynomials we devised. In this talk, we introduced the family of polynomials fn and gn for each n, and their compositions achieve asymptotically optimal complexity for approximating the sign function, but we have not discussed which n is the best choice. This question is not simple, because the computational cost in HE is not determined purely by the number of multiplications but also by the depth of the target circuit, and the cost model cannot be uniquely defined and determined because it varies across situations and applications. So clarifying the cost model of HE and providing the best choice of n for each situation would be an important next step for this work.

Second, the analysis of our gn polynomials actually includes some heuristic parts in proving the convergence rate of the mixed composition of gn and fn to the sign function, so making that analysis rigorous is another open question.

Lastly, we believe the following open question would be a very worthwhile and interesting topic. In the current state, regardless of the choice of HE scheme, we are able to do both polynomial evaluation and the comparison operation, setting efficiency aside. However, one fundamental limitation is that some operations are built on top of the other basic operations, so they cannot be as efficient as we would like. For example, in word-wise HE schemes, as in our work, we achieve homomorphic comparison through polynomial evaluation, and in bit-wise HE schemes, homomorphic polynomial evaluation is achieved by assembling logical gate operations. I think it would be a very big step if we could get out of this framework. Proposing a new comparison algorithm outside the polynomial-representation framework would be one option, and the other option would be to construct a totally new HE scheme which supports both polynomial and logical operations as basic operations.

This is the end of my talk. Thank you for listening and watching.