 다음은 스팀사이퍼의 에피션의 FHE와 노이지이프틱스의 스튜디오입니다. 또한 패드릭, 미우, 앙토니, 전월, 프랑스와 사비의 스탠드, 클라웃, 칼리드, 그리고 미우, 패드릭, 피에릭, 아, 죄송합니다. 여러분 안녕하세요 전화해 주셔서 고맙습니다 이 전화에 대해 먼저 에피션트 FHE를 설명할 수 있겠습니다 그리고 저희는 에피션트 FHE를 디자인하고 에피션트 에피션트 에피션트에 전화해 주시기 바랍니다 먼저 애플리케이션을 얘기해 볼까요? 애플리케이션을 도전할 수 있을 것입니다 이 애플리케이션은 노하드에이스, 알리스 그건 많은 곳에서 많은 스마트폰, 스마트카드, 타블렛, Facebook, Twitter, etc. 그래서 많은 데이터를 구입하고 그리고 특별히 데이터를 구입하고 많은 데이터를 구입하고 모든 데이터를 구입하고 많은 데이터를 구입하고 전달적인 데이터를 구입하고 이 스토리지의 방법은 클로드가 사용됩니다. 클로드가 이 클로드 입니다. 이 클로드는 큰 스토리지와 큰 컴퓨터를 제공할 수 있습니다. 이 방법은 클로드와 컴퓨터를 제공할 수 있습니다. 하지만 클로드가λ듀서 아래에 있는 parameter to cloud. Cloud will do all the computation asked by Alice and with encrypted data without knowing the play takes itself. And then Alice will be able to decrypt the function of the data that she asked. So I will first explain what is the first framework of FHE, the theoretical one. So all the boxes like the gray boxes where is hank 이 방법은 이 분야의 기술의 기술을 말입니다. 이 분야의 기술을 말입니다. 이 분야의 기술을 평범한 것입니다. 이 분야의 기술을 평범한 것입니다. 예를 들어, 아이애스의 기술은 그룹이나 블랙을 입을 수 없죠. 그래서 이 기능을 없앨지, 예를 들어, 아티스트의 아티스트가 있습니다. 일단 아티스트는 지지하는 방식의 방식으로 클로드에 클로드는 아주 비싼 테크닉을 사용할 수 있습니다. 그는 부트라핑을 사용할 수 있습니다. 그리고 그는 이 결과의 엄마모픽 사인소텍을 사용할 수 있습니다. 그는 이 결과는 더 쉽게 할 수 있습니다. 그는 이 기능을 제공할 수 있습니다. 그리고 그는 FFM를 제공할 수 있습니다. 이 그런 프레임웍이 좋습니다. 이 방법은 엄마모픽의 기능을 fully achieve 이 방법을 사용할 수 있습니다. 그런데 이 방법은 연습을 안하는 것인데 도료로는 너무 오래 걸리는 것입니다. 그래서 이 방법은 오무우마픽의 도료로만 사용할 수 있습니다. 그래서 이 방법은 도료로만 사용할 수 있습니다. 그래서 이 방법은 도료로만 사용할 수 있습니다. 그리고 F가 높은 기간이 필요합니다. 이 방법은 좋지만 근데 아리스때는 적적 기준が 안되죠 아리스의 경우는 minions뿐 아니라 enomorphic encryption을 안하여 아주 큰 사이프트期간에 비교할 수 있습니다 이 방법을 아리스에서를 사용할 수 있습니다 그래서 아리스들은ignon, seymetric encryption을应으로 예를 들어, AES cocoon을 생각하고 이 단어로 seymetric 사이프트에 이 사이버틱을 제공하고, 그 로봇을 사용할 것입니다. 이 로봇은 알리스의 최소기의 정선을 사용할 수 있습니다. 그리고 이 로봇을 염원할 수 있습니다. 그 로봇은 염원할 수 있는 자체의 자체의 정선을 사용할 수 있습니다. 그래서 이 로봇은 에어여 수 있는 지적을 사용할 수 있습니다. 그리고 이 방식은 염몬픽 사이버틱을 사용할 수 있습니다. 그리고 그리고 프레임웍을 앞에서 따라서 따라서 이제 예를 들어, 모든 걸 다가가고 모든 걸 다가가고 그래서 이 프레임웍의 경험이 불편한 것에 대한 어떻게 사용할 수 있는 심의특급을 사용하는 것에 대한 어떻게 사용할 수 있는지 그 이유는 아주 비교적이기 때문에 그의 시험을 사용하는 것에 대해 수준성과 수준성의 효과가 이 사이파텍에서 소리가 생기고, 작은 양의 소리에 맞추는 사이파텍이 있는 것에 대해 오모오픅한 기능이 성장되어 있는 것에 대해 저희는 엄마랑 동의점이 돼지 흉내가 돋보일 것입니다.radas 2 3 1 2 1 1 2 1 2 1 1 2 1 1 이hell may be the key or the ivfor example, and you want to see it in the homomorphic point of view so you have no beats anymore, but all of these rectangles are cipher texts encryption of zero or one so they are freshly encrypted and you want to see how the noise behave into the cipher text during the encryption. 첫, unique and block Cipher이 있습니다. At each run, you are performing one function on all your ciphertext. The noise into each ciphertext will blow with the same manner. From run to run, you are updating the ciphertext from the present run, and this way in all your states, the ciphertext has the same noise. 마니투드의 소리의概지에 대해서 말합니다. 하지만 이 소리가 높을 것입니다. 한 번에 한 번에 한 번에 한 번 더한 번을 할 수 없을 수 있습니다. 그래서 한 번에 몇 번의 chances가 도전할 수 있습니다. 그래서 이 소리가 아주 높은 소리가 없을 수 없을 수 있습니다. 이 분석에 이의 과정에서 AES와 많은 작업을 하고 있었습니다. 루크릿이 작년에 이 중 1개의 연구한 분여에 다시 제공할 수 있습니다. 또한 이 다음 분위를 제공할 수 있습니다. 이 방식으로는 끝까지의 단 tastes where all the registers have too much noise to produce clean enough ciphertext. So, to say that only at time F you can output the first ciphertext for symmetric reason and then at time F plus R you are not able to produce more ciphertext because what you will produce is already orange. So, you cannot use it with output strapping anymore. 이렇게 소리가 소هane on trivia Haven 또는 나완호 탈에 구수 напис은 preparation kimchi, which is the best of biance for them to have something They'll have an am not of now even she's constant whatsoever the number of that you want like for block cipher And we we have a low noise like for the first fire The first sufflates that will you obtained with With a stream cipher 그는 새로운 시메시아의 가족을 얻고 필터의 방식을 통해 3rd-generation의 FHC를 사용하는 것에 시메시아의 시메시아의 방식을 통해 이의 디자인의 인스테이씨을 통해 필터의 방식을 통해 먼저 필터의 방식을 통해 책임을 다시 버 you want to update to register in a way that there is no extra noise each time. You want to do a zero noise operation on the register. So this way you can do this zero noise operation and extract one ciphertext. So apply F towards the register, have a ciphertext. And don't push it into the register anymore. You already have an updating on the register so you don't need to push it again. 이럴때문에 이건 그래서 더 정확히, 그 인스텐스에 의해, AES-based PRNG의 컴퓨터를 제공하고 있습니다. 그 컴퓨터를 제공하고 있습니다. 그 컴퓨터를 제공하고 있습니다. 그 컴퓨터를 제공하고 있습니다. 그 컴퓨터를 제공하고 있습니다. 그 컴퓨터를 제공하고 있습니다. 그럼 선치uana가 banda17를 제공하고�니다. 이것이 Triangle입니다. 모노뮐로는 1 to Degree H입니다. H이 Triangle입니다. 그리고 이 모양의 Triangles입니다. 모든 variables here are independent. We are adding it during Direct Sum. In this way, we can propose some concrete instantiation for a security of 80 bits and a security of 128 bits. To explain why we are using this function, it's to have a very low error growth using the third generation. First, I present a little of the third generation of FHE that was presented in GSW papers. Let's assume that you have a matrix C, which is a ciphatex, with this relation. There exists some key S and a small error E, such that SC is mu S plus E. You can see S as an approximate eigenvector and U as an approximate eigenvalue. This way, when you will add a ciphatex or multiply ciphatex, you can have the same result with the eigenvalues. That's how you get a morphism. And this scheme is as a security based on a standard LWE. Let's talk about the error growth of the user operation with this third generation. The error part of the ciphatex is a vector E. We will look at the variants of the element of this vector. In addition, the variants will be only the sum of the variants of the ciphatex that we use. And for the multiplication, the behavior is quite different from second generation where it was mostly depending on the depth or the tree when you put all the ciphatex. Now, what is better? There is an asymmetric error growth. Depending on the order of the ciphatex, your error growth will be better or worse. So this way, if you have only very freshly encrypted ciphatex and if you are doing a long homomorphic chain, you can have a quasi additive error growth. That is y times sigma square to k. k being the number of ciphatex and y being constant depending on the ciphatex that you use. As this multiplication is quasi additive, it will be very useful to have this kind of longer homomorphic chain. And that's how the function f was built. To see why we use that, we can prove that evaluating the function f is not adding more noise than doing one homomorphic chain of multiplication. And to have the intuition, if you look at one triangle, so the addition of ciphatex from one ciphatex to ciphatex3, etc. using the multiplicative property, you have y sigma2 times 1, 2, etc. until h. And you can just verify that evaluating one triangle is exactly giving the same noise than doing a multiplication of k ciphatex. And once in a triangle, has only k ciphatex inside. So it's a better way to have a function f, which is well done for a third generation. And we want to study f on a symmetric point of view, which kind of security we can have with a symmetric scheme, not homomorphically evaluated. So first, we will imagine that the permutation and behave as random permutation if the prng and shuffle are good enough. And we will mostly focus on the security of the function f. So we can see a lot of attacks on filtering functions that were used in the past decades. So algebraic attack, correlation attack, and a guess-and-determined attack has shown to us by Duval, Lallement, and Rotella. And for all these attacks, we can see the robustness of the function using standard criteria, such as the algebraic immunity, the resiliency, and the nonlinearity, for example. And with all these criteria, we can determine how robust is our function, and then we can prove all these criteria on f and show that it reaches the security of our 80 or the security of 128. And one example is that we can prove that a triangular function has an exact algebraic immunity of k, whereas the first triangle function has only k monomials in its a and f. So now let's talk about performances. So we did some experimental tests to see with RingJSW if the error growth of FLIP was as nice as we theoretically thought. So we did a lot of computation and we saw the error growth meeting the vector of error of each ciphertext E. And we are comparing freshly encrypted ciphertext with a ciphertext obtained by multiplying two fresh ciphertexts and then a ciphertext obtained by using FLIP, so long multiplication of ciphertexts. And what is important on this table is that we can see that an evaluation of FLIP is not more expensive than doing a multiplication. Here you can see 25% or 31%, for example, whereas a multiplication is only into two ciphertexts whereas FLIP is using a lot more than two ciphertexts multiplying in each with each other. And the percentage is the homomorphic capacity that we have. It's the potential functionalities that you can still do with this ciphertext. So all the multiplication or additions that Alice can ask to Claude to do are not only what we were able to do for the decryption of the symmetric encryption algorithm. We want to compare to previous work on a theoretical point of view. For the error increase, all previous works were done with the second generation of FHE where it was totally determined by the multiplicative depth. And if we are looking on our multiplicative depth, we are reaching a multiplicative depth of four whereas all the others were greater than 12. So it's a big step. You can see. And for the timing comparison, we did some implementation using the HE library. So with HE library, we designed the homomorphic capacities that we want to let to our ciphertext, which is the L plus 7 column. It means that we want L level to do the symmetric decryption and then 7 levels for the application of Alice. And with this way of compare the works, we can see that we are always better for the latency, for the 80 bits version of security and the 128. And for the true outputs, our version of 80 bits is the best. But for the 128 security version, we are twice lower than low MC and we are comparable to cranium. For this case, we are using a lot of ciphertext, a lot of multiplication, so without optimization, we are not as good as other constructions. So now to conclude, the filter permutator is a new family of stream cipher, which is very designed and adapted to FHE. And some open problems are arising with this construction. For example, can we really reduce the degree of a function like our function F of degree 9 or 16 and still have something secure? So can we do it increasing the key size in our construction? And then what are the impact of some tweaks on the filter permutator? For example, we saw that if we had a whitening before or after the permutation, it's like randomizing the key and the analysis is more difficult to see with that. And another way of having an important tweak is to sort parallel instantiation of the filter permutator. So not to using only one F, but parallel function F, and this way we are kind of randomizing the function and it's very difficult to estimate the security of this construction. And then for the concrete instantiation, FLIP, it has an optimal noise for the third generation. We have only one level of multiplication. It seems difficult to have less. And we can reach an efficient FHE framework. That's to say that the more graphic capacity that we are letting after using FLIP is still huge. We can do a lot. Our multiplicative depth is only four, which seems very slow and which enables to do a lot of functionalities. And the choice of the function on FLIP are letting new open problems on Boolean function. For example, can we refine the security analysis? We use a lot of standard criteria, but our function is not standard. We are using only a few number of monomials, whereas random function of this size has a lot more of monomials. And we are using a function only on a constant weight input, whereas all the criterias use the function using all these entries. So can we still use the standard criteria to measure how good is a function? Or can we do better and something, not that standard? So thank you for your attention. Are there any questions or comments? Thanks for your talk. I have a question on your latency comparison just this slide before. This one? Yeah. So for how many bits do you measure this latency here? Can you repeat? So you give latency in terms of seconds. What do you measure here? Do you measure a single bit output here? So for the latency, with HLEB there is some batching. So the time that we have and the number of bits is depending on how they are batching with the parameters that we ask. So FLIP normally is working with one bit at a time, but this number has made with a lot of bits implemented in the same ciphertext. Or the algorithms with the same batching or are they different? Can you repeat? I'm just wondering whether this latency comparison makes sense. I mean, how can you put them next to each other when it depends on this batching parameter and you're not giving it here. Is it the same batching for all the algorithms? For all the algorithms, we are using the same... We are comparing with the same way with HLEB saying that the depth of the three... the multiplicative depth that we want and then HLEB is giving the parameter to doing it. So... Let's take it offline. Thank you. Okay. Thanks to the speaker again. Don't forget 730. We start.