Hello everyone, and welcome to this presentation of "Revisiting Homomorphic Encryption Schemes for Finite Fields". I am Vincent Zucca, and this is joint work with Andrey Kim from Samsung and Yuriy Polyakov from Duality Technologies. Before diving into the details, let me explain, for those who are not familiar with the topic, what homomorphic encryption is. Homomorphic encryption is a relatively recent technology that allows a user to perform computations directly on encrypted data. By "directly", I mean that the party performing the computation does not need to know the decryption key. It has many potential applications for privacy preservation, ranging from private queries to the delegation of computations on sensitive data to a remote server. Now, to build a homomorphic encryption scheme in practice, we rely on the hardness of the Ring-LWE problem. So consider the ring R_Q, whose elements can be seen as polynomials of degree at most n-1, with n a power of two, and with coefficients reduced modulo an integer Q. Informally, the Ring-LWE problem says that if you sample a uniformly random element a in R_Q and two secret elements s and e according to particular distributions over R_Q, the noisy product a*s + e will look like a uniform element of R_Q, even if you know a. In other words, even knowing a, it is computationally hard to distinguish a*s + e from a uniform element of R_Q. This is interesting because we can now use the Ring-LWE sample (a*s + e, a) to mask messages in R_Q by adding a message m to the first component: since a*s + e looks uniform in R_Q, so does m + a*s + e.
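To make this concrete, here is a toy Python sketch of Ring-LWE-style masking; the parameters and distributions are purely illustrative (far too small to be secure) and this is not the paper's implementation:

```python
import random

# Toy sketch of Ring-LWE-style masking (illustration only: the
# parameters below are hypothetical and far too small to be secure).
# The ring R_Q = Z_Q[x] / (x^n + 1): elements are length-n coefficient lists.
n, Q = 8, 2**16 + 1

def poly_mul(a, b, q):
    """Negacyclic product a*b modulo (x^n + 1, q)."""
    res = [0] * (2 * n)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    return [(res[i] - res[i + n]) % q for i in range(n)]  # uses x^n = -1

def small_poly():
    """A 'small' element (secret or noise) with coefficients in {-1, 0, 1}."""
    return [random.choice([-1, 0, 1]) for _ in range(n)]

random.seed(0)
a = [random.randrange(Q) for _ in range(n)]              # uniform element of R_Q
s, e = small_poly(), small_poly()
b = [(x + y) % Q for x, y in zip(poly_mul(a, s, Q), e)]  # b = a*s + e

# b looks uniform without s; knowing s, one strips off a*s and recovers
# the small noise e (as centered representatives in (-Q/2, Q/2]).
recovered = [(x - y) % Q for x, y in zip(b, poly_mul(a, s, Q))]
centered = [v if v <= Q // 2 else v - Q for v in recovered]
assert centered == e
```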
So a ciphertext will be a pair of elements of R_Q, and it is probably most convenient to think of these ciphertexts as polynomials of degree 1 with coefficients in R_Q. Keeping this in mind, we can note that, by evaluating a ciphertext at the secret s, one can recover a noisy version of the message m. Now, to recover the message m itself, one must get rid of the noise term e. The most common way to do this is to choose the messages in a smaller ring, by taking their coefficients modulo an integer t much smaller than Q, and then to encode the message either in the least significant bits or in the most significant bits of the ciphertext. The first case corresponds to the BGV scheme. In this scheme, the message is encoded in the least significant bits of the ciphertext, and the noise is multiplied by t so that it does not overlap with the message. The second alternative corresponds to the BFV scheme, and there it is the opposite: the message is scaled up by a factor Delta, roughly Q/t, so as to be encoded in the most significant bits of the ciphertext, while the noise stays in the least significant bits. Note that, in order to be able to decrypt correctly, the noise and the message must not overlap with each other. In both cases, this means that the noise e must remain smaller than a certain bound, roughly Q/t. Ring-LWE-based schemes are naturally homomorphic for addition and multiplication, which is why Ring-LWE is so interesting for homomorphic encryption. For instance, if you consider the BFV scheme and add two ciphertexts as if they were polynomials, you obtain a new ciphertext which is an encryption of the sum of the two messages, and whose noise is the sum of the two input noises, plus the carry resulting from the addition of the two messages.
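The two encodings can be illustrated on a single coefficient with toy, insecure parameters (all values below are hypothetical; the `round`-based decoding mimics BFV decryption):

```python
# Toy single-coefficient illustration of the two encodings
# (Q, t, m, v are hypothetical values, not real parameters).
Q, t = 2**30, 17
m, v = 5, 123                          # message in Z_t, small noise

# BGV: message in the least significant bits, noise multiplied by t.
c_bgv = (m + t * v) % Q
assert c_bgv % t == m                  # decryption: reduce modulo t

# BFV: message scaled up by Delta = floor(Q/t) into the most significant bits.
Delta = Q // t
c_bfv = (Delta * m + v) % Q
assert round(t * c_bfv / Q) % t == m   # decryption: scale by t/Q and round
```

In both cases, taking a noise v close to Q/t would make the two layers overlap and decryption would fail, which is the bound mentioned above.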
Similarly for multiplication: if you multiply the two ciphertexts as if they were polynomials, you obtain a polynomial of degree 2, but this polynomial is still an encryption of the product of the two messages. Now, looking at these equations, you can see that the noise grows with each homomorphic operation, and also that multiplications introduce much more noise than additions. Since the noise must remain smaller than a certain bound for decryption to be correct, this means that the parameters of the schemes must be chosen according to the number of operations we want to perform. The direct consequence of this noise growth is that the parameter Q can become very large in practice, several hundred or even thousands of bits. This is why implementations of homomorphic encryption choose the parameter Q as a product of distinct moduli q_1, ..., q_k, where each modulus is small enough to fit in a machine word. The Chinese Remainder Theorem then tells us that, instead of computing modulo Q, we can perform the computation independently modulo each q_i, which makes the arithmetic much more efficient. The set of moduli q_1 to q_k is usually called the RNS basis of Q. Also, BFV and BGV are theoretically equivalent: we can convert ciphertexts from one scheme to the other as long as t and Q are coprime. The significant differences are in practice. On the one hand, BGV has a more efficient homomorphic multiplication, but it requires managing the noise dynamically, which makes it harder to use and to implement than BFV. On the other hand, it has been noticed by Costache, Laine and Player that BGV has a better noise growth than BFV for large plaintext moduli.
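The RNS idea can be sketched in a few lines of Python; the moduli below are arbitrary pairwise-coprime toy values, not ones used in any real parameter set:

```python
from math import prod

# Sketch of RNS arithmetic: a big modulus Q represented by word-sized
# moduli q_i (the q_i below are arbitrary pairwise-coprime toy values).
qs = [2**30 + 3, 2**30 + 7, 2**30 + 9]
Q = prod(qs)

def to_rns(x):
    """x mod Q  ->  (x mod q_1, ..., x mod q_k)."""
    return [x % q for q in qs]

def from_rns(residues):
    """CRT reconstruction of x mod Q from its residues."""
    x = 0
    for r, q in zip(residues, qs):
        Qi = Q // q
        x += r * Qi * pow(Qi, -1, q)  # pow(..., -1, q) is the modular inverse
    return x % Q

a = 12345678901234567890 % Q
b = 98765432109876543210 % Q
# One multiplication modulo Q becomes k independent word-sized multiplications.
c_rns = [(x * y) % q for x, y, q in zip(to_rns(a), to_rns(b), qs)]
assert from_rns(c_rns) == (a * b) % Q
```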
This work aims at reducing the gap between the two schemes in practice. Our first contribution is to modify the BFV encoding in order to obtain a scheme with a noise growth comparable to that of BGV. We have also reduced the algorithmic complexity of BFV homomorphic multiplication. And our last contribution is to develop a more usable variant of BGV, where the user does not need to manage the noise dynamically. Finally, we have also introduced several optimizations for BFV which will not be presented in this video, but I invite you to read the paper if you are interested. In particular, we propose to decouple the tensoring step of the homomorphic multiplication from the relinearization, and we also propose an improvement of the decryption procedure of Halevi, Polyakov and Shoup. Let us start with the modification of the encoding. For BGV, we have already seen that a ciphertext can be decrypted by evaluating it at the secret key and then reducing the result modulo t: as long as the noise v is small enough that m + t*v does not wrap around modulo Q, decryption is correct. For BFV, it is a bit more complicated, since we must remove the factor Q/t in front of the message. So, after evaluating the ciphertext at the secret key, we multiply the result by t/Q and round the coefficients of the result to the nearest integers. This is equivalent to recovering the message m plus the rounding of a fraction which, if v is small enough, rounds to 0. Now notice the difference between the two bounds, with this r_t(Q) term, which is the remainder of Q modulo t. This term comes from the difference between t/Q and the flooring of Q over t: in particular, when you multiply t/Q by this factor, you obtain not 1 but 1 - r_t(Q)/Q.
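The identity behind this r_t(Q) term can be checked numerically with toy values:

```python
from fractions import Fraction

# Numeric check of the identity behind the r_t(Q) term:
# (t/Q) * floor(Q/t) = 1 - r_t(Q)/Q, with r_t(Q) = Q mod t (toy values).
Q, t = 2**30 + 12345, 2**16
r_tQ = Q % t
assert Fraction(t * (Q // t), Q) == 1 - Fraction(r_tQ, Q)
```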
Now, if we take a look at the size of the noise after a homomorphic multiplication in BFV, we will see that this r_t(Q) term also appears, due to the scaling by t/Q which is also required in this procedure. And now the question is: what is the dominant term between V_input, which is the size of the noise of the ciphertext, and r_t(Q)/2? A fresh ciphertext has its noise bounded by at most 2^15 in size. This means that if r_t(Q)/2 is larger than 2^15, it will be responsible for the largest part of the noise growth during the first multiplication. For instance, if t is equal to 2^32, r_t(Q)/2 is roughly equal to 2^31, and this might lead to a difference of 16 bits compared with BGV on the first multiplication. However, after the first multiplication the input noise will be larger, and so V_input will become dominant in the equation; there will be no further growth of the noise due to this r_t(Q) term. This phenomenon matches what has been described in previous experiments on BFV. So, overall, this r_t(Q) term impacts both the decryption and the homomorphic multiplication. One way to reduce its impact on the noise growth would be to choose the moduli such that r_t(Q) gets small, but this would be more of a patch than a real solution in our mind, and it would also further restrict the choice of the moduli q_i. What we propose instead is simply to change the way the message is encoded in BFV: instead of scaling the message by the flooring of Q over t, we round the message after its multiplication by Q/t. In this way, after scaling down by t/Q, we get the message plus t/Q times the rounding error. This means that the decoding error is reduced from r_t(Q)*t/(2Q) to t/(2Q), and this results in the same decryption and noise growth bounds as for BGV. Note that when t and Q are coprime, this encoding can be simply computed in RNS as minus (Q*m mod t) divided by t. Now let me explain how we managed to reduce the complexity of BFV homomorphic multiplication.
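Here is a toy, single-coefficient comparison of the original encoding Delta*m and the modified encoding round(Q*m/t); the moduli are arbitrary and chosen only so that r_t(Q) is large:

```python
from fractions import Fraction

# Toy single-coefficient comparison of the two BFV encodings
# (Q and t are arbitrary values chosen so that r_t(Q) = Q mod t is large).
Q, t = 2**30 + 12345, 2**16
m = 40000                                # message in Z_t

enc_old = (Q // t) * m % Q               # original encoding: Delta * m
enc_new = (Q * m + t // 2) // t % Q      # modified encoding: round(Q * m / t)

# Noiseless decoding error |t/Q * c - m| for each encoding.
err_old = abs(Fraction(t * enc_old, Q) - m)
err_new = abs(Fraction(t * enc_new, Q) - m)
assert err_new <= Fraction(t, 2 * Q) < err_old   # the new encoding is tighter

# With t and Q coprime the rounding is RNS-friendly: Q*m + ([-Q*m] mod t)
# is exactly divisible by t (up to the rounding convention).
assert (Q * m + (-Q * m) % t) % t == 0
```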
Unlike in BGV, in BFV the product of the two ciphertexts must be done without performing any reduction modulo Q. Why is that? Simply because the message is encoded into the most significant bits of the ciphertext by scaling it up by Q/t: after the product of the two ciphertexts, the product of the two messages is scaled up by Q^2/t^2, and performing a reduction modulo Q would make us lose the message. So, in practice, to perform this product without any reduction modulo Q, we extend the RNS basis Q with a second RNS basis P, large enough so that the product does not wrap around modulo PQ. After having performed this product, we need to scale the product of the two ciphertexts down by t/Q in order to get back the product of the two messages scaled up only by Q/t, as for the original ciphertexts. The dominant term after this scaling down by t/Q is the term in k*k', highlighted in yellow here, which is t*Q times k times k' modulo P. And so we need to make sure that P is large enough so that this term does not wrap around modulo P. In practice, we can choose P with k+1 moduli, which is one more modulus than for Q. Since the size of P is directly related to this term, our idea to reduce the size of P is simply to transform this term, which is a multiple of Q, into a multiple of PQ, so that it vanishes modulo PQ. To do this, we begin the homomorphic multiplication procedure by switching the modulus of one of the two ciphertexts from Q to P, so that the message of this ciphertext is scaled up not by Q/t but by P/t. Then we perform the product of the two ciphertexts as usual modulo PQ, so that the product of the two messages is scaled up not by Q^2/t^2 but by PQ/t^2, and similarly the term in k*k' comes multiplied by PQ instead of Q^2.
Because of this, the term in k times k' is a multiple of PQ instead of just Q, which means that it vanishes modulo PQ, and the dominant term is gone. We finish the homomorphic multiplication procedure by scaling the product of the two ciphertexts by t/P instead of t/Q originally, and this has another advantage, since this scaling can be done directly in base Q, which also saves some computation. Unfortunately, the rounding error epsilon due to the modulus switching of one of the two ciphertexts from Q to P at the beginning of the procedure will be multiplied by the other ciphertext during the tensoring phase, and so will be added to the noise. However, since the product of the two ciphertexts is scaled down by t/P, it means that we can control the size of this error with the magnitude of P. We prove in the paper that taking P approximately of the same size as Q makes this noise negligible in comparison with the noise caused by the homomorphic multiplication itself. This means that we can take P as a product of k moduli, like Q, instead of k+1 previously. It is also possible to further improve the performance of the multiplication by considering a leveled approach, somewhat similar to BGV. In this approach, both ciphertexts are scaled down from Q to some integer Q' dividing Q, and so the product of the two ciphertexts is performed internally modulo Q'P' instead of QP. Since Q'P' will be smaller, and maybe much smaller, than QP, we obtain a significant gain in performance. At the end of the procedure, we scale the resulting ciphertext back up from Q' to Q, to get back a ciphertext encrypted modulo Q as originally.
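The overall multiply-and-rescale flow, with the switch of one operand from scale Q/t to scale P/t, can be sketched on single noiseless coefficients; this is a heavy simplification under toy moduli (no keys, no noise sampling, no relinearization), not the paper's algorithm:

```python
# Scalar toy of the modified BFV multiplication: switch one operand from
# scale Q/t to scale P/t, multiply over the integers, rescale by t/P.
# (Single noiseless coefficients, toy moduli, no keys or relinearization;
# this is a simplification of the procedure, not the paper's algorithm.)
Q = 2**40 + 9
P = 2**40 + 87           # second modulus, roughly the same size as Q
t = 257
m1, m2 = 3, 5
Delta = Q // t

c1, c2 = Delta * m1, Delta * m2          # BFV-style encodings at scale Q/t
c1_p = (c1 * P + Q // 2) // Q            # modulus switch: scale Q/t -> P/t
prod = c1_p * c2                         # product now at scale P*Q/t^2
c3 = (prod * t + P // 2) // P            # rescale by t/P, back to scale Q/t

assert (t * c3 + Q // 2) // Q == m1 * m2   # decodes to the product
```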
The downside of this approach is that it requires a good estimate, or at least a lower bound, on the noise carried by our ciphertexts, in order to scale their noise appropriately during the procedure. Indeed, one could be tempted to take a very small modulus Q', so that Q'P' would be very small and the multiplication very fast; but if we do this, the noise added by the modulus switching from Q to Q' will dominate the noise of the ciphertext, and we will lose some computational budget. This problem is somewhat similar to what we encounter in BGV, and I will use this opportunity to talk about the BGV implementation we have developed in this work. Unlike in BFV, in BGV the product of the two ciphertexts can be performed modulo Q, and thus we do not need to scale it down by t/Q. This is why BGV homomorphic multiplication is natively more efficient than BFV's. The counterpart of this efficiency is that the noise is not scaled down automatically by t/Q, and thus it grows quadratically if we do not reduce it manually. To reduce this noise manually, we rely on the modulus switching procedure, which allows us to scale the ciphertexts, and thus their noise, down by an integer. The problem is therefore to have a precise estimate of the noise carried by the ciphertext, in order to choose the size of this integer accordingly. To solve this issue, HElib, the reference implementation of BGV, includes a dynamic noise estimation mechanism, so that before each multiplication the noise is scaled down to a minimum level. This requires an additional set of small prime integers that can be combined together to scale down the noise by the right amount. In this work, we propose an alternative approach which does not require any dynamic estimation.
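A toy scalar version of this modulus switching step may help; it assumes, as is standard in BGV, that the dropped modulus is congruent to 1 modulo t, and all values are illustrative:

```python
# Toy scalar sketch of BGV modulus switching used to scale the noise down
# (single coefficients; values are illustrative, not real parameters).
t = 257
q_drop = 257 * 2**22 + 1     # modulus being dropped; note q_drop = 1 mod t
Qp = 2**61 - 1               # remaining modulus Q'
Q = q_drop * Qp

m, v = 42, 2**70             # message and a deliberately large noise
c = (m + t * v) % Q          # "decrypted" view of a BGV ciphertext

# Small correction delta with delta = -c (mod q_drop) and delta = 0 (mod t),
# so that (c + delta) / q_drop is an integer still congruent to m modulo t.
u = (-c * pow(t, -1, q_drop)) % q_drop
u -= q_drop if u > q_drop // 2 else 0    # centered representative
delta = t * u

c2 = (c + delta) // q_drop % Qp

assert c2 % t == m % t       # the message survives the switch
assert c2 < 2**49            # the noise shrank by a factor ~q_drop
```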
In our implementation, all the parameters are fixed at key generation, and the user only needs to indicate the maximum number of additions or rotations they need to perform between two multiplications. From these parameters, we know how large the noise can become in the worst case, and we choose the size of the moduli q_i forming Q according to this bound. Then, after each multiplication, the ciphertext is scaled down by one of the moduli forming Q, and we do not need any additional set of prime numbers. So, overall, our variants of BGV and BFV have the same decryption bound and the same noise bound for addition. The noise after a multiplication in our variant of BFV is roughly equal to 2*delta*t*V_input, whereas for BGV it is twice as large. This factor 2 comes from the fact that in BGV, after each multiplication, the noise caused by modulus switching adds to the scaled-down noise; since the scaled-down noise is set to match the modulus switching noise, we obtain this factor 2. But BFV also has another small advantage for the noise growth, since the noise of BGV must be kept of small magnitude. In this case, the noise added by key switching can become non-negligible in comparison with the multiplication noise, which depends on the plaintext modulus t. This is exactly what happens when the plaintext modulus is small, and this is why we can say that BFV has a small advantage in this case. I am going to finish this presentation by presenting some experimental results. We have implemented our variants of BFV and BGV in the PALISADE C++ library. Some parts of our implementations are already present in the current version of PALISADE, and the last optimizations will be included in the next release. To the best of our knowledge, this is the first time that BGV and BFV have been implemented in the same library, which allows for a fairer comparison of the two schemes. Our experiments were run on a commodity desktop computer operating on Ubuntu, with 64 GB of RAM and an Intel CPU running at 3 GHz.
All the experiments were run in single-threaded mode, and I would like to mention that they all use hybrid key switching with 3 digits in the decomposition. On this graph, we compare the performance of the homomorphic multiplications of our variants of BFV and BGV at various depths. First, we notice that our new variant of BFV is faster by a constant factor than the original BFV, as expected, since we have been able to reduce the size of the second RNS basis P by one modulus. Then, we notice that our leveled variant of BFV mimics the behavior of BGV multiplication, as expected, by becoming more and more efficient as we go deeper into the computation. The most surprising point of this graph is that, for small and medium plaintext moduli, BGV seems slower than our leveled variant of BFV. This can be explained by the fact that in our variant of BGV, the size of the moduli depends on t: when t is small, we have small moduli. In BGV, the number of levels corresponds roughly to the number of moduli, while for BFV the size of the moduli is independent of the plaintext modulus. Thus, when t is small, we have more moduli in the case of BGV than in the case of BFV, and therefore we need to perform more NTTs at the first levels; since we are running the experiments in single-threaded mode, this makes a performance difference. Note that this phenomenon is just a particularity of our implementation, and we could make BGV much faster by packing several small BGV moduli together in the same machine word. For instance, when the moduli are about 20 bits large, we could theoretically pack up to 3 moduli in the same 64-bit machine word and compute 3 times fewer NTTs. This table compares the performance and noise growth of our variants of BFV and BGV for evaluating a binary tree of depth L, using a plaintext modulus t of roughly 16 bits.
The column log E corresponds to the size of the noise at the end of the computation. As expected, we notice that our variant of BGV has a slightly larger noise growth than our variant of BFV, while it only has a small performance advantage; but once again, we must point out that we have not packed the moduli together in the implementation. Also, notice that our variant of BFV has a slightly better noise growth than the original BFV, but this is mainly due to the fact that, in our variant of BFV, we use modulus switching right after encryption in order to reduce the encryption noise down to the modulus switching noise. This second table is similar to the first one, but for polynomial evaluation instead of binary tree evaluation; the evaluated polynomials are of degree L. This time, we notice that our variant of BGV has a significantly higher noise growth than BFV, as expected, since we also have to choose the moduli q_i larger to compensate for the noise caused by the homomorphic additions. Once again, BGV has a minor performance advantage in comparison with BFV. To summarize, we have proposed variants of BFV with a somewhat better noise growth than BGV, whereas it was shown previously that the original BFV has a worse noise growth than BGV when the plaintext modulus t is large. Then, our implementation of BGV can be slightly slower than BFV in single-threaded mode, when the plaintext modulus is small and the moduli are not packed together. Overall, we have reduced the complexity of BFV homomorphic multiplication: our first improvement was to reduce the size of the second RNS basis P by one modulus, which saves a constant number of operations; our second improvement was to propose a leveled variant of BFV where the multiplications become more efficient as the computation progresses, similarly to BGV. Finally, we implemented a variant of BGV which does not require any dynamic noise estimation.
The noise is automatically scaled down by one of the moduli before each multiplication, which makes the scheme easier to use and simpler to implement. Unfortunately, this simplicity comes at a cost in performance, since the size of the moduli must be chosen more conservatively than in the dynamic case. This is everything I wanted to present. Thank you for your attention.