Hi, welcome to my talk, Transciphering Framework for Approximate Homomorphic Encryption. My name is Sung-kwang Kim and this is a joint work with Ji-hoon Cho, Jin-cheol Ha, Yong-hak Lee, Joo-hee Lee, Joo-young Lee, Dok-je Moon, and Hyo-jin Yoon.
Before we start, we'll give an overview of this paper. First of all, we present the first transciphering framework for real numbers. Maybe some of you might not know the term transciphering framework. Basically, a transciphering framework is a conversion from a symmetric ciphertext to an HE ciphertext. So far, there was a transciphering framework for exact data in a modular ring. Second, we present an HE-friendly cipher, which targets practically shorter homomorphic evaluation time. An HE-friendly cipher is a kind of symmetric cipher which can be efficiently evaluated in a transciphering framework. For HE-friendly ciphers, it has been believed that multiplicative depth and complexity are the most relevant measures for efficiency. However, we found out that linear layers can significantly affect the homomorphic evaluation time, and devised a simpler randomized key schedule rather than a randomized linear layer. Finally, we implemented our framework and cipher and achieved 23 times smaller ciphertext expansion and 9,085 times smaller latency than the CKKS-only environment.
Now let's begin from homomorphic encryption. Homomorphic encryption is an encryption scheme that enables addition and multiplication over encrypted data. Some might think about partially homomorphic encryption, but when we say HE in this presentation, it supports both addition and multiplication. There are well-known examples of HE schemes, the FV scheme for a modular ring and CKKS for a complex ring. Because of this feature, homomorphic encryption can protect data when they are being used. For example, homomorphic encryption can be used for machine learning inference and statistics of sensitive data while preserving privacy.
Here we introduce some grammars in RLWE-based homomorphic encryption schemes. When we say message, it is a vector of data to be manipulated. When we say plaintext, it's a polynomial to be encrypted. The encoding function maps from message to plaintext without a key. Ciphertext is literally a ciphertext of RLWE encryption, which is a pair of polynomials. Encryption maps from plaintext to ciphertext with a key.
We give some examples of FV, BGV and CKKS. The message space of FV/BGV is Z_t^N. For CKKS, it is C^(N/2), which is a complex vector space. When we say slot, it means a component of the message vector. The encoding function of FV/BGV is a number-theoretic-transform-like function, while CKKS has a discrete-Fourier-transform-like encoding function. Through the encoding function, data becomes plaintext, which is in a quotient ring. The difference between the two schemes is modulo t. When we say coefficient, it means the coefficients of the plaintext. As for the encryption function and ciphertext space, you can see that the two schemes have the same encryption function and ciphertext space.
Recent homomorphic encryption schemes have two demerits. The first one is slow encryption speed. Homomorphic encryption schemes usually use a large-parameter RLWE sample, which is much slower than a conventional symmetric cipher. The second one is large ciphertext expansion. Ciphertext expansion refers to how much the ciphertext is expanded from the plaintext; the size of a ciphertext is 10 times to a million times larger than the size of the plaintext, according to parameters. When encrypting a small message, this ratio becomes worse. The situation leads to a large memory and network bandwidth overhead.
Imagine that a client wants to delegate computation to a server while all the data are encrypted. Naively, one can think that all the data can be encrypted with homomorphic encryption and computed with.
However, as you can see in this table, encryption speed and ciphertext expansion might be quite an overload, so demands for hybrid encryption arise. To resolve the demerits of HE, Lauter et al. proposed the transciphering framework, which is a conversion from a symmetric ciphertext to a homomorphic ciphertext. The client sends a homomorphically encrypted symmetric key to the server once and encrypts all the messages with a symmetric cipher. Then, given a symmetric ciphertext, the server evaluates the decryption circuit to make homomorphically encrypted messages. Using the transciphering framework, the client can encrypt fast and get a smaller ciphertext.
In the transciphering framework, there is a symmetric cipher. It is evaluated both in the clear and while encrypted. In this sense, a cipher needs to be efficiently evaluated using homomorphic encryption; we call it an HE-friendly cipher. So far in most hardware, AND gates and XOR gates need roughly the same resources. However, in homomorphic encryption, multiplication is much more expensive than addition. So to design an HE-friendly cipher, it requires low multiplicative depth and complexity. Since then, some HE-friendly ciphers such as LowMC, Kreyvium, FLIP, Rasta and Masta were proposed.
Here comes a problem. The first problem is that there is no transciphering framework for real numbers. In real-world applications, most of the data are in the form of real numbers. However, it is hard to design a cipher over real numbers. For example, imagine a cipher E, which can be represented as polynomial functions over real numbers. Then solving such a system of equations can be translated to this minimization problem; this function fL is polynomial and differentiable. Using differentiation, one can easily get an approximated root. The second problem is that previous works on HE-friendly ciphers did not consider practicality enough. Many works pointed out that multiplicative depth and complexity are the most relevant cost metrics.
They are not all the relevant metrics for homomorphic evaluation time. Furthermore, client-side encryption is too slow as a symmetric cipher. It takes at most 100 million cycles per a few-hundred-bit block. That's far beyond the speed of a symmetric cipher.
To make a transciphering framework for real numbers, we observe some similarities between the CKKS and FV schemes. The first observation is that the CKKS and FV schemes have similar encryption algorithms. Here we wrote down the formula of the encryption algorithms in the CKKS and FV schemes. As you can see, they are very similar and the major difference is delta. For CKKS, delta is a scaling factor which preserves precision, while delta in FV is a big scalar to make the plaintext modulo t. The second observation is that the CKKS and FV schemes have similar plaintext spaces. Both schemes use a plaintext in the polynomial ring Z[X] with bounded coefficients. In this figure, we give a pictorial description of the two schemes. These bars stand for coefficients. They are different in the size of delta. We found out that those two schemes can be converted to each other by bootstrapping. We wanted this kind of picture. Symmetric ciphers are evaluated using the FV scheme and the last output is in a CKKS ciphertext of the original messages.
Now we present the RTF transciphering framework, which is a new transciphering framework for real numbers. RTF means real to finite field. The overall diagram is on the right. We will describe it from the client side. The client has a real message M and converts it to integers modulo t by scaling and rounding off. Here, t should be large enough to preserve a predetermined precision. The client generates a key stream from a nonce-based stream cipher over Z_t. By adding the key stream to the scaled message, the client can get a symmetric ciphertext C. The client needs to send an FV-encrypted symmetric key, K, to the server. The server, receiving the nonce and an FV-encrypted key, evaluates the key stream. Then the key stream is in the slots.
To make the same form, the key stream is taken out to the coefficients by SlotToCoeff. It is a homomorphic evaluation of the decoding function. And then, given symmetric ciphertexts, the server concatenates those symmetric ciphertexts into a polynomial and scales it up by delta. By subtracting the FV-encrypted key stream, the scaled original message is recovered in an FV ciphertext. Finally, CKKS bootstrapping converts it to a CKKS ciphertext. The HalfBoot is a kind of reduced bootstrapping. Since the scaled messages are already in the coefficients, we do not need to evaluate the last SlotToCoeff in CKKS bootstrapping.
We also made an HE-friendly cipher, HERA, over Z_t, to use in the RTF framework. Like Rasta, it is a block-cipher-like stream cipher outputting a vector in Z_t^16. HERA is an SPN with a randomized key schedule. On the right, this figure describes the round function of HERA. Like a conventional SPN, HERA starts and ends with a linear layer. You can see that the round function starts with a linear layer, and the finalization function ends with a linear layer. The input of this function is a fixed constant.
In previous works, it has been popular to use a simpler S-box and complex affine layers. In this sense, random affine layers are adopted to reduce multiplicative depth. However, it turned out that the random affine layer reduces the efficiency on both the client and server side. We decided to use an AES-like MDS matrix for high diffusion. In this figure, the 16 boxes represent each component of Z_t^16. MixColumns is a multiplication by this matrix to each column. It is used in AES and is MDS over the Galois field of size 2 to the power of 8. For a sufficiently large prime t, this matrix is also MDS over Z_t. MixRows is a row version of MixColumns.
In this table, we list some functions and their cost to evaluate homomorphically. The first three functions are multiplications by some matrices, and the last function, the cube function, is exponentiation by 3.
Among linear maps, the evaluation time is quite different; especially a freshly generated matrix, which is used in FLIP and Rasta, takes more time compared to the cube function. Rather than a randomized affine layer, we use a simple randomized key schedule. A nonce is fed to an extendable output function and the randomized output is multiplied to the master key component-wise. As the component-wise multiplication is a basic multiplication in homomorphic encryption, it is very efficient to evaluate homomorphically. The S-box is a component-wise cube map. The cube map enjoys a lot of nice cryptographic properties. For example, it is invertible, low degree and has low linear and differential probability. Specifically, the inverse of the cube function is of high degree, so it prevents the algebraic meet-in-the-middle attack.
We analyze the security of HERA against many different attacks. First of all, since the nonce is fed to the XOF, it is impossible to attack HERA in the CPA model, so differential-based attacks such as differential cryptanalysis, higher-order differential, and impossible differential are not allowed. For the same reason, integral attacks are impossible to apply. Nevertheless, to prevent unknown statistical attacks, we provide linear and differential probability using the wide trail strategy. We check the linear probability of the cube function and prove the branch number of our linear layer.
Because of the low-degree nature of HE-friendly ciphers, algebraic attacks may be fatal to HE-friendly ciphers. We deal with linearization, the interpolation attack, the GCD attack, and the Gröbner basis attack. To prevent linearization and the interpolation attack, the number of monomials should be large enough when the cipher is represented as a polynomial. We believe that the number of monomials in HERA is sufficiently large since the linear layer is dense. We also check that the meet-in-the-middle attack is inefficient since the inverse of the cube is of high degree.
To prevent the GCD attack and the Gröbner basis attack, the degree and the degree of regularity are important. We compute all of those values and take into account the guess-and-determine approach. This table shows the recommended number of rounds with respect to each attack. The X-axis stands for the security level, like 80-bit, 128-bit security. The Y-axis stands for the attacks. The number of rounds of HERA is the maximum of each column.
As we propose the first transciphering framework for real numbers, there are not many things to compare. We compare RTF combined with HERA to LWEs-to-RLWE conversion and the CKKS-only environment. We experimented with LWEs-to-RLWE conversion using the OpenPEGASUS library in this paper below. The CKKS-only environment is experimented using the Lattigo library. The first RTF-HERA is a full batching instance and the second RTF-HERA is set to have the same number of slots as LWEs-to-RLWE conversion. We emphasize that the red part, ciphertext size, ciphertext expansion ratio and client-side performance, is significantly better than the CKKS-only environment. Thank you for listening.
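
Added example (not part of the talk and not the authors' code): a toy Python sketch of the client side of the RTF flow described in the talk, with a HERA-like keystream built from the components the speaker names (XOF-based randomized key schedule, AES MixColumns matrix over Z_t, cube S-box). The modulus 65537, scaling factor 1024, SHAKE256 as the XOF, the constant input 1..16, the round count and ordering, and all function names are assumptions chosen for illustration; the server-side subtraction runs in the clear here instead of under FV.

```python
import hashlib
from math import gcd

T = 65537       # toy prime modulus (constructed value, far smaller than a real parameter)
DELTA = 1024    # scaling factor: reals in [-1, 1] keep about 10 bits of precision
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # AES MixColumns matrix
assert gcd(3, T - 1) == 1   # x -> x^3 is a bijection on Z_T only under this condition

def xof_vec(nonce, rnd, n=16):
    # nonce and round index -> SHAKE256 -> n nonzero elements of Z_T (assumed XOF choice)
    raw = hashlib.shake_256(nonce + rnd.to_bytes(1, "big")).digest(8 * n)
    return [int.from_bytes(raw[8 * i:8 * i + 8], "big") % (T - 1) + 1 for i in range(n)]

def ark(state, key, nonce, rnd):
    # randomized key schedule: round key = master key times XOF output, component-wise
    rc = xof_vec(nonce, rnd)
    return [(s + k * c) % T for s, k, c in zip(state, key, rc)]

def mix(state, by_rows):
    # state is a 4x4 row-major array; multiply each column (or each row) by MDS over Z_T
    out = [0] * 16
    for line in range(4):
        idx = [4 * line + j if by_rows else 4 * j + line for j in range(4)]
        for i in range(4):
            out[idx[i]] = sum(MDS[i][j] * state[idx[j]] for j in range(4)) % T
    return out

def linear(state):
    return mix(mix(state, False), True)   # MixColumns, then MixRows

def cube(state):
    return [pow(x, 3, T) for x in state]  # component-wise cube S-box

def keystream(key, nonce, rounds=5):
    s = ark(list(range(1, 17)), key, nonce, 0)   # fixed constant input (assumed value)
    for r in range(1, rounds):
        s = ark(cube(linear(s)), key, nonce, r)
    return ark(linear(cube(linear(s))), key, nonce, rounds)

def encrypt(msg, key, nonce):
    # client: scale and round reals into Z_T, then add the keystream
    ks = keystream(key, nonce)
    return [(round(m * DELTA) + k) % T for m, k in zip(msg, ks)]

def decrypt(ct, key, nonce):
    # server-side logic shown in the clear: subtract keystream, center, undo scaling
    ks = keystream(key, nonce)
    centered = [((c - k + T // 2) % T) - T // 2 for c, k in zip(ct, ks)]
    return [v / DELTA for v in centered]
```

The recovered values differ from the originals by at most 1/(2·DELTA), which is the precision fixed by the scaling step; each symmetric ciphertext element is a single value below T, so no RLWE expansion occurs on the client.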