 Hello everyone. Today we're going to present to improve the programmable bootstrapping with larger precision and efficient arithmetic circuit for TFHE. This is a working collaboration between me, Ilaria Killotti, Damian Lige, Jean-Baptiste Orphila, and Samuel Eltape. The four of us today are going to take care of the presentation. So before we start, let's see a little overview of what we're going to present today. So the presentation is going to be split in five major parts. We're going to start with the introduction of the TFHE scheme, an overview of the TFHE scheme. Then we're going to present our improvements, which are the PBS mini-loot, the BFV product into TFHE and the WOPBS. And then we're going to finish with some challenges and conclusions. Okay, so before we start talking about the TFHE, let's understand what is the FHE. So FHE stands for fully homomorphic encryption. And it's a new technology allowing to do computations of encrypted data, ever-encrypted messages. So in the slides, you're going to often see the messages encrypted inside a box. As Insta seen this slide, a little blue box with a lock on the bottom. This means encryption. And the message is going to be X and Y in this slide. So in practice, what happens in homomorphic encryption is that if we add homomorphically to ciphertext, or if we multiply homomorphically to ciphertext, the result is going to be a new ciphertext encrypting the addition and the multiplication of the original messages, respectively. By combining addition and multiplication, we can possibly evaluate any function. And the type of messages we can treat in homomorphic encryption are values. We can have bits, integers, real messages. So the most annoying part in homomorphic encryption is what we call the noise growth. To be more clear, what happens when we encrypt is that we add some little amount of noise, this little randomness that is measured in the slides with this little thermometer. And when we start, when we encrypt, the noise is very, very small. However, when we start computing homomorphic operations, the noise grows. And when we do additions and linear combination, the noise grows a little bit. However, when we do multiplication and nonlinear operations, the noise grows faster. And the problem is that if there is too much noise, and especially if the noise reaches a limit, a certain limit that in the slides are going to be is going to be indicated by this horizontal red line in thermometers, then we risk to have an incorrect decryption. Thanks for us. There is a technique called the bootstrapping that allows us to deal with this noise growth problem. And the TFHG, the scheme that we're going to use today has a bootstrapping. So the bootstrapping of TFHG is very special. As any bootstrapping, it allows to reduce the noise inside ciphertext. So in particular, it takes an input, what we call an LWE ciphertext, we're going to explain in a few slides what it is. There is a noisy and by using a bootstrapping key, which is an encryption of the secret key originally used to encrypt the X. It will evaluate the encryption circuit and produce a new ciphertext of the type LWE as well, with less noise inside. So in practice, he refreshes the ciphertext noise. And the bootstrapping of TFHG is even more special because at the same time that it reduces the noise is also able to evaluate a lookup table. So the result is not only going to be the same encryption of the same message with less noise, but an encryption of L of X, where L of X is the position corresponding to X, the input inside the lookup table. So the result is going to be L of X with less noise. So this technique is actually in the rest of the slides, we're going to often call this technique PBS for programmable bootstrapping. Before we try to understand how the bootstrapping work, let's check what are the ciphertext using TFHG. So first of all, what is an LWE ciphertext? So LWE ciphertext is a TAPO AB, where A is a uniformly random vector, and B is equal to the inner product between this uniformly random vector A and the secret key. And then we have an addition of the message rescale to a certain delta and the error. The error is generally a Gaussian error, sampled with a certain variance and the variance is going to be indicated in the thermometer. The LWE ciphertext are very nice because they have a homomorphic properties and especially they are homomorphic with respect to the addition and in the germ multiplication. In TFHG we not only use LWE ciphertext but we use also two other ciphertext. The first one is ring LWE ciphertext, which are homomorphic with respect to the addition and the constant multiplication, and ring GSW ciphertext, which are homomorphic with respect to addition, constant multiplication and multiplication as well. So this means that when we have two ring GSW ciphertext, we can multiply them together and the result is going to be a ring GSW ciphertext containing the product of the messages. There is an additional operation in TFHG that is largely used, which is called external product, and it's an operation between a ring GSW ciphertext and a ring LWE ciphertext. And the result is going to be a ring LWE ciphertext encrypting the product of the messages. Okay, so now that we saw what are the ciphertext in TFHG, let's try to understand how the bootstrapping is done. So just to summarize what we said before, we're going to have an LWE ciphertext in input, quite nosy. We're going to take also in input a lookup table that we want to evaluate and the bootstrapping key that in the case of TFHG is a list of ring GSW ciphertext. We're not going to see the details because this is not important for the comprehension of the presentation. The output as announced before is going to be again an LWE ciphertext this time encrypting L of M with less noise. So what is the operation that we evaluate during bootstrapping? Well, we homomorphically evaluate the decryption algorithm of the LWE encryption. And the decryption algorithm consists in two major steps. The first one is the computation of D minus A times S, which by solving the equations I showed you before, gives us an output delta M plus the error. And the second step is a rescaling and rounding, allowing us to retrieve the message M. So in order to better understand what is coming next, it's important that we visualize what is the LWE input, so delta M plus the error. So you can always imagine it as a list of bits where we have the message that is put in the most significant bits and the error that is in the least significant bits. And in this presentation, the message is going to get values between zero and P minus one. How does the bootstrapping work? So we have a first step that is called the modular switching, which is a step of switching from the modular ZQ, which is the original modular ciphertext modules, and a modular 2N, which means that we are going to select the log 2N most significant bits inside this homomorphically of the input. So what happens in practice is that by selecting this log 2N most significant bits, we're going to preserve the message because the message is in the most significant bits. And if the error is not too big before entering the bootstrapping, then the message will also be preserved after modular switching. The second step is a description of the lookup table inside the polynomial V, modulo xn plus one, in which we're going to put some redundancy. So what does it mean? It means that if the vector you're seeing in the slide is a vector representing the coefficients of a polynomial modulo xn plus one, we're going to have multiple repetitions of the elements of the lookup table. So we're going to start with many repetitions of L0, then many repetitions of L1, and so on, until Lp minus one. And then the third step is going to be a rotation of this polynomial of delta m plus error position. Well, delta m plus the error are going to be the result of the modular switching. So we're not going to check into detail this step. This is performed in TFHE by using a loop of external products. And the final result of this operation is a wring LWA encryption of the same vector rotated. And what happens after the rotation is that the coefficient that were associated to L of m are going to move to the first position of the vector. And the last step was going to be what we call a sample extraction, which consists in extracting the first element of this polynomial into an LWA ciphertext. And since the first element was L of m, then we're going to obtain an LWA encryption of L of m with less noise as expected before. The TFHE bootstrapping seems a very powerful actually is a very powerful tool, but unfortunately has some limitations. And the major limitation is due to the fact that we work modulo xn plus one. So in order to be more clear what happens when we work modulo xn plus one. So we have polynomial of size n with n coefficients. And since the rotation modulo xn plus one is of order to n, what happens is that it exists a sort of imaginary part of size n as well, which contains exactly the same elements of the first part of the first n elements, but with a minus sign in front of them. So what happened is the following. See if the most significant bit of our message is equal to zero during the rotation, we're going to find an element inside the first n coefficient so an element of V. And the result is going to be exactly L of m. However, if in the most significant bit of the message is going to be equal to one after the rotation, the result is going to be in the, let's say imaginary part. And so the result is not going to be L of m, but minus L of m instead. So if we want to always have L of m as a result, we have to know the first the most significant bit of the message and especially in general, we're going to fix this most significant bit to zero. And we're going to try to keep it equal to zero all the time. And this is actually a big limitation. So in this paper what we try to do is to overcome this limitation together with other tfhe limitations. In the rest of the presentation, you're going to see our contribution. So we're going to start with what we call pbs menu to, which is a technique allowing us to evaluate several lookup tables per bootstrapping on the same input. And then we're going to see how to use the bfe like multiplication into tfhe to improve a tfhe techniques. And this was especially possible thanks to a tight noise analysis. And finally, we're going to see what we call the world pbs, which is a pbs without a bit of padding, which is the technique allowing us to overcome the limitation I just described about the most significant bit set to zero. So now we're going to have a look on a new method, which is called pbs many minutes and allows us to evaluate many function into one single pbs. First, we're going to introduce a new tool, which is called generalized strapping, and which will act on the mode of switching, which is the first step of the bootstrapping. So in the usual strapping, the first step required to shift from cypher text, which is encoded over qubits into cypher text, which is only encoded over two n bits, and that the frame obtain after this mode of switching contains the most significant So the idea is to add more degrees of freedom to this step. So first, we want to choose the position of the most significant bit, which will be retained after a little switching. So, for instance, we define new variable, which is called kpa, and this kpa in this example is defined to two. So in this case, after a little switching, this means that we have shifted from two bits from the most significant bits. And so that if our message encrypted was only originally defined as m-prime concatenated with m, after the middle switching will only have the encryption on m, since we have shifted from two bits. We can also define a shifting which is negative so that the kappa is negative. We can also define that after the middle switching will add some random bits as the most significant one in the frame which is retained after the middle switching. In this example, we define kappa as minus one. So this means that we want to shift from one bit after the module is Q, so that after the middle switching will have one random bit as the most significant bit. So this is about shifting from the right side, but in this case we'll define what we called a right padding. In this case, the idea is to have some bits that we will ensure to be equal to zero after the middle switching. This is defined by the variable theta and theta will represent the number of bits which are equal to zero after the middle switching. So in this example, we define theta as two, so that after the middle switching, the two least significant bits are now equal to zero. So with these two approaches, so that in fact this offer us the possibility to choose the frame which will be module switch. So with the kappa, we shift from kappa bits, and with the theta we ensure that the last theta bits will be equal to zero so that the frame of the middle switching is now up to our choice. The first application of this journalism strapping will be in the PBS Minidutes. So just for recall, in the PBS normally we have one PBS for one news, and that at the brand rotation state, we are going to choose the correct case of the loot which will be evaluated, meaning that we want to obtain L of M depending on the encryption of the message and Now, if we apply the general bootstrap by defining just the theta and theta will be equal to one. This means that we here we represent what we obtain after module switch in the plain text version, so that the last bit will be equal to zero and we are sure that this offers more possibilities to uncut lutes. Now we are able to uncut two lookup tables, instead of just one as previously. Why is this this possible, because now we can use the value of this list list significant bit to select which lookup table will be will be chosen. For instance, if we say that the list significant bit is equal to zero, we will select the first lookup table so L zero, so that after sample extract will be obtained LWCiphertext encrypting L zero L zero of M. If the last bit is now equal to one, then this means that we are going to select the first, the single lookup table, so that we obtain an encryption of L one of M. The value of the previous minutes is then that using this parameter theta, we are now able to evaluate to to the power of theta function with the cost of only one pbs and the cost of two to power theta sample extract. However, the sample extract is almost free, so that the cost of a generalized pbs and the evaluation of many lutes is the cost of only one pbs. This offers the multiple instruction single paradigm to the pbs. The cost of however some drawbacks. In fact, we require that the message are small enough since we are restricting the last bits after the switching to be equal to zero. And moreover, the more we increase the value of theta, the more increase the probability of having here or after after a pbs. So now we're going to focus on the BFV product in the context of TFHE. The product at a BFV. It's pretty simple. You have to wring LW ciphertext as input, and you compute a tensor product with between those two. You end up with a larger ciphertext encrypted with a bigger secret key. And what they do in BFV, they add this key switch to go back to the original secret key. So in this presentation, we're going to call the tensor product followed by the key switch wring LW product. We had to work on the noise formula for this operation in order to prove that it's possible to use it in the TFHE context. In the TFHE context, we have a small Q, the integer modules for the ciphertext. It means that we cannot have really big amounts of noise. So we had to work on this formula. And we did it in a generic way, meaning we can have different kind of secret key distributions. It can be binary, ternary, Gaussian, or anything else as long as you can provide the standard deviation and the mean of the distribution. So we were able to use that ugly formula and prove that we can compute some level multiplication in TFHE. For instance, we can see that with the message precision of 4-bit, we can have eight levels of multiplication. So to use it in TFHE, we have to convert LW ciphertext into wring LW ciphertext. Indeed, in TFHE, we mostly work with messages encrypted as LW ciphertext. So we're going to use this key switch converting our input messages M0 and M1 into constant polynomials encrypted in wring LW ciphertext. Then we do the tensor product and key switch. We end up with wring LW ciphertext encrypting M0 times M1. And to go back to LW, we simply compute the sample extraction. So we're going to see how this BFV product in TFHE can be useful to overcome the legacy click property of the programmable bootstrapping. So we're going to start with this toy example. We consider a ciphertext encrypting this plain text with a zero in the most infamous and this lookup table L. To do the regular programmable bootstrapping, we end up with a ciphertext of the message L of M. If now we look at what would happen if there was one in the most significant bits, we end up with minus L of M. And that's exactly what we want to correct. A way to do that is to compute what we call the sine. So we use another lookup table. It's a constant lookup table. And if we go back to this plain text with a zero in the most significant bit, we end up with an encryption of one. If we now look at what happened with one in the most significant bit, we end up with a minus one. And it's easy to see that if we compute a multiplication between those two, we end up with what we wanted, which is L of M in both cases. So how to build this warp pbs? We start with a ciphertext encrypting plain text without any bit of padding. We start with pulling a bit, which is random because of the way we encrypt with LWE. And we apply the little trick we just showed you. In more details, we're going to see what it is. You start with this ciphertext encrypting a random beta followed by your message M. You compute two pbs is one for the lookup table you want to evaluate and one for the sign. And then you use the LWE multiplication we described and you end up with the desired message L of M. So there are two pbs is to evaluate here. And we see that we can factorize them into one using the team 19 trick. There is a price here you add a little bit of additional noise. If the message is small enough, you can use our trick pbs mini loot and also evaluate for the price of one pbs only those two lookup tables. So I'm going to present another way to achieve programmable bootstrapping without padding. So in the version Damien just showed you, we use the LWE multiplication to correct the sign of the random bit in the MSB of the message. And here we use another technique. So we still have an encryption of a message M as input. And we want to obtain the evaluation of a lookup table L with M. So the lookup table L is representing the bottom left of the screen. And so we don't want to work with this huge table we want to work with lookup table twice as small. So first we are going to break apart this lookup table into two lookup table L0 and L1. So now we are going to see how we can use L0 and L1 to obtain this encryption of L of M. So at the beginning we have our encryption of the message M and here we call beta the most significant bit of this message and M prime the rest of the message. If beta is equal to zero and we evaluate the lookup table L0 on M prime, we obtain the evaluation of the lookup table L on M. And if we have beta equals to one and we evaluate L1 in N prime, we will obtain L the lookup table of M. So now how does this work in FHE? So at the beginning we have our ciphertext of message M. And at the end we want to obtain the encryption of the evaluation of the lookup table. So first we are going to perform the PBS with the first lookup table to obtain the evaluation of our lookup table at the sign up to a sign. We also are going to perform a bootstrap with the sign lookup table as with the first version of the bootstrap without padding and the bootstrapping with the second lookup table. Then we are going to add some offset to the sign and perform an LWE multiplication. So we all will do the same thing for the second lookup table with the sign. And at the end we are going just to sum everything. So here we use the, we use beta, the MSB of the message to select between L0 and L1 the two lookup tables and also to correct the sign at the same time. So as with the previous version, we have a layer of PBS, so we can use either the SIEM 19 PBS trick or the PBS menu which we just introduced. And we can, as there is two multiplication, LWE multiplication, we can use an LWE square which consists of an LWE multiplication with both input that are the same. And the complexity of the LWE square is more or less the same as one of LWE multiplication. So now we want to compare the complexity of a classical PBS and the two versions of the bootstrap without padding we just introduced. So we are going to look at PBS working on PBIT message. So for traditional PBS you will need a PBS for P plus one bit. So P bit for the message and the plus one is for the zero padding you put in the most significant bit of the message. For the first version of the bootstrap without padding, you will need two PBS for P plus one bit. So the P is for the message and the plus one is for the random padding we added during the module switching. For the second version, sorry, and we also have LWE multiplication. For the second version of the bootstrapping without padding, we need three PBS, but only for PBIT because we don't need any padding. We added two LWE multiplication and three additions. So we can see that the warp PBS one seems to be always to cost more than traditional PBS, but it's really dependent on the context for the comparison between what PBS to and traditional PBS. So what about parallel complexity? How does it compare? So each layer of PBS became just one PBS. And if we have two multiplication, we have one multiplication. So the interesting take on this slide is that the algorithm we introduced are easily parallelizable. And with the help of parallelization, the complexity are quite close to the one of a traditional PBS. So now it's the time to conclude this presentation and to, so I will begin by by summing up the contribution we just presented. So first of all, we showed you a BFV like multiplication in TFHE. Then we introduced a way to evaluate several look at table at once with the PBS menu. And finally, we introduced two way to build a bootstrapping without padding, the warp PBS one and the warp PBS two. So if you look at the at the paper, you will find more contribution. You will find a generic and types noises analysis of each introduced FHG operators. You will also find a way to build an efficient circuit bootstrap using the PBS menu. You will also find an efficient algorithm to split ciphertext in chunk using the warp PBS. And using this splitting in chunks, you can easily build a large precision bootstrap. And to finish, we also introduced a new approach for get bootstrapping, and we extended to arithmetic circuits. Finally, I'm going to introduce some open problems that still need to be solved. So first of all, we need to take a look at the FFT because for the tons of product we need a high precision FFT. And we want to experiment with hardware implementation, as it will be easy to parallelize everything and to play with the precision inside the FFT. We also want to find alternatives to the bootstrapping without padding, we just showed you because of the noise growth in those algorithms. And to finish, we want to improve the LWE to GLWE switch because as of now it's a huge part of the complexity of the warp PBS. Thank you for your listening.