阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption


这篇文章写的比较早了,当时关于PEGASUS其实也是一知半解,回过头来看发现这里的除了Linear Transform应该都是现有的技术,这篇文章主要是做了Batched RLWE到多个LWE之间的互相转换做LUT再打包回去。其中LWE执行LUT其实就是Functional Bootstrapping的技术,Extract和KeySwitch应该是出自陈昊的文章。


同态加密(HE)被认为是保护隐私应用的最重要的原语之一。然而,在加密数据上评估多项式和非多项式函数的有效方法仍然缺乏,这阻碍了同态加密在现实生活中的应用。为了解决这个问题,我们提出了一个实用框架PEGASUS。PEGASUS可以在打包的CKKS密码文和FHEW密码文之间有效地来回切换,而无需解密,使我们可以在CKKS方面有效地评估算术函数,并在FHEW密码文上评估查找表(也就是非多项式函数)。我们的FHEW → CKKS转换算法比现有方法更实用。我们将计算复杂性从线性提高到亚线性。此外,我们的转换密钥的大小明显更小,例如,从80千兆字节减少到12兆字节。 我们提出了PEGASUS的广泛基准,包括sigmoid/ReLU/min/max/division,排序和最大集合。为了进一步证明PEGASUS的能力,我们又开发了两个应用程序。第一个是私人决策树评估,其通信成本比以前基于HE的方法小两个数量级。第二个是一个安全的K-means聚类,它能够在几分钟内运行在成千上万的加密样本上,比现有的最佳系统要好14×-20倍。据我们所知,这是第一项支持在单服务器环境下使用HE进行实用K-means聚类的工作。









  • 我们的LUT方法接收一个40比特的输入数据,代价是引入了一些近似错误。 这样大的输入域对于许多应用来说是足够的,例如保护隐私的机器学习。我们对这些误差进行了经验和理论分析。

  • 我们提出了一种存储高效且快速的重新打包算法。简而言之,我们的重新打包密钥由一个CKKS密码文组成,这比CHIMERA由成千上万的CKKS密码文组成的密钥小得多。

  • 我们使用SEAL实现了PEGASUS。与CHIMERA不同的是,我们没有将CKKS输出到环面上。因此,Pegasus可以受益于底层优化的NTT/RNS的效率。https://github.com/Alibaba-Gemini-Lab/OpenPEGASUS。

  • 我们提出了广泛的实证结果,包括加密数据的最小/最大、排序、除法、平方根和决策树评估。为了进一步证明Pegasus的潜力,我们还实现了一个可行的应用程序,在几分钟内对成千上万的加密样本运行K-means聚类。据我们所知,我们是第一个在单服务器环境下使用纯HE实现实际安全K-means聚类的人。


R n , q = R n / q R n ≡ Z q [ X ] / ( X n + 1 ) R_{n, q}=R_{n} / q R_{n} \equiv \mathbb{Z}_{q}[X] /\left(X^{n}+1\right) Rn,q=Rn/qRnZq[X]/(Xn+1)

( b , a ) = ( m + e − a T s , a ) ∈ LWE s n , q ( m ) , m ∈ Z q (b,\mathbf{a})=(m+e-\mathbf{a}^T\mathbf{s},\mathbf{a})\in \text{LWE}_{\mathbf{s}}^{n, q}(m),m\in Z_q (b,a)=(m+eaTs,a)LWEsn,q(m),mZq

( b ^ , a ^ ) = ( m ^ + e ^ − a ^ ⋅ s ^ , a ^ ) ∈ RLWE s ^ n , q ( m ^ ) , m ^ ∈ R n , q (\hat{b},\hat{a})=(\hat{m}+\hat{e}-\hat{a}\cdot \hat{s},\hat{a})\in \text{RLWE}_{\hat{s}}^{n,q}(\hat{m{}}),\hat{m} \in R_{n,q} (b^,a^)=(m^+e^a^s^,a^)RLWEs^n,q(m^),m^Rn,q

用一个向量 s \mathbf{s} s来表示多项式密钥 s ^ \hat{s} s^,那么 RLWE s ^ n , q ( m ^ ) \text{RLWE}_{\hat{s}}^{n,q}(\hat{m{}}) RLWEs^n,q(m^)可写为 RLWE s n , q ( m ^ ) \text{RLWE}_{\mathbf{s}}^{n,q}(\hat{m{}}) RLWEsn,q(m^)

Ecd ⁡ \operatorname{Ecd} Ecd Ecd ⁡ ( v , Δ ) = v ^ ∈ R n , q \operatorname{Ecd}(\mathbf{v}, \Delta)=\hat{v} \in R_{n, q} Ecd(v,Δ)=v^Rn,q ( v ∈ R ℓ ) (\mathbf{v} \in \mathbb{R}^{\ell}) (vR)

Dcd ⁡ \operatorname{Dcd} Dcd Dcd ⁡ ( v ^ , Δ , ℓ ) = v ∈ R ℓ \operatorname{Dcd}(\hat{v}, \Delta, \ell)=\mathbf{v} \in \mathbb{R}^{\ell} Dcd(v^,Δ,)=vR 将多项式环上的元素逆编码为一个向量。

  1. RNS and NTT: A well-known technique to optimize the integer polynomial arithmetic on R n , q R_{n, q} Rn,q is to use a full RNS by taking the modulus q q q as the product of distinct and machine-word-sized primes, i.e., q = ∏ i ∈ ⟨ L ⟩ q i . q=\prod_{i \in\langle L\rangle} q_{i} . q=iLqi. One can achieve up to L × L \times L× improvement in polynomial arithmetic according to the ring isomorphism R n , q → ∏ i ∈ ⟨ L ⟩ R n , q i . R_{n, q} \rightarrow \prod_{i \in\langle L\rangle} R_{n, q_{i}} . Rn,qiLRn,qi.

RNS: Residue Number Systems, NTT: Number Theoretic Transform


初始有一个RLWE密文 c t ∈ R L W E s ‾ n , q ( Ecd ⁡ ( v , Δ ) ) \mathrm{ct} \in \mathrm{RLWE}_{\overline{\mathbf{s}}}^{n, q}(\operatorname{Ecd}(\mathbf{v}, \Delta)) ctRLWEsn,q(Ecd(v,Δ)),其中 v ∈ R ℓ . \mathbf{v} \in \mathbb{R}^{\ell} . vR. 可以将转化过程分为三步

  1. 提取编码向量的元素,得到一组LWE密码文。

 ct  → c t i ∈ L W E s ‾ n ˉ , q ( Δ v [ i ] )  for  i ∈ ⟨ ℓ ⟩ \text { ct } \rightarrow \mathrm{ct}_{i} \in \mathrm{LWE}_{\overline{\mathbf{s}}}^{\bar{n}, q}(\Delta \mathbf{v}[i]) \text { for } i \in\langle\ell\rangle  ct ctiLWEsnˉ,q(Δv[i]) for i

  1. 对每个LWE密文进行查找表操作 T ( x ) T(x) T(x)

c t i → c t i ′ ∈ L W E s ‾ n ˉ , q ( Δ T ( v [ i ] ) )  for  i ∈ ⟨ ℓ ⟩ \mathrm{ct}_{i} \rightarrow \mathrm{ct}_{i}^{\prime} \in \mathrm{LWE}_{\overline{\mathbf{s}}}^{\bar{n}, q}(\Delta T(\mathbf{v}[i])) \text { for } i \in\langle\ell\rangle ctictiLWEsnˉ,q(ΔT(v[i])) for i

  1. 将这些LWE密文重新打包为一个RLWE密文,其中的密文是 T ( v ) T(\mathbf{v}) T(v)的编码.

{ c t i ′ } i ∈ ⟨ ℓ ⟩ → c t ′ ′ ∈ RLW ⁡ E s ‾ n ˉ , q ′ ′ ( Ecd ⁡ ( T ( v ) , Δ ) ) \left\{\mathrm{ct}_{i}^{\prime}\right\}_{i \in\langle\ell\rangle} \rightarrow \mathrm{ct}^{\prime \prime} \in \operatorname{RLW} \mathrm{E}_{\overline{\mathrm{s}}}^{\bar{n}, q^{\prime \prime}}(\operatorname{Ecd}(T(\mathrm{v}), \Delta)) {cti}ictRLWEsnˉ,q(Ecd(T(v),Δ))



i n p u t : c t i n = R L W E s ‾ n ‾ , Q l ( E c d ( v , Δ ) )   ( l > 1 ) , a look up table  T ( x ) : R → R \mathrm{input} : \mathrm{ct}_{in}=\mathrm{RLWE}_{\overline{\mathbf{s}}}^{\overline{n},Q_l}(\mathrm{Ecd(\mathbf{v},\Delta)})\ (l>1),\text{a look up table } T(x):\mathbb{R}\to\mathbb{R} input:ctin=RLWEsn,Ql(Ecd(v,Δ)) (l>1),a look up table T(x):RR

o u t p u t : c t o u t ∈ R L W E s ‾ n ‾ , Q L ′ ( E c d ( T ( v ) , Δ ) ) \mathrm{output}: \mathrm{ct}_{out}\in\mathrm{RLWE}_{\mathrm{\overline{s}}}^{\overline{n},Q_{L'}}(\mathrm{Ecd}(T(\mathbf{v}),\Delta)) output:ctoutRLWEsn,QL(Ecd(T(v),Δ))

Q l = ∏ l ∈ ⟨ i ⟩ q l ( 1 ≤ i ≤ L ) Q_l=\prod_{l\in \langle i\rangle}{q_l} (1 \le i \le L) Ql=liql(1iL) ,it requires l > 1 l > 1 l>1 since S2C itself might consume 1 or 2 ciphertext moduli. The computational costs of the following LUT evaluation and repacking depends on the modulus size of the LWE ciphertexts. To lighten the computation, PEGASUS drops all RLWE moduli but keeps the first one q 0 q_0 q0 before Step 3.

R e m a r k : s ‾ → n ‾ , s → n , s ‾ → n ‾ , 0 < Δ , Δ r , Δ r ′ < q 0 \mathrm{Remark:} \overline{\mathbf{s}}\rightarrow \overline{n},\mathbf{s}\to n,\underline{\mathbf{s}}\to \underline{n},0<\Delta,\Delta_r,\Delta_r'Remark:sn,sn,sn,0<Δ,Δr,Δr<q0

1: c t ′ = S 2 C ( c t i n ) \mathrm{ct}^{\prime}=\mathrm{S2C}\left(\mathrm{ct}_{\mathrm{in}}\right) ct=S2C(ctin)

▹ c t ′ ∈ R L W E s ‾ n ‾ , q 0 ( Δ v ^ ) ,   v i = v [ i ] \triangleright \mathrm{ct}^{\prime} \in \mathrm{RLWE} _{\overline{\mathbf{s}}}^{\overline{n}, q_{0}}(\Delta \hat{v}) ,\ v_i=\mathbf{v}[i] ctRLWEsn,q0(Δv^), vi=v[i]

S2C算法将 c t ct ct的slot中的值转为多项式系数(coefficient)上的值

2: 提取多项式系数.for each i ∈ ⟨ ℓ ⟩ i \in\langle\ell\rangle i. c t i = E x t r a c t i ( c t ′ ) \mathrm{ct}_{i}= \mathrm{Extract}^{i}\left(\mathrm{ct}^{\prime}\right) cti=Extracti(ct)

▹ c t i ∈ L W E s ‾ n ˉ , q 0 ( Δ v [ i ] ) \triangleright \mathrm{ct}_{i} \in \mathrm{LWE}_{\overline{\mathbf{s}}}^{\bar{n}, q_{0}}(\Delta \mathbf{v}[i]) ctiLWEsnˉ,q0(Δv[i])

Extract算法将 c t ′ ct' ct的每项多项式系数分别提取到一个LWE的密文中

3: for i ∈ ⟨ ℓ ⟩ i \in\langle\ell\rangle i do ▹ \triangleright parallel

4: c t ˙ i = P E G A S U S . K S ( c t i , S w K s ‾ → s ‾ ) \dot{\mathrm{ct}}_{i}= \mathrm{PEGASUS.KS} \left(\mathrm{ct}_{i}, \mathrm{SwK}_{\overline{\mathbf{s}} \rightarrow \underline{\mathbf{s}}}\right) ct˙i=PEGASUS.KS(cti,SwKss).

▹ c t ˙ i ∈ L W E s ‾ n ‾ , q 0 ( Δ v [ i ] ) \triangleright \dot{\mathrm{ct}}_{i} \in \mathrm{LWE}_{\mathbf{\underline{s}}}^{\underline{n}, q_{0}}(\Delta \mathrm{v}[i]) ct˙iLWEsn,q0(Δv[i])

将维数 n ˉ \bar{n} nˉ 换位更小的 n ‾ \underline{n} n ​,因为后一步的LUT会扩大模数。

5: \quad c t ¨ i = P E G A S U S . L U T ( c t ˙ i , E K , T ( x ) ) \ddot{c t}_{i}= \mathrm{PEGASUS.LUT} \left(\dot{c t}_{i}, E K, T(x)\right) ct¨i=PEGASUS.LUT(ct˙i,EK,T(x)).

▹ c t ¨ i ∈ L W E s n , q 0 ( Δ T ( v [ i ] ) ) \triangleright \ddot{\mathrm{ct}}_{i} \in \mathrm{LWE}_{\mathbf{s}}^{n, q_{0}}(\Delta T(\mathbf{v}[i])) ct¨iLWEsn,q0(ΔT(v[i]))

执行查找表(lookup table).

6: c t i ¨ = ( b i , a i ) = P E G A S U S . K S ( c t ¨ i , S w K s → s ‾ ) \ddot{ \mathrm{ct}_{i}}=\left(b_{i}, \mathbf{a}_{i}\right)= \mathrm{PEGASUS.KS}( \left.\ddot{\mathrm{ct}}_{i}, \mathrm{SwK}_{\mathbf{s} \rightarrow \underline{\mathbf{s}}}\right) cti¨=(bi,ai)=PEGASUS.KS(ct¨i,SwKss).

▹ c t ¨ i ∈ LWE ⁡ s ‾ n ‾ , q 0 ( Δ T ( v [ i ] ) ) \triangleright \ddot{\mathrm{ct}}_{i} \in \operatorname{LWE}^{\underline{n}, q_{0}}_{\mathbf{\underline{s}}}(\Delta T(\mathbf{v}[i])) ct¨iLWEsn,q0(ΔT(v[i]))

将维数 n n n 再次缩减到 $\underline{n} $.

7: end for

8: 令 b = [ b 0 , ⋯   , b ℓ − 1 ] \mathbf{b}=\left[b_{0}, \cdots, b_{\ell-1}\right] b=[b0,,b1] A ∈ Z q 0 ℓ × n ‾ \mathbf{A} \in \mathbb{Z}_{q_{0}}^{\ell \times \underline{n}} AZq0×n A \mathbf{A} A 的第 i i i行是 $ \mathbf{a}_{i} $

▹ A s + b   m o d   q 0 = Ecd ⁡ ( T ( v ) , Δ ) \quad \triangleright \mathbf{A} \mathbf{s}+\mathbf{b} \bmod q_{0}=\operatorname{Ecd}(T(\mathbf{v}), \Delta) As+bmodq0=Ecd(T(v),Δ)

9: 对RK进行线性变换 c t ~ = P E G A S U S . L T ( R K , RotK ⁡ , Δ r ′ , A , b ) . \tilde{c t}= \mathrm{PEGASUS.LT } \left(\mathrm{RK}, \operatorname{RotK}, \Delta_{r}^{\prime}, \mathbf{A}, \mathbf{b}\right) . ct~=PEGASUS.LT(RK,RotK,Δr,A,b).

▹ c t ~ ∈ R L W E s ‾ n ˉ , Q L − 1 ( Ecd ⁡ ( A s + b , Δ r ′ ) ) \triangleright \tilde{ct} \in \mathrm{RLWE}_{\overline{\mathbf{s}}}^{\bar{n}, Q_{L-1}}\left(\operatorname{Ecd}\left(\mathbf{A} \mathbf{s}+\mathbf{b}, \Delta_{r}^{\prime}\right)\right) ct~RLWEsnˉ,QL1(Ecd(As+b,Δr))

 Repacking key  R K ∈ RLWE ⁡ s ‾ n ˉ , Q L ( Ecd ⁡ ( s ‾ , Δ r ) ) \text { Repacking key } \mathrm{RK} \in \operatorname{RLWE}_{\overline{\mathrm{s}}}^{\bar{n}, Q_{L}}\left(\operatorname{Ecd}\left(\underline{\mathbf{s}}, \Delta_{r}\right)\right)  Repacking key RKRLWEsnˉ,QL(Ecd(s,Δr))
10: 调用 F mod  \mathcal{F}_{\text {mod }} Fmod  c t ~ \tilde{ct} ct~中的余数 q 0 q_{0} q0消去得到 c t out  \mathrm{ct}_{\text {out }} ctout .

  c t o u t ∈ R L W E s ‾ n ˉ , Q L ′ ( Ecd ⁡ ( T ( v ) , Δ ) ) \ \mathrm{ct}_{\mathrm{out}} \in \mathrm{RLWE}_{\overline{\mathbf{s}}}^{\bar{n}, Q_{L^{\prime}}}(\operatorname{Ecd}(T(\mathbf{v}), \Delta))  ctoutRLWEsnˉ,QL(Ecd(T(v),Δ))


S2C & Extract

S 2 C \mathrm{S2C} S2C相当于同态地运行了一个 D c d \mathrm{Dcd} Dcd函数。

Given the RLWE ciphertext ct which encrypts Ecd ⁡ ( v , Δ ) \operatorname{Ecd}(\mathbf{v}, \Delta) Ecd(v,Δ), the operation S 2 C ( c t ) \mathrm{S} 2 \mathrm{C}(\mathrm{ct}) S2C(ct) results in an RLWE ciphertext that encrypts a ring element v ^ \hat{v} v^ whose coefficients are v i = Δ v [ i ] v_{i}=\Delta \mathbf{v}[i] vi=Δv[i] for all possible positions.

E x t r a c t i \mathrm{Extract}^i Extracti R L W E \mathrm{RLWE} RLWE中的系数每一项提取成一个 L W E \mathrm{LWE} LWE密文。

Coefficients Extraction. Given the ciphertext c t = RLWE ⁡ s n , p ( m ^ ) \mathrm{ct}=\operatorname{RLWE}_{\mathbf{s}}^{n, p}(\hat{m}) ct=RLWEsn,p(m^), and an integer k ∈ ⟨ n ⟩ k \in\langle n\rangle kn, the operation Extract k ( c t ) ^{k}(\mathrm{ct}) k(ct) results in L W E s n , p ( m k ) \mathrm{L W E}_{\mathbf{s}}^{n, p}\left(m_{k}\right) LWEsn,p(mk), i.e., an LWE encryption of the k k k -th coefficient of m ^ \hat{m} m^ under the same secret key.

PEGASUS uses the combination of S2C and Extract to convert an RLWE ciphertext of an encoded vector to a set of LWE ciphertexts of the vector elements.

PEGASUS 中 S2C算法来自 K. Han, M. Hhan, and J. H. Cheon, “Improved homomorphic discrete fourier transforms and FHE bootstrapping,” IEEE Access, vol. 7, pp. 57 361–57 370, 2019.



KeySwitching方法将一个由 s ‾ \overline{\mathbf{s}} s加密的LWE密文转换为由 s ‾ \underline{\mathbf{s}} s加密的LWE密文。需要一个转换密钥。目的是为了减少维数更大的向量在运算中带来的更大的噪声。


阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第1张图片


阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第2张图片

LookUp Table

在PEGASUS的LUT方法中,他们采用的技术是将每个LUT计算结果 T ( i ) T(i) T(i)作为一个多项式中第 i i i项的系数,通过一个算法将第 m m m项的次数变为0,然后通过提取多项式中次数为0的项来得到 T ( m ) T(m) T(m)


阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第3张图片


lookup table算法的最终要达到的效果是得一个密文是执行了 T ( m ) T(m) T(m)的LWE密文,
阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第4张图片


正确性一:如果最后得到的 A C n ‾ ∈ RLWE ⁡ s ( f ^ ⋅ X b ~ + a ~ ⊤ s ‾   m o d   n ) \mathrm{AC}_{\underline{n}} \in \operatorname{RLWE}_{\mathrm{s}}\left(\hat{f} \cdot X^{\tilde{b}+\tilde{\mathbf{a}}^{\top} \underline{\mathbf{s}} \bmod n}\right) ACnRLWEs(f^Xb~+a~smodn),则输出为 L W E s n , q ( ⌈ Δ T ( m ) ⌋ + e ) \mathrm{LWE}_{\mathbf{s}}^{n,q}(\lceil\Delta T(m)\rfloor +e) LWEsn,q(ΔT(m)+e)

b ~ + a ~ ⊤ s ‾   m o d   n ≈ 2 n q ⌈ Δ m ⌋ + 2 ϵ n \tilde{b}+\tilde{\mathbf{a}}^\top \underline{\mathbf{s}} \bmod n \approx \frac{2n}{q}\lceil \Delta m \rfloor + 2\epsilon n b~+a~smodnq2nΔm+2ϵn , let δ = b ~ + a ~ ⊤ s ‾ , \delta = \tilde{b}+\tilde{\mathbf{a}}^\top \underline{\mathbf{s}} , δ=b~+a~s,

Then the 0 -th coefficient of f ^ ⋅ X b ^ + a ~ ⊤ s ‾   m o d   n \hat{f} \cdot X^{\hat{b}+\tilde{\mathbf{a}}^{\top}\underline{\mathbf{s}}} \bmod n f^Xb^+a~smodn is
{ f ∣ δ ∣ X ∣ δ ∣ ⋅ − X n − ∣ δ ∣ = ⌈ Δ T ( − η ∣ δ ∣ ) ⌋  for  δ ≤ 0 − f n − δ X n − δ ⋅ X δ = ⌈ Δ T ( η δ ) ⌋  for  δ > 0 \left\{\begin{array}{l} f_{|\delta|} X^{|\delta|} \cdot-X^{n-|\delta|}=\left\lceil\Delta T\left(-\eta_{|\delta|}\right)\right\rfloor \text { for } \delta \leq 0 \\ -f_{n-\delta} X^{n-\delta} \cdot X^{\delta}=\left\lceil\Delta T\left(\eta_{\delta}\right)\right\rfloor \text { for } \delta>0 \end{array}\right. {fδXδXnδ=ΔT(ηδ) for δ0fnδXnδXδ=ΔT(ηδ) for δ>0
By definition
η δ = ⌈ 2 n q 0 ⌈ Δ m ⌋ ⌋ q 0 2 n Δ ≈ m \eta_{\delta}=\frac{\left\lceil\frac{2 n}{q_{0}}\lceil\Delta m\rfloor\right\rfloor q_{0}}{2 n \Delta} \approx m ηδ=2nΔq02nΔmq0m

**正确性二:**最后得到的 A C n ‾ \mathrm{AC}_{\underline{n}} ACn确实满足上述的格式。

s ‾ [ j ] = 1 \underline{\mathbf{s}}[j]=1 s[j]=1时, E K j , 0 ∈ RGSW ⁡ s n , q ( 1 ) ) , E K j , 1 ∈ RGSW ⁡ s n , q ( 0 ) \mathrm{EK}_{j, 0} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(1)\right), \mathrm{EK}_{j, 1} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(0\right) EKj,0RGSWsn,q(1)),EKj,1RGSWsn,q(0)

s ‾ [ j ] = 0 \underline{\mathbf{s}}[j]=0 s[j]=0时, E K j , 0 ∈ RGSW ⁡ s n , q ( 1 ) ) , E K j , 1 ∈ RGSW ⁡ s n , q ( 1 ) \mathrm{EK}_{j, 0} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(1)\right), \mathrm{EK}_{j, 1} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(1\right) EKj,0RGSWsn,q(1)),EKj,1RGSWsn,q(1)

s ‾ [ j ] = − 1 \underline{\mathbf{s}}[j]=-1 s[j]=1时, E K j , 0 ∈ RGSW ⁡ s n , q ( 0 ) ) , E K j , 1 ∈ RGSW ⁡ s n , q ( 1 ) \mathrm{EK}_{j, 0} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(0)\right), \mathrm{EK}_{j, 1} \in \operatorname{RGSW}_{\mathrm{s}}^{n, q}\left(1\right) EKj,0RGSWsn,q(0)),EKj,1RGSWsn,q(1)

  1. Suppose s ‾ [ j ] = 0 \underline{\mathbf{s}}[j]=0 s[j]=0 then a ~ [ j ] s ‾ [ j ] = 0 \tilde{\mathbf{a}}[j] \underline{\mathbf{s}}[j]=0 a~[j]s[j]=0. We note that E K j , 0 \mathrm{EK}_{j, 0} EKj,0 and E K j , 1 \mathrm{EK}_{j, 1} EKj,1 are both GSW encryption of 1 in this case.
    A C j + 1 = ( ( X − a ~ [ j ] − 1 ) ⋅ t j ) ⊙ RGSW ⁡ s ‾ ‾ ( 1 ) + t j = X − a ~ [ j ] ⋅ t j = X − a ~ [ j ] ⋅ X a ~ [ j ] ⋅ A C j = A C j \begin{aligned} \mathrm{AC}_{j+1} &=\left(\left(X^{-\tilde{\mathbf{a}}[j]}-1\right) \cdot \mathrm{t}_{j}\right) \odot \operatorname{RGSW}_{\underline{\underline{s}}}(1)+\mathrm{t}_{j} \\ &=X^{-\tilde{\mathbf{a}}[j]} \cdot \mathrm{t}_{j}=X^{-\tilde{\mathbf{a}}[j]} \cdot X^{\tilde{\mathbf{a}}[j]} \cdot \mathrm{AC}_{j}=\mathrm{AC}_{j} \end{aligned} ACj+1=((Xa~[j]1)tj)RGSWs(1)+tj=Xa~[j]tj=Xa~[j]Xa~[j]ACj=ACj
  2. Suppose s ‾ [ j ] = 1 \underline{\mathbf{s}}[j]=1 s[j]=1 then a ~ [ j ] s ‾ [ j ] = a ~ [ j ] . \tilde{\mathbf{a}}[j] \underline{\mathbf{s}}[j]=\tilde{\mathbf{a}}[j] . a~[j]s[j]=a~[j]. We note that E K j , 0 \mathrm{EK}_{j, 0} EKj,0 is a GSW encryption of 1 and E K j , 1 \mathrm{EK}_{j, 1} EKj,1 is a GSW encryption of 0 in this case.
    A C j + 1 = ( ( X − a ~ [ j ] − 1 ) ⋅ t j ) ⊙ RGSW ⁡ s ‾ ‾ ( 0 ) + t j = t j = X a ~ [ j ] ⋅ A C j \begin{aligned} \mathrm{AC}_{j+1} &=\left(\left(X^{-\tilde{\mathbf{a}}[j]}-1\right) \cdot \mathrm{t}_{j}\right) \odot \operatorname{RGSW}_{\underline{\underline{s}}}(0)+\mathrm{t}_{j} \\ &=\mathrm{t}_{j}=X^{\tilde{\mathbf{a}}[j]} \cdot \mathrm{AC}_{j} \end{aligned} ACj+1=((Xa~[j]1)tj)RGSWs(0)+tj=tj=Xa~[j]ACj
  3. Suppose s ‾ [ j ] = − 1 \underline{\mathbf{s}}[j]=-1 s[j]=1 then a ~ [ j ] s ‾ [ j ] = − a ~ [ j ] . \tilde{\mathbf{a}}[j] \underline{\mathbf{s}}[j]=-\tilde{\mathbf{a}}[j] . a~[j]s[j]=a~[j]. We note that E K j , 0 \mathrm{EK}_{j, 0} EKj,0 is GSW encryption of 0 and E K j , 1 \mathrm{EK}_{j, 1} EKj,1 is a GSW encryption of 1 in this case.
    A C j + 1 = ( ( X − a ~ [ j ] − 1 ) ⋅ t j ) ⊙ RGSW ⁡ s ‾ ( 1 ) + t j = X − a ~ [ j ] ⋅ t j = X − a ~ [ j ] ⋅ A C j \begin{aligned} \mathrm{AC}_{j+1} &=\left(\left(X^{-\tilde{\mathbf{a}}[j]}-1\right) \cdot \mathrm{t}_{j}\right) \odot \operatorname{RGSW}_{\underline{\mathbf{s}}}(1)+\mathrm{t}_{j} \\ &=X^{-\tilde{\mathbf{a}}[j]} \cdot \mathrm{t}_{j}=X^{-\tilde{\mathbf{a}}[j]} \cdot \mathrm{AC}_{j} \end{aligned} ACj+1=((Xa~[j]1)tj)RGSWs(1)+tj=Xa~[j]tj=Xa~[j]ACj
    then,we have A C j ∈ RLWE ⁡ s ( f ^ ⋅ X b ~ + ∑ l ∈ ⟨ j ⟩ a ~ [ j ] s ‾ [ j ]   m o d   n ) \mathrm{AC}_{j} \in \operatorname{RLWE}_{\mathbf{s}}\left(\hat{f} \cdot X^{\tilde{b}+\sum_{l \in\langle j\rangle}\tilde{\mathbf{a}}[j] \underline{\mathbf{s}}[j] } \bmod n\right) ACjRLWEs(f^Xb~+lja~[j]s[j]modn), which means A C n ‾ ∈ RLWE ⁡ s ( f ^ ⋅ X b ~ + a ~ ⊤ s ‾   m o d   n ) \mathrm{AC}_{\underline{n}} \in \operatorname{RLWE}_{\mathrm{s}}\left(\hat{f} \cdot X^{\tilde{b}+\tilde{\mathbf{a}}^{\top} \underline{\mathbf{s}} \bmod n}\right) ACnRLWEs(f^Xb~+a~smodn)
Linear Transform

线性变换是将输入的 c t i n ∈ R L W E s ‾ n ˉ , q ( Ecd ⁡ ( z , Δ r ) ) \mathrm{ct}_{\mathrm{in}} \in \mathrm{RLWE}_{\overline{\mathrm{s}}}^{\bar{n}, q}\left(\operatorname{Ecd}\left(\mathbf{z}, \Delta_{r}\right)\right) ctinRLWEsnˉ,q(Ecd(z,Δr))以及明文矩阵 M \mathbf{M} M,明文向量 t \mathbf{t} t,得到 c t o u t ∈ R L W E s ‾ n ˉ , q / Δ r ( Ecd ⁡ ( M z + t , Δ r ) ) \mathrm{ct}_{\mathrm{out}} \in \mathrm{RLWE}_{\overline{\mathrm{s}}}^{\bar{n}, q/\Delta_r}\left(\operatorname{Ecd}\left(\mathbf{Mz+t}, \Delta_{r}\right)\right) ctoutRLWEsnˉ,q/Δr(Ecd(Mz+t,Δr))

看到总体的框架中,由于LUT执行的结果是$i\in\langle l \rangle, (b_i,\mathbf{a}i)=\mathrm{LWE}{\mathbf{s}}^{n,q}(\lceil\Delta T(m_i)\rfloor +e) , 其 中 ,其中 \Delta T(m_i)+e = \mathbf{a}_i \mathbf{s}+b_i \bmod q$

对于对于由 a i \mathbf{a}_i ai构成所有行的矩阵 A \mathbf{A} A,由 b i b_i bi构成每一个元素的向量 b \mathbf{b} b A s + b   m o d   q = Δ T ( m ) \mathbf{As+b} \bmod q=\Delta T(m) As+bmodq=ΔT(m)

所以在拥有一个 R L W E s ‾ n ˉ , q ( Ecd ⁡ ( s , Δ r ) ) \mathrm{RLWE}_{\overline{\mathrm{s}}}^{\bar{n}, q}\left(\operatorname{Ecd}\left(\mathbf{s}, \Delta_{r}\right)\right) RLWEsnˉ,q(Ecd(s,Δr))时,可以通过线性变换计算得到 c t o u t ∈ R L W E s ‾ n ˉ , q / Δ r ( Ecd ⁡ ( A s + b , Δ r ) ) \mathrm{ct}_{\mathrm{out}} \in \mathrm{RLWE}_{\overline{\mathrm{s}}}^{\bar{n}, q/\Delta_r}\left(\operatorname{Ecd}\left(\mathbf{As+b}, \Delta_{r}\right)\right) ctoutRLWEsnˉ,q/Δr(Ecd(As+b,Δr))


阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第5张图片


阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第6张图片


先来看例子中的情况,当 ℓ > n ‾ \ell>\underline{n} >n时,特别地,当 ℓ = 4 , n ‾ = 2 \ell=4,\underline{n}=2 =4,n=2时。

  1. Tiling and Diagonals.

    n ¨ = 4 , n ~ = 2 \ddot{n}=4,\tilde{n}=2 n¨=4,n~=2,有两个向量 m ~ 0 , m ~ 1 \tilde{\mathbf{m}}_0,\tilde{\mathbf{m}}_1 m~0,m~1.

    m ~ 0 [ 0 ] = M [ 0 , 0 ] , m ~ 0 [ 1 ] = M [ 1 , 1 ] , m ~ 0 [ 2 ] = M [ 2 , 0 ] , m ~ 0 [ 3 ] = M [ 3 , 1 ] , m ~ 0 [ 4 ] = M [ 4 , 0 ] \tilde{\mathbf{m}}_0[0]=M[0,0],\tilde{\mathbf{m}}_0[1]=M[1,1],\tilde{\mathbf{m}}_0[2]=M[2,0],\tilde{\mathbf{m}}_0[3]=M[3,1],\tilde{\mathbf{m}}_0[4]=M[4,0] m~0[0]=M[0,0],m~0[1]=M[1,1],m~0[2]=M[2,0],m~0[3]=M[3,1],m~0[4]=M[4,0].

    m ~ 1 [ 0 ] = M [ 0 , 1 ] , m ~ 1 [ 1 ] = M [ 1 , 0 ] , m ~ 1 [ 2 ] = M [ 2 , 1 ] , m ~ 1 [ 3 ] = M [ 3 , 0 ] , m ~ 1 [ 4 ] = M [ 4 , 1 ] \tilde{\mathbf{m}}_1[0]=M[0,1],\tilde{\mathbf{m}}_1[1]=M[1,0],\tilde{\mathbf{m}}_1[2]=M[2,1],\tilde{\mathbf{m}}_1[3]=M[3,0],\tilde{\mathbf{m}}_1[4]=M[4,1] m~1[0]=M[0,1],m~1[1]=M[1,0],m~1[2]=M[2,1],m~1[3]=M[3,0],m~1[4]=M[4,1].

  2. Baby-Step.

    g ~ = 2 , c 0 = R o t L 0 ( c t i n ) , c 1 = R o t L 1 ( c t i n ) \tilde{g}=2,c_0=\mathrm{RotL}^0(\mathrm{ct}_\mathrm{in}),c_1=\mathrm{RotL}^1(\mathrm{ct}_\mathrm{in}) g~=2,c0=RotL0(ctin),c1=RotL1(ctin).

    c 0 ∈ R L W E s ‾ n ˉ , q ( Ecd ⁡ ( z [ 0 ] , z [ 1 ] , Δ r ) ) , c 1 ∈ R L W E s ‾ n ˉ , q ( Ecd ⁡ ( z [ 1 ] , z [ 0 ] , Δ r ) ) \mathrm{c}_{\mathrm{0}} \in \mathrm{RLWE}_{\overline{\mathbf{s}}}^{\bar{n}, q}\left(\operatorname{Ecd}\left(z[0],z[1], \Delta_{r}\right)\right), \mathrm{c}_{\mathrm{1}} \in \mathrm{RLWE}_{\overline{\mathbf{s}}}^{\bar{n}, q}\left(\operatorname{Ecd}\left(z[1],z[0], \Delta_{r}\right)\right) c0RLWEsnˉ,q(Ecd(z[0],z[1],Δr)),c1RLWEsnˉ,q(Ecd(z[1],z[0],Δr))

  3. Giant-Step.

    b ~ = 1 , c t ~ = R o t L 0 ( E c d ( m ~ 0 ) ⋅ c 0 + E c d ( m ~ 1 ) ⋅ c 1 ) \tilde{b}=1,\tilde{\mathrm{ct}}=\mathrm{RotL}^0(\mathrm{Ecd}(\tilde{\mathbf{m}}_0)\cdot c_0+\mathrm{Ecd}(\tilde{\mathbf{m}}_1)\cdot c_1) b~=1,ct~=RotL0(Ecd(m~0)c0+Ecd(m~1)c1)

    c t ~ = R L W E s ‾ ( E c d ( M z ) , Δ r ) \tilde{\mathrm{ct}}=\mathrm{RLWE}_{\overline{\mathbf{s}}}(\mathrm{Ecd}(\mathbf{Mz}),\Delta_r) ct~=RLWEs(Ecd(Mz),Δr).

阿里PEGASUS笔记:PEGASUS : Bridging Polynomial and Non-polynomial Evaluations in Homomorphic Encryption_第7张图片

F m o d \mathcal{F}_{mod} Fmod

PEGASUS中 F m o d \mathcal{F}_{mod} Fmod算法来自K. Han and D. Ki, “Better bootstrapping for approximate homomorphic encryption,” in Topics in Cryptology - CT-RSA 2020 - The Cryptographers’ Track at the RSA Conference 2020, San Francisco, USA, February 24-28, 2020, Proceedings, pp. 364–390.
