Optimization of Bootstrapping in Circuits
Fabrice Benhamouda
IBM Research, USA
Tancrède Lepoint
SRI International
Claire Mathieu
École Normale Supérieure
SODA’17
3
2
1
0
0
1
1
Crypto Cloud
1
Hang Zhou
Max Planck Institute
Motivation: Fully Homomorphic Encryption
Encrypted(not a)
Encrypted(a)
Encrypted(a xor b)
Encrypted(b)
Encrypted(a and b)
Motivation: Noise Level
Encrypted(not a)
`a
Encrypted(a)
`a
Encrypted(a xor b)
max(`a , `b )
Encrypted(b)
`b
Encrypted(a and b)
1 + max(`a , `b )
Valid for decryption:
noise level within some parameter L
(L ≈ 17 in practice)
Motivation: Bootstrap Operations
Encrypted(. . . )
Encrypted(. . . )
≤L
0
bootstrap
Goal: Minimize the number of bootstrap operations
Bootstrap Problem
Input:
a directed acyclic graph G = (V , E ) with two kinds of vertices:
` = max(·, ·)
` = 1 + max(·, ·)
an integer parameter L
Output:
a subset S ⊆ V of minimum cardinality such that bootstrapping S
ensures ` ≤ L at every vertex
Previous Results
Greedy approaches with approximation ratio Ω(|V |)
[Gentry Halevi 2011; Gentry Halevi Smart 2012]
Heuristic method
[Lepoint Paillier 2013]
Polynomial time algorithm for L = 1 and NP-hardness for L ≥ 2
[Paindavoine Vialla 2015]
Our Results
Approximation
Polynomial-time L-approximation algorithm (L ≥ 1)
Idea: linear program and new rounding scheme
Inapproximability
UG-hard to compute an (L − )-approximation (L ≥ 2)
Idea: reduction to the DAG vertex deletion problem [Svensson 2013]
Our Results
Approximation
Polynomial-time L-approximation algorithm (L ≥ 1)
Idea: linear program and new rounding scheme
Inapproximability
UG-hard to compute an (L − )-approximation (L ≥ 2)
Idea: reduction to the DAG vertex deletion problem [Svensson 2013]
Preliminary Observation
L=2
a path containing 3 red vertices
⇓
some vertex is bootstrapped
Preliminary Observation
L=2
a path containing 3 red vertices
⇓
some vertex is bootstrapped
Preliminary Observation
L=2
a path containing 3 red vertices
⇓
some vertex is bootstrapped
Interesting path: containing L + 1 red vertices
Preliminary Observation
L=2
a path containing 3 red vertices
⇓
some vertex is bootstrapped
Interesting path: containing L + 1 red vertices
Observation
bootstrap solution ⇐⇒ every interesting path has a bootstrapped vertex
Linear Program Relaxation
v1
v2
(
1 if v is bootstrapped
xv =
0 otherwise
v3
v4
constraint: xv1 + xv2 + xv3 + xv4 ≥ 1
min
X
xv
v ∈V
s. t.
X
xv ≥ 1
∀ interesting path p
0 ≤ xv ≤ 1
∀v ∈V
v ∈p
Rounding Algorithm
Definition:
length of a path: sum of xv along the path
fv ,i : minimum length of a path that ends at v and contains
i red vertices
Interval Av ,i := [fv ,i , fv ,i + xv ]
Randomized Rounding
1
2
Pick t ∈ [0, 1] uniformly at random
For every vertex v , bootstrap v if t ∈ Av ,i for some i ∈ {1, . . . , L}.
Correctness
Need to show:
Every interesting path v1 , . . . , vk contains a bootstrapped vertex.
Define ij := # red vertices among v1 , . . . , vj .
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
0
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
0
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
Av2 ,i2
0
fvj+1 ,ij+1 ≤ fvj ,ij + xvj by definition of f
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
Av2 ,i2
Av3 ,i3
0
fvj+1 ,ij+1 ≤ fvj ,ij + xvj by definition of f
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
Av2 ,i2
Av3 ,i3
0
fvj+1 ,ij+1 ≤ fvj ,ij + xvj by definition of f
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
Av2 ,i2
Av3 ,i3
0
fvj+1 ,ij+1 ≤ fvj ,ij + xvj by definition of f
1
Correctness
Claim
The union of Avj ,ij covers the [0, 1]-interval.
Proof:
1 A
v1 ,i1 starts at 0;
2 every pair of consecutive intervals A
vj ,ij and Avj+1 ,ij+1 intersect;
3 A
vk ,ik covers 1.
Av1 ,i1
Av2 ,i2
0
ik = L + 1
Av3 ,i3
Avk ,ik
1
=⇒
fvk ,ik ≥ 1 by definition of f and LP constraints
L-Approximation
A vertex v is bootstrapped if t ∈ Av ,i for some i ∈ {1, . . . , L}.
P[v is bootstapped] ≤ L · xv .
Expected number of bootstrapped vertices:
X
L · xv ≤ L · OPT.
v ∈V
Conclusion
Approximation
Polynomial-time L-approximation algorithm (L ≥ 1)
Inapproximability
UG-hard to compute an (L − )-approximation (L ≥ 2)
Thank you!
Motivation: Classical Encryption
x
Encrypted(x)
K
Encrypted(x)
Motivation: Classical Encryption
What is f (x)?
K
Encrypted(x)
Motivation: Fully Homomorphic Encryption
Gentry 2008:
Fully Homomorphic Encryption (FHE)
Encrypted(x)
K
Encrypted(f (x))
Motivation: Fully Homomorphic Encryption
Gentry 2008:
Fully Homomorphic Encryption (FHE)
Encrypted(x)
K
Encrypted(f (x))
f (x)
Encrypted(f (x))
Derandomization
{fv ,i }v ,i ∪ {fv ,i + xv }v ,i contains 2|V | · L values.
[0, 1] interval is decomposed into O(|V | · L) sub-intervals.
Deterministic Rounding
1
For each sub-interval, pick any t and perform the previous rounding;
2
Return the best solution found.
Inapproximability
DAG Vertex Deletion (DVD) problem (Svensson 2013):
Input:
a directed acyclic graph G = (V , E )
an integer parameter L
Output:
a subset S ⊆ V of minimum cardinality such that G \ S contains
no path of L vertices.
Inapproximability for DVD [Svensson]
NP-hard to compute an (L − )-approximation for the DVD problem
(L ≥ 2), assuming the Unique Games Conjecture
Inapproximability
Reduction from DVD to the bootstrap problem:
DVD instance ⇐⇒ bootstrap instance with red and white vertices
Technical issues: indegree in the DVD problem is not bounded;
indegree in the bootstrap problem is bounded by 2
Inapproximability for bootstrap problem
NP-hard to compute an (L − )-approximation for the bootstrap problem
(L ≥ 2), assuming the Unique Games Conjecture
Example
2
4
1
3
2
0
1
0
2
1
0
0
0
0
1
1
0
0
` = max(·, ·)
1
0
0
`=0
` = 1 + max(·, ·)
L=2
0