Lattigo: a Multiparty Homomorphic Encryption Library in Go

Lattigo: a Multiparty Homomorphic Encryption Library in Go

Lattigo: a Multiparty Homomorphic Encryption Library inGo Christian Mouchet Jean-Philippe Bossuat [email protected] [email protected] EPFL EPFL Juan Troncoso-Pastoriza Jean-Pierre Hubaux [email protected] [email protected] EPFL EPFL ABSTRACT Table 1: The github.com/ldsec/lattigo/v2 Go module We present and demo of Lattigo, a multiparty homomorphic en- lattigo/ring provides the RNS (Residue Number Sys- cryption library in Go. After a brief introduction of the origin and tem) modular arithmetic over the ring 3 history of the library, we dive into the most relevant technical as- Z& »-¼/¹- ¸ 1º with 3 a power of two. This pects that differentiate Lattigo from other existing libraries. From includes: RNS basis extension, RNS division, the cryptographic research perspective, we describe our realiza- number theoretic transform (NTT), and uni- tion of the keyswitch and CKKS bootstrapping operations. We form, Gaussian and ternary sampling. also present our approach to multiparty homomorphic encryption lattigo/bfv implements the Full-RNS, scale-invariant and its importance for Lattigo use-cases. From the software per- scheme of Brakerski, Fan and Vercauteren 3 spective, we elaborate on the choice of the Go language and the (BFV) [5, 12, 14]; it supports Z? arithmetic. benefits it brings to application developers who use the library. lattigo/ckks implements the Full-RNS scheme of Cheon et We then present performance benchmarks and the main use-case al. [10, 11] (CKKS, a.k.a. HEAAN), that sup- applications the library had so far. The last part of the presentation ports approximate arithmetic over C3/2. This comprises a tutorial on how to use Lattigo to build a "toy" use-case: package features a bootstrapping procedure. a privacy-preserving web-application for scheduling meetings. lattigo/dbfv implements the local operations for mul- tiparty key-generation and key-switching 1 INTRODUCTION functionalities for the BFV scheme [19]. lattigo/dckks implements the local operations for mul- Homomorphic Encryption (HE) techniques are becoming increas- tiparty key-generation and key-switching ingly popular. This is reflected in a growing number of crypto- functionalities for the CKKS scheme [19]. graphic libraries that implement efficient instantiations, and in the current process for standardization of HE [3]. Traditionally, HE schemes are used in a two-party setting comprising a data-holder by featuring built-in concurrency primitives, extensive standard libraries and comprehensive toolchains for building, testing and party %1 that sends its encrypted input data G%1 to an external party analyzing code. In this demo, we present the Lattigo library, a Go %2, which can compute any polynomial function 5 ¹G%1 º over the scheme’s plaintext space, and then sends the encrypted result back module for R-LWE-based multiparty homomorphic encryption. to party %1 for decryption. In the passive-adversary model, this simple protocol can achieve secure two-party computations. 2 LIBRARY OVERVIEW The aforementioned setting can be extended to # parties through the use of Multiparty Homomorphic Encryption (MHE) techniques Lattigo is a Go module that contains the packages listed in Table 1. such as multi-key-HE (MKHE) [9, 18] and threshold-HE (Th-HE) Genesis. The development of Lattigo started in March 2019 as a [4, 19]. In such schemes, the involved parties collectively (hence, part of our research on multiparty homomorphic encryption (MHE) interactively) enforce the access control to the data by distributing and secure multiparty computation. In addition to the scientific the scheme’s decryption circuit. Mouchet et al. proposed a threshold interest in being able to quickly integrate our research results into version of BFV and showed that its use as a secure-multiparty- a code-base for their empirical evaluation, we saw an opportunity computation (MPC) solution is, for several generic circuits, faster to benefit the community by bringing HE to a new programming and has less communication overhead than LSSS-based MPC in language: Go. Our group currently uses Go for the implementation the same adversary model [19]. Thus, there is a great interest in of several applied research projects. As these systems transitioned building concrete MPC systems that can employ MHE schemes. from proof-of-concept implementations to real-world prototypes Such systems, by nature, are highly interactive, concurrent and deployed in operational settings, the need for a cryptographic layer cross-platform. For this reason, implementing them may represent supporting MHE became essential. a significant investment in terms of time and effort when using Scope and interface principles. For each scheme, the corre- C++, which most of the state-of-the-art HE libraries are using. More sponding package implements the cryptographic objects and the recent languages, such as Go [1], greatly reduce this effort, notably local operations on these objects. These local operations are de- fined as exported Go interface types (e.g., bfv.Encryptor) for WAHC’20, 15 Dec. 2020, Online which implementations are provided as methods (e.g., Encrypt(*)) . of context-specific objects (e.g., skEncryptor, pkEncryptor) that 1 WAHC’20, 15 Dec. 2020, Online Christian Mouchet, Jean-Philippe Bossuat, Juan Troncoso-Pastoriza, and Jean-Pierre Hubaux encapsulate the cryptographic parameters, temporary buffers and 150 pre-computations. As of version v2.1.0, Lattigo provides a single- 213.5 threaded implementation of its API and all types assume single- threaded use. Therefore, the API user controls the concurrency aspects of its application. 100 Support for Multiparty Access Structures. At the time of 13 Throughput time [sec] 2 writing, the dbfv and dckks packages implement the # -out-of-# - Key-size º/ Threshold access structure of Mouchet et al. [19] (we elaborate on & ¹ Throughput 50 this scheme in Section 2.2). Key-size [MB] log 212.5 2.1 Cryptographic Optimizations and Features 0 We summarize the features in Lattigo that are relevant from a 1 2 3 4 5 6 7 8 cryptographic-research standpoint. U Standalone Arithmetic Layer. The library exposes most of Number of Special Primes its polynomial arithmetic layer in the lattigo/ring sub-package. This package is implemented in pure Go and features a wide range Figure 1: Comparison of the public key-switch operation of low-level optimized algorithms, with a minimal, unexported use throughput (in ciphertext-bits/sec.) and public switching- of the unsafe package (that enables pointer arithmetic) and with- key size in Lattigo v2.1.0 for 3 = 215 and variable 1 ≤ U ≤ 8 out any dependency on external numerical libraries. This includes and ! = 16 − U. Montgomery-form arithmetic, ring operations, Number Theoretic Transforms (NTT), evaluation of automorphisms, RNS bases exten- sions and scaling, and sampling of Gaussian, uniform and ternary distributions. Hence, it can be used to build and evaluate other Table 2: CKKS Bootstrapping Parameters. 3 is the ring de- R-LWE based FHE schemes and primitives. gree, ℎ is the number of non-zero coefficients in the secret- ¹ º ¹ º Generalized Keyswitch Procedure. For both the BFV and key, log & bit-size of the ciphertext modulus, log % is the CKKS schemes, Lattigo uses a generalization of the keyswitch pro- bit-size of the key-switching decomposition-basis (the secu- ¹ º cedure proposed by Han and Ki [15], which lets the user specify the rity is based on log &% ) and 퐶 the ciphertext modulus con- norm of the decomposition-basis % used during the key-switching. sumption by bootstrapping (in bits). Hence, the parameters can be represented as a triplet f3, !, Ug, Set 3 ℎ log¹&º log¹%º 퐶 where 3 is the ring degree, ! is the number of ciphertext moduli Best of [8] 1240 1240 1057 64 (prime factors of &) and U is the number of special primes for the Best of [15] 1270 182 900 216 key-switching (prime factors of %). Even though it introduces an ad- II 192 1248 305 743 ditional (yet optional) parameter, we observed that giving the user III 215 1416 366 956 the ability to tune the trade-off (indeed, the size of &% is capped by the security parameter) between homomorphic-capacity and Lattigo is the second library to feature an open-source implementa- keyswitch complexity results in great throughput gains. We com- tion of a bootstrapping circuit for the CKKS scheme and the first pared the homomorphic throughput of the keyswitch procedure one to make such implementation available for the Full-RNS vari- along with the size of the public switch-key for several values of U 15 ant of the scheme. Compared to the current state-of-the-art, the using the parameters f2 , 16 − U, Ug, i.e. for a fixed modulus size procedure is both more efficient and more precise (as shown in &%, the number of primes between & and % varies. Figure 1 shows Figure 2), and it does not require the use of sparse secret keys. that, by increasing U to 4, we get a 2× increase in throughput and a Homomorphic Polynomial Evaluation. The lattigo/ckks 5× decrease in the key-size. This shows that, in terms of throughput, package provides a scale-invariant and depth-optimal polynomial the loss in homomorphic capacity is more than compensated by evaluation algorithm, for both the standard and the Chebyshev the run-time reduction. bases. It allows the user to provide the clear-text polynomial coeffi- We also further optimized the keyswitch-key format and keyswitch cient and a desired output scale, and it recursively back-propagates algorithm for the evaluation of automorphisms such as rotations, it to ensure that all rescalings in the evaluation are exact (as de- as proposed by Bossuat et al. [7]. scribed in more details by Bossuat et al. [7]). Novel BFV Quantization. Even in its RNS variant, [5, 14], the BFV homomorphic multiplication is an expensive operation be- cause it requires the use of a secondary and temporary basis [12].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us