Algorithmic Acceleration of B/FV-Like Somewhat Homomorphic Encryption for Compute-Enabled RAM

Abstract

Somewhat Homomorphic Encryption (SHE) allows arbitrary computation with finite multiplicative depths to be performed on encrypted data, but its overhead is high due to memory transfer incurred by large ciphertexts. Recent research has recognized the shortcomings of general-purpose computing for high-performance SHE, and has begun to pioneer the use of hardware-based SHE acceleration with hardware including FPGAs, GPUs, and Compute-Enabled RAM (CE-RAM). CE-RAM is well-suited for SHE, as it is not limited by the separation between memory and processing that bottlenecks other hardware. Further, CE-RAM does not move data between different processing elements. Recent research has shown the high effectiveness of CE-RAM for SHE as compared to highly-optimized CPU and FPGA implementations. However, algorithmic optimization for the implementation on CE-RAM is underexplored. In this work, we examine the effect of existing algorithmic optimizations upon a CE-RAM implementation of the B/FV scheme [19], and further introduce novel optimization techniques for the Full RNS Variant of B/FV [6]. Our experiments show speedups of up to 784x for homomorphic multiplication, 143x for decryption, and 330x for encryption against a CPU implementation. We also compare our approach to similar work in CE-RAM, FPGA, and GPU acceleration, and note general improvement over existing work. In particular, for homomorphic multiplication we see speedups of 506.5x against CE-RAM [34], 66.85x against FPGA [36], and 30.8x against GPU [3] as compared to existing work in hardware acceleration of B/FV.

Appendices

A  Proofs for Novel Optimizations

In this section, we present proofs of correctness for our novel RNS optimizations.

1.1 A.1 Proof of Theorem 1

Proof

If x is even, then \(x = 2y\), and \(x\cdot 2^{g-1} = (2y)2^{g-1} = 2^g y \equiv y \mod 2^g - 1\). If x is odd, then \(x = 2y+1\), and \(x2^{g-1} = (2y+1)2^{g-1} = y2^g + 2^{g-1} \equiv 2^{g-1} + y \mod (2^g - 1)\).    \(\square \)

1.2 A.2 Proof of Lemma 2

Proof

\(x(2^g - 1) = x\cdot 2^g - x \equiv -x \mod 2^g\).    \(\square \)

1.3 A.3 Proof of Theorem 2

Proof

If x is even, then \(x = 2y\), and \(x(2^{g-1}+1) = (2y)(2^{g-1}+1) = 2^g y + 2y \equiv -y + 2y \equiv y \mod 2^g + 1\). If x is odd, then \(x = 2y+1\), and \(x(2^{g-1}+1) = (2y+1)(2^{g-1}+1) = y2^g + 2y + 2^{g-1} + 1 \equiv -y + 2y + 2^{g-1} + 1 \equiv y + 2^{g-1} + 1 \mod 2^g - 1\).    \(\square \)

B  Proofs for Fermat-like Coprimes

Let the terms \(q_i\) be elements of \(S_2 = \{2^m-1, 2^m+1, 2^{2m}+1, 2^{4m}+1, \cdots 2^{2^{f-1}m}+1, 2^{2^f m}+1\}\), as in Sect. 3.2. Then the following results hold [32]:

Lemma 3

For \(q_i \in S_2\) with \(q_0 = 2^m-1\), \(|\frac{q_0}{q}|_{q_0} = 2^{m-(k-1)}\).

Proof

Note that \(\frac{q}{q_0} = (2^m+1)(2^{2m})(2^{4m})\cdots (2^{2^f m})\). Because \(2^m\) is equal to 1 modulo \(q_0\), each of the \(f+1\) terms in this product is equal to two. Thus \(|\frac{q}{q_0}|_{q_0} = |2^{f+1}|_{q_0}\). The inverse of this is \(|\frac{q_0}{q}|_{q_0} = 2^{m-(f+1)} = 2^{m-(k-1)}\).    \(\square \)

Lemma 4

For \(q_i = 2^{2^{i} m}+1\), \(i \in [1,k]\), \(|\frac{q_i}{q}|_{q_i}\) is \(2^{2^{i-1}m-(f-i+2)}\).

Proof

Note that \(\frac{q}{q_i} = (2^{2^{i} m}-1) (2^{2^{i+1} m}+1) (2^{2^{i+2} m}+1) \cdots (2^{2^{f} m}+1)\). We see that \(|(2^{2^{i} m}-1)|_{q_i} = |(-1)-1|_{q_i} = |-2|_{q_i}\). For the remaining terms \(2^{2^{j} m}+1\) (for \(j \in [i+1, f]\)), we have \(|2^{2^{j} m}+1|_{q_i} = |(2^{2^{i-1} m})^{2^{j-(i-1)}}+1|_{q_i} = |(-1)^{2^{j-(i-2)}}+1|_{q_i}\). Because \(j > i\), this is equal to \(|1+1|_{q_i} = 2\). Combining these, we see that \(|\frac{q}{q_i}|_{q_i} = |(-2)2^{f-(i-1)}|_{q_i} = |-2^{f-i+2}|_{q_i}\). Then the inverse term \(|\frac{q_i}{q}|_{q_i}\) is \(2^{2^{i-1}m-(f-i+2)}\).    \(\square \)

In both of these terms, the exponent of two should always be positive; if this is not the case then too many moduli have been chosen for too small a dynamic range [39].

C NTT Algorithm

Algorithm 7 gives the algorithm of the Number-Theoretic Transform.