Efficiently Processing Complex-Valued Data in Homomorphic Encryption

Representing complex numbers

One naive way to encode a complex number z would be to view it as a pair of real numbers, for instance using Cartesian or polar coordinates. These can be fed separately to the SHE scheme, which is now used to evaluate two circuits. A more direct way is to use a complex base b. For instance, one could take b = e^πi/n, as was done by Cheon, Kim, Kim and Song [9], albeit in a somewhat different context. This choice has the additional feature that f(b) = 0, so that wrapping around modulo f(X) = Xⁿ + 1 does not lead to incorrect decoding. However, finding an integer-digit base b expansion with small norm which approximates z sufficiently well is an n-dimensional lattice problem, which is practically infeasible. To get around this Costache, Smart and Vivek [10] instead use b = ζ : = e^πi/m for some divisor m ∣ n, which is small enough for finding short base ζ approximations, while preserving the feature that wrapping around modulo f(X) is unharmful. But in their approach, a huge portion of plaintext space is left unused}. Indeed, the encoding map is

where Y = X^n/m, t ≥ 2 is an integral plaintext modulus and z_i is the reduction of z_i mod t, so that all plaintext computations are carried out in the subring ℤ[Y]/(t, Y^m + 1), which is of index t^n−m in R_t. Our proposal is to resort to a plaintext modulus of the form t = X^m + b for some small integer b, with ∣b∣ ≥ 2. In this case, for m < n, we have R_X^m+b = ℤ[X] / (X^m + b, Xⁿ + 1) = ℤ[X]/(b^n/m + 1, X^m + b). An additional assumption (which is discussed in more detail in the next section), is that

where b denotes the reduction of b modulo b^n/m + 1. Throughout we fix such an α and let β be its multiplicative inverse, which necessarily exists. This implies that (β̄X)^m + 1 = 0, therefore we have a well-defined ring homomorphism

which is surjective with kernel (b^n/m + 1). In other words, while Costache, Smart and Vivek restrict their computations to an injective copy of ℤ[ζ]/(t) inside R_t, we can view R_X^m+b as an isomorphic copy of ℤ[ζ]/(b^n/m + 1). Essentially, our approach transfers the unused part of the plaintext space coming from the large dimension n into a larger integral modulus, reflected in the exponent n/m.

In the remainder of this paper, we explain how this observation can be used to efficiently process complex-valued input data in homomorphic encryption. First, in Section 2 we explain how to encode and decode elements of the ring ℤ[ζ] of 2m^th cyclotomic integers and discuss the assumption (1), with special attention to the case m = 2 where ℤ[ζ] = ℤ[i] is the ring of Gaussian integers. Next in Section 3 we explain how this can be used to encode other data types such as cyclotomic rationals or complex floats, either by resorting to LLL as in [10] or by using Chen et al.’s fractional encoder from [7]. In Section 4 we discuss how to adapt the FV scheme so that it can cope with plaintext spaces of the form R_X^m+b. Finally, in Section 5 we discuss the performance of this adaptation in comparison with previous approaches. In short we can reach a depth at least 5 times that of the best approach which directly encrypts encodings of complex numbers [10]. We can also reach very similar depths to the state of the art where one encrypts the real and imaginary parts separately [7]. However, since we natively encrypt complex numbers our ciphertexts are two times smaller and hence our approach is more efficient by roughly a factor two in time and three in space.

Encoding

Encoding an element of ℤ[ζ] happens in two steps. The first step applies the map (2) yielding a polynomial of degree less than m which typically has very large coefficients. The second step is comparable to the hat encoder of Chen et al. [7] and switches to another representant by spreading this polynomial across the range 1, X, …, Xⁿ⁻¹ while making the coefficients a lot smaller. The result will then be lifted to R = ℤ[X]/(Xⁿ + 1) and fed to our adaptation of the FV scheme, where the smaller coefficients are important to keep the noise growth bounded.

Here is how this second step is carried out in practice: we think of the coefficients z_iβⁱ as being represented by integers between −⌊b^n/m/2⌋ and ⌈b^n/m/2⌉. We then expand these integers to base b using digits a_i,j from the range −⌊b/2⌋, …, ⌊b/2⌋ to find

There is a minor caveat here, namely if b is odd then there are more integers modulo b^n/m + 1 than there are balanced b-ary expansions of length at most n/m. This is easily resolved by allowing the last digit to be one larger. For even b the situation is opposite: since z_iβⁱ is represented by an integer of size at most b^n/m/2 = b/2 ⋅ b^n/m−1 we have a surplus of base-b expansions. Here it makes sense to choose an expansion with the shortest Hamming weight (e.g., if b = 2 then we simply pick the non-adjacent form). We denote the maximal number of non-zero coefficients that can appear in a fresh encoding by N_b.

Given such base-b expansions of the coefficients, we replace each occurrence of b by −X^m and then substitute the results in the image of (2). We end up with an expansion ∑i=0n−1c¯iXi where the c_i are represented by integers of absolute value at most ⌊b/2⌋, or in fact ⌊(b + 1)/2⌋ if we take into account the caveat.

Decoding

In order to decode a given expansion ∑i=0n−1c¯iXi we walk through the same steps in reverse order. First we pick another representant by reducing the expansion modulo X^m + b, in order to end up with

This can be rewritten as ∑i=0m−1c¯i′α¯iβ¯iXi so we decode as ∑i=0m−1z_iζⁱ ∈ ℤ[ζ] where z_i is a representant of c′_iαⁱ taken from the range −⌊b^n/m/2⌋, …, ⌈b^n/m/2⌉.

On the assumption (1)

Usually n and m are determined by security considerations and the concrete application. To apply our encoding method we want to find a small value of b for which condition (1) is met. This is easiest if n/m is small or m is small. If no satisfactory value of b can be found then one can try to enlarge m and view ℤ[ζ] as a subring of a higher degree cyclotomic ring. Below we give two lemmas constraining the possible choices for b given m and n; still assuming we are working with 2-power cyclotomic f. Their proofs are given in the full version of this paper [3]. We note that it does not help to allow for negative b in our case, that is for n = 2^k, because b satisfies (1) if and only if −b does.

3.1 Fractional encoding

Here we consider how to encode a rational number into the space ℤ/pℤ for some integer p, so that it can then be expanded using the technique in Section 2. This problem was considered by Chen, Laine, Player and Xia in [7, Section 6]. Their approach is to define a finite subset 𝓟 of ℚ along with an encoding map Enc : 𝓟 → ℤ/pℤ and a decoding map Dec : Enc(𝓟) → 𝓟. The maps should satisfy, firstly, correctness: Dec(Enc(x/y)) = x/y for x/y ∈ 𝓟 and secondly, Enc should be both additively and multiplicatively homomorphic so long as it still encodes an element of 𝓟.

The natural choice for the map Enc is Enc(x/y) = xy⁻¹ mod p where the inverse of y is computed modulo p. Care thus needs to be taken to ensure that y has such an inverse, which is ensured with a careful choice of 𝓟.

In our setting the coefficient modulus p is of the form b^n/2 + 1, thus if one wants roughly the same precision for the integer and fractional parts one can take for an odd base b

while for even b one can choose

where δ ∈ {0, 1} depending on whether you want one more base-b digit in the fractional (δ = 0) or integer (δ = 1) part.

The encoding of an element e ∈ 𝓟 is then computed as −eb^n/2 mod b^n/2 + 1. The important thing to note about using this encoding is that for decoding to work the result of the computations must lie in 𝓟. If your input data are complex numbers and you approximate them using n/4 fractional b-ary digits then it is likely that after one multiplication the result is no longer in 𝓟. Thus one must appropriately choose the precision with which to encode the data, depending primarily on the depth of the circuit to be evaluated and the final precision required. The only constraint is that the precision should be a divisor of b^n/4 so that −eb^n/2 is an integer.

We note that the fractional encoder need not require m to be 2. However in this case there appears to be no straightforward way to find a good rational approximation with small numerators and denominators except when the denominators are all equal, in this case if this denominator is r then we simply require an approximation of rz in ℤ[ζ] subject to some constraint on the coefficients. However, the problem of finding such an approximation to our complex number itself, rather than a scaling, is interesting in its own right as it avoids the need for encoding fractional values and tracking the denominator inherently present in such encodings.

3.2 Integer coefficient approximation

The task of finding a cyclotomic integer closely approximating an arbitrary complex number was considered by Costache, Smart and Vivek in [10]. Here the idea is to solve an instance of the closest vector problem (CVP) in the (scaled) lattice ℤ[ζ], where the power basis is scaled and split into real and complex part, which are approximated by integers. In detail: we choose a scaling constant C > 0, and define the constants a_i and b_i for i = 0, …, m − 1, where a_i = ⌈ℜ(Cζⁱ)⌋ and b_i = ⌈ℑ(Cζⁱ)⌋. The lattice we then consider is given by the m rows of the matrix

The target vector in our CVP instance will then be the appropriately scaled real and complex parts of the complex number z we wish to approximate. Concretely, this vector is (0, …, 0, ⌈ℜ(Cz)⌋, ⌈ℑ(Cz)⌋).

If (z₀, …, z_m−1, A, B) is a solution to the CVP instance then we must have

and similarly for the imaginary part. We therefore see that ∑i=0m−1z_iζⁱ is a good approximation to z. Further, C gives some control over the quality of the approximation, larger C gives a finer-grained lattice but also increases the size of the last two coefficients of the basis vectors which may lead to a larger distance between the target vector and the closest lattice point, which in turn makes solving the CVP instance harder and negatively affects the quality of our approximation of Cz.

In [10] the authors solve this CVP instance using the embedding technique. Namely they attempt to solve the shortest vector problem in the lattice spanned by the rows of

for some non-zero constant T. With suitable parameter choices, performing LLL reduction on this lattice will return a basis of short vectors for this lattice, among which at least one has ± T in the final coordinate. The remaining coefficients then give plus or minus the target vector minus a close vector.

One issue with the embedding technique is that each new instance of the CVP problem requires performing lattice reduction which for large m is rather time-consuming. In typical applications we want to approximate many different complex numbers, using the same C so only the target vector changes. A more efficient approach therefore is to perform lattice reduction on the CVP lattice itself and since this is independent of the target vector it needs only to be done once so we can spend significantly more time in this step to find a good basis of this lattice. We can then apply a technique such as Babai’s nearest plane algorithm, or Babai’s rounding algorithm, with this reduced basis to find an approximate closest vector.

4.1 Basic scheme

Writing R = ℤ[X]/(Xⁿ + 1), the ciphertext space is defined by R_q = R/(q) for some positive integer q, while the plaintext space is R_X^m+b = R/(X^m + b). We will assume that b ≪ q. Recall that in the original FV scheme the plaintext space is R/(t) for some positive integer t ≪ q. We define the scaling parameter Δ_b as

Obviously, Δ_b is the analogue of the scalar Δ = ⌊q/t⌋ in the original FV scheme. Other parameters are the error distribution χ_e = 𝓓(σ²) on R (coefficient-wise with respect to the power basis, with standard deviation σ) and the key distribution χ_k = 𝓤₃ which uniformly generates elements of R with ternary coefficients (with respect to the power basis). We also define the decomposition base w and denote ℓ = ⌊log_wq⌋.

The new encryption scheme ComFV is then defined in the same way as FV where t and Δ are replaced by X^m + b and Δ_b, respectively.

• ComFV.KeyGen( ): Let s ← χ_k and e, e₀, … e_ℓ ← χ_e. Uniformly sample random a, a₀, …, a_ℓ ∈ R_q and compute b_i = [−(a_i ⋅ s + e_i) + wⁱ ⋅ s²]_q. Output the secret key sk = s, the public key pk = ([−(a ⋅ s + e)]_q, a) and the evaluation key evk=bi,aii=0ℓ.

• ComFV.Encrypt(pk, msg): Sample u ← χ_k and e₀, e₁ ← χ_e. Set p₀ = pk[0] and p₁ = pk[1], and compute c₀ = [Δ_b ⋅ msg + p₀ ⋅ u + e₀]_q and c₁ = [p₁ ⋅ u + e₁]_q. Output ct = (c₀, c₁).

• ComFV.Decrypt(sk, ct): Return

  msg′=Xm+bqc0+c1⋅sqmod(Xm+b).

  The security of this scheme is based on the same argument as of the original FV scheme. In particular, it is hard to distinguish the public key pk and ciphertext pairs from uniform tuples according to the decision version of the Ring-LWE problem [18]. The evaluation keyevk does not leak any information about the secret key as long as a circular security assumption holds [13].

  Recall that for an element a ∈ K the canonical (infinity) norm of a is defined as

  a∞can=a(ζ),a(ζ3),…,a(ζ2n−1)∞.

  To verify correctness we use the notion of invariant noise introduced in [7]. The invariant noise of a ciphertext ct = (c₀,c₁) encrypting a plaintext msg ∈ R_X^m+b is an element v ∈ K with the smallest canonical norm such that

  Xm+bq⋅c0+c1⋅sq=msg+v+g⋅(Xm+b)(4)

  for some g ∈ R.^[1] Then decryption works correctly when v∞can<1/2 that is supported by the following theorem.

4.2 Homomorphic operations

In this section we show how homomorphic addition and multiplication are performed in the new scheme. We prove correctness of these operations and estimate the invariant noise growth. Throughout this section, Ct(msg, v) denotes a ciphertext encrypting message msg ∈ R_X^m+b with invariant noise v.

Addition is the coordinate-wise sum of corresponding ciphertext components:

• ComFV.Add(ct_0, ct₁): Return ([ct₀[0] + ct₁[0]]_q, [ct₀[1] + ct₁[1]]_q).

The invariant noise grows additively after homomorphic addition.

Multiplication consists of two steps. The first one, denoted ComFV.BMul, returns the coefficients of the ciphertext product when expressed as of a polynomial in s, namely of (ct₀[0] + ct₀[1]s)(ct₁[0] + ct₁[1]s). The second step then maps the degree two term back to degree one using the relinearization technique.

• ComFV.BMul(ct₀, ct₁): Compute

  c0=Xm+bq⋅ct0[0]⋅ct1[0]q,c1=Xm+bq⋅(ct0[0]⋅ct1[1]+ct0[1]⋅ct1[0])q,c2=Xm+bq⋅ct0[1]⋅ct1[1]q

  and return ct_BMul = (c₀, c₁, c₂).

• ComFV.Relin(ct_BMul, evk): Writing ct_BMul = (c₀,c₁,c₂), expand c₂ in base w, namely c₂ = ∑i=0ℓc_2,iwⁱ with c_2,i ∈ R_w. Compute

  c0′=c0+∑i=0ℓevk[i][0]⋅c2,iandc1′=c1+∑i=0ℓevk[i][1]⋅c2,i

  and output c_Relin = (c′₀, c′₁).

• ComFV.Mul(ct₀, ct₁, evk): Return

  cMul=(c0′,c1′)=ComFV.Relin(ComFV.BMul(ct0,ct1),evk).

  The next theorem bounds the norm of the invariant noise upon multiplication.