HEAAN

HEAAN
Developer(s)	Cryptography LAB in Seoul National University
Initial release	May 15, 2016;8 years ago
Repository	github.com/snucrypto/HEAAN ;
Written in	C++
Type	Homomorphic encryption
License	CC BY-NC 3.0

Last updated December 11, 2024

HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS).^[1] The first version of HEAAN was published on GitHub ^[2] on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm^[3] was released. Currently, the latest regular version is version 1.1^[4] and the latest pre-release version is 2.1.^[5]

CKKS plaintext space

Unlike other HE schemes, the CKKS scheme supports approximate arithmetics over complex numbers (hence, real numbers). More precisely, the plaintext space of the CKKS scheme is $\mathbb {C} ^{n/2}$ for some power-of-two integer $n$ . To deal with the complex plaintext vector efficiently, Cheon et al. proposed plaintext encoding/decoding methods which exploits a ring isomorphism ${\displaystyle \phi$ .

Encoding method

Given a plaintext vector ${\vec {z}}=(z_{1},z_{2},...,z_{n/2})\in \mathbb {C} ^{n/2}$ and a scaling factor $\Delta >1$ , the plaintext vector is encoded as a polynomial $m(X)\in R:=\mathbb {Z} [X]/(X^{n}+1)$ by computing $m(X)=\lfloor \Delta \cdot \phi ^{-1}({\vec {z}})\rceil \in R$ where $\lfloor \cdot \rceil$ denotes the coefficient-wise rounding function.

Decoding method

Given a message polynomial $m(X)\in R$ and a scaling factor $\Delta >1$ , the message polynomial is decoded to a complex vector ${\vec {z}}\in \mathbb {C} ^{n/2}$ by computing ${\vec {z}}=\Delta ^{-1}\cdot \phi (m(X))\in \mathbb {C} ^{n/2}$ .

Here the scaling factor $\Delta >1$ enables us to control the encoding/decoding error which is occurred by the rounding process. Namely, one can obtain the approximate equation ${\text{Dcd}}({\text{Ecd}}({\vec {z}};\Delta );\Delta )\approx {\vec {z}}$ by controlling $\Delta$ where ${\text{Ecd}}$ and ${\text{Dcd}}$ denote the encoding and decoding algorithm, respectively.

From the ring-isomorphic property of the mapping ${\displaystyle \phi$ , for $m_{1}={\text{Ecd}}({\vec {z}}_{1};\Delta )$ and $m_{2}={\text{Ecd}}({\vec {z}}_{2};\Delta )$ , the following hold:

${\text{Dcd}}(m_{1}+m_{2};\Delta )\approx {\vec {z}}_{1}+{\vec {z}}_{2}$ ,
${\text{Dcd}}(m_{1}\cdot m_{2};\Delta )\approx {\vec {z}}_{1}\circ {\vec {z}}_{2}$ ,

where $\circ$ denotes the Hadamard product of the same-length vectors. These properties guarantee the approximate correctness of the computations in the encoded state when the scaling factor $\Delta$ is chosen appropriately.

Algorithms

The CKKS scheme basically consists of those algorithms: key Generation, encryption, decryption, homomorphic addition and multiplication, and rescaling. For a positive integer $q$ , let $R_{q}:=R/qR$ be the quotient ring of $R$ modulo $q$ . Let $\chi _{s}$ , $\chi _{r}$ and $\chi _{e}$ be distributions over $R$ which output polynomials with small coefficients. These distributions, the initial modulus $Q$ , and the ring dimension $n$ are predetermined before the key generation phase.

Key generation

The key generation algorithm is following:

Sample a secret polynomial $s\leftarrow \chi _{s}$ .
Sample $a$ (resp. $a'$ ) uniform randomly from $R_{Q}$ (resp. $R_{PQ}$ ), and $e,e'\leftarrow \chi _{e}$ .
Output a secret key $sk\leftarrow (1,s)\in R_{Q}^{2}$ , a public key $pk\leftarrow (b=-a\cdot s+e,a)\in R_{Q}^{2}$ , and an evaluation key $evk\leftarrow (b'=-a'\cdot s+e'+P\cdot s^{2},a')\in R_{PQ}^{2}$ .

Encryption

The encryption algorithm is following:

Sample an ephemeral secret polynomial $r\leftarrow \chi _{r}$ .
For a given message polynomial $m\in R$ , output a ciphertext $ct\leftarrow (c_{0}=r\cdot b+e_{0}+m,c_{1}=r\cdot a+e_{1})\in R_{Q}^{2}$ .

Decryption

The decryption algorithm is following:

For a given ciphertext $ct\in R_{q}^{2}$ , output a message $m'\leftarrow \langle ct,sk\rangle$ $({\text{mod }}q)$ .

The decryption outputs an approximate value of the original message, i.e., ${\text{Dec}}(sk,{\text{Enc}}(pk,m))\approx m$ , and the approximation error is determined by the choice of distributions $\chi _{s},\chi _{e},\chi _{r}$ . When considering homomorphic operations, the evaluation errors are also included in the approximation error. Basic homomorphic operations, addition and multiplication, are done as follows.

Homomorphic addition

The homomorphic addition algorithm is following:

Given two ciphertexts $ct$ and $ct'$ in $R_{q}^{2}$ , output $ct_{\text{add}}\leftarrow ct+ct'\in R_{q}^{2}$ .

The correctness holds as ${\text{Dec}}(sk,ct_{\text{add}})\approx {\text{Dec}}(sk,ct)+{\text{Dec}}(sk,ct')$ .

Homomorphic multiplication

The homomorphic multiplication algorithm is following:

Given two ciphertext $ct=(c_{0},c_{1})$ and $ct'=(c_{0}',c_{1}')$ in $R_{q}^{2}$ , compute $(d_{0},d_{1},d_{2})=(c_{0}c_{0}',c_{0}c_{1}'+c_{1}c_{0}',c_{1}c_{1}')$ $({\text{mod }}q)$ . Output $ct_{\text{mult}}\leftarrow (d_{0},d_{1})+\lfloor P^{-1}\cdot d_{2}\cdot evk\rceil \in R_{q}^{2}$ .

The correctness holds as ${\text{Dec}}(sk,ct_{\text{mult}})\approx {\text{Dec}}(sk,ct)\cdot {\text{Dec}}(sk,ct')$ .

Note that the approximation error (on the message) exponentially grows up on the number of homomorphic multiplications. To overcome this problem, most of HE schemes usually use a modulus-switching technique which was introduced by Brakerski, Gentry and Vaikuntanathan.^[6] In case of HEAAN, the modulus-switching procedure is called rescaling. The Rescaling algorithm is very simple compared to Brakerski-Gentry-Vaikuntanathan's original algorithm. Applying the rescaling algorithm after a homomomorphic multiplication, the approximation error grows linearly, not exponentially.

Rescaling

The rescaling algorithm is following:

Given a ciphertext $ct\in R_{q}^{2}$ and a new modulus $q'<q$ , output a rescaled ciphertext $ct_{\text{rs}}\leftarrow \lfloor (q'/q)\cdot ct\rceil \in R_{q'}^{2}$ .

The total procedure of the CKKS scheme is as following: Each plaintext vector ${\vec {z}}$ which consists of complex (or real) numbers is firstly encoded as a polynomial $m(X)\in R$ by the encoding method, and then encrypted as a ciphertext $ct\in R_{q}^{2}$ . After several homomorphic operations, the resulting ciphertext is decrypted as a polynomial $m'(X)\in R$ and then decoded as a plaintext vector ${\vec {z}}'$ which is the final output.

Security

The IND-CPA security of the CKKS scheme is based on the hardness assumption of the ring learning with errors (RLWE) problem, the ring variant of very promising lattice-based hard problem Learning with errors (LWE). Currently the best known attacks for RLWE over a power-of-two cyclotomic ring are general LWE attacks such as dual attack and primal attack. The bit security of the CKKS scheme based on known attacks was estimated by Albrecht's LWE estimator.^[7]

Library

Version 1.0, 1.1 and 2.1 have been released so far. Version 1.0 is the first implementation of the CKKS scheme without bootstrapping. In the second version, the bootstrapping algorithm was attached so that users are able to address large-scale homomorphic computations. In Version 2.1, currently the latest version, the multiplication of ring elements in $R_{q}$ was accelerated by utilizing fast Fourier transform (FFT)-optimized number theoretic transform (NTT) implementation.

Related Research Articles

In mathematical physics and mathematics, the Pauli matrices are a set of three $2 \times 2$ complex matrices that are traceless, Hermitian, involutory and unitary. Usually indicated by the Greek letter sigma, they are occasionally denoted by tau when used in connection with isospin symmetries.

<span class="mw-page-title-main">Wave equation</span> Differential equation important in physics

The wave equation is a second-order linear partial differential equation for the description of waves or standing wave fields such as mechanical waves or electromagnetic waves. It arises in fields like acoustics, electromagnetism, and fluid dynamics.

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

<span class="mw-page-title-main">Moment of inertia</span> Scalar measure of the rotational inertia with respect to a fixed axis of rotation

The moment of inertia, otherwise known as the mass moment of inertia, angular/rotational mass, second moment of mass, or most accurately, rotational inertia, of a rigid body is defined relative to a rotational axis. It is the ratio between the torque applied and the resulting angular acceleration about that axis. It plays the same role in rotational motion as mass does in linear motion. A body's moment of inertia about a particular axis depends both on the mass and its distribution relative to the axis, increasing with mass & distance from the axis.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

Screw theory is the algebraic calculation of pairs of vectors, also known as dual vectors – such as angular and linear velocity, or forces and moments – that arise in the kinematics and dynamics of rigid bodies.

The Kerr–Newman metric describes the spacetime geometry around a mass which is electrically charged and rotating. It is a vacuum solution which generalizes the Kerr metric by additionally taking into account the energy of an electromagnetic field, making it the most general asymptotically flat and stationary solution of the Einstein–Maxwell equations in general relativity. As an electrovacuum solution, it only includes those charges associated with the magnetic field; it does not include any free electric charges.

In mathematics, Hensel's lemma, also known as Hensel's lifting lemma, named after Kurt Hensel, is a result in modular arithmetic, stating that if a univariate polynomial has a simple root modulo a prime number $p$ , then this root can be lifted to a unique root modulo any higher power of $p$ . More generally, if a polynomial factors modulo $p$ into two coprime polynomials, this factorization can be lifted to a factorization modulo any higher power of $p$ .

In mathematics, differential algebra is, broadly speaking, the area of mathematics consisting in the study of differential equations and differential operators as algebraic objects in view of deriving properties of differential equations and operators without computing the solutions, similarly as polynomial algebras are used for the study of algebraic varieties, which are solution sets of systems of polynomial equations. Weyl algebras and Lie algebras may be considered as belonging to differential algebra.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

The Tonelli–Shanks algorithm is used in modular arithmetic to solve for r in a congruence of the form r² ≡ n, where p is a prime: that is, to find a square root of n modulo p.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and outsourced to commercial cloud environments for processing, all while encrypted.

<span class="mw-page-title-main">Voigt effect</span>

The Voigt effect is a magneto-optical phenomenon which rotates and elliptizes linearly polarised light sent into an optically active medium. The effect is named after the German scientist Woldemar Voigt who discovered it in vapors. Unlike many other magneto-optical effects such as the Kerr or Faraday effect which are linearly proportional to the magnetization, the Voigt effect is proportional to the square of the magnetization and can be seen experimentally at normal incidence. There are also other denominations for this effect, used interchangeably in the modern scientific literature: the Cotton–Mouton effect and magnetic-linear birefringence, with the latter reflecting the physical meaning of the effect.

In mathematics and mathematical physics, raising and lowering indices are operations on tensors which change their type. Raising and lowering indices are a form of index manipulation in tensor expressions.

In fluid dynamics, the Oseen equations describe the flow of a viscous and incompressible fluid at small Reynolds numbers, as formulated by Carl Wilhelm Oseen in 1910. Oseen flow is an improved description of these flows, as compared to Stokes flow, with the (partial) inclusion of convective acceleration.

In coding theory, generalized minimum-distance (GMD) decoding provides an efficient algorithm for decoding concatenated codes, which is based on using an errors-and-erasures decoder for the outer code.

<span class="mw-page-title-main">Magnetic levitation</span> Suspension of objects by magnetic force

Magnetic levitation (maglev) or magnetic suspension is a method by which an object is suspended with no support other than magnetic fields. Magnetic force is used to counteract the effects of the gravitational force and any other forces.

Inverse modeling is a mathematical technique where the objective is to determine the physical properties of the subsurface of an earth region that has produced a given seismogram. Cooke and Schneider (1983) defined it as calculation of the earth's structure and physical parameters from some set of observed seismic data. The underlying assumption in this method is that the collected seismic data are from an earth structure that matches the cross-section computed from the inversion algorithm. Some common earth properties that are inverted for include acoustic velocity, formation and fluid densities, acoustic impedance, Poisson's ratio, formation compressibility, shear rigidity, porosity, and fluid saturation.

In PAC learning, error tolerance refers to the ability of an algorithm to learn when the examples received have been corrupted in some way. In fact, this is a very common and important issue since in many applications it is not possible to access noise-free data. Noise can interfere with the learning process at different levels: the algorithm may receive data that have been occasionally mislabeled, or the inputs may have some false information, or the classification of the examples may have been maliciously adulterated.

Short integer solution (SIS) and ring-SIS problems are two average-case problems that are used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Miklós Ajtai who presented a family of one-way functions based on SIS problem. He showed that it is secure in an average case if the shortest vector problem $(where for some constant) is hard in a worst-case scenario.$

References

↑ Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15.
↑ Andrey Kim; Kyoohyung Han; Miran Kim; Yongsoo Song. "An approximate HE library HEAAN". GitHub . Retrieved 15 May 2016.
↑ Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018(springer).
↑ "Release HEAAN with BOOTSTRAPPING · snucrypto/HEAAN". GitHub. Retrieved 2024-12-10.
↑ Release HEAAN with Faster Multiplication · snucrypto/HEAAN, Cryptography LAB in Seoul National University, Sep 5, 2018, retrieved 2024-12-10
↑ Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. In ITCS 2012
↑ Martin Albrecht. Security Estimates for the Learning with Errors Problem, https://bitbucket.org/malb/lwe-estimator

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[CKKS17-1] Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15.

[HEAAN-2] Andrey Kim; Kyoohyung Han; Miran Kim; Yongsoo Song. "An approximate HE library HEAAN". GitHub . Retrieved 15 May 2016.

[CHK+18-3] Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018(springer).

[4] "Release HEAAN with BOOTSTRAPPING · snucrypto/HEAAN". GitHub. Retrieved 2024-12-10.

[5] Release HEAAN with Faster Multiplication · snucrypto/HEAAN, Cryptography LAB in Seoul National University, Sep 5, 2018, retrieved 2024-12-10

[BGV12-6] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. In ITCS 2012

[7] Martin Albrecht. Security Estimates for the Learning with Errors Problem, https://bitbucket.org/malb/lwe-estimator

[1]

[2]

[3]

[4]

[5]

[6]

[7]