HEAAN

HEAAN
Developer(s)	Cryptography LAB in Seoul National University
Initial release	May 15, 2016;6 years ago
Repository	github.com/snucrypto/HEAAN ;
Written in	C++
Type	Homomorphic encryption
License	CC BY-NC 3.0

Last updated April 03, 2023

HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS).^[1] The first version of HEAAN was published on GitHub ^[2] on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm^[3] was released. Currently, the latest version is Version 2.1.^[4]^{[ verification needed ]}

CKKS plaintext space

Unlike other HE schemes, the CKKS scheme supports approximate arithmetics over complex numbers (hence, real numbers). More precisely, the plaintext space of the CKKS scheme is $\mathbb {C} ^{n/2}$ for some power-of-two integer $n$ . To deal with the complex plaintext vector efficiently, Cheon et al. proposed plaintext encoding/decoding methods which exploits a ring isomorphism ${\displaystyle \phi$ .

Encoding method

Given a plaintext vector ${\vec {z}}=(z_{1},z_{2},...,z_{n/2})\in \mathbb {C} ^{n/2}$ and a scaling factor $\Delta >1$ , the plaintext vector is encoded as a polynomial $m(X)\in R:=\mathbb {Z} [X]/(X^{n}+1)$ by computing $m(X)=\lfloor \Delta \cdot \phi ^{-1}({\vec {z}})\rceil \in R$ where $\lfloor \cdot \rceil$ denotes the coefficient-wise rounding function.

Decoding method

Given a message polynomial $m(X)\in R$ and a scaling factor $\Delta >1$ , the message polynomial is decoded to a complex vector ${\vec {z}}\in \mathbb {C} ^{n/2}$ by computing ${\vec {z}}=\Delta ^{-1}\cdot \phi (m(X))\in \mathbb {C} ^{n/2}$ .

Here the scaling factor $\Delta >1$ enables us to control the encoding/decoding error which is occurred by the rounding process. Namely, one can obtain the approximate equation ${\text{Dcd}}({\text{Ecd}}({\vec {z}};\Delta );\Delta )\approx {\vec {z}}$ by controlling $\Delta$ where ${\text{Ecd}}$ and ${\text{Dcd}}$ denote the encoding and decoding algorithm, respectively.

From the ring-isomorphic property of the mapping ${\displaystyle \phi$ , for $m_{1}={\text{Ecd}}({\vec {z}}_{1};\Delta )$ and $m_{2}={\text{Ecd}}({\vec {z}}_{2};\Delta )$ , the following hold:

${\text{Dcd}}(m_{1}+m_{2};\Delta )\approx {\vec {z}}_{1}+{\vec {z}}_{2}$ ,
${\text{Dcd}}(m_{1}\cdot m_{2};\Delta )\approx {\vec {z}}_{1}\circ {\vec {z}}_{2}$ ,

where $\circ$ denotes the Hadamard product of the same-length vectors. These properties guarantee the approximate correctness of the computations in the encoded state when the scaling factor $\Delta$ is chosen appropriately.

Algorithms

The CKKS scheme basically consists of those algorithms: key Generation, encryption, decryption, homomorphic addition and multiplication, and rescaling. For a positive integer $q$ , let $R_{q}:=R/qR$ be the quotient ring of $R$ modulo $q$ . Let $\chi _{s}$ , $\chi _{r}$ and $\chi _{e}$ be distributions over $R$ which output polynomials with small coefficients. These distributions, the initial modulus $Q$ , and the ring dimension $n$ are predetermined before the key generation phase.

Key generation

The key generation algorithm is following:

Sample a secret polynomial $s\leftarrow \chi _{s}$ .
Sample $a$ (resp. $a'$ ) uniform randomly from $R_{Q}$ (resp. $R_{PQ}$ ), and $e,e'\leftarrow \chi _{e}$ .
Output a secret key $sk\leftarrow (1,s)\in R_{Q}^{2}$ , a public key $pk\leftarrow (b=-a\cdot s+e,a)\in R_{Q}^{2}$ , and an evaluation key $evk\leftarrow (b'=-a'\cdot s+e'+P\cdot s^{2},a')\in R_{PQ}^{2}$ .

Encryption

The encryption algorithm is following:

Sample an ephemeral secret polynomial $r\leftarrow \chi _{r}$ .
For a given message polynomial $m\in R$ , output a ciphertext $ct\leftarrow (c_{0}=r\cdot b+e_{0}+m,c_{1}=r\cdot a+e_{1})\in R_{Q}^{2}$ .

Decryption

The decryption algorithm is following:

For a given ciphertext $ct\in R_{q}^{2}$ , output a message $m'\leftarrow \langle ct,sk\rangle$ $({\text{mod }}q)$ .

The decryption outputs an approximate value of the original message, i.e., ${\text{Dec}}(sk,{\text{Enc}}(pk,m))\approx m$ , and the approximation error is determined by the choice of distributions $\chi _{s},\chi _{e},\chi _{r}$ . When considering homomorphic operations, the evaluation errors are also included in the approximation error. Basic homomorphic operations, addition and multiplication, are done as follows.

Homomorphic addition

The homomorphic addition algorithm is following:

Given two ciphertexts $ct$ and $ct'$ in $R_{q}^{2}$ , output $ct_{\text{add}}\leftarrow ct+ct'\in R_{q}^{2}$ .

The correctness holds as ${\text{Dec}}(sk,ct_{\text{add}})\approx {\text{Dec}}(sk,ct)+{\text{Dec}}(sk,ct')$ .

Homomorphic multiplication

The homomorphic multiplication algorithm is following:

Given two ciphertext $ct=(c_{0},c_{1})$ and $ct'=(c_{0}',c_{1}')$ in $R_{q}^{2}$ , compute $(d_{0},d_{1},d_{2})=(c_{0}c_{0}',c_{0}c_{1}'+c_{1}c_{0}',c_{1}c_{1}')$ $({\text{mod }}q)$ . Output $ct_{\text{mult}}\leftarrow (d_{0},d_{1})+\lfloor P^{-1}\cdot d_{2}\cdot evk\rceil \in R_{q}^{2}$ .

The correctness holds as ${\text{Dec}}(sk,ct_{\text{mult}})\approx {\text{Dec}}(sk,ct)\cdot {\text{Dec}}(sk,ct')$ .

Note that the approximation error (on the message) exponentially grows up on the number of homomorphic multiplications. To overcome this problem, most of HE schemes usually use a modulus-switching technique which was introduced by Brakerski, Gentry and Vaikuntanathan.^[5] In case of HEAAN, the modulus-switching procedure is called rescaling. The Rescaling algorithm is very simple compared to Brakerski-Gentry-Vaikuntanathan's original algorithm. Applying the rescaling algorithm after a homomomorphic multiplication, the approximation error grows linearly, not exponentially.

Rescaling

The rescaling algorithm is following:

Given a ciphertext $ct\in R_{q}^{2}$ and a new modulus $q'<q$ , output a rescaled ciphertext $ct_{\text{rs}}\leftarrow \lfloor (q'/q)\cdot ct\rceil \in R_{q'}^{2}$ .

The total procedure of the CKKS scheme is as following: Each plaintext vector ${\vec {z}}$ which consists of complex (or real) numbers is firstly encoded as a polynomial $m(X)\in R$ by the encoding method, and then encrypted as a ciphertext $ct\in R_{q}^{2}$ . After several homomorphic operations, the resulting ciphertext is decrypted as a polynomial $m'(X)\in R$ and then decoded as a plaintext vector ${\vec {z}}'$ which is the final output.

Security

The IND-CPA security of the CKKS scheme is based on the hardness assumption of the ring learning with errors (RLWE) problem, the ring variant of very promising lattice-based hard problem Learning with errors (LWE). Currently the best known attacks for RLWE over a power-of-two cyclotomic ring are general LWE attacks such as dual attack and primal attack. The bit security of the CKKS scheme based on known attacks was estimated by Albrecht's LWE estimator.^[6]

Library

Version 1.0, 1.1 and 2.1 have been released so far. Version 1.0 is the first implementation of the CKKS scheme without bootstrapping. In the second version, the bootstrapping algorithm was attached so that users are able to address large-scale homomorphic computations. In Version 2.1, currently the latest version, the multiplication of ring elements in $R_{q}$ was accelerated by utilizing fast Fourier transform (FFT)-optimized number theoretic transform (NTT) implementation.

Related Research Articles

In mathematical physics and mathematics, the Pauli matrices are a set of three $2 \times 2$ complex matrices which are Hermitian, involutory and unitary. Usually indicated by the Greek letter sigma, they are occasionally denoted by tau when used in connection with isospin symmetries.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

The Kerr–Newman metric is the most general asymptotically flat, stationary solution of the Einstein–Maxwell equations in general relativity that describes the spacetime geometry in the region surrounding an electrically charged, rotating mass. It generalizes the Kerr metric by taking into account the field energy of an electromagnetic field, in addition to describing rotation. It is one of a large number of various different electrovacuum solutions, that is, of solutions to the Einstein–Maxwell equations which account for the field energy of an electromagnetic field. Such solutions do not include any electric charges other than that associated with the gravitational field, and are thus termed vacuum solutions.

In mathematics, the Grothendieck group, or group of differences, of a commutative monoid $M$ is a certain abelian group. This abelian group is constructed from $M$ in the most universal way, in the sense that any abelian group containing a homomorphic image of $M$ will also contain a homomorphic image of the Grothendieck group of $M$ . The Grothendieck group construction takes its name from a specific case in category theory, introduced by Alexander Grothendieck in his proof of the Grothendieck–Riemann–Roch theorem, which resulted in the development of K-theory. This specific case is the monoid of isomorphism classes of objects of an abelian category, with the direct sum as its operation.

In mathematics, Differential algebra is, broadly speaking, the area of mathematics consisting in the study of differential equations and differential operators as algebraic objects in view of deriving properties of differential equations and operators without computing the solutions, similarly as polynomial algebras are used for the study of algebraic varieties, which are solution sets of systems of polynomial equations. Weyl algebras and Lie algebras may be considered as belonging to differential algebra.

In physics, the Majorana equation is a relativistic wave equation. It is named after the Italian physicist Ettore Majorana, who proposed it in 1937 as a means of describing fermions that are their own antiparticle. Particles corresponding to this equation are termed Majorana particles, although that term now has a more expansive meaning, referring to any fermionic particle that is its own anti-particle.

The Tonelli–Shanks algorithm is used in modular arithmetic to solve for r in a congruence of the form r² ≡ n, where p is a prime: that is, to find a square root of n modulo p.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

<span class="mw-page-title-main">Voigt effect</span>

The Voigt effect is a magneto-optical phenomenon which rotates and elliptizes linearly polarised light sent into an optically active medium. Unlike many other magneto-optical effects such as the Kerr or Faraday effect which are linearly proportional to the magnetization, the Voigt effect is proportional to the square of the magnetization and can be seen experimentally at normal incidence. There are several denominations for this effect in the literature: the Cotton–Mouton effect, the Voigt effect, and magnetic-linear birefringence. This last denomination is closer in the physical sense, where the Voigt effect is a magnetic birefringence of the material with an index of refraction parallel and perpendicular $) to the magnetization vector or to the applied magnetic field.$

In signal processing, a polyphase matrix is a matrix whose elements are filter masks. It represents a filter bank as it is used in sub-band coders alias discrete wavelet transforms.

In mathematics and mathematical physics, raising and lowering indices are operations on tensors which change their type. Raising and lowering indices are a form of index manipulation in tensor expressions.

In fluid dynamics, the Oseen equations describe the flow of a viscous and incompressible fluid at small Reynolds numbers, as formulated by Carl Wilhelm Oseen in 1910. Oseen flow is an improved description of these flows, as compared to Stokes flow, with the (partial) inclusion of convective acceleration.

Turingery or Turing's method was a manual codebreaking method devised in July 1942 by the mathematician and cryptanalyst Alan Turing at the British Government Code and Cypher School at Bletchley Park during World War II. It was for use in cryptanalysis of the Lorenz cipher produced by the SZ40 and SZ42 teleprinter rotor stream cipher machines, one of the Germans' Geheimschreiber machines. The British codenamed non-Morse traffic "Fish", and that from this machine "Tunny".

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of a prime factor of the secret key is available.

In coding theory, generalized minimum-distance (GMD) decoding provides an efficient algorithm for decoding concatenated codes, which is based on using an errors-and-erasures decoder for the outer code.

In physics, particularly in quantum field theory, the Weyl equation is a relativistic wave equation for describing massless spin-1/2 particles called Weyl fermions. The equation is named after Hermann Weyl. The Weyl fermions are one of the three possible types of elementary fermions, the other two being the Dirac and the Majorana fermions.

Inverse modeling is a mathematical technique where the objective is to determine the physical properties of the subsurface of an earth region that has produced a given seismogram. Cooke and Schneider (1983) defined it as calculation of the earth's structure and physical parameters from some set of observed seismic data. The underlying assumption in this method is that the collected seismic data are from an earth structure that matches the cross-section computed from the inversion algorithm. Some common earth properties that are inverted for include acoustic velocity, formation and fluid densities, acoustic impedance, Poisson's ratio, formation compressibility, shear rigidity, porosity, and fluid saturation.

In coding theory, Zemor's algorithm, designed and developed by Gilles Zemor, is a recursive low-complexity approach to code construction. It is an improvement over the algorithm of Sipser and Spielman.

Short integer solution (SIS) and ring-SIS problems are two average-case problems that are used in lattice-based cryptography constructions. Lattice-based cryptography began in 1996 from a seminal work by Miklós Ajtai who presented a family of one-way functions based on SIS problem. He showed that it is secure in an average case if the shortest vector problem $(where for some constant) is hard in a worst-case scenario.$

A central problem in algorithmic graph theory is the shortest path problem. One of the generalizations of the shortest path problem is known as the single-source-shortest-paths (SSSP) problem, which consists of finding the shortest path between every pair of vertices in a graph. There are classical sequential algorithms which solve this problem, such as Dijkstra's algorithm. In this article, however, we present two parallel algorithms solving this problem.

References

↑ Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15.
↑ Andrey Kim; Kyoohyung Han; Miran Kim; Yongsoo Song. "An approximate HE library HEAAN" . Retrieved 15 May 2016.
↑ Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018(springer).
↑ snucrypto/HEAAN, Cryptography LAB in Seoul National University, 2021-07-19, retrieved 2021-07-20
↑ Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. In ITCS 2012
↑ Martin Albrecht. Security Estimates for the Learning with Errors Problem, https://bitbucket.org/malb/lwe-estimator

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[CKKS17-1] Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15.

[HEAAN-2] Andrey Kim; Kyoohyung Han; Miran Kim; Yongsoo Song. "An approximate HE library HEAAN" . Retrieved 15 May 2016.

[CHK+18-3] Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018(springer).

[4] snucrypto/HEAAN, Cryptography LAB in Seoul National University, 2021-07-19, retrieved 2021-07-20

[BGV12-5] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping. In ITCS 2012

[6] Martin Albrecht. Security Estimates for the Learning with Errors Problem, https://bitbucket.org/malb/lwe-estimator

[1]

[2]

[3]

[4]

[5]

[6]