Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More

Genise, Nicholas; Micciancio, Daniele; Polyakov, Yuriy

doi:10.1007/978-3-030-17656-3_23

Cited by 24 publications

(24 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To be fully homomorphic, it relies on external products between TRGSW and TRLWE samples. In this case, we first decompose the TRLWE sample in TRLWE samples using a Gadget decomposition algorithm [GMP19]. Then, we perform an inner product between the decomposed TRLWE and the TRGSW sample (which already is a vector of TRLWE samples).…”

Section: Arithmeticmentioning

confidence: 99%

“…To obtain formal guarantees of independence (instead of a heuristic), Chillotti et al [CGGI20] points out that we could perform the gadget decomposition in a probabilistic way. We implemented the probabilistic gadget decomposition proposed by Genise et al [GMP19], but we obtained no improvements over the deterministic algorithm. We were only able to obtain the linear growth by lowering the error variance introduced by the gadget decomposition.…”

Section: Suitable Functionsmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting the functional bootstrap in TFHE

Guimarães

Borin

Aranha

2021

TCHES

View full text Add to dashboard Cite

The FHEW cryptosystem introduced the idea that an arbitrary function can be evaluated within the bootstrap procedure as a table lookup. The faster bootstraps of TFHE strengthened this approach, which was later named Functional Bootstrap (Boura et al., CSCML’19). From then on, little effort has been made towards defining efficient ways of using it to implement functions with high precision. In this paper, we introduce two methods to combine multiple functional bootstraps to accelerate the evaluation of reasonably large look-up tables and highly precise functions. We thoroughly analyze and experimentally validate the error propagation in both methods, as well as in the functional bootstrap itself. We leverage the multi-value bootstrap of Carpov et al. (CT-RSA’19) to accelerate (single) lookup table evaluation, and we improve it by lowering the complexity of its error variance growth from quadratic to linear in the value of the output base. Compared to previous literature using TFHE’s functional bootstrap, our methods are up to 2.49 times faster than the lookup table evaluation of Carpov et al. (CT-RSA’19) and up to 3.19 times faster than the 32-bit integer comparison of Bourse et al. (CT-RSA’20). Compared to works using logic gates, we achieved speedups of up to 6.98, 8.74, and 3.55 times over 8-bit implementations of the functions ReLU, Addition, and Maximum, respectively.

show abstract

Section: Arithmeticmentioning

confidence: 99%

Section: Suitable Functionsmentioning

confidence: 99%

Revisiting the functional bootstrap in TFHE

Guimarães

Borin

Aranha

2021

TCHES

View full text Add to dashboard Cite

show abstract

“…We improve an existing efficient subgaussian gadget decomposition algorithm [3] with a noncentral bounded uniform distribution which is a subgaussian distribution [18]. Our algorithm theoretically achieves Pythagorean error growth, linear time complexity as [3], and much faster computation cost. Hence, it can be an alternative of naive digit decomposition used in FHE schemes without any extra assumption in practice.…”

Section: A Our Contributionmentioning

confidence: 99%

“…The coefficient of output is larger than binary decomposition with an additional factor Ω( √ log k). Therefore, subgaussian sampling is regarded as a potential alternative [2], [3] since it can achieve not only significant properties of the Gaussian distribution such as Pythagorean additivity without the factor Ω( √ log k) but also somewhat faster implementation performance due to its relaxed probability condition. Even though subgaussian sampling has much more attractive advantages in many advanced cryptosystems, the importance of the subgaussian distribution has mainly been studied in a theoretical way [2].…”

Section: Introductionmentioning

confidence: 99%

“…Then they analyze the output quality by using the benefits of subgaussian sampling such as Pythagorean additivity. However, thanks to the first practical implementation of subgaussian sampling with a triangular distribution recently proposed by Genise et al [3], the deterministic algorithms used in many HE schemes can be replaced by their algorithm with small computation time overhead and without heuristic independence assumption. Furthermore, such digit decomposition algorithm can be used for many of other lattice based cryptographic primitives which support homomorphic operations such as GSW-style HE [10]- [13] , homomorphic signature scheme [14], Attribute-Based Encryption (ABE) schemes [15], [16], homomorphic identitybased encryption [17] and more.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Lattice Gadget Decomposition Algorithm With Bounded Uniform Distribution

2021

View full text Add to dashboard Cite

A gadget decomposition algorithm is commonly used in many advanced lattice cryptography applications which support homomorphic operations over ciphertexts to control the noise growth. For a special structure of a gadget, the algorithm is digit decomposition. If such algorithm samples from a subgaussian distribution, that is, the output is randomized, it gives more benefits on output quality. One of the important advantages is Pythagorean additivity which makes the resulting noise contained in a ciphertext grow much less than naive digit decomposition. Therefore, the error analysis becomes cleaner and tighter than the use of other measures like Euclidean norm and infinity norm. Even though such advantage can also be achieved by use of discrete Gaussian sampling, it is not attractive for practical performance due to a large factor in resulting noise and the complex computation of the exponential function, whereas a more relaxed probability condition is required for a subgaussian distribution. Nevertheless, subgaussian sampling has barely received an attention so far, thus no practical algorithms was implemented before an efficient algorithm is presented by Genis et al., recently. In this paper, we present a practically efficient gadget decomposition algorithm where output follows a subgaussian distribution. We parallelize the existing practical subgaussian gadget decomposition algorithm, using a bounded uniform distribution. Our algorithm is divided into two independent subalgorithms and only one algorithm depends on the input. Therefore, the other algorithm can be considered as precomputation. As an experimental result, our algorithm performs over 50% better than the existing algorithm.

show abstract

Rounding in the Rings

Liu

Wang

2020

Advances in Cryptology – CRYPTO 2020

View full text Add to dashboard Cite

Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More

Cited by 24 publications

References 32 publications

Revisiting the functional bootstrap in TFHE

Revisiting the functional bootstrap in TFHE

Efficient Lattice Gadget Decomposition Algorithm With Bounded Uniform Distribution

Rounding in the Rings

Contact Info

Product

Resources

About