Faster Homomorphic Encryption over GPGPUs via Hierarchical DGT

Abstract

Privacy guarantees are still insufficient for outsourced data processing in the cloud. While employing encryption is feasible for data at rest or in transit, it is not for computation without remarkable performance slowdown. Thus, handling data in plaintext during processing is still required, which creates vulnerabilities that can be exploited by malicious entities. Homomorphic encryption schemes enable computation over ciphertexts without knowing the related plaintexts or the decryption key. This work focuses on the challenge of developing an efficient implementation of the BFV scheme on CUDA. This is done by combining and adapting different literature approaches, as the double-CRT representation and the Discrete Galois Transform. Moreover, we propose and implement an improved formulation of the DGT inspired by classical algorithms, which computes the transform up to 2.6 times faster than the state-of-the-art. By using these approaches, we obtain up to 3.6 times faster homomorphic multiplication.

Appendices

A Properties of Gaussian Integers

This Appendix presents important properties of Gaussian integers and useful results that can be applied on their implementation. In the following, we recall some important properties stated by Wuthrich that are useful to this work [30].

Definition 3

(Norm). The norm of a Gaussian integer is defined as its product with its conjugate³. That is, \(N(a + ib) = (a + ib) \cdot (a - ib) = a^2 + b^2,\) so \(N(\alpha ) = \alpha \cdot \overline{\alpha }\).

Proposition 1

(Wuthrich’s Proposition 5.7). For each prime number \(p\equiv 1 \mod 4\) there are exactly two Gaussian primes \(\pi \) and \(\overline{\pi }\) of norm p.

Lemma 1

(Wuthrich’s Lemma 5.4). If \(\pi \in \mathbb {Z}[i]\) is such that \(N(\pi )\) is a prime number, then \(\pi \) is a Gaussian prime.

Lemma 2

(Wuthrich’s Lemma 5.6). Let p be a prime number with \(p \equiv 1 \mod 4\). Then there exists a Gaussian prime \(\pi \) such that \(p = \pi . \overline{\pi }\).

Lemma 3

(Wuthrich’s Lemma 5.10). Any prime \(p \equiv 1 \mod 4\) can be written as a sum of two squares. This is a manifestation of Fermat’s theorem on sums of two squares.

From Lemma 2 and Proposition 1, if p is prime such that \(p \equiv 1 \mod 4\), then we know that it can be factored as a product of exactly two Gaussian primes that are the conjugate of each other. Lemma 3 is a direct consequence since we know that a prime \(p \equiv 1 \mod 4\) can be factored as \(p = \pi \cdot \overline{\pi }\) and, assuming that \(\pi = a + bi\), we obtain that \(\pi \cdot \overline{\pi } = a^2 + b^2\).

B Generating k-th Primitive Roots of i Modulo p

The use of the DGT for polynomial multiplication in a cyclotomic polynomial ring requires the computation of a k-th root of i modulo a prime p, discussed in Sect. 3.1. This element is used for achieving a cyclotomic polynomial reduction for free when n is a power of two. When p is a Mersenne prime, the literature presents efficient analytic methods; for other choices of p, the best option still is a trial-and-error approach.

Badawi et al. state that a naive implementation of such approach takes 156 hours to find a \(2^{14}\)-th primitive root of i for \(p = 2^{64}-2^{32}+1\) [5]. Because of that, they propose a more efficient strategy, when \(p \equiv 1 \mod 4\), by factoring p in two Gaussian primes, namely \(f_0\) and \(f_1\). This decomposition of p is quite simple and relies on Lemma 2 and Proposition 1.

Algorithm 6 starts from the Fermat’s Little Theorem, which states that if p is a prime then \(n^{p-1} \equiv 1 \mod p\) for all \(n \in \mathbb {Z}_p\). Hence, the square root of that must be equivalent to either 1 or \(-1\). In the latter case, we can find a number \(k^2\) such that \(k \equiv n^{(p-1)/4} \equiv i \mod p\). In other words, if \(k^2 \equiv -1 \mod p\) then \(k^2 + 1 \equiv 0\mod p\) and p divides \(k^2 + 1\). Since \(k^2+1\) factors in \((k+i)\cdot (k-i)\), we found a factorization of p.

At this point, there is no guarantee that \(k+i\) is a Gaussian prime. By Lemma 4, we find that the greatest common divisor of p and \(k+i\) is either \(k+i\) or that there exists some u such that \(u \mid p\) and \(u \mid k+i\). Thus, since \(u = \texttt {gcd}(p, k+i)\) results in a Gaussian prime, we take it as the first factor of p. From Lemma 2, \(\overline{u}\) is the second factor.

Lemma 4

Let p be an odd prime such that \(p \equiv 1 \mod 4\) and \(k \in \mathbb {Z}_p\). The greatest common divisor of p and \(k+i\) is \(k+i\) or a Gaussian prime u such that \(u \mid p\) and \(u \mid k+i\).

Proof

By the Fermat’s theorem on sums of two squares, we have that an odd prime p can be expressed as \(p = x^2 + y^2\), with \(x,y \in \mathbb {Z}\), if, and only if, \(p \equiv 1 \mod 4\). Since \(x^2 + y^2 = (x + iy)(x - iy)\) and \(N(x + iy) = N(x - iy) = p\), then \(x + iy\) and \(x - iy\) are Gaussian primes and \(p = (x + iy)(x - iy)\) is the unique factorization of p in \(\mathbb {Z}[i]\), not considering the order of the factors⁴.

On the other hand, we have that \((k + i)(k - i) \equiv p \mod p\), by construction. Combining the two facts, we obtain that \(p = (x + iy)(x - iy) \equiv (k + i)(k - i)\), which is equivalent to \((k + i)(k - i) = \ell (x + iy)(x - iy)\), for some \(\ell \in \mathbb {Z}\).

When \(\ell = 1\), we have an equality and we find that \((k + i)\) and \((k - i)\) are indeed the factors of p. When \(\ell \ne 1\), \((k + i)\) is not a Gaussian prime and still can be factored in \(\mathbb {Z}[i]\); otherwise, it would be a factor of p. We know that p divides \((k + i)(k - i)\) but not \(k+i\), or its conjugate, since \(k < p\) and \((k + i)/p\) is not a Gaussian integer. Then, \(k + i\) and p must share a common factor u that can be found as the greatest common divisor. Since the two factors of p are \(x + iy\) and \(x + iy\), u must be one of them.

Finally, the factors of p can be found by computing the greatest common divisor of p and \(k + i\) and then computing its conjugate. Since \(p = x^2+y^2\) and \(N(x + iy) = N(x - iy) = x^2 + y^2\), by Lemma 1, the factors are Gaussian primes.

Given a method for factoring a prime number \(p \equiv 1 \mod 4\) in \(\mathbb {Z}[i]\), Badawi et al. propose Algorithm 7, which makes much faster the step of precomputing a k-th root of i for a prime \(p \equiv 1 \mod 4\) [5]. The method starts by finding the factorization \(p = f_0 \cdot f_1 \in \mathbb {Z}_p[i]\) using the Algorithm 6. Thus, we have that each Gaussian prime \(f_j\), with \(j = \{0,1\}\), defines a cyclic group corresponding to the set of Gaussian integers modulo \(f_j\). Then, a k-th root of i modulo p, denoted as h, is constructed via CRT using that \(h_j = \zeta ^{\frac{(p-1)}{4n}}_j \mod f_j\), with \(j = \{0,1\}\), where \(\zeta _j\) is a generator for the cyclic group j.