An Efficient Encrypted Floating-Point Representation Using HEAAN and TFHE

Moon, Subin; Lee, Younho

doi:https://doi.org/10.1155/2020/1250295

Security and Communication Networks

On this page

Abstract Introduction Related Work and System Model Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 1250295 | https://doi.org/10.1155/2020/1250295

An Efficient Encrypted Floating-Point Representation Using HEAAN and TFHE

Subin Moon¹and Younho Lee²

Guest Editor: Veljko Milutinovic

Received30 Oct 2019

Revised17 Jan 2020

Accepted03 Feb 2020

Published02 Mar 2020

Abstract

As a method of privacy-preserving data analysis (PPDA), a fully homomorphic encryption (FHE) has been in the spotlight recently. Unfortunately, because many data analysis methods assume that the type of data is of real type, the FHE-based PPDA methods could not support the enough level of accuracy due to the nature of FHE that fixed-point real-number representation is supported easily. In this paper, we propose a new method to represent encrypted floating-point real numbers on top of FHE. The proposed method is designed to have analogous range and accuracy to 32-bit floating-point number in IEEE 754 representation. We propose a method to perform arithmetic operations and size comparison operations. The proposed method is designed using two different FHEs, HEAAN and TFHE. As a result, HEAAN is proven to be very efficient for arithmetic operations and TFHE is efficient in size comparison. This study is expected to contribute to practical use of FHE-based PPDA.

1. Introduction

Fully homomorphic encryption (FHE) is a technology that supports computation on ciphertexts without decrypting them. Using these properties, we can process and analyze sensitive medical and financial information without exposing them if we use FHE. Therefore, FHE is expected to be an indispensable core technology for the prevalence of artificial intelligence and data mining, which is the core technology of the 4th industrial revolution [1, 2].

Most existing FHEs manage ciphertext on a bit-by-bit basis. Some methods have a number of slots in a ciphertext and support SIMD operations. Even in this case, only one bit of plaintext can be inserted into a single slot. This is because FHE schemes are defined on particular mathematical structures. If multiple bits occupy a slot, it is unclear as to whether or not all efficient computation algorithms can be implemented using the operations provided naturally on the mathematical structures.

On the other hand, in the case where only a 1-bit plaintext is inserted in the slot, any efficient algorithm can be implemented with the bitwise-AND and bitwise-XOR operations. Thus, if these operations are implemented with the operations on the mathematical structures, and the ciphertexts are enabled to work with them indefinite number of times, we can say that FHE schemes can implement any efficient algorithm. There are numerous FHE schemes that follow this argument [3–12], including HELib and TFHE.

The purpose of this study is to realize representation of encrypted floating-point real number and their operations. Various machine learning algorithms use real numbers to manage their input, output, and intermediate values, as is the case with the recently introduced Deep Neural Network. There have been various attempts to realize these algorithms using FHE and to perform machine learning and classification even when receiving encrypted input values. However, due to the bitwise nature of the plaintexts in most FHE schemes as described above, the existing attempts have treated real numbers with fixed-point representation in most cases. Since using fixed-point numbers in this field causes the degradation of the accuracy and range of the expressed values, it also affects the algorithm performance. For this reason, floating-point representation is preferred in numerical applications [13].

Unfortunately, there have been only few attempts to represent floating-point numbers with FHE. A representative study is the HEAAN method [14]. In HEAAN, floating point numbers can be thought of because they have the advantage of keeping the same significant digits regardless of the size of the computed result. However, HEAAN has a few drawbacks. First, it does not provide comparison operations on given numbers. This is a big problem when implementing various applications using HEAAN. Second, HEAAN provides the division operation only within a limited range of realizations. That is, if “a” is the real number contained in a cipher text, then |1−a| ≤ 1/2 should be held. Therefore, in order to use HEAAN for applications, it is necessary to scaling the values.

Apart from HEAAN, TFHE was proposed in 2017, which supports very fast bootstrapping [7]. Sadly, because it does not provide floating-point operations, a new method is needed to support the encrypted floating-point representation over TFHE and the operations that can work on top of the representation.

Therefore, we propose an encrypted floating-point representation on which it is provided efficient floating-point operations over the encrypted values by the above FHE schemes. In the proposed method, real numbers are expressed with sign, exponent, and mantissa similarly to the conventional IEEE 754 expression. However, it is designed to achieve the efficiency of the entire operations by utilizing the characteristics of each FHE method. Supporting the efficient floating-point operations over the proposed encrypted representation is not an easy task because we have to consider all possible values that ciphertexts of the proposed representation must have when we design the computation circuits to implement the operations.

In this paper, we compare the performance of two representations each of which is implemented on top of HEAAN and FHE, respectively. As a result of performance comparison, HEAAN has a computation speed of several tens to hundreds of times faster than that of TFHE-based implementation. In the comparison operation, TFHE has tens to hundreds of times higher performance than HEAAN. In the case of the equality checking operation, we could observe that TFHE case is about 5 times faster than HEAAN. The proposed method is expected to be used for the implementation of the algorithms in privacy-preserving machine learning. In particular, it tells you what type of FHE schemes to use depending on the type of operation being used. Based on this, we hope that it could be widely used in encrypted data processing and analysis applications.

This paper is organized as follows. Section 2 describes the preliminary to help understanding this study. Section 3 introduces the research motivation and related work. In Section 4, the proposed method is given, which is followed by the performance evaluation of implementation results in Section 5. Section 6 concludes the paper.

2. Preliminary

2.1. IEEE 754 Floating-Point Representation

The proposed representation is a variant of IEEE 754 standard floating-point representation to support the arithmetic and relational operations efficiently with the underlying FHE schemes. Therefore, to understand the proposed representation easily, we first briefly overview it. In IEEE 754, two types of floating-point representation are defined, single-precision and double-precision, depending on the number of bits assigned for a representation. In this work, we only focus on the single-precision representation as this is only applied for the proposed one.

Figure 1 shows the IEEE 754 single-precision representation. It is composed of three parts: 1-bit sign, 8-bit exponent, and 23-bit mantissa. The sign bits represent if the value is positive (0) or negative (1). The exponent bits represent the exponent which is in the range between −127 and 127. The “fraction” bits contain the significant bits of the value. In normal mode, Figure 1 represents a real number (−1) ^(sign) ∗ 1. (FRACTION) (2) ∗ 2^{(EXPONENT(2)−127)}, where binary values represent unsigned positive integers.

The arithmetic and relational operations between the numbers expressed in this way can be carried out as follows. In the case of addition and subtraction, the exponents of two operands are made equal. The mantissas of them are adjusted following the changed exponents, respectively. After that, the operation is performed with the adjusted mantissas. In the case of multiplication and division, operations are performed on exponents and mantissas of two operands, respectively. After processing, adjustment is performed on the resultant exponent and mantissa in order to match the expression rules. Please refer to [15] for details.

2.2. Fully Homomorphic Encryption (FHE)

FHE is a special cryptosystem that can process encrypted data without decrypting them. This is useful for data delegation or privacy-preserving data processing. Figure 2 shows the difference between FHE and a conventional encryption scheme when addition of two encrypted numbers is performed. With the ciphertexts by FHE, addition of their hidden plaintext values is possible without decryption.

An FHE scheme is defined with the following algorithms: ParamGen (1^λ, N, L) ⟶ param: this generates a parameter for key generation. It takes the security parameter λ, the number of slots in a ciphertext N, and the possible multiplicative depth of a fresh ciphertext without bootstrapping L. KeyGen (param) ⟶ sk, pk, evk: this is a key generation algorithm, which takes the parameter from the parameter generation algorithm and outputs sk, a secret key for decryption, pk, a public key for encryption, and evk, a set of the evaluation keys with which some computation over the ciphertexts can be done if the ciphertexts are generated with the matched pk. Enc (, pk) ⟶ C: an encryption algorithm which takes a vector of plaintext message of dimension N and a public key and outputs a ciphertext that contains . Dec (C, sk) ⟶ (or ⊥): it takes a ciphertext c and a secret key sk, and outputs a plaintext if C is the result of Enc(, pk) and pk is matched to sk. Otherwise, it outputs ⊥.

In addition to the above algorithms, FHE provides computational algorithms between ciphertexts. However, they provide different functions for each FHE scheme. Therefore, they will be described when each FHE scheme is introduced. We introduce two recent FHE schemes, which are used to implement the proposed (encrypted) floating-point representation.

2.2.1. HEAAN

HEAAN’s ciphertext can contain multiple plaintext bits in one slot, unlike the previous FHE methods [14, 16]. Let the corresponding bit length be the word size. HEAAN also supports various operations between the encrypted values of a word size in the ciphertext slots. Unfortunately, they are supported in an approximate fashion. That is, if an operation is performed between encrypted word-sized values, the bit-precision of the result is similar to that of an operand. In the case of multiplication, when the bit length of operands is n, the result’s bit length should be 2n−1 to represent the result correctly. However, in HEAAN, only the most significant n bits of the result are correct. At the expense of this bit accuracy, HEAAN supports very fast arithmetic operations on word-sized encrypted data. This fast computation speed allows HEAAN to be used in many fields such as machine learning and machine control [17, 18]. In addition, unlike TFHE, HEAAN has the advantage of providing a complete SIMD function. That is, there is an advantage that the value can be shifted between slots. The major disadvantage of HEAAN compared to TFHE is that it requires bootstrapping. That is, when performing multiplication operations more than a certain number of times consecutively, that is, when a multiplication circuit having a certain depth or more is performed, bootstrapping should be performed to do further multiplication while preserving the correct computation result. Otherwise, the ciphertext no longer has the correct plaintext. HEAAN_Mult (C₀, C₁, evk) ⟶ C_mult: this algorithm multiplies the encrypted values stored in each slot of the same position in two ciphers C₀, C₁ with each other and stores the result in the same slot position of the resultant ciphertext C_mult. HEAAN_Add/Sub (C₀, C₁, evk) ⟶ C_add (C_sub): this algorithm performs slotwise addition (subtraction) with two ciphertexts C₀ and C₁ and outputs C_add (C_sub) which has the result of the computation. HEAAN_Bootstrapping (C₀, evk) ⟶ c_new: this algorithm takes a ciphertext C₀ and returns a new ciphertext C_new with the same plaintext. We can execute a multiplicative circuit of a certain number of depths with Cnew, where the depth is defined by the parameters. HEEAN_LeftShift (C₀, k, evk) ⟶ C_shifted: this algorithm generates a new ciphertext C_shifted by moving the plaintexts in each slot of cipher C₀ to the left by k slots. It is a circular shift. Thus, we can shift the values in C₀ to the right by k slots by making the values shifted left by N-k slots, where N is the number of total slots.

HEAAN supports the following algorithms in addition to the common FHE algorithms described above.

2.2.2. TFHE

TFHE [9, 19] was created in 2017 using the GSW [20] technique. Each slot in the TFHE ciphertext contains a 1-bit plaintext. It supports bitwise AND and bitwise XOR operations on the encrypted plaintext bit in each slot. Based on those operations, it is possible to implement any arbitrary efficient algorithm which can work with encrypted inputs. In addition to the basic algorithms mentioned above, TFHE supports the following algorithms: TFHE_AND (C₀, C₁, evk) ⟶ c_and: a bitwise AND operation is performed on the values of the slot at the same position in the two ciphertexts c₀ and c₁, and the result is stored in the slot of the same position in the resultant cipher C_and. TFHE_XOR (C₀, C₁, evk) ⟶ C_xor: it executes the slotwise XOR operations on bit values of the same slot position in c₀ and c₁. The result is stored in the same slot position of the resultant ciphertext C_xor.

One advantage of THE is that it supports very fast bootstrapping. However, it needs bootstrapping at the end of every operation. Thus, we suppose that the bootstrapping is contained in the above bitwise operations.

2.2.3. An Overview for the Ciphertext Structures and Operations

To help the readers understand both FHE methods, we discuss the format of the ciphertext used and more details on them. Let us talk about HEAAN first. Figure 3 shows the structure of the HEAAN ciphertext and the operations supported on it. In HEAAN, as shown in the figure below, a limited number of real numbers can be stored in one ciphertext. Arithmetic operations can be performed between those in the same slot as shown in Figure 3(B). In addition to this, as shown in Figure 3(C), it is possible to move the embedded plaintexts between slots. Finally, if there are two ciphertexts where only 0 or 1 are encrypted in each slot, then logical AND/XOR operations between the encrypted values are possible in the same slot position of both ciphertexts. These logical operations can be implemented by arithmetic subtraction, addition, and multiplication using the equations described in Figure 3(D). Unfortunately, there is a disadvantage that a slot can only store a fixed-point real-number plaintext. Also, a certain operation can work only when the stored plaintext value is within a limited range. TFHE has similar ciphertext structure as HEAAN, but each slot can contain only 0 or 1 (1 bit value). Also, slot-shift operation is not supported.

3.1. Related Work

There have been some attempts to represent encrypted floating-point real numbers before this study. Arita and Nakasato [21] proposed the FHE4FX method that can perform addition and multiplication between encrypted floating-point numbers without decryption based on the FV FHE method [22]. It generates an encrypted floating-point representation by encrypting each sign, exponent, and mantissa part of a real number in separate ciphertexts. For the multiplication and addition operations between encrypted values, it first determines the type of FHE operations to be performed on the sign, exponent, and mantissa parts based on the comparison result of values of each part of the ciphertext. Unfortunately, there is some limitation in this approach that it is necessary to use the decryption key for computation and it does not support operations other than addition and multiplication.

Zhu et al. [23] proposed a method to represent floating-point numbers as Double List Tree format and provide the encryption function for them with Paillier cryptosystem [24]. Their work utilizes hashtag (#) to represent the location of the decimal points of encrypted numbers. However, in this method, the digits of the real number can be inferred through the position of the hashtag used for performing the operation of each digit. Furthermore, their arithmetic operations use the size comparison operation. However, they did not show how to implement the size comparison operation.

In the method of Jaschke and Armknecht [25], when an operation is performed on encrypted rational numbers, they are multiplied by an exponent of 2 to move the decimal place values to an integer position. After this, rounding is performed to remove the decimal point value, and the main operation is performed with only the integer parts of two operands. After that, the desired result is obtained by adjusting the digits. This process has the disadvantage that the precision of the operation is reduced because the calculation is performed after some bit values of input rational numbers are removed.

There are other methods such as those of Seiko and Nakasato [26] and Dowlin et al. [27]. However, they require a very large computation for floating-point operations. Also, as we mentioned in the previous section, HEAAN [14, 16] has some limitation on representing encrypted floating-point numbers. Also, there has been no approach to represent encrypted floating-point numbers on top of TFHE [9, 19].

In conclusion, there is no way to represent encrypted floating-point real numbers with similar level of accuracy and efficiency to the floating-point representation used in common computing environment, even if there are so many methods using existing FHE methods. In this paper, we aim to solve this problem and make it possible to represent encrypted floating-point numbers and to perform computation with them efficiently. In other words, this research is the first study to propose and implement a size comparison operation and arithmetic operations over encrypted floating-point real-number representation efficiently using FHE.

3.2. System Model

The system model assumed in this study is as follows. The client translates the plaintext representation of the floating-point real numbers into the encrypted one using the proposed method and delivers it to the central server. The central server then performs an algorithm that can be performed on the encrypted input and returns the results back to the client. The client can decode the result to get the result. In this model, the client and server shares their public keys with each other.

The security model we assume is the general Honest-But-Curious (HBC) model. The central server performs predefined protocols, but it tries to obtain useful information of the clients while running the protocol. The clients are those who own their data, including both input and result of the protocol, and want it to be protected from the central server. Please check Figure 4 above for the detailed description of the system and security model.

4. Proposed Approach

In this section, we propose a new scheme to represent encrypted floating-point numbers using two methods, HEAAN and TFHE, respectively. Our proposal includes the methods to support the arithmetic and the relation operations over the encrypted numbers represented by the proposed methods. Before explaining each method, we first introduce the tools used to implement the proposed methods and then proceed to the description of the proposed one. We omit showing the evaluation key (evk) when we present the proposed methods because any calculation involving the proposed encrypted representation needs evk.

4.1. Building Blocks

4.1.1. Kogge–Stone Adder (KSA)

The authors in [28] implemented the Kogge–Stone Adder [29], which performs addition on two input numbers, using FHE to have it work on encrypted input numbers. In [28], it is assumed that each slot of a ciphertext stores only one bit value, and all the slots are used to represent one number. Therefore, we can use [28] to implement the Kogge–Stone Adder over encrypted inputs using either TFHE or HEAAN, if we put only one-bit plaintext in each slot of ciphertext. Using this, it is possible to implement the adder using a circuit with log n multiplication depth when inputs are of n bits. Figure 5(A) shows the encrypted KSA (E-KSA) in [12]. Two ciphertexts are output of the adder where the first has the sum where all n slots are filled with outputs, whereas only one slot is used in the other ciphertext to represent the carry of the addition.

4.1.2. Comparator (COMP) Module

It compares the size of two ciphertexts and returns a ciphertext containing the result. For example, if there are two ciphers C₁ and C₂, and each represents a binary number using the bit values of all of its slots, this module returns a ciphertext of 1 when C₁ > C₂ and returns 0 otherwise (if the resultant ciphertext has many slots, it outputs the ciphertext containing 1 in every slot; this also holds in the case where the resultant ciphertext contains 0). It can be implemented as shown in Figure 5(B) using E-KSA module. The reason why this works is illustrated in Figure 5(C). For example, if C₁ contains an encryption of 1100₍₂₎ (4 bits) and C₂ contains 1010₍₂₎, we can see that a carry is generated as a result of adding the 1’s complements of C₁ and C₂. Based on this, we can confirm that C₁ > C₂.

When using such a COMP circuit, if two ciphertexts C₁ and C₂ are input, we can make a circuit that outputs a ciphertext C_B containing the larger plaintext and another ciphertext C_S which contains the smaller plaintext among the plaintexts encrypted in C₁ and C₂, respectively. If we assume the result of executing the COMP module with input C₁ and C₂ as COMP (C₁, C₂), C_B can be derived by calculating C₁ ∗ COMP(C₁, C₂) + C₂ ∗ (1_c—COMP (C₁, C₂)). Similarly, C_S ⟵ C₁ ∗ (1_c—COMP (C₁, C₂)) + C₂ ∗ COMP (C₁, C₂). 1_c means an encoding of 1 where calculation is possible with other ciphertexts. If the ciphertext has many slots, 1_c is an encoding of 1 in every slot. One caveat is that you cannot know whether C_B and C_S come from either C₁ or C₂, respectively, because the above formulas’ calculation results depend on the results of COMP() circuit whose output is encrypted; thus, it cannot be known without decryption. We can define the above two circuits as MinMax() as follows:

4.2. HEAAN-Based Method

The HEAAN-based method uses three ciphertexts to represent a single real number. The first ciphertext represents the sign of the real number, the second ciphertext stores the exponent value, and the last ciphertext stores the mantissa. The sign and exponent are expressed as bit values like IEEE 754 standard. However, when expressing a mantissa, the corresponding number is not stored as a multibit value. Instead, it is encrypted to a HEAAN ciphertext directly. One significant difference of this approach from IEEE 754 is that the value of the mantissa is assumed to be in the range [0, 1). This is because the HEAAN operation works better when the hidden plaintext in the ciphertext in [0, 1) than [1, 2).

Figure 6 shows the procedure on how a single floating-point number is encrypted using three ciphertexts. cresult [] is an array containing ciphertexts. It is assumed that the value assigned to the ciphertext cresult [] is encrypted and stored in the corresponding ciphertext. Figure 7 shows an example of converting a real number into the proposed encrypted representation.

4.2.1. Addition/Subtraction

The HEAAN-based addition method is implemented as shown in Figure 8. In this method, two operands are classified to a smaller number and the other bigger number first. Then, the exponent value of the smaller number is increased to be matched to that of the bigger number. The increase of the value of the smaller number, which results from the increasing the exponent, is cancelled by dividing the mantissa part. After that, two mantissa parts are added to complete the addition.

The details of addition operation is as follows. We suppose two operands to be added as C₁ = (C₁[SIGN], C₁[EXPO], C₁[FRAC]), C₂ = (C₂[SIGN], C₂[EXPO], C₂[FRAC]). The function ReArrange (), which returns a larger value in c_B and a small value in c_S among the input C₁ and C₂, can be implemented as shown in Figure 9. C₁ and C₂ are compared based on their exponent values.

We suppose the result of Rearrange (C₁, C₂, EXPO) is C_S and C_B. We run the following addition code with C_S and C_B in Figure 10. The output of the code is C_out. We discuss how the following code works. Because C_S[EXPO] < C_B[EXPO] and C_S[FRAC], C_B[EXPO] in [0, 1), the sign of the addition result is C_B[SIGN]. Also, to perform calculation, the code increases C_S[EXPO] to make it the same as C_B[EXPO]. To keep the original value of C_S after increasing C_S[EXPO], the code decreases C_S[FRAC] accordingly. After that, it returns the result of C_B[FRAC] + C_S[FRAC] when both C_B and C_S have the same sign or C_B[FRAC] − C_S[FRAC] if the signs are different. To keep the result’s fraction is in [0, 1), the exponent is increased by 1 and the fraction is divided by 2.

Because the maximum binary string that C_B[EXPO] and C_S[EXPO] can have is 11111111₍₂₎, C_eqcc is an encryption of 1 only once in the loop. In this case, C_B[FRAC] + C_S[FRAC] ∗ (1 − 2 ∗ C_sign) is given to C_out[FRAC], where C_sign is the result of checking if C_B[SIGN] and C_S[SIGN] are the same: if so, it has the encryption of 0, and 1 otherwise. In Step 3, EQCC (C_B[EXPO], C_S[EXPO]) executes HEAAN_XNOR(C_B[EXPO], C_S[EXPO]) from inside to perform XNOR operation between the bit values in the same slot of C_B[EXPO] and C_S[EXPO], respectively. After that, we multiply all the bit values in each slot of XNOR result to create C_comp. C_comp becomes 1 if C_B[EXPO] and C_S[EXPO] have exactly the same bit value in all of their slots; otherwise, it becomes 0.

To perform subtraction, the sign of the number to be subtracted is inverted using HEAAN_XNOR, and then the addition operation is performed instead.

4.2.2. Multiplication

Multiplication is easier to implement than addition. First, the sign of the result value is equal to the value obtained by XORing the sign of two input numbers, and the result of the exponent part can be obtained by adding the exponents of the two inputs. E-KSA can be used to calculate it. Also, the mantissa can be obtained by multiplying the mantissas of two input numbers. In this case, the result of multiplying mantissa is still in [0, 1). Thus, we have nothing to do further. Figure 11 shows the process of multiplying two encrypted floating-point real numbers C₁ and C₂ in the proposed method.

4.2.3. Comparison

In the HEAAN-based approach, COMP_HEAAN() function is used as a tool to perform the size comparison operation of the encrypted floating-point values. COMP_HEAAN () takes two HEAAN ciphertexts and the computation key evk of the ciphertext and performs the following operation [30]:

Using the above circuit, we can compare the size of two encrypted floating-point numbers C₁ = (C₁[SIGN], C₁[EXPO], C₁[FRAC]) and C₂ = (C₂[SIGN], C₂[EXPO], C₂[FRAC]) using the code written in Figure 12. If the code outputs an encryption of 1, it says C₁’s absolute value is greater than C₂’s and it returns an encryption of 0 otherwise. Step 2 in Figure 12 is described in Figure 13 in detail.

A circuit for determining if two encrypted representations are equal can be implemented similar to addition/subtraction circuit: it can be easily obtained by calculating whether the FRAC part and the SIGN part of both floating-point numbers to be compared are the same using COMP_HEAAN() after equalizing their EXPO parts.

4.2.4. Division

The division operation is similar to the multiplication operation except that the exponent part of the divisor is subtracted from the exponent of the dividend, and the inverse of the mantissa of the divisor is calculated using the inverse function and then it is multiplied by the mantissa of the dividend. In this case, if we do nothing further, the mantissa of the resultant value may be greater than 1. To deal with this, before performing the multiplication operations in the fraction part, the mantissa of the dividend is corrected so that it is smaller than the mantissa of the divisor. However, it is greater if the mantissa of the dividend is doubled. The process can be described as follows.

Step 1 in Figure 14 can be specified in detail as follows in Figure 15.

4.3. TFHE-Based Method

The TFHE-based expression follows the standard IEEE 754 exactly. For example, to represent 30.3 with the TFHE-based representation, we first translate this as 1.1110010011001100110 × 2³₍₂₎. Then we add 127 to the exponent to represent the exponent bits. The fraction part stores all the fraction bits except the first “1” at the left of the decimal point. In this approach, sign, exponents, and mantissa are encrypted by separate ciphertexts. The number of ciphertexts in C[SIGN] is 1, C[EXPO] is 8, and C[FRAC] is 23 when the encrypted floating-point number is represented as C = (C [SIGN], C [EXPO], C[FRAC]). Also, for ease of expression, TFHE_XOR () operation is written as ⊕, and TFHE_AND () operation is indicated by. Figure 16 explains the procedure of making a TFHE-based encrypted floating-point number representation with an example of 30.3.

To explain the methods clearly, we are going to use the following notations. An array of ciphertexts C[] = c₀||c₁||…||c_n−1 can be described as C[0] = c₀, C[1] = c₁,… , C_[n−1] = c_n−1, where c_i (i ∈ [0, n−1]) refers to an encryption of a single bit value. If we describe C[] = (c_n−1 c_n−2 … c₂c₁c₀) ₍₂₎, as a binary integer representation, then C[0] = c₀, C[1] = c₁,… , C_[n−1] = c_n−1, too_. If there are two array of ciphertexs A[] and C[], where both are represented as binary integers and they are added using E-KSA circuit, then the result C_R[] is 2ⁿ⁻¹ (c_n−1 + a_n−1) + 2ⁿ⁻² (c_n−2 + a_n−2)+ … + 2¹(c₁ + a₁) + c₀₊a_0. Also, you have to keep in mind that c ⊕ (c₀||c₁||…||c_n−1) = (c ⊕ c₀||c ⊕ c₁…||c ⊕ c_n-1) and (c_a0||c_a1||…||c_an) ⊕ (c_b0||c_b1||…||c_bn) = (c_a0 ⊕ c_b0||c_a1 ⊕ c_b1||…||c_an ⊕ c_bn). The concatenation of two ciphertext arrays A[] and B[] can be described as A[]||B[], and it generates a new array of ciphertexts. Finally, C[] = C[] >> 1 means C[i + 1] = C[i] for all i = 0, …, len(C[])−2 and C[0] = 0.

4.3.1. Addition/Subtraction

The addition algorithm is constructed in a manner as similar as the HEAAN-based method. However, in this TFHE based method, arrays of ciphertexts are used to represent the components of the representation and each ciphertext has one bit value, which complicates the process as shown in Figure 17. We use E-KSA as building block. The input of E-KSA, however, is arrays of ciphertexts instead of ciphertexts of multiple slots. Our implementation of E-KSA considered that. Figure 18 shows an implementation of Equality Comparison Circuit (TFHE_EQCC()) for TFHE representation, which is also a building block for addition operation. We also introduce the negate function (Negate()) which flips the bits in the input set of ciphertexts in Figure 19.

Figure 20 shows the procedure of addition operation with TFHE-based representation. For subtraction, the addition operation can be used after modifying the sign of the value to be subtracted.

4.3.2. Multiplication

The multiplication operation proceeds as follows. First, a basic operation is performed in which an XOR operation is performed on sign portions and the addition is performed on exponent portions. Then, the result of the multiplication operation of the fraction parts is applied. When adding the exponent parts, 127 is subtracted from the addition result to get the correct result. This is because the exponent part is basically expressed by adding 127 so that a negative number can be expressed with unsigned bit-strings. The overall multiplication process is shown in Figure 21 below.

Among the three operations in Figure 21, (1) and (2) are easy to implement, so we focus on (3). To perform (3), the numbers actually represented by C₁[FRAC] and C₂[FRAC] must be restored. The bits in C₁[FRAC] and C₂[FRAC] mean the values to the right of the decimal point in the two numbers’ fraction parts, and the leading “1” to the left of the decimal point is omitted as specified by the standard. Therefore, the multiplication calculation should be performed after recovering the “1”. Therefore, the multiplication is performed by attaching an encoding of “1” to the most significant digit, which is just left to the decimal point. In this case, the multiplication result cannot exceed 4, so the result is a 46-bit value with two bits to the left of the decimal point and the remaining 44 bits to the right.

After calculating C_m[], the final step is to check whether the value in the ciphertext C_m[0], which represents the most significant bit of the multiplication result and 1 bit left away from the decimal point, is 1. If C_m[0] is 1, the fraction part of the multiplication result is C_m [1] ∼ C_m [22], and the exponent value should be incremented by one. If C_m[0] is 0, that means C_m [1] is 1, so the exponent does not increase and the fraction part of the result is C_m [2]∼C_m [24]. The method that reflects this is shown in Figure 22 below.

4.3.3. Division

The division operation is similar to the multiplication operation. That is, to calculate the exponent part, the exponent value of the denominator is subtracted from the numerator, and division operation is performed between the fraction parts of them. Since the exponent should be added to 127 (=2^{((length of exponent bits)−1)} − 1) to represent the negative exponent, 127 should be added to the resultant exponent after the subtraction. An overview of division operation to calculate the resultant exponent and fraction is shown in Figures 23 and 24, respectively.

After calculating the exponent and the fraction, we need to correct them because the range of the result of calculating the fraction part is (0.5, 2). Thus, if the fraction part’s result is less than 1, 1 must be subtracted from the exponent and the bit position of the resultant fraction must be shifted to left by 1 bit. The sign is determined by XORing the signs of the numerator and denominator. Figure 25 shows the operations to be performed for division. C_out[EXPO] and C_out[FRAC] are the result values, C₁ = (C₁[SIGN], C₁[EXPO], C₁[FRAC]) is the numerator, and C₂ = (C₂[SIGN], C₂[EXPO], C₂[FRAC]) is the denominator.

As with multiplication, the most important and difficult process is (3). We use the nonrestoring division [31] method, which uses the divide-and-conquer to implement (3). This is known to be more efficient than the well-known methods such as those of Newton-Rapth [32] and Burnikel and Ziegler [33]. Figure 26 shows the result of implementing the nonrestoring division algorithm [15] to make it work on ciphertext input. This algorithm assumes that the highest-order bits are stored in index 0 of each input array, and the lower-order bits are stored as the index becomes larger. The bit length of both dividend and divisor is 24 bits each.

We deal with how to calculate (3) specifically. Since the mantissa is represented by omitting 1 immediately to the left of the decimal point which is the largest digit, in order to perform division correctly, the omitted bits should be restored before starting the division operation. To do this, the size of the ciphertext arrays indicating both the dividend and divisor is increased by one each, and we place an encoding of 1 to the highest position (i.e., the zeroth index). Then, division is performed through R_DIV (). The result is a 25-bit quotient. In this case, if the bit value of the highest position is 1, the next 23 bits are stored in the resultant fraction. Otherwise, the value of the second digit is 1 because the division quotient range is (0.5, 2). Therefore, the subsequent 23 bits are stored in the fraction part. If so, the value of exponent must be decreased by one. Figure 27 shows an example of the case where the left part of the decimal point becomes zero in the fraction part of the division result. The steps to be performed is shown in the figure. The details of (3) is shown in Figure 28.

4.3.4. Comparison and Equality Check

The comparison operation can be done using the COMP() circuit described in Figure 5(B), using the bitwise concatenation results of all of the sign, exponent, and fraction ciphertext arrays in both values to be compared as inputs. IEEE 754 standard exactly uses the same approach to compare the floating-point numbers. The process of comparing two numbers can be expressed as shown in Figure 29.

The equality can be easily checked as they are represented using bits. Two values are treated the same only if they have the same bits.

4.4. Discussion on the Differences between the Implementation of Two Methods

The differences between the implementation of the two methods can be summarized as follows. First, in the operation with exponent values, the HEAAN-based method can reduce the number of operations by using the SIMD operation, but the TFHE-based method must perform operations in bit units, which requires large number of TFHE operations.

Second, the HEAAN-based implementation can implement the operations for dealing with the mantissa part with a small number of HEAAN operations using arithmetic operation provided by HEAAN, but in TFHE-based method, the operation must be processed for each bit of mantissa, which also requires a large number of TFHE operations.

In the above two cases, the HEAAN-based method seems to be dominant, but HEAAN requires bootstrapping when it needs complex arithmetic with their floating point representations: especially when it needs calculation of more than a predetermined multiplication depth. In this case, HEAAN needs a lot of computation resources. Thus, it will be much slower than the TFHE-based method.

5. Performance Evaluation

In this section, we compare the performance of the two encrypted floating-point values’ representations proposed in this paper. The first subsection deals with the performance on various exponent bits. Then, we discuss the effect of the length of mantissa bits in the next subsection. Before showing the details of experiments, we provide the complexity analysis result of the operations in terms of the required multiplication operation on each FHE in Table 1. Because of the SIMD operation supported, HEAAN requires less number of multiplication operations. However, some operations which require heavy multiplication depth such as division need bootstrapping operation in HEAAN, which causes heavy delay.

5.1. Experiment on Various Exponent Bits

We measured the execution time of the operations on both methods on various exponent bits. The environment used is as shown in Table 2. The performance of the E-KSA(), COMP(), and MinMax() modules used to implement the operations in each representation is compared in Figure 30. Since HEAAN uses them only to deal with the exponent bits, we measure the execution time of the modules in processing only exponent bits in the TFHE case, for fair comparison. In order to show the performance change according to the bit length of the exponent, we measure the execution time with the exponent bit lengths of 2, 4, and 8 cases, respectively. The results are shown in the figure below. As shown in the figure, when bitwise operation is implemented in HEEAN, it takes more time than TFHE because it requires to perform interslot calculation. However, in the case of TFHE, the longer the bit length, the longer the execution time, but HEAAN is not.

Next, we compare the performance of arithmetic operations. Figure 31 shows the comparison of execution time of arithmetic operations. We can say the HEAAN-based method is superior to the TFHE-based one in terms of the speed of the arithmetic operations because the operations that should be done between the fraction parts of both operands can be executed more efficiently than the TFHE. One peculiar point is that the addition/subtraction operation is the slowest. This is due to the nature of the FHE operation. In the case of addition, the addition operation of the fraction part must be performed after the exponent has been adjusted. However, in the case of operations on data encrypted with FHE, since the exponent parts are also encrypted, we cannot make both encrypted operands have the same exponents. Therefore, the actual operation is performed by performing the operation of the fraction part for all possible exponent values and selecting the result only when the exponent values of the two operands match. Therefore, since the number of combinations of all possible exponents of both operands is large, the addition/subtraction operation takes the longest.

Figure 32 compares the performance of size comparison and equivalence operations. Since the comparison operation takes too long when the exponent is 8 bits, the experiment is performed only on 2-bit and 4-bit exponents. In this case, the HEAAN-based method consumes too many multiply operation depths for comparison operations, resulting in poor performance due to the large number of bootstrapping. Finally, we compare the execution time of the equality check operation. We can confirm that TFHE is five times faster because of the inefficiency of the equality check operation between HEAAN ciphertexts.

5.2. Experiments on Various Mantissa Bits

Experiments with various mantissa bit lengths are presented in this subsection. The experimental environment is shown in Table 3. According to the developers of the libraries, both libraries offer 128-bit security in this setting. The experimental results are shown in Table 4 below. In order to provide mantissas of various bit lengths in the HEAAN-based method, we adjusted the “quantize-bit” parameter value in HEAAN. In each slot of the HEAAN ciphertext, there is a plaintext value and the noise which is attached to the plaintext value during encryption or arithmetic operations. The quantize-bit defines the bit length of those combined values. Since the bit length of noise added during encryption is at most five with a very high probability, which is around (1 − 3 ∗ 10⁻⁷) (this refers to Pr[μ-5σ<X<μ+5σ], where X is a random variable of standard normal distribution with parameter (μ , σ); the σ value used in HEAAN is 3.2), we set the quantize bit as the bit length of the mantissa bit plus five. The quantize bit values used are shown as p-bit in Table 4.

From Table 4, we can see that the comparison operation is much faster in the TFHE-based method than in the HEAAN-based implementation. However, in the multiplication operation, HEAAN-based method is better than TFHE in terms of the required time. Regarding the other operations, HEAAN seems better. However, as the exponent bit length is longer, the gap of the performance will be reduced because more multiplication depth is necessary, so bootstrapping may be needed in the HEAAN-based implementation. Thus, it is estimated that TFHE-based method might be better if the exponent bit is above a certain threshold.

5.3. Experiment on Precision in the HEAAN-Based Method

To verify the precision of the HEAAN-based method, we conducted the following experiment. After selecting two random float-type values, they were multiplied by each other, and then another random float-type number was selected and multiplied by the previous result of multiplication. This process was repeated 10 times. We performed this process using only plaintext and performed the same process with the encrypted values generated with HEAAN-based method. We decrypt the result of multiplication in each step and compare it with the result of multiplication with the plaintexts. To measure the error of calculation, we used the following formula: |(multiplication result with plaintexts)−(multiplication result with HEAAN ciphertexts)| |(multiplication result with plaintexts)|. It means the relative error of calculation. The measurement results are shown in Table 5 below. Since 2⁻²³ is around 1.192E-7, we can say the error generated by the multiplication on two HEAAN-based encrypted floating-point representations is small enough compared to the errors generated by the multiplication on float-type values.

6. Conclusion

In this paper, we have proposed a new encrypted floating-point number representation method that supports full arithmetic and comparison operations and is able to represent a real number whose range is very similar to that supported by the IEEE 754 standard. Our representation has been implemented on two recent FHE schemes, HEAAN and TFHE, to demonstrate the feasibility of the proposed method. We hope the proposed representation will be applied to the privacy-preserving applications where the floating point numbers are used in common, such as the machine learning with private data.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korean government (MSIT) (No. 2019R1A2C4069769).

References

S. Chhertri, N. Rashid, S. Faezi et al., “Security trends and advances in manufacturing systems in the era of industry 4.0,” in Proceedings of the 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), Irvine, CA, USA, November 2017.
View at: Publisher Site | Google Scholar
J. Campos, P. Sharma, E. Jantunen, D. Baglee, and L. Fumagalli, “The challenges of cybersecurity frameworks to protect data required for the development of advanced maintenance,” Procedia CIRP, vol. 47, p. 227, 2016.
View at: Publisher Site | Google Scholar
C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the 41st annual ACM symposium on Symposium on theory of computing—STOC’09, pp. 169–178, Bethesda, MA, USA, May–June 2009.
View at: Publisher Site | Google Scholar
L. Ducas and D. Micciancio, “FHEW: bootstrapping homomorphic encryption in less than a second,” in Advances in Cryptology–Eurocrypt 2015, pp. 617–640, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
S. Halevi and V. Shoup, “Bootstrapping for HElib,” in Eurocrypt’15, pp. 641–670, Springer, Heidelberg, Germany, 2015.
View at: Publisher Site | Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) $\mathsf{LWE}$,” SIAM Journal on Computing, vol. 43, no. 2, pp. 831–871, 2014.
View at: Publisher Site | Google Scholar
K. Lauter, M. Naehrig, and V. Vaikuntanathan, “Can homomorphic encryption be practical?” in Proceedings of the 3rd ACM workshop on Cloud Computing Security Workshop—CCSW’11, pp. 113–124, Chicago, IL, USA, October 2011.
View at: Publisher Site | Google Scholar
M. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” Eurocrypt 2010, LNCS, vol. 6110, Springer, Heidelberg, Germany, 2010.
View at: Google Scholar
I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, in “Faster Fully Homomorphic Encryption: Bootstrapping in Less than 0.1 Seconds,” in Asiacrypt 2016, pp. 3–33, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site
H. Chen, K. Laine, and R. Player, “Simple encrypted arithmetic library—SEAL v2.1,” in Financial Cryptograph and Data Security, Springer, Heidelberg, Germany, 2017.
View at: Publisher Site | Google Scholar
C. Gentry, S. Halevi, and N. P. Smart, “Homomorphic evaluation of the AES circuit,” Lecture Notes in Computer Science, vol. 12, no. 7417, pp. 850–867, 2012.
View at: Publisher Site | Google Scholar
S. Halevi and V. Shoup, “Algorithms in HElib,” in Crypto’14, vol. 8616, Springer, Heidelberg, Germany, 2014.
View at: Google Scholar
C. Z. Janikow and Z. Michalewicz, “An experimental comparison of binary and floating point representations in genetic algorithms,” in Proceedings of the ICGA’91, pp. 31–36, San Diego, Calif, USA, July 1991, http://www.cs.umsl.edu/~janikow/publications/1991/GAbin/text.pdf.
View at: Google Scholar
J. H. Cheon, A. Kim, M. Kim, and Y. Song, “Homomorphic encryption for arithmetic of approximate numbers,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’17), pp. 409–437, Hong Kong, China, December 2017.
View at: Google Scholar
G. David, “What every computer scientist should know about floating-point arithmetic,” ACM Computing Surveys, vol. 23, no. 1, pp. 5–48, 1992.
View at: Google Scholar
J. H. Cheon, K. Han, A. Kim, M. Kim, and Y. Song, “Bootstrapping for approximate homomorphic encryption,” in Proceedings of the 2018 Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’18), pp. 306–384, Aarhus, Denmark, May 2018.
View at: Google Scholar
J. H. Cheon, K. Han, S.-M. Hong et al., “Toward a secure drone system: flying with real-time homomorphic authenticated encryption,” IEEE Access, vol. 6, pp. 24325–24339, 2018.
View at: Publisher Site | Google Scholar
K. Han, S. Hong, J. Cheon, and D. Park, “Logistic regression on homomorphic encrypted data at scale,” in Proceedings of the 31st Annual Conference on Innovative Applications of Artificial Intelligence (IAAI-19), Anaheim, CA, USA, July 2019, https://aaai.org/Conferences/AAAI-19/iaai-19/.
View at: Google Scholar
I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE,” in Advances in Cryptology—ASIACRYPT 2017, vol. 10624, pp. 377–408, Springer, Heidelberg, Germany, 2017.
View at: Publisher Site | Google Scholar
C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based,” in CRYPTO’13, vol. 8042, pp. 75–92, Springer, Heidelberg, Germany, 2013.
View at: Google Scholar
S. Arita and S. Nakasato, “Fully homomorphic encryption for point numbers,” in Proceedings of the 12th International Conference, Information Security Practice and Experience (ISPEC) 2016, vol. 10143, pp. 253–270, Zhangjiajie, China, November 2016.
View at: Google Scholar
J. Fan and F. Vercauteren, “Somewhat practical fully homomorphic encryption,” IACR Cryptology ePrint Archive, vol. 2012, p. 144, 2012, https://eprint.iacr.org/2012/144.
View at: Google Scholar
T. Zhu, X. Zou, and J. Pan, “Query with SUM aggregate function on encrypted floating-point numbers in cloud,” Journal of Information Processing Systems (JIPS), vol. 13, no. 3, pp. 573–589, 2017.
View at: Publisher Site | Google Scholar
P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Proceedings of the 18th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT) 1999, pp. 223–238, Prague, Czech Republic, May 1999.
View at: Publisher Site | Google Scholar
A. Jaschke and F. Armknecht, “Accelerating homomorphic computations on rational numbers,” in Proceedings of the Applied Cryptography and Network Security (ACNS) 14th International Conference, pp. 19–22, Guildford, UK, June 2016.
View at: Google Scholar
S. Arita and S. Nakasato, “Fully homomorphic encryption for point numbers,” in Proceedings of the International Conference on Information Security and Cryptology, pp. 253–270, Springer, Seoul, Korea, December 2016.
View at: Google Scholar
N. Dowlin, R. Gilad-Bachrach, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing, “Manual for using homomorphic encryption for bioinformatics,” Proceedings of the IEEE, vol. 105, no. 3, 2017.
View at: Publisher Site | Google Scholar
K. Seo, P. Kim, and Y. Lee, “Implementation and performance enhancement of arithmetic adder for fully homomorphic encrypted data,” Journal of the Korea Institute of Information Security & Cryptography, vol. 27, no. 3, pp. 413–426, 2017.
View at: Google Scholar
P. M. Kogge and H. S. Stone, “A parallel algorithm for the efficient solution of a general class of recurrence equations,” IEEE Transactions on Computers, vol. C-22, no. 8, pp. 786–793, 1973.
View at: Publisher Site | Google Scholar
J. Cheon, D. Kim, D. Kim, H. H. Lee, and K. Lee, “Numerical method for comparison on homomorphically encrypted numbers,” IACR Eprint Archive, Springer, Heidelberg, Germany, 2019, https://eprint.iacr.org/2019/417.
View at: Publisher Site | Google Scholar
S. Kaur, M. Singh, and R. Agarwal, “Vhdl implementation of non-restoring division algorithm using high speed adder/subtractor,” International Journal of Advanced Research in Electrical, Electronics and Instrumentation Engineering, vol. 2, pp. 3317–3324, 2013, https://www.researchgate.net/publication/250612202_VHDL_Implementation_of_Non_Restoring_Division_Algorithm_Using_High_Speed_AdderSubtractor.
View at: Google Scholar
M. J. Flynn, “On division by functional iteration,” IEEE Transactions on Computers, vol. C-19, no. 8, pp. 702–706, 1970.
View at: Publisher Site | Google Scholar
C. Burnikel and J. Ziegler, “Fast recursive division,” Tech. Rep., Max–Planck–Institut für Informatik, Saarbrücken, Germany, 1998, Research Report Max-Planck-Institut fuer Informatik Research Report MPI-I-98-1-022.
View at: Google Scholar

Copyright

Copyright © 2020 Subin Moon and Younho Lee. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

3577

Downloads

1499

Citations

Security and Communication Networks

An Efficient Encrypted Floating-Point Representation Using HEAAN and TFHE

Abstract

1. Introduction

2. Preliminary

2.1. IEEE 754 Floating-Point Representation

2.2. Fully Homomorphic Encryption (FHE)

2.2.1. HEAAN

2.2.2. TFHE

2.2.3. An Overview for the Ciphertext Structures and Operations

3. Related Work and System Model

3.1. Related Work

3.2. System Model

4. Proposed Approach

4.1. Building Blocks

4.1.1. Kogge–Stone Adder (KSA)

4.1.2. Comparator (COMP) Module

4.2. HEAAN-Based Method

4.2.1. Addition/Subtraction

4.2.2. Multiplication

4.2.3. Comparison

4.2.4. Division

4.3. TFHE-Based Method

4.3.1. Addition/Subtraction

4.3.2. Multiplication

4.3.3. Division

4.3.4. Comparison and Equality Check

4.4. Discussion on the Differences between the Implementation of Two Methods

5. Performance Evaluation

5.1. Experiment on Various Exponent Bits

5.2. Experiments on Various Mantissa Bits

5.3. Experiment on Precision in the HEAAN-Based Method

6. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright