Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
HOMOMORPHIC ENCRYPTION WITH OPTIMIZED PARAMETER SELECTION
Document Type and Number:
WIPO Patent Application WO/2017/079237
Kind Code:
A1
Abstract:
The techniques and/or systems described herein are directed to improvements in homomorphic encryption to improve processing speed and storage requirements. For example, the techniques and/or systems can be used on a client device to encode data to be sent to a remote server, to be operated on while maintaining confidentiality of data. The encoding scheme can be optimized by automatically selecting one or more parameters using an error growth simulator based on an actual program that operates on the encoded data. For example, the simulator can be used iteratively to determine an optimized parameter set which allows for improved homomorphic operations while maintaining security and confidentiality of a user's data.

Inventors:
LAINE KIM (US)
DOWLIN NATHAN (US)
GILAD-BACHRACH RAN (US)
NAEHRIG MICHAEL (US)
WERNSING JOHN (US)
LAUTER KRISTIN E (US)
Application Number:
PCT/US2016/060038
Publication Date:
May 11, 2017
Filing Date:
November 02, 2016
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
MICROSOFT TECHNOLOGY LICENSING LLC (US)
International Classes:
G06F7/483; G09C1/00; H04L9/00
Other References:
SHAI HALEVI ET AL: "Design and Implementation of a Homomorphic-Encryption Library Contents", 30 November 2012 (2012-11-30), XP055345636, Retrieved from the Internet
ZVIKA BRAKERSKI ET AL: "(Leveled) Fully Homomorphic Encryption without Bootstrapping", ACM TRANSACTIONS ON COMPUTATION THEORY (TOCT), ACM, 2 PENN PLAZA, SUITE 701 NEW YORK NY 10121-0701 USA, vol. 6, no. 3, 1 July 2014 (2014-07-01), pages 1 - 36, XP058054966, ISSN: 1942-3454, DOI: 10.1145/2633600
CRAIG GENTRY ET AL: "Homomorphic Evaluation of the AES Circuit", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH,, vol. 20150103:190644, 3 January 2015 (2015-01-03), pages 1 - 35, XP061017378
MIRAN KIM ET AL: "Private Genome Analysis through Homomorphic Encryption", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH,, vol. 20151008:185005, 7 October 2015 (2015-10-07), pages 1 - 18, XP061019256, DOI: 10.1186/1472-6947-15-S5-S3
Attorney, Agent or Firm:
MINHAS, Sandip et al. (US)
Download PDF:
Claims:
CLAIMS

1. A system comprising:

one or more processors; and

memory storing modules that, when executed by the one or more processors, cause the system to perform operations comprising:

receiving a sequence of operations including a plurality of homomorphic operations to be performed on at least one ciphertext;

running a simulation on the sequence of operations to determine an expected error in the at least one ciphertext;

generating at least one encoding parameter and at least one encrypting parameter based on a result of the simulation, wherein the generating includes automatically selecting the at least one encoding parameter and the at least one encrypting parameter to reduce a processing time or to reduce a memory requirement when the sequence of operations is implemented on homomorphically encrypted data; and

transmitting the at least one encoding parameter and the at least one encrypting parameter via a network to a computing device.

2. The system of claim 1, wherein the operations further comprise:

determining that the expected error in the at least one ciphertext is above a threshold; and

generating at least one updated encoding parameter or at least one updated encrypting parameter based on the expected error.

3. The system of claims 1 or 2, wherein the operations further comprise determining a length N of a polynomial for encoding data as a polynomial, wherein the at least one encoding parameter includes the length N of the polynomial.

4. The system of any one of claims 1 through 3, wherein the operations further comprise determining a decomposition bit count W for encrypting an encoded polynomial as the at least one ciphertext, wherein the at least one encrypting parameter includes the decomposition bit count W.

5. The system of any one of claims 1 through 4, wherein the plurality of homomorphic operations include at least one of addition, subtraction, multiplication, or division.

6. The system of any one of claims 1 through 5, wherein the at least one ciphertext is a first ciphertext, and wherein the operations further comprise receiving a second ciphertext via a network from a computing device, the second ciphertext including data having been encoded using the at least one encoding parameter and the second ciphertext having been encrypted using the at least one encrypting parameter.

7. The system of claims 1 or 2, wherein the operations further comprise:

determining a length N of a polynomial for encoding data as a polynomial, wherein the length N of the polynomial is selected as a lower-bound length;

determining a decomposition bit count W for encrypting the polynomial as the at least one ciphertext, wherein the decomposition bit count Wis selected as an upper-bound size, wherein the running the simulation on the sequence of operations to determine the expected error in the at least one ciphertext includes using the length N of the polynomial and the decomposition bit count W;

determining that the expected error is above an error threshold; and

determining an updated decomposition bit count W wherein the updated decomposition bit count W' is smaller than the decomposition bit count W.

8. The system of claim 7, wherein the operations further comprise running an updated simulation using the length N of the polynomial and the updated decomposition bit count W' to determine an updated expected error of the at least one ciphertext.

9. A computer-implemented method for simulating homomorphic operations to generate operating parameters, the computer-implemented method performed by at least one processor, and the computer-implemented method comprising:

receiving a sequence of operations including a plurality of homomorphic operations to be performed on at least one ciphertext;

running a simulation on the sequence of operations to determine an expected error in the at least one ciphertext;

generating at least one encoding parameter or at least one encrypting parameter based on a result of the simulation, wherein the generating includes automatically selecting the at least one encoding parameter or the at least one encrypting parameter to reduce a processing time or to reduce a memory requirement when the sequence of operations is implemented on homomorphically encrypted data; and

transmitting the at least one encoding parameter or the at least one encrypting parameter via a network to a computing device.

10. The computer-implemented method of claim 9, further comprising:

determining that the expected error in the at least one ciphertext is above a threshold; and generating at least one updated encoding parameter or at least one updated encrypting parameter based on the expected error.

11. The computer-implemented method of claims 9 or 10, wherein the operations further comprise determining a length N of a polynomial for encoding data as an encoded polynomial, wherein the at least one encoding parameter includes the length N of the polynomial.

12. The computer-implemented method of any one of claims 9 through 11, wherein the operations further comprise determining a decomposition bit count W for encrypting an encoded polynomial as the at least one ciphertext, wherein the at least one encrypting parameter includes the decomposition bit count W.

13. The computer-implemented method of any one of claims 9 through 12, wherein the at least one encoding parameter includes at least one parameter indicating that encoding a real number in a polynomial includes slot encoding.

14. The computer-implemented method of claim 9, wherein the operations further comprise:

determining a length N of a polynomial for encoding data as a polynomial, wherein the length N of the polynomial is selected as a lower-bound length;

determining a decomposition bit count W for encrypting the polynomial as the at least one ciphertext, wherein the decomposition bit count JF is selected as an upper-bound size, wherein the running the simulation on the sequence of operations to determine the expected error in the at least one ciphertext includes using the length N of the polynomial and the decomposition bit count W;

determining that the expected error is above an error threshold; and

determining an updated decomposition bit count W, wherein the updated decomposition bit count W is smaller than the decomposition bit count W.

15. The computer-implemented method of claim 14, wherein the operations further comprise running an updated simulation using the length N of the polynomial and the updated decomposition bit count W to determine an updated expected error of the at least one ciphertext.

Description:
HOMOMORPHIC ENCRYPTION WITH OPTIMIZED PARAMETER

SELECTION

BACKGROUND

[0001] The development of cloud storage and services has allowed users to offload and/or outsource both storage of their data and associated computations on that data. As a result, businesses can choose to forego the expensive proposition of maintaining their own data centers, relying instead on cloud storage and computational services. In addition to storing data in remote servers, computations can be performed in remote servers as well.

[0002] Maintaining data confidentiality is an especially important concern for storing data and performing computations on data in remote servers. Encryption schemes represent one form of technology directed towards securing data when stored in memory, when operated on, and/or transmitted over networks.

SUMMARY

[0003] The techniques and/or systems described herein are directed to improvements in homomorphic encryption to improve processing speed and storage requirements. For example, the techniques and/or systems can be used on a client device to encode and/or encrypt data to be sent to a remote server, to be operated on while maintaining confidentiality of data. The encoding and/or encrypting scheme can be optimized by automatically selecting one or more parameters using an error growth simulator based on an actual program that operates on the encoded and/or encrypted data, thereby improving practicality and ease-of-use.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference number in different figures indicates similar or identical items.

[0005] FIG. 1 illustrates an example environment for managing secure computations on encrypted data.

[0006] FIG. 2 illustrates an example process for managing secure computations on encrypted data.

[0007] FIG. 3 illustrates an example process for encoding fractional parts of real numbers. [0008] FIG. 4 illustrates another example process for encoding fractional parts of real numbers.

[0009] FIG. 5 illustrates an example process for encoding numbers using a fractional base.

[0010] FIG. 6 illustrates an example process for encoding numbers in a balanced odd base.

[0011] FIG. 7 illustrates an example process for encoding numbers using slot encoding.

[0012] FIG. 8 illustrates an example service provider for automatically selecting parameters using an error growth simulator.

[0013] FIG. 9 illustrates an example process for automatically selecting parameters using an error growth simulator.

[0014] FIG. 10 illustrates another example process for automatically selecting parameters using an error growth simulator.

DETAILED DESCRIPTION

[0015] The techniques and/or systems described herein provide homomorphic encryption with optimized encodings and parameter selection. The optimized encodings and parameter selection can be provided by encoding a fractional part of real numbers in high order coefficients, by encoding a number using a small fractional base to get efficient approximate arithmetic, by encoding numbers in balanced odd base b, with each base-b term encoded as a coefficient of a plaintext polynomial, by using slot encoding to manage coefficient growth in homomorphic operations, and/or by providing automatic parameter selection using an error growth simulator. The techniques and/or systems described herein may be used in fully homomorphic encryption, partial homomorphic encryption, and practical homomorphic encryption.

[0016] Fully Homomorphic Encryption (FHE) refers to an encryption scheme that allows an untrusted server to execute arbitrary computation on encrypted data on behalf of a computing device often referred to as a client. Solutions for constructing an FHE scheme can incur significant costs due to a reliance on certain mathematical concepts (e.g., ideal lattices) to evaluate any function on encrypted data. In practice, these constructions can be improved using techniques, such as those related to batch-wise or bit-wise encryption, but often remain unworkable for a number of reasons, for example, necessitating deep circuits, such as those based on symmetric encryption standards, and/or substantial storage space to process ciphertexts. While some FHE constructions are capable of computing block ciphers homomorphically, evaluating a single block using these constructions can be several orders of magnitude slower in terms of throughput and latency when compared to evaluating a single block non-homomorphically.

[0017] The techniques and/or systems described herein can improve a functioning of a computing device by reducing an amount of processing and/or by reducing an amount of memory required for performing computations on encrypted data. For example, the encoding techniques discussed herein can reduce a number of scaling factors and the computational overhead of tracking and applying the scaling factors throughout computations. Further, the encoding techniques can improve processing by obviating a need to perform any "bootstrapping" operations, which otherwise would be a huge computational burden to reformulate data during computations to remove noise. The techniques and/or systems discussed herein can improve the functioning of a computer and/or a network by improving the security of the data transmitted, operated on, and stored in a network. For example, the techniques described herein can allow encrypted data to be transmitted, operated on, and a result can be obtained, all without requiring the data to be decrypted or decoded on a remote server, thereby ensuring a confidentiality of the data. Further, the techniques and/or systems described herein allow clients to outsource computations to a network computer when a client does not have all the data required to run an algorithm.

[0018] Also, the techniques and/or systems discussed herein improve the functioning of machine learning algorithms because the confidentiality afforded by using homomorphic encryption encourages more users to use algorithms, which in turn, allows algorithms to operate on wider data sets, thereby improving the accuracy of various prediction algorithms. Relative to non-optimized homomorphic encrypting using bitwise encryption, the encoding techniques discussed herein can decrease the size of data that needs to be transmitted over a network, thereby reducing congestion in a network, and further reducing an amount of processing required by components of the network. The optimization techniques and/or systems discussed herein further generate parameters which improves the functioning of a computing device by providing optimized parameters to reduce processing time and memory requirements.

[0019] Various examples for implementing homomorphic encryption using optimized encoding and parameter selection are described herein with reference to FIGS. 1-10.

[0020] FIG. 1 illustrates an example environment 100 that is usable to implement the techniques and/or systems associated with the homomorphic encryption scheme described herein. The environment 100 includes computing device(s) 102 having processor(s) 104 and a memory 106 including an encoding/encrypting module 108 and a decoding/decrypting module 110. In various embodiments, the encoding/encrypting module 108 can include one or more programs or hardware that operates to encode and/or encrypt data in a scheme for secure remote computation. The environment 100 also includes service provider(s) 112 to provide one or more services to the computing device 102, such as the secure remote computing. To that end, the service provider 112 can include processor(s) 114 and a memory 116 including a parameter selection module 118 and a computation module 120 provide the secure remote computing, which is explained in connection with the figures provided in this disclosure.

[0021] The computing device 102 can include, but is not limited to, any one of a variety of computing devices, such as a smart phone, a mobile phone, a personal digital assistant (PDA), an electronic book device, a laptop computer, a desktop computer, a tablet computer, a portable computer, a gaming device, a personal media player device, a server computer, a wearable device, or any other electronic device.

[0022] As introduced above, the computing device 102 can include one or more processor(s) 104 and memory 106. The processor(s) 104 can be a single processing unit or a number of units, each of which could include multiple different processing units. The processor(s) 104 can include one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units (CPUs), graphics processing units (GPUs), security processors (e.g., secure cryptoprocessors), and/or other processors. Alternatively, or in addition, some or all of the techniques described herein can be performed, at least in part, by one or more hardware logic components. For example, and without limitation, illustrative types of hardware logic components that can be used include Field-Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), Application-Specific Standard Products (ASSPs), state machines, Complex Programmable Logic Devices (CPLDs), other logic circuitry, systems on chips (SoCs), and/or any other devices that perform operations based on software and/or hardware coded instructions. Among other capabilities, the processor(s) 104 can be configured to fetch and/or execute computer-readable instructions stored in the memory 106.

[0023] The memory 106 can include one or a combination of computer-readable media. As used herein, "computer-readable media" includes computer storage media and communication media. [0024] Computer storage media includes volatile and non-volatile, removable and nonremovable media implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, Phase Change Memory (PCM), Static Random-Access Memory (SRAM), Dynamic Random-Access Memory (DRAM), other types of Random-Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable ROM (EEPROM), flash memory or other memory technology, Compact Disc ROM (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store information for access by a computing device.

[0025] In contrast, communication media includes computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave. As defined herein, computer storage media does not include communication media.

[0026] In various embodiments, the computing device 102 can communicate with the service provider 112 via one or more wired or wireless networks 122, such as the Internet, a Mobile Telephone Network (MTN), or other various communication technologies.

[0027] In various embodiments, the memory 106 can include an operating system configured to manage hardware and services within and coupled to the computing device 102 for the benefit of other components and other devices.

[0028] The encoding/encrypting module 108 and the decoding/decrypting module 110 can include hardware and/or software components. For example, the encoding/encrypting module 108 and/or the decoding/decrypting module 110 can be implemented by one or more modules stored in the memory 106 and/or by one or more components of the processor(s) 104. As used herein, the term "module" is intended to represent example divisions of software and/or firmware for purposes of discussion, and is not intended to represent any type of requirement or required method, manner or organization. Accordingly, while various "modules" are discussed, their functionality and/or similar functionality could be arranged differently (e.g., combined into a fewer number of modules, broken into a larger number of modules, etc.). Further, while certain functions are described herein as being implemented as software modules configured for execution by a processor, in other embodiments, any or all of the functions can be implemented (e.g., performed) in whole or in part by hardware logic components, such as FPGAs, ASICs, ASSPs, state machines, CPLDs, other logic circuitry, SoCs, and so on.

[0029] The encoding/encrypting module 108 can perform operations to encode and/or encrypt data in accordance with embodiments of the disclosure. For example, the encoding/encrypting module 108 can utilize parameters generated by the service provider 112 to encode data using the techniques disclosed herein. Further, the encoding/encrypting module 108 can generate a public key based at least in part on the parameters generated by the service provider 112 to encrypt the encoded data.

[0030] The decoding/decrypting module 110 can perform operations to decrypt and/or decode data in accordance with embodiments of the disclosure. For example, the decoding/decrypting module 110 can utilize parameters generated by the service provider 112 to generate a secret key for decrypting the encrypted data. Further, the decoding/decrypting module 110 can decode the decrypted data to obtain a plaintext result.

[0031] The service provider 112 can include one or more computing devices, such as one or more desktop computers, laptop computers, servers, and the like. The one or more computing devices can be configured in a cluster, data center, cloud computing environment, or a combination thereof. In one example, the one or more computing devices provide cloud computing resources, including computational resources, storage resources, and the like, that operate remotely from the computing device 102.

[0032] The one or more computing devices of the service provider 112 can include one or more processor(s) 114 and memory 116. The one or more processor(s) 114 can comprise a single processing unit or a number of units, each of which could include multiple different processing units. The one or more processor(s) 114 can include, for example, one or more microprocessors, microcomputers, microcontrollers, digital signal processors, CPUs, GPUs, security processors (e.g., secure cryptoprocessors), etc.

[0033] The memory 116 can include a parameter selection module 118 for automatically selecting parameters using an error growth simulator. For example, the parameter selection module 118 can receive a program, sequence, or series of operations from the computing device 102, for example, to perform on homomorphically encrypted data. As described below in connection with FIGS. 2 and 8-10, the parameter selection module 118 can operate a program to determine operating parameters such as a plaintext modulus T, a length N of a polynomial, a modulus Q, a standard deviation of error σ, a decomposition bit count W, a base B for encoding integers or real numbers into plaintext polynomials, a desired security level, an allowable error level, and the like. After parameters are generated and/or selected by the parameter selection module 118, the parameters can be transmitted to the computing device 102, to be used by the encoding/encrypting module 108 and/or by the decoding/decrypting module 110.

[0034] The memory 116 can also include a computation module 120 to perform computations on encoded data received from the computing device 102. For example, the computation module 120 can be a program such as a machine learning program, a prediction engine, an image analysis program, a financial program, or any other program that performs calculations on encrypted data. For example, the computation module 120 can include a tax preparation program, and can receive tax and financial data encoded by the encoding/encrypting module 108. In another example, the computation module 120 can include a genomic data analysis program to perform predictive analysis on genomic data encoded and/or encrypted by the encoding/encrypting module 108. As can be understood in the context of this disclosure, the computation module 120 can include any program, computation, or operation that can be performed on data. In various embodiments, the computation module 120 can perform computations on the received encoded and/or encrypted data and can generate an encoded and/or encrypted result, which can be transmitted to the computing device 102 for decryption and/or decoding by the decoding/decrypting module 110.

[0035] The environment 100 also includes one or more users 124 to employ the computing device 102. The one or more users 124 can interact with the computing device 102 to perform a variety of operations.

[0036] The example processes (e.g., in FIGS. 2-7, 9, and 10) are illustrated as logical flow graphs, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, configure a device to perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the process. Further, any of the individual operations can be omitted. [0037] FIG. 2 illustrates an example process 200 for managing secure computations on encrypted data, according to one example implementation. By way of example, the process 200 can be performed by and between computing device(s) 202 and service provider(s) 204, which can correspond to the computing device 102 and the service provider 112 in FIG. 1.

[0038] At 206, the service provider 204 can generate encoding and/or encrypting parameters using the parameter selection module 118, for example, of FIG. 1. In some embodiments, the service provider 204 generates the encoding and encrypting parameters in response to a request from the computing device 102. By way of example, the encoding and encrypting parameters can include, but are not limited to, a plaintext modulus T, a length N of a polynomial, a modulus Q, a standard deviation of error σ, a decomposition bit count W, a base B, a desired security level, an allowable error level, whether to use slot encoding, etc. Further details of generating the encoding and encrypting parameters are provided below in connection with FIGS. 8-10.

[0039] At 208, the encoding and encrypting parameters can be transmitted to the computing device 202. In some embodiments, the parameters 208 can be encrypted using a public key associated with the computing device 202, to further ensure the security of the data processing.

[0040] The computing device 202 can receive the parameters 208, and at 210 can use the encoding parameters to encode data as a plaintext polynomial. Further details of encoding data as a plaintext polynomial are discussed in connection with FIGS. 3-7, for example.

[0041] At 212, the data encoded in operation 210 is encrypted as a ciphertext, based at least in part on the parameters generated by the service provider 204. Because the data is encoded and encrypted by the computing device 202, the security and confidentiality of the data is preserved. In some embodiments, the operation 212 can include generating a public key for encrypting the encoded data, and a private key for decrypting the encrypted data. As can be understood in the context of this disclosure, the public and private keys can be generated at least in part based on the encoding and encrypting parameters generated in by the service provider 204 in operation 206.

[0042] At 214, the ciphertext is transmitted to the service provider 204. After the ciphertext is received by the service provider 204, at operation 216, computations can be performed on the ciphertext. As can be understood in the context of this disclosure, computations to be performed on the ciphertext can be determined by a program running on the service provider 204, and can include, but is not limited to, an image analysis process, a genomic analysis algorithm, a prediction algorithm, financial transactions, etc. Further, because of the process of encoding and encrypting the data, the computations can be performed on the data without decoding or decrypting the data. That is to say, homomorphic operations applied to the encoded and encrypted data can correspond to operations performed on the underlying data, without revealing any information about the contents of the data to the service provider 204. In some embodiments, computations can include addition, subtraction, multiplication, and/or division.

[0043] At 218, an encoded and encrypted result is generated by the service provider 204. As discussed above, a result can be generated without decoding or decrypting the data, which therefore ensures the confidentiality of the data and the result of the operations. For example, if a prediction algorithm performs operations on encoded and encrypted data, the service provider 204 learns nothing about the prediction, other than the fact that operations were performed, which can correspond to a prediction.

[0044] At 220, an encoded and encrypted result is returned to the computing device 202, after which, the computing device 202 can use an associated secret key to decrypt and decode the result to obtain a plaintext result. In some embodiments, the secret key (and the public key, discussed above) can be based at least in part on the encoding and/or encrypting parameters received from the service provider 204, resulting in optimized homomorphic encryption. As may be understood in the context of this disclosure, a plurality of users may encrypt data using the public key, and contribute the data to a computation performed on the service provider 204, but only one user may have the secret key to decrypt any result from the service provider 204. In this manner, optimized computations can be performed remotely without revealing any information about a user's data.

[0045] FIG. 3 illustrates another example process 300 for encoding fractional parts of real numbers, according to one example implementation. In one embodiment, the process 300 can be performed by the encoding/encrypting module 108 in the computing device 102 of FIG. 1. However, processes can be performed in other environments and by other devices as well.

[0046] In general, the process 300 includes receiving data (as a real number) in operation 302, which is encoded as a polynomial in a message space of a homomorphic encryption scheme. This process is performed by the computing device (such as the computing device 102) on data to generate encoded data, which can be encrypted and transmitted to a service provider (such as the service provider 112), for computation. An encoded and/or encrypted result is generated by the computation module 120 without decrypting or decoding the data, and an encrypted and/or encoded result is returned to the computing device 102.

[0047] One advantage of the process 300 is that it can operate directly on real numbers (e.g., example 304, where a - 5.75 10 , indicating that the number 5.75 is written in base

10), instead of having to scale a real number (e.g., by multiplying by 10) such that the real number is converted to an integer. As the process 300 avoids this scaling, the process 300 reduces processing time and memory requirements, by not tracking a scaling factor associated with each piece of encoded data during computation in the homomorphic encryption scheme. Thus, process 300 improves the functioning of the computer by reducing processing and memory requirements while encoding, encrypting, performing computations, and while decrypting and/or decoding an encoded result.

[0048] At 306, the process 300 encodes the real number as an expanded polynomial. For example, in the example 308, the number 5.75 can be expressed in a binary expansion as 5.75 = x 2 + \ + x ~l + x ~2 , which when evaluated at x = 2 , give a result of 5.75.

[0049] At 310, the process 300 determines a size of an encoded polynomial. For example, this operation 310 can include receiving an encoding parameter determined by the parameter selection module 118. In some embodiments, the size of the encoded polynomial is determined by considering various factors, such as a desired level of security (i.e., larger polynomials are generally more secure), a desired number of operations (i.e., more operations can be performed on a larger polynomial), a desired processing time and/or memory resource requirement (i.e., larger polynomials generally require more processing time and/or memory requirements), etc. In example 312, a size of the encoded olynomial is determined and/or selected as « = 4096 . Thus, the

[0050] At 314, using the size of the encoded polynomial determined in operation 310, the process 300 wraps around the fractional coefficients as high-order coefficients. For example, the coefficients x ~l + x ~2 represent the fractional portion of the real number a = 5.75 10 . That is to say, x ~l + x ~2 returns the value of 0.75 when evaluated at x = 2 .

Instead of expressing these coefficients as low-order coefficients, these coefficients can be wrapped around to the high-order coefficients of the encoded polynomial, as illustrated in the example 316. In this wrap-around process, the coefficients x 1 + x 2 are wrapped to become , with the coefficients multiplied by -1 (negated). Thus, in this manner, the real number a - 5.75 10 can be encoded as a single polynomial without scaling the real number to be an integer. For further illustration, in example 316 the polynomial a = x 2 +\ + x ~l +x ~2 is mapped to the polynomial a = -jc 4095 -jc 4094 + 0jc 4093 + ... + 0jc 3 +JC 2 + 1 when the fractional coefficients are wrapped around as the high-order coefficients. As can be understood in the context of this disclosure, when the encoded and/or encrypted data is transmitted to the service provider 112 for computation in the computation module 120, the computation module 120 utilizes the combined polynomial encoding the real number to perform a secure computation. That is to say, the homomorphic encryption scheme understands the top coefficients represent the fractional portion of the real number, while bottom coefficients represent the integer portion of the real number.

[0051] FIG. 4 illustrates an example process 400 for encoding fractional parts of real numbers, according to one example implementation. In one embodiment, the process 400 can be performed by the encoding/encrypting module 108 in the computing device 102 of FIG. 1. However, processes can be performed in other environments and by other devices as well.

[0052] In general, the process 400 includes receiving data (as a real number) in operation 402, which is encoded as a polynomial in a message space of a homomorphic encryption scheme. This process is performed by the computing device (such as the computing device 102) on data to generate encoded data, which can be encrypted and transmitted to a service provider (such as the service provider 112), for computation. An encoded and/or encrypted result is generated by the computation module 120 without decrypting or decoding the data, and an encrypted and/or encoded result is returned to the computing device 102.

[0053] One advantage of the process 400 is that it can operate directly on real numbers (e.g., example 404, where a - 5.3 10 , indicating that the number 5.3 is written in base 10), instead of having to scale a real number (e.g., by multiplying by 10) such that the real number is converted to an integer. As the process 400 avoids this scaling, the process 400 reduces processing time and memory requirements, by not tracking a scaling factor associated with each piece of encoded data during computation in the homomorphic encryption scheme. Thus, process 400 improves the functioning of the computer by reducing processing and memory requirements while encoding, encrypting, performing computations, and while decrypting and/or decoding an encoded result.

[0054] At 406, the process 400 encodes the real number as an expanded polynomial.

For example, the number 5.3 = 101.010011 2 (indicating that 5.3 is represented as "101.010011" in base 2, with the "0011" pattern repeating indefinitely). Accordingly, the expanded polynomial for 5.3 can be written as shown in example 408, where 5.3 - x 2 + l + x ~2 + x ~5 + x ~6 + x ~9 + x ~10 + ... , x = 2 , which when evaluated at x = 2 gives a result of 5.3.

[0055] At 410, the process 400 determines a size of an encoded polynomial. For example, this operation 410 can include receiving one or more encoding parameters determined by the parameter selection module 118. In some embodiments, the size of the encoded polynomial is determined by considering various factors, such as a desired level of security (i.e., larger polynomials are generally more secure), a desired number of operations (i.e., more operations can be performed on a larger polynomial), a desired processing time and/or memory resource requirement (i.e., larger polynomials generally require more processing time and/or memory requirements), etc. In example 412, a size of the encoded polynomial is determined and/or selected as « = 4096 . Thus, the combined polynomial for the real number a can be expressed as: a = Ύ^^^'■

[0056] The operation 410 can further reserve coefficients for an integer part of the real number, can reserve coefficients for a fractional part of the real number, and can truncate the expansion of the polynomial. For example, for a polynomial of size ft = 4096 , the bottom 1000 coefficients (or any other number) may be reserved for an integer part of the real number, while the top 50 coefficients (or any other number) may be reserved for a fractional part of the real number. Further, in a polynomial encoding an infinite expansion (such as the "0011" repeating coefficients for the number 5.3 expressed in base 2), the fractional coefficients may be truncated depending on a level of precision and/or depending on the number of coefficients reserved for the top coefficients. In this example, the expansion of 5.3 = 101.010011 2 may be truncated after the first occurrence of the pattern "0011." In some embodiments, the number of coefficients reserved for the respective parts of the real number and/or a truncation/rounding may be determined by one or more encoding parameters determined by the parameter selection module 118. [0057] At 414, using the size of the encoded polynomial, reserved coefficients, and truncation determined in operation 410, the process 400 wraps around the fractional coefficients as high-order coefficients. For example, the coefficients x ~2 + x ~5 + x ~6 represent the fractional portion of the real number a = 5.3 10 . That is to say, x ~2 + x ~5 + x ~6 returns the value of 0.296875 when evaluated at x = 2 . In this example, the result is approximate due to the truncation in the operation 410. Instead of expressing these coefficients as low-order coefficients, these coefficients can be wrapped around to the high-order coefficients of the encoded polynomial, as illustrated in the example 416.

In this wrap-around process, the coefficients x ~2 + x ~5 + x "6 are wrapped to become - jc 4094 - x 4091 - jc 4090 , with the coefficients multiplied by -1 (negated). Thus, in this manner, the real number a - 5.3 10 can be encoded as a single polynomial without scaling the real number to be an integer. For further illustration, in the example 416 the polynomial a = x 2 + l + x ~2 + x ~5 + x ~6 is mapped to the polynomial a = -Ox 4095 - x 4094 - Ox 4093 - Ox 4092 - x 4091 - x 4090 + ... + Ox 3 + x 2 + Ox 1 + 1 when the fractional coefficients are wrapped around as the high-order coefficients. As can be understood in the context of this disclosure, when the encoded and/or encrypted data is transmitted to the service provider 112 for computation in the computation module 120, the computation module 120 utilizes the combined polynomial encoding the real number to perform a secure computation. That is to say, the homomorphic encryption scheme understands the top coefficients represent the fractional portion of the real number, while bottom coefficients represent the integer portion of the real number.

[0058] By way of example, the coefficients are reserved in the polynomial to define regions in the polynomial that represent a number during operations such as addition and multiplication. For example, when two polynomials are multiplied together (encoded as described in the process 400), the fractional part of the polynomial will grow "down" towards the bottom of the polynomial, and the integer portion of the polynomial will grow up towards the top of the polynomial as the integer portion grows bigger. The fractional part of the polynomial growing "down" is discarded when decoding. As an example of such discarding, in an example where two numbers representing heights of individuals are multiplied together (e.g., 1.75 m and 1.57 m), both of which heights have two digits of precision, the answer 2.7475 m 2 has a fractional part "growing down." However, this answer does not contain any real information past the precision of the inputs, and accordingly, the result can be rounded or truncated within the precision allowed (e.g., resulting in an answer of 2.75 m 2 or 2.74 m 2 , respectively). Thus, the fractional parts may be discarded in accordance with a precision or a set number of coefficients. In some embodiments, when performing multiplication on such encoded polynomials, the fractional part (growing down) and the integral part (growing up) can be constrained to not allow overlap, thereby preventing any corruption of information during operations.

[0059] FIG. 5 illustrates an example process 500 for encoding fractional parts of real numbers, according to one example implementation. In one embodiment, the process 500 can be performed by the encoding/encrypting module 108 in the computing device 102 of FIG. 1. However, processes can be performed in other environments and by other devices as well. Further, process 500 can be used either singularly or in combination with the various techniques and/or techniques discussed herein.

[0060] In general, the process 500 includes receiving data (as a real number) in operation 502. If appropriate, this number can be rounded and/or represented as an approximation. In some embodiments, a base encoding can be determined and/or selected according to the resolution required for rounding the data, and the determined base can be used to generate encoded data as a polynomial. This process 500 is performed by the computing device (such as the computing device 102) on data to generate encoded data, which can be encrypted and transmitted to a service provider (such as the service provider 112), for computation. An encoded and/or encrypted result is generated by the computation module 120 without decrypting or decoding the data, and an encrypted and/or encoded result is returned to the computing device 102.

[0061] One advantage of the process 500 is that it can operate directly on real numbers (e.g., example 504, where r - 1.3 10 , indicating that the number 1.3 is written in base 10), and can generate a polynomial with a low number of terms. Further, as the process 500 can incorporate rounding or approximating numbers, which often allows for a more efficient encoding than encoding an exact value, the process 500 reduces processing time and memory requirements. Thus, process 500 improves the functioning of the computer by reducing processing and memory requirements while encoding, performing computations, and while decrypting and/or decoding an encoded result.

[0062] At 506, the process determines if an approximation of the real number received in operation 502 is appropriate. For example, some application can require precise encoding of data, such as in banking transactions or financial data. In another example, some applications such as pattern recognition or image analysis can allow for approximation of numbers. Further, whether the data can be approximated or rounded can be determined by the parameter selection module 118 in FIG. 1, or can be determined by an administrator, programmer, an available amount of processing, storage requirements, etc. For example, it can be determined that the real number r - 1.3 10 can be approximated as example 508, where r = 1.31 10 . In some embodiments, operation

506 can include determining an allowable amount of error, a threshold, and/or an upper and lower bound for an allowed approximation of the real number received in operation 502.

[0063] At 510, the process determines a base encoding to encode the approximated value. In some embodiments, the base encoding can be determined based on the value of the real number received in operation 502, while in some embodiments, the approximation r = 1.31 10 can be determined along with determining the base encoding, which is illustrated in example 512 as base = 1.1. That is to say, in some embodiments, operations 506 and 510 can be performed iteratively to determine and/or select a base encoding and to determine an approximated value within an error threshold allowed for the real number received in operation 502, for example.

[0064] At 514, the operation encodes the real number as a polynomial using the base encoding determined in operation 510. For example, for the approximated example 508 as r = 1.31 10 and using base = \ A , the approximated real number can be encoded as a polynomial as r = x 2 + x - \ (example 516), which, when evaluated at x = \ . \ , gives r = 1.31 10 .

[0065] It can be understood in the context of this disclosure that any number can be selected as a small fractional base, such as base = 1.2, 1.01, 1.001, etc. , with various tradeoffs associated with each base, such as the fidelity or resolution required to represent or approximate numbers, the size of a polynomial required to represent numbers, the expected inputs, the application of utilizing the underlying data, processing time, memory requirements, etc. Further, the process 500 can include operations to truncate coefficients beyond a set number of coefficients. For example, truncating a polynomial to a few coefficients (e.g., two) generates a sparse representation of the number as a polynomial, leading to faster processing time, and reducing a probability of wrapping coefficients around, thereby eliminating potential problems during decoding. In another embodiment, the fractional base, such as base = 1.2, 1.01, 1.001, etc. , can be selected to generate a polynomial using a particular number of coefficients, such as one or two coefficients, thereby providing a sparse representation leading to improved performance. Thus, the process 500 further improves a functioning of a computer in this manner.

[0066] FIG. 6 illustrates an example process 600 for encoding numbers in a balanced odd base, according to one example implementation. In one embodiment, the process 600 can be performed by the encoding/encrypting module 108 in the computing device 102 of FIG. 1. However, processes can be performed in other environments and by other devices as well. Further, process 600 can be used either singularly or in combination with the various techniques and/or techniques discussed herein.

[0067] In general, the process 600 includes receiving data (e.g. as an integer or as a real number) in operation 602. If appropriate, an odd base can be selected for encoding, with coefficients selected to include negative numbers when generating encoded data as a polynomial. This process 600 is performed by the computing device (such as the computing device 102) on data (such as example 604, where « = 19 10 ) to generate encoded data, which can be encrypted and transmitted to a service provider (such as the service provider 112), for computation. An encoded and/or encrypted result is generated by the computation module 120 without decrypting or decoding the data, and an encrypted and/or encoded result is returned to the computing device 102.

[0068] One advantage of the process 600 is that by encoding numbers in a balanced odd base, as operations are performed on the data in the computation module 120, for example, operations involving positive and negative coefficients can, on average, result in a zero coefficient, thereby reducing a growth of the coefficients of a polynomial during computations. In some embodiments, this can allow more operations to be performed on a polynomial of fixed length, or can allow a shorter polynomial to be used to guarantee the same number of computations, which in turn improves processing and memory requirements for a given application, program, or operation. Thus, process 600 improves the functioning of the computer by reducing processing and memory requirements while encoding, encrypting, performing computations, and while decrypting and/or decoding an encoded and/or encrypted result.

[0069] At 606, the process selects an odd base for encoding, such as b = 3 given as example 608. For example, the parameter selection module 118 in FIG. 1 can specify the odd base for encoding, and/or an administrator or programmer can determine the odd base for encoding based on the data received in operation 602, or based on the application using the homomorphic encryption. For example, the application can require a large number of computations that can benefit from managing the growth of the coefficients by having the coefficients, on average, go to zero. As can be understood in the context of this disclosure, any odd base (other than 1 or -1) can be selected, such as b = 3, 5, 7, 9, 1 1, etc.

[0070] At 610, the number received in operation 602 can be expressed using the base selected in operation 606, and the coefficients can be selected to include negative values. By way of example, for the example 608 as b = 3 , the polynomial coefficients may be selected as— ^ ^≤ coefficients≤ ^ ^ , illustrated in example 612. Thus, using a base b = 3 , the coefficients may be selected as {-1, 0, 1 }.

[0071] In 614, the operation includes encoding numbers in balanced base b, with each base-b term encoded as a coefficient of a plaintext polynomial. In example 616, the number n - \9 l0 can be expressed as a polynomial x 3 -x 2 + 0x + l , which when evaluated at x = 3 returns a result of 19. As discussed above, when operations are subsequently performed on the polynomial encoding using the balanced base-b encoding, positive and negative coefficient terms can cancel out (e.g., when adding two encoded polynomials), thereby preventing the growth of the polynomial to improve the function of the computer.

[0072] By way of another example of the process 600, using a base b = 11 , the coefficients that may be selected include {-5, -4, -3, -2, -1, 0, 1, 2, 3, 4, 5}. Given a number n - 123456789 10 , this may be encoded as a polynomial

X s - 5x 7 + 4x 6 - 3x 5 - 5x* + 3x 3 - x 2 + 5 , which when evaluated at x = 11 returns a result of 123456789.

[0073] FIG. 7 illustrates an example process 700 for encoding numbers using slot encoding, according to one example implementation. In one embodiment, the process 700 can be performed by the encoding/encrypting module 108 in the computing device 102 of FIG. 1. However, processes can be performed in other environments and by other devices as well. Further, process 700 can be used either singularly or in combination with the various techniques and/or techniques discussed herein. [0074] In general, the operation 702 includes receiving data (e.g. as an integer or as a real number) encoded as a polynomial in operation 702. For example, a polynomial such as 5 = x 2 + Ox + 1 , illustrated as example 704, can be received as a polynomial, which can have been encoded according to embodiments of this disclosure (such as in example 308 of FIG. 3). In some embodiments, the process 700 can receive data not yet encoded as a polynomial, and can encode the data as a polynomial directly using the slot encoding techniques discussed herein. However, as can be understood in the context of this disclosure, the slot encoding can be applied to data previously encoded as a polynomial to illustrate the aspects of this technique. Following receipt of the data encoded as a polynomial (e.g., using any of the techniques discussed in this disclosure, for example) the process 700 can determine a slot size for slot encoding. Following this determination, the polynomial can be encoded as a slot-encoded polynomial, which can be encrypted and transmitted to a service provider (such as the service provider 112), for computation. An encoded and/or encrypted result is generated by the computation module 120 without decrypting or decoding the data, and an encrypted and/or encoded result is returned to the computing device 102.

[0075] One advantage of the process 700 is that encoding polynomials using slot encoding allows for more operations to be performed on the data in the computation module 120. For example, as operations are performed on the encoded polynomials, the size of the coefficients increases, and it can be possible for the polynomial to "run out" of space to perform operations (such as addition, subtraction, multiplication, and division). Using slot encoding can reduce the amount by which the polynomial coefficients grow, ensuring a polynomial can be properly decoded after operations are performed. Therefore, the process 700 can improve processing abilities for a given application, program, or operation, and improves the functioning of the computer by increasing the number of available computations that can be performed on the data.

[0076] At 706, the operation determines a slot size for a slot encoding of the polynomial received in operation 702. For example, operation 706 can determine that each coefficient can be represented by 5, 10, 20, or any number of slots, as can be understood in the context of this disclosure. In various embodiments, the number of slots to use for slot encoding can be determined by the parameter selection module 118 of FIG. 1. As discussed above, it can be understood in the context of this disclosure that for a polynomial of a given length, increasing the number of slots for each coefficient can reduce the amount of data stored in that polynomial, but can increase the number of operations that can be performed on that polynomial. Thus, selecting or determining the slot size is based at least in part on amount of data to be encoded and the number of operations (e.g., an upper-bound, worst-case estimate, average-case estimate, or maximum possible number of operations) to be performed on the polynomial.

[0077] Example 708 illustrates a slot size of 10 for the slot encoding of the polynomial example 704. For example, while using a slot size of 10, the integer portion of the polynomial example 504 (i.e., 1, or x° ) can be encoded in the polynomial example 708 at x 9 , x 8 x° . That is to say, the integer 1 can be encoded as a coefficient for any term x 9 , x 8 x° , given a slot size of 10. Next, the x 1 portion of the polynomial example 704 can be encoded at x 19 , x 18 ,..., x 10 . However, it can be understood in the context of this disclosure that because the coefficient term in example 704 is 0*x l , the coefficient term will be represented as a zero term in the slot encoded polynomial. Further, the x 2 portion of the polynomial can be encoded at slots x 29 , x 28 ,..., x 20 . It can be understood in the context of this disclosure that the arrows mapping the coefficients in the example 704 to the slots illustrated in example 708 are for illustrative purposes only, to visually illustrate the slot encoding techniques discussed herein.

[0078] At 710, the operation includes encoding the polynomial (received in operation 702, for example) as the slot encoded polynomial. For example, the coefficients in the polynomial example 704 can be mapped to the available slots (as illustrated in example 708) to form the slot encoded polynomial example 712, represented as x 1 + \ ^> x 2% + x 2 . That is to say, the received polynomial x 2 + 1 can be encoded as a slot encoded polynomial as x 2% + x 2 . As can be understood in the context of this disclosure that slots can be selected at random, according to a distribution algorithm, or according to parameters determined by the parameter selection module 118, of FIG. 1. As can be further understood in this context of this disclosure, operations can be performed on slot encoded polynomials, which can reduce the computational burden of managing coefficients in the polynomials. For example, using the techniques described herein, the number 5 can be encoded as a polynomial x 2 + 1 , which can also be represented as a slot- encoded polynomial (of a slot size of 10) as x" + x It can be further understood in the context of this disclosure that the number 5 can also be represented as a slot-encoded

23 8 28 2 23 8

polynomial as x + x , and the polynomials x + x and x + x can be added (e.g., in 28 23 8 2 the computation module 120) to generate a summed polynomial x + x + x + x , which when decoded (e.g., by the decoding module 110) can be understood to represent the sum of 10.

[0079] FIG. 8 illustrates an example service provider(s) 800 for automatically selecting parameters using an error growth simulator, according to one example implementation. In some embodiments, the service provider 800 can correspond to the service providers 112 and 204 of FIGS. 1 and 2.

[0080] The one or more computing devices of the service provider 800 can include one or more processor(s) 802 and memory 804. The one or more processor(s) 802 can comprise a single processing unit or a number of units, each of which could include multiple different processing units. The one or more processor(s) 802 can include, for example, one or more microprocessors, microcomputers, microcontrollers, digital signal processors, CPUs, GPUs, security processors (e.g., secure cryptoprocessors), etc.

[0081] The memory 804 can include a computation module 806, which can correspond to the computation module 120 in FIG. 1. As can be understood in the context of this disclosure, the computation module 806 can include any program, computation, or operation that can be performed on data. In various embodiments, the computation module 806 can perform computations on the received encoded and/or encrypted data and can generate an encoded and/or encrypted result, which can be transmitted to a computing device such as the computing device 102 of FIG. 1 for subsequent decryption and/or decoding. In various embodiments, the computation module 806 can perform addition, subtraction, multiplication, and/or division in any combination on the encoded and/or encrypted data, as would be understood in the context of this disclosure.

[0082] The memory can further include a parameter selection module 808 (e.g., corresponding to the parameter selection module 118 in FIG. 1) for automatically selecting parameters using an error growth simulator. For example, the parameters to be selected can include, but are not limited to, a plaintext modulus T 810, a length N of a polynomial 812, a modulus Q 814, a decomposition bit count JF 816, a standard deviation of error σ 818, a base B 820, a security level 822, an error level 824, and the like.

[0083] In some embodiments, the plaintext modulus T 810 can be set to be larger than any coefficient appearing in any plaintext polynomial at any point in the computations (e.g., coefficients in a "fresh" polynomial, or in a polynomial after operations have been performed, such as addition and/or multiplication). In one simplified example, assuming a base = 2 , the coefficients present in a freshly encoded polynomial (i.e., before any operations are performed) are limited to either 0 or 1. However, in an example where the number 3 is encoded as x + 1 , and two encoded polynomials are added together, the coefficients in the polynomial grow to 2x + 2 . Thus, the plaintext modulus Jmust be set larger than the coefficients present in any polynomial (e.g., larger than 2) to avoid modular reduction, which can occur if the coefficients increase larger than the plaintext modulus T. However, as the plaintext modulus T increases, an error grows during homomorphic operations. Therefore, the plaintext modulus T can be set above any coefficient value that may occur in any encoded polynomial, without being higher than required, to prevent any unnecessary increase in the rate at which noise grows during operations.

[0084] In some embodiments, the length N of the polynomial 812 can correspond to the length of the encoded polynomials illustrated in example 312 and example 412. In some embodiments, the length N of the polynomial 812 is a multiple of 2, such that N = 1024, 2048, 4096, or 8192 , although it can be understood in the context of this disclosure that these are non-limiting examples, and N can depend on a data type or application, as discussed herein. For example, the length N of the polynomial 812 can depend on a desired level of security, the size of input data, the number of operations to be performed, the processing capabilities of a computing device, an amount of available memory at a computing device, etc.

[0085] In some embodiments, the modulus Q 814 is used in encoding the plaintext data prior to encryption, and in some embodiments, the modulus Q is a large prime number. In some embodiments, the modulus Q 814 can determine a coefficient space in a polynomial ring and/or a dimension of a lattice, which can determine a degree of polynomial to be handled.

[0086] In some embodiments, the decomposition bit count W 816 can be used in a key switching procedure when computations modify an encryption key. For example, when two encoded and encrypted numbers using a secret key S are multiplied, the encoded and encrypted result will have a secret key S 2 . In some embodiments, when the encoded and encrypted result is sent to a computing device (such as the computing device 102), the computing device can decrypt the result using a secret key S 2 . Instead of requiring the secret key S 2 to decrypt the result, the service provider 800 can perform a key switching procedure, which can convert the secret key S 2 to the secret key S. The decomposition bit count W 814 can be used in such a key switching procedure. In some embodiments, this key switching procedure is an expensive (computationally) operation. To speed up processing, a larger decomposition bit count W 814 can be used, although in this case, a large W can introduce error in the ciphertext, thereby degrading data or invalidating a result.

[0087] In some embodiments, the standard deviation of error σ 818 can depend on the length N of the polynomial 812 and the modulus Q 814.

[0088] In some embodiments, the base B 820 can be determined by the parameter selection module 808. For example, the base B 820 can include any base larger than 1, for example, 5, 3, 2, 1.2, 1.1, 1.01, etc.

[0089] In some embodiments, the parameter selection module 808 can receive inputs, such as a desired security level 822 and/or an acceptable error level 824. For example, the parameter selection module 808 can include a user interface where a user can indicate a desired security level 822 (e.g., "low," "medium," or "high") or can indicate an acceptable error level 824 (e.g., 1% error, 5% error), or whether or not approximations, rounding, and/or truncations are allowed. In some embodiments, a user can specify whether slot encoding can be used, as well as the number of slots to use. As can be understood in the context of this disclosure, any number of parameters can be added or adjusted by the user, depending on the sophistication of the user, and/or the desired complexity of the parameter selection module 808.

[0090] FIG. 9 illustrates an example process 900 for automatically selecting parameters using an error growth simulator, according to one example implementation. In one embodiment, the process 900 can be performed by the parameter selection modules 118 or 808 in the service providers 112 or 800 of FIGS. 1 and 8, respectively. However, processes can be performed in other environments and by other devices as well. Further, process 900 can be used either singularly or in combination with the various techniques and/or techniques discussed herein.

[0091] In general, the operation 902 includes receiving a program including one or more homomorphic calculations. For example, a program received in operation 902 can be uploaded to a service provider (such as the service providers 112 or 800) by a user, or can be selected from a library of components located at a service provider. In some embodiments, a program can be received by selecting or building operations from a library of components including homomorphic calculations and/or operations. Following the receipt of the program in operation 902, various parameters are optimized for encoding and/or encrypting of data to be used in the received program, which can collectively be referred to as operation 904. After parameters are determined, they can be returned to a user or computing device.

[0092] One advantage of the process 900 is that optimizing parameters for encoding and encrypting allows for security and confidentiality of data to be maintained while improving the processing requirements and memory requirements of the homomorphic operations. For example, the parameters can be tailored to generate polynomials large enough to guarantee operation in a worst-case scenario or an average-case scenario, without being too large as to become unmanageable. Further the process 900 can be performed automatically on an actual program intended to be used, thereby increasing the accuracy and probability that the parameters will result in an efficient operation. Therefore, the process 900 can improve processing abilities for a given application, program, or operation, and can improve the functioning of the computer by improving a processing abilities and improving memory requirements when performing homomorphic operations.

[0093] At 904, the operation optimizes various parameters for the encoding and/or encrypting of data. For example, operations included in the operation 904 can include generating at least one encoding parameter and at least one encrypting parameter based on a result of the simulation.

[0094] At 906, the operation determines the plaintext modulus T using a worst-case analysis. In some embodiments, the plaintext modulus J is determined to guarantee that the value of the plaintext modulus J is larger than any coefficient present in the plaintext polynomial at any time during any operation. In some embodiments, the plaintext modulus T can be determined using an average-case analysis. Therefore, operation 906 can include determining an upper bound for the largest coefficient that can be present in a plaintext polynomial. In some embodiments, the largest coefficient can be determined using a worst-case analysis, while in some embodiments, the largest coefficient can be determined by analyzing actual or simulated data. For example, the operation 906 can include determining a data type of any input data, a range of the input data, as well as a largest coefficient present in a polynomial based on the determined data type or input data.

[0095] At 908, the operations determine a length N of the polynomial. In some embodiments, the length N of the polynomial can be a power of 2, such as N = 1024, 2048, 4096, or 8192 , although it can be understood in the context of this disclosure that these are non-limiting examples, and N can depend on a data type or application, as discussed herein. For example, the length N of the polynomial can depend on a desired level of security, the size of input data, the number of operations to be performed, the processing capabilities of a computing device, an amount of available memory at a computing device, etc.

[0096] At 910, the modulus Q can be determined. In some embodiments, the modulus Q can be a prime number. In some embodiments, the modulus Q and the length N of the polynomial can be chosen as a pair, such that the modulus Q is predetermined and associated with a particular length N of the polynomial.

[0097] At 912, the standard deviation of error σ can be determined. In some embodiments, the standard deviation of error is determined based on the length N of the polynomial and the modulus Q.

[0098] At 914, a decomposition bit count JFcan be determined. As discussed above, the decomposition bit count W can be used in a key switching operation. Details of determining the decomposition bit count JF are also described in connection with FIG. 10.

[0099] At 916, a simulation is run to determine an expected error on a ciphertext. In some embodiments, the simulation does not need any actual encrypted data or plaintext data to operate. Instead, the simulation can run using only the estimated sizes of the plaintext components. The simulation can determine the error growth associated with each computation to determine the error growth in the ciphertexts throughout the simulated operations.

[00100] At 918, it is determined if the error is below a threshold. In some embodiments, the threshold can be determined as an average-case analysis of the simulated error, with an error above the threshold resulting in a failure when a result is to be decrypted and/or decoded. For example, if the parameters are not optimized, an error of the simulator can grow and make it impossible to decrypt a result of the computations. In the event the error is above a threshold, the operations can return to determine one or more parameters (e.g., starting at operation 908). Following the newly determined parameters, the process can simulate the error again and can determine at operation 918 if the error is below the threshold. Thus, the process 900 can be performed iteratively to optimize the parameters to be used in the homomorphic encryption scheme. [00101] At 920, the parameters optimized in the operations 902-918 can be sent to a client computing device, and the parameters can be used by the computing device to encode, encrypt, decrypt, and decode the data to be used in homomorphic calculations.

[00102] FIG. 10 illustrates an example process 1000 for automatically selecting parameters using an error growth simulator, according to one example implementation. In one embodiment, the process 1000 can be performed by the parameter selection modules 118 or 808 in the service providers 112 or 800 of FIGS. 1 and 8, respectively. However, processes can be performed in other environments and by other devices as well. Further, process 1000 can be used either singularly or in combination with the various techniques and/or techniques discussed herein. For example, process 1000 (or individual operations in the process 1000) can be used in combination with, or instead of, the operations identified in the process 900 for optimizing parameters. Therefore, the process 1000 can also improve processing abilities for a given application, program, or operation, and can also improve the functioning of the computer by improving a processing abilities and improving memory requirements when performing homomorphic operations.

[00103] At 1002, the operation optimizes various parameters for the encoding and/or encrypting of data. For example, operations included in the operation 1002 can include generating at least one encoding parameter and at least one encrypting parameter based on a result of the simulation.

[00104] At 1004, the operation includes determining a lower-bound for the length N of the polynomial and a lower-bound for the modulus Q. Because the length N of the polynomial is correlated with the amount of processing required to perform a homomorphic operation using that polynomial, the operation 1004 can begin with a lower-bound to use a small size. In some embodiments, the lower-bound of the length N of the polynomial is determined by a minimum level of security and/or the minimum size required to perform a number of operations. In some embodiments, the operation 1004 begins at predefined lower-bound. In some embodiments, the length N of the polynomial is determined and/or selected in conjunction with the modulus Q, as a {N, Q) pair.

[00105] At 1006, the operation determines an upper-bound of the decomposition bit count W. As described above, the decomposition bit count W can be used in a key-switching operation, with a larger W generally allowing for faster processing. However, a larger W generally also introduces more error in a ciphertext during a key-switching procedure when compared to a smaller W. Therefore, in some embodiments, the operation 1006 can determine an upper-bound Wto prioritize speed. However, it is understood in the context of this disclosure that the operation 1006 can begin with a lower-bound of Wto minimize noise or degradations to a ciphertext, and iteratively increase W until a desired operation is obtained.

[00106] At 1008, a simulation is run to determine an expected error on the ciphertext, and at 1010, it is determined whether the expected error is below a threshold. In some embodiments, operations 1008 and 1010 can correspond with operations 916 and 918 in the process 900.

[00107] At 1012, if the error is below a threshold, which in some embodiments indicates that the ciphertext can be properly decrypted and decoded when presented to a computing device, the parameters are sent to a client for encoding and encrypting. In some embodiments, the operation 1012 can correspond to the operation 920 in the process 900.

[00108] If the error is not below a threshold at operation 1010, the process can decrease the decomposition bit count W at operation 1014. Next, at operation 1016, it is determined if the decomposition bit count W below a threshold. If the decomposition bit count W not below a threshold (operation 1016), the processing moves to operation 1008 to run the simulation to determine an expected error using an updated l value. In some embodiments, the threshold for the decomposition bit count JFcan be set arbitrarily, or can be set at a lowest possible value. In some embodiments, the lower bound for W can be set when an amount of processing and/or memory required to execute a key- switching operation using a decomposition bit count W (lower bound) at a particular {N, Q) pair would be greater than an amount of processing and/or memory required to execute a key-switching operation using a decomposition bit count W (upper bound) at a larger {N, Q) pair.

[00109] If the decomposition bit count W is below a threshold in operation 1016, operation 1018 increases the length N of the polynomial and the modulus Q, and continues processing by determining an upper-bound of the decomposition bit count W, and determining an expected error. Thus, the process 1000 can be performed iteratively to optimize the parameters to be used in the homomorphic encryption scheme.

[00110] Therefore, as described herein, optimized parameters can be determined and/or selected for improved homomorphic encryption, including improved operation of a computer by improving processing and/or memory requirements for the homomorphic encryption. Further, the optimizing of parameters and encodings discussed herein may also be used outside the strict context of homomorphic encryption applications, in any application where secure computations are required.

EXAMPLE CLAUSES

[00111] Example A, a system comprising: one or more processors; and memory storing modules that, when executed by the one or more processors, cause the system to perform operations comprising: receiving a sequence of operations including a plurality of homomorphic operations to be performed on at least one ciphertext; running a simulation on the sequence of operations to determine an expected error in the at least one ciphertext; generating at least one encoding parameter and at least one encrypting parameter based on a result of the simulation; and transmitting the at least one encoding parameter and the at least one encrypting parameter via a network to a computing device.

[00112] Example B, the system of Example A, wherein the operations further comprise: determining that the expected error in the at least one ciphertext is above a threshold; and generating at least one updated encoding parameter or at least one updated encrypting parameter based on the expected error.

[00113] Example C, the system of Example A or Example B, wherein the operations further comprise automatically selecting the at least one encoding parameter and the at least one encrypting parameter to reduce a processing time or to reduce a memory requirement when the sequence of operations is implemented on homomorphically encrypted data.

[00114] Example D, the system of any one of Examples A through C, wherein the operations further comprise determining a length N of a polynomial for encoding data as a polynomial, wherein the at least one encoding parameter includes the length N of the polynomial.

[00115] Example E, the system of any one of Examples A through D, wherein the operations further comprise determining a decomposition bit count W for encrypting an encoded polynomial as the at least one ciphertext, wherein the at least one encrypting parameter includes the decomposition bit count W.

[00116] Example F, the system of any one of Examples A through E, wherein the plurality of homomorphic operations include at least one of addition, subtraction, multiplication, or division.

[00117] Example G, the system of any one of Examples A through F, wherein the at least one ciphertext is a first ciphertext, and wherein the operations further comprise receiving a second ciphertext via a network from a computing device, the second ciphertext including data having been encoded using the at least one encoding parameter and the second ciphertext having been encrypted using the at least one encrypting parameter.

[00118] Example H, the system of any one of Examples A through C, Example F, and Example G, wherein the operations further comprise: determining a length N of a polynomial for encoding data as a polynomial, wherein the length N of the polynomial is selected as a lower-bound length; determining a decomposition bit count W for encrypting the polynomial as the at least one ciphertext, wherein the decomposition bit count W is selected as an upper-bound size, wherein the running the simulation on the sequence of operations to determine the expected error in the at least one ciphertext includes using the length N of the polynomial and the decomposition bit count W; determining that the expected error is above an error threshold; and determining an updated decomposition bit count W, wherein the updated decomposition bit count W is smaller than the decomposition bit count W.

[00119] Example I, the system of Example H, wherein the operations further comprise running an updated simulation using the length N of the polynomial and the updated decomposition bit count W to determine an updated expected error of the at least one ciphertext.

[00120] While Example A through Example I are described above with respect to a system, it is understood in the context of this document that the content of Example A through Example I may also be implemented via a device, computer storage media, and/or a method.

[00121] Example J, at least one device comprising: one or more processors; and memory storing modules that, when executed by the one or more processors, cause the at least one device to perform operations comprising: receiving a sequence of operations including a plurality of homomorphic operations to be performed on at least one ciphertext; running a simulation on the sequence of operations to determine an expected error in the at least one ciphertext, wherein the simulation is run iteratively to determine a plurality of parameters to be used for encoding and encrypting data to be used in the plurality of homomorphic operations; generating at least one encoding parameter and at least one encrypting parameter based on a result of the simulation, the at least one encoding parameter and the at least one encrypting parameter included in the plurality of parameters; and transmitting the plurality of parameters via a network to a computing device. [00122] Example K, the at least one device of Example J, wherein the operations further comprise: determining that the expected error in the at least one ciphertext is above a threshold; and generating at least one updated encoding parameter or at least one updated encrypting parameter based on the expected error.

[00123] Example L, the at least one device of Example J or Example K, wherein the operations further comprise automatically selecting the at least one encoding parameter and the at least one encrypting parameter to reduce a processing time or to reduce a memory requirement when the sequence of operations is implemented on homomorphically encrypted data.

[00124] Example M, the at least one device of any one of Examples J through L, further comprising: determining a length N of a polynomial for encoding data as a polynomial, wherein the length N of the polynomial is selected as a lower-bound length; and determining a decomposition bit count Wfor encrypting the polynomial as the at least one ciphertext, wherein the decomposition bit count W is selected as an upper-bound size, wherein running the simulation on the sequence of operations to determine the expected error in the at least one ciphertext includes simulating an encoding using the length N of the polynomial and simulating an encrypting using the decomposition bit count W.

[00125] Example N, the at least one device of any one of Examples J through L, further comprising selecting a length N of a polynomial for encoding data as a polynomial and selecting a modulus Q for determining a coefficient space in a polynomial ring as a predetermined {N, Q) pair.

[00126] While Example J through Example N are described above with respect to a device, it is understood in the context of this document that the content of Example J through Example N may also be implemented via a system, computer storage media, and/or a method.

[00127] Example O, a computer-implemented method for simulating homomorphic operations to generate operating parameters, the computer-implemented method performed by at least one processor, and the computer-implemented method comprising: receiving a sequence of operations including a plurality of homomorphic operations to be performed on at least one ciphertext; running a simulation on the sequence of operations to determine an expected error in the at least one ciphertext; generating at least one encoding parameter or at least one encrypting parameter based on a result of the simulation; and transmitting the at least one encoding parameter or the at least one encrypting parameter via a network to a computing device. [00128] Example P, the computer-implemented method of Example O, further comprising: determining that the expected error in the at least one ciphertext is above a threshold; and generating at least one updated encoding parameter or at least one updated encrypting parameter based on the expected error.

[00129] Example Q, the computer-implemented method of Example O or Example P, further comprising automatically selecting the at least one encoding parameter or the at least one encrypting parameter to reduce a processing time or to reduce a memory requirement when the sequence of operations is implemented on homomorphically encrypted data.

[00130] Example R, the computer-implemented method of any one of Examples O through Q, wherein the operations further comprise determining a length N of a polynomial for encoding data as an encoded polynomial, wherein the at least one encoding parameter includes the length N of the polynomial.

[00131] Example S, the computer-implemented method of any one of Examples O through R, wherein the operations further comprise determining a decomposition bit count Wfor encrypting an encoded polynomial as the at least one ciphertext, wherein the at least one encrypting parameter includes the decomposition bit count W.

[00132] Example T, the computer-implemented method of any one of Examples O through S, wherein the at least one encoding parameter includes at least one parameter indicating that encoding a real number in a polynomial includes slot encoding.

[00133] While Example O through Example T are described above with respect to a method, it is understood in the context of this document that the content of Example O through Example T may also be implemented via a device, system, and/or computer storage media.

Conclusion

[00134] Although the present disclosure can use language that is specific to structural features and/or methodological operations, the disclosure is not limited to the specific features or operations described herein. Rather, the specific features and operations are disclosed as illustrative forms of implementing the disclosure.