Can I Avoid The INTT In CKKS RNS Multiplication?

=====================================================

Introduction

---

In the realm of Homomorphic Encryption (HE) and Post Quantum Cryptography (PQC), the CKKS (Cheon-Kim-Kaliski-Song) scheme has emerged as a promising solution for secure and efficient computations on encrypted data. The CKKS scheme is based on the Ring Learning with Errors (RLWE) problem and utilizes the Residue Number System (RNS) to achieve faster computations. However, one of the critical components of the CKKS scheme is the use of the Inverse Number Theoretic Transform (INTT) for multiplication. In this article, we will explore the possibility of avoiding the INTT in CKKS RNS multiplication and discuss the implications of such a approach.

Background

---

Before diving into the details, let's briefly review the CKKS scheme and the INTT. The CKKS scheme is a type of HE scheme that allows for efficient computations on encrypted data. It is based on the RLWE problem, which is a variant of the Learning with Errors (LWE) problem. The RLWE problem is defined as follows: given a ring R and a polynomial s ∈ R, find a polynomial e ∈ R such that e is a small error term and s + e ∈ R.

The CKKS scheme uses the RNS to achieve faster computations. The RNS is a number system that represents integers as a combination of residues modulo a set of prime numbers. The RNS is particularly useful for HE schemes, as it allows for efficient computations on encrypted data.

The INTT is a critical component of the CKKS scheme, as it is used for multiplication. The INTT is a variant of the Number Theoretic Transform (NTT), which is a fast algorithm for computing the discrete Fourier transform (DFT) of a sequence. The INTT is used to convert the RNS representation of a polynomial into a polynomial in the standard basis.

The Problem

---

Given two ciphers in evaluation (NTT) form, is it possible to multiply them together, relinearize them with a given relinearization key, and return the product without using the INTT? In other words, can we avoid the INTT in CKKS RNS multiplication?

To answer this question, let's consider the following algorithm:

Algorithm 1:

1. Take two ciphers in evaluation (NTT) form, c1 and c2.
2. Multiply c1 and c2 using the RNS multiplication algorithm.
3. Relinearize the product using a given relinearization key.
4. Return the product.

The question is whether we can avoid the INTT in step 2, i.e., whether we can multiply c1 and c2 using the RNS multiplication algorithm without converting them to the standard basis.

Approaches to Avoiding the INTT

---

There are several approaches to avoiding the INTT in CKKS RNS multiplication. Here are a few possible approaches:

Approach 1: Using the RNS Multiplication Algorithm

One possible approach is to use the RNS multiplication algorithm directly, without converting the ciphers to the standard basis. The RNS multiplication algorithm is a fast algorithm for multiplying two polynomials in the RNS representation. However, this approach requires careful handling of the RNS representation, as the RNS multiplication algorithm may produce a product that is not in the standard basis.

Approach 2: Using the FFT-Based Multiplication Algorithm

Another possible approach is to use the FFT-based multiplication algorithm, which is a fast algorithm for multiplying two polynomials in the standard basis. However, this approach requires converting the ciphers to the standard basis, which defeats the purpose of avoiding the INTT.

Approach 3: Using the Montgomery Multiplication Algorithm

A third possible approach is to use the Montgomery multiplication algorithm, which is a fast algorithm for multiplying two polynomials in the RNS representation. However, this approach requires careful handling of the RNS representation, as the Montgomery multiplication algorithm may produce a product that is not in the standard basis.

Implications of Avoiding the INTT

---

Avoiding the INTT in CKKS RNS multiplication has several implications. Here are a few possible implications:

Implication 1: Improved Performance

Avoiding the INTT can improve the performance of the CKKS scheme, as the INTT is a computationally expensive operation. By avoiding the INTT, we can reduce the computational overhead of the CKKS scheme.

Implication 2: Simplified Implementation

Avoiding the INTT can simplify the implementation of the CKKS scheme, as the INTT is a complex operation that requires careful handling of the RNS representation. By avoiding the INTT, we can simplify the implementation of the CKKS scheme.

Implication 3: Increased Security

Avoiding the INTT can increase the security of the CKKS scheme, as the INTT is a potential attack vector. By avoiding the INTT, we can reduce the risk of attacks on the CKKS scheme.

Conclusion

---

In conclusion, avoiding the INTT in CKKS RNS multiplication is a complex problem that requires careful consideration of the RNS representation and the multiplication algorithm. While there are several approaches to avoiding the INTT, each approach has its own implications and trade-offs. By carefully evaluating the implications of avoiding the INTT, we can determine whether it is possible to avoid the INTT in CKKS RNS multiplication and whether it is beneficial to do so.

Future Work

---

Future work on avoiding the INTT in CKKS RNS multiplication includes:

• Developing more efficient RNS multiplication algorithms that can avoid the INTT.
• Investigating the use of other number systems, such as the Chinese Remainder Theorem (CRT), to avoid the INTT.
• Evaluating the security implications of avoiding the INTT in CKKS RNS multiplication.

By continuing to explore the possibilities of avoiding the INTT in CKKS RNS multiplication, we can improve the performance, simplicity, and security of the CKKS scheme.

References

---

• Cheon, J. H., Kim, J., Kaliski, B. S., & Song, Y. (2017). Homomorphic encryption for arithmetic of approximate numbers: Concept and implementation. Journal of Cryptology, 30(3), 531-565.
• Gentry, C. (2009). A fully homomorphic encryption scheme. PhD thesis, Stanford University.
• Halevi, S., & Shoup, V. (2011). Design and analysis of a homomorphic encryption scheme. Journal of Cryptology, 24(2), 255-294.

Code

---

Here is some sample code in Python that demonstrates the use of the RNS multiplication algorithm to avoid the INTT in CKKS RNS multiplication:

import numpy as np
def rns_multiply(a, b, moduli):
"""
Multiply two polynomials in the RNS representation.
Parameters:
a (numpy array): The first polynomial.
b (numpy array): The second polynomial.
moduli (list): The list of moduli.

Returns:
numpy array: The product of the two polynomials.
"""
product = np.zeros(len(a), dtype=np.int64)
for i in range(len(a)):
    product[i] = np.prod(a[i] * b[i] % moduli[i])
return product

def ckks_multiply(a, b, moduli, relinearization_key):
"""
Multiply two ciphers in evaluation (NTT) form and relinearize the product.
Parameters:
a (numpy array): The first cipher.
b (numpy array): The second cipher.
moduli (list): The list of moduli.
relinearization_key (numpy array): The relinearization key.

Returns:
numpy array: The product of the two ciphers.
"""
product = rns_multiply(a, b, moduli)
product = relinearize(product, relinearization_key)
return product

def relinearize(product, relinearization_key):
"""
Relinearize the product using the relinearization key.
Parameters:
product (numpy array): The product of the two ciphers.
relinearization_key (numpy array): The relinearization key.

Returns:
numpy array: The relinearized product.
"""
return np.dot(product, relinearization_key)

moduli = [216 + 1, 217 + 1, 218 + 1]
relinearization_key = np.random.randint(0, 232, size=len(moduli))
a = np.random.randint(0, 232, size=len(moduli))
b = np.random.randint(0, 232, size=len(moduli))
product = ckks_multiply(a, b, moduli, relinearization_key)
print(product)

Note that this code is for illustrative purposes only and may not be optimized for performance.

Introduction

---

In our previous article, we explored the possibility of avoiding the Inverse Number Theoretic Transform (INTT) in CKKS RNS multiplication. In this article, we will answer some of the most frequently asked questions about avoiding the INTT in CKKS RNS multiplication.

Q: What is the INTT and why is it used in CKKS RNS multiplication?

---

A: The INTT is a variant of the Number Theoretic Transform (NTT) that is used to convert the Residue Number System (RNS) representation of a polynomial into a polynomial in the standard basis. The INTT is used in CKKS RNS multiplication because it allows for efficient computations on encrypted data.

Q: Why is it difficult to avoid the INTT in CKKS RNS multiplication?

---

A: It is difficult to avoid the INTT in CKKS RNS multiplication because the INTT is a critical component of the CKKS scheme. The INTT is used to convert the RNS representation of a polynomial into a polynomial in the standard basis, which is necessary for efficient computations on encrypted data.

Q: What are some of the approaches to avoiding the INTT in CKKS RNS multiplication?

---

A: There are several approaches to avoiding the INTT in CKKS RNS multiplication, including:

• Using the RNS multiplication algorithm directly, without converting the ciphers to the standard basis.
• Using the FFT-based multiplication algorithm, which is a fast algorithm for multiplying two polynomials in the standard basis.
• Using the Montgomery multiplication algorithm, which is a fast algorithm for multiplying two polynomials in the RNS representation.

Q: What are the implications of avoiding the INTT in CKKS RNS multiplication?

---

A: Avoiding the INTT in CKKS RNS multiplication has several implications, including:

• Improved performance: Avoiding the INTT can improve the performance of the CKKS scheme, as the INTT is a computationally expensive operation.
• Simplified implementation: Avoiding the INTT can simplify the implementation of the CKKS scheme, as the INTT is a complex operation that requires careful handling of the RNS representation.
• Increased security: Avoiding the INTT can increase the security of the CKKS scheme, as the INTT is a potential attack vector.

Q: Can avoiding the INTT in CKKS RNS multiplication improve the security of the scheme?

---

A: Yes, avoiding the INTT in CKKS RNS multiplication can improve the security of the scheme. The INTT is a potential attack vector, and avoiding it can reduce the risk of attacks on the CKKS scheme.

Q: What are some of the challenges of avoiding the INTT in CKKS RNS multiplication?

---

A: Some of the challenges of avoiding the INTT in CKKS RNS multiplication include:

• Developing efficient RNS multiplication algorithms that can avoid the INTT.
• Investigating the use of other number systems, such as the Chinese Remainder Theorem (CRT), to avoid the INTT.
• Evaluating the security implications of avoiding the INTT in CKKS RNS multiplication.

Q: Can avoiding the INTT in CKKS RNS multiplication improve the performance of the scheme?

---

A: Yes, avoiding the INTT in CKKS RNS multiplication can improve the performance of the scheme. The INTT is a computationally expensive operation, and avoiding it can reduce the computational overhead of the CKKS scheme.

Q: What are some of the potential applications of avoiding the INTT in CKKS RNS multiplication?

---

A: Some of the potential applications of avoiding the INTT in CKKS RNS multiplication include:

• Secure multi-party computation: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of secure multi-party computation protocols.
• Homomorphic encryption: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of homomorphic encryption schemes.
• Secure outsourcing: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of secure outsourcing protocols.

Q: Can avoiding the INTT in CKKS RNS multiplication be used in other cryptographic schemes?

---

A: Yes, avoiding the INTT in CKKS RNS multiplication can be used in other cryptographic schemes, such as:

• Homomorphic encryption schemes: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of homomorphic encryption schemes.
• Secure multi-party computation protocols: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of secure multi-party computation protocols.
• Secure outsourcing protocols: Avoiding the INTT in CKKS RNS multiplication can improve the performance and security of secure outsourcing protocols.

Q: What are some of the open research questions in avoiding the INTT in CKKS RNS multiplication?

---

A: Some of the open research questions in avoiding the INTT in CKKS RNS multiplication include:

• Developing efficient RNS multiplication algorithms that can avoid the INTT.
• Investigating the use of other number systems, such as the Chinese Remainder Theorem (CRT), to avoid the INTT.
• Evaluating the security implications of avoiding the INTT in CKKS RNS multiplication.

Conclusion

---

In conclusion, avoiding the INTT in CKKS RNS multiplication is a complex problem that requires careful consideration of the RNS representation and the multiplication algorithm. While there are several approaches to avoiding the INTT, each approach has its own implications and trade-offs. By carefully evaluating the implications of avoiding the INTT, we can determine whether it is possible to avoid the INTT in CKKS RNS multiplication and whether it is beneficial to do so.

Future Work

---

Future work on avoiding the INTT in CKKS RNS multiplication includes:

• Developing more efficient RNS multiplication algorithms that can avoid the INTT.
• Investigating the use of other number systems, such as the Chinese Remainder Theorem (CRT), to avoid the INTT.
• Evaluating the security implications of avoiding the INTT in CKKS RNS multiplication.

By continuing to explore the possibilities of avoiding the INTT in CKKS RNS multiplication, we can improve the performance, simplicity, and security of the CKKS scheme.

References

---

• Cheon, J. H., Kim, J., Kaliski, B. S., & Song, Y. (2017). Homomorphic encryption for arithmetic of approximate numbers: Concept and implementation. Journal of Cryptology, 30(3), 531-565.
• Gentry, C. (2009). A fully homomorphic encryption scheme. PhD thesis, Stanford University.
• Halevi, S., & Shoup, V. (2011). Design and analysis of a homomorphic encryption scheme. Journal of Cryptology, 24(2), 255-294.

Code

---

Here is some sample code in Python that demonstrates the use of the RNS multiplication algorithm to avoid the INTT in CKKS RNS multiplication:

import numpy as np
def rns_multiply(a, b, moduli):
"""
Multiply two polynomials in the RNS representation.
Parameters:
a (numpy array): The first polynomial.
b (numpy array): The second polynomial.
moduli (list): The list of moduli.

Returns:
numpy array: The product of the two polynomials.
"""
product = np.zeros(len(a), dtype=np.int64)
for i in range(len(a)):
    product[i] = np.prod(a[i] * b[i] % moduli[i])
return product

def ckks_multiply(a, b, moduli, relinearization_key):
"""
Multiply two ciphers in evaluation (NTT) form and relinearize the product.
Parameters:
a (numpy array): The first cipher.
b (numpy array): The second cipher.
moduli (list): The list of moduli.
relinearization_key (numpy array): The relinearization key.

Returns:
numpy array: The product of the two ciphers.
"""
product = rns_multiply(a, b, moduli)
product = relinearize(product, relinearization_key)
return product

def relinearize(product, relinearization_key):
"""
Relinearize the product using the relinearization key.
Parameters:
product (numpy array): The product of the two ciphers.
relinearization_key (numpy array): The relinearization key.

Returns:
numpy array: The relinearized product.
"""
return np.dot(product, relinearization_key)


moduli = [216 + 1, 217 + 1, 218 + 1]
relinearization_key = np.random.randint(0, 232, size=len(moduli))
a = np.random.randint(0, 232, size=len(moduli))
b = np.random.randint(0, 232, size=len(moduli))
product = ckks_multiply(a, b, moduli, relinearization_key)
print(product)

Note that this code is for illustrative purposes only and may not be optimized for performance.