Homomorphic comparison algorithm

references:

1. [PS73] Paterson M S, Stockmeyer L J. On the number of nonscalar multiplications necessary to evaluate polynomials[J]. SIAM Journal on Computing, 1973, 2(1): 60-66.
2. [KLLW16] Kim M, Lee H T, Ling S, et al. On the efficiency of FHE-based private queries[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(2): 357-363.
3. [IZ21] Iliashenko I, Zucca V. Faster homomorphic comparison operations for BGV and BFV[J]. Proceedings on Privacy Enhancing Technologies, 2021, 2021(3): 246-264.

Fast polynomial evaluation algorithm

for $n-$ length polynomial$P\left(x\right)$ , if you want to calculatennFunction value P ( ξ i ) P(\xi^i)on$n\; unit\; roots$$P\left(x^i\right)$, then using FFT/NTT can achieve$O(n\log$The complexity of$n$$)$$O(\log n)$ . But if we consider a single arbitrary point$x$ evaluates$P\left(x\right)$ , how to calculate it quickly? "Fast" here meansfewer "non-scalar multiplications". The cost of scalar multiplication is similar to that of addition. From now on we will assume that "multiplication" refers to non-scalar multiplication.

Horner rule：${\sum }_{i=0}^n{a}_i{x}^i=(\cdots ((a_{n}x+a_{n-1})x+a_{n-2})\cdots )x+a_0$, a total of $n$ times multiplication.

[PS73] proposed that only $O(\sqrt{n})$ times multiplication polynomial single-point evaluation algorithm. First of all, it can be proved that the lower bound of complexity of polynomial evaluation is$O(\sqrt{n})$：

Then [PS73] proposed three polynomial evaluation algorithms in sequence.

Algorithm A

Theorem: Degree $Any\; polynomial\; of\; n$ exists using$n/2+O(\log Evaluation\; algorithm\; for\; n)$ multiplications.

For convenience, we assume $n=2^m-1$ (Polynomial length$2^m$ ), while the polynomial is leading,

1. First precompute $x^2,x^4,x^8,\cdots ,x^{2^{m-1}}$ , cost$\log n$ times multiplication

2. Given a certain $2p-The\; leading\; polynomial\; of\; degree\; 1$ can be written in the following form:
   $$\begin{array}{rl}& x^{2p-1}+a_{2p-2}{x}^{2p-2}+\cdots +a_{1}x+a_0\\ =& (x^p+c)(x^{p-1}+a_{2p-2}{x}^{p-2}+\cdots +a_{p+1}x+a_p)\\ +& (x^{p-1}+b_{p-2}{x}^{p-2}+\cdots +b_{1}x+b_0)\end{array}$$

   where $c=a_{p-1}-1$，$b_j=a_j-c{a}_{p+j}$is a constant, and $x^p$ has been precomputed

3. So we put $2p-$The leading polynomial of degree$1$ is decomposed into two$p-$The first polynomial of degree$1$ continuesto be evaluated recursively. The recursive formula for multiplicative complexity is$N(2p-1)=2N(p\_-1)+1$ , initial value$N(1)=0$ , so$N(n)=(n+1)/2-1\approx n/2$

For any $n$ , we will$n$ binary decomposition, so the polynomial can be split into a number of lengths$2^{}$For the slicesof${}^i$ , after executing the evaluation algorithm respectively, multiply by$x^2,x^4,x^8,\cdots ,x^{2^{\lfloor \log n\rfloor Assemble}}$ . This costs extra$\log n$ times multiplication.

Algorithm B

Theorem: Degree $Any\; polynomial\; of\; n$ exists using$2\sqrt{n}$Evaluation algorithm for submultiplications.

We assume $n=km-1$ (Polynomial length$km$），

1. First precompute $x^2,x^3,\cdots ,x^k$ , cost$k$ multiplications

2. Using the generalized version of Horner's rule , write the polynomial in the following form:
   $$\begin{array}{rl}& a_{km-1}{x}^{km-1}+a_{km-2}{x}^{km-2}+\cdots +a_{1}x+a_0\\ =& \left(\cdots \right((a_{km-1}{x}^{k-1}+\cdots +a_{k(m-1)})x^k\\ & +(a_{k(m-1)-1}{x}^{k-1}+\cdots +a_{k(m-2)}))x^k+\cdots )x^k\\ & +(a_{k-1}{x}^{k-1}+\cdots +a_{1}x+a_0)\end{array}$$

   Because $x^2,\cdots .x^{k-1},x^k$ are all precomputed, so the multiplication cost is$m$

3. The total complexity is $k+m$ , select$k=\sqrt{n}$time optimization

Algorithm C

Theorem: Degree $Any\; polynomial\; of\; n$ exists using$\sqrt{2n}+O(\log Evaluation\; algorithm\; for\; n)$ multiplications.

We assume $n=k\cdot (2^m-1)$ , while the polynomial is leading,

1. Precompute $x^2,x^3,\cdots ,x^k$ , cost$k$ multiplications

2. Precompute $x^{2k},{}^{\_}{x}^{4k},{}^{\_}{x}^{8k},{}^{\_}\cdots ,x^{k\cdot 2^{m-1}}$ , spend$m$ times multiplication

3. Given a certain $k(2p-1)$ degree first polynomial, write it in the following form:
   $$\begin{array}{rl}& x^{k(2p-1)}+a_{k(2p-1)-1}{x}^{k(2p-1)-1}+\cdots +a_{1}x+a_0\\ =& (x^{k(p-1)}+a_{k(2p-1)-1}{x}^{k(2p-1)-1}+\cdots +a_{k(p-1)})x^{kp}\\ +& (a_{k(p-1)-1}{x}^{kp-1}+\cdots +a_{1}x+a_0)\end{array}$$

   Abbreviated as $p(x)=q(x)\cdot x^{kp}+r\left(x\right)$ , where$q\left(x\right)$ isthe degree$k(p-1)$ The leading polynomial,$r\left(x\right)$ is of degree at most$kp-$Polynomial of$1$$x^{kp}$ has been precalculated

4. Then calculate the division with remainder (note that this is different from $The\; value\; of\; x$ is irrelevant and can be pre-calculated)$r(x)-x^{k(p-1)}=c(x)\cdot q(x)+s\left(x\right)$ , where$The\; degree\; of\; c\left(x\right)$ is at most$k-1$，$The\; degree\; of\; s\left(x\right)$ is at most$k(p-1)-1$ , then it is written as
   $$p(x)=(x^{kp}+c(x))\cdot q(x)+(x^{k(p-1)}+s(x))$$

   Among them, $x^{k(p-1)}+s\left(x\right)$ is alsodegree$k(p-1)$ The leading polynomial of

5. For the above two $k(p-1)$ Recursive evaluation ofpolynomials of degree 1.The recursive formula of multiplicative complexity is$N\left(k\right(2p\_-1))=2N\left(k\right(p-1))+1$ , initial value$N(k)=0$ , therefore$N(n)=(n/k+1)/2-1\approx n/2k$ , select$k=\sqrt{n/2}$time optimization

For any $n$ , similar to Algorithm A for sharding, requiring additional$\log \sqrt{2n}$times multiplication.

Comparison algorithm based on interpolation

Comparison functions over finite fields

Generally, we use Boolean comparison circuits:
$$\begin{array}{rl}EQ(a,b)& :=\prod _{i=1}^l(a_i\oplus b_i\oplus 1)\\ LT(a,b)& :=\sum _{i=1}^l(a_i\oplus 1)\cdot b_i\prod _{j=i+1}^l(a_j\oplus b_j\oplus 1)\end{array}$$

[IZ21] proposed $GF(q),q=p^{}$Comparator circuit on${}^{d\; .}$Let$S\subseteq GF\left(q\right)$ is a subset of prime fields, in which the value range of polynomial coefficients is[ B ] = { 0 , 1 , ⋯ , B } [B]=\{0,1,\cdots,B\}[B]={ 0,1,⋯,B}。再令 $S^{\prime }=\{0,1,\cdots ,B^l-1\},l\le d$ is the value range of the integer, we write the integer as$B$ 进制形式 $a=a_l\cdots a_2{a}_1$, in which $a_i\in \left[B\right]$ is an integer. We define the following bijection:
$$\begin{array}{rl}i:S^{\prime }& \to S\\ \sum _{i=1}^l{a}_i{B}^{i-1}& \mapsto \sum _{i=1}^l{a}_i{x}^{i-1}\end{array}$$

According to this mapping, we can get from $a,b\in S^{The\; total\; order\; relationship\; of\; \prime }$ induces$i\left(a\right),i\left(b\right)\in S\subseteq The\; total\; ordering\; relationship\; of\; GF\left(q\right)$ . That is:based on the size relationship of integers, the size relationship of finite field elements is induced.

Given any two finite field elements $X,Y\in S$ , their size relationship constitutes afunction $L{T}_S(X,Y)$ . According tothe finite field interpolation theorem, for any multi-variable function, there is a unique multi-variablepolynomial, making the two have the same functionality.

The above $h:a\mapsto a^{q-1}$ isan indicator function. The order of the multiplicative cyclic group is$q-1$ , therefore$x\left(a\right)=1⟺a\ne 0$ . In fact, the equality circuit on the finite field is
$$E{Q}_S(X,Y):=1-x(X-Y)$$

According to lexicographic order, the integer can be further represented as " $S$ base", thereby realizingany large integer. Write the integer as$a=a_l\cdots a_2{a}_1$, in which $a_i\in S$ 是有限域元素。那么，
$$\begin{array}{rl}E{Q}_{S^l}(a,b)& :=\prod _{i=1}^{l}E{Q}_S(a_i,b_i)\\ L{T}_{S^l}(a,b)& :=\sum _{i=1}^{l}L{T}_S(a_i,b_i)\prod _{j=i+1}^{l}E{Q}_S(a_j,b_j)\end{array}$$

Next, let's take a look at how to implement the basic comparison function $L{T}_S(X,Y)$ . For simplicity, we consider the prime domain$S\subseteq$Comparison function on$GF$$($$p$$)\; .$For extended domain$GF(p^d)$, is a similar idea.

Two-variable polynomial interpolation

We let S = { 0 , 1 , ⋯ , p − 1 } S = \{0,1,\cdots,p-1\}S={ 0,1,⋯,p−1 } , then according to the total order relationship between integers, the followingdouble variable function:

According to the interpolation theorem, we can get a double variable polynomial :
$$P(X,Y):=\sum _{a=0}^{p-2}E{Q}_S(X,a)\sum _{b=a+1}^{p-1}E{Q}_S(Y,b)$$

[IZ21] Point out that the above polynomial can be reduced to the following form, and its total degree is $p$，

主要的计算开销是 ${\sum }_{ij}{a}_{ij}{X}^i{Y}^j={\sum }_i\left({\sum }_j{a}_{ij}{X}^i\right)Y^j$ , only requires$O\left(p\right)$ multiplications, the multiplication depth is$O(\log p)$

Single variable polynomial interpolation

We let S = { 0 , 1 , ⋯ , ( p − 1 ) / 2 } S=\{0,1,\cdots,(p-1)/2\}S={ 0,1,⋯,(p−1 ) /2 } , and divide the finite field into two parts
GF ( p ) + = S , GF ( p ) − = { − ( p − 1 ) / 2 , ⋯ , − 2 , − 1 } GF(p) ^+=S,\,\, GF(p)^-=\{-(p-1)/2,\cdots,-2,-1\}GF(p)+=S,GF(p)−={ −(p−1)/2,⋯,−2,−1}

According to the size relationship between integers, the function $X<Y⟺Z:=(X-Y)\in GF(p{)}^{-}$

According to the interpolation theorem, we can get a single variable polynomial :
$$Q(X,Y):=\sum _{a=-(p-1)/2}^{-1}E{Q}_s(Z,a)$$

[IZ21] pointed out that the above polynomial can be reduced to the following form,

Attention ${\sum }_i{c}_i(X-Y{)}^{}$The powers of${}^i$$Zg(Z^2)$form, where$g\left(x\right)$ is the degree$(p-3)$ Single variable polynomial of$/2\; .$According to Horber's rule, we usethe Paterson-Stockmeyer algorithmto calculate polynomial evaluation, which only requires$O(\sqrt{p/2})$ is the number of multiplications.

However, it should be noted that the single variable interpolation S = { 0 , 1 , ⋯ , ( p − 1 ) / 2 } S=\{0,1,\cdots,(p-1)/2\}S={ 0,1,⋯,(p−1 ) /2 } than double variable interpolationS = { 0 , 1 , ⋯ , p − 1 } S=\{0,1,\cdots,p-1\}S={ 0,1,⋯,p−The range of 1 } is half smaller, so for$l$ bit$S$ base number, indicating that the range is reduced to$1/2^l$ , had to extend$l$ 到 $\frac{l\cdot \log p}{\log p-1}$to ensure the same representation range.

other apps

实现最大值、最小值，
$$\begin{array}{rl}\min (X,Y)& =X\cdot LT(X,Y)+Y\cdot (1-LT(X,Y))\\ & =Y+(X-Y)\cdot LT(X,Y)\\ & =Y+Z\cdot Q(X,Y)\\ & =\frac{p+1}{2}(X+Y)+g^{\prime }(Z^2),\\ \max (X,Y)& =Y\cdot LT(X,Y)+X\cdot (1-LT(X,Y))\\ & =X+(Y-X)\cdot LT(X,Y)\\ & =X-Z\cdot Q(X,Y)\\ & =\frac{p+1}{2}(X+Y)-g^{\prime }(Z^2)\end{array}$$

where $g^{\prime }\left(x\right)$is the degree$(p-1)/2$ single variable polynomial, using [PS73] only requires$O(\sqrt{p/2})$ times multiplication.

Implement the ReLU function,
$$ReLU\left(X\right):=\max (X,0)=\frac{p+1}{2}X-g^{\prime }(X^2)$$

Depth-optimal equality circuit in finite fields

[KLLW16] took advantage of the fact that the Frobenius map in the extended domain does not require multiplication operations in the homomorphism , and implemented a multiplication depth-optimized discriminant circuit in the extended domain.

As mentioned above, let $h:a\mapsto a^{p^l-1}$is an indicator function, then the finite field$GF(p^{}$The equality circuit on${}^l$$)$
$$EQ(X,Y):=1-x(X-Y)$$

Then use binary tree multiplication directly, the depth is $\lceil l\cdot \log p\rceil$ . For the extended domain GF ( 2 l ) GF(2^l)of the binary domain$GF(2^l)$, **depth is$l$ , **This is too high.

However, we calculate $m^e\in GF(p^l)$, possible,
$$m^e=m^{{\sum }_{i=0}^n{e}_i{p}^i}=\prod _{i=0}^n(m^{p^i}{)}^{e_i}$$

where $m^{p^i}$ is the extended domain$GF(p^{Frobenius\; maps\; on\; l})/GF\left(p\right)$GF ( pl ) GF(p^l)for FHE ciphertext$GF\left(p^l\right)$上的$GF\left(p\right)$ - domain automorphism$\sigma \left(x\right):=x^p$ ,index
$$\sigma (ct)=\left(\sigma \right(a)\; ),\sigma \left(a\right)\sigma \left(s\right)+D\cdot m^p+s(e))\in {\left(GF(p^d)\right)}^2$$

Then switch the secret key back to $s\in GF(p^l)$is the private key. The above process is depth-free (no homomorphic multiplication is required), so each$m^{p^{The\; multiplication\; depth\; of\; i}}$ is zero. Therefore, the above$m^{In\; the\; calculation\; of\; e,}$ only${\sum }_{i=0}^n{e}_i$The continuous product of terms, the multiplication depth is $\lceil \log {\sum }_{i=0}^n{e}_i\rceil$

For χ ( X − Y ) \chi(XY) in the discriminant circuit$x(X-Y)$ ,Let
$$\begin{array}{rl}e& =p^l-1\\ & =(p-1)p^{l-1}+\cdots +(p-1)p+(p-1)\\ & =(p-1)(p^{l-1}+\cdots +p+1)\end{array}$$

Therefore, calculate Z first $Z:=(X-Y{)}^{p-1}$，再计算 $Z^{p^i},i=1,\cdots ,l-1$ , then calculation$x(X-Y)={\prod }_{i=0}^{l-1}{Z}^{p^i}$ , the depth is$\lceil \log (p-1)\rceil +\lceil \log l\rceil$ . For the extended domain GF ( 2 l ) GF(2^l)of the binary domain$GF(2^l)$,the depth is only$\lceil \log l\rceil$。

Of course, for { 0 , 1 } l \{0,1\}^l{ 0,1}l data, Boolean circuit respectively in$GF\left(2\right)$ is equal to the upper judgment, and then the Boolean result is multiplied. Its depth is also$\lceil \log l\rceil$ . However, in some applications (not just equality circuits), using Boolean circuits is not appropriate.