Baby-Step Giant-Step & Homomorphic DFT

references:

1. [CT65] Cooley J W, Tukey J W. An algorithm for the machine calculation of complex Fourier series[J]. Mathematics of computation, 1965, 19(90): 297-301.
2. [Shoup95] Shoup V. A new polynomial factorization algorithm and its implementation[J]. Journal of Symbolic Computation, 1995, 20(4): 363-397.
3. [HS14] Halevi S, Shoup V. Algorithms in helib[C]//Advances in Cryptology–CRYPTO 2014: 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I 34. Springer Berlin Heidelberg, 2014: 554-571.
4. [CHKKS18] Cheon J H, Han K, Kim A, et al. Bootstrapping for approximate homomorphic encryption[C]//Advances in Cryptology–EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29-May 3, 2018 Proceedings, Part I 37. Springer International Publishing, 2018: 360-384.
5. [CHH18] Cheon J H, Han K, Hhan M. Faster homomorphic discrete fourier transforms and improved fhe bootstrapping[J]. Cryptology ePrint Archive, 2018.
6. [HHC19] Han K, Hhan M, Cheon J H. Improved homomorphic discrete fourier transforms and fhe bootstrapping[J]. IEEE Access, 2019, 7: 57361-57370.
7. Nussbaumer Transform 以及 Amortized FHEW bootstrapping
8. Chimera: Hybrid RLWE-FHE scheme
9. Quick Multiplication Techniques: Karatsuba, Toom, Good, Schonhage, Strassen, Nussbaumer
10. Paterson-Stockmeyer polynomial evaluation algorithm

Baby-Step Giant-Step

Shop95

The article [Shoup95] studies and implements the BSGS factoring method for decomposing univariate polynomials into irreducible factors. CRT and FFT are used to represent polynomials (earlier than Doube-CRT of GHS12), and fast multiplication, division, inverse, square, GCD and other operations of polynomials are implemented.

Polynomial decomposition can be divided into three steps,

1. square-free factorization：Shoda-style decomposition $f={\prod }_i{f}_i$, inside $f_i$is square free
2. distinct-degree factorization: Decompose the square free polynomial into$f_i={\prod }_j{f}_{i,j}$, inside $f_{i,j}$ is some degree $Product\; of\; irreducible\; factors\; of\; j$
3. equal-degree factorization: The irreducible factors are square free polynomials of the same degree$f_{i,j}$, decomposed into these irreducible polynomials

The main steps are concentrated in step 2, [Shoup95] observed the fact: for any non-negative integer$a,b\in {WITH}^{+}$，多项式 $h_{a,b}(x)=x^{p^a}-x^{p^b}\in GF\left(p\right)\left[x\right]$ possessive fullness $\mathrm{ofg}f|(a-b)$ impossible multi-format $f$ cause expression.

for $\mathrm{ofg}f\le The\; square\; free\; polynomial\; of\; n$ has its true factor degree not exceeding $n/2$, inequality $f_d,1\le d\le n$ is the whole thing $The\; product\; of\; d$ times irreducible factors. We can enumerate all $1\le a-b\le n$，计算出 $h_{a,b}\left(x\right)$，再设计 $\gcd (h_{a,b},f)$ $f_d$

[Shoup95] Use BSGS Calculation from calculation $h_{a,b}$, set the upper bound on the degree of the true factors $B$，将它分为 $B=l\cdot m$，Baby-Step 就是 { i : 1 ≤ i ≤ l } \{i:1 \le i \le l\} { i:1≤i≤l},Giant-Step Step { l ⋅ j : 1 ≤ j ≤ m } \{l \cdot j:1 \le j \le m\} { l⋅j:1≤j≤m}，

However, if we simply calculate directly $h_i,H_j$, the above algorithm is still impractical. [Shoup95] Compute them iteratively: $h_{i+1}=h_i(h_1)(\mathrm{mod}f)$，$H_{j+1}=H_j(H_1)\left(modf\right)$, the question now is how to quickly calculate thesemodular-composition, in the form $g(h)(modf)$

[Shoup95] still adopts the BSGS algorithm (similar to the [PS73] polynomial evaluation algorithm) and selects parameters$t\approx \sqrt{n}$,Definition $h^i(modf),0\le i\le t$ 表格，那么：
$$g(x)=\sum _{j=0}^{n/t}{g}_j(x)\cdot {and}^j,and=x^t,\mathrm{ofg}{g}_j<t$$
Therefore, directly use the contents of the precalculation table to simply calculate addition (and multiplication),
$$g_j(h)=\sum _{i=0}^t{g}_{j,i}\cdot h^i(modf)$$
接着，采取 Horner 法则，计算出
$$g(x)=((g_{n/t}\cdot h^t+\cdots )\cdot h^t+g_1)\cdot h^t+g_0$$
The polynomial operations are all calculated in Double-CRT mode, and the total complexity is $O(n^{2.5}+n\log n\log \log n\log p)$

CT65

[CT65] gives a recursive form of DFT decomposition, which can actually be regarded as a BSGS version of the FFT algorithm. The DFT formula is:
$$A_j:=\sum _{k=0}^{N-1}{a}_k\cdot g^{jk}$$
adopts the BSGS algorithm and is decomposed into $N=N_1\cdot N_2$，设置索引
$$\begin{array}{rl}j& :=N_1\cdot j_1+j_0,j_0\in [N_1],j_1\in [N_2]\\ k& :=N_2\cdot k_1+k_0,k_0\in \left[N_2\right],k_1\in [N_1]\end{array}$$
Free
$$\begin{array}{rl}{A}_{j_1,j_0}& :=\sum _{k_0\in [N_2]}\sum _{k_1\in \left[N_1\right]}{a}_{k_1,k_0}\cdot g^{jk}\\ & =\sum _{k_0\in \left[N_2\right]}\left(\sum _{k_1\in \left[N_1\right]}{a}_{k_1,k_0}\cdot g^{N_{2}j{k}_1}\right)\cdot g^{j{k}_0}\\ & =\sum _{k_0\in \left[N_2\right]}\left(\sum _{k_1\in \left[N_1\right]}{a}_{k_1,k_0}\cdot g^{N_{2}j{k}_1}\right)\cdot g^{j_0{k}_0}\cdot g^{N_1{j}_1{k}_0}\end{array}$$
You are, general $a_N$ is arranged in the shape of row major order$N_1\times N_2$ 目次阵 $a_{N_1\times N_2}$，

1. For each $k_0$, Usage shape $N_1\times N_1$的matrix
   W 1 := { ζ j 0 k 1 } j 0 , k 1 W_1:=\{\zeta^{j_0k_1}\}_{j_0,k_1 } IN1​:={ ζj0​k1​}j0​,k1​​
   The calculated length is $N_1$Each partArrow arrow $a_{k_0}$ 目 NTT 变卢（单位底为 { ζ N 1 j 0 , j 0 ∈ [ N 1 ] } \{\zeta_{N_1}^{j_0},j_0 \in [N_1]\} { ζN1​j0​​,j0​∈[N1​]}), achieved shape $N_1\times N_2$ 的矩阵
   $${IN}_1\times a_{N_1\times N_2}={\left\{A_{j_0,k_0}^{\prime }:=\sum _{k_1\in [N_1]}{a}_{k_1,k_0}\cdot g^{N_{2}j{k}_1}\right\}}_{j_0,k_0}$$

2. Used shape $N_1\times N_2$的matrix
   W 2 := { ζ j 0 k 0 } j 0 , k 0 W_2 := \{\zeta^{j_0k_0}\}_{j_0,k_0 } IN2​:={ ζj0​k0​}j0​,k0​​
   $A^{\prime }$ makes the next operation a standard NTT (otherwise the unit root used in the subsequent NTT needs to be properly distorted), and the result at this time is the shape $N_1\times N_2$ 的矩阵
   $${IN}_2\odot A_{N_1\times N_2}^{\prime }={\left\{A_{j_0,k_0}^{\prime \prime }:=g^{j_0{k}_0}\cdot \sum _{k_1\in \left[N_1\right]}{a}_{k_1,k_0}\cdot g^{N_{2}j{k}_1}\right\}}_{j_0,k_0}$$

3. Each piece $j_1$, Usage shape $N_2\times N_2$ Definition
   $${IN}_3:=\{{\zeta }_{N_2}^{j_1{k}_0}{\}}_{j_1,k_0}$$
   The calculated length is $N_2$ each partline arrow $A_{j_0}^{\prime \prime }$ 目 NTT 变卢（单位底为 { ζ N 2 j 1 , j 1 ∈ [ N 2 ] } \{\zeta_{N_2}^{j_1},j_1 \in [N_2]\} { ζN2​j1​​,j1​∈[N2​]}), achieved shape $N_2\times N_1$ 的矩阵
   W 3 × ( A N 1 × N 2 ′ ′ ) T = { A j 1 , j 0 } j 1 , j 0 W_3 \times (A_{N_1 \times N_2}'')^T = \{A_{j_1,j_0}\}_{j_1,j_0} IN3​×(AN1​×N2​′′​)T={ Aj1​,j0​​}j1​,j0​​

Shape $N_2\times N_1$ 目次阵 $A_{N_2\times N_1}$，按懇读取为读取为 $A_N=NTT(a_N)$

总之，$a_N,A_N$ are all arranged into matrices in row major order (different shapes), then there are:
$$A_{N_2\times N_1}={IN}_3\times (W_2\odot (W_1\times a_{N_1\times N_2}){)}^T$$
In fact, this process can be expressed by the ring homomorphism of Nussbaumer Transform
$$\mathbb{F}[x]/(x^N-1)\cong (\mathbb{F}[y]/(y^{N_1}-1))[x]/(x^{N_2}-y)\cong \left(F\right[y]/(y^{N_1}-1))[z]/(z^{N_2}-1)$$

CHKKS18

The earliest [HS14] proposed the diagonal algorithm for matrix-vector multiplication: using SIMD technologyHadamard andRotate operations realize homomorphic linear operations. [CHKKS18] adopted the BSGS trick to calculate them. Our default index is automatic ( m o d n ) \pmod n $(\mathrm{mod}n)$, basic code:

• For any linear transformation $M\in {\mathbb{C}}^{n\times n}$，简记 $dia{g}_i(M)=[M_{0,i},M_{1,i+1},\cdots ,M_{n,i+n}]$ 是第 $i\in Z$ diagonals (can be negative − i -i $n-i$ 行对angled线）
• For any vector $in\in C^n$，简记 $ro{t}_i(v)=[v_i,{in}_{i+1},\cdots ,{in}_{i+n-1}$$i\in Z$ Distance (possible is the number of losses $-i$, circular right shift $i$ distance)

Use BSGS algorithm to decompose $n=l\times k$, the linear transformation can be expressed as:

Select during optimization $k\approx \sqrt{n}$，Calculation rate：$O(\sqrt{n})$ Next Rotate calculation (关于 $v$'s secret sentence), $O\left(n\right)$ Next Hadamard calculation. Fixed square screen in the public domain $M$, inside $ro{t}_{-off}(dia{g}_{ki+j}(M))$ is a precomputed constant polynomial (encoded with InvDFT) that does not The Rotate operation under CKKS ciphertext is required.

[CHKKS18] Convert the above linear transformation to homomorphic calculation under slot-packing CKKS and use it to implement coeff-to-slot to batch CKKS bootstrapping. The linear transformations used are DFT and InvDFT, [CHKKS18] treats them as general linear transformations and uses this homomorphic matrix multiplication to implement.

However, for public linear transformations, it is much more efficient to directly use the Functional Key-Switch proposed by TFHE. For the secret linear transformation, TFHE also proposed according to $M$ to construct KS-Key for M to support Private Functional Key-Switch. But if this special KS-Key for M is not provided, instead $M$ is encrypted into a general CKKS ciphertext, then you can only use the above homomorphic matrix multiplication and slowly calculate using Rotate and Hadamard.

Faster Homomorphic DFT

[CHH18] observed that the DFT matrix hassparse decomposition (that is, the butterfly algorithm), so for this special linear transformation, we can Compared with the general matrix multiplication of [CHKKS18], the complexity is reduced by one$n$ factor. It can be applied to the CKKS batch bootstrapping of [CHKKS18], increasing the computational speed by hundreds of times. The content of [HHC19] (published in IEEE Access) is basically the content of [CHH18] (hanging on eprint), just with a different name.

Sparse-Diagonal matrix Factorization

[CHH18] It is said that according to the recursive FFT of [CT65], the DFT matrix can be sparsely decomposed as follows:

Continuing to decompose the former iteratively, we can finally obtain:

Easy to find, d i a g i ( D 2 i ( n ) ) ≠ 0 ⃗ ⟺ k ∈ { 0 , ± n 2 i } diag_i(D_{2^i}^ {(n)}) \neq \vec 0 \iff k\in \{0,\pm \dfrac{n}{2^i}\} diagi​(D2i(n)​)=0 ⟺k∈{ 0,±2in​}, only 3 diagonals are non-zero, so it is very efficient to calculate by slope multiplication,
D 2 i ( n ) ⋅ v = ∑ k ∈ { 0 , ± n / 2 i } d i a g k ( D 2 i ( n ) ) ⊙ r o t k ( v ) D_{2^i}^{(n)} \cdot v = \sum_ {k\in \{0,\pm n/2^i\}} diag_k(D_{2^i}^{(n)}) \odot rot_{k}(v) D2i(n)​⋅in=k∈{ 0,±n/2i}∑​diagk​(D2i(n)​)⊙rotk​(v)
Arithmetic:

Attention $ro{t}_0(v)=v$ Unnecessary calculation, special circumstances $i=1$ 根据 $ro{t}_{n/2^i}\left(v\right)=ro{t}_{-n/2^i}\left(v\right)$ Possible calculation. Finally,$DFT\cdot in={\prod }_{i=0}^{{\log }_{2}n}{D}_{2^i}^{\left(n\right)}\cdot v$ 目复杂率为 $O({\log }_{2}n)$

For the inverse transform, since the inverse matrix of the DFT is exactly its Hermitian,

It is therefore clear that the CT butterfly, like the GS butterfly above, is also sparsely diagonal, and thus similarly fast matrix multiplications exist.

Radix-r

However, although the number of operations mentioned above is very small, the calculation depth is ${\log }_2\left(n\right)$ requires multi-layer Rotate and CMult serialization, which may cause noise control problems. question. We can merge certain consecutive $k$ matrices, then the depth is reduced to ${\log }_{r}n,r=2^k$, the price is the increase in computational complexity.

According to the multiplication property of diagonal matrices: the product of two diagonal matrices is still a diagonal matrix,
$$dia{g}_i(a)\cdot dia{g}_j(b)=dia{g}_{i+j}(a\odot ro{t}_i(b))$$
可以证明，连续 $Merge\; of\; k$ matrices
$$D_{k,s}=D_{2^{s+k}}^{(n)}\cdots D_{2^{s+2}}^{\left(n\right)}\cdot D_{2^{s+1}}^{\left(n\right)}$$
The index of the non-zero diagonal of is
$${It\; is}_1\cdot \frac{n}{2^{s+1}}+{It\; is}_2\cdot \frac{n}{2^{s+2}}+\cdots +{It\; is}_t\cdot \frac{n}{2^{s+k}}$$
Inside e i ∈ { 0 , ± 1 } e_i \in \{0,\pm1\} It isi​∈{ 0,±1}，easy to know index capital city $\frac{n}{2^{s+k}}$Multiples of , the upper bound of the absolute value is$\frac{(2^k-1)n}{2^{s+k}}$, the number of these indexes is at most $2^{k+1}-1$

The complexity of DFT at this time is:$O(r{\log }_{r}n)$ Next Rotate sum Hadamard, depth $O({\log }_{r}n)$

Hybrid method

Since the non-zero index of the above decomposition presents an arithmetic series (both$\frac{n}{2^{s+k}}$multiples), so BSGS techniques can be used to extract the common calculation part to further improve calculation efficiency.

Optimization setting $k_2\approx \sqrt{t}$, the complexity of DFT at this time is: still $O\left(r{\log }_{r}n\right)$ Next Hadamard, but it's just demand $O(\sqrt{r}{\log }_{r}n)$ Next Ratate(However $r$ is a constant), the depth is also $O\left({\log }_{r}n\right)$

Result

Execution time of homomorphic DFT: On the order of seconds

CKKS bootstrapping time: 2 minutes delay, amortized at 4 milliseconds