Session Chairs: Benjamin Fuller & Atsuko Miyaji
Balanced Non-Adjacent Forms
Marc Joye
Speaker(s): Marc Joye
Efficient Boolean Search over Encrypted Data with Reduced Leakage
Sarvar Patel Giuseppe Persiano Joon Young Seo Kevin Yeo
Speaker(s): Joon Young Seo
Revisiting Homomorphic Encryption Schemes for Finite Fields
Andrey Kim Yuriy Polyakov Vincent Zucca
Speaker(s): Vincent Zucca
Transciphering Framework for Approximate Homomorphic Encryption
Jihoon Cho Jincheol Ha Seongkwang Kim Byeonghak Lee Joohee Lee Jooyoung Lee Dukjae Moon Hyojin Yoon
Speaker(s): Seongkwang Kim
Improved Programmable Bootstrapping with Larger Precision and Efficient Arithmetic Circuits for TFHE
Ilaria Chillotti Damien Ligier Jean-Baptiste Orfila Samuel Tap
Speaker(s): Samuel Tap
So thank you for starting recording so Oops you’ve muted yourself thank you so now we would like to start normal encryption and encrypted search session the first speaker is mark joy the title is balance no adojence forms so could you start please mark so thank you etsuko every season on your side yes that’s good can you see my legs
Yes yes okay perfect um so this session is on part of it at least it’s on philomorphic encryption and sometimes sociomorphic encryption is called the holy grail of crypto and indeed that’s a beautiful technology um and for example it could be a solution to address data breaches
And what is nice with fhe sociomorphic encryption is that data is end to end encrypted so that is encrypted at rest during transit and even during its processing so unlike traditional cryptography so there is no need to decrypt to process the data now if you want to implement fhe
So one of the main challenge is the noise so today all the construction we know for photomorphic encryption produced noisy ciphertext and when you play with those ciphertext so when you work over encrypted data so the noise tent tends to increase and if the noise exceeds a given threshold so it might be
The case that the ciphertext cannot longer be decrypted and so what i’d like to do in this talk is to find a way to better control the noise and let’s first take a look at one example so assume that you have some private data x and you’d like to compute k times x
So the basic approach so the most natural one we did first to get the encryption of x then you multiply by k and of course you get the encryption of k times x but there’s another way to do it so something else you could do instead
Would be to first decompose k so in some radix b then you obtain the encryption of b to the i times x then you take a linear combination of all the ciphertext and again so it’s easy to see that you’ll get the encryption of k times x
So what’s the advantage of the signal approach over the first one so remember that’s what we’d like to address is the noise issue so if we look at the nose variance in the first case so we see that that variance is proportional to the square of k in the second case
So you can see that the noise variance is now proportional to the sum of the square of the digit of k and you see that that second bond is slower than the first one so that one is better and what i’d like to do is to find the best possible decomposition
So the problem is the following one so we are given some integer k somewhat b and you’d like to find the best possible decomposition so that is written like this such that the square the sum of the square of the digit so this is called the euclidean weight is minimum and
There are already some decomposition that we know so for example so when b is equal to two so there is one that is pretty well known which is the nav so the non-adjacent form and for that form so we know that the number of non-zero digits is minimum so the
Number of one and minus one is minimal in that form so in the naf and because of that so i mean it’s easy to see that that one will uh minimize euclidean weight another case that is not too difficult to deal with is when the radix is odd so when b is r
So what you can always do for a node radix b you can always decompose an integer using digit in the set minus b minus 1 over 2 up to b minus 1 over 2. so the form you get is unique and it can be shown that actually so it also minimize the
Euclidean weight so the difficult case is when uh you have an even radix b that is larger than two but in that case there is a very simple but useful observation is that when you have some decomposition so like this one so something you can always do of course you can flip
The sign of one digit so this one and what you have to do is just to propagate the sign to the side to the to the next digit and that give you another representation that is valid so you may need to propagate again and again and again
But at the end so you get a valid representation of your uh integer k so let’s take an example so assume for example that’s radix b is equal to 4 so 2 2 is a valid representation for 10 what you could do so you could flip the digits so you get
1 minus two two which is another value representation for ten in red x4 you can also flip the digits and you end up with minus two minus one and one and this is the minimal form so you cannot do better and so intuition tells you that well uh
It seems that what we have to do is when we have a two followed by a minus two then we flip so we flip that that tube and the same so if you have a two followed by another two and actually so this is essentially what we
Do to get uh the optimal form and so i just show you the algorithm here it is so as an input you take an integer k and as an output so you get that optimal form so i call it the binauf the digits are in that range so
Between minus b over two up to b over two and this is right it’s called balanced um so what is the domain the main step in that recording is this one so there is that if branching here with two conditions so this one and this one
And in if one of those two condition is satisfied then you have to flip you just flip the digit value so some special cases when b is r so it simplifies to just one condition and actually so this is just the usual balanced form so using that set of digits
And that one is known to be unique when we have b equal to 2 so it’s not too difficult to see that this is another way to get enough so the regular one and so i mean that’s not a surprise and so the the difficult case so when b
Is even and larger than two so we need to check those two condition and this is the general algorithm to get the binaura recording so it’s called binauf because it’s enough when b is equal to 2 and balanced because the set of digi that is used is balanced okay
Um so the main results uh so first we showed that binauf is unique and more importantly so we showed that the equidant weight of binauf is minimal so you cannot do better so in the paper so we also analyze the digit distribution and that allows us to compute the expectation and the variance
And what is nice is that the expectation is zero so the distribution is centered i mean which is also a useful property so to sum up so i did present a new form to decompose an integer so you can do exactly the same using modular integer so that’s in the paper
We show that snap always exists and is unique it’s optimal so meaning that the euclidean weight is minimal we analyze the dg distribution and also in the paper so you can’t find uh several cryptographic applications and mostly for uh foreign morphic encryption thank you very much
Thank you mark do we have any questions from the audience if not i’ll i’ll ah so you’re you analyzed oh sorry one one audience has hangings okay just you you analyze this for a particular radix can you give some intuition for why different radixes come up in practice in in fhe evaluation
So typically so you use a power of two because that’s more convenient and uh i mean this is mostly used in what is known as the gadget decomposition and so the size of b i mean um tells you uh i’m going to give you exactly the decomposition so i mean it’s always a
Trade-off um so i mean a smaller b i mean will increase the size of the encryption but uh give you a more fine control of the noise while a larger value for b i mean instead the opposite effect i mean that’s also using the gsw cryptosystem so i mean this is a
Well-known trick to to manage the noise okay um great uh thank you very much mark there’s no more questions we’ll move to the next speaker which gets all introduced so the this talk is going to be given by uh jun young the title of the talk is efficient boolean
Search over encrypted data with reduced leakage and can you go ahead and uh share your screen uh can everyone see my screen or not yet oh it’s not shared right oh sorry oh can you see my screen yep that looks great okay so um yeah hi uh my name is uh jin
Yang and i’m here to present our work titled the efficient boolean search over increment data with reduced leakage so um there has been extensive studies on encrypted search and many different approaches have been proposed with different trade-offs and in our work specifically we focus on structured encryption which considers a more
Relaxed privacy requirement with the hope of achieving small overhead necessary for practical applications a little bit of a preliminaries a multi-map data structure maintains a set of labels to uh value two low pairs and the multiple data structure supports a query operation that receives a label and returns a value tuple associated
With the given label and um you’ll consider the extended boolean multi-map that enables more complex query operations beyond simply just retrieving value tuples associated with a single label and essentially a boolean multi-map is associated with the supported class of boolean formula query over labels and in our work we specifically focus on
Conjunctive queries and the cnf formulae and finally encrypted buoy multi-map is just a structured encryption for uh boolean multimaps our work is largely influenced by the following three papers and especially and we’ll especially reference the biex scheme presented in km17 throughout our work so um we present new encrypted boolean
Multi-maps which are adaptably secure non-interactive have similar or better efficiency and have reduced leakage compared to prior works in particular we obtain new constructions for handling conjunctions and cnf queries with reduced leakage and has have a optimal communication complexity and furthermore our scheme only uses a symmetric key parameters and ends up being
Quite practical uh we start by presenting the approach to handling conjunctive queries using previous works such as km17 so consider the conjunctive query l1 and l2 and all the way up to lq the main idea of bix is to decompose the query into q minus one two conjunctions where each is computed independently
Such that the resulting response sets are all pr evaluations under the key solely depending on the first label l1 and essentially the server can retrieve mm of l1 and l2 mm l1 and l3 etc independently and compute the intersection of all q minus 1 sets and return the response to the client
However there are several drawbacks to using this approach first the scheme leaks the volumes of the q minus one two conjunctions so the server can learn volumes of more complex queries and secondly the server must perform competition computation on the order of the sum of the size of the response sets
From the two conjunctions which seems quite wasteful as the response sets of mm of l1 and l2 is already a superset of the final response and um to address these drawbacks uh we present the new filtering algorithm which is going to be the core of our um paper
Which will be utilized by our by our construction and the conch filter the main idea is to only retrieve mm of l1 and l2 and do the filtering on this set instead of retrieving all of mm of l1 and l3 and on mml and l4 and so on like it does in km17
To do this we maintain an additional data structure that allows the server to check whether a value v and mm of l1 and l2 belongs to mm of like l1 and l3 mml and l4 and so on directly without having to retrieve them retrieve them and this data structure is constructed
In such a way that the leakage is significantly reduced and at a high level um this data structure is just a set of double prf evaluations of the values stored in the encrypted multi-maps and one can check for the membership by simply applying a prf in the response
Set and then checking whether this uh resulting evaluation is in this set and then do the filtering on the response Um and it turns out our conch filter scheme has smaller query leakage and with the setup leakage being identical to bix and km17 and it also turns out that the storage and the token size also turns out to be identical to km17 and um so our we also present um
The cnn filter which handles our cnf queries um and um using a clever reformulation of the given clf formula and using our filtering algorithm again we can actually construct the new um cnf scheme cnn filter which has a small leakage and better computation cost compared to um bix
Um so it’s a bit lengthy to go into details on this here but please see the full paper for anyone interested um so this table shows micro benchmarks for the search time of the rcn filter and the bix on randomly chosen queries and we actually see that our cn filter
Scheme outperforms biex in all scenarios and in some cases as much as a 20x faster and the both line charts show search token sizes of the cn filter and the biex and we see that in practice our token size of the sand filter is almost twice as small as that of the iex
And lastly um this table shows storage instead of time of stamp filter and diex since cn filter maintains an additional data structure we observe that the source size and set of time are generally larger for cn filter but we see that the storage size is only
20 to 25 larger and we believe that the extra set up time is a reasonable um trade-off given the leakage communication and the service computation improvements that our scheme provides and that is it great thank you once again um any questions from the audience so just while while we’re waiting
Um can you give some intuition on why you couldn’t so you’re essentially except for the first leaking triples of volumes why you couldn’t extend this to any like constant number of of operands or literals um constants so like why couldn’t could you put three conjunctions in the outer prf evaluation
What keeps you from being able to do that so that would actually increase the storage size to i guess like so right now the storage size is all quadratic like in a bi ex but if we um make a triple then that would actually make the storage size um
Like yeah to the power of three so um that essentially is a reason why we uh had to um keep it as only a double prf so this would keep the storage size asymptotically the same as the encrypted multimap how it’s constructed yeah all right great thank you very much uh junior
And vincent can you share with your phone great so the the third speaker of this session is going to be vincent suka who’s going to be talking about revisiting homomorphic encryption schemes for finite fields can you hear me uh vincent your microphone appears oh actually i’m sorry keep talking
Yeah can you hear me yes i’m so sorry that was that was my fault please continue okay so before diving uh into the subject i will quickly remind some basics about homomorphic encryption even though mark already did it so essentially homomorphic encryption allows users to perform computation
Directly over encrypted data and in a nutshell this means that if you have two encrypted messages you can compute an encryption of their sum or their product without having access to the decryption key now the problematic thing with automotive encryption is that each ciphertext carries some noise which
Grows as computations are performed and we can only decrypt a message if the noise is not too large so this means essentially that ciphertext have a computational budget and the most expensive operation in terms of both computational complexity and noise introduced is usually thermometric multiplication and the way of handling this noise
Growth depends essentially on the scheme you consider and in this work we focused on optimizing this operation and for the bgv and bfv scheme so in bgv and bfv the ciphertexts are represented modulo in integer q and in bjb the message is encrypted into the list significant digits of a
Ciphertext while the noise is scaled by some parameter t to lie into the most significant digit as long as the noise is small enough the product of two cypher text will not overwrap modulo q and thus we can compute it directly modulo queue but because the noise grows
Quadratically you see on the picture that i won’t be able to perform another multiplication after this one if i wanted to so the idea of the scheme is to handle this quadratic noise growth is to scale the ciphertext down by some factor before the next multiplication in such a
Way that the noise will also be scaled down to a minimum level that is equivalent to removing the red part of the noise on my picture so that after this i will be able to perform another multiplication and it is therefore crucial to have a precise estimate of the size of the
Noise carried by your cycle text to scale it down appropriately if the noise is underestimated then it won’t be reduced enough and if it’s overestimated then we will lose some computational budget uselessly in the bfv encryption scheme at the opposite it’s a message that is scaled up to be encoded into the most
Significant digit and because of this when we perform a multiplication the product of the two cipher text will necessarily overwrap modulo q and if the cipher text if the project over rock modulo q then we lose the product of the two messages so to prevent this we need to add another
Temporarily modulus p to perform the multiplication and prevent the product of overwrapping the downside of this approach is that the multiplication has to be performed modulo pq and is less efficient than for bgv and then to get back a cypher text representing modulo q we basically scale the ciphertext down you and
Like in bgv the noise this will scale the noise down and similarly and since we have to perform this scaling automatic um after each multiplication the noise is also scaled automatically and we don’t need to have any dynamic noise estimation in the ciphertext so in theory bgv and bfv are equivalent and
We can even convert ciphertext from one scheme to the other however in practice bgv is faster while bfe is simpler to use since it does not require to handle the noise growth dynamically it was also noticed recently then by kostas lane and player that when the
Plaintext modulus t is large vfe has a more important noise growth than bgv in this work we’ve focused on reducing the gap in practice between the two schemes uh first we modified the bfv encoding which was responsible of the noise growth observed by kostas lane and player in such a way that
Now both schemes have essentially the same noise balance second we modified behavior memory multiplication in order to reduce the size of the second integer p which improves the computational complexity of the procedure and to improve it further we also propose a level variant of bfv multiplication in which the product is
Performed internally modulo p prime q prime which is smaller than pq and the last contribution was to propose the static sort of static variant of bgv where everything is set up at key generation and we don’t need any dynamic noise estimation we also proposed some other optimization
For bfv and in particular we improved the rns decryption procedure of levy poliakoff and ship removing the constraint on the module on the size of the modularity so overall if you look at the performance of the different scheme we studied you notice that the our new variant of bgv the blue line is
Faster than the original bfe the purple one and the level variant of bfv the red line mimic the behavior of bgv the most surprising point on this graphics is that our variance of bgv appears to be smaller at least for small moduli than at the first level than bfe
This is actually a side effect of our implementation since every modular well when the size of the modular in bgv depends on the plaintext modulus so when the plaintext modulus is small you have small moduli and you can have more of them so when the plaintext modulus is small
We have a lot of moduli and since each moduli is represented on a different machine world and the experiments were run in a single thread spreading mode we have to compute a lot of entities uh sequentially so that’s why we have this gap of performance between the two
Schemes but this can be easily overcome if you choose to trunk the small moduli together on the same machine well well that’s essentially everything i wanted to say so thank you for your attention and i will be happy to answer your question if you have some thank you so
Is there any question or comment from audience okay so i have a question so it is very nice result so i want to know the difference so now you show the result in the case of t equal to and t equal to 360 n plus one
So is there any you know good key that output good result well the proper regarding the performance the shape of tea does not impact uh well the shape of it does not impact the performance it it may impact the way you encode the message but the procedure itself will
Only be impacted for bgp by the size of t and not by its shape so for the performance there is no particular t that well not a particular shape of t that could be could result in better performances okay thank you so is any other question
Okay thank you again and let’s move to the next talk uh can you see the slides yep okay i’ll start hi my name is seongwang kim today i present trend ciphering framework for approximate homomorphic encryption this is a joint work with jihoon jinter hyung chewie now let’s begin from morph encryption
Morph encryption is an encryption scheme that enables addition and multiplication over encrypted data someone might think about partially homomorphic encryption but when we say he in this presentation it supports both addition and multiplication there are well-known examples of he fe schemes in the previous slides for modular ring and skks for complex reading
Recent homomorphic encryption schemes have two demerits slow encryption speed and large ciphertext expansion as you can see in this table encryption speed and ciphertex expansion might be quite an overload to resolve the merits of hc lauter at our proposed trend ciphering framework which is conversion from symmetric ciphertext to a homomorphic ciphertext
Imagine that a client wants to delegate computation to a server while all the data are encrypted the client sends homomorphically encrypted symmetry key to server once and encrypts all the messages with symmetric cipher then given symmetric ciphertext the server evaluates the decryption circuit to make morphically encrypted messages
Using the trend ciphering framework the client can encrypt fast and get smaller ciphertext however for real numbers there have been no transferring framework to make a trend ciphering framework for real numbers we observe some similarities between ckt and some fb schemes the first observation is that ckks and fv schemes have similar encryption
Algorithms here we wrote down the formula of the encryption algorithms in both schemes as you can see they are very similar and the major difference is the delta for ckks the delta is scaling vector which preserves precision while delta and fv is a big scalar to make plaintext modulo t
The second observation is that ckks and fv have similar plaintext space both schemes use a plain text in polynomial ring zx with bounded coefficients in this figure we give a pictorial description of two skims these bars stands for coefficients they are different in the size of delta
We found out that those two schemes can be converted to each other by boost wrapping now we pre we present our tf turn ciphering framework which is a new transcife framework for real numbers rtf means real to finite field the overall diagram is on the right
The client has a real message m and convert it to integers modulo t by scaling and rounding off here t should be large enough to preserve predetermined precision the client generates key stream from a non-spaced stream cipher over zt by adding the key stream to the scaled message
The client can get a symmetric ciphertext c the client needs to send an fe encrypted symmetry key k to the server the server roughly speaking transceiver to fv ciphertext and bootstrap it to a ckk ciphertext we also made an age-friendly cypher hera over zt to use in the rtf framework
Like rasta it is a block cipher-like stream cipher outputting a vector in zt16 hera is an sbn with randomized key schedule on the right this figure describes the round function of hara hara is composed of aes like mds matrix component-wise cube map randomized key schedule and fixed constant input
This table shows the recommended number of rounds with respect to each attack we analyzed the security of hera against linear and differential cryptanalysis linearization interpolation attack see the attack and gravity basis attack the number of rounds of hera is the maximum of each column as we propose the first train cycling
Framework for real numbers there’s not many things to compare we compare rtf combined with hera to lwe to rlw conversion and ckkks only environment we experiment lwe to rswwe conversion using open pegasus library in this paper below the ckks only environment is experimented using latico library the first rtf hera is full batching
Instance and the second rtf pair is said to have the same number of slots as lwe to rw conversion we emphasize that the red part ciphertext size ciphertext expansion ratio and the client-side performance is significantly better than the ckks only environment that’s it thank you for listening
All right thank you do we have uh questions from the audience and i’ll do that well while we’re waiting do you do you have a sense of what type of circuits you have to be evaluating for the the client-side encryption to become the bottleneck uh it’s it’s like
It was uh well known to multiplication but i think it was a mattress matrix multiplication is harder when matrix is randomly generated so we fix the matrix so sorry what do you mean am i wrong uh no just what do you mean by you fix the matrix ah i mean that uh
It’s well known that there is a bottleneck for multiplication so the linear layers are usually randomized but we think that it was wrong so we fixed and do not uh generate random matrixes for the cipher good okay okay thank you very much okay we’ll um move on to the the last
Talk of the the session which is going to be given by uh samuel the title is improve quote programmable bootstrapping with larger precision and efficient arithmetic circuits for tfh and uh say oh sorry not by samuel is not speaking it’s by sean bertis sorry go ahead tell me ortiz
Especially for the execution yeah smaller small replacement at the last moment so yeah we’ll present our work which is the untitled improved programmable strapping with larger precision and efficient arithmetic circuits for tfhe this is a joining work with uh and simultaneous so first what is feiichi so fhe is a
Cryptographic paradigm which allows us to compute our unprecedented data so the idea that in folio movie encryption we are able to make addition and also notification over archite data so that at the end we obtain an encrypted version of the addition of the plain text all the multiplication over the plain text
So this is quite general and we are able to evaluate almost every circuit on every possible types of data which might be its integer or real messages the thing we have to look on the fhe is the noise because due to security reason we have to add noise when encrypting and
The fact is when we are making some operation this noise will grows so we have to be sure when evaluating circuit bits but this noise doesn’t get over a threshold so that the decryption will give us the correct results so magically there is a breakthrough in fhe which is called strapping and it’s
Quite simplified the evaluation of circuits since it allows us to reduce the noise so bootstrapping takes one cipher text in as input which is a lw ciphertext in our case plus a public key which is a bootstrapping key and so with the bootstrapping algorithm at the end it
Will output the same cipher text with the noise which has been reduced in our case we are particularly interested in the tfh bootstrapping because it takes another parameters which is a lookup table so representation of a discrete function as a recap table and so as long as we
Refresh the noise with the bootstrapping we’ll also be able to evaluate to evaluate the lookup table which means that from a ciphertext which encrypts x at the end of the bootstrapping we we are able to have the encryption of l of x and the noise has been reduced so this is the
Particularity of the tfa chip strapping in the following slides we are referring to the programmable strapping as the pbs so uh the pbs has some limitation and in this contribution we want to overcome these limitations so the first one is that during a pbs we only able to
Evaluate one function so we propose a new solution in order to be able to evaluate more function during one pbs the other limitation is about the requirement that we have in the programmable strapping so to be able to correctly evaluate the pbs we we have a
Bit of padding which has to be known in the plain text although i said the intuition is that we can use only half on the precision space of the message space during the strapping otherwise the bootstrap will not be correct in order to overcome this limitation i will introduce the bfv modification into
The tfh scheme and we propose two versions of an algorithm which is called woops for without padding programmable strapping so first let’s have a look on on the pbs middle east so without getting into details the idea of the pbs main dilutes is to trick a little the pbs to have a
More generalized version which allows us to define a new parameters fifa and this fitter will give us the possibility to evaluate two to the power of theta functions on the same input which is interesting in this approach is that it offered the multiple instructions sigil data paradigm to the
Pbs and that the cost is almost because of only one pbs the only difference is that we have to compute multiple sample extracts for as many functions as we want to compute but in practice the sample extract is almost free the second idea is to introduce a new
Operation in tfhe which is the lw product to do so we start from the lwe product of bfv so the idea is to have two rlws and to make a computation which is more or less a transfer product and realization and at the end we obtain the
Product of the two messages as an llw so with simple tricks like the key switch and sample extract we are able to extend this product to lwes now the tedious part of including the dfv product into tfhe was the noise analysis and we have done this noise
Analysis to be sure that it exists practice parameter practical parameters to do so with the tfh streams since the parameters from bfv and tfh are quite different with this new tool we are now able to define the woop abs so the pbs without padding bits
So first we start with of message and we want to compute the first pbs will be the pbs computing the function l so now at the end we obtain plus or minus l of m the evaluation and in fact this is why we need in the classical pbs
A padding bit in fact we aren’t sure the correctness and the correctness isn’t sure up to the sign so if we remove this padding bit at the end we are not sure about the sign of the function we are computing so at the end we have the
Encryption of plus or minus l of m and we don’t know this sign to counter this we are computing another we have to compute another pbs which will be the sign and so which is interesting is the pbs will be compute on the same input
So in the end we are going to have the sign of the bbs but it is also encrypted however since it is applied on the same input in the end we know that the sign will be the same for the two pbs so that
We are going to have plus l of m and plus one or minus l of m and minus one and then with the simple information this simple observation that f n times 1 is equal to minus l of m minus time minus 1. in the end using the product we
Have just introduced before we are able to obtain the correct results of the dbs So in conclusion we have seen lot in detail that we have the now the bf notification to the fhe and this is used to compute the um without padding pbs and also they are a simple method to compute many loots during a single dbs in the purpose in the paper there is
Much more result than that which are another version of the pbs which might be more efficient and many many optimization of the two versions of the dbses moreover we propose a generic type noise analysis which might be seen as a tool to generally analyze a new tfh operation
Moreover there is a lot of applications of this two of these new tools which are the generic circuit board strapping or large position bds or more efficient gate destruction for example it also raises some open problems more for example we want to have a fast and quite precise quite precise fast fourier
Transform in order to accelerate and reduce the parameter during the gfh computations moreover we want to reduce the noise growth during the wps because it has some cost on the noise and lastly we want to improve the key switching in order to globally improve the performances during the lw products thank you
Thank you yeah clap just while we’re waiting to see if there’s any questions i want to thank all all the speakers today um five really nice talks um just i’ll i’ll ask kind of a silly question is is the size of the lut that you’re evaluating like
Is is there any bound on the complexity of the lookup table you’re evaluating or you can encode an arbitrary function as as long as the the plaintext like feel or as long as the plain text lookup makes sense yeah you’re kind of right in fact the size of
The lookup table depends on the size of the message so the size of lookup level will be two to the power the size of the message since we have to have at least one one association for each of the entry of the message in practice it’s much more larger than
That since we have to make some redundancy to be sure that the computation of the bbs is correct because we have to deal with the error so which this is quite dependent from the tft parameters it just is um you didn’t mention it but if if you have a a pac cipher ciphertext
Uh a simdi ciphertext where you have multiple message slots can you can you apply the techniques there as well or so yeah so but in tfhe maybe the most silly way to pack thing would be to have an lwe as input and so we cannot directly apply this so
The idea will be first to have sample extract to have some lwes and on each lw is you have to apply the dbs okay all right do do we have other other questions okay let’s um thank all the the speakers again this uh great session really appreciate everybody’s time and attention