Nir Drucker

  • Doctor of Philosophy
  • Researcher at IBM Research - Israel

About

63
Publications
3,211
Reads
376
Citations
Introduction
Dr. Nir Drucker is a Cryptography Researcher at IBM Research.
Current institution
IBM Research - Israel
Current position
  • Researcher

Publications

Publications (63)
Preprint
Modern cryptographic methods for implementing privacy-preserving LLMs such as Homomorphic Encryption (HE) require the LLMs to have a polynomial form. Forming such a representation is challenging because Transformers include non-polynomial components, such as Softmax and layer normalization. Previous approaches have either directly approximated pre-...
Chapter
The arithmetic of modern fully homomorphic encryption (FHE) schemes is basically limited to addition, subtraction, and multiplication, so that most computations are actually evaluations of some finite (possibly multivariate) polynomial over the input ciphertexts. Thus, FHE computations that involve functions that cannot be expressed with a finite p...
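The chapter abstract above states the core constraint: an FHE circuit can only add, subtract and multiply, so a non-polynomial function has to be replaced by a polynomial before it can be evaluated under encryption. The block below is an added example (not code from the book or from the author's projects) of one standard way to do that: interpolate the target function at Chebyshev nodes on a chosen interval and evaluate the result with Clenshaw's recurrence, which uses only the additions and multiplications an HE scheme exposes. The target function (the logistic sigmoid), the interval [-8, 8] and the degree are assumptions chosen for illustration.

```python
import math


def chebyshev_coefficients(f, degree, a, b):
    """Chebyshev coefficients c_0..c_degree of the polynomial that interpolates
    f at the degree+1 Chebyshev nodes (first kind) of the interval [a, b]."""
    n = degree + 1
    thetas = [math.pi * (k + 0.5) / n for k in range(n)]
    # nodes cos(theta) lie in [-1, 1]; map them affinely onto [a, b]
    xs = [0.5 * (b - a) * math.cos(t) + 0.5 * (b + a) for t in thetas]
    fs = [f(x) for x in xs]
    coeffs = [2.0 * sum(fk * math.cos(j * t) for fk, t in zip(fs, thetas)) / n
              for j in range(n)]
    coeffs[0] *= 0.5  # T_0 carries half weight in the Chebyshev series
    return coeffs


def chebyshev_eval(coeffs, x, a, b):
    """Clenshaw evaluation of sum_j c_j T_j(u), u = affine image of x in [-1, 1].
    Only additions, subtractions and multiplications (by constants or by the
    input) are used, which is exactly the FHE operation set."""
    u = (2.0 * x - (a + b)) / (b - a)
    b1 = b2 = 0.0
    for c in reversed(coeffs[1:]):
        b1, b2 = c + 2.0 * u * b1 - b2, b1
    return coeffs[0] + u * b1 - b2


def max_abs_error(f, coeffs, a, b, samples=1601):
    """Largest |f(x) - p(x)| over an evenly spaced grid on [a, b]."""
    worst = 0.0
    for i in range(samples):
        x = a + (b - a) * i / (samples - 1)
        worst = max(worst, abs(f(x) - chebyshev_eval(coeffs, x, a, b)))
    return worst


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def sigmoid_approximation(degree=31, a=-8.0, b=8.0):
    """Assumed illustrative target: a degree-31 polynomial for the logistic
    sigmoid on [-8, 8]. Returns (coefficients, max error on the interval)."""
    coeffs = chebyshev_coefficients(sigmoid, degree, a, b)
    return coeffs, max_abs_error(sigmoid, coeffs, a, b)


if __name__ == "__main__":
    coeffs, err = sigmoid_approximation()
    print(f"degree {len(coeffs) - 1}: max |sigmoid - p| on [-8, 8] = {err:.2e}")
```

The interval matters as much as the degree: the approximation is only valid on [a, b], so an HE pipeline has to guarantee (by scaling or by the preceding layers) that encrypted inputs never leave it, since outside the interval the polynomial diverges rather than saturating like the sigmoid.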
Chapter
This chapter describes basic packing techniques to efficiently utilize single instruction multiple data (SIMD) and operations over SIMD-based elements. The primitives described are used to implement a simple matrix-vector multiplication use case. Subsequent chapters build upon these techniques to create more sophisticated and general packing scheme...
Chapter
Designing algorithms for applications over HE presents challenges stemming from the special characteristics of HE. In this chapter, we review these special characteristics and the challenges they bring. The set of operations that an algorithm under HE can use is different from the set of operations available for a plaintext algorithm. For example,...
Chapter
Data science is the study of extrapolating insights out of data and information. It leverages tools and techniques from different academic fields such as mathematics, computer science, information science, and domain knowledge to analyze data and create data-driven observations, hypotheses, and conclusions. These hypotheses, or models, attempt to r...
Chapter
In this chapter we describe tile tensors, a versatile data structure used for working with tensors under encryption. It offers a layered approach that separates packing details from a high-level view of the computation. Its tile tensor shape notation makes it easy to choose from among multiple packing options.
Chapter
Chapter 5 described some commonly used general approximation methods and their trade-offs when used under fully homomorphic encryption (FHE). The reader is now ready to learn how to apply these and more targeted methods for estimating specific functions that are commonly used by modern analytics. We will describe how these functions can be estimate...
Chapter
This chapter brings the previously discussed techniques together for the data science world. It describes some specific ML models and use cases and explains how each can be handled privately with HE, what the limitations of each model are, and how to overcome them under HE.
Chapter
Homomorphic encryption (HE) is a cryptographic primitive that provides unique security guarantees in the privacy enhancing technologies (PETs) ecosystem. In Chap. 1, we discussed some privacy aspects that affect data science applications. The HE primitive can solve some of these privacy issues. This chapter dives into the properties and capabilitie...
Chapter
Using HE as a security primitive requires a careful understanding of the security guarantees it provides for applications, where different applications use it in various ways for which they may require different security models. This chapter introduces the security aspects of using HE. It starts by describing some basic cryptographic concepts and t...
Chapter
This chapter aims to combine all the previous techniques for implementing a large NN model (e.g., ResNet50). The reader first learns the limitations of such an implementation and the ML techniques to overcome them.
Chapter
Chapter 8 introduced the tile tensor data structure, basic packing options, and simple operators it supports. This chapter covers additional packing options that incorporate more techniques from Chap. 7: complex packing and diagonal packing. Another important packing technique not previously discussed is interleaved packing, which extends the opera...
Conference Paper
Privacy-preserving machine learning (PPML) solutions are gaining widespread popularity. Among these, many rely on homomorphic encryption (HE) that offers confidentiality of the model and the data, but at the cost of large latency and memory requirements. Pruning neural network (NN) parameters improves latency and memory in plaintext ML but has litt...
Article
Approximate homomorphic encryption (HE) schemes such as CKKS are commonly used to perform computations over encrypted real numbers. It is commonly assumed that these schemes are not “exact” and thus they cannot execute circuits with unbounded depth over discrete sets, such as binary or integer numbers, without error overflows. These circuits are u...
Chapter
Homomorphic Encryption (HE) is a cryptographic tool that allows performing computation under encryption, which is used by many privacy-preserving machine learning solutions, for example, to perform secure classification. Modern deep learning applications yield good performance, for example on image-processing benchmarks, by including many skip...
Chapter
One-hot maps are commonly used in the AI domain. Unsurprisingly, they can also bring great benefits to ML-based algorithms such as decision trees that run under Homomorphic Encryption (HE), specifically CKKS. Prior studies in this domain used these maps but assumed that the client encrypts them. Here, we consider different tradeoffs that may affect...
Preprint
Full-text available
One-hot maps are commonly used in the AI domain. Unsurprisingly, they can also bring great benefits to ML-based algorithms such as decision trees that run under Homomorphic Encryption (HE), specifically CKKS. Prior studies in this domain used these maps but assumed that the client encrypts them. Here, we consider different tradeoffs that may affect...
Preprint
Full-text available
Homomorphic Encryption (HE) is a cryptographic tool that allows performing computation under encryption, which is used by many privacy-preserving machine learning solutions, for example, to perform secure classification. Modern deep learning applications yield good performance, for example on image-processing benchmarks, by including many skip...
Preprint
Full-text available
Privacy-preserving machine learning solutions have recently gained significant attention. One promising research trend is using Homomorphic Encryption (HE), a method for performing computation over encrypted data. One major challenge in this approach is training HE-friendly, encrypted or unencrypted, deep CNNs with decent accuracy. We propose a nov...
Article
Full-text available
Privacy-preserving solutions enable companies to offload confidential data to third-party services while complying with government regulations. To accomplish this, they leverage various cryptographic techniques such as Homomorphic Encryption (HE), which allows performing computation on encrypted data. Most HE schemes work in a SIMD fashion, and t...
Chapter
Privacy-preserving deep neural network (DNN) inference is a necessity in different regulated industries such as healthcare, finance, and retail. Recently, homomorphic encryption (HE) has been used as a method to enable analytics while addressing privacy concerns. HE enables secure predictions over encrypted data. However, there are several challeng...
Chapter
The amount of data stored in data repositories increases every year. This makes it challenging to link records between different datasets across companies and even internally, while adhering to privacy regulations. Address or name changes, and even different spelling used for entity data, can prevent companies from using private deduplication or re...
Article
Homomorphic encryption enables private artificial intelligence computations to be run on the cloud. Recent work used tile tensors to speed up the evaluation of neural network inference. We introduce an extension to tile tensors for the complex plane, resulting in a ∼1.68× amortized speedup.
Preprint
Full-text available
Privacy-preserving neural network (NN) inference solutions have recently gained significant traction with several solutions that provide different latency-bandwidth trade-offs. Of these, many rely on homomorphic encryption (HE), a method of performing computations over encrypted data. However, HE operations even with state-of-the-art schemes are st...
Chapter
Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the co...
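The abstract above locates a timing hazard in one specific piece of arithmetic, so it helps to see it written out. The block below is an added example (not code from the paper, HElib or SEAL) of Harvey's Cooley-Tukey butterfly with lazy reduction: inputs in [0, 4p), a Shoup-style multiplication that leaves W·Y only partially reduced, and the single conditional subtraction of 2p that makes the straightforward version branch on its data. The second variant replaces that branch with an arithmetic-shift mask, the usual constant-time fix. Python integers are not constant-time themselves, so what the script demonstrates is the branch-free pattern and its correctness, not the timing of this interpreter. The modulus 998244353 and the test values are assumptions.

```python
import random

MASK64 = (1 << 64) - 1      # word size beta = 2^64 assumed by the butterfly


def shoup_precompute(w, p):
    """W' = floor(W * 2^64 / p): computed once per twiddle factor W."""
    return (w << 64) // p


def mulmod_lazy(w, w_shoup, y, p):
    """Shoup multiplication: T = W*Y - Q*p with Q = floor(W'*Y / 2^64).
    For W < p < 2^62 and Y < 2^64 the result satisfies 0 <= T < 2p."""
    q = (w_shoup * y) >> 64
    return (w * y - q * p) & MASK64


def butterfly_branchy(x, y, w, w_shoup, p):
    """Harvey butterfly: inputs X, Y in [0, 4p), outputs in [0, 4p) with
    X' = X + W*Y and Y' = X - W*Y (mod p), reductions kept lazy."""
    if x >= 2 * p:                 # data-dependent branch: timing depends on X
        x -= 2 * p
    t = mulmod_lazy(w, w_shoup, y, p)
    return x + t, x - t + 2 * p


def butterfly_branchfree(x, y, w, w_shoup, p):
    """Same arithmetic, but the conditional subtraction uses a mask taken
    from the sign bit of X - 2p (64-bit two's-complement view)."""
    lt = ((x - 2 * p) >> 63) & 1   # 1 if X < 2p, else 0 (arithmetic shift)
    x -= 2 * p * (1 - lt)          # subtract 2p exactly when X >= 2p
    t = mulmod_lazy(w, w_shoup, y, p)
    return x + t, x - t + 2 * p


def check_butterflies(p, trials=2000, seed=1):
    """True if both variants agree, stay in [0, 4p) and are correct mod p on
    pseudo-random inputs (seeded RNG: constructed test data, not secrets)."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, w = rng.randrange(4 * p), rng.randrange(4 * p), rng.randrange(p)
        ws = shoup_precompute(w, p)
        a = butterfly_branchy(x, y, w, ws, p)
        b = butterfly_branchfree(x, y, w, ws, p)
        if a != b:
            return False
        xp, yp = a
        if not (0 <= xp < 4 * p and 0 <= yp < 4 * p):
            return False
        if (xp - (x + w * y)) % p or (yp - (x - w * y)) % p:
            return False
    return True


if __name__ == "__main__":
    P = 998244353                  # assumed NTT-friendly prime (< 2^62)
    print("butterflies consistent:", check_butterflies(P))
```

In a C implementation the mask would be built from the borrow of the subtraction (or `-(uint64_t)(x >= 2p)` on compilers known to emit a `setcc`/`neg` sequence rather than a jump); the check above is the test to keep around so that the constant-time variant never drifts from the reference arithmetic.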
Chapter
The Advanced Encryption Standard (AES) was standardized in 2001 by NIST and has become the de facto block cipher used today. AES is a block cipher with a block size of 128 bits and is based on the proposal by Rijmen and Daemen, named “Rijndael”. The Rijndael proposal includes a definition for a block cipher with 256 bits block size (and a 256-bit...
Preprint
Full-text available
The amount of data stored in data repositories increases every year. This makes it challenging to link records between different datasets across companies and even internally, while adhering to privacy regulations. Address or name changes, and even different spelling used for entity data, can prevent companies from using private deduplication or re...
Article
New post-quantum Key Encapsulation Mechanism (KEM) designs pose challenging tradeoffs between communication bandwidth and computational overheads. These are being evaluated by the cryptographic community and by NIST, as part of the NIST PQC standardization project. An interesting set of KEM designs that were evaluated in Round-2 of the project are...
Article
TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this p...
Chapter
The KEM BIKE is a Round-3 alternative finalist in the NIST Post-Quantum Cryptography project. It uses the FO^{⊥̸} (implicit-rejection Fujisaki-Okamoto) transformation, so that an instantiation with a decoder that has a DFR of 2^-128 will make it IND-CCA secure. The current BIKE design does not bind the randomness of the ciphertexts (i.e., the error vectors) to a specif...
Article
The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants that were claimed to have IND-CCA security. The security proof used the Fujisaki-Okamoto transformation and a decoder that targeted a Decoding Failure Rate of 2^-128 (for Level-1 security). H...
Chapter
The QC-MDPC code-based KEM Bit Flipping Key Encapsulation (BIKE) is one of the Round-2 candidates of the NIST PQC standardization project. It has a variant that is proved to be IND-CCA secure. The proof models the KEM with some black-box (“ideal”) primitives. Specifically, the decapsulation invokes an ideal primitive called “decoder”, required to d...
Chapter
The NIST PQC standardization project evaluates multiple new designs for post-quantum Key Encapsulation Mechanisms (KEMs). Some of them present challenging tradeoffs between communication bandwidth and computational overheads. An interesting case is the set of QC-MDPC based KEMs. Here, schemes that use the Niederreiter framework require only half th...
Preprint
Constant-time implementation of cryptographic algorithms is nowadays considered a prerequisite for production-level code. Achieving this property in an efficient way poses a challenge. Rollo and RQC are two code-based Key Encapsulation Mechanism schemes proposed to the NIST PQC Standardization Project. They have recently released new code package versi...
Chapter
QC-MDPC code-based KEMs rely on decoders that have a small or even negligible Decoding Failure Rate (DFR). These decoders should be efficient and implementable in constant time. One example of a QC-MDPC KEM is the Round-2 candidate of the NIST PQC standardization project, “BIKE”. We have recently shown that the Black-Gray decoder achieves the requ...
Article
Full-text available
The anticipated emergence of quantum computers in the foreseeable future drives the cryptographic community to start considering cryptosystems, which are based on problems that remain intractable even with large-scale quantum computers. One example is the family of code-based cryptosystems that relies on the syndrome decoding problem. Recent work b...
Chapter
Continuous Key Agreement (CKA) is a two-party procedure used by Double Ratchet protocols (e.g., Signal). This is a continuous and synchronous protocol that generates a fresh key for every sent/received message. It guarantees forward secrecy and post-compromise security. Alwen et al. have recently proposed a new KEM-based CKA construction where eve...
Chapter
Generating, uniformly at random, a binary or a ternary string with a fixed length L and a prescribed weight W, is a step in several quantum-safe cryptosystems (e.g., BIKE, NTRUEncrypt, NTRU LPrime, Lizard, McEliece).
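As an added illustration of the step named in the abstract (this is not the paper's construction): the straightforward way to draw a uniformly random binary or ternary string of length L and weight W is to pick W distinct positions by rejection sampling, with a second rejection loop so that reducing a random word modulo L introduces no bias. The sampler is correct and uniform, but both rejection loops run a data-dependent number of iterations, so its running time depends on the positions being generated, which in a KEM are part of the secret; that leakage is the reason constant-time fixed-weight samplers are a research topic in their own right. The randomness source, lengths and weights below are assumptions and not any scheme's parameters.

```python
import secrets


def uniform_below(bound, randbytes=secrets.token_bytes):
    """Uniform integer in [0, bound): reject words at or above the largest
    multiple of `bound` so that the final reduction has no modulo bias."""
    nbytes = (bound.bit_length() + 7) // 8
    limit = (256 ** nbytes // bound) * bound
    while True:                                  # data-dependent loop count
        r = int.from_bytes(randbytes(nbytes), "big")
        if r < limit:
            return r % bound


def fixed_weight_positions(length, weight, randbytes=secrets.token_bytes):
    """Uniformly random set of `weight` distinct positions in [0, length).
    Rejecting repeats keeps every W-subset equally likely."""
    if not 0 <= weight <= length:
        raise ValueError("weight must be between 0 and length")
    positions = []
    while len(positions) < weight:               # data-dependent loop count
        i = uniform_below(length, randbytes)
        if i not in positions:
            positions.append(i)
    return sorted(positions)


def fixed_weight_binary(length, weight, randbytes=secrets.token_bytes):
    """Binary string of length L and Hamming weight W, as a list of 0/1."""
    v = [0] * length
    for i in fixed_weight_positions(length, weight, randbytes):
        v[i] = 1
    return v


def fixed_weight_ternary(length, weight, randbytes=secrets.token_bytes):
    """Ternary string with exactly W nonzero entries, each +1 or -1 uniformly."""
    v = [0] * length
    for i in fixed_weight_positions(length, weight, randbytes):
        v[i] = 1 if uniform_below(2, randbytes) else -1
    return v


def hamming_weight(v):
    return sum(1 for s in v if s != 0)


if __name__ == "__main__":
    e = fixed_weight_binary(1024, 40)   # assumed toy parameters
    print("length", len(e), "weight", hamming_weight(e))
```

A constant-time design has to remove both loops: the index reduction by using a fixed number of random bits per draw with a bias that is provably negligible for the parameter set, and the duplicate handling by a fixed-length pass (for example a masked comparison against every previously chosen index, or a fixed number of draws followed by a data-oblivious deduplication). Any such replacement should be checked against the reference above for the distribution it produces.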
Chapter
The introduction of the processor instructions AES-NI and VPCLMULQDQ, which are designed for speeding up encryption, and their continual performance improvements across processor generations, have significantly reduced the cost of encryption overheads. More and more applications and platforms encrypt all of their data and traffic. As an example, we...
Chapter
Modular exponentiation represents a significant workload for public key cryptosystems. Examples include not only the classical RSA, DSA, and DH algorithms, but also the partially homomorphic Paillier encryption. As a result, efficient software implementations of modular exponentiation are an important target for optimization. This paper studies met...
Article
ECDSA is a frequently used signature scheme that has attracted a great deal of software and hardware optimization efforts. In particular, the NIST P-256 curve is currently used for most of the TLS communication worldwide. This paper proposes some observations that lead to additional optimizations. The ECDSA verification includes two main bottleneck...
Article
Various missions carried out by Unmanned Aerial Vehicles (UAVs) are concerned with permanent monitoring of a predefined set of ground targets under relative deadline constraints, i.e., the targets have to be revisited ‘indefinitely’ and there is an upper bound on the time between two consecutive successful scans of each target. A solution to the pr...
Preprint
Full-text available
Modular exponentiation represents a significant workload for public key cryptosystems. Examples include not only the classical RSA, DSA, and DH algorithms, but also the partially homomorphic Paillier encryption. As a result, efficient software implementations of modular exponentiation are an important target for optimization. This paper studies met...
Article
Cloud database services have become very appealing solutions. They offer performance and storage capabilities that client platforms do not have. However, in order to protect the users’ confidentiality and to ensure the integrity of their computations, solutions often use one of three approaches: a) Encrypting the data prior to uploading it with some sy...
Conference Paper
Multi-Prime (MP)RSA is an RSA construction in which the public modulus is a product of more than two primes, and its private key operations can be accelerated by using the Chinese Remainder Theorem (CRT). While MPRSA has been studied extensively, only limited information is found for other MP constructions, such as the Paillier cryptosystem. This paper...
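A runnable version of the CRT acceleration the abstract refers to, added here as an example (not the paper's code): a multi-prime RSA key with k primes, the private operation performed as k small exponentiations with exponents reduced modulo p_i - 1, and the residues recombined with Garner's algorithm. The block handles any number of primes, not just three. The primes and public exponent below are constructed for illustration and are far too small for real use.

```python
from math import gcd


def mprsa_keygen(primes, e=65537):
    """Multi-prime RSA key from a list of distinct primes.
    Returns ((n, e), (primes, d)) with d = e^-1 mod phi(n)."""
    if len(set(primes)) != len(primes):
        raise ValueError("primes must be distinct")
    n, phi = 1, 1
    for p in primes:
        n *= p
        phi *= p - 1
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (primes, pow(e, -1, phi))


def private_op_direct(c, n, d):
    """Reference: one full-size exponentiation modulo n."""
    return pow(c, d, n)


def private_op_crt(c, primes, d):
    """CRT private operation: per-prime exponentiations with the reduced
    exponents d_i = d mod (p_i - 1), recombined by Garner's algorithm.
    Each pow() works on numbers of 1/k the size of n, which is the speedup."""
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    x, m = residues[0], primes[0]            # x = result mod m so far
    for p, r in zip(primes[1:], residues[1:]):
        t = ((r - x) * pow(m, -1, p)) % p    # lift so that x + m*t = r (mod p)
        x += m * t
        m *= p
    return x


def roundtrip(message, primes, e=65537):
    """Encrypt with (n, e), then decrypt both ways.
    Returns (crt_result, direct_result); both must equal `message`."""
    (n, _), (ps, d) = mprsa_keygen(primes, e)
    c = pow(message, e, n)
    return private_op_crt(c, ps, d), private_op_direct(c, n, d)


if __name__ == "__main__":
    toy_primes = [61, 53, 47]   # constructed toy primes, not a real key
    print(roundtrip(12345, toy_primes, e=17))
```

The same per-prime split is what makes CRT implementations a classic fault-attack target: if one of the k exponentiations is corrupted and the faulty result is released, the difference from a correct signature reveals a factor of n, so production code verifies the recombined result against the public key before returning it.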
Preprint
The anticipated emergence of quantum computers in the foreseeable future drives the cryptographic community to start considering cryptosystems, which are based on problems that remain intractable even with strong quantum computers. One example is the family of code-based cryptosystems that relies on the Syndrome Decoding Problem (SDP). Recent work...
Article
Cloud computing infrastructures offer many advantages to users, including large storage and high computation power. However, offloading workloads to hosting environments raises trust and privacy concerns. Algorithms that address these concerns require multiple network transactions and have low performance.
Conference Paper
Cloud database services offer performance and storage advantages that local client platforms do not have, and have become very appealing solutions. We list three approaches that address data privacy concerns that are associated with depositing sensitive data on remote platforms. Users can protect their data privacy by locally encrypting it before upload...
Conference Paper
Various missions carried out by Unmanned Aerial Vehicles (UAVs) are concerned with permanent monitoring of a predefined set of ground targets under relative deadline constraints, which means that there is an upper bound on the time between two consecutive scans of that target. The targets have to be revisited ‘indefinitely’ while satisfying these c...
Chapter
The NIST post-quantum cryptography standardization project has just entered its final Round 4, where three KEMs are evaluated for standardization as alternatives. BIKE is one of them. This paper deals with several considerations around building an isochronous and constant-time implementation of the errors-vector generation (EVG) that is used by BIKE. The...
