Numerical Method for Comparison on Homomorphically Encrypted Numbers

Abstract

We propose a new method to compare numbers which are encrypted by Homomorphic Encryption (HE). Previously, comparison and min/max functions were evaluated using Boolean functions where input numbers are encrypted bit-wise. However, the bit-wise encryption methods require relatively expensive computations for basic arithmetic operations such as addition and multiplication.

In this paper, we introduce iterative algorithms that approximately compute the min/max and comparison operations of several numbers which are encrypted word-wise. From the concrete error analyses, we show that our min/max and comparison algorithms have \(\varTheta (\alpha )\) and \(\varTheta (\alpha \log \alpha )\) computational complexity to obtain approximate values within an error rate \(2^{-\alpha }\), while the previous minimax polynomial approximation method requires the exponential complexity \(\varTheta (2^{\alpha /2})\) and \(\varTheta (\sqrt{\alpha }\cdot 2^{\alpha /2})\), respectively. Our algorithms achieve (quasi-)optimality in terms of asymptotic computational complexity among polynomial approximations for min/max and comparison operations. The comparison algorithm is extended to several applications such as computing the top-k elements and counting numbers over the threshold in encrypted state.

Our method enables word-wise HEs to enjoy comparable performance in practice with bit-wise HEs for comparison operations while showing much better performance on polynomial operations. Computing an approximate maximum value of any two \(\ell \)-bit integers encrypted by HEAAN, up to error \(2^{\ell -10}\), takes only 1.14 ms in amortized running time, which is comparable to the result based on bit-wise HEs.

A Proofs

Proof of Theorem 3. By Theorem 2, the error of \(\texttt {Max}(\cdot ,\cdot ;d)\) algorithm from the true value is bounded by \(2^{(-\alpha - \log \log n)}= 2^{-\alpha }/\log n\). Note from the proof of Lemma 2 that the output of the square root algorithm \(\texttt {Sqrt}(x;d)\) is always smaller than the true value \(\sqrt{x}\), so that the same holds for the max algorithm \(\texttt {Max}(\cdot , \cdot ;d)\). This means that \(a_{i,1} = \texttt {Max}(a_{2i-1,0}, a_{2i,0};d)\) can be written \(a_{i,1} = \max (a_{2i-1,0}, a_{2i,0}) - \epsilon _i\) for \(1\le i \le n/2\) with \(0 \le \epsilon _i \le 2^{-\alpha }/\log n \). Now we have

$$\begin{aligned} \max (a_{2i-1,1},a_{2i,1})= & {} \max (\max (a_{4i-3,0},a_{4i-2,0}) - \epsilon _{2i-1}, \max (a_{4i-1,0}, a_{4i,0}) - \epsilon _{2i}) \\\ge & {} \max (a_{4i-3,0},a_{4i-2,0}, a_{4i-1,0}, a_{4i,0}) - \max (\epsilon _{2i-1}, \epsilon _{2i})\\\ge & {} \max (a_{4i-3,0},a_{4i-2,0}, a_{4i-1,0}, a_{4i,0}) - 2^{-\alpha }/\log n, \end{aligned}$$

which implies that the error of \(a_{i,2} = \texttt {Max}(a_{2i-1,1}, a_{2i,1};d)\) from \(\max (a_{2i-1,1}, a_{2i,1})\) is bounded by \(2\cdot 2^{-\alpha }/\log n\) for \(1\le i \le n/4\). We can repeat the above procedure to get the conclusion that the error of \(a_{1,\log n}\) from \(\max (a_1,..a_n)\) is bounded by \(\log n \cdot 2^{-\alpha }/\log n = 2^{-\alpha }\).

For the case of min algorithm we note that the approximate values are larger than the true values and we can apply a similar approach to the above with reversed inequalities.    \(\square \)

Proof of Theorem 5. Note that \(\texttt {MaxIdx}\) is a natural generalization of \(\texttt {Comp}\). Without loss of generality, we assume that \(a_1\) is the unique maximum element, and we only consider the error between the output \(b_1\) of \(\texttt {MaxIdx}\) and the real value 1. At Step 1–4, \((a_i)_{i=1}^n\) is scaled to \((b_i)_{i=1}^n\) whose sum is 1. Moreover, every input of \(\texttt {Inv}\) is bounded by \(\frac{n}{2^m}\) since \(\sum _{k=1}^{n} b_j\) is always set to be 1 before the \(\texttt {Inv}\) algorithm. Note that each \(b_j\) from the iterations is nothing but \(a_j^{m^t}/\sum _{i=1}^n a_i^{m^t}\) with t being increased by one as the iteration go. The error of \(\texttt {MaxIdx}\) algorithm is also composed of three parts as Theorem 4; an error from the convergence of \(\lim _{m\rightarrow \infty } a_1^m / \sum _{i=1}^n a_i^m = 1\), and an error from the approximation of \(1/(\sum _{i=1}^n b_i^m)\) by our \(\texttt {Inv}\) algorithm and an error coming from Steps 1–4.

Now, the error analysis is almost the same as the proof of Theorem 4 with minor differences in the values of errors. The first part of the error is bounded by \(n\cdot (1/c)^{m^t}\) since \(1 - \frac{a_1^N}{\sum _{i=1}^n b_i^N} = 1 - \frac{1}{1 + \sum _{i=2}^n (b_i/a_1)^N} \le n/c^N\). The second part of the error (from the \(\texttt {Inv}\) algorithm) is bounded by \((1-n^{-(m-1)})^{2^{d+1}}\) since \(n^{-(m-1)}\) is the lower bound of the denominators \(\sum _{i=1}^n b_i^m\) by Cauchy-Schwartz inequality. As a result, we can conclude that the conditions \(t \ge \frac{1}{\log m} [\log (\alpha + \log n + 1) - \log \log c]\) and \(d, d' \ge \log (\alpha + t+ 1) + (m -1)\log n - 1\) suffice to make the total error of \(\texttt {MaxIdx}\) less than \(2^{-\alpha }\) by a similar argument as in Theorem 4.    \(\square \)

Proof of Theorem 6. Without loss of generality, let \(a_i\) be the \(i^\text {th}\) maximum value \(\max _i\) for \(1\le i \le n\).

For \(1 \le i < k\), since \((1-2^{-\alpha })^{i}a_{i+1} > (1-2^{-\alpha })^{k}a_{k+1}\), we first obtain \(\frac{(1-2^{-\alpha })^i a_{i+1}}{2^{-\alpha }a_1} > c\). For \(j = 1\), the statement holds directly by Theorem 5. After obtaining \(m_1\), the algorithm takes \((\epsilon _1a_1, (1-\epsilon _2)a_2,...,(1-\epsilon _n)a_n)\) as an input of \(\texttt {MaxIdx}(\cdots ;d,d',m,t)\), where \(0 \le \epsilon _i \le 2^{-\alpha }\). Since the following inequalities

$$(1-\epsilon _2)a_2 \ge (1-2^{-\alpha })\cdot \frac{2^{-\alpha }}{1-2^{-\alpha }}\cdot ca_1 \ge c \cdot \epsilon _1a_1 \text {, and}$$

$$(1-\epsilon _2)a_2 >(1-\epsilon _2)c_2a_3 \ge ca_3 \ge c\cdot (1-\epsilon _j)a_j \text { for } 3\le j \le n$$

hold, the output \(m_2\) satisfies \((1 -2^{-\alpha })^2 a_2 \le m_2 \le a_2\) by Theorem 5.

Inductively, assume that we have obtained \(m_1,m_2,...,m_{j-1}\) satisfying the statement condition. After obtaining an approximate value \(m_{j-1}\) of the \((j-1)^\text {th}\) maximum value \(a_{j-1}\), the next input of \(\texttt {MaxIdx}\) algorithm is \((\delta _1a_1, \delta _2a_2,...,\delta _n a_n)\) where \(0 \le \delta _i \le 2^{-\alpha }\) for \(i < j\) and \((1-2^{-\alpha })^j \le \delta _i \le 1\) for otherwise. From the following inequalities

$$\delta _ja_j \ge (1-2^{-\alpha })^j\cdot \frac{2^{-\alpha }}{(1-2^{-\alpha })^j}\cdot ca_1 \ge c \cdot \delta _ia_i \text { for } 1 \le i < j \text {, and}$$

$$\delta _ja_j>\delta _jc_ja_{j+1} \ge ca_{j+1} \ge c\cdot \delta _ia_i \text { for } i > j,$$

by Theorem 5 the output \(m_{j+1}\) satisfies \((1-2^{-\alpha })\delta _ja_j \le m_j \le \delta _ja_j\) so that the statement also holds for j. Therefore, the theorem is proved by induction.    \(\square \)