듀얼모드 하이브리드 동형암호 가속기 DNA HHE

📝 Abstract

Fully homomorphic encryption (FHE) schemes like RNS-CKKS enable privacy-preserving outsourced computation (PPOC) but suffer from high computational latency and ciphertext expansion, especially on the resource-constrained edge side. Hybrid Homomorphic Encryption (HHE) mitigates these issues on the edge side by replacing HE with lightweight symmetric encryption for plaintext encryption, such as the Rubato cipher for the HHE variant of RNS-CKKS, yet it introduces transciphering overhead on the cloud. The respective strengths and limitations of FHE and HHE call for a dual-mode HHE solution with flexible algorithm switching ability. This paper presents DNA-HHE, the first dual-mode HHE accelerator with near-network coupling for edge devices. DNA-HHE supports both edge-side RNS-CKKS and Rubato within a unified architecture driven by flexible custom instructions. To realize a compact implementation for the edge side, we propose a DSP-efficient modular reduction design, a compact multi-field-adaptive butterfly unit, and parallel scheduling schemes of Rubato with a high degree of resource sharing. DNA-HHE is designed with network protocol packaging and transmission capacities and directly coupled to the network interface controller, achieving reduced overall latency of edgeside PPOC by 1.09× to 1.56×. Our evaluations on the ASIC and FPGA platforms demonstrate that DNA-HHE outperforms the state-of-the-art single-mode designs in both edge-side RNS-CKKS and symmetric cipher with better computation latency and area efficiency, while offering dual-mode functionality.

💡 Analysis

Fully homomorphic encryption (FHE) schemes like RNS-CKKS enable privacy-preserving outsourced computation (PPOC) but suffer from high computational latency and ciphertext expansion, especially on the resource-constrained edge side. Hybrid Homomorphic Encryption (HHE) mitigates these issues on the edge side by replacing HE with lightweight symmetric encryption for plaintext encryption, such as the Rubato cipher for the HHE variant of RNS-CKKS, yet it introduces transciphering overhead on the cloud. The respective strengths and limitations of FHE and HHE call for a dual-mode HHE solution with flexible algorithm switching ability. This paper presents DNA-HHE, the first dual-mode HHE accelerator with near-network coupling for edge devices. DNA-HHE supports both edge-side RNS-CKKS and Rubato within a unified architecture driven by flexible custom instructions. To realize a compact implementation for the edge side, we propose a DSP-efficient modular reduction design, a compact multi-field-adaptive butterfly unit, and parallel scheduling schemes of Rubato with a high degree of resource sharing. DNA-HHE is designed with network protocol packaging and transmission capacities and directly coupled to the network interface controller, achieving reduced overall latency of edgeside PPOC by 1.09× to 1.56×. Our evaluations on the ASIC and FPGA platforms demonstrate that DNA-HHE outperforms the state-of-the-art single-mode designs in both edge-side RNS-CKKS and symmetric cipher with better computation latency and area efficiency, while offering dual-mode functionality.

📄 Content

Fully homomorphic encryption (FHE), enabling computations on ciphertexts without decryption, has emerged as a cornerstone for privacy-preserving outsourced computation (PPOC). Current mainstream FHE algorithms include BFV [1] and BGV [2] for integer arithmetic, CKKS [3] for approximate arithmetic, and TFHE [4] for boolean circuits. Among FHE schemes, the Residue Number System (RNS) variant of CKKS (RNS-CKKS) [5] has gained particular prominence as its approximate arithmetic support makes it ideal for real/complexnumber operations such as those in signal processing and machine learning. The workflow of RNS-CKKS PPOC is shown in Fig. 1 (a), which mainly involves the homomorphic Encryption/Decryption (Enc/Dec) on the edge, the homomorphic evaluation on the cloud, and the ciphertext transfer between edge and cloud through networking equipment like network interface controller (NIC). Despite the promising potential of FHE-based PPOC, FHE schemes like RNS-CKKS face two major challenges at resource-constrained edge devices, as shown in the right of Fig. 1 (a). First, HE deployment suffers m Fig. 1. End-to-end workflow of traditional FHE and Hybrid HE scheme in PPOC with edge computing paradigm. from significant computational overhead and latency due to the complicated HE operations, particularly the HE Enc over all RNS domains. Second, the noise introduction mechanism of HE intrinsically causes serious ciphertext expansion, with sizes typically hundreds of times larger than plaintext, and this issue becomes even more severe with short-length messages. As a result, edge devices face massive bandwidth (BW) pressure for ciphertext transfer both in internal interconnections and externally to the cloud, leading to low transfer efficiency.

The drawbacks of FHE in slow Enc and ciphertext expansion on the edge side have spurred the development of Hybrid Homomorphic Encryption (HHE) schemes [6]- [8]. The key idea of HHE is to combine HE with lightweight symmetric encryption (SE) to create a more efficient scheme suitable for edge-side practical applications, such as the Rubato SE [7] tailored for RNS-CKKS and the Pasta SE [6] tailored for BFV/BGV. Fig. 1 (b) demonstrates the HHE variant of RNS-CKKS-based PPOC. On the edge, HHE utilizes the SE Enc to encrypt all the plaintexts in segments instead of the expensive HE Enc, significantly reducing computational overhead and latency. Moreover, since the SE cipher does not cause ciphertext expansion, the ciphertext size is considerably reduced, leading to substantially lower BW requirements and decreased ciphertext transfer latency. HHE mitigates the limitations of FHE on the edge but introduces cloud-side drawbacks. The cloud must convert the SE ciphertext into the homomorphic ciphertext, namely transciphering, which adds significant computational overhead.

After analyzing both FHE and HHE schemes, it becomes evident that their respective strengths and limitations call for an adaptable approach for edge-side PPOC deployment. This necessitates the demand for a dual-mode HHE solution, which can dynamically select the optimal edge-side encryption scheme based on current conditions: when edge devices face latency or bandwidth constraints, selecting HHE with SE Enc reduces computational and bandwidth demands; when the cloud experiences surging requests and elevated latency, switching to pure HE eliminates the cloud transciphering overhead. However, challenges exist in deploying dual-mode HHE on the edge side. (1) Lacking of existing works supporting dual-mode HHE. Existing hardware implementations for edge-side PPOC exclusively concentrate on the singlemode acceleration of pure HE schemes such as [9]- [11], or a single symmetric cipher such as [12], leaving the dual-mode combination unexplored. (2) Increased area overhead due to dual-mode functionality. Given the distinctions between pure HE and SE cipher in terms of numerical fields and computation patterns, dual-mode HHE may result in increased area overhead, hindering its deployment on resource-constrained edge devices. (3) Large transmission overhead of expanded ciphertext. Our evaluation shows ciphertext transmission between the accelerator and NIC accounts for 16.7% to 50.6% of the latency overhead in edge-side end-to-end PPOC under different interconnect bus specifications. However, existing designs are implemented as standalone accelerators and overlook the optimization for expanded ciphertext transfer inherent between accelerators and NIC, and this standalone approach leads to diminished efficiency.

In response to the identified challenges, we present DNA-HHE, a dual-mode HHE accelerator with near-network coupling for edge devices. DNA-HHE supports both the edgeside RNS-CKKS [5] and the latest Rubato SE cipher [7] tailored for the corresponding HHE variant, within a unified compact architecture that is tightly coupled to the NIC. Our contributions are as follows:

• Programmable Dual-mode HHE. We propose the first dual-mo

This content is AI-processed based on ArXiv data.