1
**A Simple BGN-Type Cryptosystem from LWE**

Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research

2
Perspective

3
**Homomorphic Encryption in three easy steps [G’09]**

Step 1: Encryption from linear codes
- SK/PK are a good/bad representation of the code
- Bad representation: can’t tell words close to the code from random
- Good representation: can be used to correct many errors
- Additive homomorphism “for free”

Step 2: ECC lives inside a ring
- We have both additive and multiplicative structure
- If the code is an ideal, also multiplicative homomorphism for low-degree polynomials

Step 3: Bootstrapping, squashing, etc.

4
**Instances of this Paradigm**

- Ring of polynomials [G’09]
- Ring of integers [vDGHV’10]
- This work: how about the ring of matrices?
  - Doesn’t quite work like the others: we only get additive HE + one multiplication
  - Quadratic formulas, as in [BGN’05], but more efficient and more flexible
  - Can be made leakage-resilient, identity-based

5
Background

6
**Learning with Errors (LWE)**

- n: security parameter, q = poly(n), m > n log q
- c = As + x mod q, where A (m×n) is uniformly random mod q, s is in Z_q^n, and x (m entries) is small
- Search-LWE: given A, c, find s, x
- [R’05, P’09]: as hard as the worst case of some lattice problems

7
**Learning with Errors (LWE)**

- n: security parameter, q = poly(n), m > n log q
- c = As + x mod q, with A random mod q and x small: c is close to the linear code spanned by A
- Decision-LWE: distinguish c from random
- [R’05]: for certain parameters, as hard as finding s, x

8
**Learning with Errors (LWE)**

- C = AS + X mod q, with A (m×n) random, S (n×m), X (m×m) small: many LWE instances with the same A
- Same hardness (easy hybrid argument)

9
**Ajtai’s Trapdoors [A’96]**

- Given A, hard to find small t s.t. tA = 0 mod q
- [A’99]: as hard as the worst case of some lattice problems
- But it is possible to generate A together with a trapdoor T: T small and full rank, A random, TA = 0 mod q
- [Alwen-Peikert’08]: even smaller T

10
**Trapdoor Functions [GPV’08]**

- (A, s, x) ↦ As + x is a trapdoor function
- Can use T to correct errors: c = As + x, so Tc = T(As + x) = Tx mod q
- But T, x are small, so Tx ≪ q: (Tc mod q) = Tx, equality over the integers
- T^{-1}(Tc mod q) = x

11
Our Cryptosystem

12
**Step 1: Encryption from linear ECCs**

- Code is the column space of A mod q: { As : s ∈ Z_q^n }
- Bad representation (PK) is A itself: given A, hard to distinguish words close to the code from random words (LWE)
- Good representation (SK) is T: can use T to correct errors

13
**Step 1: Encryption from linear ECCs**

- PK: A, SK: T
- Plaintext is a binary matrix B (m×m), encoded as the LSB of the error matrix
- Enc(A, B): choose random S (n×m), small E (m×m); output C = AS + (2E + B) mod q
- Dec(T, C): set X = T^{-1}(TC mod q); output B = X mod 2

14
**Step 1: Encryption from linear ECCs**

- Security follows from LWE (for odd q)
- Thm: LWE ⇒ for any B, Enc_A(B) is indistinguishable from random
- Proof: given LWE input (A, C’), either C’ = AS + E or C’ is random. Set C = 2C’ + B mod q.
  - If C’ = AS + E then C = A(2S) + (2E + B) mod q, a random encryption of B
  - If C’ is random then so is C

15
**Step 1: Encryption from linear ECCs**

- Additive homomorphism “for free”: C = C1 + C2 = (AS1 + (2E1 + B1)) + (AS2 + (2E2 + B2)) = A(S1 + S2) + 2(E1 + E2) + (B1 + B2) mod q
- T^{-1}(TC mod q) = X, and X = B1 + B2 mod 2, as long as X ≪ q

16
**Step 2: ECC lives inside a ring**

- Multiply C1 × C2 mod q? (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2)) = A(…) + (2E1 + B1)AS2 + 2(…) + B1B2 mod q
- Not what we wanted: cannot use T to cancel out (2E1 + B1)AS2, since matrix multiplication is not commutative

17
**Step 2: ECC lives inside a ring**

- How about C = C1 × C2^t mod q? (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2))^t = A(…) + (…)A^t + 2(…) + B1B2^t mod q
- That’s better: TCT^t = TXT^t mod q, and X = (2E1 + B1)(2E2 + B2)^t is still small
- TCT^t mod q = TXT^t over the integers
- T^{-1}(TCT^t mod q)(T^t)^{-1} = X = B1B2^t mod 2

18
**What Did We Get?**

- KeyGen: generate (A, T)
- Enc(A, B): C ← AS + 2E + B mod q
- Add(C1, C2): C ← C1 + C2 mod q
- Mult(C1, C2): C ← C1 C2^t mod q
- Dec(T, C): B ← T^{-1}(TCT^t mod q)(T^t)^{-1} mod 2
- Can decrypt any quadratic formula with polynomially many terms, with appropriate parameters

19
**What Did We Get?**

- KeyGen: generate (A, T)
- Enc(A, B): C ← AS + pE + B mod q
- Add(C1, C2): C ← C1 + C2 mod q
- Mult(C1, C2): C ← C1 C2^t mod q
- Dec(T, C): B ← T^{-1}(TCT^t mod q)(T^t)^{-1} mod p
- Can decrypt any quadratic formula with polynomially many terms, with appropriate parameters
- Can replace 2 by any p ≪ q
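A complete toy run of the scheme on slides 13–19, including the trapdoor error correction of slide 10, added here and not the authors’ code. It assumes n = 1, q = 65537 and a structured gadget-style A (powers of two) whose short kernel basis serves as T, a stand-in for an Ajtai/Alwen-Peikert trapdoor that keeps decryption correct but gives no security; a seeded `random` generator supplies S, E and the plaintexts.

```python
import random
from fractions import Fraction

Q = 65537                       # odd modulus (2^16 + 1); toy parameters, n = 1
M = Q.bit_length()              # m = 17 rows
# Public key A (m x 1): the powers of two.  Secret key T (m x m, small, invertible over Q):
# rows 2e_j - e_{j+1}, plus the binary digits of q, so every row t has t.A = 0 (mod q).
# Gadget-style toy trapdoor standing in for an Ajtai/Alwen-Peikert one: correct, not secure.
A = [[1 << j] for j in range(M)]
T = [[2 * (l == j) - (l == j + 1) for l in range(M)] for j in range(M - 1)]
T.append([(Q >> l) & 1 for l in range(M)])

def mat(X, Y, mod=None):        # matrix product, optionally reduced mod q
    Z = [[sum(a * b for a, b in zip(r, c)) for c in zip(*Y)] for r in X]
    return [[v % mod for v in r] for r in Z] if mod else Z

def tr(X): return [list(c) for c in zip(*X)]

def solve(Z):                   # exact T^{-1} Z over the rationals (Gauss-Jordan with Fractions)
    aug = [[Fraction(v) for v in T[i] + Z[i]] for i in range(M)]
    for c in range(M):
        p = next(r for r in range(c, M) if aug[r][c]); aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(M):
            if r != c and aug[r][c]: aug[r] = [a - aug[r][c] * b for a, b in zip(aug[r], aug[c])]
    assert all(v.denominator == 1 for r in aug for v in r[M:]), "noise too large for this q"
    return [[int(v) for v in r[M:]] for r in aug]

def encrypt(B, rng):            # C = A S + (2E + B) mod q, S uniform, E small
    S = [[rng.randrange(Q) for _ in range(M)]]
    E = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
    return [[(a + 2 * e + b) % Q for a, e, b in zip(ar, er, br)] for ar, er, br in zip(mat(A, S), E, B)]

def add(C1, C2):  return [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]
def mult(C1, C2): return mat(C1, tr(C2), Q)

def decrypt(C):                 # B = T^{-1} (T C T^t mod q) (T^t)^{-1}  mod 2
    Y = mat(mat(T, C), tr(T), Q)
    Y = [[v - Q if v > Q // 2 else v for v in r] for r in Y]   # centred: equals T X T^t over Z
    X = tr(solve(tr(solve(Y))))                                # T^{-1} Y (T^t)^{-1}
    return [[v % 2 for v in r] for r in X]

def demo(seed=1):               # homomorphic add and one multiply on random 17x17 bit matrices
    rng = random.Random(seed)
    B1, B2 = ([[rng.randrange(2) for _ in range(M)] for _ in range(M)] for _ in range(2))
    C1, C2 = encrypt(B1, rng), encrypt(B2, rng)
    ok_add = decrypt(add(C1, C2)) == [[(a + b) % 2 for a, b in zip(r1, r2)] for r1, r2 in zip(B1, B2)]
    ok_mul = decrypt(mult(C1, C2)) == mat(B1, tr(B2), 2)
    return ok_add and ok_mul
```

With these parameters every entry of T X T^t is below 1400 in absolute value, far under q/2, which is why the centred reduction recovers it exactly; the `assert` in `solve` fires if that bound is ever violated.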

20
**Extensions, Applications**

- Can apply the [AMGH’10] transformation: get homomorphism for low-degree polynomials
- “Dual Regev encryption” [GPV’08] is a special case of our scheme*
  - Leakage resilience, IBE
- Efficient quadratic-formula homomorphism for polynomials, big integers

* After changing the encoding of the plaintext

21
Thank You

22
**2-of-2 Decryption**

- Alice has key pair (A1, T1), Bob has (A2, T2)
- Charlie encrypts B1 to Alice: C1 = [A1S1 + X1]_q
- Dora encrypts B2 to Bob: C2 = [A2S2 + X2]_q
- Zachariah sets C* = [C1 C2^t]_q
- C* looks random to either Alice or Bob alone; putting their keys together they can recover B1B2^t = T1^{-1} [T1 C* T2^t]_q (T2^t)^{-1} mod 2
- Can also “blind” C* to hide its relation to C1, C2

23
**Multiplying Polynomials**

p(x) = p0 + p1x + p2x², q(x) = q0 + q1x + q2x²

Figure: the coefficients of p and q are arranged in matrices P and Q, and a matrix R is added, so that PQ^t + R holds the coefficients of the product p(x)q(x) (p0q0, p0q1 + p1q0, …, p1q2 + p2q1, p2q2).
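As an added illustration (my own padded encoding, not the slide’s 3×3 layout with its correction matrix R), one way to turn a polynomial product into a single P Q^t computation: a lower-triangular Toeplitz P built from p and a Q carrying q in its first row, so column 0 of P Q^t mod 2 is the coefficient vector of p(x)q(x) over GF(2), which is exactly what one Mult of the scheme yields on bit-matrix plaintexts.

```python
def encode(p, q):
    """p, q: coefficient lists, lowest degree first. Returns m x m bit matrices P, Q."""
    m = len(p) + len(q) - 1           # enough rows for every coefficient of the product
    # P[i][l] = p[i-l] (Toeplitz, zero outside range); Q holds q in row 0 only.
    P = [[p[i - l] if 0 <= i - l < len(p) else 0 for l in range(m)] for i in range(m)]
    Q = [[q[l] if i == 0 and l < len(q) else 0 for l in range(m)] for i in range(m)]
    return P, Q

def product_matrix(P, Q):             # P Q^t mod 2; entry (i, j) is sum_l P[i][l] * Q[j][l]
    return [[sum(a * b for a, b in zip(r, c)) % 2 for c in Q] for r in P]

def poly_mul_via_matrix(p, q):        # column 0 of P Q^t is the convolution of p and q mod 2
    P, Q = encode(p, q)
    return [row[0] for row in product_matrix(P, Q)]

def poly_mul_direct(p, q):            # schoolbook convolution mod 2, for cross-checking
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= a & b
    return out
```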

24
**Dual Regev Encryption [GPV’08]**

- The Dual-Regev cryptosystem is an instance of our scheme, with a specific T and a different input encoding than [GPV’08]
- T is no longer invertible, but we can still recover the top-left entry of B
- It is known to be IBE and leakage-resilient; still true with the new input encoding
- And now it supports quadratic formulas
