1
**A Simple BGN-Type Cryptosystem from LWE**

Craig Gentry, Shai Halevi, Vinod Vaikuntanathan (IBM Research)

2
Perspective

3
**Homomorphic Encryption in three easy steps [G’09]**

Step 1: Encryption from linear codes
- SK/PK are a good/bad representation of the code
- Bad representation: can’t tell words close to the code from random
- Good representation: can be used to correct many errors
- Additive homomorphism “for free”

Step 2: ECC lives inside a ring
- We have both additive and multiplicative structure
- If the code is an ideal, also multiplicative homomorphism for low-degree polynomials

Step 3: Bootstrapping, squashing, etc.

4
**Instances of this Paradigm**

- Ring of polynomials [G’09]
- Ring of integers [vDGHV’10]
- This work: how about the ring of matrices?
  - Doesn’t quite work like the others: we only get additive HE plus one multiplication
  - Quadratic formulas, as in [BGN’05], but more efficient and more flexible
  - Can be made leakage-resilient and identity-based

5
Background

6
**Learning with Errors (LWE)**

- $n$: security parameter; $q = \mathrm{poly}(n)$; $m > n \log q$
- $c = As + x \pmod q$, where $A \in \mathbb{Z}_q^{m \times n}$ is random, $s \in \mathbb{Z}_q^{n}$, and $x \in \mathbb{Z}^{m}$ is small
- Search-LWE: given $(A, c)$, find $s, x$
- [R’05, P’09]: as hard as the worst case of some lattice problems

7
**Learning with Errors (LWE)**

- $n$: security parameter; $q = \mathrm{poly}(n)$; $m > n \log q$
- $c = As + x \pmod q$, with $A$ random mod $q$ and $x$ small: $c$ is close to the linear code spanned by $A$
- Decision-LWE: distinguish $c$ from random
- [R’05]: as hard as finding $s, x$ (for certain parameters)

8
**Learning with Errors (LWE)**

- $C = AS + X \pmod q$, with $A \in \mathbb{Z}_q^{m \times n}$, $S$ uniform mod $q$ with $n$ rows (one column per LWE instance), and $X$ small
- Many LWE instances with the same $A$
- Same hardness (easy hybrid argument)

9
**Ajtai’s Trapdoors [A’96]**

- Given $A \in \mathbb{Z}_q^{m \times n}$, it is hard to find a small $t$ such that $tA = 0 \pmod q$
- As hard as the worst case of some lattice problems [A’99]
- But it is possible to generate $A$ together with a small, full-rank $T$ such that $TA = 0 \pmod q$ [Alwen-Peikert’08]; even smaller $T$ is possible

10
**Trapdoor Functions [GPV’08]**

- $(A, s, x) \mapsto As + x$ is a trapdoor function
- Can use $T$ to correct errors: $c = As + x$, so $Tc = T(As + x) = Tx \pmod q$
- But $T$ and $x$ are small, so $\|Tx\| \ll q$, and $(Tc \bmod q) = Tx$ holds as an equality over the integers
- $T^{-1}(Tc \bmod q) = x$

11
Our Cryptosystem

12
**Step 1: Encryption from linear ECCs**

- The code is the column space of $A$ mod $q$: $\{As : s \in \mathbb{Z}_q^{n}\}$
- Bad representation (PK) is $A$ itself: given $A$, it is hard to distinguish words close to the code from random words (LWE)
- Good representation (SK) is $T$: can use $T$ to correct errors

13
**Step 1: Encryption from linear ECCs**

- PK: $A$, SK: $T$
- Plaintext is a binary matrix $B \in \{0,1\}^{m \times m}$, encoded as the LSB of the error matrix
- $\mathrm{Enc}(A, B)$: choose random $S \in \mathbb{Z}_q^{n \times m}$ and small $E \in \mathbb{Z}^{m \times m}$; output $C = AS + X \pmod q$ with $X = 2E + B$
- $\mathrm{Dec}(T, C)$: set $X = T^{-1}(TC \bmod q)$; output $B = X \bmod 2$

14
**Step 1: Encryption from linear ECCs**

- Security follows from LWE (for odd $q$)
- Thm: LWE $\Rightarrow$ for any $B$, $\mathrm{Enc}_A(B)$ is indistinguishable from random
- Proof: given an LWE input $(A, C')$, where either $C' = AS + E$ or $C'$ is random, set $C = 2C' + B \pmod q$
  - If $C' = AS + E$ then $C = A(2S) + (2E + B) \pmod q$, a random encryption of $B$
  - If $C'$ is random then so is $C$ (for odd $q$, multiplication by 2 is a bijection on $\mathbb{Z}_q$)

15
**Step 1: Encryption from linear ECCs**

- Additive homomorphism “for free”:
$$C = C_1 + C_2 = (AS_1 + (2E_1 + B_1)) + (AS_2 + (2E_2 + B_2)) = A(S_1 + S_2) + 2(E_1 + E_2) + (B_1 + B_2) \pmod q$$
- $T^{-1}(TC \bmod q) = X = 2(E_1 + E_2) + (B_1 + B_2)$, and $X \bmod 2 = B_1 + B_2 \bmod 2$, as long as $\|X\| \ll q$

16
**Step 2: ECC lives inside a ring**

- Multiply $C_1 \cdot C_2 \pmod q$?
$$(AS_1 + (2E_1 + B_1))\,(AS_2 + (2E_2 + B_2)) = A(\cdots) + (2E_1 + B_1)AS_2 + 2(\cdots) + B_1 B_2 \pmod q$$
- Not what we wanted: cannot use $T$ to cancel out $(2E_1 + B_1)AS_2$, because matrix multiplication is not commutative

17
**Step 2: ECC lives inside a ring**

- How about $C = C_1 C_2^{t} \pmod q$?
$$(AS_1 + (2E_1 + B_1))\,(AS_2 + (2E_2 + B_2))^{t} = A(\cdots) + (\cdots)A^{t} + 2(\cdots) + B_1 B_2^{t} \pmod q$$
- That’s better: $TCT^{t} = TXT^{t} \pmod q$, where $X = (2E_1 + B_1)(2E_2 + B_2)^{t}$ is still small
- $TCT^{t} \bmod q = TXT^{t}$ over the integers
- $T^{-1}(TCT^{t} \bmod q)(T^{t})^{-1} = X \equiv B_1 B_2^{t} \pmod 2$

18
**What Did We Get?**

- KeyGen: generate $(A, T)$
- $\mathrm{Enc}(A, B)$: $C \leftarrow AS + 2E + B \pmod q$
- $\mathrm{Add}(C_1, C_2)$: $C \leftarrow C_1 + C_2 \pmod q$
- $\mathrm{Mult}(C_1, C_2)$: $C \leftarrow C_1 C_2^{t} \pmod q$
- $\mathrm{Dec}(T, C)$: $B \leftarrow T^{-1}(TCT^{t} \bmod q)(T^{t})^{-1} \bmod 2$
- Can decrypt any quadratic formula with polynomially many terms (with appropriate parameters)

19
**What Did We Get?**

- KeyGen: generate $(A, T)$
- $\mathrm{Enc}(A, B)$: $C \leftarrow AS + pE + B \pmod q$
- $\mathrm{Add}(C_1, C_2)$: $C \leftarrow C_1 + C_2 \pmod q$
- $\mathrm{Mult}(C_1, C_2)$: $C \leftarrow C_1 C_2^{t} \pmod q$
- $\mathrm{Dec}(T, C)$: $B \leftarrow T^{-1}(TCT^{t} \bmod q)(T^{t})^{-1} \bmod p$
- Can decrypt any quadratic formula with polynomially many terms (with appropriate parameters)
- Can replace 2 by any plaintext modulus $p \ll q$
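The scheme on slides 12 to 19 is small enough to run end to end. The following Python is an added worked example, not code from the talk or its authors: it implements KeyGen, Enc, Add, Mult and Dec as stated on slide 18 (plaintext modulus $p = 2$) over plain Python integers, and checks that a fresh ciphertext, a sum, a product and a quadratic formula all decrypt correctly. Two choices are mine and not from the slides: the trapdoor pair $(A, T)$ is generated with the gadget-based short basis of Micciancio and Peikert (2012) rather than the Alwen-Peikert trapdoor the slides cite, so $A$ is structured rather than uniformly random; and the parameters ($n = 2$, $q = 2^{26} - 1$, which is odd as the security proof on slide 14 requires, $m = 54$) are toy values picked so that the worst-case noise bound $\|TXT^{t}\|_\infty < q/2$ holds for one product plus one addition. It demonstrates correctness only and is not a secure instantiation; the function names are also mine.

```python
"""Toy model of the matrix-LWE scheme on slides 12-19 (p = 2). Added example, not code
from the talk: the trapdoor (A, T) uses the gadget basis of Micciancio-Peikert (2012),
not the Alwen-Peikert trapdoor the slides cite, so A is structured rather than uniform,
and n, q are toy-sized. Checks correctness only; it is not a secure instantiation."""
from fractions import Fraction
import random

N, K, MBAR = 2, 26, 2     # assumed toy parameters: n, bit length of q, extra columns
Q = (1 << K) - 1          # odd q, as the security reduction on slide 14 requires
M = MBAR + N * K          # plaintexts and ciphertexts are m x m matrices
DET = Q ** N              # |det T| for this trapdoor, so DET * T^-1 is an integer matrix

def matmul(X, Y, mod=None):
    """Integer matrix product X*Y, reduced mod `mod` when given."""
    cols = list(zip(*Y))
    out = [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in X]
    return [[v % mod for v in row] for row in out] if mod else out

def transpose(X):
    return [list(r) for r in zip(*X)]

def centered(v):
    """Representative of v mod q in (-q/2, q/2); equals the true value when that is small."""
    v %= Q
    return v - Q if v > Q // 2 else v

def scaled_inverse(T):
    """DET * T^-1 as an integer matrix, via exact Gauss-Jordan over the rationals."""
    m = len(T)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(m)]
           for i, row in enumerate(T)]
    for c in range(m):
        p = next(r for r in range(c, m) if aug[r][c] != 0)
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(m):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[c])]
    inv = [[v * DET for v in row[m:]] for row in aug]
    assert all(v.denominator == 1 for row in inv for v in row)
    return [[int(v) for v in row] for row in inv]

def gadget_basis_entry(r, c):
    """Entry (r, c) of S_G = I_n (x) S_k, a short basis of ker(G) mod q: column j of S_k is
    2e_j - e_{j+1}, and its last column is the bit vector of q (Micciancio-Peikert)."""
    if c % K == K - 1:
        return (Q >> (r % K)) & 1 if r // K == c // K else 0
    return 2 if r == c else -1 if r == c + 1 else 0

def keygen(rng):
    """PK A in Z_q^{m x n}; SK T in Z^{m x m}, small and full rank with T*A = 0 mod q."""
    abar = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]          # n x mbar
    R = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(MBAR)]   # mbar x nk
    G = [[(1 << (c % K)) if c // K == b else 0 for c in range(N * K)] for b in range(N)]
    SG = [[gadget_basis_entry(r, c) for c in range(N * K)] for r in range(N * K)]
    # Binary W with G*W = -abar mod q (row c of W holds bit c%K of -abar[c//K][i]).
    W = [[((-abar[c // K][i] % Q) >> (c % K)) & 1 for i in range(MBAR)] for c in range(N * K)]
    # A_mp = [abar | G - abar*R] (n x m). Columns of Z = [[I + R*W, R*S_G], [W, S_G]] are
    # short vectors in ker(A_mp) mod q, and det Z = det S_G = q^n, so Z is full rank.
    AR = matmul(abar, R, Q)
    A_mp = [abar[b] + [(G[b][c] - AR[b][c]) % Q for c in range(N * K)] for b in range(N)]
    RW, RS = matmul(R, W), matmul(R, SG)
    Z = [[int(i == j) + RW[i][j] for j in range(MBAR)] + RS[i] for i in range(MBAR)]
    Z += [W[i] + SG[i] for i in range(N * K)]
    A, T = transpose(A_mp), transpose(Z)      # T*A = (A_mp*Z)^t = 0 mod q, as on slide 9
    assert all(v == 0 for row in matmul(T, A, Q) for v in row)
    return A, (T, scaled_inverse(T))

def encrypt(A, B, rng):
    """C = A*S + 2E + B mod q, S uniform in Z_q^{n x m}, E in {-1,0,1}^{m x m} (slide 13)."""
    AS = matmul(A, [[rng.randrange(Q) for _ in range(M)] for _ in range(N)])
    return [[(AS[i][j] + 2 * rng.choice((-1, 0, 1)) + B[i][j]) % Q
             for j in range(M)] for i in range(M)]

def add(C1, C2):
    return [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]

def mult(C1, C2):
    return matmul(C1, transpose(C2), Q)       # C1 * C2^t encrypts B1 * B2^t (slide 17)

def decrypt(sk, C):
    """B = T^-1 (T*C*T^t mod q) (T^t)^-1 mod 2 (slide 18); works for fresh and added C too."""
    T, TinvQ = sk
    Y = [[centered(v) for v in row] for row in matmul(matmul(T, C), transpose(T))]
    X = matmul(matmul(TinvQ, Y), transpose(TinvQ))         # equals DET^2 * X exactly
    assert all(v % (DET * DET) == 0 for row in X for v in row), "noise exceeded q/2"
    return [[(v // (DET * DET)) % 2 for v in row] for row in X]

def demo(seed=1):
    """Decrypt a fresh ciphertext, a sum, a product and a quadratic formula; all True."""
    rng = random.Random(seed)
    A, sk = keygen(rng)
    B = [[[rng.randrange(2) for _ in range(M)] for _ in range(M)] for _ in range(3)]
    C = [encrypt(A, b, rng) for b in B]
    plus = lambda X, Y: [[x + y for x, y in zip(r, s)] for r, s in zip(X, Y)]
    prod = matmul(B[0], transpose(B[1]))
    cases = [(C[0], B[0]), (add(C[0], C[1]), plus(B[0], B[1])),
             (mult(C[0], C[1]), prod), (add(mult(C[0], C[1]), C[2]), plus(prod, B[2]))]
    return [decrypt(sk, c) == [[v % 2 for v in row] for row in want] for c, want in cases]
```

`decrypt` uses the slide-18 form $T^{-1}(TCT^{t} \bmod q)(T^{t})^{-1}$ for every ciphertext; because $TA = 0 \pmod q$ it also decrypts fresh and added ciphertexts, so a single decryptor covers the whole quadratic-formula class. Exactness is the point to watch in such an implementation: $T^{-1}$ is computed over the rationals once and stored scaled by $|\det T| = q^{n}$ so that decryption is integer-only, and the assertion on exact divisibility makes a noise overflow fail loudly instead of silently returning wrong bits.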

20
**Extensions, Applications**

- Can apply the [AMGH’10] transformation to get homomorphism for low-degree polynomials
- “Dual Regev encryption” [GPV’08] is a special case of our scheme*: leakage resilience, IBE
- Efficient quadratic-formula homomorphism for polynomials and big integers

\* After changing the encoding of the plaintext

21
Thank You

22
**2-of-2 Decryption**

- Alice has key pair $(A_1, T_1)$, Bob has $(A_2, T_2)$
- Charlie encrypts $B_1$ to Alice: $C_1 = [A_1 S_1 + X_1]_q$
- Dora encrypts $B_2$ to Bob: $C_2 = [A_2 S_2 + X_2]_q$
- Zachariah sets $C^{*} = [C_1 C_2^{t}]_q$
- $C^{*}$ looks random to either Alice or Bob alone; pooling their keys they can recover $B_1 B_2^{t} = T_1^{-1}[T_1 C^{*} T_2^{t}]_q (T_2^{t})^{-1} \bmod 2$
- Can also “blind” $C^{*}$ to hide its relation to $C_1, C_2$

23
**Multiplying Polynomials**

- $p(x) = p_0 + p_1 x + p_2 x^{2}$, $\; q(x) = q_0 + q_1 x + q_2 x^{2}$
- Arrange the coefficients $p_2, p_1, p_0$ in a matrix $P$ and $q_0, q_1, q_2$ in a matrix $Q$; then $PQ^{t} + R$ yields the coefficients of $p(x)\,q(x)$: $p_0 q_0$, $\; p_0 q_1 + p_1 q_0$, $\; p_0 q_2 + p_1 q_1 + p_2 q_0$, $\; p_1 q_2 + p_2 q_1$, $\; p_2 q_2$

24
**Dual Regev Encryption [GPV’08]**

- The Dual-Regev cryptosystem is an instance of our scheme with a special $T$ (containing $-u$) and a different input encoding than [GPV’08]
- $T$ is no longer invertible, but we can still recover the top-left entry of $B$
- It is known to be IBE and leakage-resilient; this is still true with the new input encoding
- And now it supports quadratic formulas
