
A Simple BGN-Type Cryptosystem from LWE. Craig Gentry, Shai Halevi, Vinod Vaikuntanathan (IBM Research). Presentation transcript.




1 A Simple BGN-Type Cryptosystem from LWE (Craig Gentry, Shai Halevi, Vinod Vaikuntanathan, IBM Research)

2 Perspective

3 Homomorphic Encryption in three easy steps [G09]
- Step 1: Encryption from linear codes
  - SK/PK are a good/bad representation of the code
  - Bad representation: can't tell words close to the code from random words
  - Good representation can be used to correct many errors
  - Additive homomorphism for free
- Step 2: The ECC lives inside a ring
  - We have both additive and multiplicative structure
  - If the code is an ideal, we also get a multiplicative homomorphism for low-degree polynomials
- Step 3: Bootstrapping, squashing, etc.

4 Instances of this Paradigm
- Ring of polynomials [G09]
- Ring of integers [vDGHV10]
- This work: how about the ring of matrices?
  - Doesn't quite work like the others
  - We only get additive HE plus one multiplication
  - Quadratic formulas, as in [BGN05]
  - But more efficient and more flexible
  - Can be made leakage-resilient, identity-based

5 Background

6 Learning with Errors (LWE)
- Search-LWE: given $A, c$, find $s, x$ [R05, P09]
  - $c = As + x \bmod q$, where $A$ is a uniformly random $m \times n$ matrix mod $q$, $s \in \mathbb{Z}_q^n$, and $x$ is a small error vector
  - $n$ is the security parameter, $q = \mathrm{poly}(n)$, $m > n \log q$
- As hard as the worst case of some lattice problems

7 Learning with Errors (LWE)
- Decision-LWE: distinguish $c = As + x \bmod q$ from a uniformly random vector [R05]
  - Same setting: $A$ random $m \times n$ mod $q$, $x$ small; $n$ the security parameter, $q = \mathrm{poly}(n)$, $m > n \log q$
  - For certain parameters, as hard as finding $s, x$
  - In coding terms: $c$ is close to the linear code spanned by the columns of $A$

8 Learning with Errors (LWE)
- Many LWE instances with the same $A$: $C = AS + X \bmod q$, with $A$ random $m \times n$ mod $q$, $S$ an $n \times m$ matrix, and $X$ a small $m \times m$ error matrix
- Same hardness (easy hybrid argument over the columns)

9 Ajtai's Trapdoors [A96]
- Given $A$, it is hard to find a small vector $t$ such that $tA = 0 \bmod q$
  - As hard as the worst case of some lattice problems [A99]
- But it is possible to generate $A$ together with a trapdoor $T$ such that $TA = 0 \bmod q$, where $A$ is random and $T$ is small and full rank
  - [Alwen-Peikert08]: even smaller $T$

10 Trapdoor Functions [GPV08]
- $(A, s, x) \mapsto As + x$ is a trapdoor function
- $T$ can be used to correct errors: for $c = As + x$,
  - $Tc = T(As + x) = Tx \bmod q$
  - But $T, x$ are small, so $Tx \ll q$, and $(Tc \bmod q) = Tx$ holds over the integers
  - $T^{-1}(Tc \bmod q) = x$

11 Our Cryptosystem

12 Step 1: Encryption from linear ECCs
- The code is the column space of $A$ mod $q$: $\{As : s \in \mathbb{Z}_q^n\}$
- Bad representation (PK) is $A$ itself
  - Given $A$, it is hard to distinguish words close to the code from random words (LWE)
- Good representation (SK) is $T$, with $TA = 0 \bmod q$
  - Can use $T$ to correct errors

13 Step 1: Encryption from linear ECCs
- PK: $A$, SK: $T$ (with $TA = 0 \bmod q$)
- Plaintext is a binary $m \times m$ matrix $B$, encoded as the least significant bits of the error matrix
- Enc(A, B): choose random $S$ ($n \times m$) and small $E$ ($m \times m$); output $C = AS + X \bmod q$ where $X = 2E + B$
- Dec(T, C): set $X \leftarrow T^{-1}(TC \bmod q)$; output $B = X \bmod 2$

14 Step 1: Encryption from linear ECCs
- Security follows from LWE (for odd $q$)
- Thm: under LWE, for any $B$, $\mathrm{Enc}_A(B)$ is indistinguishable from random
- Proof: given an LWE input $(A, C)$, where either $C = AS + E$ or $C$ is random, set $C' = 2C + B \bmod q$
  - If $C = AS + E$ then $C' = A(2S) + (2E + B) \bmod q$, a random encryption of $B$
  - If $C$ is random then so is $C'$ (since $2$ is invertible mod odd $q$)

15 Step 1: Encryption from linear ECCs
- Additive homomorphism for free:
  $C = C_1 + C_2 = (AS_1 + (2E_1 + B_1)) + (AS_2 + (2E_2 + B_2)) = A(S_1 + S_2) + 2(E_1 + E_2) + (B_1 + B_2) \bmod q$
- $T^{-1}(TC \bmod q) = X = 2(E_1 + E_2) + (B_1 + B_2)$, and $X \bmod 2 = B_1 + B_2 \bmod 2$
- Works as long as $X \ll q$

16 Step 2: The ECC lives inside a ring
- Multiply $C_1 \times C_2 \bmod q$?
  $(AS_1 + (2E_1 + B_1))(AS_2 + (2E_2 + B_2)) = A(\ldots) + (2E_1 + B_1)AS_2 + 2(\ldots) + B_1B_2 \bmod q$
- Not what we wanted: $T$ cannot cancel out the term $(2E_1 + B_1)AS_2$, because matrix multiplication is not commutative ($A$ sits in the middle, not on the left)

17 Step 2: The ECC lives inside a ring
- How about $C = C_1 \times C_2^t \bmod q$?
  $(AS_1 + (2E_1 + B_1))(AS_2 + (2E_2 + B_2))^t = A(\ldots) + (\ldots)A^t + 2(\ldots) + B_1B_2^t \bmod q$
- That's better: $TCT^t = TXT^t \bmod q$, where $X = (2E_1 + B_1)(2E_2 + B_2)^t$ is still small
- So $TCT^t \bmod q = TXT^t$ over the integers, and $T^{-1}(TCT^t \bmod q)(T^t)^{-1} = X$, with $X \bmod 2 = B_1B_2^t \bmod 2$

18 What Did We Get?
- KeyGen: generate $A, T$ with $TA = 0 \bmod q$
- Enc(A, B): $C \leftarrow AS + 2E + B \bmod q$
- Add(C_1, C_2): $C \leftarrow C_1 + C_2 \bmod q$
- Mult(C_1, C_2): $C \leftarrow C_1C_2^t \bmod q$
- Dec(T, C): $B \leftarrow T^{-1}(TCT^t \bmod q)(T^t)^{-1} \bmod 2$
- With appropriate parameters, can decrypt any quadratic formula with polynomially many terms

19 What Did We Get?
- Same scheme with a general plaintext modulus $p$ in place of 2:
- KeyGen: generate $A, T$ with $TA = 0 \bmod q$
- Enc(A, B): $C \leftarrow AS + pE + B \bmod q$
- Add(C_1, C_2): $C \leftarrow C_1 + C_2 \bmod q$
- Mult(C_1, C_2): $C \leftarrow C_1C_2^t \bmod q$
- Dec(T, C): $B \leftarrow T^{-1}(TCT^t \bmod q)(T^t)^{-1} \bmod p$
- With appropriate parameters, can decrypt any quadratic formula with polynomially many terms
- Can replace 2 by any $p \ll q$ (the proof of slide 14 then needs $p$ invertible mod $q$, as odd $q$ provided for $p = 2$)
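The scheme of slides 12 to 19, as an added runnable Python example; this is not code from the slides or from the authors. It implements Enc, Add, Mult and Dec exactly as stated above, and Dec also accepts two different keys, which is the 2-of-2 decryption of the backup slides. Assumptions not on the slides: the trapdoor $T$ is produced by a gadget-style construction ($A = [A_0 ; G + RA_0]$, in the spirit of Micciancio and Peikert) rather than the Ajtai/Alwen-Peikert generator the slides cite, since any small full-rank $T$ with $TA = 0 \bmod q$ makes the decryption equation work; parameters ($n = 2$, $q = 2^{40} + 1$, $m = 86$) and the error distribution (uniform on $\{-1, 0, 1\}$) are toy choices made so that the noise bound holds, and give no security; all function names are my own.

```python
import random

# ASSUMPTION (not from the slides): toy parameters, and a gadget-style trapdoor
# instead of Ajtai/Alwen-Peikert. Correctness only; these sizes give no security.
N, K = 2, 4                   # LWE dimension n; K extra rows of A above the gadget rows
Q = (1 << 40) + 1             # odd modulus, as slide 14 requires for p = 2
ELL = Q.bit_length()          # gadget g = (1, 2, 4, ..., 2^(ELL-1))
M = K + N * ELL               # A is M x N; plaintexts and ciphertexts are M x M

def matmul(X, Y):
    Yt = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) for col in Yt] for row in X]

def transpose(X):
    return [list(r) for r in zip(*X)]

def mod_q(X):
    return [[v % Q for v in row] for row in X]

def center(X):
    # entries reduced to (-q/2, q/2]: exact when the true integer value is that small
    return [[v - Q if v > Q // 2 else v for v in row] for row in mod_q(X)]

def keygen(rng):
    # A = [A0 ; G + R*A0] with A0 uniform K x N, R small, G = I_N (x) g the gadget matrix
    A0 = [[rng.randrange(Q) for _ in range(N)] for _ in range(K)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(K)] for _ in range(N * ELL)]
    G = [[(1 << j) if c == i else 0 for c in range(N)] for i in range(N) for j in range(ELL)]
    A = A0 + mod_q([[g + ra for g, ra in zip(gr, rr)] for gr, rr in zip(G, matmul(R, A0))])
    # S_g: rows (2,-1,0,..), ..., (0,..,2,-1) and the binary digits of q, so S_g*g = (0,..,0,q)
    Sg = [[0] * ELL for _ in range(ELL)]
    for j in range(ELL - 1):
        Sg[j][j], Sg[j][j + 1] = 2, -1
    Sg[ELL - 1] = [(Q >> j) & 1 for j in range(ELL)]
    SG = [[Sg[r % ELL][c % ELL] if r // ELL == c // ELL else 0
           for c in range(N * ELL)] for r in range(N * ELL)]   # I_N (x) S_g
    Z = [[(A0[r][c] >> j) & 1 for c in range(N) for j in range(ELL)] for r in range(K)]  # Z*G = A0
    # T = [[-S_G*R, S_G], [I + Z*R, -Z]] is small and full rank, and T*A = [S_G*G ; A0 - Z*G] = 0 mod q
    SGR, ZR = matmul(SG, R), matmul(Z, R)
    T = ([[-v for v in SGR[r]] + SG[r] for r in range(N * ELL)] +
         [[int(r == c) + ZR[r][c] for c in range(K)] + [-v for v in Z[r]] for r in range(K)])
    assert all(v % Q == 0 for row in matmul(T, A) for v in row)
    return A, (T, R, Z)

def solve_gadget(w):
    # integer u with S_g*u = w: rows 0..ELL-2 give u_j = 2^j*u_0 - c_j, the last row fixes u_0
    c = [0]
    for j in range(ELL - 1):
        c.append(2 * c[j] + w[j])
    num = w[ELL - 1] + sum(((Q >> j) & 1) * c[j] for j in range(ELL))
    assert num % Q == 0, "right-hand side is not in the image of S_g"
    return [((num // Q) << j) - c[j] for j in range(ELL)]

def solve_T(sk, W):
    # Y with T*Y = W, using T = L*P, L = [[S_G, 0], [-Z, I]], P = [[-R, I], [I, 0]]:
    # solve L*U = W block by block, then Y = P^-1*U with P^-1 = [[0, I], [I, R]]
    _, R, Z = sk
    cols = []
    for w in transpose(W):
        u_top = [u for i in range(N) for u in solve_gadget(w[i * ELL:(i + 1) * ELL])]
        u_bot = [w[N * ELL + r] + sum(z * u for z, u in zip(Z[r], u_top)) for r in range(K)]
        cols.append(u_bot + [u + sum(a * b for a, b in zip(R[j], u_bot)) for j, u in enumerate(u_top)])
    return transpose(cols)

def encrypt(A, B, rng, p=2):
    # C = A*S + p*E + B mod q: S uniform N x M, E small M x M, B has entries mod p
    S = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    E = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
    AS = matmul(A, S)
    return mod_q([[AS[i][j] + p * E[i][j] + B[i][j] for j in range(M)] for i in range(M)])

def add(C1, C2):
    return mod_q([[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)])

def mult(C1, C2):
    return mod_q(matmul(C1, transpose(C2)))

def decrypt(sk_left, C, p=2, sk_right=None):
    # T_L*C*T_R^t mod q equals T_L*X*T_R^t over the integers while X is small; peel off both T's.
    # One key (sk_right=None) is the scheme's Dec; two keys give the 2-of-2 decryption of C1*C2^t.
    sk_right = sk_right or sk_left
    W = center(matmul(matmul(sk_left[0], C), transpose(sk_right[0])))
    X = transpose(solve_T(sk_right, transpose(solve_T(sk_left, W))))
    return [[v % p for v in row] for row in X]

def check_homomorphisms(p=2, seed=1):
    # (fresh Dec ok, Add ok, Mult ok, 2-of-2 Mult ok) for random plaintexts mod p
    rng = random.Random(seed)
    A, sk = keygen(rng)
    A2, sk2 = keygen(rng)
    B1 = [[rng.randrange(p) for _ in range(M)] for _ in range(M)]
    B2 = [[rng.randrange(p) for _ in range(M)] for _ in range(M)]
    C1, C2, C2b = encrypt(A, B1, rng, p), encrypt(A, B2, rng, p), encrypt(A2, B2, rng, p)
    want_add = [[(a + b) % p for a, b in zip(r1, r2)] for r1, r2 in zip(B1, B2)]
    want_mul = [[v % p for v in row] for row in matmul(B1, transpose(B2))]
    return (decrypt(sk, C1, p) == B1,
            decrypt(sk, add(C1, C2), p) == want_add,
            decrypt(sk, mult(C1, C2), p) == want_mul,
            decrypt(sk, mult(C1, C2b), p, sk2) == want_mul)
```

`check_homomorphisms()` returns four `True` values for $p = 2$, and `check_homomorphisms(p=3)` does the same for the generalised plaintext modulus of slide 19. The only place the trapdoor enters is `decrypt`: after centering $TCT^t \bmod q$ the result is $TXT^t$ over the integers, and `solve_T` peels $T$ off each side; because $T$ is built as $L \cdot P$ with a unimodular $P$, that solve is $O(m^2)$ and needs no rational inverse of $T$.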

20 Extensions, Applications
- Can apply the [AMGH10] transformation to get a homomorphism for low-degree polynomials
- Dual Regev encryption [GPV08] is a special case of our scheme (after changing the encoding of the plaintext)
  - Leakage resilience
  - IBE
- Efficient quadratic-formula homomorphism for polynomials and big integers

21 Thank You

22 2-of-2 Decryption ($[\cdot]_q$ denotes reduction mod $q$)
- Alice has key pair $(A_1, T_1)$, Bob has $(A_2, T_2)$
- Charlie encrypts $B_1$ to Alice: $C_1 = [A_1S_1 + X_1]_q$
- Dora encrypts $B_2$ to Bob: $C_2 = [A_2S_2 + X_2]_q$
- Zachariah sets $C^* = [C_1C_2^t]_q$
  - $C^*$ looks random to either Alice or Bob alone
  - Pooling their keys, they can recover $B_1B_2^t = T_1^{-1}[T_1C^*T_2^t]_q(T_2^t)^{-1} \bmod 2$
  - Can also blind $C^*$ to hide its relation to $C_1, C_2$

23 Multiplying Polynomials
- $p(x) = p_0 + p_1x + p_2x^2$, $q(x) = q_0 + q_1x + q_2x^2$
- Pack the coefficients into triangular matrices:
  $P = \begin{pmatrix} p_2 & p_1 & p_0 \\ 0 & p_2 & p_1 \\ 0 & 0 & p_2 \end{pmatrix}$, $Q = \begin{pmatrix} q_0 & q_1 & q_2 \\ 0 & q_0 & q_1 \\ 0 & 0 & q_0 \end{pmatrix}$
- Then
  $PQ^t + R = \begin{pmatrix} p_0q_2 + p_1q_1 + p_2q_0 & p_0q_1 + p_1q_0 & p_0q_0 \\ p_1q_2 + p_2q_1 & \$\$ & \$\$ \\ p_2q_2 & \$\$ & \$\$ \end{pmatrix}$
- The first row and first column carry the coefficients of $p(x)q(x)$; the entries marked $\$\$$ are not needed, and $R$ is nonzero only in those positions
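The packing of slide 23 for an arbitrary degree, as an added Python example that is not from the slides or the authors; the general layout (reversed coefficients of $p$ on and above the diagonal of $P$, forward coefficients of $q$ in $Q$, product coefficients read from row 0 and column 0 of $PQ^t$) is my generalisation of the $3 \times 3$ case shown, and the function names are mine.

```python
# Added example (not from the slides): the matrix packing of slide 23 for any degree.
# Layout assumed: P[i][k] = p_{d-1-(k-i)} and Q[i][k] = q_{k-i} for k >= i, zero below the
# diagonal. Then row 0 of P*Q^t holds the coefficients of degree d-1, ..., 0 (left to right)
# and column 0 those of degree d-1, ..., 2d-2 (top to bottom); every other entry is "$$".

def matmul(X, Y):
    Yt = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) for col in Yt] for row in X]

def pack(p, q):
    # p, q: coefficient lists, lowest degree first; both are padded to a common length d
    d = max(len(p), len(q))
    p, q = p + [0] * (d - len(p)), q + [0] * (d - len(q))
    P = [[p[d - 1 - (k - i)] if k >= i else 0 for k in range(d)] for i in range(d)]
    Q = [[q[k - i] if k >= i else 0 for k in range(d)] for i in range(d)]
    return P, Q

def coefficients_from(PQt):
    # read the 2d-1 coefficients of p(x)q(x) out of the fixed positions of P*Q^t
    d = len(PQt)
    return [PQt[0][d - 1 - e] if e < d else PQt[e - d + 1][0] for e in range(2 * d - 1)]

def poly_mult_via_matrices(p, q):
    P, Q = pack(p, q)
    return coefficients_from(matmul(P, [list(c) for c in zip(*Q)]))   # P * Q^t

def schoolbook(p, q):
    # reference product, to compare against
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out
```

With $P$ and $Q$ used as the plaintext matrices $B_1, B_2$ of the scheme, Mult(Enc($P$), Enc($Q$)) decrypts to $PQ^t \bmod p$, so the product's coefficients sit in the same positions as long as they are smaller than the plaintext modulus; the $\$\$$ entries are simply ignored.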

24 Dual Regev Encryption [GPV08]
- The dual-Regev cryptosystem is an instance of our scheme, with $T$ given by the figure on the slide (a single row built from the dual-Regev vector $u$; the transcript does not reproduce it) and a different input encoding than [GPV08]
- $T$ is no longer invertible, but the top-left entry of $B$ can still be recovered
- It is known to be IBE and leakage-resilient; this remains true with the new input encoding
- And now it supports quadratic formulas

