
1
**Lattices, Cryptography and Computing with Encrypted Data**

Vinod Vaikuntanathan M.I.T

2
**Decoding Random Linear Codes**

Decoding random linear codes / lattices: given A·s + e, where e is a “small” error, recover s. Combinatorially nice: optimal rate etc. Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

3
**TODAY: Lattice-based Cryptography**

Decoding lattices: given A·s + e with a “small” error e, recover s. TODAY: lattice-based cryptography.

4
**Learning With Errors (LWE)**

(search) LWE_{n,q,B} [Regev’05]: for a random secret s ∈ Zq^n, the oracle O_s outputs samples (a1, b1 = ⟨a1, s⟩ + e1), (a2, b2 = ⟨a2, s⟩ + e2), …, (am, bm = ⟨am, s⟩ + em), where each ai is uniformly random in Zq^n and each ei is a “small” error, |ei| < B. Each sample is a “noisy” random linear equation; in matrix form, b = A·s + e. Goal: find s.

5
**Learning With Errors (LWE)**

(decisional) LWE_{n,q,B}: for a random secret s ∈ Zq^n, distinguish the oracle O_s, which outputs (a1, b1 = ⟨a1, s⟩ + e1), (a2, b2 = ⟨a2, s⟩ + e2), …, (am, bm = ⟨am, s⟩ + em), from the oracle O_rand, which outputs (a1, u1), (a2, u2), …, (am, um) with each ui uniformly random in Zq. Theorem [Reg05, Pei09]: decisional LWE is as hard as search LWE.
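As an added worked example (my own code, not from the talk), the two oracles above in Python, together with the check that explains why the error term is there at all: with e = 0 the “noisy” equations are an ordinary linear system over Zq, and Gaussian elimination recovers s from n samples; with nonzero error the same elimination returns an unrelated vector. The parameters n = 8, q = 7681 (a prime, so every nonzero element of Zq is invertible) and B = 4 are constructed toy values, far below anything secure.

```python
import random


def lwe_oracle(rng, s, q, B, m):
    """Search-LWE oracle O_s: m samples (a_i, b_i = <a_i, s> + e_i mod q),
    a_i uniform in Z_q^n, error e_i uniform in [-B, B] (so |e_i| <= B)."""
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in s]
        e = rng.randint(-B, B)
        b = (sum(x * y for x, y in zip(a, s)) + e) % q
        samples.append((a, b))
    return samples


def random_oracle(rng, n, q, m):
    """O_rand for decisional LWE: the same a_i, but b_i replaced by uniform u_i in Z_q."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def solve_mod_prime(samples, q):
    """Gauss-Jordan elimination over Z_q (q prime) on n equations in n unknowns.
    Returns the unique solution, or None if the coefficient matrix is singular."""
    n = len(samples[0][0])
    rows = [list(a) + [b % q] for a, b in samples[:n]]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col] % q), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)          # q prime => the inverse exists
        rows[col] = [(x * inv) % q for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[col])]
    return [row[n] for row in rows]


def attempt_recovery(rng, s, q, B):
    """Draw n samples from O_s and solve them as if they were exact equations.
    With B = 0 this returns s; with B > 0 the error e makes the answer wrong."""
    n = len(s)
    while True:
        guess = solve_mod_prime(lwe_oracle(rng, s, q, B, n), q)
        if guess is not None:                     # redraw on a singular A (probability ~ 1/q)
            return guess


def demo(seed=1, n=8, q=7681, B=4):
    rng = random.Random(seed)                     # constructed toy parameters, not secure
    s = [rng.randrange(q) for _ in range(n)]
    exact = attempt_recovery(rng, s, q, 0)        # noiseless: plain linear algebra wins
    noisy = attempt_recovery(rng, s, q, B)        # noisy: elimination no longer finds s
    return s, exact, noisy


if __name__ == "__main__":
    s, exact, noisy = demo()
    print("secret recovered without noise:", exact == s)
    print("secret recovered with noise:   ", noisy == s)
```

The noisy guess satisfies A·(guess − s) = e (mod q), so it coincides with s only when every error is zero; the whole hardness of LWE lives in that small e.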

6
**LWE/Lattice-based Cryptography**

Robust: no sub-exponential or quantum attacks. Based on worst-case hardness: solving LWE on average ⇒ solving (approximate shortest vectors on) worst-case lattices [Regev05, Peikert09, BLPRS13]. Amazingly versatile: advanced crypto such as homomorphic encryption, functional encryption, software obfuscation, … (THIS TALK); the only known constructions use lattices.

Speaker notes: Today, I will talk about building cryptography on a different foundation, namely lattice-based cryptography. There are a number of reasons why lattice-based cryptography is attractive. First of all, as far as we know, the lattice-based schemes are resistant to quantum attacks. Secondly, the basic operation in such schemes is addition and multiplication of small integers, and thus the schemes tend to be simple and very efficient. Thirdly, I advocate lattice-based cryptography because of my grandma’s advice: namely, never put all your eggs in the same basket. And a fourth and theoretically very important reason is that the security of lattice-based schemes is based on worst-case hardness assumptions.

7
**Warmup: Secret-key Encryption**

Message M is encrypted as C = Enc(sk, M) and recovered as M = Dec(sk, C); sender and receiver share the secret key sk, and an eavesdropper sees only C. Semantic Security [GM’82]: encryptions of any M0 and M1 are “computationally indistinguishable”.

8
**Secret-key Encryption from LWE**

KeyGen: sample a random “short” vector t ∈ Zq^n and set sk = t.

9
**Secret-key Encryption from LWE**

KeyGen: sample a random “short” vector t ∈ Zq^n and set sk = t. Bit Encryption Enc_sk(m): sample uniformly random a ∈ Zq^n and “short” noise e ∈ Zq; the ciphertext is CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Zq^n × Zq. Semantic security follows from LWE.

10
**Secret-key Encryption from LWE**

KeyGen: sample a random “short” vector t ∈ Zq^n and set sk = t. Bit Encryption Enc_sk(m): sample uniformly random a ∈ Zq^n and “short” noise e ∈ Zq; the ciphertext is CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Zq^n × Zq. Decryption Dec_sk(CT): output (b − ⟨a, t⟩ mod q) mod 2. Correctness: b − ⟨a, t⟩ = b − ∑ a[i]∙t[i] = m + 2e (over Zq), and reducing mod q returns exactly 2e + m as long as |2e + m| < q/2; so decryption succeeds if e < q/4.

11
**Encryption All-or-nothing Have Secret Key, Can Decrypt**

Message M. Encryption is all-or-nothing: have the secret key, can decrypt; no secret key, no go.

12
**Fully Homomorphic Encryption**

Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78] A powerful server / cloud receives Enc(Data) and returns Enc(F(Data)).

13
**Fully Homomorphic Encryption**

Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78] Enc(data), F → Enc(F(data)). [Goldwasser-Micali’82, …]: additively homomorphic. [El Gamal’85, …]: multiplicatively homomorphic. [Gentry’09, BV’11, LTV’12]: fully homomorphic (FHE); all known constructions are based on lattices.

14
**The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption**

[Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]: EVAL evaluates arithmetic circuits C of depth d = ε log n (0 < ε < 1 is a constant, and n is the security parameter).

15
**The Big Picture STEP 2 “Bootstrapping”**

Bootstrapping Theorem [Gen09] (qualitative): “Homomorphic enough” Encryption ⇒ FHE. Homomorphic enough = can evaluate its own Dec circuit (plus some): the decryption circuit takes CT and sk and outputs msg. n is a security parameter.

16
**The Big Picture**

STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]: evaluate arithmetic circuits of depth d = ε log n (n is a security parameter).

STEP 2: “Bootstrapping” method: “Homomorphic enough” Encryption ⇒ FHE. Homomorphic enough = can evaluate its own Dec circuit (plus some).

STEP 3: Depth Boosting / Modulus Reduction [BV11b]: boost the SwHE to depth d = n^ε.

17
**Additive Homomorphism**

CT = (a, b) and CT’ = (a’, b’), with b − ⟨a, t⟩ = 2e + m and b’ − ⟨a’, t⟩ = 2e’ + m’. Look at ciphertexts through the decryption lens.

18
**Additive Homomorphism**

CT = (a, b) and CT’ = (a’, b’). Let c = (a, b), c’ = (a’, b’) and s = (−t, 1). Then b − ⟨a, t⟩ = ⟨c, s⟩ = 2e + m and b’ − ⟨a’, t⟩ = ⟨c’, s⟩ = 2e’ + m’.

19
**Additive Homomorphism**

CT = c and CT’ = c’, with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’. Claim: c_add = c + c’. Proof: ⟨c + c’, s⟩ = 2(e + e’) + (m + m’), so Dec_s(c_add) = 2E + (m + m’) (mod 2) = (m + m’) (mod 2), where E = e + e’.
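An added example (my own code, not from the talk) covering the secret-key scheme from LWE and the additive homomorphism above: key generation, bit encryption, decryption through the “lens” value ⟨c, s⟩ = b − ⟨a, t⟩, and homomorphic addition with the accumulated noise reported alongside the result. The parameters n = 16, q = 4096, B = 3 are constructed toy values chosen so that a sum of 100 ciphertexts still satisfies |2E + M| < q/2; they are not secure.

```python
import random


def keygen(rng, n, B):
    """sk = t, a random “short” vector: entries in [-B, B] (toy choice)."""
    return [rng.randint(-B, B) for _ in range(n)]


def enc(rng, t, m, q, B):
    """Bit encryption: a uniform in Z_q^n, e in [-B, B]; ciphertext c = (a, b = <a,t> + 2e + m)."""
    a = [rng.randrange(q) for _ in t]
    e = rng.randint(-B, B)
    b = (sum(x * y for x, y in zip(a, t)) + 2 * e + m) % q
    return a + [b]


def decryption_lens(c, t, q):
    """<c, s> for s = (-t, 1), i.e. b - <a, t>, reduced to the centred range (-q/2, q/2].
    For a fresh ciphertext this is 2e + m; it is the quantity that must stay below q/2."""
    n = len(t)
    v = (c[n] - sum(x * y for x, y in zip(c[:n], t))) % q
    return v - q if v > q // 2 else v


def dec(c, t, q):
    return decryption_lens(c, t, q) % 2


def add(c1, c2, q):
    """Homomorphic addition: c_add = c + c'; the lens value becomes 2(e + e') + (m + m')."""
    return [(x + y) % q for x, y in zip(c1, c2)]


def add_many(rng, t, bits, q, B):
    """Encrypt each bit, sum the ciphertexts homomorphically,
    return (decrypted parity, accumulated 2E + M)."""
    acc = enc(rng, t, bits[0], q, B)
    for m in bits[1:]:
        acc = add(acc, enc(rng, t, m, q, B), q)
    return dec(acc, t, q), decryption_lens(acc, t, q)


def demo(seed=7, n=16, q=4096, B=3):
    rng = random.Random(seed)                  # constructed toy parameters, not secure
    t = keygen(rng, n, B)
    single_ok = all(dec(enc(rng, t, m, q, B), t, q) == m for m in (0, 1))
    c0, c1 = enc(rng, t, 1, q, B), enc(rng, t, 1, q, B)
    xor = dec(add(c0, c1, q), t, q)            # 1 + 1 = 0 (mod 2)
    # 100 ciphertexts: each contributes |2e + m| <= 2B + 1 = 7, total <= 700 < q/2 = 2048
    parity, noise = add_many(rng, t, [1] * 100, q, B)
    return single_ok, xor, parity, noise


if __name__ == "__main__":
    print(demo())
```

Addition is cheap on the noise (it grows linearly in the number of summands), which is why the talk treats multiplication, not addition, as the culprit.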

20
**Multiplicative Homomorphism**

CT = c and CT’ = c’, with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’. Claim: c_mult = ? First attempt: ⟨c, s⟩ ∙ ⟨c’, s⟩ = (2e + m) ∙ (2e’ + m’).

21
**Multiplicative Homomorphism**

CT = c and CT’ = c’, with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’. Claim: c_mult = ? We have ⟨c, s⟩ ∙ ⟨c’, s⟩ = mm’ + 2(em’ + e’m + 2ee’) = mm’ + 2E, but this is a quadratic equation in the variables s[i].

22
**Multiplicative Homomorphism**

CT = c and CT’ = c’, with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’. Claim: c_mult = ? We have ⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’ + e’m + 2ee’) = mm’ + 2E. Tensor product: c ⊗ c’ = (c[1]∙c’[1], …, c[i]∙c’[j], …, c[n+1]∙c’[n+1]); c and c’ live in n+1 dimensions → c ⊗ c’ lives in (n+1)² dimensions. KEY FACT: ⟨c, s⟩ ∙ ⟨c’, s⟩ = ⟨c ⊗ c’, s ⊗ s⟩.

23
**Multiplicative Homomorphism**

CT = c and CT’ = c’, with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’. Claim: c_mult = c ⊗ c’. Since ⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’ + e’m + 2ee’) = mm’ + 2E, we get Dec(s ⊗ s, c_mult) = 2E + mm’ (mod 2) = mm’ (mod 2). Problem: ciphertext size blows up! (Zq^{n+1} → Zq^{(n+1)²})

24
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s (or of a new secret s’) that represent these quadratic functions.

25
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s’ that represent these quadratic functions. New KeyGen: sample t, t’ ∈ Zq^n and set sk = (t, t’). Evaluation key evk: for all i, j, Enc_{t’}(s[i]s[j]).

26
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s’ that represent these quadratic functions. New KeyGen: sample t, t’ ∈ Zq^n and set sk = (t, t’). Evaluation key evk: for all i, j, sample A_{i,j}, E_{i,j} and output (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t’⟩ + 2E_{i,j} + s[i]s[j]). LWE security still holds.

27
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s’ that represent these quadratic functions. New KeyGen: sample t, t’ ∈ Zq^n and set sk = (t, t’). Evaluation key evk: for all i, j, sample A_{i,j}, E_{i,j} such that B_{i,j} − ⟨A_{i,j}, t’⟩ = 2E_{i,j} + s[i]s[j].

28
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s’ that represent these quadratic functions. New KeyGen: sample t, t’ ∈ Zq^n and set sk = (t, t’). Evaluation key evk: for all i, j, ⟨C_{i,j}, s’⟩ ≈ s[i]s[j] (denoting s’ = (−t’, 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before).

29
**Multiplicative Homomorphism**

Cheating Alert. ⟨c_mult, s ⊗ s⟩ = 2E + mm’. Key Idea [BV’11]: Relinearization: find linear functions of s’ that represent these quadratic functions. New KeyGen: sample t, t’ ∈ Zq^n and set sk = (t, t’). Evaluation key evk: for all i, j, ⟨C_{i,j}, s’⟩ ≈ s[i]s[j]. Plug back into the quadratic equation: ∑_{i,j} c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ 2·Error + mm’, which is linear in s’. A quadratic function (in s) has become a linear function (in s’).

30
**Multiplicative Homomorphism**

⟨c_mult, s ⊗ s⟩ = 2E + mm’. Plug back into the quadratic equation: ∑_{i,j} c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ mm’ + 2·Error, linear in s’. Homomorphic Mult: first compute c_mult = c ⊗ c’; then compute and output ∑_{i,j} c_mult[i,j] ∙ C_{i,j} (where the C_{i,j} are from the evaluation key).

31
**The Reservoir Analogy (How homomorphic is this?)**

Think of the noise as the water level in a reservoir: noise = 0 at the bottom (Security), noise = q/2 at the top (Correctness), and the initial noise = ξ of a fresh ciphertext, bounded by B (worst case). Additive homomorphism: ξ → 2ξ. Mult. homomorphism: ξ → ξ² + n²B log q. After d levels: ≈ ξ^(2^d).


33
**Wrap Up: Somewhat Homomorphism**

STEP 1 [BV11]: “Somewhat Homomorphic” (SwHE) Encryption evaluates Boolean circuits of mult. depth D = ε log n. SK = (sk1, …, skD) and EVK = (evk1, …, evkD), where D is the max mult depth. Encrypt x using sk1 to get Enc(sk1, x); evaluate the circuit C of mult depth D, where each mult level = tensor and relinearize; obtain Enc(skD, C(x)) and decrypt using skD.
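An added example (my own code, not from the talk) of the multiplicative homomorphism and the leveled wrap-up above: tensor product, relinearization with an evaluation key, and a depth-2 evaluation of (m1·m2)·(m3·m4) with SK = (t1, t2, t3) and EVK = (evk1, evk2). To address the deck’s “Cheating Alert” I assume the standard [BV11] fix, bit-decomposing each c_mult[i,j] and publishing encryptions of 2^k·s[i]s[j], so the large coefficients never multiply the evaluation-key noise; the log q factor in the talk’s noise bound reflects this decomposition. Parameters n = 3, q = 2^40, B = 2 are constructed toy values (not secure) chosen so the depth-2 noise stays far below q/2.

```python
import random


def keygen(rng, n, B):
    return [rng.randint(-B, B) for _ in range(n)]            # “short” secret t


def secret_vec(t):
    return [-x for x in t] + [1]                              # s = (-t, 1)


def enc(rng, t, m, q, B):
    a = [rng.randrange(q) for _ in t]
    e = rng.randint(-B, B)
    return a + [(sum(x * y for x, y in zip(a, t)) + 2 * e + m) % q]


def lens(c, t, q):
    """<c, s> centred in (-q/2, q/2]: equals 2e + m whenever |2e + m| < q/2."""
    v = sum(x * y for x, y in zip(c, secret_vec(t))) % q
    return v - q if v > q // 2 else v


def dec(c, t, q):
    return lens(c, t, q) % 2


def tensor(c1, c2, q):
    """c ⊗ c' in Z_q^{(n+1)^2}, entry (i, j) at index i*(n+1)+j; <c⊗c', s⊗s> = <c,s>·<c',s>."""
    return [(x * y) % q for x in c1 for y in c2]


def evk_gen(rng, t, t_next, q, B):
    """Evaluation key from t to t_next: for every (i, j) and bit position k, an LWE
    encryption under t_next of 2^k · s[i]s[j] (bit decomposition, my assumed BV11-style fix)."""
    s, L = secret_vec(t), (q - 1).bit_length()
    evk = {}
    for i in range(len(s)):
        for j in range(len(s)):
            for k in range(L):
                a = [rng.randrange(q) for _ in t_next]
                E = rng.randint(-B, B)
                payload = ((1 << k) * s[i] * s[j]) % q
                evk[(i, j, k)] = a + [(sum(x * y for x, y in zip(a, t_next)) + 2 * E + payload) % q]
    return evk


def relinearize(c_mult, evk, n, q):
    """Sum_{i,j,k} bit_k(c_mult[i,j]) · C_{i,j,k}: a length-(n+1) ciphertext under t_next
    whose lens value is mm' + 2·(error)."""
    L, out = (q - 1).bit_length(), [0] * (n + 1)
    for i in range(n + 1):
        for j in range(n + 1):
            x = c_mult[i * (n + 1) + j]
            for k in range(L):
                if (x >> k) & 1:
                    out = [(o + v) % q for o, v in zip(out, evk[(i, j, k)])]
    return out


def mult(c1, c2, evk, n, q):
    return relinearize(tensor(c1, c2, q), evk, n, q)


def demo(seed=3, n=3, q=1 << 40, B=2):
    """Leveled evaluation of (m1·m2)·(m3·m4): encrypt under t1, level 1 = tensor +
    relinearize to t2, level 2 = tensor + relinearize to t3, decrypt under t3.
    Returns {bits: (decrypted product, |final lens value|)}."""
    rng = random.Random(seed)                  # constructed toy parameters, not secure
    t1, t2, t3 = (keygen(rng, n, B) for _ in range(3))
    evk1, evk2 = evk_gen(rng, t1, t2, q, B), evk_gen(rng, t2, t3, q, B)
    results = {}
    for bits in ((1, 1, 1, 1), (1, 1, 0, 1), (0, 1, 1, 1), (1, 0, 1, 0)):
        c = [enc(rng, t1, m, q, B) for m in bits]
        lvl1 = mult(c[0], c[1], evk1, n, q), mult(c[2], c[3], evk1, n, q)   # under t2
        lvl2 = mult(lvl1[0], lvl1[1], evk2, n, q)                          # under t3
        results[bits] = (dec(lvl2, t3, q), abs(lens(lvl2, t3, q)))
    return results


if __name__ == "__main__":
    for bits, (product, noise) in demo().items():
        print(bits, "->", product, "noise", noise)
```

Each level roughly squares the lens value and adds at most 2·(n+1)²·log q·B from the evaluation key, which is the ξ → ξ² + n²B log q growth the reservoir slide quotes; with log q = 40 here a third level would still fit, but the squaring is what makes the depth logarithmic without modulus reduction.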

34
**The Big Picture (recap)**

STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]: evaluate arithmetic circuits of depth d = ε log n (n is a security parameter). STEP 2: “Bootstrapping” method: “Homomorphic enough” Encryption ⇒ FHE, where homomorphic enough = can evaluate its own Dec circuit (plus some). STEP 3: Depth Boosting / Modulus Reduction [BV11b]: boost the SwHE to depth d = n^ε.

35
**Bootstrapping**

Bootstrapping Theorem [Gen09]: if you can homomorphically evaluate depth-d circuits (you have a d-HE) and the depth of your decryption circuit is < d, then ⇒ FHE. A very general theorem, independent of which encryption scheme you use.

36
**Bootstrapping = “Valve” at a fixed height**

Bootstrapping Theorem [Gen09]: d-HE with decryption depth < d ⇒ FHE; “Homomorphic enough” Encryption ⇒ FHE. In the reservoir picture, bootstrapping = a “valve” at a fixed height (that depends on the decryption depth): noise levels 0, B_dec and q/2, where we need n(B_dec)² < q/2.


38
**Bootstrapping: How?**

“Best possible” noise reduction = decryption! The decryption circuit Dec takes a “very noisy” ciphertext CT and SK and outputs m, a “noiseless ciphertext”. But the evaluator does not have SK!

39
**Bootstrapping, Concretely**

Next best = homomorphic decryption! Assume Enc(SK) is public (OK assuming the scheme is “circular secure”). Evaluate Dec homomorphically on Enc_PK(SK) and CT (noise = B_input) to obtain Enc_PK(m) with noise = B_dec, independent of B_input.

40
**The Big Picture (recap)**

STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]: evaluate arithmetic circuits of depth d = ε log n (n is a security parameter). STEP 2: “Bootstrapping” method: “Homomorphic enough” Encryption ⇒ FHE, where homomorphic enough = can evaluate its own Dec circuit (plus some). STEP 3: Depth Boosting / Modulus Reduction [BV11b]: boost the SwHE to depth d = n^ε.

41
**Boosting Depth from log n to nε**

(in one slide) The culprit: multiplication increases the error from B to about B². Let us pause for a moment: is B² > B? Not if B < 1! Why not scale ciphertexts by q and work over [0, 1)? Quite amazingly, this works out and gives an error growth of B → nB, so the error grows only singly exponentially with circuit depth.

42
**The Big Picture (recap)**

STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]: evaluate arithmetic circuits of depth d = ε log n (n is a security parameter). STEP 2: “Bootstrapping” method: “Homomorphic enough” Encryption ⇒ FHE, where homomorphic enough = can evaluate its own Dec circuit (plus some). STEP 3: Depth Boosting / Modulus Reduction [BV11b]: boost the SwHE to depth d = n^ε.

43
**Lattices are awesome!**

BASIC CRYPTO [Ajtai’96, Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]: one-way functions, hash functions, public-key encryption.

ADVANCED CRYPTO [Ajtai’99, Gentry-Peikert-V’08, Peikert-V-Waters’08]: trapdoor functions, identity-based encryption, secure computation.

THIS TALK [Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]: fully homomorphic encryption. [Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]: attribute-based and functional encryption. [Garg-GHRSW’13]: program obfuscation.

44
Thank you very much!

45
**Modulus Reduction**

Modulus Reduction Theorem [BV11b, BGV12]: SwHE that evaluates Boolean circuits of depth d = n^ε ⇒ “Homomorphic enough” Encryption ⇒ FHE. Idea: shrink the noise and the noise ceiling by the same factor. After ONE MULT: CT with q = B^10 and noise = B^8. As if NO MULT (wishful thinking): CT’ with q’ = B^3 and noise’ = B; what we actually get is noise’ = B + p(n).

46
**Modulus Reduction: Can we do this?**

We cannot arbitrarily reduce the noise (because of the p(n) factor). Hardness depends only on q/B: going from q = B^10, noise = B^8 (wishful thinking: q’ = B^3, noise’ = B) to q’ = B^3, noise’ = B + poly(n) keeps the hardness the same.

47
**Modulus Reduction: LEVEL_i → LEVEL_{i+1}**

Homomorphism: (q, ξ) → (q, ≈ ξ²). Modulus Reduction: (q, ξ²) → (q/ξ, ξ). After d levels: (q, B) → (q/(nB log q)^{O(d)}, B); instead of growing to ≈ ξ^(2^d), the final noise = initial noise = ξ. This supports depth d ≤ log q / log(nB) ≤ n^ε / log n.

48
**Modulus Reduction: Details**

Modulus Reduction Algorithm [BV11b, BGV12]: transform a (q, B²) ciphertext into a (q’ ≈ q/nB, B) one (“Homomorphic enough” Encryption ⇒ FHE). Let c be a ciphertext s.t. ⟨c, s⟩ = 2e + m (mod q), and assume that the secret key s has entries bounded by B (ok by fact 2). Algorithm: compute (q’/q)·c and round to the closest integer vector c’ such that c’ = c mod 2.

49
**Modulus Reduction: Details**

Modulus Reduction Algorithm: compute (q’/q)·c and round to the closest integer vector c’ such that c’ = c mod 2. Let c be a ciphertext s.t. ⟨c, s⟩ = 2e + m (mod q).

Proof: ⟨c, s⟩ = 2e + m + qZ (original decryption equation). Scaled: ⟨(q’/q)c, s⟩ = (q’/q)·(2e + m) + q’Z. Rounded: ⟨c’, s⟩ = (q’/q)·(2e + m) + E_round (mod q’). New error = (q’/q)·(old error) + E_round, with E_round ≤ Bn, as promised! And c’ decrypts to m, since c’ = c mod 2 and hence ⟨c’, s⟩ = ⟨c, s⟩ mod 2.
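An added example (my own code, not from the talk) of the modulus reduction algorithm and its proof above: a ciphertext with a large error, as it would be after a multiplication (constructed directly here), is scaled by q’/q and rounded to the integer vector of the same parity, and the function reports the old and new lens values against the promised bound (q’/q)·(old error) + E_round. I use q = 2^30, q’ = 2^16, n = 8 and secret entries bounded by B = 3 as constructed toy parameters (not secure); one caveat not spelled out on the slide is that q and q’ must have the same parity (both even here) for the mod-2 argument to go through, since the decryption equation carries a multiple of q.

```python
import random
from fractions import Fraction


def keygen(rng, n, B):
    return [rng.randint(-B, B) for _ in range(n)]        # entries of the secret bounded by B


def noisy_ciphertext(rng, t, m, q, e_bound):
    """(a, b = <a,t> + 2e + m mod q) with an error e that is already large,
    as it would be after a multiplication (constructed here, not evaluated)."""
    a = [rng.randrange(q) for _ in t]
    e = rng.randint(-e_bound, e_bound)
    return a + [(sum(x * y for x, y in zip(a, t)) + 2 * e + m) % q]


def lens(c, t, q):
    """<c, s> with s = (-t, 1), centred in (-q/2, q/2]: the 2e + m term of the decryption equation."""
    n = len(t)
    v = (c[n] - sum(x * y for x, y in zip(c[:n], t))) % q
    return v - q if v > q // 2 else v


def dec(c, t, q):
    return lens(c, t, q) % 2


def modulus_reduce(c, q, q_new):
    """Scale c by q'/q and round each coordinate to the closest integer with the same
    parity as the original coordinate (so c' = c mod 2); per-coordinate error <= 1."""
    out = []
    for x in c:
        scaled = Fraction(x * q_new, q)
        r = round(scaled)
        if (r - x) % 2:                                  # wrong parity: step to the neighbour
            r += 1 if scaled >= r else -1
        out.append(r)
    return out


def demo(seed=5, n=8, B=3, q=1 << 30, q_new=1 << 16, e_bound=1 << 22):
    """(q, noise ~ 2^23) -> (q', noise ~ 2^9 + (n+1)B). Returns one tuple per message:
    (m, decrypted bit under q', new error within the promised bound, |old|, |new|)."""
    rng = random.Random(seed)                            # constructed toy parameters, not secure
    t = keygen(rng, n, B)
    report = []
    for m in (0, 1, 1, 0):
        c = noisy_ciphertext(rng, t, m, q, e_bound)
        c_new = modulus_reduce(c, q, q_new)
        old, new = lens(c, t, q), lens(c_new, t, q_new)
        promised = abs(Fraction(old * q_new, q)) + (n + 1) * B   # q'/q · old error + E_round bound
        report.append((m, dec(c_new, t, q_new), abs(new) <= promised, abs(old), abs(new)))
    return report


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The ratio q/noise is about 2^7 both before (2^30 / 2^23) and after (2^16 / 2^9) the reduction, which is the “hardness depends only on q/B” point: the ciphertext got cheaper to handle without becoming easier to attack.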

50
**Putting Together: Leveled FHE**

EVK = (evk1, …, evkD) and SK = (sk1, …, skD), where D is the max mult depth; n is a security parameter. Encrypt x using sk1 to get Enc(sk1, x); evaluate the circuit C of mult depth D, where each mult level = tensor, relinearize using evk_i, and reduce modulus; obtain Enc(skD, C(x)) and decrypt using skD. This works for depth D ≤ n^ε.

51
**Putting Together: Leveled FHE**

EVK = (evk1, …, evkD) and SK = (sk1, …, skD), where D is the max mult depth; n is a security parameter. Encrypt x using sk1, evaluate C level by level (tensor, relinearize using evk_i, reduce modulus), and decrypt Enc(skD, C(x)) using skD. Bootstrapping + circular security ⇒ FHE.
