Published by Haylie Busey. Modified about 1 year ago.

1
Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T

2
Decoding Random Linear Codes / Decoding Lattices
[Figure: $A \cdot s + e$, where $e$ is a “small” error]
Combinatorially nice: Optimal rate etc.
Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

3
TODAY: Lattice-based Cryptography
Decoding Lattices
[Figure: $A \cdot s + e$, where $e$ is a “small” error]

4
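Learning With Errors (LWE)
(search) $\mathrm{LWE}_{n,q,B}$ [Regev’05]: For random secret $s \in \mathbb{Z}_q^n$, the oracle $O_s$ gives
$(a_1, b_1 = \langle a_1, s \rangle + e_1)$
$(a_2, b_2 = \langle a_2, s \rangle + e_2)$
…
$(a_m, b_m = \langle a_m, s \rangle + e_m)$
Each sample is a “noisy” random linear equation: $a_i$ is uniformly random in $\mathbb{Z}_q^n$, with “small” error $|e_1| < B$.
Find $s$.
[Figure: $A \cdot s + e$, where the rows of $A$ are $a_1, a_2, \ldots, a_m$]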

5
Learning With Errors (LWE)
(decisional) $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$
$O_s$: $(a_1, b_1 = \langle a_1, s \rangle + e_1)$, $(a_2, b_2 = \langle a_2, s \rangle + e_2)$, …, $(a_m, b_m = \langle a_m, s \rangle + e_m)$
$O_{rand}$: $(a_1, u_1)$, $(a_2, u_2)$, …, $(a_m, u_m)$, with $u_i$ random in $\mathbb{Z}_q$
Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

6
LWE/Lattice-based Cryptography
Robust
─ No sub-exponential or quantum attacks
Based on worst-case hardness
─ Solve LWE on average ⇒ Solve in worst-case: Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13]
Amazingly Versatile
─ Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…
─ Only known constructions use lattices
THIS TALK

7
Warmup: Secret-key Encryption
[Figure: Message M and secret key sk; C = Enc(sk,M) passes an eavesdropper; M = Dec(sk,C)]
Semantic Security [GM’82]: Encryptions of any $M_0$ and $M_1$ are “computationally indistinguishable”
Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s \rangle) \pmod 2$.
– Correctness: $b - \langle a, s \rangle = b - \sum a[i] \cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). Decryption succeeds if $e < q/4$.

9
Secret-key Encryption from LWE
KeyGen:
– Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t
Bit Encryption $\mathrm{Enc}_{sk}(m)$:
– Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$
– The ciphertext $CT = (a,\ b = \langle a, t \rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
Semantic Security from LWE

10
Secret-key Encryption from LWE
KeyGen:
– Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t
Bit Encryption $\mathrm{Enc}_{sk}(m)$:
– Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$
– The ciphertext $CT = (a,\ b = \langle a, t \rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
Decryption $\mathrm{Dec}_{sk}(CT)$: Output $(b - \langle a, t \rangle \bmod q) \bmod 2$.
– Correctness: $b - \langle a, t \rangle \bmod q = 2e + m \bmod q = 2e + m$ (as long as $|2e+m| < q/2$)

11
All-or-nothing
Have Secret Key, Can Decrypt
No Secret Key, No Go
[Figure: encryption of message M]

12
Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78]
[Figure: Enc(Data) goes to a powerful server / cloud, which returns Enc(F(Data))]

13
Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78]
Enc(data), F → Enc(F(data))
[Goldwasser-Micali’82,…]: Additively homomorphic
[El Gamal’85,…]: Multiplicatively homomorphic
[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices)

14
The Big Picture
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption
Evaluate arithmetic circuits of depth $d = \epsilon \log n$ * [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
* ($0 < \epsilon < 1$ is a constant, and n is the security parameter)
[Figure: EVAL on a circuit C of depth $d = \epsilon \log n$]

15
The Big Picture
STEP 2: “Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Figure: decryption circuit Dec takes CT and sk and outputs msg; EVAL on a circuit C]

16
The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption: Evaluate arithmetic circuits of depth $d = \epsilon \log n$ [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Depth Boosting / Modulus Reduction [BV11b]: Boost the SwHE to depth $d = n^{\epsilon}$
“Bootstrapping” Method: “Homomorphic enough” Encryption ⇒* FHE. Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Slide labels: STEP 1, STEP 2, STEP 3]

17
Additive Homomorphism
Look at Ciphertexts through the Decryption Lens
CT = (a,b): $b - \langle a, t \rangle = 2e + m$
CT’ = (a’,b’): $b' - \langle a', t \rangle = 2e' + m'$

18
Additive Homomorphism
CT = (a,b): $b - \langle a, t \rangle = 2e + m$
CT’ = (a’,b’): $b' - \langle a', t \rangle = 2e' + m'$
Let c = (a,b) and s = (-t, 1): $\langle c, s \rangle = 2e + m$
Let c’ = (a’,b’) and s = (-t, 1): $\langle c', s \rangle = 2e' + m'$

19
Additive Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{add} = c + c'$
Proof: $\langle c + c', s \rangle = 2(e+e') + (m+m')$, so with $E = e + e'$:
$\mathrm{Dec}_s(c_{add}) = 2E + (m+m') \pmod 2 = (m+m') \pmod 2$

20
Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
$\langle c, s \rangle \cdot \langle c', s \rangle = (2e+m) \cdot (2e'+m')$

21
Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
$\langle c, s \rangle \cdot \langle c', s \rangle = mm' + 2(em' + e'm + 2ee')$, where $E = em' + e'm + 2ee'$
Quadratic equation in the variables s[i]

22
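Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
Tensor Product: $c \otimes c' = (c[1] \cdot c'[1], \ldots, c[i] \cdot c'[j], \ldots, c[n+1] \cdot c'[n+1])$
c, c’ live in (n+1) dim → $c \otimes c'$ lives in $(n+1)^2$-dim
KEY FACT: $\langle c, s \rangle \cdot \langle c', s \rangle = \langle c \otimes c', s \otimes s \rangle$
$\langle c \otimes c', s \otimes s \rangle = mm' + 2(em' + e'm + 2ee')$, where $E = em' + e'm + 2ee'$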

23
Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = c \otimes c'$
$\langle c \otimes c', s \otimes s \rangle = mm' + 2(em' + e'm + 2ee')$, where $E = em' + e'm + 2ee'$
$\mathrm{Dec}(s \otimes s, c_{mult}) = 2E + mm' \pmod 2 = mm' \pmod 2$
Problem: Ciphertext size blows up! ($\mathbb{Z}_q^{n+1} \to \mathbb{Z}_q^{(n+1)^2}$)
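The secret-key scheme and the two homomorphisms from the slides above, run end to end. This is an added example, not code from the talk: the parameters (n = 8, q = 1000003, B = 4) are constructed toy values chosen so the arithmetic is easy to follow, and they are far too small to be secure.

```python
import random

def keygen(n, q, rng):
    """Sample a "short" t in {-1,0,1}^n and return s = (-t, 1) mod q (slide notation)."""
    t = [rng.randrange(-1, 2) for _ in range(n)]
    return [(-x) % q for x in t] + [1]

def inner(u, v, q):
    """<u, v> mod q, lifted to the centered range around 0."""
    x = sum(a * b for a, b in zip(u, v)) % q
    return x - q if x > q // 2 else x

def encrypt(s, m, q, B, rng):
    """c = (a, b) with b = <a,t> + 2e + m, i.e. <c, s> = 2e + m (mod q), |e| < B."""
    a = [rng.randrange(q) for _ in range(len(s) - 1)]
    e = rng.randrange(-B + 1, B)
    b = (2 * e + m - sum(x * y for x, y in zip(a, s))) % q
    return a + [b]

def decrypt(c, key, q):
    """Correct only while the accumulated noise term stays below q/2 in magnitude."""
    return inner(c, key, q) % 2

def add(c1, c2, q):
    """c_add = c + c': noise 2(e+e'), plaintext m + m' (mod 2)."""
    return [(x + y) % q for x, y in zip(c1, c2)]

def tensor(u, v, q):
    """u (x) v = (u[i]*v[j]) over all i, j: dimension (n+1)^2."""
    return [(x * y) % q for x in u for y in v]

def demo(n=8, q=1_000_003, B=4, seed=1):
    rng = random.Random(seed)  # constructed toy parameters, not secure
    s = keygen(n, q, rng)
    ss = tensor(s, s, q)       # decryption key for product ciphertexts
    rows = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(s, m1, q, B, rng), encrypt(s, m2, q, B, rng)
            c_mult = tensor(c1, c2, q)
            # KEY FACT: <c,s> * <c',s> = <c (x) c', s (x) s>
            assert inner(c_mult, ss, q) == inner(c1, s, q) * inner(c2, s, q)
            rows.append((m1, m2, decrypt(add(c1, c2, q), s, q),
                         decrypt(c_mult, ss, q), len(c_mult)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)  # (m, m', Dec(c_add), Dec(c_mult), len(c_mult))
```

The last column shows the size blow-up the slide points out: each product ciphertext has (n+1)^2 = 81 entries instead of n+1 = 9.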

24
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s that represent these quadratic func. (or, of a new secret s’)

25
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t,t’).
Evaluation key evk: $\forall i,j.\ \mathrm{Enc}_{t'}(s[i] \cdot s[j])$

26
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t,t’).
Evaluation key evk: sample $A_{i,j}$, $E_{i,j}$
$\forall i,j.\ (A_{i,j},\ B_{i,j} = \langle A_{i,j}, t' \rangle + 2E_{i,j} + s[i] \cdot s[j])$
LWE Security still holds.

27
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t,t’).
Evaluation key evk: sample $A_{i,j}$, $E_{i,j}$
$\forall i,j.\ B_{i,j} - \langle A_{i,j}, t' \rangle = 2E_{i,j} + s[i] \cdot s[j]$

28
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t,t’).
Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s' \rangle \approx s[i] \cdot s[j]$
(denoting s’ = (-t’, 1) and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before)

29
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t,t’).
Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s' \rangle \approx s[i] \cdot s[j]$ (left side: linear fn in s’; right side: quadratic fn in s)
Plug back into quadratic equation:
$\langle \sum_{i,j} c_{mult}[i,j] \cdot C_{i,j},\ s' \rangle \approx 2 \cdot \mathrm{Error} + mm'$. Linear in s’.
Cheating Alert

30
Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Plug back into quadratic equation:
$\langle \sum_{i,j} c_{mult}[i,j] \cdot C_{i,j},\ s' \rangle \approx mm' + 2 \cdot \mathrm{Error}$. Linear in s’.
Homomorphic Mult:
1. First compute $c_{mult} = c \otimes c'$
2. Compute and output $\sum_{i,j} c_{mult}[i,j] \cdot C_{i,j}$ (where $C_{i,j}$ are from the evaluation key)

31
The Reservoir Analogy (How homomorphic is this?)
[Figure: reservoir from noise=0 up to noise=q/2, with initial noise = ξ rising to 2ξ; labels: Correctness, Security]
Additive Homomorphism: $\xi \to 2\xi$
Mult. Homomorphism: $\xi \to \xi^2 + n^2 B \log q \sim \xi^2$
AFTER d LEVELS: noise B → (worst case)

33
Wrap Up: Somewhat Homomorphism
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption. Evaluate Boolean circuits of mult. depth $D = \epsilon \log n$ [BV11]
SK = $(sk_1, \ldots, sk_D)$
EVK = $(evk_1, \ldots, evk_D)$, where D is the max mult depth
Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$
Each Mult Level: Tensor and Relinearize
Decrypt using $sk_D$: $\mathrm{Enc}(sk_D, C(x))$
[Figure: circuit C of mult depth D]

35
Bootstrapping
Bootstrapping Theorem [Gen09]
– If you can homomorphically evaluate depth d circuits (you have a d-HE) and
– the depth of your decryption circuit < d
⇒* FHE

36
Bootstrapping
“Homomorphic enough” Encryption → FHE
Bootstrapping Theorem [Gen09]: d-HE with decryption depth < d ⇒* FHE
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
[Figure: reservoir from noise=0 up to noise=q/2, with a valve at noise=$B_{dec}$]
Say $n (B_{dec})^2 < q/2$

38
Bootstrapping: How
“Best Possible” Noise Reduction = Decryption!
[Figure: decryption circuit Dec takes a “very noisy” ciphertext CT and SK, and outputs m, a “noiseless ciphertext”]
But the evaluator does not have SK!

39
Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”) *
[Figure: Dec evaluated homomorphically on CT (noise = $B_{input}$) and $\mathrm{Enc}_{PK}(SK)$ outputs $\mathrm{Enc}_{PK}(m)$ (noise = $B_{dec}$)]
$B_{dec}$ is independent of $B_{input}$

41
Boosting Depth from $\log n$ to $n^{\epsilon}$ (in one slide)
The Culprit: Multiplication
– Increases error from B to about $B^2$
Let us pause for a moment: Is $B^2 > B$?
– Not if B < 1!
Why not scale ciphertexts by q and work over [0,1)?
– Quite amazingly, this works out and gives us an error growth of B → nB
– Error grows singly exponentially with circuit depth

43
Lattices are awesome!
BASIC CRYPTO
[Ajtai’96, Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05] One-way functions, hash functions, public-key encryption
[Ajtai’99, Gentry-Peikert-V’08, Peikert-V-Waters’08] Trapdoor functions, Identity-based Encryption, secure computation
[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12] Fully Homomorphic Encryption
[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13] Attribute-based and Functional Encryption
THIS TALK
[Garg-GHRSW’13] Program Obfuscation
ADVANCED CRYPTO

44
Thank you very much!

45
Modulus Reduction
“Homomorphic enough” Encryption → FHE
Modulus Reduction Theorem [BV11b,BGV12]: SwHE that evaluates Boolean circuits of depth $d = n^{\epsilon}$
Wishful thinking: $q = B^{10}$, noise $= B^8$ → $q' = B^3$, noise’ $= B$
Shrink Noise and Noise Ceiling by same factor
[Figure labels: CT, NO MULT; CT’, ONE MULT]
noise’ $= B + p(n)$

46
Modulus Reduction
Wishful thinking: $q = B^{10}$, noise $= B^8$ → $q' = B^3$, noise’ $= B + p(n)$
Can we do this?
– Cannot arbitrarily reduce noise (because of the p(n) factor)
– Hardness depends only on q/B.

47
Modulus Reduction
[Figure: reservoir starting at noise=0 with ceiling q lowered to q/ξ; initial noise = ξ, grows to $\xi^2$, final noise = ξ]
LEVEL i → LEVEL i+1:
Homomorphism: $(q, \xi) \to (q, \approx \xi^2)$
Modulus Reduction: $(q, \xi^2) \to (q/\xi, \xi)$
AFTER d LEVELS: $(q, B) \to (q/(nB \log q)^{O(d)}, B)$
$d \le \log q / \log(nB) \le n^{\epsilon} / \log n$

48
Modulus Reduction: Details
“Homomorphic enough” Encryption → FHE
Modulus Reduction Algorithm [BV11b,BGV12]: Transform a $(q, B^2)$ ciphertext into a $(q' \approx q/nB, B)$ one
Let c be a ciphertext s.t. $\langle c, s \rangle = 2e + m \pmod q$
Assume that the secret key s has entries bounded by B. (ok by fact 2)
Modulus Reduction Algorithm:
– Compute $(q'/q) \cdot c$
– Round to the closest integer vector c’ such that c’ = c mod 2

49
Modulus Reduction: Details
Let c be a ciphertext s.t. $\langle c, s \rangle = 2e + m \pmod q$
Modulus Reduction Algorithm:
– Compute $(q'/q) \cdot c$
– Round to the closest integer vector c’ such that c’ = c mod 2
Proof:
$\langle c, s \rangle = 2e + m + q\mathbb{Z}$ (original dec eqn)
$(q'/q) \cdot \langle c, s \rangle = (q'/q) \cdot (2e + m) + q'\mathbb{Z}$ (scaled)
$\langle c', s \rangle = (q'/q) \cdot (2e + m) + E_{round} \pmod{q'}$
New Error = $q'/q$ · (Old Error) + ($E_{round} \le Bn$), as promised!
c’ decrypts to m, since c’ = c mod 2, and $\langle c', s \rangle = \langle c, s \rangle \bmod 2$
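The modulus reduction algorithm from the two slides above, applied to a ciphertext carrying large noise. This is an added example, not code from the talk: the moduli, dimension and noise size are constructed values, the key entries are bounded by 1 rather than B, and both moduli are taken odd, an assumption the parity argument (c’ = c mod 2 implies the same plaintext bit) relies on.

```python
import random
from fractions import Fraction

def centered(x, q):
    """Lift x mod q to the range centered on 0."""
    x %= q
    return x - q if x > q // 2 else x

def make_ciphertext(s, v, q, rng):
    """Constructed ciphertext c with <c, s> = v (mod q), where v = 2e + m."""
    a = [rng.randrange(q) for _ in range(len(s) - 1)]
    b = (v - sum(x * y for x, y in zip(a, s))) % q   # relies on s[-1] == 1
    return a + [b]

def noise_term(c, s, q):
    """<c, s> mod q, centered; equals 2e + m while the noise is small enough."""
    return centered(sum(x * y for x, y in zip(c, s)), q)

def mod_reduce(c, q, q_new):
    """Scale by q'/q, then round each entry to the closest integer with c' = c (mod 2)."""
    out = []
    for x in c:
        y = Fraction(q_new * x, q)
        r = round(y)
        if (r - x) % 2:                  # wrong parity: step to the nearer neighbour
            r += 1 if y > r else -1
        out.append(r)
    return out

def demo(n=16, seed=7):
    rng = random.Random(seed)
    q, q_new = (1 << 40) + 15, (1 << 20) + 7   # both odd (assumption, see lead-in)
    s = [rng.randrange(-1, 2) for _ in range(n)] + [1]  # short key as signed integers
    results = []
    for m in (0, 1):
        e = rng.randrange(1 << 29, 1 << 30)    # large noise, as after a multiplication
        c = make_ciphertext(s, 2 * e + m, q, rng)
        c_new = mod_reduce(c, q, q_new)
        old, new = noise_term(c, s, q), noise_term(c_new, s, q_new)
        # New Error <= (q'/q) * Old Error + E_round, with E_round <= sum |s[i]|
        bound = Fraction(q_new, q) * abs(old) + sum(abs(x) for x in s)
        results.append((m, new % 2, abs(old), abs(new), abs(new) <= bound))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)  # (m, decrypted bit under q', old noise, new noise, bound holds)
```

The noise term drops from about 2^30 to about 2^11 while the modulus drops from about 2^40 to about 2^20, so noise and noise ceiling shrink by the same factor and the ciphertext still decrypts to m.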

50
Putting Together: Leveled FHE
SK = $(sk_1, \ldots, sk_D)$
EVK = $(evk_1, \ldots, evk_D)$, where D is the max mult depth
Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$
Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus
Decrypt using $sk_D$: $\mathrm{Enc}(sk_D, C(x))$
[Figure: circuit C of mult depth D]
This works for depth $D \le n^{\epsilon}$

51
Putting Together: Leveled FHE
SK = $(sk_1, \ldots, sk_D)$
EVK = $(evk_1, \ldots, evk_D)$, where D is the max mult depth
Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$
Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus
Decrypt using $sk_D$: $\mathrm{Enc}(sk_D, C(x))$
[Figure: circuit C of mult depth D]
Bootstrapping + Circular Security => FHE.
