Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T.


1 Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T

2 Decoding Random Linear Codes / Decoding Lattices
[Figure: $As + e$, where $e$ is a “small” error]
Combinatorially nice: Optimal rate etc.
Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

3 TODAY: Lattice-based Cryptography
Decoding Lattices
[Figure: $As + e$, where $e$ is a “small” error]

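4 Learning With Errors (LWE)
(search) $\mathrm{LWE}_{n,q,B}$ [Regev’05]: For random secret $s \in \mathbb{Z}_q^n$
$O_s$: $(a_1, b_1 = \langle a_1, s \rangle + e_1)$, $(a_2, b_2 = \langle a_2, s \rangle + e_2)$, …, $(a_m, b_m = \langle a_m, s \rangle + e_m)$
Each sample is a “noisy” random linear equation: $a_i$ uniformly random in $\mathbb{Z}_q^n$, “small” error $|e_1| < B$
Find $s$
[Figure: the rows $a_1, a_2, \ldots, a_m$ applied to $s$, plus $e$]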

5 Learning With Errors (LWE)
(decisional) $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$
$O_s$: $(a_1, b_1 = \langle a_1, s \rangle + e_1)$, $(a_2, b_2 = \langle a_2, s \rangle + e_2)$, …, $(a_m, b_m = \langle a_m, s \rangle + e_m)$
$\approx$
$O_{rand}$: $(a_1, u_1)$, $(a_2, u_2)$, …, $(a_m, u_m)$, with $u_i$ random in $\mathbb{Z}_q$
Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

6 LWE/Lattice-based Cryptography
• Robust
─ No sub-exponential or quantum attacks
• Based on worst-case hardness
• Amazingly Versatile
─ Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…
─ Only known constructions use lattices
─ Solve LWE on average ⇒ Solve in worst-case ⇒ Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13]
THIS TALK

7 Warmup: Secret-key Encryption
Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s \rangle) \pmod 2$.
– Correctness: $b - \langle a, s \rangle = b - \sum a[i] \cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). ⇒ decryption succeeds if $e < q/4$.
[Figure: Message M and secret key sk; C = Enc(sk,M); eavesdropper; M = Dec(sk,C)]
Semantic Security [GM’82]: Encryption of any $M_0$ and $M_1$ are “computationally indistinguishable”

8 Secret-key Encryption from LWE
Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s \rangle) \pmod 2$.
– Correctness: $b - \langle a, s \rangle = b - \sum a[i] \cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). ⇒ decryption succeeds if $e < q/4$.
KeyGen:
– Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set $sk = t$

9 Secret-key Encryption from LWE
Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s \rangle) \pmod 2$.
– Correctness: $b - \langle a, s \rangle = b - \sum a[i] \cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). ⇒ decryption succeeds if $e < q/4$.
KeyGen:
– Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set $sk = t$
Bit Encryption $\mathrm{Enc}_{sk}(m)$:
– Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$
– The ciphertext $CT = (a, b = \langle a, t \rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
Semantic Security from LWE

10 Secret-key Encryption from LWE
Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s \rangle) \pmod 2$.
– Correctness: $b - \langle a, s \rangle = b - \sum a[i] \cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). ⇒ decryption succeeds if $e < q/4$.
KeyGen:
– Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set $sk = t$
Bit Encryption $\mathrm{Enc}_{sk}(m)$:
– Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$
– The ciphertext $CT = (a, b = \langle a, t \rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
Decryption $\mathrm{Dec}_{sk}(CT)$: Output $(b - \langle a, t \rangle \bmod q) \bmod 2$.
– Correctness: $b - \langle a, t \rangle \bmod q = 2e + m \bmod q = 2e + m$ (as long as $|2e+m| < q/2$)

11 All-or-nothing
Have Secret Key, Can Decrypt
No Secret Key, No Go
[Figure labels: Message M; Encryption]

12 Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78]
[Figure labels: Enc(Data); Enc(F(Data)); Encryption; Powerful server / cloud]

13 Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78]
Enc(data), F → Enc(F(data))
[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices)
[Goldwasser-Micali’82,…]: Additively homomorphic
[El Gamal’85,…]: Multiplicatively homomorphic

14 The Big Picture
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Evaluate arithmetic circuits of depth $d = \varepsilon \log n$ *
* ($0 < \varepsilon < 1$ is a constant, and $n$ is the security parameter)
[Figure: EVAL on a circuit C of depth $d = \varepsilon \log n$]

15 The Big Picture
STEP 2: “Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Figure: Decryption Circuit Dec with inputs CT and sk and output msg; EVAL on a circuit C]

16 The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Evaluate arithmetic circuits of depth $d = \varepsilon \log n$
Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth $d = n^{\varepsilon}$
“Bootstrapping” Method
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Labels: STEP 1, STEP 2, STEP 3]

17 Additive Homomorphism
Look at Ciphertexts through the Decryption Lens
CT = (a, b): $b - \langle a, t \rangle = 2e + m$
CT’ = (a’, b’): $b' - \langle a', t \rangle = 2e' + m'$

18 Additive Homomorphism
CT = (a, b): $b - \langle a, t \rangle = 2e + m$
CT’ = (a’, b’): $b' - \langle a', t \rangle = 2e' + m'$
Let $c = (a,b)$ and $s = (-t, 1)$: $\langle c, s \rangle = 2e + m$
Let $c' = (a',b')$ and $s = (-t, 1)$: $\langle c', s \rangle = 2e' + m'$

19 Additive Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{add} = c + c'$
Proof: $\langle c + c', s \rangle = 2(e+e') + (m+m')$, with $E = e + e'$
⇒ $\mathrm{Dec}_s(c_{add}) = 2E + (m+m') \pmod 2 = (m+m') \pmod 2$
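
The secret-key scheme of slides 8–10 and the additive homomorphism of slides 17–19, as an added Python example (not code from the talk). The parameters n = 16, q = 2^15 + 1, B = 4, the seeded RNG and all function names are assumptions chosen for illustration and are far too small to be secure; `enc` accepts a forced error so the failure past e = q/4 can be observed.

```python
import random

# Toy parameters assumed for this example; far too small to be secure.
N, Q, B = 16, 2**15 + 1, 4     # dimension n, odd modulus q, noise bound
rng = random.Random(1)         # seeded, non-cryptographic RNG: demo only

def centered(x):
    """Lift x mod Q to the interval (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    # sk = t, a "short" vector: every entry has magnitude at most B.
    return [rng.randint(-B, B) for _ in range(N)]

def enc(t, m, e=None):
    # CT = (a, b = <a,t> + 2e + m). Passing e forces a chosen error.
    a = [rng.randrange(Q) for _ in range(N)]
    if e is None:
        e = rng.randint(-B, B)
    b = (sum(x * y for x, y in zip(a, t)) + 2 * e + m) % Q
    return a, b

def noise_term(t, ct):
    # b - <a,t> mod Q, centered: equals 2e + m while |2e + m| < Q/2.
    a, b = ct
    return centered(b - sum(x * y for x, y in zip(a, t)))

def dec(t, ct):
    return noise_term(t, ct) % 2

def add(ct1, ct2):
    # c_add = c + c': the noise terms add, the bits add mod 2.
    (a1, b1), (a2, b2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q

if __name__ == "__main__":
    t = keygen()
    c0, c1 = enc(t, 1), enc(t, 1)
    print("1 + 1 mod 2 ->", dec(t, add(c0, c1)))
    print("e just above q/4 flips 0 to", dec(t, enc(t, 0, e=Q // 4 + 1)))
```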

20 Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
$\langle c, s \rangle \cdot \langle c', s \rangle = (2e+m) \cdot (2e'+m')$

21 Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
$\langle c, s \rangle \cdot \langle c', s \rangle = mm' + 2(em' + e'm + 2ee')$, with $E = em' + e'm + 2ee'$
Quadratic equation in the variables $s[i]$

22 Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = ?$
$\langle c \otimes c', s \otimes s \rangle = mm' + 2(em' + e'm + 2ee')$, with $E = em' + e'm + 2ee'$
Tensor Product: $c \otimes c' = (c[1] \cdot c'[1], \ldots, c[i] \cdot c'[j], \ldots, c[n+1] \cdot c'[n+1])$
$c, c'$ live in $(n+1)$ dim → $c \otimes c'$ lives in $(n+1)^2$-dim
KEY FACT: $\langle c, s \rangle \cdot \langle c', s \rangle = \langle c \otimes c', s \otimes s \rangle$

23 Multiplicative Homomorphism
CT = c: $\langle c, s \rangle = 2e + m$
CT’ = c’: $\langle c', s \rangle = 2e' + m'$
Claim: $c_{mult} = c \otimes c'$
$\langle c \otimes c', s \otimes s \rangle = mm' + 2(em' + e'm + 2ee')$, with $E = em' + e'm + 2ee'$
⇒ $\mathrm{Dec}(s \otimes s, c_{mult}) = 2E + mm' \pmod 2 = mm' \pmod 2$
Problem: Ciphertext size blows up! ($\mathbb{Z}_q^{n+1} \to \mathbb{Z}_q^{(n+1)^2}$)

24 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s$ (or of a new secret $s'$) that represent these quadratic functions.

25 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s'$ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set $sk = (t, t')$.
Evaluation key evk: $\forall i,j.\ \mathrm{Enc}_{t'}(s[i]s[j])$

26 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s'$ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set $sk = (t, t')$.
Evaluation key evk: sample $A_{i,j}, E_{i,j}$
$\forall i,j.\ (A_{i,j},\ B_{i,j} = \langle A_{i,j}, t' \rangle + 2E_{i,j} + s[i]s[j])$
LWE ⇒ Security still holds.

27 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s'$ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set $sk = (t, t')$.
Evaluation key evk: sample $A_{i,j}, E_{i,j}$
$\forall i,j.\ B_{i,j} - \langle A_{i,j}, t' \rangle = 2E_{i,j} + s[i]s[j]$

28 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s'$ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set $sk = (t, t')$.
Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s' \rangle \approx s[i]s[j]$
(denoting $s' = (-t', 1)$ and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before)

29 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Key Idea [BV’11]: Relinearization
Find linear functions of $s'$ that represent these quadratic func.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set $sk = (t, t')$.
Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s' \rangle \approx s[i]s[j]$ (left side: linear fn in $s'$; right side: quadratic fn in $s$)
Plug back into quadratic equation: $\langle \sum c_{mult}[i,j] \cdot C_{i,j},\ s' \rangle \approx 2 \cdot \mathrm{Error} + mm'$. Linear in $s'$.
Cheating Alert

30 Multiplicative Homomorphism
$\langle c_{mult}, s \otimes s \rangle = 2E + mm'$
Plug back into quadratic equation: $\langle \sum c_{mult}[i,j] \cdot C_{i,j},\ s' \rangle \approx mm' + 2 \cdot \mathrm{Error}$. Linear in $s'$.
Homomorphic Mult:
1. First compute $c_{mult} = c \otimes c'$
2. Compute and output $\sum c_{mult}[i,j] \cdot C_{i,j}$ (where $C_{i,j}$ are from the evaluation key)
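
Tensoring and relinearization from slides 22–30, as an added Python example (not code from the talk). It goes one step beyond the slide-30 formula: the evaluation key holds encryptions of 2^k·s[i]s[j] and the tensored coefficients are bit-decomposed, which is this example's assumption about how the “Cheating Alert” is resolved and keeps the added error near the n² B log q term of slide 31; parameters, the seeded RNG and function names are illustrative and insecure.

```python
import random

# Toy parameters assumed for this example; far too small to be secure.
N, Q, B = 8, 2**20 + 1, 2
L = Q.bit_length()             # bits needed for a coefficient mod Q
rng = random.Random(7)         # seeded, non-cryptographic RNG: demo only

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def centered(x):
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    # s = (-t, 1) with short t, so <c, s> = b - <a, t>.
    return [-rng.randint(-B, B) for _ in range(N)] + [1]

def enc(s, value):
    # c = (a, b) with <c, s> = 2e + value (mod Q); value need not be a bit.
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    return a + [(2 * e + value - dot(a, s[:N])) % Q]

def dec(s, c):
    return centered(dot(c, s)) % 2

def make_evk(s, s_new):
    # evk[i][j][k] encrypts 2^k * s[i]*s[j] under the new secret s_new.
    return [[[enc(s_new, (1 << k) * s[i] * s[j]) for k in range(L)]
             for j in range(N + 1)] for i in range(N + 1)]

def mult(c1, c2, evk):
    # Tensor, then relinearize: add evk[i][j][k] for every set bit k of
    # coefficient [i,j] of c1 (x) c2. The result has N+1 entries again.
    out = [0] * (N + 1)
    for i in range(N + 1):
        for j in range(N + 1):
            coeff = c1[i] * c2[j] % Q
            for k in range(L):
                if coeff >> k & 1:
                    out = [(x + y) % Q for x, y in zip(out, evk[i][j][k])]
    return out

if __name__ == "__main__":
    s, s_new = keygen(), keygen()
    evk = make_evk(s, s_new)
    print("1 * 1 ->", dec(s_new, mult(enc(s, 1), enc(s, 1), evk)))
```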

31 The Reservoir Analogy (How homomorphic is this?)
[Figure: reservoir between noise = 0 and noise = q/2; initial noise = $\xi$]
Additive Homomorphism: $\xi \to 2\xi$
Mult. Homomorphism: $\xi \to \xi^2 + n^2 B \log q \sim \xi^2$
AFTER d LEVELS: noise B → (worst case)
[Labels: Correctness, Security]

32 The Reservoir Analogy (How homomorphic is this?)
[Figure: reservoir between noise = 0 and noise = q/2; initial noise = $\xi$]
Additive Homomorphism: $\xi \to 2\xi$
Mult. Homomorphism: $\xi \to \xi^2 + n^2 B \log q \sim \xi^2$
AFTER d LEVELS: noise B → (worst case)

33 Wrap Up: Somewhat Homomorphism
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption
Evaluate Boolean circuits of mult. depth $D = \varepsilon \log n$ [BV11]
$SK = (sk_1, \ldots, sk_D)$
$EVK = (evk_1, \ldots, evk_D)$, where $D$ is the max mult depth
Encrypt using $sk_1$; Decrypt using $sk_D$
Each Mult Level: Tensor and Relinearize
[Figure: $\mathrm{Enc}(sk_1, x)$ enters circuit C of mult depth D; output $\mathrm{Enc}(sk_D, C(x))$]

34 The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Evaluate arithmetic circuits of depth $d = \varepsilon \log n$
Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth $d = n^{\varepsilon}$
“Bootstrapping” Method
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Labels: STEP 1, STEP 2, STEP 3]

35 Bootstrapping
Bootstrapping Theorem [Gen09]
– If you can homomorphically evaluate depth d circuits (you have a d-HE) and
– the depth of your decryption circuit < d
⇒* FHE

36 Bootstrapping
“Homomorphic enough” Encryption ⇒ FHE
Bootstrapping Theorem [Gen09]: d-HE with decryption depth < d ⇒* FHE
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
[Figure: reservoir with levels noise = 0, noise = $B_{dec}$, noise = q/2]
Say $n(B_{dec})^2 < q/2$

37 Bootstrapping
“Homomorphic enough” Encryption ⇒ FHE
Bootstrapping Theorem [Gen09]: d-HE with decryption depth < d ⇒* FHE
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
[Figure: reservoir with levels noise = 0, noise = $B_{dec}$, noise = q/2]
Say $n(B_{dec})^2 < q/2$

38 Bootstrapping: How
“Best Possible” Noise Reduction = Decryption!
[Figure: Decryption Circuit Dec with inputs CT (“Very Noisy” ciphertext) and SK, output m (“Noiseless ciphertext”)]
But the evaluator does not have SK!

39 Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
[Figure: Dec evaluated homomorphically on CT and $\mathrm{Enc}_{PK}(SK)$, output $\mathrm{Enc}_{PK}(m)$]
Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”) *
Noise = $B_{input}$ → Noise = $B_{dec}$
$B_{dec}$ independent of $B_{input}$

40 The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Evaluate arithmetic circuits of depth $d = \varepsilon \log n$
Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth $d = n^{\varepsilon}$
“Bootstrapping” Method
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Labels: STEP 1, STEP 2, STEP 3]

41 Boosting Depth from $\log n$ to $n^{\varepsilon}$ (in one slide)
The Culprit: Multiplication
– Increases error from $B$ to about $B^2$
Let us pause for a moment: Is $B^2 > B$?
– Not if $B < 1$!
Why not scale ciphertexts by $q$ and work over $[0,1)$?
– Quite amazingly, this works out and gives us an error growth of $B \to nB$
– Error grows singly exponentially with circuit depth

42 The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Evaluate arithmetic circuits of depth $d = \varepsilon \log n$
Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth $d = n^{\varepsilon}$
“Bootstrapping” Method
“Homomorphic enough” Encryption ⇒* FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Labels: STEP 1, STEP 2, STEP 3]

43 Lattices are awesome!
BASIC CRYPTO
[Ajtai’96, Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05] One-way functions, hash functions, public-key encryption
[Ajtai’99, Gentry-Peikert-V’08, Peikert-V-Waters’08] Trapdoor functions, Identity-based Encryption, secure computation
[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12] Fully Homomorphic Encryption
[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13] Attribute-based and Functional Encryption
THIS TALK
[Garg-GHRSW’13] Program Obfuscation
ADVANCED CRYPTO

44 Thank you very much!

45 Modulus Reduction
“Homomorphic enough” Encryption ⇒ FHE
Modulus Reduction Theorem [BV11b,BGV12]: SwHE that evaluates Boolean circuits of depth $d = n^{\varepsilon}$
Wishful thinking: $q = B^{10}$, noise $= B^8$ → $q' = B^3$, noise’ $= B$
Shrink Noise and Noise Ceiling by same factor
noise’ $= B + p(n)$
[Figure: CT → CT’; labels NO MULT, ONE MULT]

46 Modulus Reduction
Wishful thinking: $q = B^{10}$, noise $= B^8$ → $q' = B^3$, noise’ $= B + p(n)$
Can we do this?
– Cannot arbitrarily reduce noise (because of the $p(n)$ factor)
– Hardness depends only on $q/B$.

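47 Modulus Reduction
[Figure: reservoir from noise = 0; initial noise = $\xi$; after a multiplication $\xi^2$; ceiling moves from $q$ to $q/\xi$; final noise = $\xi$]
Homomorphism: $(q, \xi) \to (q, \approx \xi^2)$
Modulus Reduction: $(q, \xi^2) \to (q/\xi, \xi)$
LEVEL i → LEVEL i+1
AFTER d LEVELS: $(q, B) \to (q/(nB \log q)^{O(d)}, B)$
$d \le \log q / \log(nB) \le n^{\varepsilon} / \log n$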

48 Modulus Reduction: Details
“Homomorphic enough” Encryption ⇒ FHE
Modulus Reduction Algorithm [BV11b,BGV12]: Transform a $(q, B^2)$ ciphertext into a $(q' \approx q/nB, B)$ one
Let $c$ be a ciphertext s.t. $\langle c, s \rangle = 2e + m \pmod q$
Assume that the secret key $s$ has entries bounded by $B$. (ok by fact 2)
Modulus Reduction Algorithm:
– Compute $(q'/q)\,c$
– Round to the closest integer vector $c'$ such that $c' = c \bmod 2$

49 Modulus Reduction: Details
Let $c$ be a ciphertext s.t. $\langle c, s \rangle = 2e + m \pmod q$
Modulus Reduction Algorithm:
– Compute $(q'/q)\,c$
– Round to the closest integer vector $c'$ such that $c' = c \bmod 2$
Proof:
$\langle c, s \rangle = 2e + m + q\mathbb{Z}$ (original dec eqn)
$\langle (q'/q)\,c, s \rangle = (q'/q)(2e + m) + q'\mathbb{Z}$ (scaled)
$\langle c', s \rangle = (q'/q)(2e + m) + E_{round} \pmod{q'}$
New Error $= (q'/q) \cdot$ (Old Error) $+$ ($E_{round} \le Bn$), as promised!
$c'$ decrypts to $m$, since $c' = c \bmod 2$, and $\langle c', s \rangle = \langle c, s \rangle \bmod 2$
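
The modulus reduction algorithm of slides 48–49, as an added Python example (not code from the talk). Assumed for illustration: toy moduli q = 2^30 + 3 and q' = 2^14 + 3 (both odd, so removing the multiple of q or q' does not change parity), n = 16, B = 2, the seeded RNG and all function names.

```python
import random
from fractions import Fraction

# Toy parameters assumed for this example; far too small to be secure.
N, B = 16, 2
Q, Q_NEW = 2**30 + 3, 2**14 + 3   # old and new modulus, both odd
rng = random.Random(3)            # seeded, non-cryptographic RNG: demo only

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def noise(s, c, q):
    """<c, s> mod q lifted to (-q/2, q/2]; equals 2e + m when small."""
    x = dot(c, s) % q
    return x - q if x > q // 2 else x

def dec(s, c, q):
    return noise(s, c, q) % 2

def keygen():
    # s = (-t, 1) with entries of t bounded by B, as slide 48 assumes.
    return [-rng.randint(-B, B) for _ in range(N)] + [1]

def enc_noisy(s, m, e):
    # Ciphertext mod Q with a chosen large error e, as after a multiplication.
    a = [rng.randrange(Q) for _ in range(N)]
    return a + [(2 * e + m - dot(a, s[:N])) % Q]

def mod_reduce(c):
    # Scale each entry by q'/q exactly, then round to the nearest integer
    # that has the same parity as the original entry (c' = c mod 2).
    out = []
    for ci in c:
        x, p = Fraction(Q_NEW * ci, Q), ci % 2
        out.append(2 * round((x - p) / 2) + p)
    return out

if __name__ == "__main__":
    s = keygen()
    c = enc_noisy(s, 1, e=2**19)
    c2 = mod_reduce(c)
    print("noise mod q :", noise(s, c, Q))
    print("noise mod q':", noise(s, c2, Q_NEW), "-> bit", dec(s, c2, Q_NEW))
```

Each rounded entry is within 1 of its scaled value, so the rounding error is at most the sum of |s[i]|, which is the E_round ≤ Bn term of slide 49.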

50 Putting Together: Leveled FHE
$SK = (sk_1, \ldots, sk_D)$
$EVK = (evk_1, \ldots, evk_D)$, where $D$ is the max mult depth
Encrypt using $sk_1$; Decrypt using $sk_D$
Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus
[Figure: $\mathrm{Enc}(sk_1, x)$ enters circuit C of mult depth D; output $\mathrm{Enc}(sk_D, C(x))$]
This works for depth $D \le n^{\varepsilon}$

51 Putting Together: Leveled FHE
$SK = (sk_1, \ldots, sk_D)$
$EVK = (evk_1, \ldots, evk_D)$, where $D$ is the max mult depth
Encrypt using $sk_1$; Decrypt using $sk_D$
Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus
[Figure: $\mathrm{Enc}(sk_1, x)$ enters circuit C of mult depth D; output $\mathrm{Enc}(sk_D, C(x))$]
Bootstrapping + Circular Security => FHE.

