Lattices, Cryptography and Computing with Encrypted Data

Presentation transcript:

Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T

Decoding Random Linear Codes / Decoding Lattices. [Figure: $As + e$, where $e$ is a “small” error.] Combinatorially nice: optimal rate etc. Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

TODAY: Lattice-based Cryptography

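Learning With Errors (LWE). (search) $\mathrm{LWE}_{n,q,B}$ [Regev’05]: For a random secret $s \in \mathbb{Z}_q^n$, the oracle $O_s$ outputs $(a_1, b_1 = \langle a_1, s\rangle + e_1)$, $(a_2, b_2 = \langle a_2, s\rangle + e_2)$, …, $(a_m, b_m = \langle a_m, s\rangle + e_m)$. Find $s$. Each sample is a “noisy” random linear equation: the $a_i$ are uniformly random in $\mathbb{Z}_q^n$ and the error is “small”, $|e_1| < B$. [Figure: the samples stacked as $As + e$, with rows $a_1, a_2, …, a_m$.]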

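Learning With Errors (LWE). (decisional) $\mathrm{LWE}_{n,q,B}$: For a random secret $s \in \mathbb{Z}_q^n$, the oracle $O_s$ outputs $(a_1, b_1 = \langle a_1, s\rangle + e_1)$, $(a_2, b_2 = \langle a_2, s\rangle + e_2)$, …, $(a_m, b_m = \langle a_m, s\rangle + e_m)$, and the oracle $O_{rand}$ outputs $(a_1, u_1)$, $(a_2, u_2)$, …, $(a_m, u_m)$ with each $u_i$ random in $\mathbb{Z}_q$. Theorem [Reg05, Pei09]: Decisional LWE is as hard as Search.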

LWE/Lattice-based Cryptography. Robust: no sub-exponential or quantum attacks. Based on worst-case hardness: solve LWE on average ⇒ solve in worst-case approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13]. Amazingly versatile: advanced crypto (Homomorphic Encryption, Functional Encryption, Software Obfuscation, …); only known constructions use lattices. THIS TALK.

Today, I will talk about building cryptography on a different foundation, namely lattice-based cryptography. There are a number of reasons why lattice-based cryptography is attractive. First of all, as far as we know, the lattice-based schemes are resistant to quantum attacks. Secondly, the basic operation in such schemes is addition and multiplication of small integers, and thus the schemes tend to be simple and very efficient. Thirdly, I advocate lattice-based cryptography because of my grandma’s advice: namely, never put all your eggs in the same basket. And a fourth and theoretically very important reason is that the security of lattice-based schemes is based on worst-case hardness assumptions.

Warmup: Secret-key Encryption. [Figure: message M; C = Enc(sk, M) on one side, M = Dec(sk, C) on the other; both parties hold the secret key sk; an eavesdropper sits on the channel.] Semantic Security [GM’82]: Encryptions of any $M_0$ and $M_1$ are “computationally indistinguishable”. Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s\rangle) \pmod 2$. Correctness: $b - \langle a, s\rangle = b - \sum_i a[i]\cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$) ⇒ decryption succeeds if $e < q/4$.

Secret-key Encryption from LWE.
KeyGen: Sample a random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t.
Bit Encryption $\mathrm{Enc}_{sk}(m)$: Sample uniformly random $a \in \mathbb{Z}_q^n$ and “short” noise $e \in \mathbb{Z}_q$. The ciphertext is $CT = (a,\ b = \langle a, t\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. Semantic security from LWE.
Decryption $\mathrm{Dec}_{sk}(CT)$: Output $(b - \langle a, t\rangle \bmod q) \bmod 2$.
Correctness: $b - \langle a, t\rangle \bmod q = 2e + m \bmod q = 2e + m$ (as long as $|2e + m| < q/2$).

Encryption is all-or-nothing: have the secret key, can decrypt message M; no secret key, no go.

Fully Homomorphic Encryption. Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78] A powerful server / cloud is given Enc(data) and F and returns Enc(F(data)): Enc(data), F → Enc(F(data)).
[Goldwasser-Micali’82, …]: Additively homomorphic.
[El Gamal’85, …]: Multiplicatively homomorphic.
[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices).

The Big Picture. STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]. Evaluate arithmetic circuits of depth $d = \varepsilon \log n$ ($0 < \varepsilon < 1$ is a constant, and $n$ is the security parameter). [Figure: EVAL applied to a circuit C of depth $d = \varepsilon \log n$.]

The Big Picture. STEP 2: “Bootstrapping” Theorem [Gen09] (qualitative): “Homomorphic enough” encryption ⇒* FHE. Homomorphic enough = can evaluate its own Dec circuit (plus some). [Figure: the decryption circuit Dec takes CT and sk and outputs msg; EVAL applied to a circuit C.] $n$ is a security parameter.

The Big Picture.
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, BGV12, LTV12, GHS’12]. Evaluate arithmetic circuits of depth $d = \varepsilon \log n$.
STEP 2: “Bootstrapping” method. “Homomorphic enough” encryption ⇒* FHE. Homomorphic enough = can evaluate its own Dec circuit (plus some).
STEP 3: Depth Boosting / Modulus Reduction [BV11b]. Boost the SwHE to depth $d = n^{\varepsilon}$.
$n$ is a security parameter.

Additive Homomorphism. Look at ciphertexts through the decryption lens: for CT = (a, b) and CT’ = (a’, b’), $b - \langle a, t\rangle = 2e + m$ and $b' - \langle a', t\rangle = 2e' + m'$. Let $c = (a, b)$, $c' = (a', b')$ and $s = (-t, 1)$; then $\langle c, s\rangle = 2e + m$ and $\langle c', s\rangle = 2e' + m'$.
Claim: $c_{add} = c + c'$.
Proof: $\langle c, s\rangle = 2e + m$ and $\langle c', s\rangle = 2e' + m'$, so $\langle c + c', s\rangle = 2(e + e') + (m + m')$. Writing $E = e + e'$, $\mathrm{Dec}_s(c_{add}) = 2E + (m + m') \pmod 2 = (m + m') \pmod 2$.

Multiplicative Homomorphism. CT = c and CT’ = c’ with $\langle c, s\rangle = 2e + m$ and $\langle c', s\rangle = 2e' + m'$. Claim: $c_{mult} = {?}$
Multiply the two decryption equations: $\langle c, s\rangle \cdot \langle c', s\rangle = (2e + m)\cdot(2e' + m') = mm' + 2(em' + e'm + 2ee')$, where $E = em' + e'm + 2ee'$. This is a quadratic equation in the variables $s[i]$.
Tensor Product: $c \otimes c' = (c[1]\cdot c'[1], …, c[i]\cdot c'[j], …, c[n+1]\cdot c'[n+1])$. $c, c'$ live in $(n+1)$ dimensions → $c \otimes c'$ lives in $(n+1)^2$ dimensions.
KEY FACT: $\langle c, s\rangle \cdot \langle c', s\rangle = \langle c \otimes c', s \otimes s\rangle$.
Claim: $c_{mult} = c \otimes c'$. Indeed $\langle c \otimes c', s \otimes s\rangle = mm' + 2(em' + e'm + 2ee')$ ⇒ $\mathrm{Dec}(s \otimes s, c_{mult}) = 2E + mm' \pmod 2 = mm' \pmod 2$.
Problem: Ciphertext size blows up! ($\mathbb{Z}_q^{n+1} \to \mathbb{Z}_q^{(n+1)^2}$)
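The secret-key scheme and the two homomorphisms above, as an added Python example (not code from the talk). The parameters Q, N, B and every function name are choices made for this sketch and are far too small to be secure; it checks that the sum decrypts to m+m' mod 2, that the tensor product decrypts to mm' under the key s ⊗ s, and reports how the noise and the ciphertext length grow.

```python
import random

Q, N, B = 65537, 8, 4   # toy parameters assumed for this example; not secure

def keygen(rng):
    """Sample a "short" t and return the decryption vector s = (-t, 1)."""
    t = [rng.choice((-1, 0, 1)) for _ in range(N)]
    return [-x for x in t] + [1]

def encrypt(s, m, rng):
    """CT = (a, b = <a,t> + 2e + m mod q) for a bit m, with |e| <= B."""
    t = [-x for x in s[:-1]]
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    b = (sum(x * y for x, y in zip(a, t)) + 2 * e + m) % Q
    return a + [b]

def lens(c, s):
    """<c, s> mod q centred into (-q/2, q/2]; equals 2e + m while noise is small."""
    x = sum(ci * si for ci, si in zip(c, s)) % Q
    return x - Q if x > Q // 2 else x

def decrypt(c, s):
    return lens(c, s) % 2

def add(c1, c2):
    """c_add = c + c' (entrywise, mod q)."""
    return [(x + y) % Q for x, y in zip(c1, c2)]

def tensor(u, v):
    """u (x) v: all pairwise products u[i]*v[j], so the length is squared."""
    return [(x * y) % Q for x in u for y in v]

def demo(seed=1):
    rng = random.Random(seed)
    s = keygen(rng)
    ss = tensor(s, s)                      # key s (x) s for product ciphertexts
    rows = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(s, m1, rng), encrypt(s, m2, rng)
            c_add, c_mul = add(c1, c2), tensor(c1, c2)
            rows.append((m1, m2, decrypt(c_add, s), decrypt(c_mul, ss),
                         abs(lens(c_add, s)), abs(lens(c_mul, ss)),
                         len(c1), len(c_mul)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print("m=%d m'=%d  add->%d mult->%d  |noise| add=%d mult=%d  len %d -> %d" % row)
```

Decryption stays correct only while the centred value stays below q/2: the product noise here is bounded by (2B+1)^2, which is why Q was chosen much larger than that.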

Multiplicative Homomorphism: Relinearization. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$.
Key Idea [BV’11]: Relinearization. Find linear functions of $s$, or of a new secret $s'$, that represent these quadratic functions.
New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’).
Evaluation key evk: $\forall i,j$: $\mathrm{Enc}_{t'}(s[i]\cdot s[j])$. That is, sample $A_{i,j}$, $E_{i,j}$ and set $(A_{i,j},\ B_{i,j} = \langle A_{i,j}, t'\rangle + 2E_{i,j} + s[i]\cdot s[j])$ for all $i,j$. LWE ⇒ security still holds.
Through the decryption lens: $B_{i,j} - \langle A_{i,j}, t'\rangle = 2E_{i,j} + s[i]\cdot s[j]$, i.e. $\langle C_{i,j}, s'\rangle \approx s[i]\cdot s[j]$ (denoting $s' = (-t', 1)$ and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before). The left side is a linear function (in $s'$); the right side is a quadratic function (in $s$).
Cheating alert. Plug back into the quadratic equation: $\langle \sum_{i,j} c_{mult}[i,j]\cdot C_{i,j},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$, which is linear in $s'$.
Homomorphic Mult: First compute $c_{mult} = c \otimes c'$. Then compute and output $\sum_{i,j} c_{mult}[i,j]\cdot C_{i,j}$ (where the $C_{i,j}$ are from the evaluation key).

The Reservoir Analogy (How homomorphic is this?). Additive homomorphism: $\xi \to 2\xi$. Mult. homomorphism: $\xi \to \xi^2 + n^2 B \log q$. AFTER d LEVELS: noise B → (worst case). [Figure: a reservoir with levels noise = 0, initial noise = $\xi$, $2\xi$, ~$\xi^2$ and ceiling noise = q/2; labels “Correctness” and “Security”.]

Wrap Up: Somewhat Homomorphism. STEP 1: “Somewhat Homomorphic” (SwHE) Encryption [BV11]. Evaluate Boolean circuits of mult. depth $D = \varepsilon \log n$. $EVK = (evk_1, …, evk_D)$, where D is the max mult depth; $SK = (sk_1, …, sk_D)$. Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$. Each mult level of the circuit C (mult depth D): tensor and relinearize. Decrypt using $sk_D$: $\mathrm{Enc}(sk_D, C(x))$.


Bootstrapping. Bootstrapping Theorem [Gen09]: If you can homomorphically evaluate depth d circuits (you have a d-HE) and the depth of your decryption circuit < d ⇒* FHE. Very general theorem, independent of which encryption scheme you use.

Bootstrapping = “Valve” at a fixed height (that depends on decryption depth). Bootstrapping Theorem [Gen09]: d-HE with decryption depth < d ⇒* FHE, i.e. “homomorphic enough” encryption ⇒ FHE. Say $n(B_{dec})^2 < q/2$. [Figure: reservoir with levels noise = 0, noise = $B_{dec}$ and noise = q/2.]

Bootstrapping: How. “Best possible” noise reduction = decryption! [Figure: the decryption circuit Dec takes the “very noisy” ciphertext CT and SK and outputs m, a “noiseless ciphertext”.] But the evaluator does not have SK!

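Bootstrapping, Concretely. Next best = homomorphic decryption! Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”.) * [Figure: the Dec circuit is evaluated homomorphically on CT (noise = $B_{input}$) and $\mathrm{Enc}_{PK}(SK)$, and outputs $\mathrm{Enc}_{PK}(m)$ with noise = $B_{dec}$.] $B_{dec}$ is independent of $B_{input}$.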


Boosting Depth from $\log n$ to $n^{\varepsilon}$ (in one slide). The culprit: multiplication increases error from $B$ to about $B^2$. Let us pause for a moment: Is $B^2 > B$? Not if $B < 1$! Why not scale ciphertexts by q and work over [0,1)? Quite amazingly, this works out and gives us an error growth of $B \to nB$. Error grows singly exponentially with circuit depth.


Lattices are awesome!
BASIC CRYPTO [Ajtai’96, Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]: One-way functions, hash functions, public-key encryption.
ADVANCED CRYPTO [Ajtai’99, Gentry-Peikert-V’08, Peikert-V-Waters’08]: Trapdoor functions, Identity-based Encryption, secure computation.
THIS TALK [Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]: Fully Homomorphic Encryption.
[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]: Attribute-based and Functional Encryption.
[Garg-GHRSW’13]: Program Obfuscation.

Thank you very much!

Modulus Reduction. Modulus Reduction Theorem [BV11b, BGV12]: SwHE that evaluates Boolean circuits of depth $d = n^{\varepsilon}$ (“homomorphic enough” encryption ⇒ FHE). Shrink noise and noise ceiling by the same factor. [Figure: CT with $q = B^{10}$ and noise = $B^8$ is mapped to CT’ with $q' = B^3$; wishful thinking: noise’ = $B$; in fact noise’ = $B + p(n)$. Labels: ONE MULT, NO MULT.]

Modulus Reduction: can we do this? Cannot arbitrarily reduce noise (because of the $p(n)$ factor). Hardness depends only on $q/B$: going from wishful thinking to $B + \mathrm{poly}(n)$, we are keeping the hardness the same.

Modulus Reduction. $\mathrm{LEVEL}_i \to \mathrm{LEVEL}_{i+1}$: Homomorphism: $(q, \xi) \to (q, \approx \xi^2)$. Modulus reduction: $(q, \xi^2) \to (q/\xi, \xi)$. AFTER d LEVELS: $(q, B) \to (q/(nB\log q)^{O(d)}, B)$, so $d \le \log q / \log(nB) \le n^{\varepsilon}/\log n$. [Figure: reservoir with levels noise = 0, initial noise = $\xi$, $\xi^2$, ceiling $q/\xi$, final noise = $\xi$.]

Modulus Reduction: Details. Modulus Reduction Algorithm [BV11b, BGV12]: Transform a $(q, B^2)$ ciphertext into a $(q' \approx q/nB,\ B)$ one. Let $c$ be a ciphertext s.t. $\langle c, s\rangle = 2e + m \pmod q$. Assume that the secret key $s$ has entries bounded by $B$ (ok by fact 2).
Modulus Reduction Algorithm: Compute $(q'/q)\cdot c$. Round to the closest integer vector $c'$ such that $c' = c \bmod 2$.
Proof:
$\langle c, s\rangle = 2e + m + q\mathbb{Z}$ (original dec eqn)
$(q'/q)\cdot\langle c, s\rangle = (q'/q)\cdot(2e + m) + q'\mathbb{Z}$ (scaled)
$\langle c', s\rangle = (q'/q)\cdot(2e + m) + E_{round} \pmod{q'}$
New Error = $(q'/q)\cdot$(Old Error) + $E_{round}$ with $E_{round} \le Bn$, as promised! $c'$ decrypts to $m$, since $c' = c \bmod 2$ and $\langle c', s\rangle = \langle c, s\rangle \bmod 2$.
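The rounding step of the modulus reduction algorithm above, as an added Python example (not code from the talk). The moduli, the error size and all function names are constructed for this sketch, and it assumes q and q' are both odd, a condition the slide does not state, so that the multiple of q that is dropped and the multiple of q' that replaces it have the same parity.

```python
import random

def noise(c, s, q):
    """<c, s> mod q centred into (-q/2, q/2]; decryption is noise mod 2."""
    x = sum(ci * si for ci, si in zip(c, s)) % q
    return x - q if x > q // 2 else x

def make_ct(s, m, e, q, rng):
    """Constructed ciphertext with <c, s> = 2e + m (mod q) for s = (-t, 1)."""
    a = [rng.randrange(q) for _ in s[:-1]]
    b = (2 * e + m - sum(x * y for x, y in zip(a, s[:-1]))) % q
    return a + [b]

def mod_reduce(c, q, q2):
    """Scale c by q2/q, rounding each entry to the nearest integer of equal parity."""
    out = []
    for ci in c:
        p = ci % 2                              # parity that c' must preserve
        r = (q2 * ci + q - p * q) // (2 * q)    # nearest integer to (q2*ci/q - p)/2
        out.append(2 * r + p)                   # within distance 1 of q2*ci/q
    return out

def demo(seed=3, q=1_000_003, q2=1_001, n=8):
    # q and q2 are both odd (assumption of this example); s is short, so the
    # rounding term |<c' - (q2/q)c, s>| is at most the l1 norm of s.
    rng = random.Random(seed)
    s = [rng.choice((-1, 0, 1)) for _ in range(n)] + [1]
    rows = []
    for m in (0, 1):
        for e in (100_000, -100_000):           # large error, as after a multiplication
            c = make_ct(s, m, e, q, rng)
            c2 = mod_reduce(c, q, q2)
            rows.append((m, noise(c, s, q), noise(c2, s, q2)))
    return s, rows

if __name__ == "__main__":
    s, rows = demo()
    for m, old, new in rows:
        print(f"m={m}  noise mod q = {old:>8}  noise mod q' = {new:>5}  decrypts to {new % 2}")
```

The new noise is about (q'/q) times the old noise plus a rounding term bounded by the l1 norm of s, which is the slide's "New Error" line; rounding to the plain nearest integer instead would lose the parity guarantee and with it the message bit.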

Putting Together: Leveled FHE. $EVK = (evk_1, …, evk_D)$, where D is the max mult depth; $SK = (sk_1, …, sk_D)$. Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$. Each mult level of the circuit C (mult depth D): tensor, relinearize using $evk_i$, reduce modulus. Decrypt using $sk_D$: $\mathrm{Enc}(sk_D, C(x))$. $n$ is a security parameter. This works for depth $D \le n^{\varepsilon}$. Bootstrapping + Circular Security ⇒ FHE.