Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Simple BGN-Type Cryptosystem from LWE

Published byTaylor Rooney Modified over 10 years ago

Similar presentations

Presentation on theme: "A Simple BGN-Type Cryptosystem from LWE"— Presentation transcript:

1 A Simple BGN-Type Cryptosystem from LWE
Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research

2 Perspective

3 Homomorphic Encryption in three easy steps [G’09]
Step 1: Encryption from linear codes SK/PK are Good/Bad representation of code Bad representation, can’t tell words close to code from random Good representation can be used to correct many errors Additive homomorphism “for free” Step 2: ECC lives inside a ring We have both additive, multiplicative sructure If code is an ideal, also multiplicative homomorphism for low-degree polynomials Step 3: Bootstrapping, Squashing, etc.

4 Instances of this Paradigm
Ring of polynomials [G’09] Ring of integers [vDGHV’10] This work: how about ring of matrices? Doesn’t quite work like the others We only get additive-HE + one multiplication Quadratic formulas, as in [BGN’05] But more efficient and more flexible Can be made leakage-resilient, identity-based

5 Background

6 Learning with Errors (LWE)
n – security parameter q  poly(n) m > n log q c A s x = m + mod q random mod q small Search-LWE: Given A,c, find s,x [R’05, P’09] As hard as worst-case of some lattice problems

7 Learning with Errors (LWE)
n – security parameter q  poly(n) m > n log q c A s x = mod q m + c close to the linear code spanned by A random mod q small Decision-LWE: Distinguish c from random [R’05] as hard as finding s,x For certain parameters

8 Learning with Errors (LWE)
m A S X C n = m + random mod q small Many LWE instances with same A Same hardness (easy hybrid argument)

9 Ajtai’s Trapdoors A [A’96] Given , hard to find small s.t. tA =0 mod q
As hard as worst-case of some lattice problems [A’99] But it is possible to generate together = 0 mod q [Alwen-Peikert’08] Even smaller T t T A small, full rank random

10 Trapdoor Functions [GPV’08]
(A,s,x) As+x is a trapdoor function Can use to correct errors: c = As + x Tc = T(As + x) = Tx mod q But T,x are small, so Tx << q  (Tc mod q) = Tx Equality over the integers  T-1(Tc mod q) = x T

11 Our Cryptosystem

12 Step 1: Encryption from linear ECCs
Code is the column space of mod q { As: s  Zqn } Bad representation (PK) is A itself Given A, hard to distinguish words close to the code from random words (LWE) Good representation (SK) is Can use T to correct errors T

13 Step 1: Encryption from linear ECCs
PK: , SK: Encode plaintext is LSB of error matrix Plaintext is a binary matrix Bmxm Enc(A,B): Choose random Smxn, small Emxm Dec(T,C): Set X  T-1(TC mod q) Output B = X mod 2 X C A S X = + mod q 2E+B

14 Step 1: Encryption from linear ECCs
Security follows from LWE (for odd q) Thm: LWE  For any B, EncA(B)  random Proof: Given LWE input (A,C’) Either C’=AS+E or C’ random: Set C = 2C’+B mod q If C’=AS+E then C = A(2S) + (2E+B) mod q A random encryption of B If C’ is random then so is C

15 Step 1: Encryption from linear ECCs
Additive homomorphism “for free” C = C1 + C2 = (AS1+(2E1+B1)) + (AS2+(2E2+B2)) = A(S1+S2) + 2(E1+E2)+(B1+B2) mod q T-1(TC mod q) = X = B1+B2 mod 2 As long as X <<q S X

16 Step 2: ECC lives inside a ring
Multiply C1 x C2 mod q? (AS1+(2E1+B1)) (AS2+(2E2+B2)) = A(…) + (2E1+B1)AS2 + 2(…)+B1B2 mod q Not what we wanted Cannot use T to cancel out (2E1+B1)AS2 Matrix multiplication is not commutative

17 Step 2: ECC lives inside a ring
How about C = C1 x C2t mod q? (AS1+(2E1+B1)) (AS2+(2E2+B2))t = A(…) + (…)At + 2(…)+B1B2t mod q That’s better: TCTt = TXTt mod q X = (2E1+B1)(2E2+B2)t is still small  TCTt mod q = TXTt over the integers  T-1(TCTt mod q)(Tt)-1 = X = B1B2t mod 2 X

18 What Did We Get? T A KeyGen: Generate Enc(A, B): CAS + 2E+B mod q
Add(C1,C2): CC1+C2 mod q Mult(C1,C2): CC1C2t mod q Dec(T, C): BT-1(TCTt mod q)(Tt)-1 mod 2 Can decrypt any quadratic formula with polynomially many terms With appropriate parameters

19 What Did We Get? T A KeyGen: Generate Enc(A, B): CAS + pE+B mod q
Add(C1,C2): CC1+C2 mod q Mult(C1,C2): CC1C2t mod q Dec(T, C): BT-1(TCTt mod q)(Tt)-1 mod p Can decrypt any quadratic formula with polynomially many terms With appropriate parameters Can replace 2 by any pq

20 Extensions, Applications
Can apply the [AMGH’10] transformation Get homomorphism for low-degree polynomials “Dual Regev encryption” [GPV’08] is a special case of our scheme* Leakage resilience IBE Efficient quadratic-formula homomorphism for polynomials, big-integers * After changing encoding of plaintext

21 Thank You

22 2-of-2 Decryption Alice has key-pair (A1,T1), Bob has (A2,T2)
Charlie encrypts B1 to Alice, [ C1A1S1+X1 ]q Dora encrypts B2 to Bob, [ C2A2S2+X2 ]q Zachariah Sets C* = [ C1 C2t ]q C* looks random to either Alice, Bob Pulling their keys together they can recover B1B2t B1B2t = T1-1[T1C*T2t]q (T2t)-1 mod 2 Can also “blind” C* to hide relation to C1, C2

23 Multiplying Polynomials
p(x) = p0+p1x+p2x2, q(x) = q0+q1x+q2x2 p2 p1 p0 q0 q1 q2 $ P= Q= R= p0q1+p1q0+p1q0 p0q1+p1q0 p0q0 p1q2+p2q1 $ p2q2 PQt+R=

24 Dual Regev Encryption [GPV’08]
Dual-Regev Cryptosystem is an instance of our scheme with T = A different input encoding than [GPV’08] T is no longer invertible But can still recover top-left entry in B It is known to be IBE, leakage-resilient Still true with new input encoding And now it supports quadratic formulas -u-

Download ppt "A Simple BGN-Type Cryptosystem from LWE"

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
CRYPTOGRAPHIC MULTILINEAR MAPS: APPLICATIONS, CONSTRUCTION, CRYPTANALYSIS Diamant Symposium, Doorn Netherlands Craig Gentry, IBM Joint with Sanjam Garg.

CRYPTOGRAPHIC MULTILINEAR MAPS: APPLICATIONS, CONSTRUCTION, CRYPTANALYSIS Diamant Symposium, Doorn Netherlands Craig Gentry, IBM Joint with Sanjam Garg.
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011.

On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Similar presentations

Ads by Google