A Simple BGN-Type Cryptosystem from LWE

Craig Gentry, Shai Halevi, Vinod Vaikuntanathan (IBM Research)

Perspective

Homomorphic Encryption in three easy steps [G’09]
Step 1: Encryption from linear codes. SK/PK are a good/bad representation of the code. From the bad representation one can’t tell words close to the code from random words; the good representation can be used to correct many errors. Additive homomorphism comes “for free”.
Step 2: The ECC lives inside a ring, so we have both additive and multiplicative structure. If the code is an ideal, we also get a multiplicative homomorphism for low-degree polynomials.
Step 3: Bootstrapping, squashing, etc.

Ring of polynomials [G’09]; ring of integers [vDGHV’10]. This work: how about the ring of matrices?
It doesn’t quite work like the others: we only get additive HE plus one multiplication, i.e. quadratic formulas as in [BGN’05].
But it is more efficient and more flexible, and can be made leakage-resilient and identity-based.

Background

Learning with Errors (LWE)
$n$ is the security parameter, $q = \mathrm{poly}(n)$, $m > n \log q$.
$c = As + x \pmod q$, where $A \in \mathbb{Z}_q^{m \times n}$ is random mod $q$, $s \in \mathbb{Z}_q^n$, and $x \in \mathbb{Z}^m$ is small.
Search-LWE: given $A, c$, find $s, x$. [R’05, P’09]: as hard as the worst case of some lattice problems.

Learning with Errors (LWE)
$n$ is the security parameter, $q = \mathrm{poly}(n)$, $m > n \log q$.
$c = As + x \pmod q$ with $A$ random mod $q$ and $x$ small, so $c$ is close to the linear code spanned by $A$.
Decision-LWE: distinguish $c$ from random. [R’05]: as hard as finding $s, x$, for certain parameters.

Learning with Errors (LWE)
Many LWE instances with the same $A$: $C = AS + X \pmod q$, where $A \in \mathbb{Z}_q^{m \times n}$ is random mod $q$ and $X$ is small (so $C$ is $m \times m$).
Same hardness (easy hybrid argument).

Ajtai’s Trapdoors [A’96]
Given $A$, it is hard to find a small $t$ such that $tA = 0 \pmod q$; as hard as the worst case of some lattice problems [A’99].
But it is possible to generate $A$ together with a trapdoor $T$ such that $TA = 0 \pmod q$, with $T$ small and full rank and $A$ random; [Alwen-Peikert’08] gives an even smaller $T$.

Trapdoor Functions [GPV’08]
$(A, s, x) \mapsto As + x$ is a trapdoor function. $T$ can be used to correct errors: $c = As + x$, so $Tc = T(As + x) = Tx \pmod q$.
But $T$ and $x$ are small, so $Tx \ll q$ $\Rightarrow$ $(Tc \bmod q) = Tx$ as an equality over the integers $\Rightarrow$ $T^{-1}(Tc \bmod q) = x$.

Our Cryptosystem

Step 1: Encryption from linear ECCs
The code is the column space of $A$ mod $q$: $\{As : s \in \mathbb{Z}_q^n\}$.
The bad representation (PK) is $A$ itself: given $A$, it is hard to distinguish words close to the code from random words (LWE).
The good representation (SK) is $T$: it can be used to correct errors.

Step 1: Encryption from linear ECCs
PK: $A$, SK: $T$. The plaintext is a binary matrix $B \in \{0,1\}^{m \times m}$, encoded as the LSB of the error matrix.
Enc($A$, $B$): choose random $S \in \mathbb{Z}_q^{n \times m}$ and small $E \in \mathbb{Z}^{m \times m}$; output $C = AS + X \pmod q$ with $X = 2E + B$.
Dec($T$, $C$): set $X \leftarrow T^{-1}(TC \bmod q)$; output $B = X \bmod 2$.

Step 1: Encryption from linear ECCs
Security follows from LWE (for odd $q$).
Thm: LWE $\Rightarrow$ for any $B$, $\mathrm{Enc}_A(B) \approx$ random.
Proof: given an LWE input $(A, C')$, where either $C' = AS + E$ or $C'$ is random, set $C = 2C' + B \pmod q$. If $C' = AS + E$ then $C = A(2S) + (2E + B) \pmod q$, a random encryption of $B$. If $C'$ is random then so is $C$.

Step 1: Encryption from linear ECCs
Additive homomorphism “for free”: $C = C_1 + C_2 = (AS_1 + (2E_1 + B_1)) + (AS_2 + (2E_2 + B_2)) = A(S_1 + S_2) + 2(E_1 + E_2) + (B_1 + B_2) \pmod q$.
Then $T^{-1}(TC \bmod q) = X$ and $X \bmod 2 = B_1 + B_2 \bmod 2$, as long as $X \ll q$.

Step 2: ECC lives inside a ring
Multiply $C_1 \times C_2 \pmod q$? $(AS_1 + (2E_1 + B_1))(AS_2 + (2E_2 + B_2)) = A(\ldots) + (2E_1 + B_1)AS_2 + 2(\ldots) + B_1B_2 \pmod q$.
Not what we wanted: $T$ cannot be used to cancel out $(2E_1 + B_1)AS_2$, because matrix multiplication is not commutative.

Step 2: ECC lives inside a ring
How about $C = C_1 \times C_2^t \pmod q$? $(AS_1 + (2E_1 + B_1))(AS_2 + (2E_2 + B_2))^t = A(\ldots) + (\ldots)A^t + 2(\ldots) + B_1B_2^t \pmod q$.
That’s better: $TCT^t = TXT^t \pmod q$, and $X = (2E_1 + B_1)(2E_2 + B_2)^t$ is still small $\Rightarrow$ $TCT^t \bmod q = TXT^t$ over the integers $\Rightarrow$ $T^{-1}(TCT^t \bmod q)(T^t)^{-1} = X$, and $X \bmod 2 = B_1B_2^t \bmod 2$.

What Did We Get?
KeyGen: generate $A, T$.
Enc($A$, $B$): $C \leftarrow AS + 2E + B \pmod q$.
Add($C_1$, $C_2$): $C \leftarrow C_1 + C_2 \pmod q$.
Mult($C_1$, $C_2$): $C \leftarrow C_1C_2^t \pmod q$.
Dec($T$, $C$): $B \leftarrow T^{-1}(TCT^t \bmod q)(T^t)^{-1} \bmod 2$.
Can decrypt any quadratic formula with polynomially many terms, with appropriate parameters.

What Did We Get?
KeyGen: generate $A, T$.
Enc($A$, $B$): $C \leftarrow AS + pE + B \pmod q$.
Add($C_1$, $C_2$): $C \leftarrow C_1 + C_2 \pmod q$.
Mult($C_1$, $C_2$): $C \leftarrow C_1C_2^t \pmod q$.
Dec($T$, $C$): $B \leftarrow T^{-1}(TCT^t \bmod q)(T^t)^{-1} \bmod p$.
Can decrypt any quadratic formula with polynomially many terms, with appropriate parameters.
Can replace 2 by any $p \ll q$.

Extensions, Applications
Can apply the [AMGH’10] transformation to get a homomorphism for low-degree polynomials.
“Dual Regev encryption” [GPV’08] is a special case of our scheme (after changing the encoding of the plaintext).
Leakage resilience, IBE.
Efficient quadratic-formula homomorphism for polynomials and big integers.

Thank You

2-of-2 Decryption
Alice has key pair $(A_1, T_1)$, Bob has $(A_2, T_2)$.
Charlie encrypts $B_1$ to Alice: $C_1 = [A_1S_1 + X_1]_q$. Dora encrypts $B_2$ to Bob: $C_2 = [A_2S_2 + X_2]_q$.
Zachariah sets $C^* = [C_1C_2^t]_q$. $C^*$ looks random to either Alice or Bob alone; pooling their keys they can recover $B_1B_2^t = T_1^{-1}[T_1C^*T_2^t]_q(T_2^t)^{-1} \bmod 2$.
Can also “blind” $C^*$ to hide its relation to $C_1, C_2$.
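The scheme of the “What Did We Get?” slides (KeyGen, Enc, Add, Mult, Dec) together with the 2-of-2 decryption above, as an added worked example in pure Python; this is not code from the slides or from the authors. Assumptions: toy parameters ($q = 2^{31}-1$, $n = 1$, $m = 35$) that are far too small to be secure; the trapdoor pair $(A, T)$ with $TA = 0 \pmod q$ is generated with the Micciancio-Peikert gadget construction rather than the [Alwen-Peikert’08] generator the slides cite; and, because $\det T = \pm q^n$ for that construction, Dec is carried out with the integer matrix $q^n T^{-1}$ instead of rational arithmetic. All function names (keygen, encrypt, hadd, hmul, decrypt, run_demo) are this example's own.

```python
import random
from fractions import Fraction

# Toy parameters, an assumption of this example (far too small to be secure).
Q = 2**31 - 1        # odd prime modulus
N = 1                # LWE secret dimension: A is M x N
MBAR = 4             # rows of A outside the gadget block
K = Q.bit_length()   # gadget length, 2^K > Q
W = N * K            # width of the gadget block
M = MBAR + W         # plaintexts and ciphertexts are M x M matrices


def matmul(X, Y, mod=None):
    """Plain matrix product, optionally reduced mod `mod`."""
    Z = [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) for j in range(len(Y[0]))]
         for i in range(len(X))]
    return [[v % mod for v in row] for row in Z] if mod else Z


def transpose(X):
    return [list(col) for col in zip(*X)]


def solve(T, Y):
    """Exact rational X with T*X = Y (Gauss-Jordan elimination over Fractions)."""
    size = len(T)
    rows = [[Fraction(v) for v in T[i]] + [Fraction(v) for v in Y[i]] for i in range(size)]
    for col in range(size):
        piv = next(r for r in range(col, size) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = 1 / rows[col][col]
        rows[col] = [v * inv for v in rows[col]]
        for r in range(size):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [row[size:] for row in rows]


def keygen(rng):
    """Return (A, T, Q^N * T^{-1}): A in Z_Q^{M x N}, small full-rank T with T*A = 0 mod Q.
    Trapdoor: Micciancio-Peikert gadget construction (assumption; slides cite [Alwen-Peikert'08]),
    built in the transposed N x M orientation and transposed at the end."""
    Abar = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]       # uniform N x MBAR
    R = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in range(MBAR)]    # small MBAR x W
    G = [[(1 << (c % K)) if c // K == i else 0 for c in range(W)] for i in range(N)]  # I_N (x) (1,2,4,..)
    AR = matmul(Abar, R)
    A_t = [Abar[i] + [(G[i][c] - AR[i][c]) % Q for c in range(W)] for i in range(N)]  # [Abar | G - Abar*R]
    # SK: K x K basis of {x : (1,2,..,2^(K-1)).x = 0 mod Q}; bidiagonal (2, -1), last column = bits of Q.
    SK = [[(Q >> r) & 1 if c == K - 1 else 2 if r == c else -1 if r == c + 1 else 0
           for c in range(K)] for r in range(K)]
    SG = [[SK[r % K][c % K] if r // K == c // K else 0 for c in range(W)] for r in range(W)]
    D = [[(Abar[r // K][c] >> (r % K)) & 1 for c in range(MBAR)] for r in range(W)]  # bits, G*D = Abar
    RD, RSG = matmul(R, D), matmul(R, SG)
    # Columns of [[I - R*D, R*S_G], [-D, S_G]] annihilate A_t mod Q; the block has det Q^N.
    T_t = ([[int(i == j) - RD[i][j] for j in range(MBAR)] + RSG[i] for i in range(MBAR)]
           + [[-D[r][j] for j in range(MBAR)] + SG[r] for r in range(W)])
    A, T = transpose(A_t), transpose(T_t)
    V = [[v * Q**N for v in row] for row in solve(T, [[int(i == j) for j in range(M)] for i in range(M)])]
    assert all(v.denominator == 1 for row in V for v in row)                 # Q^N * T^{-1} is integral
    return A, T, [[int(v) for v in row] for row in V]


def encrypt(A, B, rng):
    """Enc(A, B): C = A*S + 2E + B mod Q with S uniform (N x M) and E in {-1,0,1}^{M x M}."""
    AS = matmul(A, [[rng.randrange(Q) for _ in range(M)] for _ in range(N)])
    return [[(AS[i][j] + 2 * rng.choice((-1, 0, 1)) + B[i][j]) % Q for j in range(M)] for i in range(M)]


def hadd(C1, C2):
    """Add(C1, C2) = C1 + C2 mod Q."""
    return [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]


def hmul(C1, C2):
    """Mult(C1, C2) = C1 * C2^t mod Q; the transpose lets T cancel the A terms on both sides."""
    return matmul(C1, transpose(C2), Q)


def decrypt(sk1, C, sk2=None):
    """Dec: T1^{-1} (T1 C T2^t mod Q) (T2^t)^{-1} mod 2 via the integer matrices Q^N T^{-1};
    sk2 defaults to sk1, and a second party's key gives the 2-of-2 decryption of C* = C1 C2^t."""
    _, T1, V1 = sk1
    _, T2, V2 = sk1 if sk2 is None else sk2
    Y = matmul(matmul(T1, C), transpose(T2), Q)
    Y = [[(v + Q // 2) % Q - Q // 2 for v in row] for row in Y]   # centred lift = T1 X T2^t over Z
    X = matmul(matmul(V1, Y), transpose(V2))                        # = Q^(2N) * X exactly
    assert all(v % Q**(2 * N) == 0 for row in X for v in row), "noise too large for these parameters"
    return [[(v // Q**(2 * N)) % 2 for v in row] for row in X]


def run_demo(seed=7):
    """Check the trapdoor, fresh decryption, Add, Mult, a quadratic formula and 2-of-2 decryption."""
    rng = random.Random(seed)
    alice, bob = keygen(rng), keygen(rng)
    B = [[[rng.randrange(2) for _ in range(M)] for _ in range(M)] for _ in range(4)]  # constructed plaintexts
    C = [encrypt(alice[0], Bi, rng) for Bi in B]
    C_bob = encrypt(bob[0], B[1], rng)                  # B[1] encrypted under Bob's key
    mod2 = lambda X: [[v % 2 for v in row] for row in X]
    quad = mod2(hadd(matmul(B[0], transpose(B[1])), matmul(B[2], transpose(B[3]))))
    return {
        "trapdoor": all(v == 0 for row in matmul(alice[1], alice[0], Q) for v in row),
        "fresh": decrypt(alice, C[0]) == B[0],
        "add": decrypt(alice, hadd(C[0], C[1])) == mod2(hadd(B[0], B[1])),
        "mult": decrypt(alice, hmul(C[0], C[1])) == matmul(B[0], transpose(B[1]), 2),
        "quadratic": decrypt(alice, hadd(hmul(C[0], C[1]), hmul(C[2], C[3]))) == quad,
        "two_of_two": decrypt(alice, hmul(C[0], C_bob), bob) == matmul(B[0], transpose(B[1]), 2),
    }
```

Calling `run_demo()` returns a dictionary with every check `True`. The "appropriate parameters" condition from the slides is visible in `decrypt`: the centred lift of $T_1 C T_2^t \bmod q$ equals $T_1 X T_2^t$ only while every entry stays below $q/2$, and with these parameters that holds even for the worst-case bound of a sum of two products (entries of $T$ are at most $w + 1 = 32$, entries of $X$ at most $2 \cdot 9m$); a larger quadratic formula or a smaller $q$ trips the divisibility assertion instead of silently returning wrong bits.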

Multiplying Polynomials
$p(x) = p_0 + p_1x + p_2x^2$, $q(x) = q_0 + q_1x + q_2x^2$.
[Figure: coefficient matrices $P$, $Q$, $R$ built from $(p_2, p_1, p_0)$ and $(q_0, q_1, q_2)$ such that $PQ^t + R$ yields the product coefficients $p_0q_0$, $p_0q_1 + p_1q_0$, $p_0q_2 + p_1q_1 + p_2q_0$, $p_1q_2 + p_2q_1$, $p_2q_2$.]

Dual Regev Encryption [GPV’08]
The Dual-Regev cryptosystem is an instance of our scheme with a particular choice of $T$ and a different input encoding than [GPV’08].
$T$ is no longer invertible, but one can still recover the top-left entry of $B$.
It is known to be IBE and leakage-resilient; this is still true with the new input encoding, and it now supports quadratic formulas.