Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattices, Cryptography and Computing with Encrypted Data

Published byHaylie Busey Modified over 9 years ago

Similar presentations

Presentation on theme: "Lattices, Cryptography and Computing with Encrypted Data"— Presentation transcript:

1 Lattices, Cryptography and Computing with Encrypted Data
Vinod Vaikuntanathan M.I.T

2 Decoding Random Linear Codes
Decoding Lattices s + e A “small” error Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

3 TODAY: Lattice-based Cryptography
Decoding Lattices s + e A “small” error TODAY: Lattice-based Cryptography

4 Learning With Errors (LWE)
(search) LWEn,q,B [Regev’05]: For random secret s  Zqn O s Find s ( a1 , b1 = a1 , s + e1 ) ( a2 , b2 = a2 , s + e2 ) … ( am , bm =am , s + em ) “noisy” random linear equation Uniformly random in Zqn “Small” error |e1| < B s + a1 a2 am e

5 Learning With Errors (LWE)
(decisional) LWEn,q,B : For random secret s  Zqn O s O rand ( a1 , u1 ) ( a1 , b1 = a1 , s + e1 ) ( a2 , u2 ) … ( am , um) ( a2 , b2 = a2 , s + e2 ) … ( am , bm =am , s + em ) random in Zq Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

6 LWE/Lattice-based Cryptography
 Robust No sub-exponential or quantum attacks Based on worst-case hardness Solve LWE on average  Solve in worst-case  Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13] THIS TALK Today, I will talk about building cryptography on a different foundation, namely lattice-based cryptography. There are a number of reasons why lattice-based cryptography is attractive. First of all, as far as we know, the lattice-based schemes are resistant to quantum attacks. Secondly, the basic operation in such schemes is addition and mult of small integers, and thus the schemes tend to be simple and very efficient. Thirdly, I advocate lattice-based cryptography because of my grandma’s advice: namely, never put all your eggs in the same basket. And a fourth and a theoretically very important reason is that the security of lattice-based schemes are based on worst-case hardness assumptions. Amazingly Versatile Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,… Only known constructions use lattices

7 Warmup: Secret-key Encryption
Message M M = Dec(sk,C) C = Enc(sk,M) secret key sk secret key sk eavesdropper Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable” Decryption: Decs(a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - ∑a[ i ]∙s[ i ] = m + 2e (over Zq)  decryption succeeds if e < q/4.

8 Secret-key Encryption from LWE
KeyGen: Sample random “short” vector t  Zqn and set sk = t Decryption: Decs(a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - ∑a[ i ]∙s[ i ] = m + 2e (over Zq)  decryption succeeds if e < q/4.

9 Secret-key Encryption from LWE
KeyGen: Sample random “short” vector t  Zqn and set sk = t Bit Encryption Encsk(m): Sample uniformly random a  Zqn, “short” noise e  Zq The ciphertext CT = (a, b = a, t + 2e + m)  Zqn X Zq Semantic Security from LWE Decryption: Decs(a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - ∑a[ i ]∙s[ i ] = m + 2e (over Zq)  decryption succeeds if e < q/4.

10 Secret-key Encryption from LWE
KeyGen: Sample random “short” vector t  Zqn and set sk = t Bit Encryption Encsk(m): Sample uniformly random a  Zqn, “short” noise e  Zq The ciphertext CT = (a, b = a, t + 2e + m)  Zqn X Zq Decryption Decsk(CT): Output (b − a, t mod q) mod 2. Correctness: b − a, t mod q = 2e + m mod q = 2e + m (as long as |2e+m| < q/2) Decryption: Decs(a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - ∑a[ i ]∙s[ i ] = m + 2e (over Zq)  decryption succeeds if e < q/4.

11 Encryption All-or-nothing Have Secret Key, Can Decrypt
M Message M All-or-nothing Have Secret Key, Can Decrypt No Secret Key, No Go

12 Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78] Enc(Data) Enc(F(Data)) Powerful server / cloud

13 Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78] Enc(data), F → Enc(F(data)) [Goldwasser-Micali’82,…]: Additively homomorphic [El Gamal’85,…]: Multiplicatively homomorphic [Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices)

14 The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption
[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n * d = ε log n C EVAL n is a security parameter * (0 < ε < 1 is a constant, and n is the security parameter)

15 Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
The Big Picture STEP 2 “Bootstrapping” Theorem [Gen09] (Qualitative) “Homomorphic enough” Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some) Dec CT sk msg Decryption Circuit n is a security parameter C EVAL

16 Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε n is a security parameter STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

17 Additive Homomorphism
CT = (a ,b) CT’ = (a’, b’) b − a, t = 2e + m b’ − a’, t = 2e’ + m’ Look at Ciphertexts through the Decryption Lens

18 Additive Homomorphism
CT = (a ,b) CT’ = (a’, b’) Let c = (a ,b) and s = (-t, 1) Let c’ = (a’ ,b’) and s = (-t, 1) b − a, t = 2e + m c, s = 2e + m b’ − a’, t = 2e’ + m’ c’, s = 2e’ + m’

19 Additive Homomorphism
CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cadd = c+c’ Proof: c, s = 2e + m c’, s = 2e’ + m’ c+c’, s = 2(e+e’) + (m+m’)  Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2) + Cadd E

20 Multiplicative Homomorphism
CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙ c’, s = (2e+m) ∙ (2e’+m’) X

21 Multiplicative Homomorphism Quadratic equation in the variables s[i]
CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙ c’, s = mm’ + 2(em’+e’m+2ee’) X E Quadratic equation in the variables s[i]

22 Multiplicative Homomorphism
CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c  c’, s  s = mm’ + 2(em’+e’m+2ee’) Tensor Product: c  c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1]) c, c’ live in (n+1) dim → c  c’ lives in (n+1)2-dim KEY FACT: c, s ∙ c’, s = c  c’, s  s X E

23 Problem: Ciphertext size blows up! Multiplicative Homomorphism
(Zqn+1 → Zq(n+1)^2) Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = c c’ c, s = 2e + m c’, s = 2e’ + m’ c  c’, s  s = mm’ + 2(em’+e’m+2ee’) X E  Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)

24 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s that represents these quadratic func. or, of new secret s’

25 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j Enct’ ( s[ i ]s[ j ] )

26 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : sample Ai,j , Ei,j i,j (Ai,j , Bi,j = Ai,j , t’ + 2Ei,j + s[ i ]s[ j ]) LWE  Security still holds.

27 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : sample Ai,j , Ei,j i,j Bi,j − Ai,j , t’ = 2Ei,j + s[ i ]s[ j ]

28 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j Ci,j , s’ ≈ s[ i ]s[ j ] (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

29 Multiplicative Homomorphism
Cheating Alert Multiplicative Homomorphism cmult, s  s = 2E + mm’ Key Idea [BV’11]: Relinearization Plug back into quadratic equation:   cmult[i,j] ∙ Ci,j , s’  ≈ 2*Error + mm’ Linear in s’. Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j Ci,j , s’ ≈ s[ i ]s[ j ] Linear fn (in s’) Quadratic fn (in s)

30 Multiplicative Homomorphism
cmult, s  s = 2E + mm’ Plug back into quadratic equation:   cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error Linear in s’. Homomorphic Mult: First compute cmult = c c’ Compute and output  cmult[i,j] ∙ Ci,j (where Ci,j are from the evaluation key)

31 (How homomorphic is this?)
The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) initial noise= ξ Correctness Security noise=0

32 (How homomorphic is this?)
The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) initial noise= ξ noise=0

33 Wrap Up: Somewhat Homomorphism
“Somewhat Homomorphic” (SwHE) Encryption STEP 1 [BV11] Evaluate Boolean circuits of mult. depth D = ε log n EVK = (evk1,…,evkD), where D is the max mult depth SK = (sk1,…,skD) Enc(skD, C(x)) Decrypt using skD Each Mult Level: Tensor and Relinearize Mult depth D C Enc(sk1, x) Encrypt using sk1

34 Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε n is a security parameter STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

35 Bootstrapping Bootstrapping Theorem [Gen09]
If you can homomorphically evaluate depth d circuits (you have a d-HE) and the depth of your decryption circuit < d * FHE Very general theorem, independent of which enc scheme you use

36 Bootstrapping = “Valve” at a fixed height
Bootstrapping Theorem [Gen09] d-HE with decryption depth < d * FHE “Homomorphic enough” Encryption  FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Say n(Bdec)2 < q/2 noise=Bdec noise=0

37 Bootstrapping = “Valve” at a fixed height
Bootstrapping Theorem [Gen09] d-HE with decryption depth < d * FHE “Homomorphic enough” Encryption  FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Say n(Bdec)2 < q/2 noise=Bdec noise=0

38 “Noiseless ciphertext” “Very Noisy” ciphertext
But the evaluator does not have SK! Bootstrapping: How “Best Possible” Noise Reduction = Decryption! Dec CT SK m Decryption Circuit “Noiseless ciphertext” “Very Noisy” ciphertext

39 Bootstrapping, Concretely
Next Best = Homomorphic Decryption! Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”) * EncPK(m) Noise = Bdec Dec CT EncPK(SK) Bdec Independent of Binput Noise = Binput

40 Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε n is a security parameter STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

41 Boosting Depth from log n to nε
(in one slide) The Culprit: Multiplication Increases error from B to about B2 Let us pause for a moment: Is B2 > B? Not if B < 1! Why not scale ciphertexts by q and work over [0,1)? Quite amazingly, this works out and gives us an error growth of B → nB Error grows singly exponentially with circuit depth

42 Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε n is a security parameter STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

43 Lattices are awesome! BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05] One-way functions, hash functions, public-key encryption ADVANCED CRYPTO [Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08] Trapdoor functions, Identity-based Encryption, secure computation THIS TALK [Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12] Today, I will talk about building cryptography on a different foundation, namely lattice-based cryptography. There are a number of reasons why lattice-based cryptography is attractive. First of all, as far as we know, the lattice-based schemes are resistant to quantum attacks. Secondly, the basic operation in such schemes is addition and mult of small integers, and thus the schemes tend to be simple and very efficient. Thirdly, I advocate lattice-based cryptography because of my grandma’s advice: namely, never put all your eggs in the same basket. And a fourth and a theoretically very important reason is that the security of lattice-based schemes are based on worst-case hardness assumptions. Fully Homomorphic Encryption [Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13] Attribute-based and Functional Encryption [Garg-GHRSW’13] Program Obfuscation

44 Merci Beaucoup!

45 Shrink Noise and Noise Ceiling by same factor
Modulus Reduction Modulus Reduction Theorem [BV11b,BGV12] SwHE that evaluates Boolean circuits of depth d = nε “Homomorphic enough” Encryption  FHE CT CT’ q=B10 q’=B3 noise=B8 Wishful thinking noise’=B+p(n) noise’=B ONE MULT NO MULT Shrink Noise and Noise Ceiling by same factor

46 Modulus Reduction Can we do this?
Cannot arbitrarily reduce noise (because of the p(n) factor) Hardness depends only on q/B. q=B10 q’=B3 noise=B8 Wishful thinking -- B+poly(n) -- we are keeping the hardness the same noise’=B+p(n)

47 Modulus Reduction LEVELi → LEVELi+1: Homomorphism: (q, ξ) → (q, ≈ ξ2)
Modulus Reduction: (q, ξ2) → (q/ξ, ξ) q/ξ AFTER d LEVELS: ξ2 (q, B) → (q/(nB log q)O(d), B) Final noise= ξ initial noise= ξ d ≤ log q/log (nB) ≤ nε/log n noise=0

48 Modulus Reduction: Details
Modulus Reduction Algorithm [BV11b,BGV12] Transform a (q,B2) ciphertext into a (q’ ≈ q/nB, B) one “Homomorphic enough” Encryption  FHE Modulus Reduction Algorithm: Compute (q’/q) c Round to the closest integer vector c’ such that c’=c mod 2 Let c be a ciphertext s.t. c, s = 2e + m (mod q) Assume that the secret key s has entries bounded by B. (ok by fact 2)

49 Modulus Reduction: Details
Modulus Reduction Algorithm: Compute (q’/q) c Round to the closest integer vector c’ such that c’=c mod 2 Let c be a ciphertext s.t. c, s = 2e + m (mod q) c, s = 2e + m + qZ Proof: (original dec eqn) (scaled) q’/q c, s = (q’/q)* (2e + m) + q’Z c’, s = (q’/q)* (2e + m) + Eround (mod q’) New Error = q’/q * (Old Error) + (Eround ≤ Bn), as promised! c’ decrypts to m, since c’=c mod 2, and c’, s=c, s mod 2

50 Putting Together: Leveled FHE
EVK = (evk1,…,evkD), where D is the max mult depth SK = (sk1,…,skD) Enc(skD, C(x)) Decrypt using skD Each Mult Level: Tensor , Relinearize using evki, Reduce modulus Mult depth D C n is a security parameter Enc(sk1, x) Encrypt using sk1 This works for depth D ≤ nε

51 Putting Together: Leveled FHE
EVK = (evk1,…,evkD), where D is the max mult depth SK = (sk1,…,skD) Enc(skD, C(x)) Decrypt using skD Each Mult Level: Tensor , Relinearize using evki, Reduce modulus Mult depth D C n is a security parameter Enc(sk1, x) Encrypt using sk1 Bootstrapping + Circular Security => FHE.

Download ppt "Lattices, Cryptography and Computing with Encrypted Data"

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
CRYPTOGRAPHIC MULTILINEAR MAPS: APPLICATIONS, CONSTRUCTION, CRYPTANALYSIS Diamant Symposium, Doorn Netherlands Craig Gentry, IBM Joint with Sanjam Garg.

CRYPTOGRAPHIC MULTILINEAR MAPS: APPLICATIONS, CONSTRUCTION, CRYPTANALYSIS Diamant Symposium, Doorn Netherlands Craig Gentry, IBM Joint with Sanjam Garg.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Manipulating Encrypted Data. You store your data in the cloud, encrypted of course. You want to use the computing power of the cloud to analyze your data.

Manipulating Encrypted Data. You store your data in the cloud, encrypted of course. You want to use the computing power of the cloud to analyze your data.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
A Brief Story of Computing on Private Data Ten H Lai Ohio State University.

A Brief Story of Computing on Private Data Ten H Lai Ohio State University.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.

The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Similar presentations

Ads by Google