1 / 43

Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data. Vinod Vaikuntanathan. M.I.T. Decoding Lattices. Decoding Random Linear Codes. +. e. s. A. “small” error. Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)?.

halia
Download Presentation

Lattices, Cryptography and Computing with Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T

  2. Decoding Lattices Decoding Random Linear Codes + e s A “small” error Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)? Seems very hard!

  3. Decoding Lattices + e s A “small” error TODAY: Lattice-based Cryptography

  4. Learning With Errors (LWE) (search) LWEn,q,B [Regev’05]: For random secret s  Zqn O s Find s ( a1 , b1 = a1 , s + e1 ) (a2, b2= a2 , s + e2) …(am, bm=am , s + em) “noisy” random linear equation Uniformly random in Zqn “Small” error |e1| < B + s e a1 a2 am …

  5. Learning With Errors (LWE) (decisional) LWEn,q,B : For random secret s  Zqn O rand O s ( a1 , u1 ) ( a1 , b1 = a1 , s + e1 )  (a2, u2) … (am, um) (a2, b2= a2 , s + e2) …(am, bm=am , s + em) random in Zq Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

  6. LWE/Lattice-based Cryptography  Robust • No sub-exponential or quantum attacks • Based on worst-case hardness • Solve LWE on average Solve in worst-case  Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13] THIS TALK • Amazingly Versatile • Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,… • Only known constructions use lattices

  7. Warmup: Secret-key Encryption Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4. M = Dec(sk,C) Message M C = Enc(sk,M) secret key sk secret key sk eavesdropper Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”

  8. Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t

  9. Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t • Bit Encryption Encsk(m): • Sample uniformly random a  Zqn, “short” noise eZq • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq Semantic Security from LWE

  10. Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t • Bit Encryption Encsk(m): • Sample uniformly random a  Zqn, “short” noise eZq • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq • Decryption Decsk(CT): Output (b −a, t mod q) mod 2. • Correctness:b − a, t mod q = 2e + m mod q = 2e + m (as long as |2e+m| < q/2)

  11. Encryption M Message M All-or-nothing Have Secret Key, Can Decrypt No Secret Key, No Go

  12. Encryption Fully Homomorphic Encryption Enc(Data) Enc(F(Data)) Compute arbitrary functions on encrypted data? Powerful server / cloud [Rivest, Adleman and Dertouzos’78]

  13. Fully Homomorphic Encryption Enc(data), F → Enc(F(data)) [Goldwasser-Micali’82,…]: Additively homomorphic [El Gamal’85,…]: Multiplicatively homomorphic Compute arbitrary functions on encrypted data? [Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices) [Rivest, Adleman and Dertouzos’78]

  14. The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n * d = ε log n C EVAL * (0 < ε < 1 is a constant, and n is the security parameter)

  15. The Big Picture STEP 2 “Bootstrapping” Theorem [Gen09] (Qualitative) “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some) msg C Dec sk CT Decryption Circuit EVAL

  16. The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

  17. Additive Homomorphism CT = (a ,b) CT’ = (a’, b’) b − a, t = 2e + m b’ − a’, t = 2e’ + m’ Look at Ciphertexts through the Decryption Lens

  18. Additive Homomorphism CT = (a ,b) CT’ = (a’, b’) Let c = (a ,b) and s = (-t, 1) Let c’ = (a’ ,b’) and s = (-t, 1) b − a, t = 2e + m c, s = 2e + m b’ − a’, t = 2e’ + m’ c’, s = 2e’ + m’

  19. Additive Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cadd = c+c’ c, s = 2e + m c’, s = 2e’ + m’ c+c’, s = 2(e+e’) + (m+m’)  Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2) Proof: + E Cadd

  20. Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙c’, s = (2e+m) ∙ (2e’+m’) X

  21. Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’) X E Quadratic equation in the variables s[i]

  22. Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c  c’, s  s = mm’ + 2(em’+e’m+2ee’) Tensor Product: • c  c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1]) • c, c’ live in (n+1) dim → c  c’ lives in (n+1)2-dim • KEY FACT: c, s ∙c’, s = c  c’, s  s X E

  23. Problem: Ciphertext size blows up! (Zqn+1 → Zq(n+1)^2) Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = c c’ c, s = 2e + m c’, s = 2e’ + m’ c  c’, s  s = mm’ + 2(em’+e’m+2ee’) X E  Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)

  24. Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s that represents these quadratic func. or, of new secret s’

  25. Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Enct’(s[ i ]s[ j ] )

  26. Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : sample Ai,j, Ei,j i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ]) LWE Security still holds.

  27. Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : sample Ai,j, Ei,j i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]

  28. Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Ci,j, s’ ≈ s[ i ]s[ j ] (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

  29. Cheating Alert Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Plug back into quadratic equation:  cmult[i,j] ∙ Ci,j , s’  ≈ 2*Error + mm’ Linear in s’. Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Ci,j, s’ ≈ s[ i ]s[ j ] Linear fn(in s’) Quadratic fn(in s)

  30. Multiplicative Homomorphism cmult, s s = 2E + mm’ Plug back into quadratic equation:  cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error Linear in s’. Homomorphic Mult: • First compute cmult = c c’ • Compute and output  cmult[i,j] ∙ Ci,j (where Ci,j are from the evaluation key)

  31. The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) 2ξ initial noise= ξ Correctness Security noise=0

  32. The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) initial noise= ξ noise=0

  33. The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

  34. Bootstrapping Bootstrapping Theorem [Gen09] • If you can homomorphically evaluate depth d circuits (you have a d-HE) and • the depth of your decryption circuit < d • *FHE

  35. Bootstrapping “Homomorphic enough” Encryption FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Bootstrapping Theorem [Gen09] Say n(Bdec)2 < q/2 d-HE with decryption depth < d *FHE noise=Bdec noise=0

  36. Bootstrapping “Homomorphic enough” Encryption FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Bootstrapping Theorem [Gen09] Say n(Bdec)2 < q/2 d-HE with decryption depth < d *FHE noise=Bdec noise=0

  37. But the evaluator does not have SK! Bootstrapping: How “Best Possible” Noise Reduction = Decryption! “Noiseless ciphertext” m “Very Noisy” ciphertext Dec CT SK Decryption Circuit

  38. Bootstrapping, Concretely Next Best = Homomorphic Decryption! * Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”) EncPK(m) Noise = Bdec Bdec Independent of Binput Dec Noise = Binput CT EncPK(SK)

  39. The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

  40. Boosting Depth from log n to nε (in one slide) • The Culprit: Multiplication • Increases error from B to about B2 • Let us pause for a moment: Is B2 > B? • Not if B < 1! • Why not scale ciphertexts by q and work over [0,1)? • Quite amazingly, this works out and gives us an error growth of B → nB • Error grows singly exponentially with circuit depth

  41. The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

  42. Lattices are awesome! BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05] One-way functions, hash functions, public-key encryption ADVANCED CRYPTO [Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08] Trapdoor functions, Identity-based Encryption, secure computation THIS TALK [Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12] Fully Homomorphic Encryption [Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13] Attribute-based and Functional Encryption [Garg-GHRSW’13] Program Obfuscation

  43. Merci Beaucoup!

More Related