- 99 Views
- Uploaded on
- Presentation posted in: General

Lattices, Cryptography and Computing with Encrypted Data

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Lattices, Cryptography and

Computing with Encrypted Data

Vinod Vaikuntanathan

M.I.T

Decoding Lattices

+

e

s

A

“small” error

Combinatorially nice: Optimal rate etc.

Can we decode efficiently (even in the unique decoding regime)?

Seems very hard!

+

e

s

A

“small” error

TODAY: Lattice-based Cryptography

(search) LWEn,q,B [Regev’05]: For random secret s Zqn

O s

Find s

( a1 , b1 = a1 , s + e1 )

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

“noisy” random linear equation

Uniformly random in Zqn

“Small” error

|e1| < B

+

s

e

a1

a2

am

…

(decisional) LWEn,q,B : For random secret s Zqn

O rand

O s

( a1 , u1 )

( a1 , b1 = a1 , s + e1 )

(a2, u2) … (am, um)

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

random in Zq

Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

Robust

- No sub-exponential or quantum attacks

- Based on worst-case hardness

- Solve LWE on average Solve in worst-case Approx. shortest vectors on worst-case lattices

[Regev05, Peikert09, BLPRS13]

THIS TALK

- Amazingly Versatile

- Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…

- Only known constructions use lattices

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

M = Dec(sk,C)

Message M

C = Enc(sk,M)

secret key sk

secret key sk

eavesdropper

Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

- KeyGen:
- Sample random “short” vector t Zqn and set sk = t

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

- KeyGen:
- Sample random “short” vector t Zqn and set sk = t

- Bit Encryption Encsk(m):
- Sample uniformly random a Zqn, “short” noise eZq
- The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

Semantic Security from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

- KeyGen:
- Sample random “short” vector t Zqn and set sk = t

- Bit Encryption Encsk(m):
- Sample uniformly random a Zqn, “short” noise eZq
- The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

- Decryption Decsk(CT): Output (b −a, t mod q) mod 2.

- Correctness:b − a, t mod q = 2e + m mod q

= 2e + m

(as long as |2e+m| < q/2)

M

Message M

All-or-nothing

Have Secret Key, Can Decrypt

No Secret Key, No Go

Encryption

Enc(Data)

Enc(F(Data))

Compute arbitrary functions on encrypted data?

Powerful server / cloud

[Rivest, Adleman and Dertouzos’78]

Enc(data), F → Enc(F(data))

[Goldwasser-Micali’82,…]: Additively homomorphic

[El Gamal’85,…]: Multiplicatively homomorphic

Compute arbitrary functions on encrypted data?

[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)

(all known constructions based on lattices)

[Rivest, Adleman and Dertouzos’78]

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n *

d = ε log n

C

EVAL

* (0 < ε < 1 is a constant, and n is the security parameter)

The Big Picture

STEP 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

msg

C

Dec

sk

CT

Decryption Circuit

EVAL

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

b − a, t = 2e + m

b’ − a’, t = 2e’ + m’

Look at Ciphertexts through the Decryption Lens

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

Let c = (a ,b) and s = (-t, 1)

Let c’ = (a’ ,b’) and s = (-t, 1)

b − a, t = 2e + m

c, s = 2e + m

b’ − a’, t = 2e’ + m’

c’, s = 2e’ + m’

Additive Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cadd = c+c’

c, s = 2e + m

c’, s = 2e’ + m’

c+c’, s = 2(e+e’) + (m+m’)

Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Proof:

+

E

Cadd

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = (2e+m) ∙ (2e’+m’)

X

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’)

X

E

Quadratic equation in the variables s[i]

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c c’, s s = mm’ + 2(em’+e’m+2ee’)

Tensor Product:

- c c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1])
- c, c’ live in (n+1) dim → c c’ lives in (n+1)2-dim
- KEY FACT: c, s ∙c’, s = c c’, s s

X

E

Problem: Ciphertext size blows up!

(Zqn+1 → Zq(n+1)^2)

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = c c’

c, s = 2e + m

c’, s = 2e’ + m’

c c’, s s = mm’ + 2(em’+e’m+2ee’)

X

E

Dec(s s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s that represents these quadratic func.

or, of new secret s’

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

- Sample t,t’Zqn and set sk = (t,t’).
- Evaluation key evk :
i,j.Enct’(s[ i ]s[ j ] )

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

- Sample t,t’Zqn and set sk = (t,t’).
- Evaluation key evk : sample Ai,j, Ei,j
i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ])

LWE Security still holds.

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

- Sample t,t’Zqn and set sk = (t,t’).
- Evaluation key evk : sample Ai,j, Ei,j
i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

- Sample t,t’Zqn and set sk = (t,t’).
- Evaluation key evk :
i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

(denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

Cheating Alert

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Plug back into quadratic equation:

cmult[i,j] ∙ Ci,j , s’ ≈ 2*Error + mm’

Linear in s’.

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

- Sample t,t’Zqn and set sk = (t,t’).
- Evaluation key evk :
i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

Linear fn(in s’)

Quadratic fn(in s)

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Plug back into quadratic equation:

cmult[i,j] ∙ Ci,j , s’ ≈ mm’+2*Error

Linear in s’.

Homomorphic Mult:

- First compute cmult = c c’
- Compute and output cmult[i,j] ∙ Ci,j
(where Ci,j are from the evaluation key)

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

2ξ

initial noise= ξ

Correctness

Security

noise=0

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

noise=0

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

Bootstrapping Theorem [Gen09]

- If you can homomorphically evaluate depth d circuits (you have a d-HE) and
- the depth of your decryption circuit < d
- *FHE

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

But the evaluator

does not have SK!

“Best Possible” Noise Reduction

= Decryption!

“Noiseless ciphertext”

m

“Very Noisy” ciphertext

Dec

CT

SK

Decryption Circuit

Next Best

= Homomorphic Decryption!

*

Assume Enc(SK) is public.

(OK assuming the scheme is “circular secure”)

EncPK(m)

Noise = Bdec

Bdec Independent of Binput

Dec

Noise = Binput

CT

EncPK(SK)

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

(in one slide)

- The Culprit: Multiplication
- Increases error from B to about B2

- Let us pause for a moment: Is B2 > B?
- Not if B < 1!

- Why not scale ciphertexts by q and work over [0,1)?
- Quite amazingly, this works out and gives us an error growth of B → nB
- Error grows singly exponentially with circuit depth

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]

One-way functions, hash functions, public-key encryption

ADVANCED CRYPTO

[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]

Trapdoor functions, Identity-based Encryption, secure computation

THIS TALK

[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]

Fully Homomorphic Encryption

[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]

Attribute-based and Functional Encryption

[Garg-GHRSW’13] Program Obfuscation