slide1
Download
Skip this Video
Download Presentation
Lattices, Cryptography and Computing with Encrypted Data

Loading in 2 Seconds...

play fullscreen
1 / 43

Lattices, Cryptography and Computing with Encrypted Data - PowerPoint PPT Presentation


  • 118 Views
  • Uploaded on

Lattices, Cryptography and Computing with Encrypted Data. Vinod Vaikuntanathan. M.I.T. Decoding Lattices. Decoding Random Linear Codes. +. e. s. A. “small” error. Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)?.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Lattices, Cryptography and Computing with Encrypted Data' - tacey


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Lattices, Cryptography and

Computing with Encrypted Data

Vinod Vaikuntanathan

M.I.T

decoding random linear codes

Decoding Lattices

Decoding Random Linear Codes

+

e

s

A

“small” error

Combinatorially nice: Optimal rate etc.

Can we decode efficiently (even in the unique decoding regime)?

Seems very hard!

decoding lattices
Decoding Lattices

+

e

s

A

“small” error

TODAY: Lattice-based Cryptography

learning with errors lwe
Learning With Errors (LWE)

(search) LWEn,q,B [Regev’05]: For random secret s  Zqn

O s

Find s

( a1 , b1 = a1 , s + e1 )

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

“noisy” random linear equation

Uniformly random in Zqn

“Small” error

|e1| < B

+

s

e

a1

a2

am

learning with errors lwe1
Learning With Errors (LWE)

(decisional) LWEn,q,B : For random secret s  Zqn

O rand

O s

( a1 , u1 )

( a1 , b1 = a1 , s + e1 )

(a2, u2) … (am, um)

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

random in Zq

Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

lwe lattice based cryptography
LWE/Lattice-based Cryptography

 Robust

  • No sub-exponential or quantum attacks
  • Based on worst-case hardness
  • Solve LWE on average Solve in worst-case  Approx. shortest vectors on worst-case lattices

[Regev05, Peikert09, BLPRS13]

THIS TALK

  • Amazingly Versatile
  • Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…
  • Only known constructions use lattices
warmup secret key encryption
Warmup: Secret-key Encryption

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4.

M = Dec(sk,C)

Message M

C = Enc(sk,M)

secret key sk

secret key sk

eavesdropper

Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”

secret key encryption from lwe
Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4.

  • KeyGen:
    • Sample random “short” vector t Zqn and set sk = t
secret key encryption from lwe1
Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4.

  • KeyGen:
    • Sample random “short” vector t Zqn and set sk = t
  • Bit Encryption Encsk(m):
    • Sample uniformly random a  Zqn, “short” noise eZq
    • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

Semantic Security from LWE

secret key encryption from lwe2
Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq).  decryption succeeds if e < q/4.

  • KeyGen:
    • Sample random “short” vector t Zqn and set sk = t
  • Bit Encryption Encsk(m):
    • Sample uniformly random a  Zqn, “short” noise eZq
    • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq
  • Decryption Decsk(CT): Output (b −a, t mod q) mod 2.
  • Correctness:b − a, t mod q = 2e + m mod q

= 2e + m

(as long as |2e+m| < q/2)

encryption
Encryption

M

Message M

All-or-nothing

Have Secret Key, Can Decrypt

No Secret Key, No Go

fully homomorphic encryption

Encryption

Fully Homomorphic Encryption

Enc(Data)

Enc(F(Data))

Compute arbitrary functions on encrypted data?

Powerful server / cloud

[Rivest, Adleman and Dertouzos’78]

fully homomorphic encryption1
Fully Homomorphic Encryption

Enc(data), F → Enc(F(data))

[Goldwasser-Micali’82,…]: Additively homomorphic

[El Gamal’85,…]: Multiplicatively homomorphic

Compute arbitrary functions on encrypted data?

[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)

(all known constructions based on lattices)

[Rivest, Adleman and Dertouzos’78]

slide14

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n *

d = ε log n

C

EVAL

* (0 < ε < 1 is a constant, and n is the security parameter)

slide15

The Big Picture

STEP 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

msg

C

Dec

sk

CT

Decryption Circuit

EVAL

slide16

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

slide17

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

b − a, t = 2e + m

b’ − a’, t = 2e’ + m’

Look at Ciphertexts through the Decryption Lens

slide18

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

Let c = (a ,b) and s = (-t, 1)

Let c’ = (a’ ,b’) and s = (-t, 1)

b − a, t = 2e + m

c, s = 2e + m

b’ − a’, t = 2e’ + m’

c’, s = 2e’ + m’

slide19

Additive Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cadd = c+c’

c, s = 2e + m

c’, s = 2e’ + m’

c+c’, s = 2(e+e’) + (m+m’)

 Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Proof:

+

E

Cadd

slide20

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = (2e+m) ∙ (2e’+m’)

X

slide21

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’)

X

E

Quadratic equation in the variables s[i]

slide22

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

Tensor Product:

  • c  c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1])
  • c, c’ live in (n+1) dim → c  c’ lives in (n+1)2-dim
  • KEY FACT: c, s ∙c’, s = c  c’, s  s

X

E

slide23

Problem: Ciphertext size blows up!

(Zqn+1 → Zq(n+1)^2)

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = c c’

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

X

E

 Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)

slide24

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s that represents these quadratic func.

or, of new secret s’

slide25

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).
  • Evaluation key evk :

i,j.Enct’(s[ i ]s[ j ] )

slide26

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).
  • Evaluation key evk : sample Ai,j, Ei,j

i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ])

LWE Security still holds.

slide27

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).
  • Evaluation key evk : sample Ai,j, Ei,j

i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]

slide28

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).
  • Evaluation key evk :

i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

(denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

slide29

Cheating Alert

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Plug back into quadratic equation:

 cmult[i,j] ∙ Ci,j , s’  ≈ 2*Error + mm’

Linear in s’.

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).
  • Evaluation key evk :

i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

Linear fn(in s’)

Quadratic fn(in s)

slide30

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Plug back into quadratic equation:

 cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error

Linear in s’.

Homomorphic Mult:

  • First compute cmult = c c’
  • Compute and output  cmult[i,j] ∙ Ci,j

(where Ci,j are from the evaluation key)

the reservoir analogy
The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

Correctness

Security

noise=0

the reservoir analogy1
The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

noise=0

slide33

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

bootstrapping
Bootstrapping

Bootstrapping Theorem [Gen09]

  • If you can homomorphically evaluate depth d circuits (you have a d-HE) and
  • the depth of your decryption circuit < d
  • *FHE
bootstrapping1
Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

bootstrapping2
Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

bootstrapping how

But the evaluator

does not have SK!

Bootstrapping: How

“Best Possible” Noise Reduction

= Decryption!

“Noiseless ciphertext”

m

“Very Noisy” ciphertext

Dec

CT

SK

Decryption Circuit

bootstrapping concretely
Bootstrapping, Concretely

Next Best

= Homomorphic Decryption!

*

Assume Enc(SK) is public.

(OK assuming the scheme is “circular secure”)

EncPK(m)

Noise = Bdec

Bdec Independent of Binput

Dec

Noise = Binput

CT

EncPK(SK)

slide39

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

boosting depth from log n to n
Boosting Depth from log n to nε

(in one slide)

  • The Culprit: Multiplication
    • Increases error from B to about B2
  • Let us pause for a moment: Is B2 > B?
    • Not if B < 1!
  • Why not scale ciphertexts by q and work over [0,1)?
    • Quite amazingly, this works out and gives us an error growth of B → nB
    • Error grows singly exponentially with circuit depth
slide41

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

lattices are awesome
Lattices are awesome!

BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]

One-way functions, hash functions, public-key encryption

ADVANCED CRYPTO

[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]

Trapdoor functions, Identity-based Encryption, secure computation

THIS TALK

[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]

Fully Homomorphic Encryption

[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]

Attribute-based and Functional Encryption

[Garg-GHRSW’13] Program Obfuscation

ad