Lattices, Cryptography and
This presentation is the property of its rightful owner.
Sponsored Links
1 / 43

Lattices, Cryptography and Computing with Encrypted Data PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on
  • Presentation posted in: General

Lattices, Cryptography and Computing with Encrypted Data. Vinod Vaikuntanathan. M.I.T. Decoding Lattices. Decoding Random Linear Codes. +. e. s. A. “small” error. Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)?.

Download Presentation

Lattices, Cryptography and Computing with Encrypted Data

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Lattices cryptography and computing with encrypted data

Lattices, Cryptography and

Computing with Encrypted Data

Vinod Vaikuntanathan

M.I.T


Decoding random linear codes

Decoding Lattices

Decoding Random Linear Codes

+

e

s

A

“small” error

Combinatorially nice: Optimal rate etc.

Can we decode efficiently (even in the unique decoding regime)?

Seems very hard!


Decoding lattices

Decoding Lattices

+

e

s

A

“small” error

TODAY: Lattice-based Cryptography


Learning with errors lwe

Learning With Errors (LWE)

(search) LWEn,q,B [Regev’05]: For random secret s  Zqn

O s

Find s

( a1 , b1 = a1 , s + e1 )

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

“noisy” random linear equation

Uniformly random in Zqn

“Small” error

|e1| < B

+

s

e

a1

a2

am


Learning with errors lwe1

Learning With Errors (LWE)

(decisional) LWEn,q,B : For random secret s  Zqn

O rand

O s

( a1 , u1 )

( a1 , b1 = a1 , s + e1 )

(a2, u2) … (am, um)

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

random in Zq

Theorem [Reg05,Pei09]: Decisional LWE as hard as Search


Lwe lattice based cryptography

LWE/Lattice-based Cryptography

 Robust

  • No sub-exponential or quantum attacks

  • Based on worst-case hardness

  • Solve LWE on average Solve in worst-case  Approx. shortest vectors on worst-case lattices

[Regev05, Peikert09, BLPRS13]

THIS TALK

  • Amazingly Versatile

  • Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…

  • Only known constructions use lattices


Warmup secret key encryption

Warmup: Secret-key Encryption

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

M = Dec(sk,C)

Message M

C = Enc(sk,M)

secret key sk

secret key sk

eavesdropper

Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”


Secret key encryption from lwe

Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

  • KeyGen:

    • Sample random “short” vector t Zqn and set sk = t


Secret key encryption from lwe1

Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

  • KeyGen:

    • Sample random “short” vector t Zqn and set sk = t

  • Bit Encryption Encsk(m):

    • Sample uniformly random a  Zqn, “short” noise eZq

    • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

Semantic Security from LWE


Secret key encryption from lwe2

Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

  • KeyGen:

    • Sample random “short” vector t Zqn and set sk = t

  • Bit Encryption Encsk(m):

    • Sample uniformly random a  Zqn, “short” noise eZq

    • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

  • Decryption Decsk(CT): Output (b −a, t mod q) mod 2.

  • Correctness:b − a, t mod q = 2e + m mod q

= 2e + m

(as long as |2e+m| < q/2)


Encryption

Encryption

M

Message M

All-or-nothing

Have Secret Key, Can Decrypt

No Secret Key, No Go


Fully homomorphic encryption

Encryption

Fully Homomorphic Encryption

Enc(Data)

Enc(F(Data))

Compute arbitrary functions on encrypted data?

Powerful server / cloud

[Rivest, Adleman and Dertouzos’78]


Fully homomorphic encryption1

Fully Homomorphic Encryption

Enc(data), F → Enc(F(data))

[Goldwasser-Micali’82,…]: Additively homomorphic

[El Gamal’85,…]: Multiplicatively homomorphic

Compute arbitrary functions on encrypted data?

[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)

(all known constructions based on lattices)

[Rivest, Adleman and Dertouzos’78]


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n *

d = ε log n

C

EVAL

* (0 < ε < 1 is a constant, and n is the security parameter)


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

msg

C

Dec

sk

CT

Decryption Circuit

EVAL


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)


Lattices cryptography and computing with encrypted data

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

b − a, t = 2e + m

b’ − a’, t = 2e’ + m’

Look at Ciphertexts through the Decryption Lens


Lattices cryptography and computing with encrypted data

Additive Homomorphism

CT = (a ,b)

CT’ = (a’, b’)

Let c = (a ,b) and s = (-t, 1)

Let c’ = (a’ ,b’) and s = (-t, 1)

b − a, t = 2e + m

c, s = 2e + m

b’ − a’, t = 2e’ + m’

c’, s = 2e’ + m’


Lattices cryptography and computing with encrypted data

Additive Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cadd = c+c’

c, s = 2e + m

c’, s = 2e’ + m’

c+c’, s = 2(e+e’) + (m+m’)

 Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Proof:

+

E

Cadd


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = (2e+m) ∙ (2e’+m’)

X


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’)

X

E

Quadratic equation in the variables s[i]


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

Tensor Product:

  • c  c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1])

  • c, c’ live in (n+1) dim → c  c’ lives in (n+1)2-dim

  • KEY FACT: c, s ∙c’, s = c  c’, s  s

X

E


Lattices cryptography and computing with encrypted data

Problem: Ciphertext size blows up!

(Zqn+1 → Zq(n+1)^2)

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = c c’

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

X

E

 Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s that represents these quadratic func.

or, of new secret s’


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).

  • Evaluation key evk :

    i,j.Enct’(s[ i ]s[ j ] )


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).

  • Evaluation key evk : sample Ai,j, Ei,j

    i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ])

LWE Security still holds.


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).

  • Evaluation key evk : sample Ai,j, Ei,j

    i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).

  • Evaluation key evk :

    i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

    (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)


Lattices cryptography and computing with encrypted data

Cheating Alert

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Plug back into quadratic equation:

 cmult[i,j] ∙ Ci,j , s’  ≈ 2*Error + mm’

Linear in s’.

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

  • Sample t,t’Zqn and set sk = (t,t’).

  • Evaluation key evk :

    i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

Linear fn(in s’)

Quadratic fn(in s)


Lattices cryptography and computing with encrypted data

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Plug back into quadratic equation:

 cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error

Linear in s’.

Homomorphic Mult:

  • First compute cmult = c c’

  • Compute and output  cmult[i,j] ∙ Ci,j

    (where Ci,j are from the evaluation key)


The reservoir analogy

The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

Correctness

Security

noise=0


The reservoir analogy1

The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

noise=0


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)


Bootstrapping

Bootstrapping

Bootstrapping Theorem [Gen09]

  • If you can homomorphically evaluate depth d circuits (you have a d-HE) and

  • the depth of your decryption circuit < d

  • *FHE


Bootstrapping1

Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0


Bootstrapping2

Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0


Bootstrapping how

But the evaluator

does not have SK!

Bootstrapping: How

“Best Possible” Noise Reduction

= Decryption!

“Noiseless ciphertext”

m

“Very Noisy” ciphertext

Dec

CT

SK

Decryption Circuit


Bootstrapping concretely

Bootstrapping, Concretely

Next Best

= Homomorphic Decryption!

*

Assume Enc(SK) is public.

(OK assuming the scheme is “circular secure”)

EncPK(m)

Noise = Bdec

Bdec Independent of Binput

Dec

Noise = Binput

CT

EncPK(SK)


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)


Boosting depth from log n to n

Boosting Depth from log n to nε

(in one slide)

  • The Culprit: Multiplication

    • Increases error from B to about B2

  • Let us pause for a moment: Is B2 > B?

    • Not if B < 1!

  • Why not scale ciphertexts by q and work over [0,1)?

    • Quite amazingly, this works out and gives us an error growth of B → nB

    • Error grows singly exponentially with circuit depth


Lattices cryptography and computing with encrypted data

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)


Lattices are awesome

Lattices are awesome!

BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]

One-way functions, hash functions, public-key encryption

ADVANCED CRYPTO

[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]

Trapdoor functions, Identity-based Encryption, secure computation

THIS TALK

[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]

Fully Homomorphic Encryption

[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]

Attribute-based and Functional Encryption

[Garg-GHRSW’13] Program Obfuscation


Merci beaucoup

Merci Beaucoup!


  • Login