# Lattices, Cryptography and Computing with Encrypted Data - PowerPoint PPT Presentation

1 / 43

Lattices, Cryptography and Computing with Encrypted Data. Vinod Vaikuntanathan. M.I.T. Decoding Lattices. Decoding Random Linear Codes. +. e. s. A. “small” error. Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Lattices, Cryptography and Computing with Encrypted Data

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

#### Presentation Transcript

Lattices, Cryptography and

Computing with Encrypted Data

Vinod Vaikuntanathan

M.I.T

Decoding Lattices

### Decoding Random Linear Codes

+

e

s

A

“small” error

Combinatorially nice: Optimal rate etc.

Can we decode efficiently (even in the unique decoding regime)?

Seems very hard!

### Decoding Lattices

+

e

s

A

“small” error

TODAY: Lattice-based Cryptography

### Learning With Errors (LWE)

(search) LWEn,q,B [Regev’05]: For random secret s  Zqn

O s

Find s

( a1 , b1 = a1 , s + e1 )

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

“noisy” random linear equation

Uniformly random in Zqn

“Small” error

|e1| < B

+

s

e

a1

a2

am

### Learning With Errors (LWE)

(decisional) LWEn,q,B : For random secret s  Zqn

O rand

O s

( a1 , u1 )

( a1 , b1 = a1 , s + e1 )

(a2, u2) … (am, um)

(a2, b2= a2 , s + e2) …(am, bm=am , s + em)

random in Zq

Theorem [Reg05,Pei09]: Decisional LWE as hard as Search

### LWE/Lattice-based Cryptography

 Robust

• No sub-exponential or quantum attacks

• Based on worst-case hardness

• Solve LWE on average Solve in worst-case  Approx. shortest vectors on worst-case lattices

[Regev05, Peikert09, BLPRS13]

THIS TALK

• Amazingly Versatile

• Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,…

• Only known constructions use lattices

### Warmup: Secret-key Encryption

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

M = Dec(sk,C)

Message M

C = Enc(sk,M)

secret key sk

secret key sk

eavesdropper

Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”

### Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

• KeyGen:

• Sample random “short” vector t Zqn and set sk = t

### Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

• KeyGen:

• Sample random “short” vector t Zqn and set sk = t

• Bit Encryption Encsk(m):

• Sample uniformly random a  Zqn, “short” noise eZq

• The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

Semantic Security from LWE

### Secret-key Encryption from LWE

Decryption:Decs(a,b) = ( b - a, s) (mod 2).

Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4.

• KeyGen:

• Sample random “short” vector t Zqn and set sk = t

• Bit Encryption Encsk(m):

• Sample uniformly random a  Zqn, “short” noise eZq

• The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq

• Decryption Decsk(CT): Output (b −a, t mod q) mod 2.

• Correctness:b − a, t mod q = 2e + m mod q

= 2e + m

(as long as |2e+m| < q/2)

### Encryption

M

Message M

All-or-nothing

Have Secret Key, Can Decrypt

No Secret Key, No Go

Encryption

### Fully Homomorphic Encryption

Enc(Data)

Enc(F(Data))

Compute arbitrary functions on encrypted data?

Powerful server / cloud

### Fully Homomorphic Encryption

Enc(data), F → Enc(F(data))

[El Gamal’85,…]: Multiplicatively homomorphic

Compute arbitrary functions on encrypted data?

[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)

(all known constructions based on lattices)

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n *

d = ε log n

C

EVAL

* (0 < ε < 1 is a constant, and n is the security parameter)

The Big Picture

STEP 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

msg

C

Dec

sk

CT

Decryption Circuit

EVAL

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

CT = (a ,b)

CT’ = (a’, b’)

b − a, t = 2e + m

b’ − a’, t = 2e’ + m’

Look at Ciphertexts through the Decryption Lens

CT = (a ,b)

CT’ = (a’, b’)

Let c = (a ,b) and s = (-t, 1)

Let c’ = (a’ ,b’) and s = (-t, 1)

b − a, t = 2e + m

c, s = 2e + m

b’ − a’, t = 2e’ + m’

c’, s = 2e’ + m’

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

c, s = 2e + m

c’, s = 2e’ + m’

c+c’, s = 2(e+e’) + (m+m’)

 Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Proof:

+

E

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = (2e+m) ∙ (2e’+m’)

X

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’)

X

E

Quadratic equation in the variables s[i]

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = ?

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

Tensor Product:

• c  c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1])

• c, c’ live in (n+1) dim → c  c’ lives in (n+1)2-dim

• KEY FACT: c, s ∙c’, s = c  c’, s  s

X

E

Problem: Ciphertext size blows up!

(Zqn+1 → Zq(n+1)^2)

Multiplicative Homomorphism

CT = c

CT’ = c’

c, s = 2e + m

c’, s = 2e’ + m’

Claim: cmult = c c’

c, s = 2e + m

c’, s = 2e’ + m’

c  c’, s  s = mm’ + 2(em’+e’m+2ee’)

X

E

 Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s that represents these quadratic func.

or, of new secret s’

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

• Sample t,t’Zqn and set sk = (t,t’).

• Evaluation key evk :

i,j.Enct’(s[ i ]s[ j ] )

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

• Sample t,t’Zqn and set sk = (t,t’).

• Evaluation key evk : sample Ai,j, Ei,j

i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ])

LWE Security still holds.

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

• Sample t,t’Zqn and set sk = (t,t’).

• Evaluation key evk : sample Ai,j, Ei,j

i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

• Sample t,t’Zqn and set sk = (t,t’).

• Evaluation key evk :

i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

(denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

Multiplicative Homomorphism

cmult, s s = 2E + mm’

Key Idea [BV’11]: Relinearization

 cmult[i,j] ∙ Ci,j , s’  ≈ 2*Error + mm’

Linear in s’.

Find linear functions of s’ that represent these quadratic func.

New KeyGen:

• Sample t,t’Zqn and set sk = (t,t’).

• Evaluation key evk :

i,j.Ci,j, s’ ≈ s[ i ]s[ j ]

Linear fn(in s’)

Multiplicative Homomorphism

cmult, s s = 2E + mm’

 cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error

Linear in s’.

Homomorphic Mult:

• First compute cmult = c c’

• Compute and output  cmult[i,j] ∙ Ci,j

(where Ci,j are from the evaluation key)

### The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

Correctness

Security

noise=0

### The Reservoir Analogy

(How homomorphic is this?)

Additive Homomorphism: ξ → 2 ξ

noise=q/2

Mult. Homomorphism: ξ → ξ2 + n2B log q

AFTER d LEVELS:

~ ξ2

noise B →

(worst case)

initial noise= ξ

noise=0

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

### Bootstrapping

Bootstrapping Theorem [Gen09]

• If you can homomorphically evaluate depth d circuits (you have a d-HE) and

• the depth of your decryption circuit < d

• *FHE

### Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

### Bootstrapping

“Homomorphic enough” Encryption FHE

Bootstrapping = “Valve” at a fixed height

(that depends on decryption depth)

noise=q/2

Bootstrapping Theorem [Gen09]

Say n(Bdec)2 < q/2

d-HE with decryption depth < d *FHE

noise=Bdec

noise=0

But the evaluator

does not have SK!

### Bootstrapping: How

“Best Possible” Noise Reduction

= Decryption!

“Noiseless ciphertext”

m

“Very Noisy” ciphertext

Dec

CT

SK

Decryption Circuit

### Bootstrapping, Concretely

Next Best

= Homomorphic Decryption!

*

Assume Enc(SK) is public.

(OK assuming the scheme is “circular secure”)

EncPK(m)

Noise = Bdec

Bdec Independent of Binput

Dec

Noise = Binput

CT

EncPK(SK)

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

### Boosting Depth from log n to nε

(in one slide)

• The Culprit: Multiplication

• Increases error from B to about B2

• Let us pause for a moment: Is B2 > B?

• Not if B < 1!

• Why not scale ciphertexts by q and work over [0,1)?

• Quite amazingly, this works out and gives us an error growth of B → nB

• Error grows singly exponentially with circuit depth

The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth d = nε

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption*FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

### Lattices are awesome!

BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]

One-way functions, hash functions, public-key encryption

[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]

Trapdoor functions, Identity-based Encryption, secure computation

THIS TALK

[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]

Fully Homomorphic Encryption

[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]

Attribute-based and Functional Encryption

[Garg-GHRSW’13] Program Obfuscation