1 / 24

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE. Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research. Perspective. Homomorphic Encryption in three easy steps [G’09]. Step 1: Encryption from linear codes SK/PK are Good/Bad representation of code

garry
Download Presentation

A Simple BGN-Type Cryptosystem from LWE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Simple BGN-Type Cryptosystem from LWE Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research

  2. Perspective

  3. Homomorphic Encryptionin three easy steps [G’09] • Step 1: Encryption from linear codes • SK/PK are Good/Bad representation of code • Bad representation, can’t tell words close to code from random • Good representation can be used to correct many errors • Additive homomorphism “for free” • Step 2: ECC lives inside a ring • We have both additive, multiplicative sructure • If code is an ideal, also multiplicative homomorphism • for low-degree polynomials • Step 3: Bootstrapping, Squashing, etc.

  4. Instances of this Paradigm • Ring of polynomials [G’09] • Ring of integers [vDGHV’10] • This work: how about ring of matrices? • Doesn’t quite work like the others • We only get additive-HE + one multiplication • Quadratic formulas, as in [BGN’05] • But more efficient and more flexible • Can be made leakage-resilient, identity-based

  5. Background

  6. Learning with Errors (LWE) n Search-LWE: Given A,c, find s,x • [R’05, P’09] As hard as worst-case of some lattice problems • n – security parameter • q poly(n) • m > n log q c A s x = mod q + m random mod q small

  7. Learning with Errors (LWE) n Decision-LWE: Distinguish c from random • [R’05] as hard as finding s,x • For certain parameters • n – security parameter • q poly(n) • m > n log q c A s x = mod q + m c close to the linear code spanned by A random mod q small

  8. Learning with Errors (LWE) n m • Many LWE instances with same A • Same hardness (easy hybrid argument) S X A C n = + m random mod q small

  9. Ajtai’s Trapdoors • [A’96] Given , hard to find small s.t. tA =0 mod q • As hard as worst-case of some lattice problems • [A’99] But it is possible to generate together = 0 mod q • [Alwen-Peikert’08] Even smaller T A t T A small, full rank random

  10. Trapdoor Functions [GPV’08] • (A,s,x) As+x is a trapdoor function • Can use to correct errors: • c = As + x • Tc = T(As + x) = Tx mod q • But T,x are small, so Tx << q  (Tc mod q) = Tx • Equality over the integers  T-1(Tc mod q) = x T

  11. Our Cryptosystem

  12. Step 1: Encryption from linear ECCs • Code is the column space of mod q • { As: s Zqn } • Bad representation (PK) is A itself • Given A, hard to distinguish words closeto the code from random words (LWE) • Good representation (SK) is • Can use T to correct errors A T

  13. Step 1: Encryption from linear ECCs • PK: , SK: • Encode plaintext is LSB of error matrix • Plaintext is a binary matrix Bmxm • Enc(A,B): Choose random Smxn, small Emxm • Dec(T,C): Set X  T-1(TC mod q) • Output B = X mod 2 A T X C A S X mod q = + 2E+B

  14. Step 1: Encryption from linear ECCs • Security follows from LWE (for odd q) Thm: LWE  For any B, EncA(B)  random Proof: Given LWE input (A,C’) • Either C’=AS+E or C’ random: • Set C = 2C’+B mod q • If C’=AS+E then C = A(2S) + (2E+B) mod q • A random encryption of B • If C’ is random then so is C

  15. Step 1: Encryption from linear ECCs Additive homomorphism “for free” • C = C1 + C2 = (AS1+(2E1+B1)) + (AS2+(2E2+B2)) = A(S1+S2) + 2(E1+E2)+(B1+B2) mod q • T-1(TC mod q) = X = B1+B2 mod 2 • As long as X <<q S X

  16. Step 2: ECC lives inside a ring • Multiply C1 x C2 mod q? • (AS1+(2E1+B1)) (AS2+(2E2+B2)) = A(…) + (2E1+B1)AS2 + 2(…)+B1B2 mod q • Not what we wanted • Cannot use T to cancel out (2E1+B1)AS2 • Matrix multiplication is not commutative

  17. Step 2: ECC lives inside a ring • How about C = C1 x C2t mod q? • (AS1+(2E1+B1)) (AS2+(2E2+B2))t = A(…) + (…)At + 2(…)+B1B2t mod q • That’s better: • TCTt = TXTt mod q • X = (2E1+B1)(2E2+B2)t is still small  TCTt mod q = TXTt over the integers  T-1(TCTt mod q)(Tt)-1 = X = B1B2t mod 2 X

  18. What Did We Get? T A • KeyGen: Generate • Enc(A, B): CAS + 2E+B mod q • Add(C1,C2): CC1+C2 mod q • Mult(C1,C2): CC1C2t mod q • Dec(T, C): BT-1(TCTt mod q)(Tt)-1 mod 2 • Can decrypt any quadratic formula with polynomially many terms • With appropriate parameters

  19. What Did We Get? T A • KeyGen: Generate • Enc(A, B): CAS + pE+B mod q • Add(C1,C2): CC1+C2 mod q • Mult(C1,C2): CC1C2t mod q • Dec(T, C): BT-1(TCTt mod q)(Tt)-1 mod p • Can decrypt any quadratic formula with polynomially many terms • With appropriate parameters Can replace 2 by any pq

  20. Extensions, Applications • Can apply the [AMGH’10] transformation • Get homomorphism for low-degree polynomials • “Dual Regev encryption” [GPV’08] is a special case of our scheme* • Leakage resilience • IBE • Efficient quadratic-formula homomorphism for polynomials, big-integers * After changing encoding of plaintext

  21. Thank You

  22. 2-of-2 Decryption • Alice has key-pair (A1,T1), Bob has (A2,T2) • Charlie encrypts B1 to Alice, [ C1A1S1+X1 ]q • Dora encrypts B2 to Bob, [ C2A2S2+X2 ]q • Zachariah Sets C* = [ C1 C2t]q • C* looks random to either Alice, Bob • Pulling their keys together they can recover B1B2t • B1B2t = T1-1[T1C*T2t]q (T2t)-1 mod 2 • Can also “blind” C* to hide relation to C1, C2

  23. Multiplying Polynomials • p(x) = p0+p1x+p2x2, q(x) = q0+q1x+q2x2 P= Q= R= PQt+R=

  24. -u- 0 Dual Regev Encryption [GPV’08] • Dual-Regev Cryptosystem is an instanceof our scheme with T = • A different input encoding than [GPV’08] • T is no longer invertible • But can still recover top-left entry in B • It is known to be IBE, leakage-resilient • Still true with new input encoding • And now it supports quadratic formulas

More Related