Lattices, Cryptography and Computing with Encrypted Data

Vinod Vaikuntanathan

M.I.T


Decoding Lattices

Decoding Random Linear Codes

[Figure: A · s + e, where e is a “small” error]

Combinatorially nice: Optimal rate etc.

Can we decode efficiently (even in the unique decoding regime)?

Seems very hard!


Decoding Lattices

[Figure: A · s + e, where e is a “small” error]

TODAY: Lattice-based Cryptography


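Learning With Errors (LWE)

(search) $\mathrm{LWE}_{n,q,B}$ [Regev’05]: For random secret $s \in \mathbb{Z}_q^n$

$O_s$: $(a_1,\ b_1 = \langle a_1, s\rangle + e_1),\ (a_2,\ b_2 = \langle a_2, s\rangle + e_2),\ \ldots,\ (a_m,\ b_m = \langle a_m, s\rangle + e_m)$

Find $s$

  • Each pair is a “noisy” random linear equation

  • $a_1$: uniformly random in $\mathbb{Z}_q^n$

  • $e_1$: “small” error, $|e_1| < B$

[Figure: rows $a_1, a_2, \ldots, a_m$ applied to $s$, plus $e$]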

Learning With Errors (LWE)

(decisional) $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$

$O_s$: $(a_1,\ b_1 = \langle a_1, s\rangle + e_1),\ (a_2,\ b_2 = \langle a_2, s\rangle + e_2),\ \ldots,\ (a_m,\ b_m = \langle a_m, s\rangle + e_m)$

$O_{rand}$: $(a_1, u_1),\ (a_2, u_2),\ \ldots,\ (a_m, u_m)$, with $u_i$ random in $\mathbb{Z}_q$

Theorem [Reg05,Pei09]: Decisional LWE as hard as Search


LWE/Lattice-based Cryptography

  • Robust

    • No sub-exponential or quantum attacks

    • Based on worst-case hardness

    • Solve LWE on average ⇒ Solve, in the worst case, approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13]

  • Amazingly Versatile (THIS TALK)

    • Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation, …

    • Only known constructions use lattices


Warmup: Secret-key Encryption

Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s\rangle) \pmod 2$.

Correctness: $b - \langle a, s\rangle = b - \sum_i a[i]\cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$). ⇒ decryption succeeds if $e < q/4$.

[Figure: Message M; C = Enc(sk, M); M = Dec(sk, C); secret key sk on both sides; eavesdropper]

Semantic Security [GM’82]: Encryption of any $M_0$ and $M_1$ are “computationally indistinguishable”


Secret-key Encryption from LWE

  • KeyGen:

    • Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t

  • Bit Encryption $\mathrm{Enc}_{sk}(m)$:

    • Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$

    • The ciphertext $CT = (a,\ b = \langle a, t\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$

  • Decryption $\mathrm{Dec}_{sk}(CT)$: Output $(b - \langle a, t\rangle \bmod q) \bmod 2$.

  • Correctness: $b - \langle a, t\rangle \bmod q = 2e + m \bmod q = 2e + m$ (as long as $|2e+m| < q/2$)

Semantic Security from LWE


Encryption

Message M

All-or-nothing

Have Secret Key, Can Decrypt

No Secret Key, No Go


Fully Homomorphic Encryption

Enc(Data)

Enc(F(Data))

Compute arbitrary functions on encrypted data?

Powerful server / cloud

[Rivest, Adleman and Dertouzos’78]


Fully Homomorphic Encryption

Enc(data), F → Enc(F(data))

[Goldwasser-Micali’82,…]: Additively homomorphic

[El Gamal’85,…]: Multiplicatively homomorphic

Compute arbitrary functions on encrypted data?

[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)

(all known constructions based on lattices)

[Rivest, Adleman and Dertouzos’78]


The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth d = ε log n *

[Figure: EVAL applied to a circuit C of depth d = ε log n]

* (0 < ε < 1 is a constant, and n is the security parameter)


The Big Picture

STEP 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption ⇒ FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

[Figure: EVAL on a circuit C containing the Decryption Circuit Dec (inputs sk and CT, output msg)]


The Big Picture

STEP 1

“Somewhat Homomorphic” (SwHE) Encryption

[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]

Evaluate arithmetic circuits of depth $d = \varepsilon \log n$

STEP 2

“Bootstrapping” Method

“Homomorphic enough” Encryption ⇒ FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

STEP 3

Depth Boosting / Modulus Reduction [BV11b]

Boost the SwHE to depth $d = n^{\varepsilon}$


Additive Homomorphism

Look at Ciphertexts through the Decryption Lens

CT = (a, b): $b - \langle a, t\rangle = 2e + m$

CT’ = (a’, b’): $b' - \langle a', t\rangle = 2e' + m'$

Let $c = (a, b)$, $c' = (a', b')$ and $s = (-t, 1)$:

$\langle c, s\rangle = 2e + m$

$\langle c', s\rangle = 2e' + m'$

Claim: $c_{add} = c + c'$

Proof:

$\langle c + c', s\rangle = 2(e + e') + (m + m')$, with $E = e + e'$

⇒ $\mathrm{Dec}_s(c_{add}) = 2E + (m + m') \pmod 2 = (m + m') \pmod 2$
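
The secret-key scheme and the additive homomorphism above, as an added Python example (not code from the talk); the parameters N, Q, B and all function names are assumptions chosen for illustration and are far too small to be secure. It also shows the failure mode: every addition adds the noise terms, so repeated doubling eventually pushes the value seen through the decryption lens past q/2 and decryption returns the wrong bit.

```python
import random

# Toy parameters (assumptions for illustration; far too small to be secure).
N, Q, B = 8, 2**20 + 1, 4      # dimension n, odd modulus q, noise bound B

def keygen(rng):
    return [rng.randint(-B, B) for _ in range(N)]        # "short" vector t

def enc(t, m, rng):
    a = [rng.randrange(Q) for _ in range(N)]             # uniform a in Z_q^n
    e = rng.randint(-B, B)                               # "short" noise e
    b = (sum(x * y for x, y in zip(a, t)) + 2 * e + m) % Q
    return a + [b]                                       # c = (a, b)

def lens(c, s):
    """<c, s> mod q, centered into (-q/2, q/2]: 2e + m while noise is small."""
    x = sum(u * v for u, v in zip(c, s)) % Q
    return x - Q if x > Q // 2 else x

def dec(c, s):
    return lens(c, s) % 2

def add(c1, c2):
    return [(x + y) % Q for x, y in zip(c1, c2)]         # c_add = c + c'

def xor_table(seed=1):
    """Dec_s(c + c') for every pair of message bits."""
    rng = random.Random(seed)
    t = keygen(rng)
    s = [-x for x in t] + [1]                            # s = (-t, 1)
    return {(m1, m2): dec(add(enc(t, m1, rng), enc(t, m2, rng)), s)
            for m1 in (0, 1) for m2 in (0, 1)}

def doublings_until_failure(seed=1):
    """Add Enc(1) to itself until the noise passes q/2 and Dec is wrong."""
    rng = random.Random(seed)
    t = keygen(rng)
    s = [-x for x in t] + [1]
    c = enc(t, 1, rng)
    start, k = lens(c, s), 0                             # start = 2e + 1
    while True:
        c, k = add(c, c), k + 1                          # encrypts 2^k, i.e. bit 0
        if dec(c, s) != 0:
            return start, k                              # first wrong decryption

if __name__ == "__main__":
    print(xor_table())
    print(doublings_until_failure())
```

`doublings_until_failure` returns the initial lens value 2e + 1 and the first doubling count k at which 2^k·|2e + 1| exceeds q/2.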


Multiplicative Homomorphism

CT = c: $\langle c, s\rangle = 2e + m$

CT’ = c’: $\langle c', s\rangle = 2e' + m'$

Claim: $c_{mult} = \ ?$

$\langle c, s\rangle \cdot \langle c', s\rangle = (2e + m)\cdot(2e' + m') = mm' + 2(em' + e'm + 2ee')$, with $E = em' + e'm + 2ee'$

Quadratic equation in the variables s[i]

Tensor Product:

  • $c \otimes c' = (c[1]\cdot c'[1],\ \ldots,\ c[i]\cdot c'[j],\ \ldots,\ c[n+1]\cdot c'[n+1])$

  • $c, c'$ live in $(n+1)$ dim → $c \otimes c'$ lives in $(n+1)^2$-dim

  • KEY FACT: $\langle c, s\rangle \cdot \langle c', s\rangle = \langle c \otimes c',\ s \otimes s\rangle$

Claim: $c_{mult} = c \otimes c'$

$\langle c \otimes c',\ s \otimes s\rangle = mm' + 2(em' + e'm + 2ee')$

⇒ $\mathrm{Dec}(s \otimes s,\ c_{mult}) = 2E + mm' \pmod 2 = mm' \pmod 2$

Problem: Ciphertext size blows up! ($\mathbb{Z}_q^{n+1} \to \mathbb{Z}_q^{(n+1)^2}$)


Multiplicative Homomorphism

$\langle c_{mult},\ s \otimes s\rangle = 2E + mm'$

Key Idea [BV’11]: Relinearization

Find linear functions of s (or, of new secret s’) that represent these quadratic func.

New KeyGen:

  • Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’).

  • Evaluation key evk: $\forall i,j.\ \mathrm{Enc}_{t'}(s[i]\,s[j])$

    • Sample $A_{i,j}$, $E_{i,j}$

    • $\forall i,j.\ (A_{i,j},\ B_{i,j} = \langle A_{i,j}, t'\rangle + 2E_{i,j} + s[i]\,s[j])$

    • $\forall i,j.\ B_{i,j} - \langle A_{i,j}, t'\rangle = 2E_{i,j} + s[i]\,s[j]$

    • $\forall i,j.\ \langle C_{i,j}, s'\rangle \approx s[i]\,s[j]$ (denoting $s' = (-t', 1)$ and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before); left side: linear fn (in s’), right side: quadratic fn (in s)

LWE Security still holds.

Cheating Alert

Plug back into quadratic equation:

$\langle \sum_{i,j} c_{mult}[i,j] \cdot C_{i,j},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$

Linear in s’.

Homomorphic Mult:

  • First compute $c_{mult} = c \otimes c'$

  • Compute and output $\sum_{i,j} c_{mult}[i,j] \cdot C_{i,j}$

    (where $C_{i,j}$ are from the evaluation key)
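
Relinearization as an added Python example (not code from the talk or from [BV’11]); the toy parameters and all function names are assumptions. With `bits=1` it computes the slide's sum of c_mult[i,j]·C_{i,j} literally, so each evaluation-key noise E_{i,j} is multiplied by an arbitrary element of Z_q; with `bits=LOGQ` the evaluation key encrypts 2^k·s[i]s[j] and is weighted by the bits of c_mult[i,j], a decomposition step that is not on the slides and is added here so that the key noise only enters with 0/1 weights.

```python
import random

# Toy parameters (assumed for illustration; far too small to be secure).
N, Q, B = 4, 2**20 + 1, 2
LOGQ = Q.bit_length()                      # 21 bits cover every value in Z_q

def lens(c, s):
    """<c, s> mod q, centered into (-q/2, q/2]."""
    x = sum(u * v for u, v in zip(c, s)) % Q
    return x - Q if x > Q // 2 else x

def enc(t, x, rng):
    """(a, b = <a, t> + 2e + x) for any x in Z_q."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    return a + [(sum(u * v for u, v in zip(a, t)) + 2 * e + x) % Q]

def make_evk(s, t2, rng, bits):
    """evk[i][j][k] encrypts 2^k * s[i]*s[j] under t'; bits=1 is the slide's C_ij."""
    return [[[enc(t2, (si * sj << k) % Q, rng) for k in range(bits)]
             for sj in s] for si in s]

def mult(c1, c2, evk, bits):
    """Tensor c1 and c2, then relinearize to an (n+1)-dim ciphertext under s'."""
    out = [0] * (N + 1)
    for i, x in enumerate(c1):
        for j, y in enumerate(c2):
            h = x * y % Q                  # c_mult[i, j]
            ws = [h] if bits == 1 else [(h >> k) & 1 for k in range(bits)]
            for w, C in zip(ws, evk[i][j]):
                out = [(o + w * v) % Q for o, v in zip(out, C)]
    return out

def wrong_products(bits, trials=40, seed=7):
    """Count trials where Dec_{s'}(mult(Enc(m), Enc(m'))) != m * m'."""
    rng = random.Random(seed)
    t = [rng.randint(-B, B) for _ in range(N)]
    t2 = [rng.randint(-B, B) for _ in range(N)]
    s, s2 = [-x for x in t] + [1], [-x for x in t2] + [1]
    evk = make_evk(s, t2, rng, bits)
    bad = 0
    for _ in range(trials):
        m1, m2 = rng.randint(0, 1), rng.randint(0, 1)
        c = mult(enc(t, m1, rng), enc(t, m2, rng), evk, bits)
        bad += lens(c, s2) % 2 != m1 * m2
    return bad

if __name__ == "__main__":
    print("literal:", wrong_products(1), "bit-decomposed:", wrong_products(LOGQ))
```

With these parameters the bit-decomposed noise is at most 2·(N+1)²·LOGQ·B + 25, far below q/2, so every product decrypts correctly; the literal form wraps around q and decrypts essentially at random.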


The Reservoir Analogy

(How homomorphic is this?)

  • Additive Homomorphism: $\xi \to 2\xi$

  • Mult. Homomorphism: $\xi \to \xi^2 + n^2 B \log q$

  • AFTER d LEVELS: noise B → ~ ξ2 (worst case)

[Figure: reservoir with levels noise = 0, initial noise = ξ, and noise = q/2; labels: Correctness, Security]


Bootstrapping

Bootstrapping Theorem [Gen09]

  • If you can homomorphically evaluate depth d circuits (you have a d-HE) and

  • the depth of your decryption circuit < d

  • ⇒ FHE


Bootstrapping

“Homomorphic enough” Encryption ⇒ FHE

Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)

Bootstrapping Theorem [Gen09]

d-HE with decryption depth < d ⇒ FHE

Say $n(B_{dec})^2 < q/2$

[Figure: reservoir with levels noise = 0, noise = $B_{dec}$, and noise = q/2]


Bootstrapping: How

“Best Possible” Noise Reduction = Decryption!

But the evaluator does not have SK!

[Figure: Decryption Circuit Dec with inputs CT (“Very Noisy” ciphertext) and SK, output m (“Noiseless ciphertext”)]


Bootstrapping, Concretely

Next Best = Homomorphic Decryption!

Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”)

[Figure: Dec evaluated on CT (Noise = $B_{input}$) and $\mathrm{Enc}_{PK}(SK)$, producing $\mathrm{Enc}_{PK}(m)$ with Noise = $B_{dec}$]

$B_{dec}$ independent of $B_{input}$


Boosting Depth from log n to $n^{\varepsilon}$

(in one slide)

  • The Culprit: Multiplication

    • Increases error from B to about $B^2$

  • Let us pause for a moment: Is $B^2 > B$?

    • Not if B < 1!

  • Why not scale ciphertexts by q and work over [0,1)?

    • Quite amazingly, this works out and gives us an error growth of B → nB

    • Error grows singly exponentially with circuit depth


Lattices are awesome!

BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]

One-way functions, hash functions, public-key encryption

ADVANCED CRYPTO

[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]

Trapdoor functions, Identity-based Encryption, secure computation

THIS TALK

[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]

Fully Homomorphic Encryption

[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]

Attribute-based and Functional Encryption

[Garg-GHRSW’13] Program Obfuscation