Field-Switching in Homomorphic Encryption

Craig Gentry, Shai Halevi, Chris Peikert, Nigel P. Smart

HE Over Cyclotomic Rings
  • Denote the field
    • Its ring of integers is
    • Mod- denoted
  • “Native plaintext space” is
  • Ciphertexts, secret-keys are vectors over
  • wrt encrypts if (for representatives in ) we have for small
    • Decryption via
    • Using “appropriate” -bases of




* Not exactly

HE Over Cyclotomic Rings
  • “Native plaintexts” encode vectors of values
    • (more on that later)
  • Homomorphic Operations
    • Addition: encrypts , encoding
    • Multiplication: encrypts , encoding
    • Automorphism: encrypts , encoding some permutation of
      • Relative to key
HE Over Cyclotomic Rings
  • Also a key-switching operation
  • For any two we can publish a key-switching gadget
  • used to translate valid wrt into wrt
    • encrypt the same plaintext

for some small

How Large are ?
  • Ciphertexts are “noisy” (for security)
    • noise grows during homomorphic computation
    • Decryption error if noise grows larger than

Must set “much larger” than initial noise

Security relies on LWE-hardness with very large modulus/noise ratio

Dimension () must be large to get hardness

  • Asymptotically
    • For realistic settings,
Switching to Smaller ?
  • As we compute, the noise grows
    • Ciphertexts have smaller modulus/noise ratio
    • From a security perspective, it becomes permissible to switch to smaller values of
  • How to do this?
  • Not even clear what outcome we want here:
    • Have wrt , encrypting some
    • Want wrt for
      • Encrypting ??
Ring-Switching: The Goal
  • We cannot get since ,
  • We want to be “related” to
    • encodes
    • encodes
  • May want to encode a subset of the ’s?
    • E.g., the first of them
    • Not always possible, only if
  • What relations between the ’s are possible?
Prior Work
  • A limited ring-switching technique was described in [BGV’12]
    • Only for
  • Transforms big-ring into small-ring s.t. (encrypted in ) can be recovered from (encrypted in ).
  • Used only for bootstrapping
Our Transformation: Overview
  • Work for any as long as
  • wrtwrt
  • , encrypt , that encode vectors:
    • ,
    • Necessarily , so a subfield of
  • Each is a -linear function of some ‘s
    • We can choose the linear functions, but not the subset of ‘s that correspond to each
    • If , can use projections (so ’s a subset of ’s)
Our Transformation: Overview


  • Key-switching to map wrtwrt
    • and
    • over the big field, wrt subfield key
  • Compute a small that depends only on the desired linear functions
  • Apply the trace function,
  • Output
Geometry of
  • Use canonical-embedding to associate with a -vector of complex numbers
    • Thinking of as a polynomial, associate with the vector
      • , the principal complex ’th root of unity
      • E.g., if then
  • We can talk about the “size of ”
    • say the or norm of
    • For decryption, the “noise element” must be
Geometry of
  • can be expressed as a vector-space over
    • Similarly over , over , etc.
  • Every -basis induces a transformation

coefficients in element of

    • With canonical embedding on both sides, we have a -linear transformation
  • We want a “good basis”, where is “short” and “nearly orthogonal”
Geometry of
  • Lemma 1: There exists -basis of R for which all the singular values of are nearly the same.
    • Specifically where primes that divide but not
  • The proof follows techniques from [LPR13]; the basis is essentially a tensor of DFT matrices
The Trace Function
  • For ,
    • By definition: if is small then so is
  • is
    • is -linear if ,


  • The trace is a “universal” -linear function:
    • For every -linear function there exists such that
The Trace Function
  • The trace implies also a -linear map , and -linear map
  • Every -linear map can be written as
    • But need not be in
    • More on that later
The Intermediate Trace Function
  • when is an extension of
    • Satisfies
  • Lemma 2: if is small then so is
    • Less trivial than for but still true
  • is a “universal” -linear function:
    • is
    • For every -linear function there exists such that
  • Similarly implies -linear map and -linear map
Some Complications
  • Often we get
  • Also for many linear functions we get where is not in
  • In our setting this will cause problems when we apply the trace to ciphertext elements
    • That’s (one reason) why ciphertexts are not really vectors over
    • Hence the *‘s throughout the slides
The Dual of
  • Instead of , ciphertexts are vectors over the dual
    • , for some
  • We have
    • Also every -linear can be written as for some
    • In the rest of this talk we ignore this point, and pretend that everything is over
Prime Splitting
  • The integer 2 splits over as
      • ranges over
    • is generated by
    • In this talk we assume =1 (i.e., is odd)
    • prime ideals, each
  • Using CRT, each encodes the vector
Prime Splitting
  • Similarly 2 splits over as
    • Again we assume
    • Using CRT, each encodes the vector
  • When then also , , and each split over as a product of some of the ’s
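The slot structure these slides describe can be computed directly. The following is an added example, not code from the talk or its authors: it assumes the standard indexing of the prime ideals above 2 in the m-th cyclotomic ring (m odd) by cosets of ⟨2⟩ in Z_m^*, with the prime for coset i lying over the small-ring prime for coset i mod m'. The parameters m = 91, m' = 7 and all function names are constructed for illustration.

```python
from math import gcd

def order_of_2(m):
    """Multiplicative order d of 2 modulo odd m > 1 (each slot is GF(2^d))."""
    if m < 3 or m % 2 == 0:
        raise ValueError("m must be odd and greater than 1")
    d, x = 1, 2 % m
    while x != 1:
        x = (2 * x) % m
        d += 1
    return d

def slots(m):
    """Cosets of <2> in Z_m^*, keyed by smallest representative.
    One coset corresponds to one prime ideal above 2, i.e. one plaintext slot."""
    d = order_of_2(m)
    seen, out = set(), {}
    for i in range(1, m):
        if gcd(i, m) != 1 or i in seen:
            continue
        coset = frozenset((i * pow(2, k, m)) % m for k in range(d))
        seen |= coset
        out[i] = coset
    return out

def lie_over(m, m_small):
    """Map each small-ring slot (representative) to the big-ring slots above it."""
    if m % m_small != 0:
        raise ValueError("m' must divide m")
    big, small = slots(m), slots(m_small)
    rep_of = {x: r for r, c in small.items() for x in c}
    above = {r: [] for r in small}
    for i in big:
        above[rep_of[i % m_small]].append(i)
    return above

if __name__ == "__main__":
    m, m_small = 91, 7  # constructed parameters, not from the slides
    print("d =", order_of_2(m), " d' =", order_of_2(m_small))
    print("big-ring slots:", sorted(slots(m)))
    for r, reps in lie_over(m, m_small).items():
        print(f"small-ring slot {r} lies under big-ring slots {reps}")
```

Ring-switching can only make a small-ring slot a function of the big-ring slots listed above it, which is why the grouping returned by `lie_over` fixes which subsets of slots can be combined.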
Prime Splitting
  • Example for

[Diagram: three levels of primes, labelled “Lie over”, “Lie over”, “Lie over 2”]


Plaintext-Slot Representation
  • Recall that for all the ’s
    • But the isomorphisms are not unique
  • To fix the isomorphisms:
    • Fix a primitive -th root of unity
    • Fix representatives for all
    • defined via
  • Same for isomorphisms
    • Define by fixing and
Plaintext-Slot Representation
  • Making the ’s and ‘s “consistent”
    • Fix and set
    • Fix , then that lies over , choose s.t.
  • Fact: if lies over and , then
    • In words: for a sub-ring plaintext, the slots mod and all the ’s lie over it, hold the same value
Plaintext-Slot Representation
  • Lemma 3: collection of -linear functions a unique -linear function s.t.


holds and , and

    • The ’s range over all the ’s that lie over
Illustration of Lemma 3
  • s.t. and
  • Can express for some


* Not exactly

Step 1, Key Switching
  • Let (chosen at keygen)
  • Publish a key-switching matrix
  • Given ctxt wrt , use W to get wrt
    • Just plain key-switching in the big ring
    • still over the big ring, but wrt a sub-ring key
    • encrypts the same -element as
Security of Key-Switching
  • Security of usual big-ring key-switching relies on the secret being drawn from
    • Then constrains only LWE-instance over
    • What can we say when it is drawn from ?
  • We devise LWE instances over with secret from , with security relying on LWE in
    • Instead of one small error element in , choose many small elements in , use an -basis of to combine them into a single error element in
-LWE With Secret in
  • Let be any -basis of
  • Given the LWE secret
    • Choose uniform and small
    • Set and output
  • If the basis B is “good” (short, orthogonal) then is not much larger than the ’s
    • This is where we use Lemma 1 ( good basis)
-LWE With Secret in
  • Theorem: If decision-LWE is hard in , then is indistinguishable from uniform in
  • Proof:
    • We can consider for uniform
      • Induces the same uniform distribution on
    • Then we would get .
    • If the were uniform in , then would be uniform in .
Steps 2,3: Ring Switching
  • encrypts wrt
    • encodes a vector
    • We view it as
  • target functions,
    • Want small-ring ciphertext encrypting that encodes
    • For each ,
Steps 2,3: Ring Switching
  • By Lemma 2, that induces the ’s
    • Expressed as for
    • We identify with a short representative in
      • One must exist since 2 is “short”
      • Thus identify with over
    • Further identify as a representative of
  • Apply the trace,
    • Recall that is valid wrt


* Not exactly

  • Recall over
    • For some (with small) and over
  • Thus we have the equalities (over ):
    • encodes the ’s that we want
  • We have
  • This looks like a valid encryption of
  • It remains to show that is short
  • is short (from the input), is short (reduced mod 2)
  • So is short
  • By Lemma 3 also is short
  • We have a general ring-switching technique
    • Converts over to over for
    • The plaintext slots in can contain any linear functions of the slots in
      • A -slot is a function of the -slots that lie above it
    • We may choose projection functions to have contain subset of the slots of
  • Lets us speed up computation by switching to a smaller ring
Epilog: The [AP13] Work

Alperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation of DFT-like transformations:

  • Decompose it to an FFT-like network of “local” linear functions
  • Use ring-switching for each level
  • Then switch back up before the next level

Yields fastest bootstrapping procedure to date