Field-Switching in Homomorphic Encryption

1 / 37

# Field-Switching in Homomorphic Encryption - PowerPoint PPT Presentation

Field-Switching in Homomorphic Encryption. Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart. HE Over Cyclotomic Rings. Denote the field Its ring of integers is M od- denoted “ N ative plaintext space” is Ciphertexts , secret-keys are vectors over

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Field-Switching in Homomorphic Encryption' - yule

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Field-Switching inHomomorphic Encryption

Craig GentryShaiHaleviChris PeikertNigel P. Smart

HE Over Cyclotomic Rings
• Denote the field
• Its ring of integers is
• Mod- denoted
• “Native plaintext space” is
• Ciphertexts, secret-keys are vectors over
• wrt encrypts if (for representatives in ) we have for small
• Decryption via
• Using “appropriate” -bases of

*

*

*

* Not exactly

HE Over Cyclotomic Rings
• “Native plaintexts” encode vectors of values
• (more on that later)
• Homomorphic Operations
• Multiplication: encrypts , encoding
• Automorphism:encrypts , encoding some permutation of
• Relative to key
HE Over Cyclotomic Rings
• Also a key-switching operation
• For any two we can publish akey-switching gadget
• used to translate valid wrt into wrt
• encrypt the same plaintext

for some small

How Large are ?
• Ciphertexts are “noisy” (for security)
• noise grows during homomorphic computation
• Decryption error if noise grows larger than

Must set “much larger” than initial noise

Security relies on LWE-hardness with very large modulus/noise ratio

Dimension () must be large to get hardness

• Asymptotically
• For realistic settings,
Switching to Smaller ?
• As we compute, the noise grows
• Cipehrtexts have smaller modulus/noise ratio
• From a security perspective, it becomes permissible to switch to smaller values of
• How to do this?
• Not even clear what outcome we want here:
• Have wrt , encrypting some
• Want wrt for
• Encrypting ??
Ring-Switching: The Goal
• We cannot get since ,
• We want to be “related” to
• encodes
• encodes
• May want to encode a subset of the ’s?
• E.g., the first of them
• Not always possible, only if
• What relations between the ’s are possible?
Prior Work
• A limited ring-switching technique was described in [BGV’12]
• Only for
• Transforms big-ring into small-rings.t. (encrypted in ) can be recovered from (encrypted in ).
• Used only for bootstrapping
Our Transformation: Overview
• Work for any as long as
• wrtwrt
• , encrypt , that encode vectors:
• ,
• Necessarily , so a subfield of
• Each is a -linear function of some ‘s
• We can choose the linear functions, but not the subset of ‘s that correspond to each
• If , can use projections (so ’s a subset of ’s)
Our Transformation: Overview

Denote

• Key-switching to map wrtwrt
• and
• over the big field, wrt subfield key
• Compute a small that depends only on the desired linear functions
• Apply the trace function,
• Output
Geometry of
• Use canonical-embedding to associate with a -vector of complex numbers
• Thinking of as a polynomial, associate with the vector
• , the principal complex ’th root of unity
• E.g., if then
• We can talk about the “size of ”
• say the or norm of
• For decryption, the “noise element” must be
Geometry of
• can be expressed as a vector-space over
• Similarly over , over , etc.
• Every -basis induces a transformation

coefficients in element of

• With canonical embedding on both sides, we havea-linear transformation
• We want a “good basis”, where is “short”and “nearly orthogonal”
Geometry of
• Lemma 1: There exists -basis of R for which all the singular values of are nearly the same.
• Specifically where primes that divide but not
• The proof follows techniques from [LPR13],the basis is essentially a tensor of DFT matrices
The Trace Function
• For ,
• By definition: if is small then so is
• is
• is -linear if ,

and

• The trace is a “universal” -linear function:
• For every -linear function there exists such that
The Trace Function
• The trace Implies also a -linear map , and -linear map
• Every -linear map can be written as
• But need not be in
• More on that later
The Intermediate Trace Function
• when is an extension of
• Satisfies
• Lemma 2: if is small then so is
• Less trivial than for but still true
• is a “universal” -linear function:
• is
• For every -linear function there exists such that
• Similarly implies -linear map and -linear map
Some Complications
• Often we get
• Also for many linear functions we get where is not in
• In our setting this will cause problems when we apply the trace to ciphertext elements
• That’s (one reason) why ciphertexts are not really vectors over
• Hence the *‘s throughout the slides
The Dual of
• Instead of , ciphertext are vectors over the dual
• , for some
• We have
• Also every -linear can be written as for some
• In the rest of this talk we ignore this point, and pretend that everything is over
Prime Splitting
• The integer 2 splits over as
• ranges over
• is generated by
• In this talk we assume =1 (i.e., is odd)
• prime ideals, each
• Using CRT, each encodes the vector
Prime Splitting
• Similarly 2 splits over as
• Again we assume
• Using CRT, each encodes the vector
• When then also , , and each split over as a product of some of the ’s
Prime Splitting
• Example for

Lie over

Lie over

Lie over 2

2

Plaintext-Slot Representation
• Recall that for all the ’s
• But the isomorphisms are not unique
• To fix the isomorphisms:
• Fix a primitive -th root of unity
• Fix representatives for all
• defined via
• Same for isomorphisms
• Define by fixing and
Plaintext-Slot Representation
• Making the ’s and ‘s “consistent”
• Fix and set
• Fix , then that lies over ,choose s.t.
• Fact: if lies over and , then
• In words: for a sub-ring plaintext, the slots mod and all the ’s lie over it, hold the same value
Plaintext-Slot Representation
• Lemma 3: collection of -linear functions a unique -linear function s.t.

=

holds and , and

• The ’s range over all the ’s that lie over
Illustration of Lemma 3
• s.t. and
• Can express for some

*

* Not exactly

Step 1, Key Switching
• Let (chosen at keygen)
• Publish a key-switching matrix
• Given ctxtwrt, use W to get wrt
• Just plain key-switching in the big ring
• still over the big ring, but wrt a sub-ring key
• encrypts the same -element as
Security of Key-Swicthing
• Security of usual big-ring key-switching relies on the secret being drawn from
• Then constrains only LWE-instance over
• What can we say when it is drawn from ?
• We devise LWE instances over with secret from , with security relying on LWE in
• Instead of one small error element in , choose many small elements in ,use an -basis of to combine them into a single error element in
-LWE With Secret in
• Let be any -basis of
• Given the LWE secret
• Choose uniform and small
• Set and output
• If the basis B is “good” (short, orthogonal) then is not much larger than the ’s
• This is where we use Lemma 1 ( good basis)
-LWE With Secret in
• Theorem: If decision-LWE is hard in , then is indistinguishable from uniform in
• Proof:
• We can consider for uniform
• Induces the same uniform distribution on
• Then we would get .
• If the were uniform in , then would be uniform in .
Steps 2,3: Ring Switching
• encrypts wrt
• encodes a vector
• We view it as
• target functions,
• Want small-ring ciphertext encrypting that encodes
• For each ,
Steps 2,3: Ring Switching
• By Lemma 2, that induces the ’s
• Expressed as for
• We identify with a short representative in
• One must exists since 2 is “short”
• Thus identify with over
• Further identify as a representative of
• Apply the trace,
• Recall that is valid wrt

*

* Not exactly

Correctness
• Recall over
• For some (with small) and over
• Thus we have the equalities (over ):
• encodes the ’s that we want
Correctness
• We have
• This looks like a valid encryption of
• It remains to show that is short
• is short (from the input), is short (reduced mod 2)
• So is short
• By Lemma 3 also is short
Conclusions
• We have a general ring-switching technique
• Converts over to over for
• The plaintext slots in can contain any linear functions of the slots in
• A -slot is a function of the -slots that lie above it
• We may choose projection functions to have contain subset of the slots of
• Lets us to speed up computation by switching to a smaller ring
Epilog: The [AP13] Work

Alperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation of DFT-like transformations:

• Decompose it to an FFT-like network of “local” linear functions
• Use ring-switching for each level
• Then switch back up before the next level

Yields fastest bootstrapping procedure to date