CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption - PowerPoint PPT Presentation

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30

Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . . , E ( m k )) The homomorphic computation consists to compute E ( f ( m 1 , m 2 , . . . , m k )) without decryption. A scheme that can homomorphically evaluate all function is said Fully Homomorphic 2 / 30

Model of computations 1 Binary, circuit computations 2 Integer arithmetic 3 Approximated (Fixed-point) computations 3 / 30

Geometry of the ciphertext Plan Geometry of the ciphertext 1 The Chimera framework 2 4 / 30

Geometry of the ciphertext Integer/Real/Complex polynomials R Z = Z [ X ] / ( X N + 1) : the ring of polynomials with integer coefficients module X N + 1 R R = R [ X ] / ( X N + 1) : the ring of polynomials with real coefficients modulo X N + 1 R C = C [ X ] / ( X N + 1) : the ring of polynomials with complex coefficients modulo X N + 1 Examples (Real): N = 2 (1 . 2 + 2 . 3 X ) · (3 . 2 + 4 . 1 X ) = 3 . 84 + 12 . 28 X + 9 . 43 X 2 = 12 . 28 X − 5 . 59 mod ( X 2 + 1) ( R Z , + , × ), ( R R , + , × ) and ( R C , + , × ) are well defined as Ring ✔ ( R Z , + ), ( R R , + ) and ( R C , + ) are groups ✔ It is a Ring: x × y is defined! 5 / 30

Geometry of the ciphertext Torus T and Torus polynomials T R ( T , + , · ) = R mod 1 is a Z -module ( · : Z × T → T a valid external product) ✔ It is a group x + y mod 1 , and − x mod 1 ✔ It is a Z -module: 0 · 1 2 = 0 is defined! ✘ It is not a Ring: 0 × 1 2 is not defined! 0 3 1 4 4 1 2 ( T R , + , · ) is a R Z -module Here, R Z = Z [ X ] mod ( X N + 1) And T R = R [ X ] mod ( X N + 1) mod 1 6 / 30

Geometry of the ciphertext Torus T and Torus polynomials T R ( T , + , · ) = R mod 1 is a Z -module ( · : Z × T → T a valid external product) ✔ It is a group x + y mod 1 , and − x mod 1 ✔ It is a Z -module: 0 · 1 2 = 0 is defined! ✘ It is not a Ring: 0 × 1 2 is not defined! 0 3 1 4 4 1 2 ( T R , + , · ) is a R Z -module Here, R Z = Z [ X ] mod ( X N + 1) And T R = R [ X ] mod ( X N + 1) mod 1 6 / 30

Geometry of the ciphertext Torus T and Torus polynomials T R ( T , + , · ) = R mod 1 is a Z -module ( · : Z × T → T a valid external product) ✔ It is a group x + y mod 1 , and − x mod 1 ✔ It is a Z -module: 0 · 1 2 = 0 is defined! ✘ It is not a Ring: 0 × 1 2 is not defined! 0 3 1 4 4 1 2 ( T R , + , · ) is a R Z -module Here, R Z = Z [ X ] mod ( X N + 1) And T R = R [ X ] mod ( X N + 1) mod 1 6 / 30

Geometry of the ciphertext Torus T and Torus polynomials T R ( T , + , · ) = R mod 1 is a Z -module ( · : Z × T → T a valid external product) ✔ It is a group x + y mod 1 , and − x mod 1 ✔ It is a Z -module: 0 · 1 2 = 0 is defined! ✘ It is not a Ring: 0 × 1 2 is not defined! 0 3 1 4 4 1 2 ( T R , + , · ) is a R Z -module Here, R Z = Z [ X ] mod ( X N + 1) And T R = R [ X ] mod ( X N + 1) mod 1 6 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) 2 / 3 1 / 3 0 Example: M = { 0 , 1 / 3 , 2 / 3 } mod 1 µ = 1 / 3 mod 1 ∈ M 7 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) message ciphertext key lin. combin. product TLWE T 2 / 3 1 / 3 0 ( , ϕ ) Example: M = { 0 , 1 / 3 , 2 / 3 } mod 1 µ = 1 / 3 mod 1 ∈ M ϕ = µ + Gaussian Error 1 Random tag a ∈ T n 2 7 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) message ciphertext key lin. combin. product T n +1 TLWE T secret key : s ∈ { 0 , 1 } n 2 / 3 1 / 3 a 0 ( a , ϕ ) Example: M = { 0 , 1 / 3 , 2 / 3 } mod 1 µ = 1 / 3 mod 1 ∈ M ϕ = µ + Gaussian Error 1 Random tag a ∈ T n 2 7 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) message ciphertext key lin. combin. product T n +1 TLWE T secret key : s ∈ { 0 , 1 } n b = s · a + ϕ 2 / 3 1 / 3 a a 0 ( a , ϕ ) ( a , b ) Example: M = { 0 , 1 / 3 , 2 / 3 } mod 1 µ = 1 / 3 mod 1 ∈ M ϕ = µ + Gaussian Error 1 Random tag a ∈ T n 2 7 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) message ciphertext key lin. combin. product T n +1 B n TLWE T secret key : s ∈ { 0 , 1 } n 2 / 3 1 / 3 a a ϕ = b − s · a 0 ( a , ϕ ) ( a , b ) Example: M = { 0 , 1 / 3 , 2 / 3 } mod 1 µ = 1 / 3 mod 1 ∈ M Unlock the representation ( a , ϕ ) 1 Round ϕ to the nearest message µ ∈ M 2 7 / 30

Geometry of the ciphertext LWE Encryption over the torus ( T = R / Z = R mod 1 ) message ciphertext key lin. combin. product T n +1 B n TLWE T secret key : s ∈ { 0 , 1 } n 2 / 3 1 / 3 a a ϕ = b − s · a 0 ( a , ϕ ) ( a , b ) Unlock the representation ( a , ϕ ) 1 Round ϕ to the nearest message µ ∈ M 2 7 / 30

Geometry of the ciphertext LWE Encryption over the torus message ciphertext key lin. combin. product T n +1 B n TLWE T T k +1 B k TRLWE T R R a ′′ = x · a + y · a ′ x y a ′ = a ′′ a + b ′′ = x · b + y · b ′ b b ′ b ′′ x a + y a ′ = a ′′ ϕ ′′ = x · ϕ + y · ϕ ′ ϕ ϕ ′ ϕ ′′ α ′′ 2 = x 2 α 2 + y 2 α ′ 2 α = stdev( ϕ ) α ′ α ′′ 8 / 30

Geometry of the ciphertext LWE Encryption over the torus message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R a ′′ = x · a + y · a ′ x y a ′ = a ′′ a + b ′′ = x · b + y · b ′ b b ′ b ′′ x a + y a ′ = a ′′ ϕ ′′ = x · ϕ + y · ϕ ′ ϕ ϕ ′ ϕ ′′ α ′′ 2 = x 2 α 2 + y 2 α ′ 2 α = stdev( ϕ ) α ′ α ′′ 8 / 30

Geometry of the ciphertext message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE TR(GSW) ciphertexts of µ ∈ R Z   TRLWE K ( K · µ 2 ) TRLWE K ( K · µ 4 )   TRLWE K ( K · µ  8 )  TRGSW ( µ ) =   TRLWE K (1 · µ 2 )   TRLWE K (1 · µ   4 ) TRLWE K (1 · µ 8 ) Internal Product (classical) : ⊠ : TRGSW × TRGSW − → TRGSW (Ring Structure) 1 External product (Asiacrypt 2016) : ⊡ : TRGSW × TRLWE − → TRLWE (Module Structure) 2 ( µ A , µ b ) �− → µ A · µ b ( ǫ A , ǫ b ) �− → || µ A || 1 ∗ ǫ b + O ( ǫ A ) If || µ A || 1 = 1 the noise propagation is linear! 9 / 30

Geometry of the ciphertext message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE ✔ ✔ TR(GSW) ciphertexts of µ ∈ R Z   TRLWE K ( K · µ 2 ) TRLWE K ( K · µ 4 )   TRLWE K ( K · µ  8 )  TRGSW ( µ ) =   TRLWE K (1 · µ 2 )   TRLWE K (1 · µ   4 ) TRLWE K (1 · µ 8 ) Internal Product (classical) : ⊠ : TRGSW × TRGSW − → TRGSW (Ring Structure) 1 External product (Asiacrypt 2016) : ⊡ : TRGSW × TRLWE − → TRLWE (Module Structure) 2 ( µ A , µ b ) �− → µ A · µ b ( ǫ A , ǫ b ) �− → || µ A || 1 ∗ ǫ b + O ( ǫ A ) If || µ A || 1 = 1 the noise propagation is linear! 9 / 30

Geometry of the ciphertext message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE ✔ ✔ TR(GSW) ciphertexts of µ ∈ R Z   TRLWE K ( K · µ 2 ) TRLWE K ( K · µ 4 )   TRLWE K ( K · µ  8 )  TRGSW ( µ ) =   TRLWE K (1 · µ 2 )   TRLWE K (1 · µ   4 ) TRLWE K (1 · µ 8 ) Internal Product (classical) : ⊠ : TRGSW × TRGSW − → TRGSW (Ring Structure) 1 External product (Asiacrypt 2016) : ⊡ : TRGSW × TRLWE − → TRLWE (Module Structure) 2 ( µ A , µ b ) �− → µ A · µ b ( ǫ A , ǫ b ) �− → || µ A || 1 ∗ ǫ b + O ( ǫ A ) If || µ A || 1 = 1 the noise propagation is linear! 9 / 30

Geometry of the ciphertext Homomorphic scheme message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE ✔ ✔ (Gate) Bootstrapping TLWE T + Key Extract Switching* Circuit Bootstrapping T R * Change the key and TRLWE evaluate morphisms (private or public) + External product TRLWE ⊡ Key switching R Z Z TRGSW + , ⊠ 10 / 30

Geometry of the ciphertext Homomorphic scheme message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE ✔ ✔ (Gate) Bootstrapping TLWE T + Key Extract Switching* Circuit Bootstrapping T R * Change the key and TRLWE evaluate morphisms (private or public) + External product TRLWE ⊡ Key switching R Z Z TRGSW + , ⊠ 10 / 30

Geometry of the ciphertext Homomorphic scheme message ciphertext key lin. combin. product T n +1 B n TLWE T ✔ ✘ T k +1 B k TRLWE T R ✔ ✘ R B k TRGSW R Z ℓ -vector of TRLWE ✔ ✔ (Gate) Bootstrapping TLWE T + Key Extract Switching* Circuit Bootstrapping T R * Change the key and TRLWE evaluate morphisms (private or public) + External product TRLWE ⊡ Key switching R Z Z TRGSW + , ⊠ 10 / 30