
Craig Gentry IBM Watson Bar-Ilan University Dept. of Computer - PowerPoint PPT Presentation

Winter School on Lattice-Based Cryptography and Applications, Bar-Ilan University, Israel, 19/2/2012-22/2/2012. Bar-Ilan University Dept. of Computer Science. Craig Gentry, IBM Watson.


  1. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Dept. of Computer Science Craig Gentry IBM Watson

  2. • Optimizations of Somewhat Homomorphic Encryption (SWHE)
     • Constructions of Fully Homomorphic Encryption (FHE)

     Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012

  3. And Better Management of Ciphertext Noise…

  4. Focusing on the “noise problem”…

  5. • Noisy Polly Cracker Version:
       ◦ Let $\chi$ be an error distribution.
       ◦ Distinguish these distributions:
         ▪ Generate uniform $s \leftarrow \mathbb{Z}_q^n$. For many $i$, generate $e_i \leftarrow \chi$ and a linear polynomial $f_i(x_1, \ldots, x_n) = f_0 + f_1 x_1 + \cdots + f_n x_n$ (from $\mathbb{Z}_q^{n+1}$) such that $[f_i(s_1, \ldots, s_n)]_q = e_i$.
         ▪ For many $i$, generate and output a uniformly random linear polynomial $f_i(x_1, \ldots, x_n)$ (from $\mathbb{Z}_q^{n+1}$).

  6. • Parameters: $q$ such that $\gcd(q, 2) = 1$.
     • KeyGen: Secret = uniform $s \in \mathbb{Z}_q^n$. Public key: linear polys $\{f_i(x_1, \ldots, x_n)\}$ s.t. $[f_i(s)]_q = 2e_i$, $|e_i| \ll q$.
     • Encrypt: Set $g(x_1, \ldots, x_n)$ as a random subset sum of $\{f_i(x_1, \ldots, x_n)\}$. Output $c(x_1, \ldots, x_n) = m + g(x_1, \ldots, x_n)$.
     • Decrypt: $[c(s)]_q = m + (\text{small even})$. Reduce mod 2.
     • ADD and MULT:
       ◦ Output sum or product of ciphertext polynomials.
       ◦ Relinearize / Key-Switch

  7. • ADD: $c(x) = c_1(x) + c_2(x)$.
       ◦ Noise of $c(x)$ – namely, $[c(s)]_q$ – is sum of noises.
     • MULT: $c(x) = c_1(x) \cdot c_2(x)$.
       ◦ Noise $[c(s)]_q$ is product of noises.
       ◦ Sort of… After MULT, there is a “relinearization” step that adds a small amount to the noise.
     • Function $F$: $c(x) \approx F(c_1(x), \ldots, c_t(x))$.
       ◦ Noise $[c(s)]_q \approx F(c_1(s), \ldots, c_t(s))$ – i.e., $F$ applied to noises.
       ◦ Rough approximation:
         ▪ If $F$ has degree $d$ and fresh noises are bounded by $B$, $c(x)$ has noise $B^d$.
         ▪ Noise magnitude increases exponentially with degree.

  8. • SWHE ciphertexts must be large to leave noise “room to grow”.
     • “Noise” grows exponentially with degree. To successfully evaluate a degree-$d$ poly, noise $B \to B^d$ without “wrapping”.
     • So, coefficients of lattice vectors have $> d$ bits.
     • For security, we need it to be hard to $B^{d-1} > 2^d$-approximate lattice problems in $2^k$ time.
     • Requires lattice dim $> d \cdot k$.
     • Total ciphertext length $> d^2 \cdot k$ bits.

  9. • Since total ciphertext length $\approx d^2 \cdot k$ bits, we have SWHE for bounded degree:
     • SWHE for bounded degree: A family of schemes $E^{(d)}$, $d \in \mathbb{Z}$, that for security parameter $k$,
       ◦ $E^{(d)}$ can homomorphically evaluate functions of degree $d$.
       ◦ KeyGen, Enc, Dec, ADD, MULT are all $\mathrm{poly}(k, d)$.
       ◦ Eval has complexity polynomial in $k$, $d$, and circuit size.

     This is the best we can hope for when noise grows exponentially with degree.


  11. • “Leveled FHE” [Gen09]: Relaxation of FHE… A family of schemes $E^{(L)}$, $L \in \mathbb{Z}$, is “leveled fully homomorphic” if, for security parameter $k$,
        ◦ $E^{(L)}$ can homomorphically evaluate circuits of depth $L$,
        ◦ The Dec (decrypt) function is the same for all $L$,
        ◦ KeyGen, Enc, Dec, ADD, MULT are all $\mathrm{poly}(k, L)$.
        ◦ Eval has complexity polynomial in $k$, $L$, and circuit size.
      • Humbler name for it: “SWHE for bounded depth circuits”.

  12. • Our fantasy:
        ◦ Noise doesn’t grow exponentially with degree.
        ◦ There is some simple trick to reduce noise after MULTs.
        ◦ We get better noise management, hence shorter ciphertexts and SWHE for bounded depth.

  13. • Crazy Idea [BV11b, BGV12]:
        ◦ Suppose $c$ encrypts $m$ – that is, $m = [[c(s)]_q]_2$.
        ◦ Let’s pick $p < q$ and set $c^*(x) = (p/q) \cdot c(x)$, rounded.
        ◦ Maybe it is true that:
          ▪ $c^*(x)$ encrypts $m$: $m = [[c^*(s)]_p]_2$ (new inner modulus).
          ▪ $|[c^*(s)]_p| \approx (p/q) \cdot |[c(s)]_q|$ (noise is smaller).
        ◦ This really shouldn’t work…

  14. • Scaling lemma: Let $p < q$ be odd moduli.
        ◦ Given $c$ with $m = [[\langle c, s \rangle]_q]_2$. Set $c' = (p/q)c$. Set $c''$ to be
          ▪ the integer vector closest to $c'$
          ▪ such that $c'' = c \bmod 2$.
        ◦ If $|[\langle c, s \rangle]_q| < q/2 - (q/p) \cdot \ell_1(s)$, then $c''$ is a valid encryption of $m$ with possibly much less noise!
          ▪ $m = [[\langle c'', s \rangle]_p]_2$.
          ▪ $|[\langle c'', s \rangle]_p| < (p/q) \cdot |[\langle c, s \rangle]_q| + \ell_1(s)$, where $\ell_1(s)$ is the $\ell_1$-norm of $s$.

  15. Annotated Proof

      Annotations:
      1. Imagine $\langle c, s \rangle$ is close to $kq$.
      2. Then $\langle c', s \rangle$ is close to $kp$.
      3. $\langle c'', s \rangle$ is close to $kp$ if $s$ is small.

      Proof:
      1. For some $k$, $[\langle c, s \rangle]_q = \langle c, s \rangle - kq$.
      2. $(p/q)[\langle c, s \rangle]_q = \langle c', s \rangle - kp$.
      3. $|\langle c'' - c', s \rangle| < \ell_1(s)$.
      4. Thus, $|\langle c'', s \rangle - kp| < (p/q)\,|[\langle c, s \rangle]_q| + \ell_1(s) < p/2$.
      5. So, $[\langle c'', s \rangle]_p = \langle c'', s \rangle - kp$.
      6. Since $c'' = c$ and $p = q \bmod 2$, we have $[[\langle c'', s \rangle]_p]_2 = [[\langle c, s \rangle]_q]_2$.

      Scaling lemma: Let $p < q$ be odd moduli.
        ◦ Given $c$ with $m = [[\langle c, s \rangle]_q]_2$. Set $c' = (p/q)c$. Set $c''$ to be
          ▪ the integer (ring) vector closest to $c'$ such that $c'' = c \bmod 2$.
        ◦ If $|[\langle c, s \rangle]_q| < q/2 - (q/p) \cdot \ell_1(s)$, then:
          ▪ $c''$ is a valid encryption of $m$ with possibly much less noise!
          ▪ $m = [[\langle c'', s \rangle]_p]_2$, and $|[\langle c'', s \rangle]_p| < (p/q) \cdot |[\langle c, s \rangle]_q| + \ell_1(s)$.

  16. • Example: $q = 127$, $p = 29$, $c = (175, 212)$, $s = (2, 3)$
      • $\langle c, s \rangle \bmod q = 986 - 8 \cdot 127 = -30$
      • $c' = (p/q) \cdot c = (39.9, 48.4)$
        ◦ To get $c''$, we round down both values: $(39, 48)$.
      • $\langle c'', s \rangle \bmod p = 222 - 8 \cdot 29 = -10$
      • $k = 8$ in both cases, and $-30 = -10 \bmod 2$.
      • The noise magnitude decreases from 30 to 10.
        ◦ But relative magnitude increases: $10/29 > 30/127$.

  17. • Recall $|[\langle c'', s \rangle]_p| < (p/q) \cdot |[\langle c, s \rangle]_q| + \ell_1(s)$.
      • Luckily [ACPS 2009] proved that LWE is hard even when $s$ is small
        ◦ chosen from the error distribution $\chi$.
        ◦ So we use this distribution for the secret keys.

  18. • Scaling lemma also holds for LPR10, BV11a.
      • [LPR10]: Ring-LWE encryption scheme can also have small secret keys, from the error distribution $\chi$.

  19. To evaluate a circuit of depth $L$…
      • Start with a large modulus $q_L$ and noise $\eta \ll q_L$.
      • After first MULT, noise grows to $\eta^2$.
      • Switch the modulus to $q_{L-1} \approx q_L / \eta$.
        ◦ Noise reduced to $\eta^2 / \eta \approx \eta$.
      • After next MULT, noise again grows to $\eta^2$. Switch to $q_{L-2} \approx q_{L-1} / \eta$ to reduce the noise to $\eta$.
      • Keep switching moduli after each layer.
        ◦ Setting $q_{i-1} \approx q_i / \eta$. (“Ladder” of decreasing moduli.)
        ◦ Until the last modulus just barely satisfies $q_1 > \eta$.

  20. • Example: $q_9 \approx n^9$ with modulus reduction.

      | | Noise | Modulus |
      |---|---|---|
      | Fresh ciphertexts | $\eta$ | $q_9 = \eta^9$ |
      | Level-1, Degree=2 | $\eta$ | $q_8 = \eta^8$ |
      | Level-2, Degree=4 | $\eta$ | $q_7 = \eta^7$ |
      | Level-3, Degree=8 | $\eta$ | $q_6 = \eta^6$ |
      | Level-4, Degree=16 | $\eta$ | $q_5 = \eta^5$ |
      | Level-5, Degree=32 | $\eta$ | $q_4 = \eta^4$ |
      | Level-6, Degree=64 | $\eta$ | $q_3 = \eta^3$ |
      | Level-7, Degree=128 | $\eta$ | $q_2 = \eta^2$ |
      | Level-8, Degree=256 | $\eta$ | $q_1 = \eta$ |

      2/29/2012

  21. • Example: $q_9 \approx n^9$ with no modulus reduction.

      | | Noise | Modulus |
      |---|---|---|
      | Fresh ciphertexts | $\eta$ | $q_9 = \eta^9$ |
      | Level-1, Degree=2 | $\eta^2$ | $q_9 = \eta^9$ |
      | Level-2, Degree=4 | $\eta^4$ | $q_9 = \eta^9$ |
      | Level-3, Degree=8 | $\eta^8$ | $q_9 = \eta^9$ |
      | Level-4, Degree=16 | $\eta^{16}$ | $q_9 = \eta^9$ |
      | Level-5, Degree=32 | $\eta^{32}$ | |
      | Level-6, Degree=64 | $\eta^{64}$ | |
      | Level-7, Degree=128 | $\eta^{128}$ | |
      | Level-8, Degree=256 | $\eta^{256}$ | |

      Slide callout: “Decryption error”.
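The scaling lemma of slides 14-15, run on the numbers from slide 16 and then on random instances, as an added Python example that is not part of the original slides. The function names, the two-entry vectors and the random ranges are assumptions of this example; the secret is kept nonzero so that the lemma's strict inequality applies.

```python
import random
from fractions import Fraction

def centered(x, q):
    """The slides' [x]_q for odd q: representative in [-(q-1)/2, (q-1)/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def noise(c, s, q):
    """[<c,s>]_q; the plaintext bit is this value mod 2."""
    return centered(sum(ci * si for ci, si in zip(c, s)), q)

def mod_switch(c, q, p):
    """c'': integer vector closest to (p/q)*c with c'' = c (mod 2)."""
    out = []
    for ci in c:
        lo = (p * ci) // q  # floor of (p/q)*ci
        # floor if its parity matches ci, otherwise the next integer up
        out.append(lo if (lo - ci) % 2 == 0 else lo + 1)
    return out

def lemma_applies(c, s, q, p):
    """Precondition |[<c,s>]_q| < q/2 - (q/p)*l1(s), in exact arithmetic."""
    l1 = sum(abs(si) for si in s)
    return abs(noise(c, s, q)) < Fraction(q, 2) - Fraction(q, p) * l1

def check_lemma(q, p, trials=2000, seed=1):
    """Constructed random instances; returns (cases tested, violations)."""
    rng = random.Random(seed)
    tested = bad = 0
    for _ in range(trials):
        s = [rng.choice([-3, -2, -1, 1, 2, 3]) for _ in range(2)]  # small secret
        c = [rng.randrange(-q, 2 * q) for _ in range(2)]
        if not lemma_applies(c, s, q, p):
            continue  # the lemma promises nothing for this ciphertext
        tested += 1
        old, new = noise(c, s, q), noise(mod_switch(c, q, p), s, p)
        bound = Fraction(p, q) * abs(old) + sum(abs(si) for si in s)
        if new % 2 != old % 2 or not abs(new) < bound:
            bad += 1
    return tested, bad

if __name__ == "__main__":
    q, p, c, s = 127, 29, [175, 212], [2, 3]  # values from slide 16
    c2 = mod_switch(c, q, p)
    print(c2, noise(c, s, q), noise(c2, s, p))
    print(check_lemma(q, p))
```

Ciphertexts that fail `lemma_applies` are the ones whose noise is already too close to q/2; switching those can change the decrypted bit.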
