FIELD-SWITCHING IN HOMOMORPHIC ENCRYPTION
Craig Gentry, Shai Halevi, Chris Peikert, Nigel P. Smart
HE Over Cyclotomic Rings
- Denote the field $K_m = \mathbb{Q}(\zeta_m) \cong \mathbb{Q}[X]/(\Phi_m(X))$
  - Its ring of integers is $R_m = \mathbb{Z}[\zeta_m] \cong \mathbb{Z}[X]/(\Phi_m(X))$
  - Mod $q$ it is denoted $R_{m,q} = R_m/qR_m \cong \mathbb{Z}_q[X]/(\Phi_m(X))$
- "Native plaintext space" is $R_{m,2}$
- Ciphertexts and secret keys are vectors over $R_{m,q}$*
- $c$ wrt $s$ encrypts $a$ if (for representatives in $R_m$*) we have $\langle c, s\rangle = 2e + a \pmod q$ for small $e$
  - Decryption: reduce $\langle c, s\rangle$ mod $q$, then mod 2, to recover $a$
  - Using "appropriate" $\mathbb{Z}$-bases of $R_{m,2}$, $R_{m,q}$*
* Not exactly
HE Over Cyclotomic Rings
- "Native plaintexts" encode vectors of values
  - $a \in R_{m,2} \mapsto (\alpha_1, \dots, \alpha_\ell) \in GF(2^d)^\ell$ (more on that later)
- Homomorphic operations
  - Addition: $c \oplus c'$ encrypts $a + a' \in R_{m,2}$, encoding $(\alpha_1 + \alpha'_1, \dots, \alpha_\ell + \alpha'_\ell)$
  - Multiplication: $c \times c'$ encrypts $a \times a' \in R_{m,2}$, encoding $(\alpha_1 \times \alpha'_1, \dots, \alpha_\ell \times \alpha'_\ell)$
  - Automorphism: $c(X^u)$ encrypts $a(X^u) \in R_{m,2}$, encoding some permutation of $(\alpha_1, \dots, \alpha_\ell)$
    - Relative to the key $s(X^u)$
HE Over Cyclotomic Rings
- Also a key-switching operation
- For any two $\mathfrak{s}, \mathfrak{s}' \in (R_{m,q})^2$ we can publish a key-switching gadget $W[s \to s']$
- $W$ is used to translate a valid $c$ wrt $\mathfrak{s}$ into $c'$ wrt $\mathfrak{s}'$
  - $c, c'$ encrypt the same plaintext: $\langle c, s\rangle = \langle c', s'\rangle + 2e \pmod q$ for some small $e$
How Large are $q$, $n$?
- Ciphertexts are "noisy" (for security)
  - The noise grows during homomorphic computation
  - Decryption error if the noise grows larger than $q$
- Must set $q$ "much larger" than the initial noise
- Security relies on LWE-hardness with a very large modulus/noise ratio
- Dimension ($n$) must be large to get hardness
  - Asymptotically ๐ = ๐๐๐๐ง๐๐๐ ๐, ๐ = Ω
  - For realistic settings, ๐ โ 1000, ๐ > 10000
Switching to Smaller $n$?
- As we compute, the noise grows
  - Ciphertexts have a smaller modulus/noise ratio
  - From a security perspective, it becomes permissible to switch to smaller values of $n$
- How to do this?
- Not even clear what outcome we want here:
  - Have $c$ wrt $s \in (R_{m,q})^2$, encrypting some $a \in R_{m,2}$
  - Want $c'$ wrt $s' \in (R_{m',q})^2$ for $m' < m$
    - Encrypting $a' \in R_{m',2}$??
Ring-Switching: The Goal
- We cannot get $a' = a$ since $a' \in R_{m',2}$, $a \in R_{m,2}$
- We want $a'$ to be "related" to $a$
  - $a \in R_{m,2}$ encodes $(\alpha_1, \dots, \alpha_\ell) \in GF(2^d)^\ell$
  - $a' \in R_{m',2}$ encodes $(\alpha'_1, \dots, \alpha'_{\ell'}) \in GF(2^{d'})^{\ell'}$
- May want $a'$ to encode a subset of the $\alpha_i$'s?
  - E.g., the first $\ell'$ of them
  - Not always possible, only if $d' = d$
- What relations between the $\alpha'_j$'s and the $\alpha_i$'s are possible?
Prior Work
- A limited ring-switching technique was described in [BGV'12]
  - Only for $m = 2^k$, $m' = 2^{k-1}$
- Transforms the big-ring $c$ into small-ring $c'_i$'s s.t. $a$ (encrypted in $c$) can be recovered from the $a'_i$'s (encrypted in the $c'_i$'s)
- Used only for bootstrapping
Our Transformation: Overview
- Works for any $m, m'$ as long as $m' \mid m$
- $c$ wrt $\mathfrak{s} \in (R_{m,q})^2$
- $c'$ wrt $\mathfrak{s}' \in (R_{m',q})^2$
- $c, c'$ encrypt $a, a'$, which encode vectors:
  - $a \mapsto (\alpha_i) \in GF(2^d)^\ell$, $a' \mapsto (\alpha'_j) \in GF(2^{d'})^{\ell'}$
  - Necessarily $d' \mid d$, so $GF(2^{d'})$ is a subfield of $GF(2^d)$
- Each $\alpha'_j$ is a $GF(2^{d'})$-linear function of some of the $\alpha_i$'s
  - We can choose the linear functions, but not the subset of $\alpha_i$'s that corresponds to each $\alpha'_j$
  - If $d' = d$, we can use projections (so the $\alpha'_j$'s are a subset of the $\alpha_i$'s)
Our Transformation: Overview
Denote $K = K_m$, $R = R_m$, $K' = K_{m'}$, $R' = R_{m'}$.
1. Key-switching to map $c$ wrt $\mathfrak{s} \in R_q^2$ into $c''$ wrt $\mathfrak{s}' \in R'^2_q$
   - $c'' = (c''_0, c''_1)$ is over the big field, wrt the subfield key
2. Compute a small $\theta \in R$ that depends only on the desired linear functions
3. Apply the trace function: $c'_i = \mathrm{Tr}_{K/K'}(\theta \cdot c''_i)$
4. Output $c' = (c'_0, c'_1)$
Algebra
Geometry of $K$
- Use the canonical embedding to associate $v \in K$ with a $\varphi(m)$-vector of complex numbers
  - Thinking of $v = v(X)$ as a polynomial, associate $v$ with the vector $\sigma(v) = (v(\zeta^i))_{i \in \mathbb{Z}_m^*}$
    - $\zeta = e^{2\pi i/m}$, the principal complex $m$-th root of unity
    - E.g., if $v \in \mathbb{Q} \subset K$ then $\sigma(v) = (v, v, \dots, v)$
- We can talk about the "size of $v$"
  - Say the $\ell_2$ or $\ell_\infty$ norm of $\sigma(v)$
  - For decryption, the "noise element" must be $\ll q$
Geometry of $K$, $K'$
- $K$ can be expressed as a vector space over $K'$
  - Similarly $R$ over $R'$, $R_q$ over $R'_q$, etc.
- Every $R'$-basis $B$ induces a transformation $T_B$: coefficients in $R'$ $\mapsto$ element of $R$
  - With the canonical embedding on both sides, we have a $\mathbb{C}$-linear transformation $T_B: \mathbb{C}^{\varphi(m)} \to \mathbb{C}^{\varphi(m)}$
- We want a "good basis", where $T_B$ is "short" and "nearly orthogonal"
Geometry of $K$, $K'$
- Lemma 1: There exists an $R'$-basis $B$ of $R$ for which all the singular values of $T_B$ are nearly the same.
  - Specifically $s_1(T_B) = s_n(T_B) \cdot \sqrt{\mathrm{rad}(m)/\mathrm{rad}(m')}$, where $\mathrm{rad}(m)/\mathrm{rad}(m') = \prod_{\text{primes } p \mid m,\ p \nmid m'} p$
- The proof follows techniques from [LPR13]; the basis $B$ is essentially a tensor of DFT matrices
The Trace Function
- For $v \in K$, $\mathrm{Tr}(v) = \sum_{i \in \mathbb{Z}_m^*} v(\zeta^i)$
  - By definition: if $v$ is small then so is $\mathrm{Tr}(v)$
- $\mathrm{Tr}: K \to \mathbb{Q}$ is $\mathbb{Q}$-linear
  - $L: K \to \mathbb{Q}$ is $\mathbb{Q}$-linear if $\forall v, w \in K$, $r \in \mathbb{Q}$: $L(v) + L(w) = L(v + w)$ and $L(r \cdot v) = r \cdot L(v)$
- The trace is a "universal" $\mathbb{Q}$-linear function:
  - For every $\mathbb{Q}$-linear function $L$ there exists $w \in K$ such that $L(v) = \mathrm{Tr}(w \cdot v)$ $\forall v \in K$
The Trace Function
- The trace also induces a $\mathbb{Z}$-linear map $\mathrm{Tr}: R \to \mathbb{Z}$, and a $\mathbb{Z}_q$-linear map $\mathrm{Tr}: R_q \to \mathbb{Z}_q$
- Every $\mathbb{Z}$-linear map $L: R \to \mathbb{Z}$ can be written as $L(r) = \mathrm{Tr}(w \cdot r)$
  - But $w$ need not be in $R$
  - More on that later
The Intermediate Trace Function
- $\mathrm{Tr}_{K/K'}: K \to K'$ when $K$ is an extension of $K'$
  - Satisfies $\mathrm{Tr}_{K/\mathbb{Q}} = \mathrm{Tr}_{K'/\mathbb{Q}} \circ \mathrm{Tr}_{K/K'}$
- Lemma 2: if $v$ is small then so is $\mathrm{Tr}_{K/K'}(v)$
  - Less trivial than for $\mathrm{Tr}_{K/\mathbb{Q}}$ but still true
- $\mathrm{Tr}_{K/K'}$ is a "universal" $K'$-linear function:
  - $\mathrm{Tr}_{K/K'}: K \to K'$ is $K'$-linear
  - For every $K'$-linear function $L$ there exists $w \in K$ such that $L(v) = \mathrm{Tr}_{K/K'}(w \cdot v)$ $\forall v \in K$
- Similarly induces an $R'$-linear map $\mathrm{Tr}_{K/K'}: R \to R'$ and an $R'_q$-linear map $\mathrm{Tr}_{K/K'}: R_q \to R'_q$
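As an added example (my own code, not from the slides or the paper), the intermediate trace of step 3 of the transformation computed on plaintexts in $R_2 = \mathbb{Z}_2[X]/(\Phi_m(X))$: for $m' \mid m$, $\mathrm{Tr}_{K/K'}(a)$ is the sum of $a(X^k)$ over the $k \in \mathbb{Z}_m^*$ with $k \equiv 1 \pmod{m'}$, so it needs only the automorphisms $X \mapsto X^k$; the code also checks that the result is fixed by every such automorphism, i.e. lies in $R'_2 = \mathbb{Z}_2[\zeta_{m'}]$. All function names are mine, and polynomials over GF(2) are stored as Python ints (bit $i$ is the coefficient of $X^i$).

```python
from math import gcd

def pmul(a, b):
    """Carry-less product: multiplication in GF(2)[X] (ints, bit i = coeff of X^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):
    """Long division in GF(2)[X]: returns (quotient, remainder)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        s = a.bit_length() - 1 - db
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def cyclotomic(m):
    """Phi_m(X) mod 2, from X^m - 1 = prod_{d | m} Phi_d(X) (every division is exact)."""
    phi = (1 << m) | 1
    for d in range(1, m):
        if m % d == 0:
            phi = pdivmod(phi, cyclotomic(d))[0]
    return phi

def compose(a, k, m):
    """The automorphism X -> X^k applied to a, reduced mod Phi_m(X) (so X^m = 1)."""
    phi, r, i = cyclotomic(m), 0, 0
    while a:
        if a & 1:
            r ^= pdivmod(1 << (k * i), phi)[1]
        a, i = a >> 1, i + 1
    return r

def galois(m, mp):
    """Gal(K/K') for m' | m: the k in Z_m^* with k = 1 (mod m')."""
    return [k for k in range(1, m) if gcd(k, m) == 1 and k % mp == 1]

def trace(a, m, mp):
    """Tr_{K/K'}(a) = sum of a(X^k) over Gal(K/K'); the result lies in R'_2."""
    r = 0
    for k in galois(m, mp):
        r ^= compose(a, k, m)
    return r

def in_subring(b, m, mp):
    """b is in R'_2 = Z_2[zeta_{m'}] iff every automorphism of K/K' fixes it."""
    return all(compose(b, k, m) == b for k in galois(m, mp))
```

With $m = 15$, $m' = 5$ the group is $\{1, 11\}$ and $\mathrm{Tr}(X) = X + X^{11} = X^6 = (X^3)^2 \bmod \Phi_{15}$, an element of $\mathbb{Z}_2[\zeta_5]$ since $\zeta_{15}^3 = \zeta_5$. The trace is $R'$-linear, which can be checked by comparing $\mathrm{Tr}(c \cdot a)$ with $c \cdot \mathrm{Tr}(a)$ for $c = X^3$.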
Some Complications
- Often we get $\mathrm{Tr}_{K/K'}(R) \subsetneq R'$
- Also, for many linear functions we get $L(v) = \mathrm{Tr}_{K/K'}(w \cdot v)$ where $w$ is not in $R$
- In our setting this will cause problems when we apply the trace to ciphertext elements
  - That's (one reason) why ciphertexts are not really vectors over $R$
  - Hence the *'s throughout the slides
The Dual of $R$
- Instead of $R$, ciphertexts are vectors over the dual $R^\vee = \{w \in K : \forall r \in R,\ \mathrm{Tr}(rw) \in \mathbb{Z}\}$
  - $R^\vee = R/t$, $R'^\vee = R'/t'$ for some $t \in R$, $t' \in R'$
- We have $\mathrm{Tr}_{K/K'}(R^\vee) = R'^\vee$
  - Also every $R'$-linear $L: R^\vee \to R'^\vee$ can be written as $L(r) = \mathrm{Tr}_{K/K'}(w \cdot r)$ for some $w \in R$
- In the rest of this talk we ignore this point and pretend that everything is over $R$
Prime Splitting
- The integer 2 splits over $R$ as $(2) = \prod_i \mathfrak{p}_i^e$
  - $i$ ranges over $T = \mathbb{Z}_m^*/\langle 2 \rangle$
  - $\mathfrak{p}_i$ is generated by $2$ and $G_i(X) = \prod_{j \in i} (X - \zeta^j)$
  - In this talk we assume $e = 1$ (i.e., $m$ is odd)
  - $\ell = |T|$ prime ideals, each $R/\mathfrak{p}_i \cong GF(2^d)$
  - $R_2 = R/(2) \cong \prod_i R/\mathfrak{p}_i \cong \prod_i GF(2^d)$
- Using CRT, each $a \in R_2$ encodes the vector $(a \bmod \mathfrak{p}_1, \dots, a \bmod \mathfrak{p}_\ell) = (\alpha_1, \dots, \alpha_\ell) \in GF(2^d)^\ell$