How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos´ e VIAL PRADO December 10, 2014 Ph.D. advisor : Louis GOUBIN
Introduction Gentry’s IL scheme Other FHE schemes Open questions This talk Introduction Gentry’s Ideal Lattices scheme Further advances, others schemes and open problems Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Fully Homomorphic Encryption Question : “Is it possible to compute blindfolded?” Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Fully Homomorphic Encryption Question : “Is it possible to compute blindfolded?” Example : A public-key cryptosystem E verifying : ∀ a , b ∈ P ( E ), a + b = D E (E E ( a ) + E E ( b )) , a × b = D E (E E ( a ) × E E ( b )) . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Formal definition Def. 1 : A homomorphic scheme is a public-key scheme E with four PPT algorithms : KeyGen : λ �→ ( sk , pk ); Enc : ( m , pk ) �→ c ; Dec : ( c , sk ) �→ m ; Eval :( C , c 1 , . . . , c n , pk ) �→ m . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Formal definition Def. 1 : A homomorphic scheme is a public-key scheme E with four PPT algorithms : KeyGen : λ �→ ( sk , pk ); Enc : ( m , pk ) �→ c ; Dec : ( c , sk ) �→ m ; Eval :( C , c 1 , . . . , c n , pk ) �→ m . Def. 2 : A homomorphic scheme is correct for a set of circuits C if, for every circuit in C , ψ ← Eval ( C , ψ 1 , . . . , ψ n , pk ) ⇒ Dec ( ψ, sk ) = C ( π 1 , . . . , π n ) where ψ i = Enc ( π i , pk ) , i = 1 , . . . , n . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions A Fully Homomorphic Scheme is a homomorphic scheme that is correct for all circuits. Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Starting point Let I be an ideal of some ring R , m ∈ R the message. Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Starting point Let I be an ideal of some ring R , m ∈ R the message. Encryption : Enc ( m ) = m + xI for some x ∈ R . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Search an ideal I that allows Random sampling from α + I , α ∈ R . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Search an ideal I that allows Random sampling from α + I , α ∈ R . Noise annihilation m + xI �→ m . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Search an ideal I that allows Random sampling from α + I , α ∈ R . Noise annihilation m + xI �→ m . And strong security properties. Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Ideals + lattices = Ideal lattices Let R = Z [ X ] / ( X n + 1) where n is a power of 2, and consider the mapping α : R → Z n , α ( v 0 + v 1 X + · · · + v n − 1 X n − 1 ) = ( v 0 , v 1 , · · · , v n − 1 ) Let I = ( P ( X )) be a principal ideal of R : Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Ideals + lattices = Ideal lattices Let R = Z [ X ] / ( X n + 1) where n is a power of 2, and consider the mapping α : R → Z n , α ( v 0 + v 1 X + · · · + v n − 1 X n − 1 ) = ( v 0 , v 1 , · · · , v n − 1 ) Let I = ( P ( X )) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α , i.e. L = α ( I ). Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Ideals + lattices = Ideal lattices Let R = Z [ X ] / ( X n + 1) where n is a power of 2, and consider the mapping α : R → Z n , α ( v 0 + v 1 X + · · · + v n − 1 X n − 1 ) = ( v 0 , v 1 , · · · , v n − 1 ) Let I = ( P ( X )) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α , i.e. L = α ( I ). For instance, if n = 3, α ((2 + X )) is generated by � α (2 + X ) , α ( X (2 + X )) , α ( X 2 (2 + X )) � . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Ideals + lattices = Ideal lattices Let R = Z [ X ] / ( X n + 1) where n is a power of 2, and consider the mapping α : R → Z n , α ( v 0 + v 1 X + · · · + v n − 1 X n − 1 ) = ( v 0 , v 1 , · · · , v n − 1 ) Let I = ( P ( X )) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α , i.e. L = α ( I ). For instance, if n = 3, α ((2 + X )) is generated by � α (2 + X ) , α ( X (2 + X )) , α ( X 2 (2 + X )) � . 2 0 − 1 . I.e., the columns of 1 2 0 0 1 2 Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Operations in an ideal lattice Let L be an ideal lattice with base B L = { b 1 , . . . , b n } . Define x i b i ∈ R n ; x i ∈ [ − 1 / 2 , 1 / 2) � P ( B L ) = . i ≤ n Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Operations in an ideal lattice Let L be an ideal lattice with base B L = { b 1 , . . . , b n } . Define x i b i ∈ R n ; x i ∈ [ − 1 / 2 , 1 / 2) � P ( B L ) = . i ≤ n Base reduction in Z n : x mod B L = x − B L ⌊ B − 1 L x ⌉ ∈ P ( B L ) Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Operations in an ideal lattice Let L be an ideal lattice with base B L = { b 1 , . . . , b n } . Define x i b i ∈ R n ; x i ∈ [ − 1 / 2 , 1 / 2) � P ( B L ) = . i ≤ n Base reduction in Z n : x mod B L = x − B L ⌊ B − 1 L x ⌉ ∈ P ( B L ) Addition in Z n : ( x , y ) �→ x + y Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Operations in an ideal lattice Let L be an ideal lattice with base B L = { b 1 , . . . , b n } . Define x i b i ∈ R n ; x i ∈ [ − 1 / 2 , 1 / 2) � P ( B L ) = . i ≤ n Base reduction in Z n : x mod B L = x − B L ⌊ B − 1 L x ⌉ ∈ P ( B L ) Addition in Z n : ( x , y ) �→ x + y Product in Z n : ( x , y ) �→ α ( x ( X ) × y ( X )) Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution J , B pk Let J be an ideal lattice, generated by two bases B sk J . P ⊆ { 0 , 1 } n , pk = { B pk J } , sk = { B sk J } Let Samp ( π ) be a (bounded) random algorithm that samples from π + 2 Z n . Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution Encryption : π Samp � − − − − → � π +2 � e Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution Encryption : mod B pk π Samp � J � − − − − → � π +2 � − − − − − − → � π +2 � e + i . e Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution Encryption : mod B pk π Samp � J � − − − − → � π +2 � − − − − − − → � π +2 � e + i . e Decryption : mod B sk � → � � J i ′ ψ − − − − − − ψ − Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Gentry’s solution Encryption : mod B pk π Samp � J � − − − − → � π +2 � − − − − − − → � π +2 � e + i . e Decryption : mod B sk mod 2 � → � � � i ′ − � J i ′ 2 e ′ . ψ − − − − − − ψ − − − − → � π − Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Introduction Gentry’s IL scheme Other FHE schemes Open questions Homomorphic properties e + i , ψ ′ = � π ′ + 2 � e ′ + i ′ π + 2 � ψ = � Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE
Recommend
More recommend
