P OLYNOMIAL PLAINTEXT MODULUS [CLPX18] Replace t by X b : = Z / b n - PowerPoint PPT Presentation

E FFICIENTLY PROCESSING COMPLEX - VALUED DATA IN HOMOMORPHIC ENCRYPTION C. Bootland, W. Castryck, I. Iliashenko and F . Vercauteren M ATHCRYPT 2018, A UG 19, 2018

H OMOMORPHIC ENCRYPTION ct ( msg 1 ) ⋆ ct ( msg 2 ) = ct ( msg 1 ∗ msg 2 ) 1/18

H OMOMORPHIC ENCRYPTION ct ( msg 1 ) ⋆ ct ( msg 2 ) = ct ( msg 1 ∗ msg 2 ) Most schemes ( BGV , Bra − FV , HEAAN ) are defined over R q = Z [ X ] / � q, X n + 1 � . and based on Decision Ring-LWE $ Sample a ← − R q , secret s ← χ k and noise e ← χ e . Compute b = a · s + e. Distinguish ( b, a ) ∈ R 2 q from a uniformly random pair. 1/18

H OMOMORPHIC ENCRYPTION General approach: Encrypt ( msg ∈ P ⊆ R q ) : ct = ( msg , 0) + ( b, a ) Evaluate ( ct , . . . ) = ct ′ Decrypt ( ct ′ ∈ R 2 q ) : ct ′ [0] − ct ′ [1] · s = msg ′ + e ′ → msg ′ � e ′ � < B , where B depends on P . 2/18

H OMOMORPHIC ENCRYPTION General approach: Encrypt ( msg ∈ P ⊆ R q ) : ct = ( msg , 0) + ( b, a ) Evaluate ( ct , . . . ) = ct ′ Decrypt ( ct ′ ∈ R 2 q ) : ct ′ [0] − ct ′ [1] · s = msg ′ + e ′ → msg ′ � e ′ � < B , where B depends on P . Typical choice: Ciphertext : R q = Z [ X ] / � q, X n + 1 � with q ≃ poly ( n ) Plaintext : R t = Z [ X ] / � t, X n + 1 � for some t ≥ 2 and t ≪ q Coefficient representatives are taken in [ q/ 2 , q/ 2) and [ t/ 2 , t/ 2) , respectively. 2/18

D ATA ENCODING Z → R t ( Bra − FV , BGV ) : 0 . . . 0 a 0 0 0 0 0 0 [ a ] t – Bijective as long as | a | < t/ 2 . 3/18

D ATA ENCODING Z → R t ( Bra − FV , BGV ) : 0 . . . 0 a 0 0 0 0 0 0 [ a ] t – Bijective as long as | a | < t/ 2 . Q → R t ( Bra − FV , BGV ) : [ – a – 1 ] t . . . [ – a – f ] t 0 . . . . . . a 0 a – 1 . . . a – f . . . a i 0 [ a i ] t [ a 0 ] t int. part frac. part – Bijective as long as plaintext coefficients < t/ 2 and i + f < n . 3/18

D ATA ENCODING Z → R t ( Bra − FV , BGV ) : 0 . . . 0 a 0 0 0 0 0 0 [ a ] t – Bijective as long as | a | < t/ 2 . Q → R t ( Bra − FV , BGV ) : [ – a – 1 ] t . . . [ – a – f ] t 0 . . . . . . a 0 a – 1 . . . a – f . . . a i 0 [ a i ] t [ a 0 ] t int. part frac. part – Bijective as long as plaintext coefficients < t/ 2 and i + f < n . C n/ 2 → R (HEAAN) : � FFT − 1 ( a 1 , . . . , a n/ 2 , a n/ 2 , . . . , a 1 ) ∗ � ( a 1 , . . . , a n/ 2 ) �→ * with primitive roots of unity and scaling – Introduces approximation error. 3/18

P OLYNOMIAL PLAINTEXT MODULUS [CLPX18] Replace t by X − b : = Z / � b n + 1 � . R X − b = R/ � X − b � ∼ 4/18

P OLYNOMIAL PLAINTEXT MODULUS [CLPX18] Replace t by X − b : = Z / � b n + 1 � . R X − b = R/ � X − b � ∼ Encoding: Z → R X − b : a �→ small a ( x ) ≡ a mod ( X − b ) 4/18

P OLYNOMIAL PLAINTEXT MODULUS [CLPX18] Replace t by X − b : = Z / � b n + 1 � . R X − b = R/ � X − b � ∼ Encoding: Z → R X − b : a �→ small a ( x ) ≡ a mod ( X − b ) + Bijective as long as | a | ≤ ( b n + 1) / 2 (often exponential!). + Noise depends on b (can be just 2!). – Not applicable to BGV: q i ’s must be in Θ( b n + 1) . 4/18

G OING FURTHER : ARBITRARY PLAINTEXT MODULUS ? R g ( X ) = R/ � g ( X ) � ∼ =??? 5/18

G OING FURTHER : ARBITRARY PLAINTEXT MODULUS ? R g ( X ) = R/ � g ( X ) � ∼ =??? If g ( X ) = X 2 + b , � b n/ 2 + 1 , X 2 + b � R g ( X ) ∼ = Z [ X ] / . 5/18

G OING FURTHER : ARBITRARY PLAINTEXT MODULUS ? R g ( X ) = R/ � g ( X ) � ∼ =??? If g ( X ) = X 2 + b , � b n/ 2 + 1 , X 2 + b � R g ( X ) ∼ = Z [ X ] / . Moreover, if b ≡ α 2 mod ( b n/ 2 + 1) , the map i �→ α − 1 · X defines an isomorphism � b n/ 2 + 1 � R g ( X ) ∼ = Z [ i ] / . 5/18

G OING FURTHER : ARBITRARY PLAINTEXT MODULUS ? R g ( X ) = R/ � g ( X ) � ∼ =??? If g ( X ) = X 2 + b , � b n/ 2 + 1 , X 2 + b � R g ( X ) ∼ = Z [ X ] / . Moreover, if b ≡ α 2 mod ( b n/ 2 + 1) , the map i �→ α − 1 · X defines an isomorphism � b n/ 2 + 1 � R g ( X ) ∼ = Z [ i ] / . We can encode big Gaussian integers! 5/18

G ENERALIZATION TO CYCLOTOMIC INTEGERS Use g ( X ) = X m + b with b ≡ α m mod ( b n/m + 1) , then � b n/m + 1 � ∼ Z [ ζ 2 m ] / = R X m + b . 6/18

G ENERALIZATION TO CYCLOTOMIC INTEGERS Use g ( X ) = X m + b with b ≡ α m mod ( b n/m + 1) , then � b n/m + 1 � ∼ Z [ ζ 2 m ] / = R X m + b . Encoding: 1. Encode 2 m -th roots of unity: a i · α − i · X i a i · ζ i � 2 m �→ � i<m i<m 6/18

G ENERALIZATION TO CYCLOTOMIC INTEGERS Use g ( X ) = X m + b with b ≡ α m mod ( b n/m + 1) , then � b n/m + 1 � ∼ Z [ ζ 2 m ] / = R X m + b . Encoding: 1. Encode 2 m -th roots of unity: a i · α − i · X i a i · ζ i � 2 m �→ � i<m i<m 2. Expand coefficients in base b : a i · α − i X i �→ � c ij b j X i � � i<m i<m j<n/m 6/18

G ENERALIZATION TO CYCLOTOMIC INTEGERS Use g ( X ) = X m + b with b ≡ α m mod ( b n/m + 1) , then � b n/m + 1 � ∼ Z [ ζ 2 m ] / = R X m + b . Encoding: 1. Encode 2 m -th roots of unity: a i · α − i · X i a i · ζ i � 2 m �→ � i<m i<m 2. Expand coefficients in base b : a i · α − i X i �→ � c ij b j X i � � i<m i<m j<n/m 3. Use b ≡ − X m mod ( X m + b ) j c ij b j X i �→ � c ij ( − X ) mj X i � � � i i j 6/18

G ENERALIZATION TO CYCLOTOMIC INTEGERS Use g ( X ) = X m + b with b ≡ α m mod ( b n/m + 1) , then � b n/m + 1 � ∼ Z [ ζ 2 m ] / = R X m + b . Encoding: 1. Encode 2 m -th roots of unity: a i · α − i · X i a i · ζ i � 2 m �→ � i<m i<m 2. Expand coefficients in base b : a i · α − i X i �→ � c ij b j X i � � i<m i<m j<n/m 3. Use b ≡ − X m mod ( X m + b ) j c ij b j X i �→ � c ij ( − X ) mj X i � � � i i j As a result, | c ij | ≤ ⌊ ( b + 1) / 2 ⌋ . 6/18

G ENERALIZATION TO C YCLOTOMIC I NTEGERS Decoding: 1. Reduction modulo X m + b c i X i �→ � c i X i mod ( X m + b ) � i<n i<n 7/18

G ENERALIZATION TO C YCLOTOMIC I NTEGERS Decoding: 1. Reduction modulo X m + b c i X i �→ � c i X i mod ( X m + b ) � i<n i<n 2. Decode 2 m -th roots of unity: i X i �→ � i α i ζ i � c ′ c ′ 2 m i<m i<m 7/18

G ENERALIZATION TO C YCLOTOMIC I NTEGERS Decoding: 1. Reduction modulo X m + b c i X i �→ � c i X i mod ( X m + b ) � i<n i<n 2. Decode 2 m -th roots of unity: i X i �→ � i α i ζ i � c ′ c ′ 2 m i<m i<m i α i in � � b n/m / 2 � � b n/m / 2 �� 3. Take a representative of c ′ − , 7/18

H OW TO CHOOSE b ? If b = 2 m/ 2 , then α ≡ b n/ 4 m ( b n/ 2 m − 1) mod ( b n/m + 1) . 8/18

H OW TO CHOOSE b ? If b = 2 m/ 2 , then α ≡ b n/ 4 m ( b n/ 2 m − 1) mod ( b n/m + 1) . If an odd b satisfies b ≡ α m mod ( b n/m + 1) , then b ≡ ± 1 mod 4 m. 8/18

H OW TO CHOOSE b ? If b = 2 m/ 2 , then α ≡ b n/ 4 m ( b n/ 2 m − 1) mod ( b n/m + 1) . If an odd b satisfies b ≡ α m mod ( b n/m + 1) , then b ≡ ± 1 mod 4 m. Finding b requires factorization of generalized Fermat numbers. 8/18

H OW TO ENCODE ARBITRARY COMPLEX NUMBERS ? Z [ ζ 2 m ] → R X m + b 9/18

H OW TO ENCODE ARBITRARY COMPLEX NUMBERS ? C ? − → Z [ ζ 2 m ] → R X m + b 9/18

H OW TO ENCODE ARBITRARY COMPLEX NUMBERS ? C ? − → Z [ ζ 2 m ] → R X m + b Fractional encoding [CLPX18] approximates C → P + i · P , where P ⊂ Q encodes elements of P to Z b n/ 2 +1 (i.e. m = 2 ) Integer coefficient approximation [CSV17] solves a CVP instance in the lattice Z [ ζ 2 m ] 9/18

F RACTIONAL ENCODING Encoding � d � 1. Choose P = c + ⊂ Q with c, d ∈ Z b n/ 4 | c | , | d | ≤ b n/ 4 − 1 , for even b 2 | c | ≤ ( b n/ 4 − 1 − 1) b ; | d | ≤ ( b n/ 4 − 1) b 2( b − 1) , for odd b 2( b − 1) 10/18

F RACTIONAL ENCODING Encoding � d � 1. Choose P = c + ⊂ Q with c, d ∈ Z b n/ 4 | c | , | d | ≤ b n/ 4 − 1 , for even b 2 | c | ≤ ( b n/ 4 − 1 − 1) b ; | d | ≤ ( b n/ 4 − 1) b 2( b − 1) , for odd b 2( b − 1) 2. Approximate z ∈ C to some x 0 y 0 + i · x 1 y 1 with x 0 y 0 , x 1 y 1 ∈ P . 10/18

F RACTIONAL ENCODING Encoding � d � 1. Choose P = c + ⊂ Q with c, d ∈ Z b n/ 4 | c | , | d | ≤ b n/ 4 − 1 , for even b 2 | c | ≤ ( b n/ 4 − 1 − 1) b ; | d | ≤ ( b n/ 4 − 1) b 2( b − 1) , for odd b 2( b − 1) 2. Approximate z ∈ C to some x 0 y 0 + i · x 1 y 1 with x 0 y 0 , x 1 y 1 ∈ P . 3. Encode � x 0 � � x 1 � x 0 + i · x 1 � b n/ 2 + 1 � �→ + i · ∈ Z [ i ] / . y 0 y 1 y 0 y 1 b n/ 2 +1 b n/ 2 +1 10/18