Ring Switching and Bootstrapping FHE
Chris Peikert, School of Computer Science, Georgia Tech
Oberwolfach Crypto Workshop, 29 July 2014
Agenda
1 A homomorphic encryption tool: ring switching
2 An application: (practical!) bootstrapping FHE in $\tilde{O}(\lambda)$ time

Bibliography:
GHPS’12 C. Gentry, S. Halevi, C. Peikert, N. Smart, “Ring Switching in BGV-Style Homomorphic Encryption,” SCN’12 / JCS’13.
AP’13 J. Alperin-Sheriff, C. Peikert, “Practical Bootstrapping in Quasilinear Time,” CRYPTO’13.
Part 1: Ring Switching
Notation
◮ Let $R^{(\ell)} / \cdots / R^{(2)} / R^{(1)} / \mathbb{Z}$ be a tower of cyclotomic ring extensions.
◮ Let’s go slower.
Cyclotomic Rings
◮ Define $\mathcal{O}_k = \mathbb{Z}[\zeta_k]$, where $\zeta_k$ has order $k$ (so $\zeta_k^k = 1$).
  ⋆ $\mathcal{O}_1 = \mathbb{Z}[1] = \mathbb{Z}$. $\mathbb{Z}$-basis $\{1\}$.
  ⋆ $\mathcal{O}_2 = \mathbb{Z}[-1] = \mathbb{Z}$.
  ⋆ $\mathcal{O}_4 \cong \mathbb{Z}[i] \cong \mathbb{Z}[X]/(1 + X^2)$, $\mathbb{Z}$-basis $\{1, \zeta_4\}$.
  ⋆ $\mathcal{O}_3 = \mathbb{Z}[\zeta_3] \cong \mathbb{Z}[X]/(1 + X + X^2)$, $\mathbb{Z}$-basis $\{1, \zeta_3\}$.
  ⋆ $\mathcal{O}_5 = \mathbb{Z}[\zeta_5] \cong \mathbb{Z}[X]/(1 + X + X^2 + X^3 + X^4)$, $\mathbb{Z}$-basis $\{1, \zeta, \zeta^2, \zeta^3\}$.

Facts
1 For prime $p$, $\mathcal{O}_p \cong \mathbb{Z}[X]/(\underbrace{1 + X + \cdots + X^{p-1}}_{\Phi_p(X)})$; $\mathbb{Z}$-basis $\{1, \zeta, \ldots, \zeta^{p-2}\}$.
2 For prime power $p^e$, $\mathcal{O}_{p^e} \cong \mathbb{Z}[X]/(\Phi_p(X^{p^{e-1}}))$; $\mathbb{Z}$-basis $\{1, \zeta, \ldots, \zeta^{\varphi(p^e)-1}\}$.
3 For distinct primes $p_1, p_2, \ldots$, $\mathcal{O}_{p_1^{e_1} p_2^{e_2} \cdots} \cong \mathbb{Z}[X_1, X_2, \ldots]/(\Phi_{p_1}(X_1^{p_1^{e_1-1}}), \Phi_{p_2}(X_2^{p_2^{e_2-1}}), \ldots)$.
Cyclotomic Extensions
◮ If $k \mid k'$, can view $R = \mathbb{Z}[\zeta_k]$ as a subring of $R' = \mathbb{Z}[\zeta_{k'}]$, via $\zeta_k \mapsto \zeta_{k'}^{(k'/k)}$ (still has order $k$).
◮ Example: tower of quadratic extensions $\mathcal{O}_k / \mathcal{O}_{k/2} / \cdots / \mathcal{O}_4 / \mathbb{Z}$:
  $\mathcal{O}_k = \mathcal{O}_{k/2}[\zeta_k]$, with $\zeta_k^2 = \zeta_{k/2}$; $\mathcal{O}_{k/2}$-basis $B'_k = \{1, \zeta_k\}$
  $\vdots$
  $\mathcal{O}_8 = \mathcal{O}_4[\zeta_8]$, with $\zeta_8^2 = \zeta_4$; $\mathcal{O}_4$-basis $B'_8 = \{1, \zeta_8\}$
  $\mathcal{O}_4 = \mathcal{O}_2[\zeta_4]$, with $\zeta_4^2 = \zeta_2$; $\mathcal{O}_2$-basis $B'_4 = \{1, \zeta_4\}$
  $\mathcal{O}_2 = \mathbb{Z}[\zeta_2] = \mathbb{Z}$, with $\zeta_2^2 = 1$; $\mathbb{Z}$-basis $B'_2 = \{1\}$
◮ “Product” $\mathbb{Z}$-basis of $\mathcal{O}_k$: $B_k := B'_k \cdot B_{k/2} = B'_k \cdot B'_{k/2} \cdots B'_2 = \{1, \zeta, \zeta^2, \ldots, \zeta^{k/2-1}\}$.
Cyclotomic Extensions: Trace
◮ If $k \mid k'$, can view $R = \mathbb{Z}[\zeta_k]$ as a subring of $R' = \mathbb{Z}[\zeta_{k'}]$, via $\zeta_k \mapsto \zeta_{k'}^{(k'/k)}$ (still has order $k$).
◮ The trace $\mathrm{Tr} = \mathrm{Tr}_{R'/R} \colon R' \to R$ is a “universal” $R$-linear function:
  1 $R$-linear: for any $r_j \in R$ and $r'_j \in R'$, $\mathrm{Tr}(r_1 \cdot r'_1 + r_2 \cdot r'_2) = r_1 \cdot \mathrm{Tr}(r'_1) + r_2 \cdot \mathrm{Tr}(r'_2)$.
  2 Universal: any $R$-linear function $L \colon R' \to R$ can be written as $L(x) = \mathrm{Tr}(r'_L \cdot x)$ for some $r'_L$ depending only on $L$.
◮ Any $R$-linear function is uniquely defined by its values on an $R$-basis $\{b'_j\}$ of $R'$, and vice versa: $\mathrm{Tr}\big(\sum_j r_j \cdot b'_j\big) = \sum_j r_j \cdot \mathrm{Tr}(b'_j)$.
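The tower embedding of the previous slide and the trace properties above, as an added worked example (not code from the slides). It assumes power-of-two cyclotomics only, $\mathcal{O}_k = \mathbb{Z}[X]/(X^{k/2}+1)$ stored as integer coefficient lists, and computes $\mathrm{Tr}_{R'/R}$ by the usual definition as the sum over the automorphisms $\zeta_{k'} \mapsto \zeta_{k'}^t$ with $t \equiv 1 \pmod k$, which fix $R$.

```python
# Added example: power-of-two cyclotomics O_k = Z[X]/(X^{k/2}+1) as coefficient lists,
# relative trace Tr_{R'/R} as a sum over Gal(R'/R), and the relative basis {1, zeta, ..., zeta^(d-1)}.
import random

def add(a, b):
    return [x + y for x, y in zip(a, b)]

def mul(a, b):
    """Product in O_k (k = 2*len(a)), reducing X^n = -1."""
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return c

def automorphism(a, t):
    """sigma_t: X -> X^t for odd t, i.e. zeta_k -> zeta_k^t, reduced mod X^n + 1."""
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        e = (i * t) % (2 * n)
        c[e % n] += ai if e < n else -ai
    return c

def trace(a, k):
    """Tr_{R'/R}(a), R' = O_{k'} with k' = 2*len(a), R = O_k, k | k': sum over t odd, t = 1 mod k."""
    kp, total = 2 * len(a), [0] * len(a)
    for t in range(1, kp, k):          # t = 1, 1+k, 1+2k, ... (all odd since k is even)
        total = add(total, automorphism(a, t))
    return total

def embed(r, kp):
    """View r in O_k (k = 2*len(r)) inside O_{k'} via zeta_k -> zeta_{k'}^(k'/k)."""
    d, c = kp // (2 * len(r)), [0] * (kp // 2)
    for i, ri in enumerate(r):
        c[i * d] = ri
    return c

def relative_coords(a, k):
    """a = sum_j a_j * zeta_{k'}^j over the R-basis {1, ..., zeta_{k'}^(d-1)}, d = k'/k; returns the a_j in O_k."""
    n, d = len(a), 2 * len(a) // k
    return [[a[j + d * i] for i in range(n // d)] for j in range(d)]

def check_trace(k, kp, seed=1):
    """Random-element check of R-linearity and of Tr(sum_j r_j b'_j) = sum_j r_j Tr(b'_j), which
    here reads Tr(a) = d * a_0 because Tr(1) = d and Tr(zeta_{k'}^j) = 0 for 0 < j < d."""
    rng, d = random.Random(seed), kp // k
    rand = lambda n: [rng.randint(-9, 9) for _ in range(n)]
    r1, r2 = embed(rand(k // 2), kp), embed(rand(k // 2), kp)
    a1, a2 = rand(kp // 2), rand(kp // 2)
    linear = trace(add(mul(r1, a1), mul(r2, a2)), k) == add(mul(r1, trace(a1, k)), mul(r2, trace(a2, k)))
    basis = trace(a1, k) == embed([d * x for x in relative_coords(a1, k)[0]], kp)
    return linear and basis
```

Running `check_trace(4, 16)` exercises the step $\mathcal{O}_{16} / \mathcal{O}_4$ of the tower; the trace lands in the embedded copy of $\mathcal{O}_4$ and equals $d$ times the coordinate of $a$ on the basis element $1$.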
Homomorphic Encryption over Rings [LPR’10,BV’11,BGV’12]
◮ Let $R := \mathcal{O}_k$, e.g., $\mathbb{Z}[X]/(1 + X^{k/2})$ for $k$ a power of 2. Denote $R_q := R/qR = \mathbb{Z}_q[X]/(1 + X^{k/2})$ for any integer $q$.
◮ Plaintext ring is $R_2$, ciphertext ring is $R_q$ for some $q \gg 2$.