Sparse-secret Ring-LWE in FHE: Is It Really Needed? Ilia Iliashenko (joint work with Hao Chen, Kim Laine, Yongsoo Song) Lattice Coding & Crypto Meeting, Royal Holloway 20 Nov
Learning with Errors (LWE) π = π© β π + π 0Γ2 is uniformly random, π β β€ / 0 and π β β€ / 0 is small. π© β β€ / Decision: distinguish between (π©, π) and uniformly random (π΅, π) . Search: find π .
Sample π and π coefficient-wise π π π π β¦ π π6π π = π© β π + π Uniformly random π 8 over 0,1 0 . Uniformly random π < over β1,0,1 0 . 0 . Uniformly random π / over β€ / 0 . Discrete Gaussian π / over β€ /
Hardness of LWE π π π π β¦ π π6π π = π© β π + π Uniformly random π 8 over 0,1 0 . Uniformly random π < over β1,0,1 0 . 0 . Uniformly random π / over β€ / 0 . Discrete Gaussian π / over β€ / π β π / , or π 8 , or π / LWE is as hard as classical lattice problems (GapSVP, DGS) π β π / with π β Ξ© π
Sparse-secret LWE π π π π β¦ π π6π π = π© β π + π Uniformly random π 8 over 0,1 0 . Uniformly random π < over β1,0,1 0 . 0 . Uniformly random π / over β€ / 0 . Discrete Gaussian π / over β€ / π β π < β : π₯π’ π = β ??? π β π /
Ring-LWE π π βπ π6π β¦ π π π π π = β π + π π π π π β¦ β¦ π π6π π π6π
Ring-LWE: $b = a \cdot s + e$, where $a, b, s, e \in R_q = \mathbb{Z}[X]/(q, X^n + 1)$ ($n$ must be a power of two)
Hardness of Ring-LWE: $b = a \cdot s + e$, where $a, b, s, e \in R_q = \mathbb{Z}[X]/(q, X^n + 1)$ ($n$ must be a power of two). π‘ β π / or π / Ring-LWE is at least as hard as SIVP
Attacks on sparse-secret LWE: Albrecht, Eurocrypt'17; Albrecht et al., Asiacrypt'17; Cheon et al., IEEE Access'19; Curtis and Player, WAHC'19; Cheon and Son, WAHC'19; …
Efficient FHE schemes need sparse secrets for bootstrapping (diagram labels: plaintext, computation, bootstrapping, noise). Bootstrapping performs decryption homomorphically.
Efficient FHE schemes need sparse secrets for bootstrapping
Multiplicative depth of bootstrapping depends on π₯π’ π‘ :
• FV: log π₯π’ π‘ + log(log π₯π’ π‘ + log π’)
• BGV: log π₯π’ π‘ + log π’
Reference: Chen and Han, Eurocrypt'18
TFHE bootstrapping does not have this dependency.
Approximate HE ππ’ π Z β ππ’ π 8 = ππ’ β π Z β π 8
Approximate HE (HEAAN/CKKS). Idea: consider ciphertext noise as a part of a message: $\mathrm{Decrypt}(\mathrm{ct}) = m + e \approx m$. Reference: Cheon et al., Asiacrypt'17
HEAAN bootstrapping (diagram labels: computation, Mult, plaintext, noise, undecryptable)
HEAAN bootstrapping (diagram labels: computation, bootstrapping, plaintext, noise)
HEAAN "bootstrapping" (diagram labels: bootstrapping; plaintext is lost)
HEAAN "bootstrapping" (diagram labels: bootstrapping; plaintext is lost)
Correctness of Homomorphic Encryption: HE scheme πΉ is correct for a circuit π· if for any plaintexts π Z , … , π k it holds: if ct = Evaluate e (π·, Enc π Z , … , Enc π k ), then Dec e ππ’ = π· π Z , … , π k .
Bootstrappable Encryption Scheme: Let π· e be the set of circuits that πΉ can compactly and correctly evaluate. We say that πΉ is bootstrappable with respect to gate Ξ if πΈππ e Ξ β π· e .
HEAAN works with complex vectors β 0 β 0/8 π¨ Z π¨ 8 β¦ π¨ 0/8 π¨ Z β¦ π¨ 0/8 π¨ 0/8 β¦ π¨ Z s Inverse DFT* π u π 06Z β¦ β β β¦ β β Ξ β π€ u Ξ β π€ 06Z π€ u β¦ π€ 06Z β 0 π / *with primitive roots of unity
How to encode less than π/2 values? β { β€[π] π u π Z π 8{6Z β¦ π¨ Z π¨ 8 β¦ π¨ { π€ u π€ Z β¦ π€ 8{6Z π must divide n /2 π β¦ π 0/8{ π (0/8{)(8{6Z) π u π 0/8{ π€ u 0 β¦ π€ Z β¦ π€ 8{6Z β¦ 0 π /
Decoding π u π 06Z π u π 06Z computation ~ ~ π u β¦ π 06Z π u β¦ π 06Z DFT* 1/β ~ β ~ β π π + π π β ~ β π π/π + π π/π β π¨ Z β¦ β π¨ 0/8 β¦ *with primitive roots of unity
Rotation of encoded vectors π u π u π 06Z π 06Z π β π β β¦ π / π u β¦ π 06Z π u β¦ π 06Z β β/8 π¨ β β‘Z π¨ β β‘8 β¦ π¨ β π¨ Z π¨ 8 β¦ π¨ 0/8
Rotation of encoded vectors π u π u π 06Z π 06Z π β π β Λ π / π u β¦ π 06Z π u β¦ π 06Z β { π¨ Z π¨ 8 β¦ π¨ { π¨ Z π¨ 8 β¦ π¨ { Ε Rotations by ππ slots are automorphisms of π fixing π ~ = β€ π βΉΛ /(π, π 0 + 1) , π ~ β π.
Key generation, encryption and decryption Key generation π / π < (β) π / π β π + π‘ β = π secret key public key
Key generation, encryption and decryption Key generation Encryption Given a public key ππ and an encoding π β π / compute π / π / π < π / π < (β) π / π + π£ β ππ β’ + π u π£ β ππ β’ + π Z π u π Z π β π + π‘ β = π secret key public key
Key generation, encryption and decryption Key generation Encryption Given a public key ππ and an encoding π β π / compute π / π / π < π / π < (β) π / π + π£ β ππ β’ + π u π£ β ππ β’ + π Z π u π Z π β π + π‘ β = π Decryption secret key public key Given a secret key π‘ and a ciphertext ππ’ = (π u , π Z ) compute ππ’ π‘ / = π u + π Z β π‘ mod π = π + π noise
Rescaling Let Ξ divide π . π / π //β π u Ξ , π Z π u , π Z Ξ π¦ 8 β π¨ Z π¦ β π¨ Z π¦ 8 β π¨ 8 π¦ β π¨ 8 β 0/8 β¦ β¦ π¦ 8 β π¨ 0/8 π¦ β π¨ 0/8
HEAAN bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ 8{ 8 π π β¦ π π6π ππ’ β π / / Input 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
CKKS bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ β π½ π β π 8{ 8 π π β¦ π π6π ππ’ β π / Input 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
CKKS bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ β π½ π β π 8{ 8 π π β¦ π π6π ππ’ β π / Input 0 8 , π u > π 8{ + π½ π β π ππ’ β π Ε‘ βΊ π π ModRaise Ε‘ βΊ 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
CKKS bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ β π½ π β π 8{ 8 π π β¦ π π6π ππ’ β π / Input 0 8 , π u > π 8{ + π½ π β π ππ’ β π Ε‘ βΊ π π ModRaise Ε‘ βΊ 0 0 8 ππ’ Z β π Ε‘ β’ SubSum 8{ + π½ π 8{ β π β π π Ε‘ β’ 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
CKKS bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ β π½ π β π 8{ 8 π π β¦ π π6π ππ’ β π / Input 0 8 , π u > π 8{ + π½ π β π ππ’ β π Ε‘ βΊ π π ModRaise Ε‘ βΊ 0 8 ππ’ Z β π Ε‘ β’ SubSum β π’(π 8{ ) Ε‘ β’ 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
CKKS bootstrapping Ciphertext Plaintext Cleartext vector 0 π π = ππ’ π‘ β π½ π β π 8{ 8 π π β¦ π π6π ππ’ β π / Input 0 8 , π u > π 8{ + π½ π β π ππ’ β π Ε‘ βΊ π π ModRaise Ε‘ βΊ 0 8 ππ’ Z β π Ε‘ β’ SubSum β π’(π 8{ ) Ε‘ β’ 8 ππ’ 8 β π Ε‘ βΉ CoefToSlot (inverse DFT) π π β¦ π ππ6π 0 8 , πβ² > π π π β¦ π π6π β π(π 8{ ) ππ’β² β π / β Output
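The ModRaise step on the bootstrapping slides, and the earlier statement that bootstrapping cost depends on the Hamming weight of the secret, can be checked numerically. The following is an added example, not code from the talk: a toy symmetric Ring-LWE encryption in $\mathbb{Z}[X]/(q, X^n + 1)$ that decrypts without reducing mod $q$ and returns the integer overflow polynomial $I$ in $c_0 + c_1 \cdot s = (m + e) + q \cdot I$. Parameter values, function names and the bounded-uniform error are assumptions; for a ternary secret with $h$ nonzero coefficients, each coefficient of $I$ has absolute value at most $(h+1)/2$.

```python
import random

N = 64           # ring degree n (power of two); toy size, assumed
Q = 1 << 30      # small ciphertext modulus q before ModRaise, assumed
DELTA = 1 << 10  # message scale, keeps |m + e| far below q/2

def negacyclic_mul(a, b):
    """Product in Z[X]/(X^n + 1) over the integers (X^n wraps to -1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] += ai * bj
            else:
                out[k - N] -= ai * bj
    return out

def centered(x, q=Q):
    """Representative of x mod q in [-q/2, q/2)."""
    r = x % q
    return r - q if r >= q // 2 else r

def ternary_secret(rng, h):
    """Ternary secret with exactly h nonzero coefficients (Hamming weight h)."""
    s = [0] * N
    for i in rng.sample(range(N), h):
        s[i] = rng.choice((-1, 1))
    return s

def encrypt(rng, s, m):
    """Symmetric Ring-LWE encryption: c0 + c1*s = m + e (mod q)."""
    c1 = [centered(rng.randrange(Q)) for _ in range(N)]
    e = [rng.randint(-3, 3) for _ in range(N)]  # stand-in for a discrete Gaussian
    c1s = negacyclic_mul(c1, s)
    c0 = [centered(mi + ei - x) for mi, ei, x in zip(m, e, c1s)]
    return c0, c1

def mod_raise_overflow(s, ct):
    """Evaluate c0 + c1*s over the integers, as seen modulo a much larger
    modulus after ModRaise: t = (m + e) + q*I. Returns the polynomial I."""
    c0, c1 = ct
    t = [x + y for x, y in zip(c0, negacyclic_mul(c1, s))]
    return [(ti - centered(ti)) // Q for ti in t]

def max_overflow(h, seed=0):
    """Largest |I_i| for a fresh ciphertext under a weight-h ternary secret."""
    rng = random.Random(seed)
    s = ternary_secret(rng, h)
    m = [DELTA * rng.randint(-8, 8) for _ in range(N)]  # constructed sample message
    return max(abs(x) for x in mod_raise_overflow(s, encrypt(rng, s, m)))
```

Comparing `max_overflow(4)` with `max_overflow(64)` shows the range of $I$ widening as the secret gets denser, which is the quantity the modular-reduction stage of bootstrapping has to remove.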