
Sparse-secret Ring-LWE in FHE: Is It Really Needed? Ilia Iliashenko

Sparse-secret Ring-LWE in FHE: Is It Really Needed? Ilia Iliashenko (joint work with Hao Chen, Kim Laine, Yongsoo Song) Lattice Coding & Crypto Meeting, Royal Holloway 20 Nov


  1. Sparse-secret Ring-LWE in FHE: Is It Really Needed? Ilia Iliashenko (joint work with Hao Chen, Kim Laine, Yongsoo Song) Lattice Coding & Crypto Meeting, Royal Holloway 20 Nov

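  2. Learning with Errors (LWE): $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$, where $\mathbf{A}$ is a uniformly random matrix over $\mathbb{Z}_q$, $\mathbf{s} \in \mathbb{Z}_q^n$, and $\mathbf{e} \in \mathbb{Z}_q^n$ is small. Decision: distinguish between $(\mathbf{A}, \mathbf{b})$ and a uniformly random pair. Search: find $\mathbf{s}$.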

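  3. Sample $\mathbf{s}$ and $\mathbf{e}$ coefficient-wise, with $\mathbf{s} = (s_0, s_1, \dots, s_{n-1})$ in $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$. Distributions: uniformly random $U_2$ over $\{0,1\}^n$; uniformly random $U_3$ over $\{-1,0,1\}^n$; uniformly random $U_q$ over $\mathbb{Z}_q^n$; discrete Gaussian $\mathcal{D}_q$ over $\mathbb{Z}_q^n$.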

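  4. Hardness of LWE, for $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$ with $\mathbf{s} = (s_0, s_1, \dots, s_{n-1})$. Distributions: uniformly random $U_2$ over $\{0,1\}^n$; uniformly random $U_3$ over $\{-1,0,1\}^n$; uniformly random $U_q$ over $\mathbb{Z}_q^n$; discrete Gaussian $\mathcal{D}_q$ over $\mathbb{Z}_q^n$. $\mathbf{s} \leftarrow U_q$, or $U_2$, or $\mathcal{D}_q$; $\mathbf{e} \leftarrow \mathcal{D}_q$ with $\sigma \in \Omega(\sqrt{n})$. LWE is as hard as classical lattice problems (GapSVP, DGS).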

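  5. Sparse-secret LWE, for $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$ with $\mathbf{s} = (s_0, s_1, \dots, s_{n-1})$. Distributions: uniformly random $U_2$ over $\{0,1\}^n$; uniformly random $U_3$ over $\{-1,0,1\}^n$; uniformly random $U_q$ over $\mathbb{Z}_q^n$; discrete Gaussian $\mathcal{D}_q$ over $\mathbb{Z}_q^n$. $\mathbf{s} \leftarrow U_3(h)$: $\mathrm{wt}(\mathbf{s}) = h$ ???; $\mathbf{e} \leftarrow \mathcal{D}_q$.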

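  6. Ring-LWE: $\mathbf{b} = \begin{pmatrix} a_0 & -a_{n-1} & \cdots \\ a_1 & a_0 & \cdots \\ a_2 & a_1 & \cdots \\ \vdots & \vdots & \\ a_{n-1} & a_{n-2} & \cdots \end{pmatrix} \cdot \mathbf{s} + \mathbf{e}$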

  7. Ring-LWE: $b = a \cdot s + e$, with $a, b, s, e \in R_q = \mathbb{Z}[X]/(q, X^n + 1)$ ($n$ must be a power of two).

  8. Hardness of Ring-LWE: $b = a \cdot s + e$, with $a, b, s, e \in R_q = \mathbb{Z}[X]/(q, X^n + 1)$ ($n$ must be a power of two). $s \leftarrow U_q$ or $\mathcal{D}_q$. Ring-LWE is at least as hard as SIVP.

  9. Attacks on sparse-secret LWE: Albrecht, Eurocrypt’17; Albrecht et al., Asiacrypt’17; Cheon et al., IEEE Access’19; Curtis and Player, WAHC’19; Cheon and Son, WAHC’19; …

  10. Efficient FHE schemes need sparse secrets for bootstrapping. [Figure labels: plaintext, computation, bootstrapping, noise.] Bootstrapping performs decryption homomorphically.

  11. Efficient FHE schemes need sparse secrets for bootstrapping. Multiplicative depth of bootstrapping depends on $\mathrm{wt}(s)$: • FV: $\log \mathrm{wt}(s) + \log(\log \mathrm{wt}(s) + \log t)$ • BGV: $\log \mathrm{wt}(s) + \log t$. Reference: Chen and Han, Eurocrypt’18. TFHE bootstrapping does not have this dependency.

  12. Approximate HE: $\mathrm{ct}(m_1) \star \mathrm{ct}(m_2) = \mathrm{ct}(\simeq m_1 \odot m_2)$

  13. Approximate HE (HEAAN/CKKS). Idea: consider ciphertext noise as a part of a message. $\mathrm{Decrypt}(\mathrm{ct}) = m + e \simeq m$. Reference: Cheon et al., Asiacrypt’17

  14. HEAAN bootstrapping. [Figure labels: computation, Mult, plaintext, noise, undecryptable.]

  15. HEAAN bootstrapping. [Figure labels: computation, bootstrapping, plaintext, noise.]

  16. HEAAN “bootstrapping”. [Figure labels: bootstrapping, plaintext is lost.]

  17. HEAAN “bootstrapping”. [Figure labels: bootstrapping, plaintext is lost.] Correctness of Homomorphic Encryption: HE scheme $E$ is correct for a circuit $C$ if for any plaintexts $\pi_1, \dots, \pi_t$ it holds: if $\mathrm{ct} = \mathrm{Evaluate}_E(C, \mathrm{Enc}(\pi_1), \dots, \mathrm{Enc}(\pi_t))$, then $\mathrm{Dec}_E(\mathrm{ct}) = C(\pi_1, \dots, \pi_t)$. Bootstrappable Encryption Scheme: let $C_E$ be the set of circuits that $E$ can compactly and correctly evaluate. We say that $E$ is bootstrappable with respect to gate $\Gamma$ if $\mathrm{Dec}_E(\Gamma) \subseteq C_E$.

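  19. HEAAN works with complex vectors. [Encoding diagram: a vector $(z_1, z_2, \dots, z_{n/2}) \in \mathbb{C}^{n/2}$ is extended to $(z_1, \dots, z_{n/2}, z_{n/2}, \dots, z_1) \in \mathbb{C}^n$, mapped by the inverse DFT* to a vector in $\mathbb{R}^n$, then scaled by $\Delta$ and rounded $\lfloor \cdot \rceil$ to the coefficients of $X^0, \dots, X^{n-1}$ in $R_q$.] *with primitive roots of unity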

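  20. How to encode less than $n/2$ values? [Diagram: $(z_1, z_2, \dots, z_m) \in \mathbb{C}^m$ is encoded as a polynomial in $\mathbb{Z}[Y]$ with coefficients at $Y^0, Y^1, \dots, Y^{2m-1}$, then mapped into $R_q$ by $Y \mapsto X^{n/2m}$, so the coefficients sit at $X^0, X^{n/2m}, \dots, X^{(n/2m)(2m-1)}$ with zeros in between.] $m$ must divide $n/2$.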

  21. Decoding. [Diagram: the coefficients $a_0, \dots, a_{n-1}$ at $X^0, \dots, X^{n-1}$ after computation are mapped by DFT* to $\Delta \cdot z_1 + e_1, \dots, \Delta \cdot z_{n/2} + e_{n/2}$ and multiplied by $1/\Delta$, giving $\approx z_1, \dots, \approx z_{n/2}$.] *with primitive roots of unity

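  22. Rotation of encoded vectors. [Diagram: an automorphism of $R_q$ sending $X$ to a power of $X$ maps the coefficients $a_0, \dots, a_{n-1}$ to $b_0, \dots, b_{n-1}$ and cyclically shifts the encoded vector $(z_1, z_2, \dots, z_{n/2}) \in \mathbb{C}^{n/2}$.]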

  23. Rotation of encoded vectors. [Diagram: the same automorphism applied to an encoding of $(z_1, z_2, \dots, z_m) \in \mathbb{C}^m$ returns $(z_1, z_2, \dots, z_m)$.] Rotations by $km$ slots are automorphisms of $R$ fixing a subring of $R$ generated by a power of $X$ modulo $(q, X^n + 1)$.

  24. Key generation, encryption and decryption. Key generation: sample $a \leftarrow U_q$, $s \leftarrow U_3(h)$, $e \leftarrow \mathcal{D}_q$ and set $b = -a \cdot s + e$. [Diagram labels: secret key, public key.]

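  25. Key generation, encryption and decryption. Key generation: sample $a \leftarrow U_q$, $s \leftarrow U_3(h)$, $e \leftarrow \mathcal{D}_q$ and set $b = -a \cdot s + e$. [Diagram labels: secret key, public key.] Encryption: given a public key $pk$ and an encoding $m \in R_q$, sample $u \leftarrow U_3$ and $e_0, e_1 \leftarrow \mathcal{D}_q$, and compute $c_0$ as $m$ plus $u$ times a public-key component plus $e_0$, and $c_1$ as $u$ times a public-key component plus $e_1$.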

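  26. Key generation, encryption and decryption. Key generation: sample $a \leftarrow U_q$, $s \leftarrow U_3(h)$, $e \leftarrow \mathcal{D}_q$ and set $b = -a \cdot s + e$. [Diagram labels: secret key, public key.] Encryption: given a public key $pk$ and an encoding $m \in R_q$, sample $u \leftarrow U_3$ and $e_0, e_1 \leftarrow \mathcal{D}_q$, and compute $c_0$ as $m$ plus $u$ times a public-key component plus $e_0$, and $c_1$ as $u$ times a public-key component plus $e_1$. Decryption: given a secret key $s$ and a ciphertext $\mathrm{ct} = (c_0, c_1)$ compute $[\mathrm{ct}(s)]_q = c_0 + c_1 \cdot s \bmod q = m + e$, where $e$ is the noise.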

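  27. Rescaling. Let $\Delta$ divide $q$. [Diagram: a ciphertext $(c_0, c_1)$ over $R_q$ is mapped to $(c_0/\Delta, c_1/\Delta)$ over $R_{q/\Delta}$; the encoded values in $\mathbb{C}^{n/2}$ go from $\Delta^2 \cdot z_1, \Delta^2 \cdot z_2, \dots, \Delta^2 \cdot z_{n/2}$ to $\Delta \cdot z_1, \Delta \cdot z_2, \dots, \Delta \cdot z_{n/2}$.]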

  28. HEAAN bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = [\mathrm{ct}(s)]_q$; $(z_0, \dots, z_{m-1})$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.

  29. CKKS bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = \mathrm{ct}(s) - I(X) \cdot q$; $(z_0, \dots, z_{m-1})$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.

  30. CKKS bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = \mathrm{ct}(s) - I(X) \cdot q$; $(z_0, \dots, z_{m-1})$. ModRaise: $\mathrm{ct} \in R_{Q_0}^2$, $Q_0 > q$; $m(X^{n/2m}) + I(X) \cdot q$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.

  31. CKKS bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = \mathrm{ct}(s) - I(X) \cdot q$; $(z_0, \dots, z_{m-1})$. ModRaise: $\mathrm{ct} \in R_{Q_0}^2$, $Q_0 > q$; $m(X^{n/2m}) + I(X) \cdot q$. SubSum: $\mathrm{ct}_1 \in R_{Q_1}^2$; $\simeq m(X^{n/2m}) + I(X^{n/2m}) \cdot q$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.

  32. CKKS bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = \mathrm{ct}(s) - I(X) \cdot q$; $(z_0, \dots, z_{m-1})$. ModRaise: $\mathrm{ct} \in R_{Q_0}^2$, $Q_0 > q$; $m(X^{n/2m}) + I(X) \cdot q$. SubSum: $\mathrm{ct}_1 \in R_{Q_1}^2$; $\simeq t(X^{n/2m})$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.

  33. CKKS bootstrapping (columns: ciphertext; plaintext; cleartext vector). Input: $\mathrm{ct} \in R_q^2$; $m(X^{n/2m}) = \mathrm{ct}(s) - I(X) \cdot q$; $(z_0, \dots, z_{m-1})$. ModRaise: $\mathrm{ct} \in R_{Q_0}^2$, $Q_0 > q$; $m(X^{n/2m}) + I(X) \cdot q$. SubSum: $\mathrm{ct}_1 \in R_{Q_1}^2$; $\simeq t(X^{n/2m})$. CoefToSlot (inverse DFT): $\mathrm{ct}_2 \in R_{Q_2}^2$; $(t_0, \dots, t_{2m-1})$. Output: $\mathrm{ct}' \in R_{q'}^2$, $q' > q$; $\simeq m(X^{n/2m})$; $(z_0, \dots, z_{m-1})$.
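
A toy version of the key generation, encryption and decryption slides (24-26), added here as an example; it is not code from the talk or from HEAAN. The function names, the parameters, the public-key layout `(b, a)` and the rounded-Gaussian stand-in for the discrete Gaussian are assumptions, and the sizes are for illustration only.

```python
import random

def polymul(a, b, q):
    """a*b in R_q = Z[X]/(q, X^n + 1): negacyclic convolution."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < n else -1              # X^n = -1
            out[(i + j) % n] = (out[(i + j) % n] + sign * ai * bj) % q
    return out

def polyadd(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def gaussian(n, sigma, rng):
    return [round(rng.gauss(0, sigma)) for _ in range(n)]   # assumed stand-in for D_q

def sparse_ternary(n, h, rng):
    """U_3(h): coefficients in {-1, 0, 1} with exactly h nonzero entries."""
    s = [0] * n
    for i in rng.sample(range(n), h):
        s[i] = rng.choice((-1, 1))
    return s

def keygen(n, q, h, sigma, rng):
    a = [rng.randrange(q) for _ in range(n)]           # a <- U_q
    s = sparse_ternary(n, h, rng)                      # s <- U_3(h), wt(s) = h
    e = gaussian(n, sigma, rng)                        # e <- D_q
    b = polyadd([-x for x in polymul(a, s, q)], e, q)  # b = -a*s + e
    return s, (b, a)                                   # pk layout (b, a) is assumed

def encrypt(pk, m, q, sigma, rng):
    b, a = pk
    u = [rng.choice((-1, 0, 1)) for _ in m]            # u <- U_3
    c0 = polyadd(polyadd(m, polymul(u, b, q), q), gaussian(len(m), sigma, rng), q)
    c1 = polyadd(polymul(u, a, q), gaussian(len(m), sigma, rng), q)
    return c0, c1

def decrypt(s, ct, q):
    raw = polyadd(ct[0], polymul(ct[1], s, q), q)      # c0 + c1*s mod q
    return [x - q if x > q // 2 else x for x in raw]   # centred: this is m + e, not m

def demo(n=64, q=2**40, h=16, sigma=3.2, delta=2**20, seed=1):
    rng = random.Random(seed)
    s, pk = keygen(n, q, h, sigma, rng)
    values = [rng.randrange(-8, 9) for _ in range(n)]  # constructed sample data
    noisy = decrypt(s, encrypt(pk, [delta * v for v in values], q, sigma, rng), q)
    noise = max(abs(x - delta * v) for x, v in zip(noisy, values))
    # Dividing by the scale delta and rounding absorbs the noise term.
    return sum(c != 0 for c in s), noise, [round(x / delta) for x in noisy] == values
```

`demo()` returns the Hamming weight of the secret, the largest noise coefficient in the decryption, and whether dividing by the scale recovers the encoded values.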
