Lattices, Cryptography and Computing with Encrypted Data
Vinod Vaikuntanathan, M.I.T.
Decoding Random Linear Codes
As + e, where e is a “small” error
Combinatorially nice: Optimal rate etc.
Can we decode efficiently (even in the unique decoding regime)?
Seems very hard!
Decoding Lattices
TODAY: Lattice-based Cryptography
Learning With Errors (LWE)
(search) LWE_{n,q,B} [Regev’05]: For random secret s ∈ Z_q^n, given samples from the oracle O_s:
(a_1, b_1 = ⟨a_1, s⟩ + e_1)
(a_2, b_2 = ⟨a_2, s⟩ + e_2)
…
(a_m, b_m = ⟨a_m, s⟩ + e_m)
“noisy” random linear equation
Uniformly random in Z_q^n
“Small” error |e_1| < B
Find s
In matrix form: As + e, where the rows of A are a_1, a_2, …, a_m
Learning With Errors (LWE)
(decisional) LWE_{n,q,B}: For random secret s ∈ Z_q^n,
(a = (a[1], …, a[n]), b = ⟨a, s⟩ + e) ≈ (a, u)
O_s: (a_1, b_1 = ⟨a_1, s⟩ + e_1), (a_2, b_2 = ⟨a_2, s⟩ + e_2), …, (a_m, b_m = ⟨a_m, s⟩ + e_m)
O_rand: (a_1, u_1), (a_2, u_2), …, (a_m, u_m), with u_i random in Z_q
Theorem [Reg05,Pei09]: Decisional LWE as hard as Search
LWE/Lattice-based Cryptography
Robust
─ No sub-exponential or quantum attacks
Based on worst-case hardness
─ Solve LWE on average ⇒ Solve in worst-case: Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13]
Amazingly Versatile
─ Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation, …
─ Only known constructions use lattices
THIS TALK
Warmup: Secret-key Encryption
• Decryption: Dec_s(a, b) = (b − ⟨a, s⟩) (mod 2).
– Correctness: b − ⟨a, s⟩ = b − ∑ a[i]∙s[i] = m + 2e (over Z_q).
Decryption succeeds if e < q/4.
Message M
secret key sk (held by both sender and receiver)
eavesdropper
C = Enc(sk, M)
M = Dec(sk, C)
Semantic Security [GM’82]: Encryptions of any M0 and M1 are “computationally indistinguishable”
Secret-key Encryption from LWE
• KeyGen:
– Sample random “short” vector t ∈ Z_q^n and set sk = t
• Bit Encryption Enc_sk(m):
– Sample uniformly random a ∈ Z_q^n, “short” noise e ∈ Z_q
– The ciphertext CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q
• Decryption Dec_sk(CT): Output (b − ⟨a, t⟩ mod q) mod 2.
– Correctness: b − ⟨a, t⟩ mod q = 2e + m mod q = 2e + m (as long as |2e+m| < q/2)
Semantic Security from LWE
All-or-nothing
Have Secret Key, Can Decrypt
No Secret Key, No Go
Message M
Encryption
Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos’78]
Powerful server / cloud
Enc(data), F → Enc(F(data))
[Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE)
(all known constructions based on lattices)
[Goldwasser-Micali’82,…]: Additively homomorphic
[El Gamal’85,…]: Multiplicatively homomorphic
The Big Picture
STEP 1: “Somewhat Homomorphic” (SwHE) Encryption
Evaluate arithmetic circuits of depth d = ε log n *
[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
* (0 < ε < 1 is a constant, and n is the security parameter)
[Figure: EVAL applied to a circuit C of depth d = ε log n]
The Big Picture
STEP 2: “Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption ⇒ FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
[Figure: EVAL applied to a circuit C, the Decryption Circuit Dec, which takes CT and sk and outputs msg]
The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption
Evaluate arithmetic circuits of depth d = ε log n
[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12]
Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth d = n^ε
“Bootstrapping” Method
“Homomorphic enough” Encryption ⇒ FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
STEP 1
STEP 2
STEP 3
Additive Homomorphism
CT = (a, b), CT’ = (a’, b’)
Look at Ciphertexts through the Decryption Lens:
b − ⟨a, t⟩ = 2e + m        b’ − ⟨a’, t⟩ = 2e’ + m’
Let c = (a, b), c’ = (a’, b’) and s = (−t, 1). Then
⟨c, s⟩ = 2e + m        ⟨c’, s⟩ = 2e’ + m’
Claim: c_add = c + c’
Proof:
⟨c, s⟩ = 2e + m
⟨c’, s⟩ = 2e’ + m’
⟨c+c’, s⟩ = 2(e+e’) + (m+m’) = 2E + (m+m’), where E = e + e’
Dec_s(c_add) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)
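The secret-key scheme and its additive homomorphism, as an added Python example (not code from the talk). The toy parameters N, Q, B, the forced-noise argument `e` and the helper names are assumptions, chosen so the |2e+m| < q/2 bound can be exercised deterministically; they are not secure sizes.

```python
import random

N, Q, B = 16, 1009, 4      # assumed toy parameters: dimension, odd modulus, noise bound

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def center(x):
    """Representative of x mod Q in [-(Q//2), Q//2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    return [random.randint(-B, B) for _ in range(N)]      # sk = t, a "short" vector

def enc(t, m, e=None):
    """CT = (a, b = <a,t> + 2e + m); e can be forced to probe the noise bound."""
    a = [random.randrange(Q) for _ in range(N)]
    e = random.randint(-B, B) if e is None else e
    return a + [(dot(a, t) + 2 * e + m) % Q]

def noise(t, c):
    """The decryption lens: centred <c, s> with s = (-t, 1); equals 2e + m while small."""
    return center(dot(c, [-x for x in t] + [1]))

def dec(t, c):
    return noise(t, c) % 2

def add(c1, c2):
    return [(x + y) % Q for x, y in zip(c1, c2)]          # c_add = c + c'

def max_additions():
    """Fresh ciphertexts that can be summed with |2E + sum(m)| guaranteed <= Q//2."""
    return (Q // 2) // (2 * B + 1)

if __name__ == "__main__":
    t = keygen()
    c = add(enc(t, 1), enc(t, 1))
    print("1 + 1 mod 2 ->", dec(t, c), " noise:", noise(t, c))
    print("e just past q/4 flips the bit:", dec(t, enc(t, 0, e=Q // 4 + 1)))
```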
Multiplicative Homomorphism
CT = c, CT’ = c’
⟨c, s⟩ = 2e + m        ⟨c’, s⟩ = 2e’ + m’
Claim: c_mult = c ⊗ c’
⟨c, s⟩ ∙ ⟨c’, s⟩ = (2e+m) ∙ (2e’+m’) = mm’ + 2(em’+e’m+2ee’) = mm’ + 2E, where E = em’+e’m+2ee’
Quadratic equation in the variables s[i]
Tensor Product:
• c ⊗ c’ = (c[1]∙c’[1], …, c[i]∙c’[j], …, c[n+1]∙c’[n+1])
• c, c’ live in (n+1) dim → c ⊗ c’ lives in (n+1)^2-dim
• KEY FACT: ⟨c, s⟩ ∙ ⟨c’, s⟩ = ⟨c ⊗ c’, s ⊗ s⟩
⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’+e’m+2ee’)
Dec(s ⊗ s, c_mult) = 2E + mm’ (mod 2) = mm’ (mod 2)
Problem: Ciphertext size blows up! (Z_q^(n+1) → Z_q^((n+1)^2))
Multiplicative Homomorphism
⟨c_mult, s ⊗ s⟩ = 2E + mm’
Key Idea [BV’11]: Relinearization
Find linear functions of s (or, of a new secret s’) that represent these quadratic functions.
New KeyGen:
• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).
• Evaluation key evk: ∀i,j. Enc_t’(s[i]s[j])
– Sample A_{i,j}, E_{i,j}
– ∀i,j. (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t’⟩ + 2E_{i,j} + s[i]s[j])
– LWE Security still holds.
– ∀i,j. B_{i,j} − ⟨A_{i,j}, t’⟩ = 2E_{i,j} + s[i]s[j]
– ∀i,j. ⟨C_{i,j}, s’⟩ ≈ s[i]s[j] (denoting s’ = (−t’, 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before)
– Left side: linear fn (in s’). Right side: quadratic fn (in s).
Plug back into quadratic equation:
⟨∑ c_mult[i,j] ∙ C_{i,j}, s’⟩ ≈ mm’ + 2*Error
Linear in s’.
Cheating Alert
Homomorphic Mult:
1. First compute c_mult = c ⊗ c’
2. Compute and output ∑ c_mult[i,j] ∙ C_{i,j}
(where C_{i,j} are from the evaluation key)
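Tensor-product multiplication followed by relinearization, as an added Python example (not code from the talk). It goes one step beyond the slides: the evaluation key holds encryptions of 2^τ∙s[i]s[j] and they are combined by the bits of c_mult[i,j], which is an assumption about what the "Cheating Alert" refers to; `relin_naive` applies the slide's sum literally for comparison. Parameters and names are toy assumptions.

```python
import random

N, Q, B = 4, (1 << 31) - 1, 4         # assumed toy parameters: dimension, odd modulus, noise bound
L = Q.bit_length()                     # bits per element of Z_q

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def keygen():
    t = [random.randint(-B, B) for _ in range(N)]    # "short" secret t
    return t, [(-x) % Q for x in t] + [1]            # t and the lens s = (-t, 1)

def enc(t, m):
    """(a, b = <a,t> + 2e + m); m is a bit, or any Z_q value for the evaluation key."""
    a = [random.randrange(Q) for _ in range(N)]
    return a + [(dot(a, t) + 2 * random.randint(-B, B) + m) % Q]

def noise(s, c):
    x = dot(c, s)
    return x - Q if x > Q // 2 else x                # centred <c, s> = 2E + message

def dec(s, c):
    return noise(s, c) % 2

def tensor(u, v):
    return [x * y % Q for x in u for y in v]         # (n+1)^2 entries, index k = (i, j)

def evk_gen(s, t2):
    """evk[k][tau] = Enc_t'(2^tau * s[i]s[j]); evk[k][0] is the C_ij of the slides."""
    return [[enc(t2, (w << tau) % Q) for tau in range(L)] for w in tensor(s, s)]

def relin(cm, evk):
    """Sum over k and tau of bit_tau(cm[k]) * evk[k][tau]: every multiplier is 0 or 1."""
    out = [0] * (N + 1)
    for coeff, row in zip(cm, evk):
        for tau, C in enumerate(row):
            if (coeff >> tau) & 1:
                out = [(x + y) % Q for x, y in zip(out, C)]
    return out

def relin_naive(cm, evk):
    """Sum over k of cm[k] * C_ij, read literally: multipliers are as large as q."""
    out = [0] * (N + 1)
    for coeff, row in zip(cm, evk):
        out = [(x + coeff * y) % Q for x, y in zip(out, row[0])]
    return out

def mult(c1, c2, evk):
    return relin(tensor(c1, c2), evk)                # back to n+1 entries, decrypts under s'
```

With the bit decomposition, the noise added by relinearization is at most 2∙B∙(n+1)^2∙log q, which is the shape of the n^2 B log q term in the talk's noise estimate.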
The Reservoir Analogy
(How homomorphic is this?)
noise=0
noise=q/2
initial noise = ξ
Additive Homomorphism: ξ → 2ξ
Mult. Homomorphism: ξ → ξ^2 + n^2 B log q ~ ξ^2
AFTER d LEVELS:
noise B → (worst case)
Correctness Security
Bootstrapping
“Homomorphic enough” Encryption ⇒ FHE
Bootstrapping Theorem [Gen09]
– If you can homomorphically evaluate depth d circuits (you have a d-HE) and
– the depth of your decryption circuit < d
⇒ FHE
d-HE with decryption depth < d ⇒ FHE
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
noise=0
noise=B_dec
noise=q/2
Say n(B_dec)^2 < q/2
Bootstrapping: How
“Best Possible” Noise Reduction = Decryption!
[Figure: the Decryption Circuit Dec takes the “Very Noisy” ciphertext CT and SK, and outputs m, a “Noiseless ciphertext”]
But the evaluator does not have SK!
Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
[Figure: Dec evaluated on CT and Enc_PK(SK), with output Enc_PK(m)]
Assume Enc(SK) is public.
(OK assuming the scheme is “circular secure”)
Noise = B_input
Noise = B_dec
B_dec independent of B_input
Boosting Depth from log n to n^ε
(in one slide)
• The Culprit: Multiplication
– Increases error from B to about B^2
• Let us pause for a moment: Is B^2 > B?
– Not if B < 1!
• Why not scale ciphertexts by q and work over [0,1)?
– Quite amazingly, this works out and gives us an error growth of B → nB
– Error grows singly exponentially with circuit depth
Lattices are awesome!
BASIC CRYPTO
[Ajtai’96, Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05]
One-way functions, hash functions, public-key encryption
[Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08]
Trapdoor functions, Identity-based Encryption, secure computation
[Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12]
Fully Homomorphic Encryption
[Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13]
Attribute-based and Functional Encryption
THIS TALK
[Garg-GHRSW’13] Program Obfuscation
ADVANCED CRYPTO
Thank you very much!