Lattices, Cryptography and
Computing with Encrypted Data
Vinod Vaikuntanathan
M.I.T
Decoding Random Linear Codes
Given A and A·s + e, with e a "small" error, recover s.
Combinatorially nice: optimal rate etc.
Can we decode efficiently (even in the unique decoding regime)?
Seems very hard!
Decoding Lattices
Same picture over Z_q: given A and A·s + e, with e a "small" error, recover s.
TODAY: Lattice-based Cryptography
Learning With Errors (LWE)
(search) LWE_{n,q,B} [Regev'05]: For a random secret s ∈ Z_q^n, the oracle O_s hands out samples
( a_1 , b_1 = ⟨a_1, s⟩ + e_1 )
( a_2 , b_2 = ⟨a_2, s⟩ + e_2 )
…
( a_m , b_m = ⟨a_m, s⟩ + e_m )
where each a_i is uniformly random in Z_q^n and each e_i is a "small" error, |e_i| < B. Each sample is a "noisy" random linear equation in s.
Goal: Find s.
In matrix form, with the a_i as the rows of A = (a_1 a_2 … a_m): b = A·s + e.
Learning With Errors (LWE)
(decisional) LWE_{n,q,B}: For a random secret s ∈ Z_q^n, distinguish the two oracles
O_s:    ( a_1 , b_1 = ⟨a_1, s⟩ + e_1 ), ( a_2 , b_2 = ⟨a_2, s⟩ + e_2 ), …, ( a_m , b_m = ⟨a_m, s⟩ + e_m )
O_rand: ( a_1 , u_1 ), ( a_2 , u_2 ), …, ( a_m , u_m ), with each u_i uniformly random in Z_q
(the a_i are uniformly random in Z_q^n in both cases).
Theorem [Reg05,Pei09]: Decisional LWE is as hard as Search LWE.
LWE/Lattice-based Cryptography
• Robust
  ─ No known sub-exponential-time or quantum attacks
• Based on worst-case hardness
  ─ Solve LWE on average ⇒ Solve, in the worst case, approximate shortest vectors on lattices
    [Regev05, Peikert09, BLPRS13]
• Amazingly Versatile (THIS TALK)
  ─ Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation, …
  ─ Only known constructions use lattices
Warmup: Secret-key Encryption
Sender and receiver share a secret key sk. The sender computes C = Enc(sk, M) for message M; the receiver computes M = Dec(sk, C); an eavesdropper sees only C.
Semantic Security [GM'82]: Encryptions of any M0 and M1 are "computationally indistinguishable".
Secret-key Encryption from LWE
• KeyGen:
  – Sample random "short" vector t ∈ Z_q^n and set sk = t
• Bit Encryption Enc_sk(m), m ∈ {0,1}:
  – Sample uniformly random a ∈ Z_q^n, "short" noise e ∈ Z_q
  – The ciphertext CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q
• Decryption Dec_sk(CT): Output (b − ⟨a, t⟩ mod q) mod 2, where "mod q" means reduction into the centered range (−q/2, q/2]. (For odd q, reducing into [0, q) instead would flip the parity of every negative value of 2e + m.)
  – Correctness: b − ⟨a, t⟩ mod q = 2e + m mod q = 2e + m (as long as |2e + m| < q/2), and the parity of 2e + m is m.
• Semantic Security from LWE: by decisional LWE (with the error distribution 2e and odd q), (a, ⟨a, t⟩ + 2e) is indistinguishable from a uniformly random pair, so the ciphertext hides m.
Encryption is all-or-nothing: have the secret key, can decrypt; no secret key, no go.
Fully Homomorphic Encryption
Compute arbitrary functions on encrypted data? [Rivest, Adleman and Dertouzos'78]
A client hands Enc(data) and a function F to a powerful server / cloud, which returns Enc(F(data)) without ever decrypting:
Enc(data), F → Enc(F(data))
[Goldwasser-Micali'82, …]: Additively homomorphic
[El Gamal'85, …]: Multiplicatively homomorphic
[Gentry'09, BV'11, LTV'12]: Fully homomorphic (FHE)
(all known constructions based on lattices)
The Big Picture
STEP 1 "Somewhat Homomorphic" (SwHE) Encryption
[Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS'12]
Evaluate arithmetic circuits C of depth d = ε log n *
* (0 < ε < 1 is a constant, and n is the security parameter)
STEP 2 "Bootstrapping" Theorem [Gen09] (Qualitative)
"Homomorphic enough" Encryption ⇒ FHE
Homomorphic enough = Can evaluate its own Dec circuit (plus some)
(picture: EVAL run on the decryption circuit, taking CT and sk as inputs and producing msg)
STEP 3 Depth Boosting / Modulus Reduction [BV11b]
Boost the SwHE to depth d = n^ε
Additive Homomorphism
Look at ciphertexts through the decryption lens:
CT = (a, b) with b − ⟨a, t⟩ = 2e + m
CT' = (a', b') with b' − ⟨a', t⟩ = 2e' + m'
Let c = (a, b), c' = (a', b') and s = (−t, 1). Then
⟨c, s⟩ = b − ⟨a, t⟩ = 2e + m
⟨c', s⟩ = b' − ⟨a', t⟩ = 2e' + m'
Claim: c_add = c + c'
Proof:
⟨c, s⟩ = 2e + m
⟨c', s⟩ = 2e' + m'
⟨c + c', s⟩ = 2(e + e') + (m + m')
Write E = e + e'. Then Dec_s(c_add) = 2E + (m + m') (mod 2) = (m + m') (mod 2).
Multiplicative Homomorphism
CT = c with ⟨c, s⟩ = 2e + m
CT' = c' with ⟨c', s⟩ = 2e' + m'
Claim: c_mult = ?
Multiply the two decryption equations:
⟨c, s⟩ · ⟨c', s⟩ = (2e + m) · (2e' + m') = mm' + 2(em' + e'm + 2ee')
Write E = em' + e'm + 2ee'. This is a quadratic equation in the variables s[i].
Tensor Product:
• c ⊗ c' = (c[1]·c'[1], …, c[i]·c'[j], …, c[n+1]·c'[n+1])
• c, c' live in (n+1) dimensions → c ⊗ c' lives in (n+1)² dimensions
• KEY FACT: ⟨c, s⟩ · ⟨c', s⟩ = ⟨c ⊗ c', s ⊗ s⟩
Claim: c_mult = c ⊗ c'
⟨c ⊗ c', s ⊗ s⟩ = mm' + 2(em' + e'm + 2ee') = 2E + mm'
⇒ Dec(s ⊗ s, c_mult) = 2E + mm' (mod 2) = mm' (mod 2)
Problem: ciphertext size blows up! (Z_q^{n+1} → Z_q^{(n+1)²})
Multiplicative Homomorphism: Relinearization
⟨c_mult, s ⊗ s⟩ = 2E + mm'
Key Idea [BV'11]: Relinearization
Find linear functions of a new secret s' that represent these quadratic functions of s.
New KeyGen:
• Sample t, t' ∈ Z_q^n and set sk = (t, t').
• Evaluation key evk: sample A_{i,j}, E_{i,j} and, for all i, j, publish
  (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t'⟩ + 2E_{i,j} + s[i]s[j]),   i.e. Enc_{t'}(s[i]s[j])
  LWE ⇒ security still holds.
  Then B_{i,j} − ⟨A_{i,j}, t'⟩ = 2E_{i,j} + s[i]s[j], i.e.
  ⟨C_{i,j}, s'⟩ ≈ s[i]s[j]   (denoting s' = (−t', 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before)
  A linear function in s' ≈ a quadratic function in s.
Cheating Alert: the "≈" hides the noise 2E_{i,j}. Scaling C_{i,j} by a coefficient c_mult[i,j] that can be as large as q would scale that noise by up to q and destroy correctness. The actual [BV'11] scheme publishes Enc_{t'}(2^τ · s[i]s[j]) for every bit position τ < log q and decomposes each c_mult[i,j] into bits, so only 0/1 coefficients ever multiply an evk entry; that is where the log q factor in the noise growth below comes from.
Plug back into the quadratic equation:
Σ_{i,j} c_mult[i,j] · ⟨C_{i,j}, s'⟩ ≈ 2·Error + mm'   (linear in s')
Homomorphic Mult:
1. First compute c_mult = c ⊗ c'
2. Compute and output Σ_{i,j} c_mult[i,j] · C_{i,j} (where the C_{i,j} are from the evaluation key)
The Reservoir Analogy
(How homomorphic is this?)
Picture the noise in a ciphertext as the water level in a reservoir. The bottom is noise = 0, a fresh ciphertext sits at its initial noise ξ, and the top is noise = q/2. Security needs the level above the bottom (by LWE, some noise has to be there); correctness needs it below the top (decryption fails once |2E + m| reaches q/2).
Additive Homomorphism: ξ → 2ξ
Mult. Homomorphism: ξ → ξ² + n²B log q
AFTER d LEVELS: ~ ξ^(2^d) (worst case)
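The whole pipeline above, as an added example that is not the talk's code: the secret-key bit encryption Enc_sk(m) = (a, ⟨a, t⟩ + 2e + m), the decryption lens ⟨c, s⟩ with s = (−t, 1), homomorphic addition, the tensor-product multiplication under s ⊗ s, and relinearization with a bit-decomposed evaluation key (the standard [BV'11] fix for the "cheating alert"), followed by a measurement of the noise after one and two levels of multiplication to see the ξ → ξ² growth from the reservoir analogy. The parameters (n = 8, q = 2^40 − 87, B = 4), the {−1, 0, 1} secret and the fixed RNG seed are my assumptions for a toy that runs in seconds and is in no way secure.

```python
import math
import random

N = 8                 # LWE dimension n (toy size; assumption, real parameters are far larger)
Q = 2**40 - 87        # odd modulus q (assumption: any odd modulus works for this toy)
B = 4                 # fresh error e is sampled uniformly from [-B, B]
L = Q.bit_length()    # bits per coefficient in the relinearization decomposition

rng = random.Random(2013)   # fixed seed so the run is reproducible (assumption)

def centered(x):
    """Reduce x mod q into (-q/2, q/2]; decryption must use this centered range."""
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    """sk = t, a random 'short' vector in Z_q^n (entries in {-1, 0, 1})."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def secret_vec(t):
    """s = (-t, 1): for c = (a, b), <c, s> = b - <a, t>."""
    return [(-ti) % Q for ti in t] + [1]

def enc(t, x):
    """c = (a, b) with b = <a, t> + 2e + x.  For x in {0, 1} this is the talk's
    Enc_sk(m); the same routine (with x in Z_q) builds the evaluation key."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    b = (sum(ai * ti for ai, ti in zip(a, t)) + 2 * e + x) % Q
    return a + [b]

def phase(s, c):
    """The decryption lens: <c, s> mod q, centered.  Equals 2e + m while |2e + m| < q/2."""
    return centered(sum(ci * si for ci, si in zip(c, s)))

def dec(s, c):
    return phase(s, c) % 2

def add(c1, c2):
    return [(x + y) % Q for x, y in zip(c1, c2)]

def tensor(u, v):
    """u (x) v, with the pair (i, j) stored at index i*len(v) + j."""
    return [(ui * vj) % Q for ui in u for vj in v]

def relin_keygen(s, t_new):
    """evk[(i, j, tau)] = Enc_{t_new}(2^tau * s[i] * s[j]).  The powers of two are the
    bit-decomposition fix: a Z_q-sized coefficient would otherwise scale the noise by ~q."""
    d = len(s)
    return {(i, j, tau): enc(t_new, (pow(2, tau, Q) * s[i] * s[j]) % Q)
            for i in range(d) for j in range(d) for tau in range(L)}

def relinearize(c_mult, evk):
    """Turn a ciphertext under s (x) s into one under s' = (-t_new, 1)."""
    d = math.isqrt(len(c_mult))
    out = [0] * (N + 1)
    for i in range(d):
        for j in range(d):
            coeff = c_mult[i * d + j]
            for tau in range(L):
                if (coeff >> tau) & 1:       # only 0/1 multiples of evk entries are ever added
                    out = add(out, evk[(i, j, tau)])
    return out

def mult(c1, c2, evk):
    """Homomorphic multiplication = tensor product followed by relinearization."""
    return relinearize(tensor(c1, c2), evk)

def relin_noise_bound():
    """Worst-case |phase| after multiplying two fresh ciphertexts: (2B+1)^2 from the
    product, plus 2B for each of the (n+1)^2 * L evk entries relinearize may add."""
    return (2 * B + 1) ** 2 + 2 * (N + 1) ** 2 * L * B

def demo():
    """{(m, m'): (m+m' mod 2 via add, mm' via tensor, mm' via relin, noise after relin)}
    for all bit pairs, plus (bit, noise) after a depth-2 product (1*1)*(1*1)."""
    t, t2, t3 = keygen(), keygen(), keygen()
    s, s2, s3 = secret_vec(t), secret_vec(t2), secret_vec(t3)
    evk1 = relin_keygen(s, t2)      # s  (x) s  -> s2
    evk2 = relin_keygen(s2, t3)     # s2 (x) s2 -> s3
    out = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = enc(t, m1), enc(t, m2)
            c_mul = mult(c1, c2, evk1)
            out[(m1, m2)] = (dec(s, add(c1, c2)),
                             dec(tensor(s, s), tensor(c1, c2)),
                             dec(s2, c_mul),
                             abs(phase(s2, c_mul)))
    p1 = mult(enc(t, 1), enc(t, 1), evk1)
    p2 = mult(enc(t, 1), enc(t, 1), evk1)
    pp = mult(p1, p2, evk2)         # noise roughly squares: the reservoir's xi -> xi^2
    out["depth2"] = (dec(s3, pp), abs(phase(s3, pp)))
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it prints, for each bit pair, the three decrypted results and the measured noise after one relinearized multiplication (a few thousand here, against a worst case of relin_noise_bound() = 26001 and a ceiling of q/2 ≈ 5.5·10^11), then the depth-2 noise, which is already in the hundreds of millions: two more levels would overflow the reservoir, which is exactly why the talk needs modulus reduction or bootstrapping.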
Bootstrapping
Bootstrapping Theorem [Gen09]
– If you can homomorphically evaluate depth-d circuits (you have a d-HE) and
– the depth of your decryption circuit is < d,
⇒ FHE
In short: "Homomorphic enough" Encryption ⇒ FHE, where homomorphic enough = a d-HE with decryption depth < d.
Bootstrapping = "Valve" at a fixed height in the reservoir (a height that depends on the decryption depth): whatever the noise level was before, it is reset to noise = B_dec.
Say n(B_dec)² < q/2: then there is room for at least one more multiplication between the valve (noise = B_dec) and the top (noise = q/2), and the cycle of evaluate-then-bootstrap can repeat for circuits of any depth.
Bootstrapping: How
"Best Possible" Noise Reduction = Decryption! Dec(SK, CT) maps a "very noisy" ciphertext CT to the "noiseless" plaintext m.
But the evaluator does not have SK!
Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
* Assume Enc_PK(SK) is public. (OK assuming the scheme is "circular secure", an extra assumption that LWE by itself does not give.)
Run Dec homomorphically: EVAL the decryption circuit with CT (noise = B_input) hard-wired as a public input and Enc_PK(SK) as the encrypted input. The output is Enc_PK(m), a ciphertext of the same message whose noise B_dec is fixed by the depth of the Dec circuit alone: B_dec is independent of B_input.
Boosting Depth from log n to n^ε
(in one slide)
• The Culprit: Multiplication
  – Increases error from B to about B²
• Let us pause for a moment: Is B² > B?
  – Not if B < 1!
• Why not scale ciphertexts by q and work over [0,1)?
  – Quite amazingly, this works out (concretely, as the modulus reduction of [BV11b]: rescale the ciphertext from modulus q down to a smaller modulus after each multiplication) and gives us an error growth of B → nB
  – Error grows singly exponentially with circuit depth
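The modulus-reduction step behind the B → nB claim, carried through as an added derivation that is not on the slides (the slides only name the idea). Notation follows the talk: c ∈ Z_q^{n+1}, s = (−t, 1) with short t, ⟨c, s⟩ = 2e + m (mod q). The target modulus p and the parity condition on the rescaled ciphertext are the standard [BV11b] formulation and are my assumptions here, as is taking s ∈ {−1, 0, 1}^{n+1}.

$$
\begin{aligned}
&\text{Given: } \langle c, s\rangle = 2e + m + kq \text{ over } \mathbb{Z} \text{ for some } k \in \mathbb{Z},\quad |2e + m| \le \xi < q/2,\quad q \text{ odd},\quad s \in \{-1,0,1\}^{n+1}.\\
&\text{Pick an odd } p < q. \text{ Let } c' \in \mathbb{Z}^{n+1} \text{ be the integer vector nearest to } \tfrac{p}{q}\,c \text{ subject to } c' \equiv c \pmod 2.\\
&\text{Each coordinate of } c' - \tfrac{p}{q}c \text{ lies in } [-1,1] \text{ (of any two consecutive integers one has the required parity), so}\\
&\delta := \bigl\langle c' - \tfrac{p}{q}c,\ s\bigr\rangle \text{ satisfies } |\delta| \le \bigl\|c' - \tfrac{p}{q}c\bigr\|_\infty \|s\|_1 \le n + 1.\\
&\langle c', s\rangle = \tfrac{p}{q}\langle c, s\rangle + \delta = \tfrac{p}{q}(2e + m) + kp + \delta.\\
&\text{Define } e' := \langle c', s\rangle - kp = \tfrac{p}{q}(2e + m) + \delta \in \mathbb{Z},\qquad |e'| \le \tfrac{p}{q}\,\xi + n + 1 < \tfrac{p}{2}\ \text{ once } \xi < \tfrac{q}{p}\bigl(\tfrac{p}{2} - n - 1\bigr).\\
&\text{Parity: } c' \equiv c \pmod 2 \Rightarrow \langle c', s\rangle \equiv \langle c, s\rangle \pmod 2 \Rightarrow e' + kp \equiv m + kq \pmod 2 \Rightarrow e' \equiv m \pmod 2 \quad (q - p \text{ even}).\\
&\text{So } \mathrm{Dec}_s(c') \text{ over } \mathbb{Z}_p \text{ outputs } e' \bmod 2 = m, \text{ and the noise has dropped from } \xi \text{ to about } \tfrac{p}{q}\,\xi + n.\\
&\text{After a multiplication } \xi \to \xi^2:\ \text{choosing } p \approx q/\xi \text{ returns the level to } \approx \xi + n,\ \text{ i.e. additive growth per level in place of squaring.}
\end{aligned}
$$

Each level therefore costs a factor of about ξ in the modulus rather than a squaring of the noise, so a chain of d levels needs q ≈ ξ^d: the "singly exponential" growth of the slide, which is what lets d reach n^ε.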
Lattices are awesome!
BASIC CRYPTO [Ajtai'96, Ajtai-Dwork'97, Goldreich-Goldwasser-Halevi'97, Micciancio-Regev'04, Regev'05]
One-way functions, hash functions, public-key encryption
ADVANCED CRYPTO
[Ajtai'99, Gentry-Peikert-V'08, Peikert-V-Waters'08]
Trapdoor functions, Identity-based Encryption, secure computation
[Gentry'09, Brakerski-V'11, Brakerski-Gentry-V'12]
Fully Homomorphic Encryption (THIS TALK)
[Gorbunov-V-Wee'13, Goldwasser-KP-V-Z'13]
Attribute-based and Functional Encryption
[Garg-GHRSW'13] Program Obfuscation
Merci Beaucoup!