  1. A Simple BGN-Type Cryptosystem from LWE. Craig Gentry, Shai Halevi, Vinod Vaikuntanathan (IBM Research)

  2. Perspective

  3. Homomorphic Encryption in three easy steps [G’09]
  • Step 1: Encryption from linear codes
    • SK/PK are good/bad representations of the code
    • Bad representation: can’t tell words close to the code from random words
    • Good representation: can be used to correct many errors
    • Additive homomorphism “for free”
  • Step 2: ECC lives inside a ring
    • We have both additive and multiplicative structure
    • If the code is an ideal, we also get a multiplicative homomorphism, for low-degree polynomials
  • Step 3: Bootstrapping, squashing, etc.

  4. Instances of this Paradigm
  • Ring of polynomials [G’09]
  • Ring of integers [vDGHV’10]
  • This work: how about the ring of matrices?
    • Doesn’t quite work like the others
    • We only get additive HE + one multiplication
    • Quadratic formulas, as in [BGN’05]
    • But more efficient and more flexible
    • Can be made leakage-resilient, identity-based

  5. Background

  6. Learning with Errors (LWE)
  • Search-LWE: Given (A, c), find (s, x), where c = A·s + x mod q
    • A is m×n and uniformly random mod q, s has n entries, x is small
  • [R’05, P’09]: as hard as the worst case of some lattice problems
  • n: the security parameter
  • q: poly(n)
  • m > n log q

  7. Learning with Errors (LWE)
  • Decision-LWE: Distinguish c = A·s + x mod q from a uniformly random c
    • A is m×n and random mod q, x is small, so c is close to the linear code spanned by A
  • [R’05]: as hard as finding s, x
    • For certain parameters
  • n: the security parameter
  • q: poly(n)
  • m > n log q

  8. Learning with Errors (LWE)
  • Many LWE instances with the same A: C = A·S + X mod q
    • A is m×n and random mod q, S has n rows, X is small
  • Same hardness (easy hybrid argument)

  9. Ajtai’s Trapdoors
  • [A’96] Given a random A, it is hard to find a small t s.t. tA = 0 mod q
    • As hard as the worst case of some lattice problems
  • [A’99] But it is possible to generate A together with a small, full-rank T such that TA = 0 mod q
  • [Alwen-Peikert’08] Even smaller T

  10. Trapdoor Functions [GPV’08]
  • (A, s, x) ↦ As + x is a trapdoor function
  • Can use T to correct errors:
    • c = As + x
    • Tc = T(As + x) = Tx mod q
    • But T, x are small, so Tx ≪ q ⇒ (Tc mod q) = Tx
    • Equality over the integers ⇒ T⁻¹(Tc mod q) = x

  11. Our Cryptosystem

  12. Step 1: Encryption from linear ECCs
  • Code is the column space of A mod q: { As : s ∈ Z_q^n }
  • Bad representation (PK) is A itself
    • Given A, hard to distinguish words close to the code from random words (LWE)
  • Good representation (SK) is T
    • Can use T to correct errors

  13. Step 1: Encryption from linear ECCs
  • PK: A, SK: T
  • Plaintext is encoded in the LSB of the error matrix
    • Plaintext is a binary matrix B ∈ {0,1}^{m×m}
  • Enc(A, B): Choose random S ∈ Z_q^{n×m} and small E ∈ Z^{m×m}; output C = AS + X mod q, where X = 2E + B
  • Dec(T, C): Set X ← T⁻¹(TC mod q)
    • Output B = X mod 2

  14. Step 1: Encryption from linear ECCs
  • Security follows from LWE (for odd q)
  • Thm: LWE ⇒ for any B, Enc_A(B) ≈ random
  • Proof: Given an LWE input (A, C’), either C’ = AS + E or C’ is random:
    • Set C = 2C’ + B mod q
    • If C’ = AS + E then C = A(2S) + (2E + B) mod q, a random encryption of B
    • If C’ is random then so is C

  15. Step 1: Encryption from linear ECCs
  • Additive homomorphism “for free”
  • C = C1 + C2 = (AS1 + (2E1 + B1)) + (AS2 + (2E2 + B2)) = A(S1 + S2) + 2(E1 + E2) + (B1 + B2) mod q
  • T⁻¹(TC mod q) = X, and X mod 2 = B1 + B2 mod 2
    • As long as X ≪ q

  16. Step 2: ECC lives inside a ring
  • Multiply C1 × C2 mod q?
  • (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2)) = A(…) + (2E1 + B1)AS2 + 2(…) + B1B2 mod q
  • Not what we wanted
    • Cannot use T to cancel out (2E1 + B1)AS2
    • Matrix multiplication is not commutative

  17. Step 2: ECC lives inside a ring
  • How about C = C1 × C2ᵗ mod q?
  • (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2))ᵗ = A(…) + (…)Aᵗ + 2(…) + B1B2ᵗ mod q
  • That’s better: TCTᵗ = TXTᵗ mod q
    • X = (2E1 + B1)(2E2 + B2)ᵗ is still small ⇒ TCTᵗ mod q = TXTᵗ over the integers
    • ⇒ T⁻¹(TCTᵗ mod q)(Tᵗ)⁻¹ = X, and X mod 2 = B1B2ᵗ mod 2

  18. What Did We Get?
  • KeyGen: Generate A, T
  • Enc(A, B): C ← AS + 2E + B mod q
  • Add(C1, C2): C ← C1 + C2 mod q
  • Mult(C1, C2): C ← C1C2ᵗ mod q
  • Dec(T, C): B ← T⁻¹(TCTᵗ mod q)(Tᵗ)⁻¹ mod 2
  • Can decrypt any quadratic formula with polynomially many terms
    • With appropriate parameters

  19. What Did We Get?
  • KeyGen: Generate A, T
  • Enc(A, B): C ← AS + pE + B mod q
  • Add(C1, C2): C ← C1 + C2 mod q
  • Mult(C1, C2): C ← C1C2ᵗ mod q
  • Dec(T, C): B ← T⁻¹(TCTᵗ mod q)(Tᵗ)⁻¹ mod p
  • Can decrypt any quadratic formula with polynomially many terms
    • With appropriate parameters
  • Can replace 2 by any p ≪ q
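The scheme of slides 12 to 19, as an added, runnable toy example (my code, not the authors' implementation). It uses exact rational arithmetic with n = 1 and m = 6, and a deliberately simplified key generation that picks the small trapdoor T first and derives A as a column of adj(T) mod q; that is not Ajtai's or Alwen-Peikert's algorithm and gives no security, it only reproduces the property the slides rely on, TA = 0 mod q with T small and invertible. The bounds Q_MIN and T_BOUND, the error range {-1, 0, 1} and all function names are my choices; Q_MIN is set so that the worst-case entry of T·X·Tᵗ (6·9 · 54 · 6·9 = 157464) stays below q/2. The block checks the three decryption paths from the slides: fresh ciphertexts and sums via T⁻¹(TC mod q), and C1·C2ᵗ via T⁻¹(TCTᵗ mod q)(Tᵗ)⁻¹.

```python
import random
from fractions import Fraction

# Toy parameters, chosen so the algebra is visible rather than for security: n = 1 LWE column,
# m = M rows, plaintexts are M x M bit matrices, error entries lie in {-1, 0, 1} and trapdoor
# entries in [-T_BOUND, T_BOUND]. Q_MIN keeps |T X T^t| below q/2 even in the worst case.
M, T_BOUND, Q_MIN = 6, 9, 400_000

def matmul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def centered(X, q):
    """Reduce entries into [-(q-1)/2, (q-1)/2]: the 'mod q' of the decryption formulas."""
    return [[((v + q // 2) % q) - q // 2 for v in row] for row in X]

def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def solve(T, V):
    """Gauss-Jordan over the rationals: return (X, det T) with T*X = V exactly, or (None, 0) if singular."""
    n, w = len(T), len(V[0])
    a = [[Fraction(v) for v in list(T[i]) + list(V[i])] for i in range(n)]
    det = Fraction(1)
    for i in range(n):
        p = next((r for r in range(i, n) if a[r][i] != 0), None)
        if p is None:
            return None, 0
        if p != i:
            a[i], a[p] = a[p], a[i]
            det = -det
        piv = a[i][i]
        det *= piv
        a[i] = [v / piv for v in a[i]]
        for r in range(n):
            if r != i and a[r][i] != 0:
                f = a[r][i]
                a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return [[a[i][n + j] for j in range(w)] for i in range(n)], int(det)

def keygen(rng):
    """Toy KeyGen (not Ajtai's or Alwen-Peikert's algorithm): sample a small full-rank T until |det T|
    is a prime above Q_MIN, set q = |det T|, and take A as a nonzero column of adj(T) = det(T)*T^{-1}
    mod q. Since T*adj(T) = det(T)*I = 0 mod q, this gives T*A = 0 mod q with T small and invertible."""
    I = [[int(i == j) for j in range(M)] for i in range(M)]
    while True:
        T = [[rng.randint(-T_BOUND, T_BOUND) for _ in range(M)] for _ in range(M)]
        Tinv, det = solve(T, I)
        q = abs(det)
        if q > Q_MIN and is_prime(q):
            adj = [[int(det * v) % q for v in row] for row in Tinv]
            col = next(j for j in range(M) if any(adj[i][j] for i in range(M)))
            return ([[adj[i][col]] for i in range(M)], q), T

def encrypt(pk, B, rng):
    """Enc(A, B): C = A*S + 2E + B mod q with S uniform (1 x M because n = 1) and E small."""
    A, q = pk
    S = [[rng.randrange(q) for _ in range(M)]]
    E = [[rng.randint(-1, 1) for _ in range(M)] for _ in range(M)]
    AS = matmul(A, S)
    return [[(AS[i][j] + 2 * E[i][j] + B[i][j]) % q for j in range(M)] for i in range(M)]

def add(pk, C1, C2):
    return [[(x + y) % pk[1] for x, y in zip(r1, r2)] for r1, r2 in zip(C1, C2)]

def mult(pk, C1, C2):
    """Mult(C1, C2) = C1*C2^t mod q; decrypt_product recovers B1*B2^t mod 2 from it."""
    return [[v % pk[1] for v in row] for row in matmul(C1, transpose(C2))]

def decrypt(sk, pk, C):
    """Dec(T, C) = T^{-1}(T*C mod q) mod 2, for fresh ciphertexts and sums of them."""
    TX = centered(matmul(sk, C), pk[1])  # T*C = (T*A)*S + T*X = T*X mod q, and |T*X| < q/2
    return [[int(x) % 2 for x in row] for row in solve(sk, TX)[0]]

def decrypt_product(sk, pk, C):
    """Dec for C = C1*C2^t: T^{-1}(T*C*T^t mod q)(T^t)^{-1} mod 2."""
    TXTt = centered(matmul(matmul(sk, C), transpose(sk)), pk[1])  # equals T*X*T^t over the integers
    Y = solve(sk, TXTt)[0]                     # Y = X*T^t
    X = transpose(solve(sk, transpose(Y))[0])  # from T*X^t = Y^t
    return [[int(x) % 2 for x in row] for row in X]

def demo(seed=1):
    """Encrypt two random bit matrices; report whether fresh, added and multiplied ciphertexts decrypt."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    A, q = pk
    B1 = [[rng.randint(0, 1) for _ in range(M)] for _ in range(M)]
    B2 = [[rng.randint(0, 1) for _ in range(M)] for _ in range(M)]
    C1, C2 = encrypt(pk, B1, rng), encrypt(pk, B2, rng)
    sum_mod2 = [[(x + y) % 2 for x, y in zip(r1, r2)] for r1, r2 in zip(B1, B2)]
    prod_mod2 = [[v % 2 for v in row] for row in matmul(B1, transpose(B2))]
    return {"q": q,
            "trapdoor_ok": all(v % q == 0 for row in matmul(sk, A) for v in row),
            "fresh_ok": decrypt(sk, pk, C1) == B1,
            "add_ok": decrypt(sk, pk, add(pk, C1, C2)) == sum_mod2,
            "mult_ok": decrypt_product(sk, pk, mult(pk, C1, C2)) == prod_mod2}
```

Calling demo() returns q together with four booleans, all True. The centered reduction is the step that makes the slides' argument work: T⁻¹(TC mod q) equals X only because TC mod q, taken in (−q/2, q/2), is TX over the integers, and for a product that requires the entries of TXTᵗ to stay below q/2, which is why m must be several times n in a real instantiation (here the trapdoor is only slightly smaller than q^{1/2} per row, so q had to be pushed up instead). Lowering Q_MIN below about 315,000 lets the product decryption fail for some key pairs while fresh ciphertexts still decrypt.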

  20. Extensions, Applications
  • Can apply the [AMGH’10] transformation
    • Get homomorphism for low-degree polynomials
  • “Dual Regev encryption” [GPV’08] is a special case of our scheme*
    • Leakage resilience
    • IBE
  • Efficient quadratic-formula homomorphism for polynomials, big integers
  * After changing the encoding of the plaintext

  21. Thank You

  22. 2-of-2 Decryption
  • Alice has key-pair (A1, T1), Bob has (A2, T2)
  • Charlie encrypts B1 to Alice: C1 ← [A1S1 + X1]_q
  • Dora encrypts B2 to Bob: C2 ← [A2S2 + X2]_q
  • Zachariah sets C* = [C1 C2ᵗ]_q
    • C* looks random to either Alice or Bob alone
    • Pooling their keys together, they can recover B1B2ᵗ:
    • B1B2ᵗ = T1⁻¹ [T1 C* T2ᵗ]_q (T2ᵗ)⁻¹ mod 2
  • Can also “blind” C* to hide its relation to C1, C2

  23. Multiplying Polynomials
  • p(x) = p0 + p1x + p2x², q(x) = q0 + q1x + q2x²
  • P = …, Q = …, R = …, PQᵗ + R = … (the four matrices were shown as figures on this slide and did not survive extraction)
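The slide's own P, Q and R were lost with the figures, so the following is an added example in an encoding of my own (not the authors'): the coefficient lists of p and q are embedded in matrices so that one product P·Qᵗ, which is exactly the Mult operation of the scheme, carries the coefficients of p(x)·q(x) in its first column. Under this particular encoding no correction matrix R is needed; the function names and the sample polynomials are constructed for the illustration, and the optional modulus stands for the plaintext modulus (2, or any p of slide 19).

```python
def poly_product_matrices(p, q, size):
    """Embed coefficient lists p and q (lowest degree first) into size x size matrices so that
    P*Q^t carries p(x)*q(x): P is lower-triangular Toeplitz in p (P[k][i] = p[k-i]) and Q holds q
    in its first row only. size must be at least len(p) + len(q) - 1 to hold every coefficient."""
    P = [[p[k - i] if 0 <= k - i < len(p) else 0 for i in range(size)] for k in range(size)]
    Q = [[q[i] if (r == 0 and i < len(q)) else 0 for i in range(size)] for r in range(size)]
    return P, Q

def product_coefficients(P, Q, modulus=None):
    """Read the coefficients of p*q from the first column of P*Q^t, since
    (P*Q^t)[k][0] = sum_i P[k][i]*Q[0][i] = sum_i p[k-i]*q[i]; reduce mod the plaintext modulus if given."""
    PQt = [[sum(a * b for a, b in zip(row, qrow)) for qrow in Q] for row in P]
    coeffs = [row[0] for row in PQt]
    return [c % modulus for c in coeffs] if modulus else coeffs

# Constructed sample: p(x) = 1 + 2x + 3x^2 and q(x) = 4 + 5x + 6x^2,
# whose product is 4 + 13x + 28x^2 + 27x^3 + 18x^4.
SAMPLE_P, SAMPLE_Q = poly_product_matrices([1, 2, 3], [4, 5, 6], 5)
```

product_coefficients(SAMPLE_P, SAMPLE_Q) returns the five integer coefficients, and with modulus=2 the same list reduced to bits, which is what a homomorphic Mult of encryptions of P and Q would decrypt to under the scheme.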

  24. Dual Regev Encryption [GPV’08]
  • The Dual-Regev cryptosystem is an instance of our scheme with T = … (a matrix built from −u and 0, shown as a figure on this slide)
  • A different input encoding than [GPV’08]
  • T is no longer invertible
    • But can still recover the top-left entry of B
  • It is known to be IBE, leakage-resilient
    • Still true with the new input encoding
    • And now it supports quadratic formulas

