440 likes | 588 Views
Lattices, Cryptography and Computing with Encrypted Data. Vinod Vaikuntanathan. M.I.T. Decoding Lattices. Decoding Random Linear Codes. +. e. s. A. “small” error. Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)?.
E N D
Lattices, Cryptography and Computing with Encrypted Data Vinod Vaikuntanathan M.I.T
Decoding Lattices Decoding Random Linear Codes + e s A “small” error Combinatorially nice: Optimal rate etc. Can we decode efficiently (even in the unique decoding regime)? Seems very hard!
Decoding Lattices + e s A “small” error TODAY: Lattice-based Cryptography
Learning With Errors (LWE) (search) LWEn,q,B [Regev’05]: For random secret s Zqn O s Find s ( a1 , b1 = a1 , s + e1 ) (a2, b2= a2 , s + e2) …(am, bm=am , s + em) “noisy” random linear equation Uniformly random in Zqn “Small” error |e1| < B + s e a1 a2 am …
Learning With Errors (LWE) (decisional) LWEn,q,B : For random secret s Zqn O rand O s ( a1 , u1 ) ( a1 , b1 = a1 , s + e1 ) (a2, u2) … (am, um) (a2, b2= a2 , s + e2) …(am, bm=am , s + em) random in Zq Theorem [Reg05,Pei09]: Decisional LWE as hard as Search
LWE/Lattice-based Cryptography Robust • No sub-exponential or quantum attacks • Based on worst-case hardness • Solve LWE on average Solve in worst-case Approx. shortest vectors on worst-case lattices [Regev05, Peikert09, BLPRS13] THIS TALK • Amazingly Versatile • Advanced Crypto: Homomorphic Encryption, Functional Encryption, Software Obfuscation,… • Only known constructions use lattices
Warmup: Secret-key Encryption Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4. M = Dec(sk,C) Message M C = Enc(sk,M) secret key sk secret key sk eavesdropper Semantic Security [GM’82]: Encryption of any M0 and M1 are “computationally indistinguishable”
Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t
Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t • Bit Encryption Encsk(m): • Sample uniformly random a Zqn, “short” noise eZq • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq Semantic Security from LWE
Secret-key Encryption from LWE Decryption:Decs(a,b) = ( b - a, s) (mod 2). Correctness:b - a, s =b - ∑a[ i ]∙s[ i ]= m + 2e(over Zq). decryption succeeds if e < q/4. • KeyGen: • Sample random “short” vector t Zqn and set sk = t • Bit Encryption Encsk(m): • Sample uniformly random a Zqn, “short” noise eZq • The ciphertext CT = (a, b = a, t+ 2e + m) Zqn X Zq • Decryption Decsk(CT): Output (b −a, t mod q) mod 2. • Correctness:b − a, t mod q = 2e + m mod q = 2e + m (as long as |2e+m| < q/2)
Encryption M Message M All-or-nothing Have Secret Key, Can Decrypt No Secret Key, No Go
Encryption Fully Homomorphic Encryption Enc(Data) Enc(F(Data)) Compute arbitrary functions on encrypted data? Powerful server / cloud [Rivest, Adleman and Dertouzos’78]
Fully Homomorphic Encryption Enc(data), F → Enc(F(data)) [Goldwasser-Micali’82,…]: Additively homomorphic [El Gamal’85,…]: Multiplicatively homomorphic Compute arbitrary functions on encrypted data? [Gentry’09, BV’11, LTV’12]: Fully homomorphic (FHE) (all known constructions based on lattices) [Rivest, Adleman and Dertouzos’78]
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n * d = ε log n C EVAL * (0 < ε < 1 is a constant, and n is the security parameter)
The Big Picture STEP 2 “Bootstrapping” Theorem [Gen09] (Qualitative) “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some) msg C Dec sk CT Decryption Circuit EVAL
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
Additive Homomorphism CT = (a ,b) CT’ = (a’, b’) b − a, t = 2e + m b’ − a’, t = 2e’ + m’ Look at Ciphertexts through the Decryption Lens
Additive Homomorphism CT = (a ,b) CT’ = (a’, b’) Let c = (a ,b) and s = (-t, 1) Let c’ = (a’ ,b’) and s = (-t, 1) b − a, t = 2e + m c, s = 2e + m b’ − a’, t = 2e’ + m’ c’, s = 2e’ + m’
Additive Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cadd = c+c’ c, s = 2e + m c’, s = 2e’ + m’ c+c’, s = 2(e+e’) + (m+m’) Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2) Proof: + E Cadd
Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙c’, s = (2e+m) ∙ (2e’+m’) X
Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c, s ∙c’, s = mm’ + 2(em’+e’m+2ee’) X E Quadratic equation in the variables s[i]
Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = ? c, s = 2e + m c’, s = 2e’ + m’ c c’, s s = mm’ + 2(em’+e’m+2ee’) Tensor Product: • c c’ = (c[1]∙c’[1], …, c[i]∙c’[j],…, c[n+1]∙c’[n+1]) • c, c’ live in (n+1) dim → c c’ lives in (n+1)2-dim • KEY FACT: c, s ∙c’, s = c c’, s s X E
Problem: Ciphertext size blows up! (Zqn+1 → Zq(n+1)^2) Multiplicative Homomorphism CT = c CT’ = c’ c, s = 2e + m c’, s = 2e’ + m’ Claim: cmult = c c’ c, s = 2e + m c’, s = 2e’ + m’ c c’, s s = mm’ + 2(em’+e’m+2ee’) X E Dec(s s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)
Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s that represents these quadratic func. or, of new secret s’
Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Enct’(s[ i ]s[ j ] )
Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : sample Ai,j, Ei,j i,j.(Ai,j , Bi,j = Ai,j, t’ + 2Ei,j + s[ i ]s[ j ]) LWE Security still holds.
Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : sample Ai,j, Ei,j i,j.Bi,j − Ai,j, t’ = 2Ei,j + s[ i ]s[ j ]
Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Ci,j, s’ ≈ s[ i ]s[ j ] (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)
Cheating Alert Multiplicative Homomorphism cmult, s s = 2E + mm’ Key Idea [BV’11]: Relinearization Plug back into quadratic equation: cmult[i,j] ∙ Ci,j , s’ ≈ 2*Error + mm’ Linear in s’. Find linear functions of s’ that represent these quadratic func. New KeyGen: • Sample t,t’Zqn and set sk = (t,t’). • Evaluation key evk : i,j.Ci,j, s’ ≈ s[ i ]s[ j ] Linear fn(in s’) Quadratic fn(in s)
Multiplicative Homomorphism cmult, s s = 2E + mm’ Plug back into quadratic equation: cmult[i,j] ∙ Ci,j , s’ ≈ mm’+2*Error Linear in s’. Homomorphic Mult: • First compute cmult = c c’ • Compute and output cmult[i,j] ∙ Ci,j (where Ci,j are from the evaluation key)
The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) 2ξ initial noise= ξ Correctness Security noise=0
The Reservoir Analogy (How homomorphic is this?) Additive Homomorphism: ξ → 2 ξ noise=q/2 Mult. Homomorphism: ξ → ξ2 + n2B log q AFTER d LEVELS: ~ ξ2 noise B → (worst case) initial noise= ξ noise=0
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
Bootstrapping Bootstrapping Theorem [Gen09] • If you can homomorphically evaluate depth d circuits (you have a d-HE) and • the depth of your decryption circuit < d • *FHE
Bootstrapping “Homomorphic enough” Encryption FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Bootstrapping Theorem [Gen09] Say n(Bdec)2 < q/2 d-HE with decryption depth < d *FHE noise=Bdec noise=0
Bootstrapping “Homomorphic enough” Encryption FHE Bootstrapping = “Valve” at a fixed height (that depends on decryption depth) noise=q/2 Bootstrapping Theorem [Gen09] Say n(Bdec)2 < q/2 d-HE with decryption depth < d *FHE noise=Bdec noise=0
But the evaluator does not have SK! Bootstrapping: How “Best Possible” Noise Reduction = Decryption! “Noiseless ciphertext” m “Very Noisy” ciphertext Dec CT SK Decryption Circuit
Bootstrapping, Concretely Next Best = Homomorphic Decryption! * Assume Enc(SK) is public. (OK assuming the scheme is “circular secure”) EncPK(m) Noise = Bdec Bdec Independent of Binput Dec Noise = Binput CT EncPK(SK)
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
Boosting Depth from log n to nε (in one slide) • The Culprit: Multiplication • Increases error from B to about B2 • Let us pause for a moment: Is B2 > B? • Not if B < 1! • Why not scale ciphertexts by q and work over [0,1)? • Quite amazingly, this works out and gives us an error growth of B → nB • Error grows singly exponentially with circuit depth
The Big Picture STEP 1 “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS’12] Evaluate arithmetic circuits of depth d = ε log n STEP 3 Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = nε STEP 2 “Bootstrapping” Method “Homomorphic enough” Encryption*FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
Lattices are awesome! BASIC CRYPTO [Ajtai’96,Ajtai-Dwork’97, Goldreich-Goldwasser-Halevi’97, Micciancio-Regev’04, Regev’05] One-way functions, hash functions, public-key encryption ADVANCED CRYPTO [Ajtai’99,Gentry-Peikert-V’08, Peikert-V-Waters’08] Trapdoor functions, Identity-based Encryption, secure computation THIS TALK [Gentry’09, Brakerski-V’11, Brakerski-Gentry-V’12] Fully Homomorphic Encryption [Gorbunov-V-Wee’13, Goldwasser-KP-V-Z’13] Attribute-based and Functional Encryption [Garg-GHRSW’13] Program Obfuscation