1 / 37

Field-Switching in Homomorphic Encryption

Field-Switching in Homomorphic Encryption. Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart. HE Over Cyclotomic Rings. Denote the field Its ring of integers is M od- denoted “ N ative plaintext space” is Ciphertexts , secret-keys are vectors over

yule
Download Presentation

Field-Switching in Homomorphic Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Field-Switching inHomomorphic Encryption Craig GentryShaiHaleviChris PeikertNigel P. Smart

  2. HE Over Cyclotomic Rings • Denote the field • Its ring of integers is • Mod- denoted • “Native plaintext space” is • Ciphertexts, secret-keys are vectors over • wrt encrypts if (for representatives in ) we have for small • Decryption via • Using “appropriate” -bases of * * * * Not exactly

  3. HE Over Cyclotomic Rings • “Native plaintexts” encode vectors of values • (more on that later) • Homomorphic Operations • Addition: encrypts , encoding • Multiplication: encrypts , encoding • Automorphism:encrypts , encoding some permutation of • Relative to key

  4. HE Over Cyclotomic Rings • Also a key-switching operation • For any two we can publish akey-switching gadget • used to translate valid wrt into wrt • encrypt the same plaintext for some small

  5. How Large are ? • Ciphertexts are “noisy” (for security) • noise grows during homomorphic computation • Decryption error if noise grows larger than Must set “much larger” than initial noise Security relies on LWE-hardness with very large modulus/noise ratio Dimension () must be large to get hardness • Asymptotically • For realistic settings,

  6. Switching to Smaller ? • As we compute, the noise grows • Cipehrtexts have smaller modulus/noise ratio • From a security perspective, it becomes permissible to switch to smaller values of • How to do this? • Not even clear what outcome we want here: • Have wrt , encrypting some • Want wrt for • Encrypting ??

  7. Ring-Switching: The Goal • We cannot get since , • We want to be “related” to • encodes • encodes • May want to encode a subset of the ’s? • E.g., the first of them • Not always possible, only if • What relations between the ’s are possible?

  8. Prior Work • A limited ring-switching technique was described in [BGV’12] • Only for • Transforms big-ring into small-rings.t. (encrypted in ) can be recovered from (encrypted in ). • Used only for bootstrapping

  9. Our Transformation: Overview • Work for any as long as • wrtwrt • , encrypt , that encode vectors: • , • Necessarily , so a subfield of • Each is a -linear function of some ‘s • We can choose the linear functions, but not the subset of ‘s that correspond to each • If , can use projections (so ’s a subset of ’s)

  10. Our Transformation: Overview Denote • Key-switching to map wrtwrt • and • over the big field, wrt subfield key • Compute a small that depends only on the desired linear functions • Apply the trace function, • Output

  11. Algebra

  12. Geometry of • Use canonical-embedding to associate with a -vector of complex numbers • Thinking of as a polynomial, associate with the vector • , the principal complex ’th root of unity • E.g., if then • We can talk about the “size of ” • say the or norm of • For decryption, the “noise element” must be

  13. Geometry of • can be expressed as a vector-space over • Similarly over , over , etc. • Every -basis induces a transformation coefficients in element of • With canonical embedding on both sides, we havea-linear transformation • We want a “good basis”, where is “short”and “nearly orthogonal”

  14. Geometry of • Lemma 1: There exists -basis of R for which all the singular values of are nearly the same. • Specifically where primes that divide but not • The proof follows techniques from [LPR13],the basis is essentially a tensor of DFT matrices

  15. The Trace Function • For , • By definition: if is small then so is • is • is -linear if , and • The trace is a “universal” -linear function: • For every -linear function there exists such that

  16. The Trace Function • The trace Implies also a -linear map , and -linear map • Every -linear map can be written as • But need not be in • More on that later

  17. The Intermediate Trace Function • when is an extension of • Satisfies • Lemma 2: if is small then so is • Less trivial than for but still true • is a “universal” -linear function: • is • For every -linear function there exists such that • Similarly implies -linear map and -linear map

  18. Some Complications • Often we get • Also for many linear functions we get where is not in • In our setting this will cause problems when we apply the trace to ciphertext elements • That’s (one reason) why ciphertexts are not really vectors over • Hence the *‘s throughout the slides

  19. The Dual of • Instead of , ciphertext are vectors over the dual • , for some • We have • Also every -linear can be written as for some • In the rest of this talk we ignore this point, and pretend that everything is over

  20. Prime Splitting • The integer 2 splits over as • ranges over • is generated by • In this talk we assume =1 (i.e., is odd) • prime ideals, each • Using CRT, each encodes the vector

  21. Prime Splitting • Similarly 2 splits over as • Again we assume • Using CRT, each encodes the vector • When then also , , and each split over as a product of some of the ’s

  22. Prime Splitting • Example for Lie over Lie over Lie over 2 2

  23. Plaintext-Slot Representation • Recall that for all the ’s • But the isomorphisms are not unique • To fix the isomorphisms: • Fix a primitive -th root of unity • Fix representatives for all • defined via • Same for isomorphisms • Define by fixing and

  24. Plaintext-Slot Representation • Making the ’s and ‘s “consistent” • Fix and set • Fix , then that lies over ,choose s.t. • Fact: if lies over and , then • In words: for a sub-ring plaintext, the slots mod and all the ’s lie over it, hold the same value

  25. Plaintext-Slot Representation • Lemma 3: collection of -linear functions a unique -linear function s.t. = holds and , and • The ’s range over all the ’s that lie over

  26. Illustration of Lemma 3 • s.t. and • Can express for some * * Not exactly

  27. The Transformation

  28. Step 1, Key Switching • Let (chosen at keygen) • Publish a key-switching matrix • Given ctxtwrt, use W to get wrt • Just plain key-switching in the big ring • still over the big ring, but wrt a sub-ring key • encrypts the same -element as

  29. Security of Key-Swicthing • Security of usual big-ring key-switching relies on the secret being drawn from • Then constrains only LWE-instance over • What can we say when it is drawn from ? • We devise LWE instances over with secret from , with security relying on LWE in • Instead of one small error element in , choose many small elements in ,use an -basis of to combine them into a single error element in

  30. -LWE With Secret in • Let be any -basis of • Given the LWE secret • Choose uniform and small • Set and output • If the basis B is “good” (short, orthogonal) then is not much larger than the ’s • This is where we use Lemma 1 ( good basis)

  31. -LWE With Secret in • Theorem: If decision-LWE is hard in , then is indistinguishable from uniform in • Proof: • We can consider for uniform • Induces the same uniform distribution on • Then we would get . • If the were uniform in , then would be uniform in .

  32. Steps 2,3: Ring Switching • encrypts wrt • encodes a vector • We view it as • target functions, • Want small-ring ciphertext encrypting that encodes • For each ,

  33. Steps 2,3: Ring Switching • By Lemma 2, that induces the ’s • Expressed as for • We identify with a short representative in • One must exists since 2 is “short” • Thus identify with over • Further identify as a representative of • Apply the trace, • Recall that is valid wrt * * Not exactly

  34. Correctness • Recall over • For some (with small) and over • Thus we have the equalities (over ): • encodes the ’s that we want

  35. Correctness • We have • This looks like a valid encryption of • It remains to show that is short • is short (from the input), is short (reduced mod 2) • So is short • By Lemma 3 also is short

  36. Conclusions • We have a general ring-switching technique • Converts over to over for • The plaintext slots in can contain any linear functions of the slots in • A -slot is a function of the -slots that lie above it • We may choose projection functions to have contain subset of the slots of • Lets us to speed up computation by switching to a smaller ring

  37. Epilog: The [AP13] Work Alperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation of DFT-like transformations: • Decompose it to an FFT-like network of “local” linear functions • Use ring-switching for each level • Then switch back up before the next level Yields fastest bootstrapping procedure to date

More Related