China Summer School on Lattices and Cryptography
Craig Gentry and Shai Halevi
June 4, 2014
Homomorphic Encryption over Polynomial Rings
The Ring LWE Problem (RLWE)
Recall LWE
LWE (traditional formulation): Hard to distinguish between (A, b = As+e) and (A, b = uniform).
LWE (alternative formulation): Hard to distinguish whether matrix B = (b, A) is uniform, or there exists a vector t = (1, -s) such that e = B·t is short.
Matrices and vectors are over the ring Zq.
What if we put the matrices and vectors over a different ring – e.g., a polynomial ring?
Polynomial Rings
Example: Z_q[x]/(x^N − 1): polynomials of degree at most N−1 (so N coefficients) over Z_q. Addition: add the polynomials coefficient-wise modulo q. Multiplication: multiply the two polynomials, then reduce the result modulo q and modulo x^N − 1, so that the final result again has degree at most N−1: a(x)·b(x) = Σ_{j,k} a_j·b_k·x^{(j+k) mod N}.
Example: Z_q[x]/Φ_N(x): polynomials modulo q and modulo the N-th cyclotomic polynomial, e.g. Φ_N(x) = x^{N/2} + 1 when N is a power of 2.
RLWE: LWE over Polynomial Rings
RLWE: Hard to distinguish between (A, b = As + e) and (A, b = uniform) when A ∈ R^{m×1}, s ∈ R, and e ∈ R^m is a vector of “small” R-elements, where R is an appropriate polynomial ring: a cyclotomic ring in which Φ_N(x) has degree n = φ(N) suitably larger than the security parameter.
RLWE (alternative formulation): Hard to distinguish whether the matrix B ∈ R^{m×2} is uniform or there exists a vector t = (1, −s) ∈ R^2 such that e = B·t is short, where R is a polynomial ring.
“Hardness” comes from the high dimension of the ring, rather than the high dimension of the vectors. [LPR10]: worst-case/average-case reduction for “ideal lattices”.
Pros and Cons of RLWE (vs LWE)
Con: Security. LWE is as hard on average as worst-case problems over general (any) lattices; RLWE is as hard on average as worst-case problems over ideal lattices (a special type of lattice).
Pro: Efficiency. With the Fast Fourier Transform (FFT), multiplying ring elements is fast even if the ring has high dimension: O(n log n) time for rings of dimension n.
Also, RLWE permits smaller public keys, larger plaintexts, and more efficient homomorphic computation.
Regev’s Encryption Scheme with RLWE
In LWE-Regev, m = O(n log q). For RLWE-Regev, m = O(log q).
If R has dimension n, encryption takes time quasilinear in n. (In LWE-Regev with vectors of dimension n, the time is quasi-quadratic in n.)
The plaintext space is larger: R_2 instead of just {0,1}.
The NTRU Encryption Scheme
NTRU: Even Simpler Encryption Using Polynomial Rings
Secret key: a single small element s ∈ R.
Ciphertext: c encrypts μ ∈ {0,1} if c = (μ + 2·small)/s mod q.
Security intuition: in a mod-q polynomial ring, ratios of small elements look random.
NTRU Details
NTRU Homomorphic Operations
Key Switching from s1 to s2.
Homomorphic Computation on Encrypted Arrays (SIMD Operations)
Encrypted Arrays
Suppose we use a mod-15 plaintext space (not mod-2). By the Chinese Remainder Theorem (CRT), Z_15 = Z_3 × Z_5: from one “big” plaintext space we get two independent “small” plaintext spaces. We call them two “plaintext slots”.
Suppose two ciphertexts c and c’ have (r_3, r_5) and (r_3’, r_5’) in their respective mod-3 and mod-5 plaintext slots. Then c_ADD = ADD(c, c’) has (r_3 + r_3’, r_5 + r_5’) in its slots, and c_MULT = MULT(c, c’) has (r_3·r_3’, r_5·r_5’) in its slots. Homomorphic ops act component-wise, in parallel, on slots.
Our Weird Cyclotomic Plaintext Space
SWHE in Polynomial Rings: the plaintext space is R_2 = Z_2[x]/Φ_N(x).
The message μ(x) is a polynomial in R_2; μ has n bits, where n is the degree of Φ_N(x). NTRU example: μ = [[c·s]_q]_2 over the ring R.
Can we get many “plaintext slots” out of R2? Sure…
Via CRT, R_2 decomposes into about N/log(N) plaintext slots of about log(N) bits apiece (for well-chosen N). ADD and MULT work in parallel across the slots.
Via ring automorphisms, encrypted data can be moved between slots. So we have ADD, MULT, and PERMUTE.
We can evaluate boolean circuits with ciphertexts “packed”, which reduces overhead.
The plaintext space R_2 = Z_2[x]/Φ_N(x) has amazing properties! Much better than a mod-15 plaintext space!
Chinese Remainder Theorem for Cyclotomic Rings
Choose N so that Φ_N(x) factors mod 2 into t factors: Φ_N(x) = ∏_{i=1}^{t} f_i(x) mod 2, where the degrees of f_1, …, f_t are all d = φ(N)/t.
Chinese Remainder Theorem (CRT), polynomial version: Z_2[x]/Φ_N(x) ≅ Z_2[x]/f_1(x) × … × Z_2[x]/f_t(x).
If ciphertexts c and c’ have (r_1(x), …, r_t(x)) and (r_1’(x), …, r_t’(x)) in their respective plaintext slots, then c_ADD = ADD(c, c’) has (r_1(x) + r_1’(x), …, r_t(x) + r_t’(x)) and c_MULT = MULT(c, c’) has (r_1(x)·r_1’(x) mod f_1(x), …, r_t(x)·r_t’(x) mod f_t(x)). Homomorphic ops act component-wise, in parallel, on slots.
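The slot structure above (both the Z_15 = Z_3 × Z_5 idea and its polynomial version), as an added Python example that is not the authors' code. It assumes the constructed case N = 7, whose Φ_7(x) splits mod 2 into two cubics (t = 2 slots of d = 3 bits), and packs and unpacks slot contents with the CRT to show that ADD and MULT in R_2 act slot-wise.

```python
# Added example (not the authors' code): plaintext slots of R_2 = Z_2[x]/Phi_N(x) for the
# constructed case N = 7, where Phi_7(x) = x^6+...+x+1 = (x^3+x+1)(x^3+x^2+1) mod 2, giving
# t = 2 slots of d = 3 bits each. GF(2)[x] polynomials are ints with bit i <-> x^i.
PHI7 = 0b1111111            # Phi_7(x) = x^6+x^5+x^4+x^3+x^2+x+1
FACTORS = (0b1011, 0b1101)  # f1 = x^3+x+1, f2 = x^3+x^2+1

def gf2_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf2_mod(a, m):
    """Remainder of a modulo m in GF(2)[x] (long division is XOR of shifted copies of m)."""
    while a and a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a

def r2_mul(a, b):
    """MULT in R_2: multiply, then reduce modulo Phi_7 (ADD in R_2 is simply a ^ b)."""
    return gf2_mod(gf2_mul(a, b), PHI7)

def to_slots(a):
    """CRT map R_2 -> Z_2[x]/f1 x Z_2[x]/f2: the slot contents are a mod f1 and a mod f2."""
    return tuple(gf2_mod(a, f) for f in FACTORS)

def gf2_inverse_mod(a, m):
    """a^-1 mod m by brute force over the 2^deg(m) residues (m irreducible, degree 3 here)."""
    return next(e for e in range(1, 1 << (m.bit_length() - 1)) if gf2_mod(gf2_mul(a, e), m) == 1)

def from_slots(slots):
    """Inverse CRT: pack slot contents (r1, r2) into the one element of R_2 with those residues."""
    f1, f2 = FACTORS
    a = gf2_mul(slots[0], gf2_mul(f2, gf2_inverse_mod(f2, f1)))   # = r1 mod f1, 0 mod f2
    a ^= gf2_mul(slots[1], gf2_mul(f1, gf2_inverse_mod(f1, f2)))  # = r2 mod f2, 0 mod f1
    return gf2_mod(a, PHI7)
```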
SIMD (Single Instruction Multiple Data): Working on Data Arrays
[Figure: two arrays of length n, (8, 2, 0, 9, 3, 8, 0, 1, …, 4, 4) and (2, 1, 9, 5, 0, 7, 3, 6, …, 1, 2). n-ADD gives (10, 3, 9, 14, 3, 15, 3, 7, …, 5, 6); n-MULT gives (16, 2, 0, 45, 0, 56, 0, 6, …, 4, 8).]
Great for computing the same function F on n different input strings.
[Figure: applying a function F slot-wise to the two arrays above gives a new array of length n, (3, 6, 3, 3, 4, 1, 7, 8, …, 8, 5).]
We can do SIMD homomorphically.
Permuting Encrypted Arrays and Ring Automorphisms
Beyond SIMD Computation
Goal: to reduce overhead for a single computation (rather than multiple computations in parallel): pack all input bits into just a few ciphertexts, and compute while keeping everything packed. How to do this?
Are ADD and MULT a Complete Set of Operations? Yes, for bits.
[Figure: a boolean circuit of + (XOR) and × (AND) gates over inputs x1, …, x19, evaluated layer by layer to an output bit.]
ADD and MULT are a complete set of operations.
[Figure: the same circuit with the inputs packed into SIMD arrays (x1, x2, x3, x4, x5, x7) and (x8, x9, x10, x11, x12, x14).]
n-ADD and n-MULT are NOT a complete set of operations.
Are ADD and MULT a Complete Set of Operations? No, for SIMD arrays.
[Figure: the packed array (x1, x2, x3, x4, x5, x7, …) is n-MULTiplied by the mask (1, 0, 1, 0, 0, 0, 0) to give (x1, 0, x3, 0, 0, 0, 0) and by the mask (0, 1, 0, 1, 0, 0, 0) to give (0, x2, 0, x4, 0, 0, 0); n-PERMUTE(π) moves these to (x1, x3, 0, 0, 0, 0, 0) and (x2, x4, 0, 0, 0, 0, 0); one n-ADD then adds x1 with x2 and x3 with x4.]
n-ADD, n-MULT, n-PERMUTE: a complete set of SIMD ops on n-arrays.
How do we evaluate n-PERMUTE(π) homomorphically, without “decompressing” the packed ciphertexts? Ring automorphisms!
Ring Automorphisms
For simplicity, let R = Z[x]/(x^n − 1) with n prime, and consider the map φ_k: R → R given by φ_k(a(x)) = a(x^k). If gcd(k, n) = 1, φ_k permutes the coefficients of a(x) (coefficient a_j moves to position j·k mod n). If a(x) is “small”, then φ_k(a(x)) is also “small”.
φ_k also permutes the evaluations of a(x) at the roots of unity. We can use φ_k to permute our plaintext slots.
Homomorphic Automorphisms
Which Permutations Do the Automorphisms Give Us?
The “basic” permutations (a(x) → a(x^k)) give only n (out of n!) of the possible permutations. Think of the automorphisms as n-ROTATE(i), which rotates the n items i steps clockwise, like a dial.
Claim: For any permutation π, we can build n-PERMUTE(π) “efficiently” from n-ADD, n-MULT, and n-ROTATE(i), using a Beneš permutation network.
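Ring automorphisms as dial rotations, and n-PERMUTE(π) built from n-MULT, n-ROTATE and n-ADD only, as an added Python example that is not the authors' code. It uses the slides' simplified ring Z[x]/(x^n − 1) with constructed n = 7 and generator 3 of Z_7^*; because the constant coefficient is fixed by every φ_k in this ring, the dial has n − 1 positions, and the permutation construction is the naive one with one rotation per position rather than the efficient Beneš-network construction the slides claim.

```python
# Added example (not the authors' code): phi_k(a(x)) = a(x^k) on R = Z[x]/(x^n - 1)
# permutes coefficients, and ordering the indices 1..n-1 as powers of a generator g
# of Z_n^* turns phi_{g^i} into n-ROTATE(i) on a dial. Constructed parameters below.
N = 7  # n prime
G = 3  # a generator of the multiplicative group mod 7
DIAL = [pow(G, i, N) for i in range(N - 1)]  # coefficient indices in dial order: 1,3,2,6,4,5

def automorphism(a, k):
    """phi_k(a(x)) = a(x^k) in Z[x]/(x^n - 1): coefficient a_j moves to index j*k mod n.
    Needs gcd(k, n) = 1 so that j -> j*k is a bijection on indices."""
    n = len(a)
    out = [0] * n
    for j, aj in enumerate(a):
        out[(j * k) % n] += aj
    return out

def read_dial(a):
    """The n-1 rotating slots of a, read clockwise round the dial (index 0 is fixed by every phi_k)."""
    return [a[j] for j in DIAL]

def rotate(a, i):
    """n-ROTATE(i) = phi_{g^i}: dial position p moves to position p+i (mod n-1)."""
    return automorphism(a, pow(G, i, N))

def permute(a, pi):
    """n-PERMUTE(pi) on the dial using only n-MULT by 0/1 masks, n-ROTATE and n-ADD:
    isolate dial position p with a mask, rotate it to pi[p], and add up the pieces
    (one rotation per position; the slides' Benes network needs far fewer)."""
    n = len(a)
    result = [0] * n
    for p, target in enumerate(pi):
        mask = [int(j == DIAL[p]) for j in range(n)]
        piece = [x * m for x, m in zip(a, mask)]          # n-MULT: keep one slot only
        piece = rotate(piece, (target - p) % (n - 1))     # n-ROTATE it to its destination
        result = [r + x for r, x in zip(result, piece)]   # n-ADD: merge the pieces
    return result
```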
Overhead of HE = (encrypted computation time)/(unencrypted computation time).
With ciphertext packing, the overhead of RLWE-based or NTRU-based SWHE for security parameter k is
Overhead = poly(log q_L, log w) = poly(L, log k, log w),
where L and w are the circuit depth and width.
Asymptotic Efficiency Results
The Multikey FHE scheme of Lopez-Alt, Tromer, Vaikuntanathan
Key Homomorphism and Multikey FHE
Recall NTRU Homomorphic Operations
Key Homomorphism in NTRU
LATV Multikey FHE Scheme
[LATV12]: The cloud can (non-interactively) combine data encrypted under different keys. The individual secret keys are s_1, …, s_n; the combined secret key is s_1···s_n.
To decrypt, all users whose data was used must cooperate.
Getting FHE: I showed how to combine keys to get multikey SWHE. LATV show how to get multikey FHE.
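The ring arithmetic of Z_q[x]/(x^N − 1), NTRU encryption c = (μ + 2·small)/s with decryption μ = [[c·s]_q]_2, and the key homomorphism behind the LATV combined key s_1···s_n, in one added Python example that is not the authors' code. It assumes constructed toy parameters (N = 7, q = 2003), noise coefficients in {−1, 0, 1}, and secret keys of the form s = 1 + 2f (so s ≡ 1 mod 2), which is what lets a sum of ciphertexts under two different keys decrypt under s_1·s_2; key switching, which would bring a product back under a single key, is not implemented.

```python
import random
# Toy NTRU-style SWHE over R_q = Z_q[x]/(x^N - 1): an added illustration, not the
# authors' code. A polynomial is a list of N coefficients (index j <-> x^j).
N, Q = 7, 2003  # constructed toy parameters (N prime, Q prime), far too small for security

def ring_mul(a, b, q=Q, n=N):
    """Multiply in Z_q[x]/(x^n - 1): exponents wrap around as (j + k) mod n."""
    c = [0] * n
    for j, aj in enumerate(a):
        for k, bk in enumerate(b):
            c[(j + k) % n] = (c[(j + k) % n] + aj * bk) % q
    return c
def ring_inverse(s, q=Q, n=N):
    """Solve s*t = 1 by Gauss-Jordan mod q on the circulant matrix of s; None if singular."""
    m = [[s[(i - j) % n] % q for j in range(n)] + [int(i == 0)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [x * inv % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [(x - m[r][col] * y) % q for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]  # the augmented column now holds t = s^-1
def keygen(rng):
    """Secret s = 1 + 2f with f in {-1,0,1}^N: small, s = 1 mod 2, invertible mod q."""
    while True:
        s = [int(i == 0) + 2 * rng.choice((-1, 0, 1)) for i in range(N)]
        s_inv = ring_inverse(s)
        if s_inv is not None:
            return s, s_inv
def encrypt(mu, s_inv, rng):
    """c = (mu + 2*small) / s mod q for a message mu in R_2 (N bits)."""
    return ring_mul([(b + 2 * rng.choice((-1, 0, 1))) % Q for b in mu], s_inv)
def decrypt(c, s):
    """mu = [[c*s]_q]_2: centre coefficients into (-q/2, q/2], then reduce mod 2."""
    return [((x + Q // 2) % Q - Q // 2) % 2 for x in ring_mul(c, s)]
def demo(seed=1):
    """Key homomorphism: ADD/MULT of c1 (key s1) and c2 (key s2) decrypt under s1*s2."""
    rng = random.Random(seed)
    (s1, s1_inv), (s2, s2_inv) = keygen(rng), keygen(rng)
    m1, m2 = [1, 0, 1, 1, 0, 0, 1], [0, 1, 1, 0, 1, 0, 0]  # constructed messages in R_2
    c1, c2 = encrypt(m1, s1_inv, rng), encrypt(m2, s2_inv, rng)
    joint = ring_mul(s1, s2)  # the combined secret key s1*s2, as in LATV
    c_add = [(x + y) % Q for x, y in zip(c1, c2)]  # ADD: messages XOR coefficient-wise
    c_mul = ring_mul(c1, c2)                       # MULT: messages multiply in R_2
    return (decrypt(c1, s1) == m1
            and decrypt(c_add, joint) == [(a + b) % 2 for a, b in zip(m1, m2)]
            and decrypt(c_mul, joint) == ring_mul(m1, m2, 2))
```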
Thank You! Questions?
Parameters and Running Times
Parameter Sizes
L (levels)   N       n = φ(N)   (slot size, #slots)   log(q_L)
10           11441   10752      (48, 224)             177
20           34323   21504      (48, 448)             368
30           31609   31104      (72, 432)             564
40           54485   40960      (64, 640)             762
50           59527   51840      (72, 720)             962
60           68561   62208      (72, 864)             1163
70           82603   75264      (56, 1344)            1366
80           92837   84672      (56, 1512)            1570
For L=60, ciphertext size is about 2n log q = 2×62208×1163 ≈ 14 million bits.
Running Times
Run on a one-core machine with lots of RAM (256GB); number of levels needed: 60.
Key Generation              43 minutes
Encrypt AES State           2 minutes
Encrypt AES Key Schedule    23 minutes
Evaluate AES Round 1        7 hours
Evaluate AES Round 9        2 hours
Evaluate AES Round 10       28 minutes
Evaluate AES total          34 hours
Number of SIMD Blocks       54
Time Per Block              37 minutes