China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 4, 2014 Homomorphic Encryption over Polynomial Rings.


The Ring LWE Problem (RLWE)

Recall LWE
- LWE (traditional formulation): hard to distinguish between (A, b = As + e) and (A, b = uniform).
- LWE (alternative formulation): hard to distinguish whether the matrix B = (b, A) is uniform, or there exists a vector t = (1, -s) such that e = B·t is short.
- Matrices and vectors are over the ring Z_q.
- What if we put the matrices and vectors over a different ring, e.g., a polynomial ring?

Polynomial Rings
- Example: Z_q[x]/(x^N − 1): polynomials of degree N−1 (which have N coefficients) over Z_q.
- Addition: add the polynomials modulo q.
- Multiplication: multiply the two polynomials, then reduce the result modulo q and modulo x^N − 1, so that the final result again has degree at most N−1:
  a(x)·b(x) = Σ_{j,k} a_j · b_k · x^{(j+k) mod N}.
- Example: Z_q[x]/Φ_N(x): polynomials modulo q and modulo the N-th cyclotomic polynomial Φ_N(x).
  E.g., Φ_N(x) = x^{N/2} + 1 when N is a power of 2.

RLWE: LWE over Polynomial Rings

Pros and Cons of RLWE (vs. LWE)
- Con: Security
  - LWE is as hard on average as worst-case problems over general (any) lattices.
  - RLWE is as hard on average as worst-case problems over ideal lattices (a special type of lattice).
- Pro: Efficiency
  - Fast Fourier Transform (FFT): multiplying ring elements is fast even if the ring has high dimension; it takes O(n log n) time for rings of dimension n.
  - Also, RLWE permits smaller public keys, larger plaintexts, and more efficient homomorphic computation.

Regev’s Encryption Scheme with RLWE
- In LWE-Regev, m = O(n log q). For RLWE-Regev, m = O(log q).

Regev’s Encryption Scheme with RLWE
- If R has dimension n, encryption takes time quasilinear in n. (In LWE-Regev with vectors of dimension n, the time is quasi-quadratic in n.)
- The plaintext space is larger: R_2 instead of just {0,1}.

Regev’s Encryption Scheme with RLWE

The NTRU Encryption Scheme

NTRU: Even Simpler Encryption Using Polynomial Rings

NTRU Details

NTRU Homomorphic Operations

Key Switching from s 1 to s 2.

Homomorphic Computation on Encrypted Arrays (SIMD Operations)

Encrypted Arrays
- Suppose we use a mod-15 plaintext space (not mod-2).
- Z_15 = Z_3 × Z_5: Chinese Remainder Theorem (CRT).
- From one “big” plaintext space we get 2 independent “small” plaintext spaces. We call them two “plaintext slots”.
- Suppose two ciphertexts c and c’ have (r_3, r_5) and (r_3’, r_5’) in their respective mod-3 and mod-5 “plaintext slots”.
- c_ADD = ADD(c, c’) has (r_3 + r_3’, r_5 + r_5’) in its slots.
- c_MULT = MULT(c, c’) has (r_3 · r_3’, r_5 · r_5’) in its slots.
- Homomorphic ops act component-wise, in parallel, on slots.

Our Weird Cyclotomic Plaintext Space
- SWHE in polynomial rings: the plaintext space is R_2 = Z_2[x]/Φ_N(x). The message μ(x) is a polynomial in R_2; μ has n bits, where n is the degree of Φ_N(x). NTRU example: μ = [[c·s]_q]_2 over the ring R.
- Can we get many “plaintext slots” out of R_2?
- Sure…

Our Weird Cyclotomic Plaintext Space
- Via the CRT, R_2 decomposes into about N/log(N) plaintext slots of about log(N) bits apiece (for well-chosen N).
- ADD and MULT work in parallel across the slots.
- Via ring automorphisms, encrypted data can be moved between slots.
- So we have ADD, MULT, and PERMUTE.
- We can evaluate boolean circuits with ciphertexts “packed”, which reduces overhead.
The plaintext space R_2 = Z_2[x]/Φ_N(x) has amazing properties! Much better than a mod-15 plaintext space!

Chinese Remainder Theorem for Cyclotomic Rings
- Choose N so that Φ_N(x) factors mod 2 into t factors: Φ_N(x) = Π_i f_i(x) mod 2. The degrees of f_1, …, f_t are all d = φ(N)/t.
- Chinese Remainder Theorem (CRT), polynomial version: Z_2[x]/Φ_N(x) = Z_2[x]/f_1(x) × … × Z_2[x]/f_t(x).
- If ciphertexts c and c’ have (r_1(x), …, r_t(x)) and (r_1’(x), …, r_t’(x)) in their respective plaintext slots:
  - c_ADD = ADD(c, c’) has (r_1(x) + r_1’(x), …, r_t(x) + r_t’(x)).
  - c_MULT = MULT(c, c’) has (r_1(x) · r_1’(x) mod f_1(x), …, r_t(x) · r_t’(x) mod f_t(x)).
- Homomorphic ops act component-wise, in parallel, on slots.
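As an added example (not from the slides), the polynomial CRT above worked out in Python for the toy case N = 7: Φ_7(x) splits mod 2 into two cubics, so R_2 has t = 2 slots of d = 3 bits each, and ADD and MULT on ring elements can be checked to act slot-wise, exactly as in the mod-15 slide earlier. The choice N = 7 and the two factors f_1, f_2 are mine for illustration; the functions otherwise follow the slide's definitions.

```python
# Added example, not from the slides: plaintext slots of R_2 = Z_2[x]/Phi_N(x)
# via the CRT, for the toy case N = 7.  Phi_7(x) = x^6 + ... + 1 factors mod 2
# into t = 2 cubics, so each slot holds d = phi(7)/2 = 3 bits.  A GF(2)
# polynomial is an int whose bit j is the coefficient of x^j.
PHI_7 = 0b1111111              # x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
FACTORS = (0b1011, 0b1101)     # f_1 = x^3 + x + 1,  f_2 = x^3 + x^2 + 1

def gf2_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_mod(a, f):
    """Remainder of a modulo f in GF(2)[x] (schoolbook long division)."""
    df = f.bit_length() - 1
    while a and a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a

def ring_add(m1, m2):
    """Addition in R_2 is coefficient-wise XOR."""
    return m1 ^ m2

def ring_mul(m1, m2):
    """Multiplication in R_2: multiply, then reduce modulo Phi_7(x)."""
    return gf2_mod(gf2_mul(m1, m2), PHI_7)

def slots(m):
    """CRT map R_2 -> Z_2[x]/f_1 x Z_2[x]/f_2: the two 3-bit plaintext slots of m."""
    return tuple(gf2_mod(m, f) for f in FACTORS)

def from_slots(r):
    """Inverse CRT, by searching the 2^6 elements of R_2 (fine for this toy N)."""
    return next(m for m in range(1 << 6) if slots(m) == tuple(r))

def ops_are_slotwise(m1, m2):
    """ADD and MULT on ring elements act component-wise on the slots."""
    s1, s2 = slots(m1), slots(m2)
    add_ok = slots(ring_add(m1, m2)) == tuple(x ^ y for x, y in zip(s1, s2))
    mul_ok = slots(ring_mul(m1, m2)) == tuple(gf2_mod(gf2_mul(x, y), f)
                                              for x, y, f in zip(s1, s2, FACTORS))
    return add_ok and mul_ok
```

Because the CRT map is a bijection on the 64 elements of R_2, every pair of 3-bit slot values has exactly one ring element behind it, which is what lets a single ciphertext carry two independent messages.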

SIMD (Single Instruction Multiple Data): Working on Data Arrays
[Figure: two arrays of length n combined entry-wise by n-ADD; a second figure shows the same for n-MULT.]
- Great for computing the same function F on n different input strings.
- We can do SIMD homomorphically.
[Figure: an array of length n passed entry-wise through the function F.]

Permuting Encrypted Arrays and Ring Automorphisms

Beyond SIMD Computation  Goal: To reduce overhead for a single computation (rather than multiple computations in parallel):  Pack all input bits in just a few ciphertexts  Compute while keeping everything packed  How to do this?

Are ADD and MULT a Complete Set of Operations?
- Yes, for bits. [Figure: a circuit of ADD and MULT gates over inputs x_1, …, x_19.] ADD and MULT are a complete set of operations.
- No, for SIMD arrays. [Figure: the same inputs laid out as arrays; n-ADD and n-MULT only ever combine entries at the same position.] n-ADD and n-MULT are NOT a complete set of operations.
- n-ADD, n-MULT, n-PERMUTE(π): a complete set of SIMD ops on n-arrays. [Figure: n-MULT by 0/1 mask arrays selects entries such as x_1, x_3 and x_2, x_4 into separate arrays, n-PERMUTE(π) moves them to the wanted positions, and n-ADD recombines them.]

How do we Evaluate n-Permute( π ) homomorphically, without “decompressing” the packed ciphertexts? Ring Automorphisms!

Ring Automorphisms
- For simplicity, let R = Z[x]/(x^n − 1), n prime.
- Consider the map φ_k : R → R given by φ_k(a(x)) = a(x^k).
- If gcd(k, n) = 1, φ_k permutes the coefficients of a(x). If a(x) is “small”, then φ_k(a(x)) is also “small”.
- φ_k permutes the evaluations of a(x) at the roots of unity.
- We can use φ_k to permute our plaintext slots.
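An added Python example (not from the slides) that covers both the ring arithmetic of the “Polynomial Rings” slide and the automorphisms just described: multiplication in Z_q[x]/(x^n − 1) via the Σ a_j·b_k·x^{(j+k) mod n} formula, and checks that φ_k(a(x)) = a(x^k) permutes the coefficients, respects multiplication, and permutes the evaluations at the n-th roots of unity when gcd(k, n) = 1. The functions take n (the list length), q and k as arguments; the concrete values used when exercising them are illustrative choices.

```python
# Added example, not from the slides: arithmetic in R = Z_q[x]/(x^n - 1)
# and the map phi_k(a(x)) = a(x^k), which permutes coefficients (and the
# evaluations at roots of unity) when gcd(k, n) = 1.  A polynomial is a
# coefficient list a[j] <-> a_j x^j, with all coefficients in [0, q).
import cmath
from math import gcd

def ring_add(a, b, q):
    """Coefficient-wise addition modulo q."""
    return [(x + y) % q for x, y in zip(a, b)]

def ring_mul(a, b, q):
    """a(x)*b(x) = sum_{j,k} a_j * b_k * x^((j+k) mod n), coefficients mod q."""
    n = len(a)
    c = [0] * n
    for j, aj in enumerate(a):
        for k, bk in enumerate(b):
            c[(j + k) % n] = (c[(j + k) % n] + aj * bk) % q
    return c

def automorphism(a, k):
    """phi_k(a)(x) = a(x^k) reduced mod x^n - 1: coefficient a_j moves to index j*k mod n.
    gcd(k, n) = 1 makes j -> j*k mod n a bijection, so no two coefficients collide."""
    n = len(a)
    assert gcd(k, n) == 1, "phi_k is an automorphism only when gcd(k, n) = 1"
    out = [0] * n
    for j, aj in enumerate(a):
        out[(j * k) % n] = aj
    return out

def respects_multiplication(a, b, k, q):
    """phi_k is a ring homomorphism: phi_k(a*b) == phi_k(a)*phi_k(b)."""
    return automorphism(ring_mul(a, b, q), k) == ring_mul(automorphism(a, k), automorphism(b, k), q)

def evaluations(a):
    """a(omega^i) for i = 0..n-1, omega = exp(2*pi*sqrt(-1)/n), over the complex numbers."""
    n = len(a)
    return [sum(aj * cmath.exp(2 * cmath.pi * 1j * i * idx / n) for idx, aj in enumerate(a)) for i in range(n)]

def permutes_evaluations(a, k):
    """phi_k(a)(omega^i) == a(omega^(i*k mod n)): the slot values are permuted, never mixed."""
    n = len(a)
    ev, ev_k = evaluations(a), evaluations(automorphism(a, k))
    return all(abs(ev_k[i] - ev[(i * k) % n]) < 1e-6 for i in range(n))
```

The coefficient permutation is what keeps noise small under φ_k (the multiset of coefficients is unchanged), while the permutation of evaluations is what moves data between plaintext slots.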

Homomorphic Automorphisms

Which Permutations Do the Automorphisms Give Us?
- The “basic” permutations a(x) → a(x^k): only n (out of n!) of the possible permutations.
- Think of the automorphisms as n-ROTATE(i), which rotates the n items i steps clockwise, like a dial.
- Claim: for any permutation π, we can build n-PERMUTE(π) “efficiently” from n-ADD, n-MULT, and n-ROTATE(i), using a Beneš permutation network.

Asymptotic Efficiency Results
- Overhead of HE = (encrypted computation time) / (unencrypted computation time).
- With ciphertext packing, the overhead of RLWE-based or NTRU-based SWHE for security parameter k is
  Overhead = poly(log q_L, log w) = poly(L, log k, log w),
  where L and w are the circuit depth and width.

Key Homomorphism and Multikey FHE
The Multikey FHE scheme of Lopez-Alt, Tromer, Vaikuntanathan

Recall NTRU Homomorphic Operations

Key Homomorphism in NTRU

LATV Multikey FHE Scheme
- [LATV12]: the cloud can (noninteractively) combine data encrypted under different keys.
- Individual secret keys are s_1, …, s_n.
- The combined secret key is s_1 ··· s_n.
- To decrypt, all users whose data was used must cooperate.
- Getting FHE:
  - I showed how to combine keys to get multikey SWHE.
  - LATV show how to get multikey FHE.

Thank You! Questions?

Parameters and Running Times

Parameter Sizes
[Table with columns L (levels), N, n = φ(N), (slot size, #slots), log(q_L). Only the (slot size, #slots) column survived extraction: (48,224), (48,448), (72,432), (64,640), (72,720), (72,864), (56,1344), (56,1512); the last row has log(q_L) = 1570.]
- For L = 60, the ciphertext size is about 2n·log q = 2 × n × 1163 ≈ 14 million bits.

Running Times
- Run on a one-core machine with lots of RAM (256 GB).
Number of Levels Needed: 60
Key Generation: 43 minutes
Encrypt AES State: 2 minutes
Encrypt AES Key Schedule: 23 minutes
Evaluate AES Round 1: 7 hours
Evaluate AES Round 9: 2 hours
Evaluate AES Round 10: 28 minutes
Evaluate AES total: 34 hours
Number of SIMD Blocks: 54
Time Per Block: 37 minutes
