
1 China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 4, 2014 Homomorphic Encryption over Polynomial Rings

2 The Ring LWE Problem (RLWE)

3 Recall LWE
- LWE (traditional formulation): hard to distinguish between (A, b = As + e) and (A, b = uniform).
- LWE (alternative formulation): hard to distinguish whether the matrix B = (b, A) is uniform, or there exists a vector t = (1, -s) such that e = B·t is short.
- Matrices and vectors are over the ring Z_q.
- What if we put the matrices and vectors over a different ring, e.g. a polynomial ring?

4 Polynomial Rings
- Example: Z_q[x]/(x^N - 1): polynomials of degree at most N-1 (which have N coefficients) over Z_q.
- Addition: add the polynomials coefficient-wise modulo q.
- Multiplication: multiply the two polynomials, then reduce the result modulo q and modulo x^N - 1, so that the final result again has degree at most N-1:
  a(x)·b(x) = Σ_{j,k} a_j · b_k · x^{(j+k) mod N}.
- Example: Z_q[x]/Φ_N(x): polynomials modulo q and modulo the N-th cyclotomic polynomial Φ_N(x).
- E.g., Φ_N(x) = x^{N/2} + 1 when N is a power of 2.

5 RLWE: LWE over Polynomial Rings

6 Pros and Cons of RLWE (vs LWE)
- Con: security
  - LWE is as hard on average as worst-case problems over general (any) lattices.
  - RLWE is as hard on average as worst-case problems over ideal lattices (a special type of lattice).
- Pro: efficiency
  - Fast Fourier Transform (FFT): multiplying ring elements is fast even if the ring has high dimension; it takes O(n log n) time for rings of dimension n.
  - RLWE also permits smaller public keys, larger plaintexts, and more efficient homomorphic computation.

7 Regev's Encryption Scheme with RLWE
In LWE-Regev, the public key consists of m = O(n log q) samples. For RLWE-Regev, m = O(log q) ring samples suffice.

8 Regev's Encryption Scheme with RLWE
If R has dimension n, encryption takes time quasi-linear in n. (In LWE-Regev with vectors of dimension n, the time is quasi-quadratic in n.) The plaintext space is also larger: R_2 instead of just {0,1}.

9 Regev’s Encryption Scheme with RLWE
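As an added worked example (not from the slides): a toy implementation of the ring arithmetic of slide 4 for R_q = Z_q[x]/(x^N + 1), an RLWE sample in both formulations of slide 3 (the pair (a, b = a·s + e), and the "b - a·s is short" test with t = (1, -s)), and a Regev-style public-key scheme with plaintext space R_2 as on slide 8. The exact scheme of slides 7-9 is not reproduced in this transcript; the code below is the standard one-sample variant due to Lyubashevsky, Peikert and Regev, and the parameters N = 16, q = 8192 and ternary noise are assumptions chosen so that decryption provably succeeds (noise at most 2N + 1 < q/4), not secure parameters.

```python
"""Toy RLWE over R_q = Z_q[x]/(x^N + 1) with N a power of 2 (x^N + 1 = Phi_{2N}(x)):
ring arithmetic, RLWE samples, and a Regev/LPR-style public-key scheme whose
plaintext space is R_2. Parameters are tiny and illustrative, not secure."""
import random

N = 16       # ring dimension n; x^16 + 1 = Phi_32(x)   (assumed toy value)
Q = 8192     # coefficient modulus q                   (assumed toy value)

def poly_mul_mod(a, b, q, negacyclic=True):
    """a(x)*b(x) = sum_{j,k} a_j b_k x^(j+k), reduced mod q and either mod x^n + 1
    (negacyclic: x^n = -1) or mod x^n - 1 (cyclic: x^(j+k) -> x^((j+k) mod n))."""
    n = len(a)
    out = [0] * n
    for j, aj in enumerate(a):
        if aj == 0:
            continue
        for k, bk in enumerate(b):
            idx, sign = j + k, 1
            if idx >= n:                      # wrap x^n around
                idx -= n
                sign = -1 if negacyclic else 1
            out[idx] = (out[idx] + sign * aj * bk) % q
    return out

def poly_add_mod(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def poly_sub_mod(a, b, q):
    return [(x - y) % q for x, y in zip(a, b)]

def centered(a, q):
    """Coefficients as representatives in (-q/2, q/2]."""
    return [c - q if c > q // 2 else c for c in a]

def sample_uniform(rng, n=N, q=Q):
    return [rng.randrange(q) for _ in range(n)]

def sample_small(rng, n=N):
    """A 'short' ring element: ternary coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def rlwe_sample(rng, s, q=Q):
    """(a, b = a*s + e) with a uniform and e short: the ring analogue of (A, As + e)."""
    a = sample_uniform(rng, len(s), q)
    e = sample_small(rng, len(s))
    return a, poly_add_mod(poly_mul_mod(a, s, q), e, q)

def residual_norm(a, b, s, q=Q):
    """max |b - a*s| over centered coefficients: the 'B*t is short' test with t = (1, -s).
    Small (<= N here) for the true s; about q/2 for any other guess."""
    return max(abs(c) for c in centered(poly_sub_mod(b, poly_mul_mod(a, s, q), q), q))

def keygen(rng):
    s = sample_small(rng)
    return s, rlwe_sample(rng, s)          # sk = s, pk = one RLWE sample (a, b)

def encrypt(rng, pk, mu):
    """mu is an element of R_2 given as a list of N bits; returns the ciphertext (u, v)."""
    a, b = pk
    r, e1, e2 = sample_small(rng), sample_small(rng), sample_small(rng)
    u = poly_add_mod(poly_mul_mod(a, r, Q), e1, Q)
    v = poly_add_mod(poly_mul_mod(b, r, Q), [e + (Q // 2) * m for e, m in zip(e2, mu)], Q)
    return u, v

def decrypt(sk, ct):
    """v - u*s = (q/2)*mu + (e*r + e2 - e1*s); the noise term has |.| <= 2N + 1 < q/4,
    so a coefficient near 0 decodes to 0 and one near +-q/2 decodes to 1."""
    u, v = ct
    w = centered(poly_sub_mod(v, poly_mul_mod(u, sk, Q), Q), Q)
    return [1 if abs(c) > Q // 4 else 0 for c in w]

def add_ct(c1, c2):
    """Homomorphic ADD: decrypts to mu1 + mu2 in R_2 (coefficient-wise XOR)."""
    return poly_add_mod(c1[0], c2[0], Q), poly_add_mod(c1[1], c2[1], Q)

def demo(seed=1):
    """(decryption correct?, homomorphic ADD correct?, residual with true key, residual with a wrong key)"""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    mu1 = [rng.randrange(2) for _ in range(N)]
    mu2 = [rng.randrange(2) for _ in range(N)]
    c1, c2 = encrypt(rng, pk, mu1), encrypt(rng, pk, mu2)
    ok_dec = decrypt(sk, c1) == mu1
    ok_add = decrypt(sk, add_ct(c1, c2)) == [x ^ y for x, y in zip(mu1, mu2)]
    wrong = sample_small(rng)                # a guessed key: residual is not short
    return ok_dec, ok_add, residual_norm(*pk, sk), residual_norm(*pk, wrong)

if __name__ == "__main__":
    print(demo())
```

The schoolbook multiplication is O(n^2); the FFT/NTT route of slide 6 gives the same ring product in O(n log n) and is what makes large N practical. Homomorphic MULT is deliberately left out here: the product of two (u, v) pairs decrypts under (1, s, s^2) and needs the key switching of slide 14 to come back to a ciphertext under s.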

10 The NTRU Encryption Scheme

11 NTRU: Even Simpler Encryption Using Polynomial Rings

12 NTRU Details

13 NTRU Homomorphic Operations

14 Key Switching from s 1 to s 2.

15 Homomorphic Computation on Encrypted Arrays (SIMD Operations)

16 Encrypted Arrays
- Suppose we use a mod-15 plaintext space (not mod-2).
- Z_15 = Z_3 × Z_5 by the Chinese Remainder Theorem (CRT).
- From one "big" plaintext space we get two independent "small" plaintext spaces. We call them two "plaintext slots".
- Suppose two ciphertexts c and c' have (r_3, r_5) and (r_3', r_5') in their respective mod-3 and mod-5 plaintext slots.
- c_ADD = ADD(c, c') has (r_3 + r_3', r_5 + r_5') in its slots.
- c_MULT = MULT(c, c') has (r_3 · r_3', r_5 · r_5') in its slots.
- Homomorphic ops act component-wise, in parallel, on the slots.

17 Our Weird Cyclotomic Plaintext Space
- SWHE in polynomial rings: the plaintext space is R_2 = Z_2[x]/Φ_N(x). The message μ(x) is a polynomial in R_2; μ has n bits, where n = φ(N) is the degree of Φ_N(x).
- NTRU example: μ = [[c·s]_q]_2 over the ring R.
- Can we get many "plaintext slots" out of R_2? Sure...

18 Our Weird Cyclotomic Plaintext Space
The plaintext space R_2 = Z_2[x]/Φ_N(x) has amazing properties, much better than a mod-15 plaintext space!
- Via CRT, R_2 decomposes into about N/log(N) plaintext slots of about log(N) bits apiece (for well-chosen N).
- ADD and MULT work in parallel across the slots.
- Via ring automorphisms, encrypted data can be moved between slots.
- So we have ADD, MULT, and PERMUTE.
- We can evaluate boolean circuits with ciphertexts "packed", which reduces overhead.

19 Chinese Remainder Theorem for Cyclotomic Rings
- Choose N so that Φ_N(x) factors mod 2 into t factors: Φ_N(x) = Π_{i=1}^{t} f_i(x) mod 2. The degrees of f_1, ..., f_t are all d = φ(N)/t.
- Chinese Remainder Theorem (CRT), polynomial version: Z_2[x]/Φ_N(x) ≅ Z_2[x]/f_1(x) × ... × Z_2[x]/f_t(x).
- If ciphertexts c and c' have (r_1(x), ..., r_t(x)) and (r_1'(x), ..., r_t'(x)) in their respective plaintext slots:
  - c_ADD = ADD(c, c') has (r_1(x) + r_1'(x), ..., r_t(x) + r_t'(x)).
  - c_MULT = MULT(c, c') has (r_1(x) · r_1'(x) mod f_1(x), ..., r_t(x) · r_t'(x) mod f_t(x)).
- Homomorphic ops act component-wise, in parallel, on the slots.

20 SIMD (Single Instruction Multiple Data): Working on Data Arrays
[Figure: n-ADD on two arrays of length n, e.g. (8, 2, 0, 9, 3, 8, 0, 1, ..., 4, 4) + (2, 1, 9, 5, 0, 7, 3, 6, ..., 1, 2) = (10, 3, 9, 14, 3, 15, 3, 7, ..., 5, 6).]

21 SIMD (Single Instruction Multiple Data): Working on Data Arrays
[Figure: n-MULT on the same two arrays: (8, 2, 0, 9, 3, 8, 0, 1, ..., 4, 4) × (2, 1, 9, 5, 0, 7, 3, 6, ..., 1, 2) = (16, 2, 0, 45, 0, 56, 0, 6, ..., 4, 8).]

22 SIMD (Single Instruction Multiple Data): Working on Data Arrays
[Figure: a function F applied to every entry of an array of length n, producing an output array of length n.]
- Great for computing the same function F on n different input strings.
- We can do SIMD homomorphically.

23 Permuting Encrypted Arrays and Ring Automorphisms

24 Beyond SIMD Computation
- Goal: reduce the overhead of a single computation (rather than of many computations run in parallel):
  - pack all input bits into just a few ciphertexts;
  - compute while keeping everything packed.
- How to do this?

25 Are ADD and MULT a Complete Set of Operations? Yes, for bits.
[Figure: a boolean circuit on input bits x_1, ..., x_19 and constants 0, 1, built from layers of ADD (+) and MULT (×) gates.] ADD and MULT are a complete set of operations.

26 Are ADD and MULT a Complete Set of Operations? No, for SIMD arrays.
[Figure: the same circuit with its inputs packed into arrays (x_1, ..., x_7), (x_8, ..., x_14), ...; the wiring moves values between array positions, which component-wise n-ADD and n-MULT cannot do.] n-ADD and n-MULT are NOT a complete set of operations.

27 n-ADD, n-MULT, n-PERMUTE: a complete set of SIMD ops on n-arrays
[Figure: from the array (x_1, x_2, x_3, x_4, x_5, ..., x_7), n-MULT by the 0/1 mask (1, 0, 1, 0, 0, 0, 0) selects (x_1, 0, x_3, 0, 0, 0, 0) and n-MULT by the mask (0, 1, 0, 1, 0, 0, 0) selects (0, x_2, 0, x_4, 0, 0, 0); n-PERMUTE(π) moves the selected entries to (x_1, x_3, 0, 0, 0, 0, 0) and (x_2, x_4, 0, 0, 0, 0, 0); n-ADD then merges the pieces into the desired array.]

28 How do we evaluate n-PERMUTE(π) homomorphically, without "decompressing" the packed ciphertexts? Ring automorphisms!

29-30 Ring Automorphisms
- For simplicity, let R = Z[x]/(x^n - 1), n prime.
- Consider the map φ_k : R → R given by φ_k(a(x)) = a(x^k).
- If gcd(k, n) = 1, φ_k permutes the coefficients of a(x): the coefficient of x^i moves to x^{ik mod n}. In particular, if a(x) is "small", then φ_k(a(x)) is also "small".
- φ_k also permutes the evaluations of a(x) at the n-th roots of unity: φ_k(a)(ζ) = a(ζ^k).
- We can use φ_k to permute our plaintext slots.

31 Homomorphic Automorphisms

32 Which Permutations Do the Automorphisms Give Us?
- The "basic" permutations a(x) → a(x^k): only n (out of n!) of the possible permutations.
- Think of the automorphisms as n-ROTATE(i), which rotates the n items i steps clockwise, like a dial.
- Claim: for any permutation π, we can build n-PERMUTE(π) "efficiently" from n-ADD, n-MULT, and n-ROTATE(i), using a Benes permutation network.
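As an added worked example that is not part of the slides: a toy version of the packed plaintext space R_2 = Z_2[x]/Φ_N(x) of slides 17-19 with N = 7, where Φ_7(x) = (x^3 + x + 1)(x^3 + x^2 + 1) mod 2, so t = 2 slots of d = 3 bits each (the polynomial analogue of the Z_15 = Z_3 × Z_5 example of slide 16). It shows CRT encode/decode, that ring ADD and MULT act slot-wise, and that the automorphism φ_k(a) = a(x^k) of slides 29-32 moves data between slots: k = 3 swaps the two slots, k = 2 (the Frobenius map a → a^2) fixes them, and φ_5 ∘ φ_3 = φ_15 = φ_1 since x^7 ≡ 1 in this ring. The slides state the automorphisms for Z[x]/(x^n - 1); here the same map is applied to the cyclotomic ring. The choice N = 7, the int-bitmask polynomial representation and the exhaustive-search inverse (fine only at toy size) are my own.

```python
"""Toy packed plaintext space R_2 = Z_2[x]/Phi_N(x) for N = 7.
Phi_7(x) = (x^3 + x + 1)(x^3 + x^2 + 1) mod 2: t = 2 slots of d = 3 bits.
GF(2)[x] polynomials are Python ints: bit i is the coefficient of x^i."""

N = 7                          # assumed toy value
PHI_N = 0b1111111              # Phi_7(x) = x^6 + x^5 + ... + x + 1, n = phi(7) = 6
FACTORS = (0b1011, 0b1101)     # f_1 = x^3 + x + 1, f_2 = x^3 + x^2 + 1 (irreducible mod 2)

def gf2_mul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def gf2_inv_mod(a, m):
    """Inverse of a modulo an irreducible m, by exhaustive search (toy degrees only)."""
    for cand in range(1, 1 << (m.bit_length() - 1)):
        if gf2_mod(gf2_mul(a, cand), m) == 1:
            return cand
    raise ValueError("not invertible")

def ring_add(a, b):
    return a ^ b

def ring_mul(a, b):
    return gf2_mod(gf2_mul(a, b), PHI_N)

def slot_mul(r1, r2, f):
    """Product inside one slot: r1 * r2 mod f_i."""
    return gf2_mod(gf2_mul(r1, r2), f)

def slots(a):
    """CRT decode: (a mod f_1, ..., a mod f_t)."""
    return tuple(gf2_mod(a, f) for f in FACTORS)

def encode(values):
    """CRT encode: the unique a in R_2 with a = values[i] mod f_i for every slot i."""
    a = 0
    for r, f in zip(values, FACTORS):
        others = 1
        for g in FACTORS:
            if g != f:
                others = gf2_mul(others, g)
        # e_f is 1 mod f and 0 mod every other factor
        e_f = gf2_mul(others, gf2_inv_mod(gf2_mod(others, f), f))
        a ^= gf2_mul(gf2_mod(r, f), e_f)
    return gf2_mod(a, PHI_N)

def automorphism(a, k):
    """phi_k(a)(x) = a(x^k) mod Phi_N(x); a ring automorphism when gcd(k, N) = 1.
    Since x^N = 1 in R_2, the monomial x^i is sent to x^(i*k mod N)."""
    r = 0
    for i in range(a.bit_length()):
        if (a >> i) & 1:
            r ^= gf2_mod(1 << (i * k), PHI_N)
    return r

if __name__ == "__main__":
    c = encode((0, 0b101))               # data only in slot 2
    print(slots(c), slots(automorphism(c, 3)), slots(automorphism(c, 2)))
```

The slots are indexed by the two cosets {1, 2, 4} and {3, 5, 6} of the powers of 2 in Z_7^*: φ_k sends the slot holding the roots ζ^b to the one holding ζ^{bk}, so k in {1, 2, 4} fixes both slots (acting inside each as a Frobenius power) and k in {3, 5, 6} swaps them. With a larger N the quotient of Z_N^* by the powers of 2 is exactly the group of n-ROTATE-style slot moves of slide 32.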

33 Asymptotic Efficiency Results
- Overhead of HE = (encrypted computation time) / (unencrypted computation time).
- With ciphertext packing, the overhead of RLWE-based or NTRU-based SWHE for security parameter k is
  Overhead = poly(log q_L, log w) = poly(L, log k, log w),
  where L and w are the circuit depth and width.

34 Key Homomorphism and Multikey FHE (the multikey FHE scheme of Lopez-Alt, Tromer, Vaikuntanathan)

35 Recall NTRU Homomorphic Operations

36 Key Homomorphism in NTRU

37 LATV Multikey FHE Scheme
- [LATV12]: the cloud can (noninteractively) combine data encrypted under different keys.
- Individual secret keys are s_1, ..., s_n; the combined secret key is s_1 ··· s_n.
- To decrypt, all users whose data was used must cooperate.
- Getting FHE: I showed how to combine keys to get multikey SWHE; LATV show how to get multikey FHE.

38 Thank You! Questions?

39 Parameters and Running Times

40 Parameter Sizes

L (levels)   N        n = φ(N)   (slot size, #slots)   log(q_L)
10           11441    10752      (48, 224)             177
20           34323    21504      (48, 448)             368
30           31609    31104      (72, 432)             564
40           54485    40960      (64, 640)             762
50           59527    51840      (72, 720)             962
60           68561    62208      (72, 864)             1163
70           82603    75264      (56, 1344)            1366
80           92837    84672      (56, 1512)            1570

- For L = 60, the ciphertext size is about 2n log q = 2 × 62208 × 1163 ≈ 145 million bits (about 18 MB).

41 Running Times
- Run on a one-core machine with lots of RAM (256 GB).

Number of levels needed        60
Key generation                 43 minutes
Encrypt AES state              2 minutes
Encrypt AES key schedule       23 minutes
Evaluate AES round 1           7 hours
Evaluate AES round 9           2 hours
Evaluate AES round 10          28 minutes
Evaluate AES, total            34 hours
Number of SIMD blocks          54
Time per block                 37 minutes
