Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
CSE208: Advanced Cryptography
Daniele Micciancio
UCSD
Fall 2020
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 1
Introduction
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
CSE208: Advanced Cryptography
Graduate Level Advanced CryptographyPrerequisites:
CSE207 or equivalentSolid theoretical background, cryptographic definitions, etc.Some programming
Past topics: Zero Knowledge, Functional Encryption,Secure Computation, etc.Not required: CSE206A (Lattice Algorithms)
Reading:no textbookmostly research paperssee course webpage, canvas, etc.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
CSE208: Advanced Cryptography
Graduate Level Advanced CryptographyPrerequisites:
CSE207 or equivalentSolid theoretical background, cryptographic definitions, etc.Some programming
Past topics: Zero Knowledge, Functional Encryption,Secure Computation, etc.Not required: CSE206A (Lattice Algorithms)
Reading:no textbookmostly research paperssee course webpage, canvas, etc.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
CSE208: Advanced Cryptography
Graduate Level Advanced CryptographyPrerequisites:
CSE207 or equivalentSolid theoretical background, cryptographic definitions, etc.Some programming
Past topics: Zero Knowledge, Functional Encryption,Secure Computation, etc.Not required: CSE206A (Lattice Algorithms)
Reading:no textbookmostly research paperssee course webpage, canvas, etc.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Fall 2020 Topic
Fully Homomorphic Encryption:Encryption schemes that supports the evaluation ofarbitrary programs on encrypted inputs
Applications:secure outsourced computingbuilding block for MPC and more
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Brief History of Homomorphic Encryption
1978: Rivest, Adleman & Dertouzos posed the problem2009: Gentry 2009 proposed the first candidate solution2010-2020: Work towards more efficient solutions based onstandard complexity assumptions (Brakerski,Vaikuntanathan, Gentry, Halevi, Smart, . . . )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Software libraries
IBM HElib (Halevi & Shoup)Microsoft SEALNJIT/Duality PALISADE (Rohloff, Cousins & Polyakov)Functional Lattice Cryptography LoL (Crockett & Peikert)Fastest FHE of the West FHEW (Ducas & Micciancio)FHE over the Torus TFHE (Chillotti, Gama, Georgieva &Izabachene)Approximate FHE HEAAN (Cheon, Kim, Kim & Song)
In the News:February 21, 2019: Microsoft SEAL open sourcehomomorphic encryption library gets even better for .NETdevelopers!June 4, 2020: IBM releases FHE toolkit for MacOS andiOS; Linux and Android Coming Soon
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Software libraries
IBM HElib (Halevi & Shoup)Microsoft SEALNJIT/Duality PALISADE (Rohloff, Cousins & Polyakov)Functional Lattice Cryptography LoL (Crockett & Peikert)Fastest FHE of the West FHEW (Ducas & Micciancio)FHE over the Torus TFHE (Chillotti, Gama, Georgieva &Izabachene)Approximate FHE HEAAN (Cheon, Kim, Kim & Song)
In the News:February 21, 2019: Microsoft SEAL open sourcehomomorphic encryption library gets even better for .NETdevelopers!June 4, 2020: IBM releases FHE toolkit for MacOS andiOS; Linux and Android Coming Soon
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homework and Evaluation
Homework assignments:3 assignments, due within one week from assignment dateCover theoretical/mathematical topics
Small Project:Goal: Try to use one of the many HE librariesNot much coding, but you will have to write and compile afew lines of codeEvaluated primarily based on written report
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homework and Evaluation
Homework assignments:3 assignments, due within one week from assignment dateCover theoretical/mathematical topics
Small Project:Goal: Try to use one of the many HE librariesNot much coding, but you will have to write and compile afew lines of codeEvaluated primarily based on written report
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Administrivia:
Course webpage: http://cseweb.ucsd.edu/classes/fa20/general course informationpointers to papers and other reading material
Canvas:recording of lectureshomework distribution/collectiongradesdiscussion board
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Course Schedule (Tentative)
Week 1: Introduction and Definition
FHE DefinitionGentry’s Boostrapping theoremHomework 1 out
Week 2-4: Fundamental techniques based on general lattices
LWE encryptionLinear Homomorphic computationsKey Switching and Proxy re-encryptionNested encryption and homomorphic multiplicationCiphertext Tensoring and homomorphic multiplicationHomomorphic Decryption and Bootstrapping algorithmsHomework 2 out
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Week 5: Algebraic Number Theory
I really hope you like math!Homework 3 out
Week 6-10: Efficient FHE from Ring LWE
Message packing techniquesLinear transformations on structured matricesOther FHE schemes: GHS, BFV,FHEW, AP13, TFHE,CKKS . . .
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 2
Defining FHE
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Public Key Encryption
PKE(Gen ,Enc ,Dec)Gen: () → (pk,sk)Enc: (pk,m) → cDec: (sk,c) → m
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of PKE
For every (sk,pk)← Gen() and m ← [M], r ← [R]:
Dec(sk,Enc(pk,m;r)) = m
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Chosen Plaintext Attack (CPA) security
Ciphertext Indistinguishability under Chosen PlaintextAttackExperiment:INDCPAgame(b:{0 ,1})
(sk,pk) ← Gen()A(pk) → (m0,m1)b' ← A(Enc(pk,mb))return b':{0 ,1}
Definition
Adv(A) = |Pr(Game (0)=1) - Pr(Game (1)=1)|
DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CPA secure if anypolynomial time A has advantage Adv(A)~ 0
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Chosen Plaintext Attack (CPA) security
Ciphertext Indistinguishability under Chosen PlaintextAttackExperiment:INDCPAgame(b:{0 ,1})
(sk,pk) ← Gen()A(pk) → (m0,m1)b' ← A(Enc(pk,mb))return b':{0 ,1}
Definition
Adv(A) = |Pr(Game (0)=1) - Pr(Game (1)=1)|
DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CPA secure if anypolynomial time A has advantage Adv(A)~ 0
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Significance of CPA security
Adversary can choose messages m0, m1
No assumption about input distributionAdversary may have partial information about messagesAdversary may influence the choice of messages
Ciphertext c = Enc(pk,mb) is computed honestly
Adversary cannot tamper with ciphertexts
Adversary models a passive attacker
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Definition of CCA security
DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CCA secure if anypolynomial time A has advantage Adv(A)≈0 in the followinggame.
Game(b:{0 ,1})(sk,pk) ← Gen()A[D](pk) → (m0,m1)c ← Enc(pk,mb)b' ← A[D'](c)return b':{0 ,1}
A[D] is an adversary with oracle access toD(x) = Dec(sk,x)
A[D'] uses a modified oracle (next slide)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
IND-CCA1 vs IND-CCA2
There are two variants of CCA security, depending on the typeof oracle given to the adversary after receiving the challengeciphertext:
IND-CCA1 security: No decryption oracle after receivingthe challengeD'(x) = Nil
IND-CCA2 security: decrypt any ciphertext, except thechallenge c
D'(x) =
if (x?= c)
then Nilelse Dec(sk,x)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Significance of CCA security
Goal: model active attacks, where adversary can tamperwith ciphertexts
Standard notion for regular encryption schemes
IND-CCA2 theoretically equivalent to non-malleableencryption
Any attempt to modify a ciphertext should be detected
Seems incompatible with homomorphic encryption
Ability to modify ciphertexts can be a useful featureHomomorphic encryption is perfectly malleable
We will not consider CCA security
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Significance of CCA security
Goal: model active attacks, where adversary can tamperwith ciphertexts
Standard notion for regular encryption schemes
IND-CCA2 theoretically equivalent to non-malleableencryption
Any attempt to modify a ciphertext should be detected
Seems incompatible with homomorphic encryption
Ability to modify ciphertexts can be a useful featureHomomorphic encryption is perfectly malleable
We will not consider CCA security
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homomorphic Encryption: first attempt
Assume f: M →M
f(Enc(pk,m)) = Enc(pk,f(m))
Eval(pk,f, Enc(pk,m)) = Enc(pk,f(m))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homomorphic Encryption: second attempt
Dec(sk,Eval(pk,f, Enc(pk,m))) = f(m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Multi-input functions
Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )
k-ary function f: (m1,...,mk) →m
Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???
Dec(sk,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Multi-input functions
Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )
k-ary function f: (m1,...,mk) →m
Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???
Dec(sk ,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Multi-key Homomorphic encryption
Assume multiple users: P1,P2, ...Each user has a key (pair): Pi : (pki , ski )Data is encrypted and sent to different usersc1 ← Enc(pk1,m1)...ct ← Enc(pkt ,mt )
Users pool data together to perform a joint computation onc1, ..., ct
Final result is an encryption of f (m1, ...,mt) under whatkey?Eval (???,f,c1 ,...,ct ))
~ Enc(???, f(m1 ,...,mt ))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Multi-key Homomorphic encryption
Assume multiple users: P1,P2, ...Each user has a key (pair): Pi : (pki , ski )Data is encrypted and sent to different usersc1 ← Enc(pk1,m1)...ct ← Enc(pkt ,mt )
Users pool data together to perform a joint computation onc1, ..., ct
Final result is an encryption of f (m1, ...,mt) under whatkey?Eval (???,f,c1 ,...,ct ))
~ Enc(???, f(m1 ,...,mt ))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Restricting Homomorphic Encryption
FHE is a useful and challenging problem already in thesingle key setting
In order to appropach the problem we will further restrict itby parametrizing by a set of allowedcomputations/functions Func = {f: ....} where eachf: (M,...,M)→ M may take a different number of arguments
More generally, one many consider functionsf:(M1, ...,Mk) →M taking inputs from different sets (types),e.g., ifThenElse: (Bool,Int,Int)→Int
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Restricting Homomorphic Encryption
FHE is a useful and challenging problem already in thesingle key setting
In order to appropach the problem we will further restrict itby parametrizing by a set of allowedcomputations/functions Func = {f: ....} where eachf: (M,...,M)→ M may take a different number of arguments
More generally, one many consider functionsf:(M1, ...,Mk) →M taking inputs from different sets (types),e.g., ifThenElse: (Bool,Int,Int)→Int
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Restricting Homomorphic Encryption
FHE is a useful and challenging problem already in thesingle key setting
In order to appropach the problem we will further restrict itby parametrizing by a set of allowedcomputations/functions Func = {f: ....} where eachf: (M,...,M)→ M may take a different number of arguments
More generally, one many consider functionsf:(M1, ...,Mk) →M taking inputs from different sets (types),e.g., ifThenElse: (Bool,Int,Int)→Int
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Examples and Function Composition
(M,+, 0): abelian group, e.g., “fixed size” integers(modulo N)Addition: f (x1, ...xt) = x1 + ...+ xtScalar multiplication: ga(x) = a · xLinear combinations: h(x1, ...xt) =
∑i 2i−1xi
1-hop, n-hop, multi-hop: can functions f be composed?
h(x1, ..., xt) = f (g1(x1), ..., g2t−1(xt))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Examples and Function Composition
(M,+, 0): abelian group, e.g., “fixed size” integers(modulo N)Addition: f (x1, ...xt) = x1 + ...+ xtScalar multiplication: ga(x) = a · xLinear combinations: h(x1, ...xt) =
∑i 2i−1xi
1-hop, n-hop, multi-hop: can functions f be composed?
h(x1, ..., xt) = f (g1(x1), ..., g2t−1(xt))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of Function Composition
Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)
QuestionDoes it follow that
ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)
Dec(sk,ctZ)?= z
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of Function Composition
Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)
QuestionDoes it follow that
ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)
Dec(sk ,ctZ)?= z
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Formalizing Restricted Composition
Restrict scheme to a set F of strongly typed functions:
f : M1 × . . .Mk → M0
Enc,Dec,Eval are given type information
We can use types to bound computation depth:
Start from f : M → MDefine Mi = M for i = 1, ..., nDefine fi : Mi → Mi+1, where fi (x) = f (x)
F = {f } allows arbitrary composition
F = {f0}: no composition
F = {f0, f1, ..., fn}: bounded depth composition
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Formalizing Restricted Composition
Restrict scheme to a set F of strongly typed functions:
f : M1 × . . .Mk → M0
Enc,Dec,Eval are given type information
We can use types to bound computation depth:
Start from f : M → MDefine Mi = M for i = 1, ..., nDefine fi : Mi → Mi+1, where fi (x) = f (x)
F = {f } allows arbitrary composition
F = {f0}: no composition
F = {f0, f1, ..., fn}: bounded depth composition
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
(Multi-hop) Correctness Game
State: (initially empty) list L of message-ciphertext pairsCorrectFHEgame () = (sk,pk) ← Gen()
L ← []A[E,F](pk)(m,c) ← last(L)return (Dec(sk,c) 6= m)
E(m) = c ← Enc(pk,m)L ← L;(m,c)return c
F(f,I) = (ms,cs) ← unzip L[I]m ← f(ms)c ← Eval(pk,f,cs)L ← L;(m,c)return c
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Terminology
Reading papers, you will find references to
Fully Homomorphic EncryptionSomewhat Homomorphic EncryptionLeveled Fully Homomorphic Encryptionetc.
We will use FHE as a catchall term
Definition is parametrized by a set of functions FFunctions in F can be composed only if their types matchF is closed under compositionCan use “phantom” types to limit composition
We will rarely define F formally, but it is a useful exercise
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Terminology
Reading papers, you will find references to
Fully Homomorphic EncryptionSomewhat Homomorphic EncryptionLeveled Fully Homomorphic Encryptionetc.
We will use FHE as a catchall term
Definition is parametrized by a set of functions FFunctions in F can be composed only if their types matchF is closed under compositionCan use “phantom” types to limit composition
We will rarely define F formally, but it is a useful exercise
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security of Homomorphic Encryption
INDCPAgame(b:{0 ,1})(sk,pk) ← Gen()A(pk) → (m0,m1)return A(Enc(pk,mb)): {0,1}
RemarkThe IND-CPA security definition depends only on Gen and Enc,but not on Dec (or Eval)
QuestionCan the IND-CPA security definition be applied as it is to FHEschemes (Gen,Enc,Dec,Eval)?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
A trivial FHE scheme
Consider the following FHE scheme:
Let (Gen,Enc,Dec) be IND-CPA secureDefine TrivialFHE = (Gen,Enc',Dec',Eval)
Enc '(pk,m) = (Enc(pk,m) ,[])Dec '(sk ,(ct ,[])) = Dec(sk,ct)Dec '(sk ,(ct ,[f;fs])) = f(Dec '(sk ,(ct,fs)))Eval(pk,f,(ct ,[fs])) = (ct ,[f;fs])
QuestionIs TrivialFHE a correct FHE scheme?Is TrivialFHE a secure FHE scheme?What makes the above scheme “trivial”?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Compactness
The TrivialFHE scheme is both correct and secure
The problem with TrivialFHE is that it is not efficient:
Computation is performed by Dec, not Eval!
DefinitionA FHE scheme is compact if the size of ciphertextct = Eval(pk,f,Enc(pk,m)) is independent of Size(f)
Weaker forms of compactness:
Ciphertext size may grow logarithmic with Size(f)Ciphertext size may depend on Depth(f)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Function Privacy
f0(x,y) = x + yf1(x,y) = y + x
Game[A](b: {0,1})(sk,pk) ← Gen()ctX ← Enc(pk,x)ctY ← Enc(pk,y)ct ← Eval(pk,fb,ctX ,ctY)return A(ct)
QuestionAssume (Gen,Enc,Dec,Eval) is a secure FHE scheme. Can anefficient adversary A recover the bit b = Game[A](b) ?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Passive Attacks to FHE
Game[A](b: {0,1})(sk,pk) ← Gen()State ← []b' ← A[E,D,F](pk)return b'
Adversary has access to three stateful oracles:
Encryption oracle: E(m0,m1)
Function Evaluation oracle: F(f0,f1,I)Decryption oracle: D(i)
Joint State: List of message-message-ciphertext triplets(m0,m1,ct)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Passive Attack (oracles)
E(m0,m1) = ct ← Enc(pk,mb)State ← (State;(m0,m1,ct))return ct
F(f0,f1,I) = (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,fb,cts)m0 ← f0(ms0)m1 ← f1(ms1)State ← State;(m0,m1,ct)return ct
D(i): (m0,m1,ct) ← State[i]if (m0 ≡m1)
then return Dec(sk,ct)else return Nil
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Passive Attack with/without function privacy
The game we just described guarantees function privacyA similar definition without function privacy can beobtained by requiring f0≡f1 in the function evaluationqueries
F'(f,I): (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,f,cts)m0 = f(ms0)m1 = f(ms1)State ← (State;(m0,m1,ct))return ct
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Example: Circuit Privacy
Assume messages are single bits m: {0,1}
Let FHE=(Gen,Enc,Dec,Eval) a function private FHEscheme supporting NAND(x,y)= not (x && y)
EvalC(pk,C,...): evaluates boolean circuitC: {0, 1}n →{0,1} one gate at a time usingEval(pk,NAND,...)
Let C0,C1 : NAND circuits with the same number ofinputs and NAND gates(sk,ps)← Gen()
Let xs0, xs1 be input bits such that C0(xs0) = C1(xs1)
QuestionAre the following two distributions indistinguishable?
(pk ,EvalC(pk, C0, Enc(pk,xs0)))(pk ,EvalC(pk, C1, Enc(pk,xs1)))
% CSE208: Advanced Cryptography % Daniele Micciancio %Fall 2020
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 3
Bootstrapping
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping
For simplicity: fix message space to {0, 1}
HE=(Gen,Enc,Dec,Eval)
Homomorphic functions: Func = { nand }Supports only bounded computations: Depth(C)< D
QuestionCan we use HE to build a FHE scheme supporting arbitrarycircuits/functions?
The process of building FHE from HE is called“bootstrapping”
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping
For simplicity: fix message space to {0, 1}
HE=(Gen,Enc,Dec,Eval)
Homomorphic functions: Func = { nand }Supports only bounded computations: Depth(C)< D
QuestionCan we use HE to build a FHE scheme supporting arbitrarycircuits/functions?
The process of building FHE from HE is called“bootstrapping”
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decryption as a boolean function
Everything is a sequence of bits
Secret key sk: {0, 1}k
Ciphertext ct: {0, 1}l
Dec(sk,ct): {0,1}
Usually we think of Dec as a function
described by secret key skmapping ciphertext ct to message bit Dec(sk,ct): {0,1}
But we can also think of Dec as a function
described by ciphertext ctmapping secret key sk to message bit Dec(sk,ct): {0,1}
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decryption as a boolean function
Everything is a sequence of bits
Secret key sk: {0, 1}k
Ciphertext ct: {0, 1}l
Dec(sk,ct): {0,1}
Usually we think of Dec as a function
described by secret key skmapping ciphertext ct to message bit Dec(sk,ct): {0,1}
But we can also think of Dec as a function
described by ciphertext ctmapping secret key sk to message bit Dec(sk,ct): {0,1}
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decryption as a boolean function
Everything is a sequence of bits
Secret key sk: {0, 1}k
Ciphertext ct: {0, 1}l
Dec(sk,ct): {0,1}
Usually we think of Dec as a function
described by secret key skmapping ciphertext ct to message bit Dec(sk,ct): {0,1}
But we can also think of Dec as a function
described by ciphertext ctmapping secret key sk to message bit Dec(sk,ct): {0,1}
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homomorphic Decryption
Fix a ciphertext cDefine fc : sk 7→ Dec(sk, c)Assume Size(fc) < S, Depth(fc) < DLet bk[1..k] = Enc(pk,sk[1..k])
QuestionWhat is the result of the following computation?
EvalC(pk,fc ,bk[1..k])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Proxy Re-encryption
Primary key: (pk,sk)
Secondary key: (pk1,sk1)
Re-encryption key: rk = Enc(pk1,sk[1..k])
Input ciphertext c = Enc(pk,m)
Decryption function fc(sk) = Dec(sk,c)
QuestionWhat is the result of the following computation?
EvalC(pk1 ,fc ,rk)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decrypt and compute (unary)
Homomorphic Encryption (Gen,Enc,Dec,Eval)
Assume Func = { fc | c: CipherText } wherefc (sk) = not (Dec(sk,c))
(pk,sk) ← Gen()ek = Enc(pk,sk)c = Enc(pk,m)
QuestionWhat is the result of the following computation?
EvalC(pk,fc ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decrypt and compute (unary)
Homomorphic Encryption (Gen,Enc,Dec,Eval)
Assume Func = { fc | c: CipherText } wherefc (sk) = not (Dec(sk,c))
(pk,sk) ← Gen()ek = Enc(pk,sk)c = Enc(pk,m)
QuestionWhat is the result of the following computation?
EvalC(pk,fc ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decrypt and compute (binary)
Homomorphic Encryption (Gen,Enc,Dec,Eval)
Assume Func = { fc,c′ | c,c': CipherText } wherefc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
(pk,sk) ← Gen()ek ← Enc(pk,sk)c ← Enc(pk,m)c' ← Enc(pk,m')
QuestionWhat is the result of the following computation?
EvalC(pk,fc,c′ ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decrypt and compute (binary)
Homomorphic Encryption (Gen,Enc,Dec,Eval)
Assume Func = { fc,c′ | c,c': CipherText } wherefc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
(pk,sk) ← Gen()ek ← Enc(pk,sk)c ← Enc(pk,m)c' ← Enc(pk,m')
QuestionWhat is the result of the following computation?
EvalC(pk,fc,c′ ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping
Given (1-hop) (Gen,Enc,Dec,Eval) supporting functionsfc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
Define (multi-hop) FHE scheme with Func = { nand }
Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))
Enc '((pk,ek),m) = Enc(pk,m)
Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping
Given (1-hop) (Gen,Enc,Dec,Eval) supporting functionsfc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
Define (multi-hop) FHE scheme with Func = { nand }
Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))
Enc '((pk,ek),m) = Enc(pk,m)
Eval '((pk ,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness
Let (Gen',Enc',Dec,Eval') be the new encryption scheme
TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then
Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'
Strong correctness property:Dec(sk,Eval '((pk,ek),nand ,c,c')
= Dec(sk,c) nand Dec(sk,c')
for any ciphertexts c,c' !
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness
Let (Gen',Enc',Dec,Eval') be the new encryption scheme
TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then
Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'
Strong correctness property:Dec(sk ,Eval '((pk,ek),nand ,c,c')
= Dec(sk,c) nand Dec(sk,c')
for any ciphertexts c,c' !
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security
Assume FHE = (Gen,Enc,Dec,Eval) is IND-CPA secureBuild new scheme FHE':
Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))
Enc '((pk,ek),m) = Enc(pk,m)
Is FHE' IND-CPA secure?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Leveled Homomorphic Encryption
Goal: build a FHE supporting NAND circuits of depth upto L, for any given LKey generation procedure takes L as input:
Gen '(L) =for (i=0..L)
(sk[i],pk[i]) ← Gen()for (i=1..L)
ek[i] = Enc(pk[i],sk[i-1])sk' = sk[0..L]pk' = pk[0..L],ek[1..L]return (sk ',pk ')
Enc '(pk',m) = Enc(pk[0],m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Leveled Homomorphic Encryption
Goal: build a FHE supporting NAND circuits of depth upto L, for any given LKey generation procedure takes L as input:
Gen '(L) =for (i=0..L)
(sk[i],pk[i]) ← Gen()for (i=1..L)
ek[i] = Enc(pk[i],sk[i-1])sk' = sk[0..L]pk' = pk[0..L],ek[1..L]return (sk ',pk ')
Enc '(pk',m) = Enc(pk[0],m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
FHE Today
State of the artWe can build leveled FHE from standard LWE assumption
Built using bootstrappingInefficient, but better than nothing
Open problemBuild (non-leveled) FHE from standard LWE
In practice, one can apply bootstrapping withek = Enc(pk,sk)
Much smaller key than leveled FHENo known attacks to circular securityStill, it is not known how to prove security
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 4
LWE
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linear equations
q: integer modulusZq: integers modulo qA ∈ Zn×m
q : matrixb ∈ Zn
q
ProblemGiven A, b, find x ∈ Zm such that Ax = b (mod q)
ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)
QuestionWhich problem can be efficiently solved?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Worst-case vs Average-case hardness
ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)
NP-hard: no polynomial time algorithm unless P=NP
Is it hard to solve on the average?
For what probability distribution?
A← Zn×mq
x ← {0, 1}m
b = Ax (mod q)
Is f : (A, x) 7→ (A,Ax mod q) is a One-Way Function?
For what values of n,m, q?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
One-Way Functions
Definitionf : D → R is a one-way function if for any PPT algorithm IPr{InvertGame(I)} ≈0 whereInvertGame:
x ← Dy = f(x)x' ← I(y)
return (f(x')?= y)
D = Zn×mq × {0, 1}m
R = Znq
f (A, x) = Ax mod qAsymptotics: q(m) = 2poly(m), n(m) = poly(m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
One-Way?
A← Zn×m
x ← {0, 1}mf (A, x) = Ax mod q
QuestionIs f a one-way function when
1 q = 2m, n = m2 q = 2m, n = m/23 q = m, n = m/24 q = m, n =
√m
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Short Integer Solution (SIS) problem
Parameters:
modulus qdimensions n < mbound β
ProblemSIS: Given A ∈ Zn×m
q and b ∈ Znq, find x ∈ Zm such that
Ax = b (mod q) and ‖x‖ ≤ β
More generally: x ∈ S ⊂ Zm
Special cases:
S = {x : ‖x‖ ≤ β}S = {0, 1}m
S = {x : ‖x‖∞ ≤ β}
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Systematic Form
Assume n < m (e.g., n = m/2)Let A = [I,A′] ∈ Zn×m for some A′ ∈ Zn×(m−n)
LemmaIf SIS is hard, then SIS’ is hard
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Learning With Errors
SIS’: A = [I,A′] ∈ Zn×m where n < m (say, n = m/2)Let x = (e, s)Ax = [I,A′](e, s) = A′s + e
ProblemLWE: Given A′ and b, find small e, s such that A′s + e = b
ProblemLWE: Given A′ and b, find small e, s such that A′s ≈ b
Notice:
A′ ∈ Zn×nq
A′s = b is easy to solveA′s ≈ b seems hard
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE problem
Notation:
secret s ← Znq, usually chosen at random
modulus q(n) = poly(n)A← Zm×n
qerror e ← χm, usually |ei | ≈
√n
b = As + e ∈ Zmq
ProblemSearch LWE: Given A and b, find s
Each row of A gives an approximate equation 〈a, s〉 ≈ bif m� n, then s is uniquely determinedStill, hard to find s
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Uniform vs Small secrets
LemmaIf LWE is hard for s ← χn, then it is hard for s ← Zn
q
Proof: Assume Adv solves LWE with uniform s ← Znq
Adv '(A,b)s ← Zn
qb' = b + Ass' = Adv(A,b')return (s' - s)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Uniform vs Small secrets
LemmaIf LWE is hard for s ← χn, then it is hard for s ← Zn
q
Proof: Assume Adv solves LWE with uniform s ← Znq
Adv '(A,b)s ← Zn
qb' = b + Ass' = Adv(A,b')return (s' - s)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decisional LWE (DLWE)
DefinitionLWE distribution:
LWE[q,n,m] =do A ← Zm×n
qs ← Zn
qe ← χm
b = As+ereturn (A,b)
DefinitionDecisional LWE (DLWE): distinguish LWE[q,n,m] fromUniform(Zm×(n+1)
q )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decision to Search reduction
TheoremIf DLWE is hard, then LWE is hard
Proof:
Assume Adv solves LWEGiven Adv' that solves DLWE
Adv '(A,b):s ← Adv(A,b)if (As ≈ b)
then return "LWE"else return "random"
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decision to Search reduction
TheoremIf DLWE is hard, then LWE is hard
Proof:
Assume Adv solves LWEGiven Adv' that solves DLWE
Adv '(A,b):s ← Adv(A,b)if (As ≈ b)
then return "LWE"else return "random"
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Search vs Decision
Is (Search) LWE harder than DLWE?
TheoremIf Seach LWE is hard for any m = poly(n), then DLWE is alsohard for any m = poly(n)
TheoremFor any m = poly(n), if Seach LWE is hard, then DLWE is alsohard for any m = poly(n)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE Search to Decision reduction (easy version)
Assume Adv can distinguish LWE from uniformTask: Given A,b, find s such that As ≈b (mod q)
Assumption: s is unique (holds with very high probability)We show how to check if si = γ:
Adv(A,b):a ← Zm
A' = A + [0..0,a ,0..0]b' = b + γ acase Adv(A',b') of
"LWE" : return si = c"random" : return si 6= c
Recover all entries of s, one at a time
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
(Decisional) LWE Assumption
In the rest of the course we will just assume that DLWE ishard
There are several variants of the assumption:
Uniform vs. small secret sDifferent (always small) error distributions e ← χFixed vs unbounded number of samples mDifferent values of qConcrete hardness assumptions
By and large all variants are equivalent up to polynomialreductions
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
How to Encrypt with LWE
Fix secret s in Znq
LWE samples (ai , bi ) where ai ∈ Znq and bi ∈ Z
Polynomially many samples (ai , bi ) for i = 1, 2, ...DLWE: the bi values are pseudorandomIdea: use bi as a one-time pad to encrypt a messate m
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE Symmetric Encryption
Gen():s ← Zn
qreturn s
Enc(s,m):a ← Zn
qe ← χb = 〈a, s〉 + e + m
Dec(s,(a,b)):return (b - 〈a, s〉)
Is this a valid encryption scheme?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Symmetric Encryption
SKE(Gen ,Enc ,Dec)Gen: () → skEnc: (sk,m) → cDec: (sk,c) → m
Correctness: for every sk ← Gen() and m ← [M], r ← [R]:
Dec(sk,Enc(sk,m;r)) = m
QuestionIs this a valid encryption scheme?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correcting from errors
Ciphertext modulus qMessage modulus p (assume p divides q)Message space: m ∈ Zp
Enc(s,m) = (a,b) wherea ← Zn
q, e ←χ
b = 〈a, s〉 + e + (q/p)m
Dec(s,(a,b)) = round(c*p/q)) wherec = b - 〈a, s〉 mod q
LemmaIf |e| < β then Dec(s,Enc(s,m;a,e))= m
QuestionFor what value of β is the lemma correct?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
IND-CPA security for symmetric encryption
INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[LR]return b':{0 ,1}
LR(m0,m1):ct ← Enc(sk,mb)return ct
Similar LR security definition can be given also for PKE:A[LR](pk) is given pk and oracle access to LR
Previous PKE INDCPAgame allows only one query to LR
QuestionWhy can restrict PKE INDCPAgame to one query?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security of LWE symmetric encryption
Assume |e| < β = q/(2p) for all e ← χIs LWE INDCPAgameSKE secure?
TheoremAssume DLWE holds for a given q(n) and any m = poly(n).Then LWE symmetric encryption is INDCPA secure, i.e., anyadversary Adv has negligible advantage in the INDCPAgameSKEdistinguishing game.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
RR-CPA security
LWE encryption satisfies a stronger security property:ciphertext indistinguishability from random
INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[RR]return b':{0 ,1}
RR(m):ct0 ← Enc(sk,m)ct1 ←Zn+1
qreturn ctb
“Real or Random” oracle RR
RR-CPA security also provides a form of anonimity
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LeftRight vs RealRand security
TheoremIf a (SKE or PKE) scheme is INDCPA-RR secure, then it is alsoINDCPA-LR secure.
RemarkA (SKE or PKE) scheme can be INDCPA-LR secure, but notINDCPA-RR secure.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Compact LWE Encryption
Ciphertext expansion: bitsize(ct)/ bitsize(m)
Compact LWE SKE (Gen,Enc,Dec)
Gen():
S ← Zl×nq
return S
Enc(S,m) = (a,b)a ← Zn
qe ← χl
b = Sa + e + round((p/q)m)
Dec(S,(a,b)):c ← b - St a) mod qreturn round(c*p/q)
TheoremCompact LWE SKE is correct and INDCPA-RR secure
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Ciphertext Expansion
Compact LWE encryption:
Key S ∈ Zl×nq
Message m ∈ Zlp
Encryption Enc(S,m)= (a,b) where b = Sa + e + mp/q
Ciphertext (a, b) ∈ Zn+lq
QuestionWhat is the ciphertext/plaintext size ratio?
Example:
Enc(f,x;r)= (f(r),H(r)⊕m) where f : {0, 1}k → {0, 1}k
Enc(f,.):{0, 1}m→{0, 1}m+k
Ciphertext expansion: (m + k)/m = 1 + (k/m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 5
Linearity
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE Symmetric Encryption
Gen():s ← Zn
qreturn s
Enc(s,m):a ← Zn
qe ← χb = 〈a, s〉 + e + (q/p)mreturn (a,b)
Dec(s,(a,b)):d = b - 〈a, s〉 mod qreturn (round(d*p/q))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Compact (Matrix) LWE
Gen():
S ← Zl×nq
return S
Enc(S,M) = (A,B)A ← Zn×w
qE ← χl×w
B = SA + E + round((p/q)M) mod q
Dec(S,(A,B)):D ← B - SA mod qreturn round(D*p/q)
Notation:
[A,B]: horizontal concatenation(A,B): vertical concatenation
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linearity of the LWE function
Let LWE(S,X;A,E)= SA + X + E be the raw LWE functionEncryption: Enc(S,M)= LWE(S,(q/p)M; A,E) for random A,E
Linear properties:LWE(S,X;A,E) + LWE(S,X';A',E')
= LWE(S,X+X';A+A',E+E')
LWE(S,X;A,E) - LWE(S,X';A',E')= LWE(S,X-X';A-A',E-E')
c*LWE(S,X;A,E) = LWE(S,c*X; c*A,c*E)
Key Homomorphism:LWE(S,X;A,E) + LWE(S',X';A,E')
= LWE(S+S',X+X'; A, E+E')
Ciphertexts must use the same A!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linearity of the LWE function
Let LWE(S,X;A,E)= SA + X + E be the raw LWE functionEncryption: Enc(S,M)= LWE(S,(q/p)M; A,E) for random A,E
Linear properties:LWE(S,X;A,E) + LWE(S,X';A',E')
= LWE(S,X+X';A+A',E+E')
LWE(S,X;A,E) - LWE(S,X';A',E')= LWE(S,X-X';A-A',E-E')
c*LWE(S,X;A,E) = LWE(S,c*X; c*A,c*E)
Key Homomorphism:LWE(S,X;A,E) + LWE(S',X';A,E')
= LWE(S+S',X+X'; A, E+E')
Ciphertexts must use the same A!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linearity of Ciphertexts
Ciphertexts that “encrypt” X under S with error E.
DefinitionLWE(S,X;E) = { (A,B): B = LWE(S,X;A,E)}
LWE(S,X;β) = { (A,B) : B = LWE(S,X;A,E), |E |∞ < β }
LWE(S,X;E)+ LWE(S,X';E')⊆ LWE(S,X+X';E+E')
LWE(S,X;E)- LWE(S,X';E')⊆ LWE(S,X-X';E-E')
c*LWE(S,X;E)⊆ LWE(S,c*X; c*E)
QuestionLWE(S,X;β) + LWE(S,X';β′) ⊆LWE(S,X+X';β + β′) ?
QuestionLWE(S,X;β) - LWE(S,X';β′) ⊆LWE(S,X+X';β − β′) ?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linearity of Ciphertexts
Ciphertexts that “encrypt” X under S with error E.
DefinitionLWE(S,X;E) = { (A,B): B = LWE(S,X;A,E)}
LWE(S,X;β) = { (A,B) : B = LWE(S,X;A,E), |E |∞ < β }
LWE(S,X;E)+ LWE(S,X';E')⊆ LWE(S,X+X';E+E')
LWE(S,X;E)- LWE(S,X';E')⊆ LWE(S,X-X';E-E')
c*LWE(S,X;E)⊆ LWE(S,c*X; c*E)
QuestionLWE(S,X;β) + LWE(S,X';β′) ⊆LWE(S,X+X';β + β′) ?
QuestionLWE(S,X;β) - LWE(S,X';β′) ⊆LWE(S,X+X';β − β′) ?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linearity of Ciphertexts
Ciphertexts that “encrypt” X under S with error E.
DefinitionLWE(S,X;E) = { (A,B): B = LWE(S,X;A,E)}
LWE(S,X;β) = { (A,B) : B = LWE(S,X;A,E), |E |∞ < β }
LWE(S,X;E)+ LWE(S,X';E')⊆ LWE(S,X+X';E+E')
LWE(S,X;E)- LWE(S,X';E')⊆ LWE(S,X-X';E-E')
c*LWE(S,X;E)⊆ LWE(S,c*X; c*E)
QuestionLWE(S,X;β) + LWE(S,X';β′) ⊆LWE(S,X+X';β + β′) ?
QuestionLWE(S,X;β) - LWE(S,X';β′) ⊆LWE(S,X+X';β − β′) ?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Message and Ciphertext Operations
Addition:
M0 + M1 ∈ Zl×wq
(A0,B0) + (A1,B1) = (A0 + A1,B0 + B1) ∈ Z(n+l)×wq
Subtraction
M0 −M1 ∈ Zl×wq
(A0,B0)− (A1,B1) = (A0 − A1,B0 − B1) ∈ Z(n+l)×wq
Scalar multiplication
c ·M ∈ Zl×wq
c · (A,B) = (c · A, c · B) ∈ Z(n+l)×wq
Arbitrary linear transformations . . .
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Additive Homomorphism Encryption
Homomorphic Encryption supporting the addition ofciphertexts
sk ← Gen()c0 ← Enc(sk, m0)c1 ← Enc(sk, m1)c = c0 + c1m = m0 + m1
Dec(sk,c)?= m
QuestionDoes LWE encryption satisfy the addititive homomorphicproperty? For what error bound |χ| < β?
QuestionIs ciphertext c distributed according to Enc(m0+m1)?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Summation
Homomorphic Encryption supporting the addition ofciphertexts
sk ← Gen()c1 ← Enc(sk, m1)c2 ← Enc(sk, m2)...ck ← Enc(sk, mk )c = c1 + c2 + ... + ckm = m1 + m2 + ... + mk
Dec(sk,c)?= m
QuestionFor any given bound |χ| < β, what is the largest value of k forwhich one can add k ciphertexts?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Subtraction and Scalar multiplication
Subtraction m0 −m1 : similar to addition m0 + m1±1-linear combinations: similar to summationScalar multiplication c ·m: error grows by a factor cCiphertexts can be multiplied only by small scalars!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Concatenation
LWE(S,X;A,E)= SA + X + E
S ∈ Zk×nq
A ∈ Zn×wq
X ,E ∈ Zk×wq
The same S can be used with messages X with any numberof columns w
Message Concatenation X | X' = [X,X']
Definition(A,B) | (A',B')= ([A,A'],[B,B'])
TheoremLWE(S,X;A,E)| LWE(S,X';A',E)⊆LWE(S,[X,X'];[A,A'],[E,E'])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linear Transforms
Left multiplication by a constant matrix: M → M T
Ciphertext C = LWE(S,M;E)
Notice: M and C have the same number of columnsWe can apply T to C: C → CT
TheoremLWE(S,X;A,E)*T ⊆LWE(S,XT;AT,ET)LWE(S,X;E)*T ⊆LWE(S,XT;ET)
Special case:
Addition: C + C' = [C|C']T for T=(I,I)Subtraction: C - C' = [C|C']T for T=(I,-I)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Constant Messages
QuestionCan you compute an LWE encryption of a message M withoutknowing the secret key S?
I pick S ← Gen() and keep it secretGoal: find ciphertext C such that Dec(S,C)= M
Let (A,B) = (O,(q/p)M)
Dec(S,(A,B))= (p/q)(B - SA)= M
We write Const(M) for the constant ciphertext (O,(q/p)M)
Remarks:
The ciphertext C is independent of SC = LWE((q/p)M;0) is a “noiseless” encryption of M
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Constant Messages
QuestionCan you compute an LWE encryption of a message M withoutknowing the secret key S?
I pick S ← Gen() and keep it secretGoal: find ciphertext C such that Dec(S,C)= M
Let (A,B) = (O,(q/p)M)
Dec(S,(A,B))= (p/q)(B - SA)= M
We write Const(M) for the constant ciphertext (O,(q/p)M)
Remarks:
The ciphertext C is independent of SC = LWE((q/p)M;0) is a “noiseless” encryption of M
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Constant Messages as Homomorphic properties
LWE(S,M;E)+ LWE((q/p)M';0)= LWE(S,M+M';E)
Homomorphism for “nullary functions” fM() = M
Given an empty sequence of ciphertexts [], produce anencryption of fM([]) = M
Homomorphism for unary functions fM(M ′) = M + M ′
Given an encryption of M ′, produce an encryption of theshifted message M + M ′
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Circular security
A PKE scheme is “circular secure” if one can securlypublish the encryption Enc(pk,sk).A SKE scheme is “circular secure” if one can securlypublish the encryption Enc(sk,sk).
DefinitionA PKE scheme (Gen,Enc,Dec) is circular secure if(Gen',Enc',Dec) is IND-CPA secure where
Gen '():(sk ,pk) ← Gen()ct ← Enc(pk,sk)pk' = (pk,ct)
Enc '((pk ,ct),msg) = Enc(pk,msg)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Application: Public key encryption
Can we transform Secret Key Encryption to Public KeyEncryption?
Not in general: black box separationsImpagliazzo’s worlds: Minicrypt vs Cryptomania
What if we start from an Additively Homomorphic SKEscheme?
Black box separation results break down
What about a weakly (bounded) additive scheme?
What about our LWE SKE scheme?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Application: Public key encryption
Can we transform Secret Key Encryption to Public KeyEncryption?
Not in general: black box separationsImpagliazzo’s worlds: Minicrypt vs Cryptomania
What if we start from an Additively Homomorphic SKEscheme?
Black box separation results break down
What about a weakly (bounded) additive scheme?
What about our LWE SKE scheme?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
PKE: Construction
Start from SKE (Gen,Enc,Dec)
Construct a PKE (Gen',Enc',Dec)
Gen '():sk ← Gen()for i=1..n
pk[i] ← Enc(sk ,0)pk = pk[1..n]return (sk,pk)
Enc '(pk,msg):for i=1..n
r[i] ← {0,1}ct = Const(msg) + sum { pk[i] : r[i] = 1 }return ct
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of PKE
Dec(sk, msg+Enc(sk ,0) +...+ Enc(sk ,0))= msg + 0 + ... + 0 = msg
TheoremIf SKE is (1-hop) homomorphic under constant increment andn-summation, then PKE is correct.
TheoremIf SKE is (1-hop) homomorphic under constant increment andhn-summation, then PKE is correct and homomorphic underconstant increment and n-summation.
QuestionAssume SKE is an IND-CPA secure and homomorphic. Is PKEsecure?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of PKE
Dec(sk, msg+Enc(sk ,0) +...+ Enc(sk ,0))= msg + 0 + ... + 0 = msg
TheoremIf SKE is (1-hop) homomorphic under constant increment andn-summation, then PKE is correct.
TheoremIf SKE is (1-hop) homomorphic under constant increment andhn-summation, then PKE is correct and homomorphic underconstant increment and n-summation.
QuestionAssume SKE is an IND-CPA secure and homomorphic. Is PKEsecure?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
For what value of n?
Certainly not secure for n = 1 (or even n = 0!)
What about large n?
How large?
Answer: Secure, for large enough n and any additivelyhomomorphic SKE [Rothblum, TCC 2011]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
The case of LWE SKE
Consider the PKE scheme obtained from our LWE-basedSKEGen '():
S ← Gen()P = Enc(S,0) |..| Enc(S,0) = Enc(S ,[0..0])return (S,P)
Enc '(P,M):R ← {0, 1}∗PR + Const(M)
TheoremLWE PKE is RR-IND secure.
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Universal Hashing
DefinitionA function family H = {h : X → Y |h} is 2-universal if for anya, b ∈ X ,
{(h(a), h(b))|h ∈ H} ≡ {(f (a), f (b))|f : X → Y }
Let (X ,+) be an additive groupFor any vector a ∈ Xn, define the subset-sum functionh(a, S) =
∑{ai : i ∈ S}
QuestionWhich of the following function families is 2-universal?
1 {ha : S → h(a,S)|a ∈ Xn}2 {hS : a→ h(a,S)|S ⊆ {1, .., n}}3 Both4 Neither
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Universal Hashing (continued)
ha(S) =∑
i∈S ai is not 2-universal
What about ga,b(S) = b + ha(S)?
Yes, this is 2-universalProve it as an exercise
{ha : {0, 1}n → X}a still satisfies a weaker property whichis enough for our purposes
DefinitionFor any a 6= b, Prh{h(a) = h(b)} = 1/|X |
We will refer to this weaker property as 2-universal’
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Universal Hashing: proof
LemmaFor any group (X ,+), the function family {ha(S) =
∑i∈S ai}a
is 2-universal’, i.e., for all S 6= T we havePrh{h(S) = h(T )} = 1/|X |
Proof.
Let j ∈ S \ TFix ai for all i 6= jLet T ′ = T \ S and S ′ = S \ (T ∪ {i})c =
∑i∈T ′ ai −
∑i∈S′ ai does not depend on aj
ha(S) = ha(T ) iff aj = cPr{aj = c} = 1/|X |
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Leftover Hash Lemma
LemmaFor any 2-universal’ family {h : X → Y |h ∈ H}, the distributions{(h, h(x))|h← H, x ← X}{(h, y)|h← H, y ← Y }
are within statistical distance ∆ ≤√|Y |/|X |.
Proof Steps:
1 If H is 2-universal’, then (H,H(X )) has small collisionprobability
2 If (H,H(X )) has small collision probability, then it isstatistically close to uniform
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability and Uniformity
Z ,Z ′ i.i.d., with Pr{Z = z} = p(z)
DefinitionCollision Probability:C(Z ) = Pr{Z = Z ′} =
∑z p(z)2
∑z(p(z)− 1/|Z |)2 = C(Z )− 1/|Z |
Norm inequality: ∀v ∈ Rn.‖v‖1 ≤√n‖v‖2
∆(Z ,U) = 12
∑z |p(z)− 1/|Z ||
∆ ≤ 12√|Z |
√∑z(p(z)− 1/|Z |)2
∆ ≤ 12√|Z |C(Z )− 1
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability and Uniformity
Z ,Z ′ i.i.d., with Pr{Z = z} = p(z)
DefinitionCollision Probability:C(Z ) = Pr{Z = Z ′} =
∑z p(z)2
∑z(p(z)− 1/|Z |)2 = C(Z )− 1/|Z |
Norm inequality: ∀v ∈ Rn.‖v‖1 ≤√n‖v‖2
∆(Z ,U) = 12
∑z |p(z)− 1/|Z ||
∆ ≤ 12√|Z |
√∑z(p(z)− 1/|Z |)2
∆ ≤ 12√|Z |C(Z )− 1
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability of Universal Hashing
Z = (H,H(X )), 2-universal function family H : X → Y
Collision Probability of Z :
C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )
C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]
Union bound:
Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |
C ≤ 1H ( 1|X | + 1
|Y |)
Using |Z | = |H| · |Y | we get
∆ ≤ 12√|Z |C − 1 = 1
2√|Y |/|X |
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability of Universal Hashing
Z = (H,H(X )), 2-universal function family H : X → Y
Collision Probability of Z :
C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )
C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]
Union bound:
Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |
C ≤ 1H ( 1|X | + 1
|Y |)
Using |Z | = |H| · |Y | we get
∆ ≤ 12√|Z |C − 1 = 1
2√|Y |/|X |
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability of Universal Hashing
Z = (H,H(X )), 2-universal function family H : X → Y
Collision Probability of Z :
C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )
C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]
Union bound:
Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |
C ≤ 1H ( 1|X | + 1
|Y |)
Using |Z | = |H| · |Y | we get
∆ ≤ 12√|Z |C − 1 = 1
2√|Y |/|X |
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision Probability of Universal Hashing
Z = (H,H(X )), 2-universal function family H : X → Y
Collision Probability of Z :
C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )
C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]
Union bound:
Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |
C ≤ 1H ( 1|X | + 1
|Y |)
Using |Z | = |H| · |Y | we get
∆ ≤ 12√|Z |C − 1 = 1
2√|Y |/|X |
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security of LWE PKE
Gen(): S,E ← ...P = Enc(S ,[0..0]) = (A,SA+E)return (S,P)
Enc(P,M): R ← {0, 1}∗return PR + Const(M)
TheoremLWE PKE is RR-IND secure.
Proof:
1 Assume Adv breaks PKE2 LWE Assumption: P = (A,SA+E)≈(A,B)3 Adv breaks RR-CPA when P is uniform4 If P is uniform, then (P,PR) is close to uniform
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security of LWE PKE
Gen(): S,E ← ...P = Enc(S ,[0..0]) = (A,SA+E)return (S,P)
Enc(P,M): R ← {0, 1}∗return PR + Const(M)
TheoremLWE PKE is RR-IND secure.
Proof:
1 Assume Adv breaks PKE2 LWE Assumption: P = (A,SA+E)≈(A,B)3 Adv breaks RR-CPA when P is uniform4 If P is uniform, then (P,PR) is close to uniform
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Details
Claim: (P,PR) is close to uniform
Enough to look at a single column (P,Pr)
Statement for matrix (P,PR) follows by hybrid argument
P: r →Pr is 2-universal
Columns of P belong to a group (Zn+lq ,+)
r selects a subset of the columns of PApply Leftover Hash Lemma
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homomorphic PKE
Enc(P,M)= PR + Const(M)
Enc(P,M)+ Enc(P,M')= PR + Const(M)+ PR' + Const(M')=
P(R+R')+ Const(M+M')
Enc(P,M)+ Enc(P,M')≈Enc(P,M+M')
Noise: E+E'
[ Enc(P,M)| Enc(P,M')] = Enc(P,[M|M'])
Noise: [E|E']
Enc(P,M)T ≈Enc(P,MT)
Noise: ETT must be small
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Homomorphic PKE
Enc(P,M)= PR + Const(M)
Enc(P,M)+ Enc(P,M')= PR + Const(M)+ PR' + Const(M')=
P(R+R')+ Const(M+M')
Enc(P,M)+ Enc(P,M')≈Enc(P,M+M')
Noise: E+E'
[ Enc(P,M)| Enc(P,M')] = Enc(P,[M|M'])
Noise: [E|E']
Enc(P,M)T ≈Enc(P,MT)
Noise: ETT must be small
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Encoding modulo q
Ciphertext modulus q. Assume q = 2k
Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryption
What if we want to encrypt msg ∈ Zq?
Idea:
write msg =∑
i mi2i , where mi ∈ {0, 1}Encrypt each bit individually: Enc(m0),...,Enc(mk)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Encoding modulo q
Ciphertext modulus q. Assume q = 2k
Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryption
What if we want to encrypt msg ∈ Zq?
Idea:
write msg =∑
i mi2i , where mi ∈ {0, 1}Encrypt each bit individually: Enc(m0),...,Enc(mk)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Encoding modulo q
Ciphertext modulus q. Assume q = 2k
Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryption
What if we want to encrypt msg ∈ Zq?
Idea:
write msg =∑
i mi2i , where mi ∈ {0, 1}Encrypt each bit individually: Enc(m0),...,Enc(mk)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Encoding modulo q
Ciphertext modulus q. Assume q = 2k
Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryptionEnc(m: {0, 1}k ) = (a,Sa+e+(q/2)m)
bitDecomp(msg: Zq) =for i=0..k-1
m[i] = (msg >> i) mod 2return m[]
Enc '(msg: Zq) =return (Enc(bitDecomp(msg))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linear Encoding
Bit encoding: (msg:Zq)→(m[*]:{0, 1}k)
good: works for any message spacebad: breaks linear homomorphic properties
We need to use a linear encoding function:
(msg:Zq)→(m[*]:Zkq)
msg → msg*(1,2,4,8,...)
Column encoding:
pow2col = (1,2,4,8,...)Enc'(S,msg)= LWE(S,msg*pow2col)= (a,b)
Row encoding:
pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Linear Encoding
Bit encoding: (msg:Zq)→(m[*]:{0, 1}k)
good: works for any message spacebad: breaks linear homomorphic properties
We need to use a linear encoding function:
(msg:Zq)→(m[*]:Zkq)
msg → msg*(1,2,4,8,...)
Column encoding:
pow2col = (1,2,4,8,...)Enc'(S,msg)= LWE(S,msg*pow2col)= (a,b)
Row encoding:
pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decoding modulo q
QuestionCan you decryptEnc'(S,msg)= LWE(S,msg*pow2col)= (a,b)?Can you decryptEnc'(s,msg)= LWE(s,msg*pow2row)= (A,b)?For what error bound |e|∞ < β?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decryption algorithm
Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b) whereb = sA+e+msg*pow2row
Dec '(s,(A,b)):msg ← 0for i=0...(k-1)
ct ← (A[k-i-1],b[k-i-1] - msg*2k−i )m[i] ← Dec(s,ct)msg ← msg+m[i]<<(i)
return msg
Theorem(Gen,Enc',Dec') is a valid encryption algorithm for β = q/4
QuestionDoes a similar algorithm work for pow2col?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Decryption algorithm
Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b) whereb = sA+e+msg*pow2row
Dec '(s,(A,b)):msg ← 0for i=0...(k-1)
ct ← (A[k-i-1],b[k-i-1] - msg*2k−i )m[i] ← Dec(s,ct)msg ← msg+m[i]<<(i)
return msg
Theorem(Gen,Enc',Dec') is a valid encryption algorithm for β = q/4
QuestionDoes a similar algorithm work for pow2col?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Arbitrary linear transformations
Starting point: Enc() linearly homomorphic for small t
Enc(P,m)*t ≈Enc(P,mt)problem: error grows by a factor t
What about computations modulo q?
pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)
Multiplying by any t ∈ Zq
Compute tBin[] = bitDecomp(t)Compute scalar product with vector tBin[]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Arbitrary linear transformations
Starting point: Enc() linearly homomorphic for small t
Enc(P,m)*t ≈Enc(P,mt)problem: error grows by a factor t
What about computations modulo q?
pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)
Multiplying by any t ∈ Zq
Compute tBin[] = bitDecomp(t)Compute scalar product with vector tBin[]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of scalar multiplication
Enc '(s,msg) * tBin[]= LWE(s,msg*pow2row;e) * tBin[]= LWE(s,msg*pow2row*tBin [];e*tBin [])= LWE(s,msg*t;e')
pow2row * tBin[] =∑
i 2i ·tBin[i] = t
if |e| < β, then |e′| = |∑
i ei · tBin[i ]| ≤ k · βError grows only by k = log q
Problem:
result msg*t is a value modulo qEnc(s,msg*t;e') is not properly encodedwe need an encryption of msg*t*pow2row
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of scalar multiplication
Enc '(s,msg) * tBin[]= LWE(s,msg*pow2row;e) * tBin[]= LWE(s,msg*pow2row*tBin [];e*tBin [])= LWE(s,msg*t;e')
pow2row * tBin[] =∑
i 2i ·tBin[i] = t
if |e| < β, then |e′| = |∑
i ei · tBin[i ]| ≤ k · βError grows only by k = log q
Problem:
result msg*t is a value modulo qEnc(s,msg*t;e') is not properly encodedwe need an encryption of msg*t*pow2row
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness of scalar multiplication
Enc '(s,msg) * tBin[]= LWE(s,msg*pow2row;e) * tBin[]= LWE(s,msg*pow2row*tBin [];e*tBin [])= LWE(s,msg*t;e')
pow2row * tBin[] =∑
i 2i ·tBin[i] = t
if |e| < β, then |e′| = |∑
i ei · tBin[i ]| ≤ k · βError grows only by k = log q
Problem:
result msg*t is a value modulo qEnc(s,msg*t;e') is not properly encodedwe need an encryption of msg*t*pow2row
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Constant Multiplication algorithm
Enc'(s,msg)= LWE(s,msg*pow2row)
Enc'(s,msg)* bitDecomp(t)= LWE(s,msg*t;e')
CMul(C,t):T = bitDecomp(t * pow2row)return C * T
Proof:
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Extensions and Generalizations
Matrix messagesM ⊗ pow2row = [M,M*2,M*4,M*8 ,...]
Arbitrary message modulus:round(m*(q/p),m*(q/p)/2,m*(q/p)*4 ,...)
Other gadgets, e.g., based on Chinese Remainder Theorem
q =∏
i pi product of small primesencoding vector crtRow = [q/p1,q/p2,...,q/pk]crtRow * crtDecomp(t)= t
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Summary
At this point we have an encryption algorithmEnc '(S,M) = LWE(S,M ⊗ pow2row)
with message space Zw×lq , and supporting the homomorphic
evaluation of the following operations:
Const(M): noiseless encryption of M(+): addition of ciphertexts(-): subtraction of ciphertextsCMul(.,T): multiplication by any linear transformationmodulo q
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 6
Key Switching
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remember Proxy Re-encryption?
Primary key: (pk,sk)
Secondary key: (pk1,sk1)
Re-encryption key: rk = Enc(pk1,sk[1..k])
Input ciphertext c = Enc(pk,m)
Decryption function fc(sk) = Dec(sk,c)
QuestionWhat is the result of the following computation?
Eval(pk1 ,fc ,rk)
QuestionCan you implement proxy re-encryption using LWE?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remember Proxy Re-encryption?
Primary key: (pk,sk)
Secondary key: (pk1,sk1)
Re-encryption key: rk = Enc(pk1,sk[1..k])
Input ciphertext c = Enc(pk,m)
Decryption function fc(sk) = Dec(sk,c)
QuestionWhat is the result of the following computation?
Eval(pk1 ,fc ,rk)
QuestionCan you implement proxy re-encryption using LWE?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE-based Proxy Re-encryption?
sk[1..n] ∈ Znq
sk '[1..n] ∈ Znq
Enc(sk,msg) = LWE(sk,msg*pow2row) = (A[],b[])rk[i] = Enc(sk ',sk[i])
Dec '(sk ,(A,b))[j] = b[j] -∑
i sk[i] * A[i,j]≈ msg*pow2row
Dec(sk ,(A,b)) = decode(Dec '(sk ,(A,b)))
QuestionCan you compute Dec' homomorphically?Does it give you a proxy re-encryption scheme?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE-based Proxy Re-encryption
Enc(sk,msg) = LWE(sk,msg*pow2row)rk[i] = Enc(sk ',sk[i])Dec '(sk ,(A,b)) = b[j] -
∑i sk[i] * A[i,j]
Goal: homomorphically evaluate the functionfA,b(sk) = Dec '(sk ,(A,b))Eval(fA,b,rk) = ?
Solution: Eval(fA,b,rk) = ct
ct[j] = Const(b[j]) -∑
i CMul(rk[i],A[i,j])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE-based Proxy Re-encryption
Enc(sk,msg) = LWE(sk,msg*pow2row)rk[i] = Enc(sk ',sk[i])Dec '(sk ,(A,b)) = b[j] -
∑i sk[i] * A[i,j]
Goal: homomorphically evaluate the functionfA,b(sk) = Dec '(sk ,(A,b))Eval(fA,b,rk) = ?
Solution: Eval(fA,b,rk) = ct
ct[j] = Const(b[j]) -∑
i CMul(rk[i],A[i,j])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Key Switching
Generalize proxy re-encryption:
sk,sk' may have different dimensions and moduliEnc(sk,.), Enc'(sk',.) may use different plaintextmoduli and message encodings
Example
Message space msg: ZpCiphertext modulus qsk[1..n], sk'[1..n] ∈ Zn
qEnc(sk,m)= LWE(sk,(q/p)*msg) mod qEvaluation key: rk[i] = Enc(sk',sk[i])
Do you see any problem?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Key Switching
Source scheme:msg: Zpsk[1..n] ∈ Zn
qEnc(sk,msg) = LWE(sk, q
p msg) = (a[],b) mod q
Target scheme:msg ': Zq
sk '[1..n'] ∈ Zn′q
Enc '(sk',msg ') = LWE(sk',msg '* pow2row)
Evaluation:ek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =
Const(b) -∑
i CMul(a[i],ek[i])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness
msg: Zp; sk[1..n] ∈ Znq
msg ': Zq; sk '[1..n'] ∈ Zn′q
Enc(sk,msg) = LWE(sk, qp msg) = (a[],b) mod q
Enc '(sk',msg ') = LWE(sk',msg '* pow2row)
ek[i] = Enc '(sk',sk[i])
KeySwitch(ek ,(a[],b))= Const(b) -
∑i CMul(a[i],ek[i])
= Const(b) -∑
i CMul(a[i],Enc '(sk',sk[i]))
= LWE(sk ',b -∑
i a[i]*sk[i])= LWE(sk ', q
p msg + e)
= Enc(sk ',msg)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness
msg: Zp; sk[1..n] ∈ Znq
msg ': Zq; sk '[1..n'] ∈ Zn′q
Enc(sk,msg) = LWE(sk, qp msg) = (a[],b) mod q
Enc '(sk',msg ') = LWE(sk',msg '* pow2row)
ek[i] = Enc '(sk',sk[i])
KeySwitch(ek ,(a[],b))= Const(b) -
∑i CMul(a[i],ek[i])
= Const(b) -∑
i CMul(a[i],Enc '(sk',sk[i]))
= LWE(sk ',b -∑
i a[i]*sk[i])= LWE(sk ', q
p msg + e)
= Enc(sk ',msg)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Correctness
msg: Zp; sk[1..n] ∈ Znq
msg ': Zq; sk '[1..n'] ∈ Zn′q
Enc(sk,msg) = LWE(sk, qp msg) = (a[],b) mod q
Enc '(sk',msg ') = LWE(sk',msg '* pow2row)
ek[i] = Enc '(sk',sk[i])
KeySwitch(ek ,(a[],b))= Const(b) -
∑i CMul(a[i],ek[i])
= Const(b) -∑
i CMul(a[i],Enc '(sk',sk[i]))
= LWE(sk ',b -∑
i a[i]*sk[i])= LWE(sk ', q
p msg + e)
= Enc(sk ',msg)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks
Source and Target schemes may use different moduli
Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)
Input ciphertext may use compact (matrix) LWE
Enc(SK,msg[])= LWE(SK, qp msg[])
RK' = Enc'(SK',SK)
Key Switching:
Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'
Input/Output can use arbitrary encoding, e.g.,
Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks
Source and Target schemes may use different moduli
Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)
Input ciphertext may use compact (matrix) LWE
Enc(SK,msg[])= LWE(SK, qp msg[])
RK' = Enc'(SK',SK)
Key Switching:
Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'
Input/Output can use arbitrary encoding, e.g.,
Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks
Source and Target schemes may use different moduli
Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)
Input ciphertext may use compact (matrix) LWE
Enc(SK,msg[])= LWE(SK, qp msg[])
RK' = Enc'(SK',SK)
Key Switching:
Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'
Input/Output can use arbitrary encoding, e.g.,
Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks
Source and Target schemes may use different moduli
Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)
Input ciphertext may use compact (matrix) LWE
Enc(SK,msg[])= LWE(SK, qp msg[])
RK' = Enc'(SK',SK)
Key Switching:
Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'
Input/Output can use arbitrary encoding, e.g.,
Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Sub-key Switching
Application: reduce key size SK → SK'
Always: SK,SK' must have the same number of rowsOften SK is a “sub-matrix” of SK = [SK',SK'']
Switching Key[RK',RK"] = Enc '(SK',SK)
= Enc '(SK ',[SK ' | SK ''])= [Enc '(SK',SK ') | Enc '(SK',SK")]
But RK' is publicly known! (remeber circular security?)Can use a smaller switching key RK" = Enc'(SK',SK")
QuestionDoes it work? What if SK"=[]? Then, RK"=[] and SK = SK'!Is it trivial? Is it useful?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Modulus switching
Subkey switching from SK to SK'=SK can still be useful tochange the ciphertext modulus from q to q'
So far we used the simplifying assumption that p|q
Switching from q to q' requires a switching key with
plainext modulus qciphertexst modulus q'but if q|q', this only allows to increase the modulus
(Sub-)Key Switching works also for p 6 |q
but introduces a “small” rounding errorfor subkey switching the rounding error if proportional to SKswitching to a smaller modulus requires “small” key SK
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Subkey and Modulus Switching
Subkey switching
Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m
QuestionGive explicit description of SubkeySwitch algorithm
Modulus switching
Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m
QuestionGive explicit description of ModSwitch algorithm
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Subkey and Modulus Switching
Subkey switching
Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m
QuestionGive explicit description of SubkeySwitch algorithm
Modulus switching
Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m
QuestionGive explicit description of ModSwitch algorithm
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Subkey and Modulus Switching
Subkey switching
Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m
QuestionGive explicit description of SubkeySwitch algorithm
Modulus switching
Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m
QuestionGive explicit description of ModSwitch algorithm
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Subkey and Modulus Switching
Subkey switching
Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m
QuestionGive explicit description of SubkeySwitch algorithm
Modulus switching
Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m
QuestionGive explicit description of ModSwitch algorithm
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 7
Multiplication
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
What we have done so far
Simple LWE Encryption: private key encryption supporting
small message modulus (p � q)homomorphic additionhomomorphic multiplication by small constantsenough to obtain public key encryptioncircular security (for small keys)
Extended LWE Encryption to support
large message modulus (p = q)homomorphic multiplication by arbitray constantscircular security (for arbitary keys)key switching
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Next: Homomorphic Multiplication
ProblemGiven Enc(sk,msg[0]) and Enc(sk,msg[1]), compute aciphertext ct such that Dec(sk,ct)= msg[0]*msg[1]
Can this be done for our LWE encryption scheme?
Can it be done with the help of some additional keymaterial?
Yes, in fact, there are multiple ways to do it
Nested encryptionHomomorphic decryptionTensor product
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Method 1: Nested Encryption
msg[0],msg[1] ∈ Zqct[0] = Enc(sk[0],msg[0])
ct[1] = Enc(sk[1],msg[1])
Multiply encryption of msg[0] by ct[1]
ct[0] * ct[1]= Enc(sk[0],msg [0]) * ct[1]= Enc(sk[0],msg [0]*ct[1])
Inner multiplication:msg [0]*ct[1]= msg [0]* Enc(sk[1],msg [1])= Enc(sk[1],msg [0]* msg [1])
Final result: Enc(sk[0],Enc(sk[1],msg[0]*msg[1]))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Details
ct[1] = Enc(sk[1],msg[1]) is a vector!
ct[0] = Enc(sk[0],msg[0]*I)(msg[0]*I)*ct[1] = msg[0]*ct[1]
msg[0]*Enc(sk[1],msg[1];e[1])= Enc(sk[1],msg[0]*msg
[1]; msg[0]*e[1])
Assume msg[0] is small (e.g., ,10,1)May set Enc(sk[1],msg[1])= LWE(sk[1],(q/2)*msg[1])
Using Enc(sk[0],Enc(sk[1],msg))
Keep nesting?Ciphertexts get larger and larger!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Key Nesting
Recall: Enc(S,M)= LWE(S,M)= (A,S*A + E + M)
Claim: Nested encryption Enc(Z,Enc(S,M))= Enc(Z�S,M)
QuestionFor what key Z�S?
S:Z[k,n], Z:Z[n+k,n]Z = (Zn,Zk) where Zn[n,n] and Zk[k,n]
Z�S = [S*Zn + Zk, S] = [S,I]ZEnc(Z,Enc(S,m;e);e')= Enc(Z�S,m; e")e" = e + [S,I]e'Key S needs to be small!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Key Nesting
Recall: Enc(S,M)= LWE(S,M)= (A,S*A + E + M)
Claim: Nested encryption Enc(Z,Enc(S,M))= Enc(Z�S,M)
QuestionFor what key Z�S?
S:Z[k,n], Z:Z[n+k,n]Z = (Zn,Zk) where Zn[n,n] and Zk[k,n]
Z�S = [S*Zn + Zk, S] = [S,I]ZEnc(Z,Enc(S,m;e);e')= Enc(Z�S,m; e")e" = e + [S,I]e'Key S needs to be small!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Nested Encryption + (Sub)Key Switching
Combine nested multiplication with key switching:
Input keys: Z,S
Evaluation key: W = Enc(S,[S,I]Z;F)
Input ciphertexts:CT[0] = Enc(Z,msg[0]*I;E[0])CT[1] = Enc(S,msg[1]*I;E[1])
Output: SubkeySwitch(W,CT[0]*CT[1])= Enc(S,msg*I;E)msg = msg[0]*msg[1]E = msg[0]*E[1] + [S,I]*E[0]*X + F*Y for binarymatrices X,Y
Key S needs to be small!Security Assumption: Standard LWE
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Method 1.5: Homomorphic Decryption
Assume both ciphertexts use the same key S
Nested Encryption:1 Homomorphic multiplication: Enc(S,msg[0])*CT[1]2 Key Switching: Homomorphic multiplication by [S,I]
Method 1: Eval([S,I],Enc(S,msg[0])*CT[1])
Combine the two homomorphic multiplications:Bring [S,I] inside the first ciphertextEnc(S,msg[0]*[S,I])* CT[1]
Define a new LWE encryption variant:Enc#(S,msg) = Enc(S,msg*[S,I])
Enc#(S,msg [0]) * Enc(S,msg [1])= Enc(S,msg [0]*[S,I]*Enc(S,msg [1]))= Enc(S,msg [0]* msg [1])
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security
Enc#(S,msg) = Enc(S,msg*[S,I])= [Enc(S,msg*S),Enc(S,msg*I)]
Circular security:
Can compute Enc(S,msg*S)= msg*Enc(S,S) withoutknowing SProblem: msg*(-I,0) reveals msg!Solution: Enc(S,0)+ msg*Enc(S,S)
TheoremEnc is secure under the LWE assumption
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks
Second encryption scheme can be chosen arbitrarilyEnc#(S,m0)*Enc(S,m1) = Enc(S,m0m1)
Enc#(S,m0)*Enc#(S,m1) = Enc#(S,m0m1)
No need for key switchingProduct Enc(S,m0m1) uses the same key as the inputKey S does not have to be smallNo evaluation key!
Enc is a homomorphic encryption scheme supportingCiphertext additionCiphertext multiplicationwithout any evaluation key!
Too good to be true?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Error growth
Enc#(m0;E0) * Enc#(m1;E1) = Enc#(m0m1;E)Error: E ≈ m0 ∗ E1 + E0 ∗ X
Multiplying many ciphertextsCT[i] = Enc#(mi;Ei)Assume mi ∈ 0, 1Given CT[1],...,CT[k]Goal: compute CT[1]*...*CT[k] = Enc#(
∏i mi)
How? Several options (multiplication is associative):Left to right multiplication chainRight to left multiplication chainBinary tree (minize circuit depth)
QuestionWhat order is best?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Arithmetic and Boolean operations
AdditionCan add polynomially many ciphertextsError grows by polymomial factor (e.g., O(log(n)) bits)
MultiplicationAssume binary message spaceCan multiply polynomially many ciphertexts in a chainError grows by polymomial factor (e.g., O(log(n)) bits)
Bit operations:m0,m1 ∈ {0, 1}m0 ∧m1 = m0 ·m1¬m0 = 1−m0m0 ∨m1 = ¬(¬m0 ∧ ¬m1)
Conditional: (b,m0,m1) 7→ mbmb = (1− b) ·m0 + b ·m1
Arbitrary log-depth boolean circuits
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Arithmetic and Boolean operations
AdditionCan add polynomially many ciphertextsError grows by polymomial factor (e.g., O(log(n)) bits)
MultiplicationAssume binary message spaceCan multiply polynomially many ciphertexts in a chainError grows by polymomial factor (e.g., O(log(n)) bits)
Bit operations:m0,m1 ∈ {0, 1}m0 ∧m1 = m0 ·m1¬m0 = 1−m0m0 ∨m1 = ¬(¬m0 ∧ ¬m1)
Conditional: (b,m0,m1) 7→ mbmb = (1− b) ·m0 + b ·m1
Arbitrary log-depth boolean circuits
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Method 2: Tensor and Key Switch
Why? Efficiency! Allows SIMD operations using polynomialrings
Ciphertext as a function
fC(S)= Dec'(S,C)= [S,I]CfC is linear in [S,I]
Product ciphertext C = C0*C1
Goal: Dec'(S,C)= Dec'(S,C0)*Dec'(S,C1)fC0,C1(S)= Dec'(S,C0)*Dec'(S,C1) is bilinear in [S,I]
Tensor product: Z = [S,I]⊗[S,I] = [S⊗S,S,S,I]
Any bilinear function of [S,I] is linear in ZC = C0⊗C1 decrypts to m0 ·m1 under Z
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Mixed product property
TheoremFor any A,B,X ,Y ,
(A⊗ B) · (X ⊗ Y ) = (A · X )⊗ (B · Y )
([S, I]⊗ [S, I]) · (C0 ⊗ C1) = ([S, I]C0)⊗ ([S, I]C1)= (X0 + E0)⊗ (X1 + E1)
Result: X0 ⊗ X1 + X0 ⊗ E1 + E0 ⊗ X1 + E0 ⊗ E1
Assume scalar messages: x0 ⊗ x1 = x0 · x1Messages must be encoded: xi = q
pmi
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Mixed product property
TheoremFor any A,B,X ,Y ,
(A⊗ B) · (X ⊗ Y ) = (A · X )⊗ (B · Y )
([S, I]⊗ [S, I]) · (C0 ⊗ C1) = ([S, I]C0)⊗ ([S, I]C1)= (X0 + E0)⊗ (X1 + E1)
Result: X0 ⊗ X1 + X0 ⊗ E1 + E0 ⊗ X1 + E0 ⊗ E1
Assume scalar messages: x0 ⊗ x1 = x0 · x1Messages must be encoded: xi = q
pmi
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Encoding issues
Encode scalar messages: xi = qpmi
Product: (x0 + e0)(x1 + e1) = x0x1 + x0e1 + e0x1 + e0e1Issues:
Error terms x0e1 + e0x1 = qp (m0e1 + e0m1) are too large
Main term x0x1 = (q/p)2m0m1 is not properly encodedSolutions:
Modular arithmetics: assume gcd(q, p) = 1, and multiplyresult by p (mod q)Modulus lifting: Compute the product modulo q2, andthen switch to smaller modulus q
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Modular arithmetics
Compute c = p · c0 ⊗ c1 (mod q)Output c decrypts (under sk⊗sk) to
p(x0 + e0)(x1 + e1) = qp (−qm0m1) + pe0e1
Assume q = −1 (mod p)Error growth: β 7→ pβ2
Arbitrary q, pMultiply result by (−q)−1 (mod p)Error growth: β 7→ p2β2
Modulus switching can be used to reduce β to a fixedpolynomial σ = ‖s‖1 = O(n), and substantially slow downthe error growth
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Modular arithmetics
Compute c = p · c0 ⊗ c1 (mod q)Output c decrypts (under sk⊗sk) to
p(x0 + e0)(x1 + e1) = qp (−qm0m1) + pe0e1
Assume q = −1 (mod p)Error growth: β 7→ pβ2
Arbitrary q, pMultiply result by (−q)−1 (mod p)Error growth: β 7→ p2β2
Modulus switching can be used to reduce β to a fixedpolynomial σ = ‖s‖1 = O(n), and substantially slow downthe error growth
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Modulus Lifting
Compute c = p · c0 ⊗ c1 (mod q2)Assume key ‖s‖1 < σ has small entriesAnalyze the relative error: ci= Enc(mi;(q/p)ei)
TheoremThe product p(c0 mod q)⊗ (c1 mod q) is an encryption ofm0m1 (mod p) under key s ⊗ s (mod q2) with error (q2/p)e
e ≤ 3e0e1 + p2 (σ + 1)(e0 + e1)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Relative error growth
Fixed polynonials β ≈√n, σ = ‖s‖1 ≈ O(n1.5)
Modulus lifting error growth
relative error: input (q/p)ei , output (q2/p)eassume |ei | < εoutput (multiplication) error ≈ pσε
After L levels of multiplications, error ≈ (pσ)Lε < 1
Input ciphertext modulus must be q ≈ (pσ)L
Better than modular arithmetics approach q > (pβ)2L
Similar growth to modular arithmetics + modulus switching
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Tensoring + Key Switching
Both methods produce a ciphertext under key[S⊗S,I⊗S,S⊗I]For scalar messages I = [1] and I⊗S = S⊗I = S
Can use subkey switching from [S⊗S,S] to S
Evaluation key: Enc(S,S⊗S)Security:
Does not follow from circular security of LWEUsing standard LWE:
Evaluation key Enc(Z,S⊗S)Use a sequence of keys S0, ...,SL, one for eachmultiplicative level of circuit/computationCan you still use subkey switching?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Arithmetic computations using Tensor products
Message encoding: (q/p)m
Plaintext arithmetic modulo p (both addition andmultiplication)
Error grows with multiplicative depth of the circuit
Use small key ‖s‖1 < σ to use modulus switching and slowdown error growth
Error at depth L: ≈ (pσ)L < q
L = O(log n): q = nO(log n)
L = poly(n): q = 2poly(n)
Impact of modulus:
Efficiency: running time poly(log q)Security: requires hardness of of approximating latticeproblems within γ ≈ q/β
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 8
FHE!!
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping
Given (1-hop) (Gen,Enc,Dec,Eval) supporting functionsfc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
Define (multi-hop) FHE scheme with Func = { nand }
Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))
Enc '((pk,ek),m) = Enc(pk,m)
Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
LWE Homomorphic Encryption
Goal: homomorphic evaluation offc,c′(sk) = Dec(sk,c) nand Dec(sk,c')
LWE-based cryptosystem
Supports bounded depth addition and multiplicationBit operations: x nand y = 1 - (1-x)\cdot (1-y)
Key Switchingek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =
Const(b) -∑
i CMul(a[i],ek[i])
Homomorphic evaluation of Dec'(a,b)= b - Sa
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Not enough
Key switching only computes the linear part of Dec
We also need to round the result to decode(b - Sa)
Is this really needed?
Yes, b - Sa = (q/p)m + eKey switching gives a noisy encryption of (q/p)+eWithout rounding, noise keeps getting bigger
QuestionsCan we express rounding as a polynomial function (mod q)?What is the degree of the polynomial?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Error growth and bounded computation
We have seen two methods to multiply ciphertexts:
Tensor products
error growth ∼ β → βσcan evaluate arbirary circuits with multiplicative depth Leven for L = log n, requires superpolynomial modulusq > σL ≈ nO(log n)
Nested Encryption / Homomorphic Decryption
asymmetric error growth: (m0, e0)× (m1, e1)→ m0e1 + e0βcan evaluate arbitrary multiplication chains of L freshencryptions of binary messageseven for large L, polynomial modulus q ≈ Lβ2 is enough
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Roadmap
For each multiplication method
1 Describe/analyze a bootstrapping algorithm
2 Homomorphically evaluate the algorithm using anappropriate cryptographic data structure (encryptedaccumulator)
3 Implement the cryptographic data structure using LWE
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Cryptographic accumulators
Cryptographic Data Structure ACC[v]
Holds a value v ∈ V in encrypted formInput Encryption scheme: Enc'Output Encryption scheme: Enc''
Operations on ACC[v]
Given Enc'(x), update ACC[v] →ACC[f(v,x)]Given ACC[v], output Enc''(f(v))
Bootstrapping:
Bootstrapping key: Enc'(s)Final output: Enc''(m)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Boostrapping problem
Assume p = 2,m ∈ {0, 1}
Decryption Algorithm:
Input: a[1..n] ∈ Znq, b ∈ Zq
Secret key: s[1..n] ∈ Zn
Compute d = b −∑
i a[i ]s[i ] + (q/4) (mod q)Round d to MSB(d) = b2d/qc
Homomorphic Computation:
Given Enc(s[i])Compute Enc(MSB(d))
Simplifying assumption:
s[i ] ∈ {0, 1}without loss of generality using (a, 2a, 4a, ...)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Ripple-carry addition
Standard schoolbook method
using binary digitsadd n numbers at a timecarry in {0, . . . , n}
Input digits are encrypted
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Ripple-carry accumulator
Parameters:
Message space V = {v',...,v''}
Input: Enc'(x)= Enc#(x)
Output: Enc''(x)= LWE(x)
ACC[x] = (Enc''("x=v"): v ∈ V)
Init(v)= ACC[v]Function application: f(ACC[v])= ACC[f(v)]Selection:Enc'(b)? ACC[v0] : ACC[v1] = ACC[b?v0:v1]Output: p(ACC[v])= Enc''(p(b))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping algorithm
b+q/4 =∑
j 2j b[j]
a[i] =∑
j 2j a[i,j]
ACC ← ACC[0]for h = 0..k-1
ACC[x] ← f(ACC[x]) where f (x) = (x/2) + b[h]forall i,j
if (a[i,j] = 1)ACC[x + s[i]] ← Enc '(s[i]) ? ACC[x] :
ACC[x+1]return (even(ACC[x])) = Enc ''(even(x))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Carry-save accumulator
Parameters: bit length k
ACC[x] = (x0,x1)
x = x0+x1 (modulo 2k)x0[0,..,k-1] and x1[0,..,k-1]redundant representation
Operations:
add y to ACCcompute MSB(ACC)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Carry-save addition
Add(ACC(x0,x1),y):x0 '[i] = (x0[i] + x1[i] + y[i]) mod 2x1 '[i+1] = (x0[i] + x1[i] + y[i] > 1)return ACC(x0 ',x1 ')
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
MSB computation
Standard MSB computation
addition x0+x1 with carry propagationO(log(k)) depth circuit where k=log(q)
Can also add in log(k) depth
Compute both MSB(ACC) and MSB(ACC+1)ACC[k]: k-bit accumulatorRecursive algorithm: splitACC[k] = (HiACC[k/2],LoACC[k/2])
MSBs(ACC=(HiACC ,LoACC)):parallel:
hi[0,1] = MSBs(HiACC)lo[0,1] = MSBs(LoACC)
out[0] = hi[lo[0]]out[1] = hi[lo[1]]return out
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Bootstrapping algorithm
ACC[0] = b+q/4for i=1..n
ACC[i] = s[i]*a[i]ACC = Sum(ACC[0],...,ACC[n])return MSB(ACC)
Sum(ACC [0..n])if n=0
then return ACC[0]else h=n/2
ACC0 = Sum(ACC [0..h-1])ACC1 = Sum(ACC[h..n])(x0,x1) = ACC1return (ACC0 + x0) + x1
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Summary
Bootstrapping functions can be computed by
1 O(n log q)-long sequence of multiplications, or2 log(n) + log log(q)-depth arithmetic circuits
Error growth:
1 Using LWE �: final error ≈ O(n) · β2 Using LWE ⊗: final error ≈ σlog n+log log q = σO(log n)
Parameters β(n), σ(n): fixed polynomials in n
Modulus:
1 polynomial modulus q(n) ≈ O(n)β = nO(1)
2 quasipolynomial q(n) = nO(log n)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Summary (security)
Hardness of lattice problems within factor γ ≈ q/β
1 LWE �: polynomial γ = nO(1)
2 LWE ⊗: quasipolynomial γ = nO(log n)
Circular security assumption
Needed by tensor product multiplication / keyswitchingNeeded to apply bootstrappingNot needed for leveled homomorphic encryption
QuestionRemove circular security assumption:
Can you build (unbounded) FHE from standard LWE?Can you build (unbounded) linearly homomorphic HE?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Summary (security)
Hardness of lattice problems within factor γ ≈ q/β
1 LWE �: polynomial γ = nO(1)
2 LWE ⊗: quasipolynomial γ = nO(log n)
Circular security assumption
Needed by tensor product multiplication / keyswitchingNeeded to apply bootstrappingNot needed for leveled homomorphic encryption
QuestionRemove circular security assumption:
Can you build (unbounded) FHE from standard LWE?Can you build (unbounded) linearly homomorphic HE?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Efficiency
Main security parameter n > 100 (typically, n ≈ 1000)Modulus q(n) < 2n has bitsize log q < nAssume 1GHz, arithmetic operations modulo qBootstrapping: homomorphically evaluate decryptionalgorithm (once or twice per gate)
QuestionCan you estimate the cost of a single FHE operation?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 9
Project Info
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Implementation and Libraries
Libraries:
SEALHElibPALISADELattigo. . .
Interface:
try to hide math as much as possibleoffer encoding, decoding and SIMD operations
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Project:
Use one of the librariesOpen ended, do anything you wantGoal: demonstrate you managed to use the libraryExtra points: do something interestingSubmission: pdf report describing your work + supportingcode
Teams:
You can work in pairs if you likeLarger teams only if doing something more substantialIndivudual project required to use for master competency
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Project Deadlines:
Deadlines:
Next lecture (Tue, Dec 1): need to know what you aredoing (team, library)End of finals week (Fri, Dec 18): project submission(canvas, pdf+code)
In the meantime:
in class, mathematics underlying Ring LWEused by the librariesuseful to understand/improve the librariesnot required to use the libraries
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 10
Ring LWE
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
(In)efficiency of LWE
Standard LWE
Ciphertexts: (a, b) ∈ Z(n+1)×log qq store one value (mod p)
Ciphertext size: O(n log q)Addition, Scalar multiplication: T ≈ n log qCiphertext multiplication: T ≈ n2 log2 q
Compact LWE
Ciphertexts: (a, b) ∈ Z(2n)×log qq store n values (mod p)
Amortized ciphertext size: O(log q)Amortized addition, scalar multiplication: T ≈ log qCiphertext multiplication?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Ring LWE
Generalize LWE using a ring R instead of Z
Ring of polynomials Z[X ]
Monic irreducible p(X ) of degree n
e.g., p(X ) = X n − 1
Quotient ring R = Z[X ]/p(X )
isomorphic to (Zn,+)convolution productRq = R/qR
Ring LWE
Key: s(X ) ∈ RCiphertexts (a, b) ∈ R2
qMessages: m ∈ Rp
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Ring LWE vs Compact LWE
Both methods:
Encrypt n values (mod p) using O(n) values (mod q)Efficient (linear time) vector addition and scalarmultiplication
Multiplication:
Compact LWE: tensor multiplication, cost O(n2)Ring LWE: polynomial multiplication, cost O(n log n) usingFFT
Applications / Programming model:
Addition, scalar multiplication: SIMDMultiplication: convolution is usually not what you wantEncode data to perform SIMD multiplication
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Data encoding
Polynomial representation
p(x1), . . . , p(xn) ∈ Znq
p(x) = a0 + a1x1 + . . . an−1xn−1 ≡ Znq
Polynomial multiplication: SIMD multiplication ofevaluation representations
Quasilinear time transformations:
(y1, . . . , yn)→ (a0, . . . , an−1): polynomial interpolation(a0, . . . , an−1)→ (y1, . . . , yn): polynomial evaluation
Other operations:
SIMD: great to run same program on n data setsNeed also to pack,unpack,shuffle, etc. for generalcomputations
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Security
Is Ring LWE secure?For what rings?
Short answer:
Working modulo p(X ) = Xn − 1 is not a good ideaBetter to work with cyclotomic polynomialsSWIFFT ring: p(X ) = Xn + 1 where n = 2k
Useful both for
security, pseudorandomness, search/decision reductionsefficient implementation using Number Theoretic Transform(NTT)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Implementation and Libraries
Libraries:
SEALHElibPALISADELattigo. . .
Interface:
try to hide math as much as possibleoffer encoding, decoding and SIMD operations
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Cyclic lattices
A lattice is cyclic if it is closed underrot(v1, ..., vn) = (vn, v1, v2, ..., vn−1)
Equivalently
view vectors as coefficients of a polynomiallattice is closed under rot(v(X )) = X ∗ v(X ) mod (X n − 1)
Commonly used in coding theory (over finite fields)
cyclic codes: linear code, closed under rotationequivalently, set of polynomials in F[X ]/(X n − 1), closedunder multiplication by X
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Generators
TheoremAny cyclic code over finite a field F can be written as
C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}
for some g(X )
Proof.
QuestionIs the same true for cyclic lattices?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Generators
TheoremAny cyclic code over finite a field F can be written as
C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}
for some g(X )
Proof.QuestionIs the same true for cyclic lattices?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Cyclic lattices and one-way functions
NTRU (1998): public key encryption, efficient, no proof
First provable construction, (M., FOCS 2002): one-wayfunction
Rq = Z[X ]/(q,X n − 1)key: a1(X ), . . . , am(X ) ∈ Rqinput: v1(X ), . . . , vm(X ) ∈ {0, 1}n ⊂ Rqoutput: w(X ) =
∑i ai (X ) · vi (X ) ∈ Rq
compression function: m = 2n log2(q)
One-way: given a1, . . . , am and w ,
easy to find v1, . . . , vm ∈ Rq such that∑
i aivi = w ∈ Rqhard to find v1, . . . , vm ∈ {0, 1}n
Intuition: Compact knapsack, circulant matrices
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Compact knapsack, circulant matrices
Polynomials: a(X ) ∈ Z[X ]/(Xn − 1)
Equivalently: A ∈ Zn×n circulant matrix
a1 + a2 ≡ A1 + A2a1 · a2 ≡ A1 · A2
Compact knapsack
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collision resistance?
Regular knapsack:
given random a1, . . . , am ∈ Zqm = 2 log2(q)collisions existcollisions are hard to find
Compact knapsack:
given random a1, . . . , am ∈ Zq[X ]/(X n − 1)m = 2n log2(q)collisions exist
QuestionAre collisions hard to find?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Collisions in compact knapsacks
Multiply each “circulant” matrix ai by the all-one vector
Find collision in Zq
Algebraic decription:
multiply each ai (X ) by u(X ) = (1 + X + X 2 + ....)Notice (X n − 1) = u(X ) · (X − 1)CRT: R ≡ (Z[X ]/(X − 1))× (Z[X ]/u(X ))Multiplication by u(X ) maps R to Z[X ]/(X − 1) ≡ Z
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Anti-Cyclic lattices
A lattice is anticyclic if it is closed underrot(x1, ..., xn) = (−xn, x1, x2, ..., xn−1)
Equivalently: work in R = Z[X ]/(Xn + 1)
Questions:
1 Are compact knapsacks over R collision resistant?2 Does (X n + 1) have small degree factors?
TheoremXn + 1 is irreducible if and only if n is a power of 2
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Anti-Cyclic lattices
A lattice is anticyclic if it is closed underrot(x1, ..., xn) = (−xn, x1, x2, ..., xn−1)
Equivalently: work in R = Z[X ]/(Xn + 1)
Questions:
1 Are compact knapsacks over R collision resistant?2 Does (X n + 1) have small degree factors?
TheoremXn + 1 is irreducible if and only if n is a power of 2
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Roots of Unity
ωm = exp(2πı/m) ∈ C, primitive mth root of unity
Observation: Xm − 1 =∏m−1
k=0 (X − ωkm)
Xm − 1 =∏d |m
∏gcd(k,m)=d
(X − ωkm)
=∏d |m
∏k∈Z∗m/d
(X − ωkm/d )
DefinitionCyclotomic Polynomial: Φm(X ) =
∏k∈Z∗m (X − ωk
m) ∈ C[X ]
Question: does Φm have integer coefficients?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Division Theorem
(R,+, ∗, 0, 1): any ring
R[X ]: polynomials with coefficients in X
TheoremFor any a(X ) ∈ R[X ] and monic b(X ) ∈ R[X ], there existsunique q(X ), r(X ) ∈ R[X ] such that
a(X ) = q(X ) ∗ b(X ) + r(X )deg(r(X )) < deg(b(X ))
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Division Algorithm
divRem :: Poly → Poly → PolydivRem a b =
if (deg a < deg b)then (0,a)else let aL = leadingTerm a
bL = leadingTerm bqL = aL / bLa' = a - b*qL(q',r) = divRem a' bq = qL + q'
in divRem (q, r)
Dividing by b(X ) requires divisions by the leadingcoefficient of bIf R is a field, we can divide by any non-zero b(X ):If b(X ) is monic, division is possible in any ring R
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Polynomial Division: Example
QuestionDivide a(X ) = 5X 8 + 4X 6 − 5X 3 + 4 by b(X ) = X 3 − X + 7
Solution:
quotient: q(X ) = 5X 5 + 9X 3 − 35X 2 + 9X − 103remainder: r(X ) = 254X 2 − 166X + 725
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Polynomial Division: Example
QuestionDivide a(X ) = 5X 8 + 4X 6 − 5X 3 + 4 by b(X ) = X 3 − X + 7
Solution:
quotient: q(X ) = 5X 5 + 9X 3 − 35X 2 + 9X − 103remainder: r(X ) = 254X 2 − 166X + 725
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks about Division Algorithm
Division Algorithm:(a(X ), b(X ) ∈ R[X ]) 7→ (q(X ), r(X ) ∈ R[X ])
For any subring S ⊆ R, and a(X ), b(X ) ∈ S[X ]
Result of dividing a(X ) by b(X ) is in S[X ]Division as polynomials in R[X ] or as polynomials in S[X ]produces the same result
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Polynomial GCD
F[X ]: polynomials with coefficients in a field F
The Greatest Common Divisor (gcd) of a(X ), b(X ) ∈ F[X ]is a polynomial g(X ) ∈ F[X ] such that
g(X ) divides a(X ) and b(X )any d(X ) ∈ F[X ] that divides both a(X ) and b(X ) alsodivides g(X )
TheoremFor any a(X ), b(X ) ∈ F[X ]
gcd(a(X ), b(X )) = u(X )a(X ) + v(X )b(X )
for some u(X ), v(X ) ∈ F[X ].
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Euclid’s Algorithm
Input: a(X ), b(X ) ∈ F[X ]
Output: u(X ), v(X ) ∈ F[X ] such thatu(X )a(X ) + v(X )b(X ) = gcd(a(X ), b(X ))
Invariant: gcd(a(X ), b(X )) = gcd(b(X ), a(X ) mod b(X ))euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =
if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a
(u,v) = euclid (b,r)in (-q*v , u+v)
Base case: 1*a+0*b = a = gcd(a,b)
Indunction: (-qv)a+(u+v)b = ub + v(b-qa)= ub+vr
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Remarks about Euclid Algorithm
euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =
if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a
(u,v) = euclid (b,r)in (-q*v , u+v)
Euclid Algorithm works over a field:
Even if b(X ) is monic, r(X ) = b(X ) mod a(X ) may not be
If a(X ), b(X ) ∈ R[X ] have coefficients in a domain R ⊆ F ,then we can compute gcd(a(X ), b(X )) ∈ F[X ]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Cyclotomic Polynomials
Xm − 1 =∏
d |m Φm(X )
Theorem
Φm(X ) ∈ Z[X ]
Proof:
For m = 1, Φ1(X ) = (X − 1)
For m > 1, b(X ) =∏
m>d |m Φd (X ) is in Z[X ] by induction
Compute (q(X ), r(X )) = divRem(Xm − 1, b(X )) in Z[X ]
r(X ) = 0 because b(X ) divides Xm − 1
Φm(X ) = q(X ) is in Z[X ]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Cyclotomic Polynomials
Xm − 1 =∏
d |m Φm(X )
Theorem
Φm(X ) ∈ Z[X ]
Proof:
For m = 1, Φ1(X ) = (X − 1)
For m > 1, b(X ) =∏
m>d |m Φd (X ) is in Z[X ] by induction
Compute (q(X ), r(X )) = divRem(Xm − 1, b(X )) in Z[X ]
r(X ) = 0 because b(X ) divides Xm − 1
Φm(X ) = q(X ) is in Z[X ]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Irreducibility of Cyclotomics
TheoremΦm(X ) ∈ Z[X ] is irreducible
TheoremCm ≡ Z[X ]/Φm(X ) = Z[ωm]
simple proof, helps intuition
Algebraic Number Fields
finite dimentional extensions of Qkey concepts: field extensions, vector spaces
Algebraic Number Rings
finite dimensional extensions of Z, i.e., latticeskey concepts: ring extensions, modules over a ring
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Factoring primes in Cyclotomic rings
Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful
QuestionQuestion: What’s the factorization of Φm(X ) modulo p?
Technically, this is the problem of factoring (the ideal generatedby) the prime p in the ring of polynomials modulo Φm(X )
“The obvious mathematical breakthrough would be de-velopment of an easy way to factor large prime numbers”(Bill Gates, The Road Ahead, p. 265)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Factoring primes in Cyclotomic rings
Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful
QuestionQuestion: What’s the factorization of Φm(X ) modulo p?
Technically, this is the problem of factoring (the ideal generatedby) the prime p in the ring of polynomials modulo Φm(X )
“The obvious mathematical breakthrough would be de-velopment of an easy way to factor large prime numbers”(Bill Gates, The Road Ahead, p. 265)
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Motivation
R = Z[X ]/Φm(X )
Rp = R/(pR) ≡ Z[X ]/〈Φm(X ), p〉Z[X ]
Equivalently, Rp ≡ Zp[X ]/Φm(X )
The structure of Rp is equivalently described by
the factorization of (pR) in R, orthe factorization of Φm in Zp[X ]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Section 11
ANT
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Basic Algebra
Review of basic algebraic structures:
(Commutative) monoids and groupsRings and FieldsModules and Vector spaces
Some common examples:
Q ⊂ R ⊂ C: the fields of rational, real and complexnumbersZ,Zn: the rings of integers, and integers modulo nR[X ]: The ring of polynomials with coefficients in R
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Monoids and Groups
A monoid (A, ∗, 1) is a set A with a binary operation(∗) : A× A→ A and unit element 1 ∈ A such that
(x ∗ y) ∗ z = x ∗ (y ∗ z) (associativity)1 ∗ x = x ∗ 1 = x (identity)
A monoid is commutative if
x ∗ y = y ∗ x (commutativity)
An element x is invertible if there is a y such thatx ∗ y = y ∗ x = 1
A group is a monoid such that all elements are invertible
Abelian group: commutative groups, additive notation(A,+, 0), additive inverse −x
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Rings and Fields
A (commutative) Ring (R,+, ∗, 1, 0) is a set with twobinary operations such that
(R,+, 0) is an abelian group
(R, ∗, 1) is a (commutative) monoid
x ∗ (y + z) = x ∗ y + x ∗ z and (x + y) ∗ z = x ∗ z + y ∗ z(distributivity)
Subring S ⊆ R, subset of a ring closed under +, ∗, 0, 1
A commutative ring (F ,+, ∗, 1, 0) such that all nonzeroelements are invertible is called a Field
A subring of a field R ⊆ F is called an Integral Domain
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Modules and Vector Spaces
Let (R,+, ∗, 0, 1) be a commutative ring
An R-module is an additive group (A,+, 0) with a scalarmultiplication operation (∗) : R × A→ A such that
r ∗ (s ∗ a) = (r ∗ s) ∗ a(r + s) ∗ a = r ∗ a + s ∗ ar ∗ (a + b) = r ∗ a + r ∗ b
If R is a field, then A is called a Vector Space
Linear independenceDimensionBasis
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Submodules and Quotients
Let (A,+, 0) be an R-module
An R-submodule of is
a subgroup B ⊆ Aclosed under scalar multiplication: R ∗ B ⊆ B
Quotient group: A/B = {[a]B : a ∈ A}, [a]B = a + B
also an R-module with r ∗ [a]B = [r ∗ a]B
Special case:
R is an R-moduleR-submodules I ⊆ R are called idealsR/I is also a ring with [a] ∗ [b] = [a ∗ b]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Integral and Algebraic Numbers
Domain R ⊆ F : subring of a field F
α ∈ F is algebraic over R if m(α) = 0 for somem(X ) ∈ R[X ]
α ∈ F is integral over R if m(α) = 0 for some monicm(X ) ∈ R[X ]
Examples:
α =√2 is integral over Z because m(α) = 0 for
m(X ) = X 2 − 2α = 1/
√2 is algebraic over Z because m(α) = 0 for
m(X ) = 2X 2 − 1, but is it not integral
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Minimal Polynomial
Field Extension F ⊆ E
Let α ∈ E be algebraic over F
Ring homomorphism: hα : F [X ]→ E , wherehα(p(X )) = p(α)
I = ker(hα): set of polynomials p such that p(α) = 0
I ⊆ F [X ] is a non-zero ideal
Minimal polynomial: smallest degree monic polynomialm(X ) ∈ I
I = F [X ] ·m(X ), i.e., p(α) = 0 iff m(X )|p(X )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Irreducibility
Let m(X ) be the minimal polynomial of α
m(X ) is irreducible:
If m(X ) = a(X ) · b(X ), then a(α) · b(α) = m(α) = 0,
either a(α) = 0 or b(α) = 0.
either a(X ) = c ·m(X ) or b(X ) = c ·m(X )
F [α] ≡ F [X ]/m(X ) are isomorphic
isomorphism: hα : F [X ]/m(X )→ F [α]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Algebraic Extensions
Algebraic α ∈ E ⊆ F
Minimal polynomial m(α) = 0 of degree n = deg(m(X ))
F [α] ≡ F n as an F -vector space with basisα0, α1, . . . , αn−1:
α0, α1, . . . , αn−1 are linearly independentα0, α1, . . . , αn−1 generate F [α]
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Extension fields
TheoremF [α] = F (α) is a field
Proof:- Let p(α) ∈ F [α] for some p(X ) ∈ F [α], deg(p) < n- gcd(p(X ),m(X )) ∈ {1,m(X )} because m(X ) is
irreducible- If gcd = m(X ), then p(X ) = m(X ) and p(α) = 0- If gcd = 1, then u(X )p(X ) + v(X )m(X ) = 1- u(α) · p(α) = 1
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Factoring primes in Cyclotomic rings
Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful
QuestionQuestion: What’s the factorization of Φm(X ) modulo p?
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Since gcd(m, p) = 1, we have p ∈ Z∗mLet d = o(p) be the order of p in Z∗mpd = 1 mod m, equivalently, m|(pd − 1)Let GF (pd ) be the finite field with pd elementsThe multiplicative group GF (pd )∗ is cyclic of order pd − 1There is an element ζ ∈ GF (pd ) of order mζd = 1 in GF (pd )o(ζk) = m for all k ∈ Z∗mΦm(X ) =
∏k∈Z∗m (X − ζk) splits in GF (pd )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
TheoremThe minimal polynomials of all ζk over Zp have degree d
Let l(X ) ∈ Zp[X ] be the minimal polynomial of ζ
Zp[ζ] ≡ Zp[X ]/l(X ) is a field
of size pdeg(l)
containing an element ζ of order m
m = o(ζ) divides pdeg(l) − 1 = |Zp[ζ]∗|
pdeg(l) = 1 mod m
by definition of d = o(p) and deg(l) = d
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
When gcd(m, p) = 1 Φm(X ) ∈ Zp[X ] factors into a productof ϕ(m)/d distinct degree d = o(p mod m) polynomials
For arbitrary m, factorization of Φm(X ) modulo p isobtained using the following theorem.
TheoremFor any m′ = mpk with gcd(m, p) = 1,
Φm′(X ) = (Φm(X ))ϕ(pk) mod p
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Proof
Frobenius map (x 7→ xp) : GF (pk)→ GF (pk) satisfies:
(x + y)p = xp + yp (from binomial expansion)ap = a for a ∈ Zp ⊆ GF (pk) (Lagrange)
Zp[X ] is a domain:
a(X )b(X ) = a(X )c(X ) cancels to b(X ) = c(X )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Using these two properties:
(Xmpk − 1) = (Xm − 1)pk =∏
d|m Φd (X )pk
(Xmpk − 1) =∏
d|m∏
i≤k Φdpi (X )So, by induction on m:∏
i≤kΦmpi (X ) = Φm(X )pk
Canceling equality for k − 1 from equality for k:
Φmpk (X ) = Φm(X )pk−pk−1= Φm(X )ϕ(pk )
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Factoring modulo a prime power
Φm(X ) =∏
i Fi (X ) mod p with irredudible Fi (X ) ∈ Zp[X ]Lift each Fi (X ) mod p to a factor Gi (X ) mod pk
Φm(X ) =∏
i Gi (X ) mod pk with Fi (X ) = Gi (X ) mod pGi (X ) is irreducible, because any factorization mod pk
gives also a factorization mod p
Theorem(Lifting) Let a(X )b(X ) = c(X ) mod p withgcd(a(X ), b(X )) = 1. For every k, there are a′(X ) = a(X )mod p and b′(X ) = b(X ) mod p such that a′(X )b′(X ) = c(X )mod pk
CSE208:Advanced
Cryptography
DanieleMicciancio
Introduction
Defining FHE
Bootstrapping
LWE
Linearity
Key Switching
Multiplication
FHE!!
Project Info
Ring LWE
ANT
Let u(X ), v(X ) such that a(X )u(X ) + b(X )v(X ) = 1mod pAssume a(X )b(X ) = c(X ) + pkd(X ) by inductionLet a′(X ) = a(X )− pkv(X )d(X ) andb′(X ) = b(X )− pku(X )d(X )a′(X )b′(X )mod pk+1 = a(X )b(X )−pk(a(X )u(X )+b(X )v(X ))d(X ) =a(X )b(X )− pkd(X ) = c(X )