China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 4, 2014 Homomorphic Encryption over Polynomial Rings

Source: people.csail.mit.edu/shaih/pubs/4.Rings.pdf (2014-06-10)


Page 1

China Summer School on Lattices and Cryptography

Craig Gentry and Shai Halevi

June 4, 2014

Homomorphic Encryption over Polynomial Rings

Page 2

The Ring LWE Problem (RLWE)

Page 3

Recall LWE

LWE (traditional formulation): Hard to distinguish between (A, b = As+e) and (A, b = uniform).

LWE (alternative formulation): Hard to distinguish whether matrix B = (b, A) is uniform, or there exists a vector t = (1, -s) such that e = B·t is short.

Matrices and vectors are over the ring Zq.

What if we put the matrices and vectors over a different ring – e.g., a polynomial ring?

Page 4

Polynomial Rings

Example: Zq[x]/(x^N - 1): polynomials of degree at most N-1 (so N coefficients) with coefficients in Zq.

Addition: Add the polynomials coefficient-wise modulo q.

Multiplication: Multiply the 2 polynomials, reduce the result modulo q and modulo x^N - 1, so that the final result has degree at most N-1 again:

a(x)·b(x) = Σ_{j,k} a_j·b_k·x^((j+k) mod N).

Example: Zq[x]/ΦN(x): polynomials modulo q and the N-th cyclotomic polynomial ΦN(x).

E.g., ΦN(x) = x^(N/2) + 1 when N is a power of 2.

Page 5

RLWE: LWE over Polynomial Rings

RLWE: Hard to distinguish between (A, b = As+e) and (A, b = uniform) when:

A ∈ R^(m×1), s ∈ R, and e ∈ R^m is a vector of “small” R-elements;

R is an appropriate polynomial ring: a cyclotomic ring where ΦN(x) has degree n = φ(N) suitably larger than the security parameter.

RLWE (alternative formulation): Hard to distinguish whether matrix B ∈ R^(m×2) is uniform, or there exists a vector t = (1, -s) ∈ R^2 such that e = B·t is short, where R is a polynomial ring.

“Hardness” comes from the high dimension of the ring, rather than the high dimension of the vectors.

[LPR10]: Worst-case/average-case reduction for “ideal lattices”

Page 6

Pros and Cons of RLWE (vs LWE)

Con: Security

LWE is as hard on average as worst-case problems over general (any) lattices

RLWE is as hard on average as worst-case problems over ideal lattices (a special type of lattice)

Pro: Efficiency

Fast Fourier Transform (FFT): multiplying ring elements is fast even if ring has high dimension

Takes O(n log n) time for rings of dimension n

Also, RLWE permits smaller public keys, larger plaintexts, and more efficient homomorphic computation.

Page 7

Regev’s Encryption Scheme with RLWE

In LWE-Regev, m = O(n log q).

For RLWE-Regev, m = O(log q).

Page 8

Regev’s Encryption Scheme with RLWE

If R has dimension n, Encryption takes time quasilinear in n. (In LWE-Regev with vectors of dim n, the time is quasi-quadratic in n.)

The plaintext space is larger: R2 instead of just {0,1}.

Page 9

Regev’s Encryption Scheme with RLWE

Page 10

The NTRU Encryption Scheme

Page 11

NTRU: Even Simpler Encryption Using Polynomial Rings

Secret key: Single small element s ∈ R.

Ciphertext: c encrypts μ ∈ {0,1} if:

c = (μ + 2·small)/s mod q

Security intuition: In a mod-q polynomial ring, ratios of small elements look random.

Page 12

NTRU Details

Page 13

NTRU Homomorphic Operations

Page 14

Key Switching from s1 to s2.

Page 15

Homomorphic Computation on Encrypted Arrays (SIMD Operations)

Page 16

Encrypted Arrays

Suppose we use a mod-15 plaintext space (not mod-2).

Z15 = Z3 × Z5 by the Chinese Remainder Theorem (CRT).

From one “big” plaintext space we get 2 independent “small” plaintext spaces. We call them two “plaintext slots”.

Suppose two ciphertexts c and c’ have (r3, r5) and (r3’, r5’) in their respective mod-3 and mod-5 “plaintext slots”:

cADD = ADD(c,c’) has (r3+r3’, r5+r5’) in its slots.

cMULT = MULT(c,c’) has (r3∙r3’, r5∙r5’) in its slots.

Homomorphic ops act component-wise, in parallel, on slots.

Page 17

Our Weird Cyclotomic Plaintext Space

SWHE in Polynomial Rings

Plaintext space is R2 = Z2[x]/ΦN(x).

The message μ(x) is a polynomial in R2.

μ has n bits, where n is the degree of ΦN(x).

NTRU example: μ = [[c·s]_q]_2 over the ring R (reduce c·s modulo q, then modulo 2).

Can we get many “plaintext slots” out of R2?

Sure…

Page 18

Our Weird Cyclotomic Plaintext Space

Via CRT, R2 decomposes into about N/log(N) plaintext slots of about log(N) bits apiece (for well-chosen N).

ADD and MULT work in parallel across the slots.

Via ring automorphisms, encrypted data can be moved between slots.

We have ADD, MULT, and PERMUTE.

Can evaluate boolean circuits with ciphertexts “packed”.

Reduces overhead.

The plaintext space R2 = Z2[x]/ΦN(x) has amazing properties! Much better than a mod-15 plaintext space!

Page 19

Chinese Remainder Theorem for Cyclotomic Rings

Choose N so that ΦN(x) factors mod 2 into t factors:

ΦN(x) = Π_{i=1..t} fi(x) mod 2. The degrees of f1, …, ft are d = φ(N)/t.

Chinese Remainder Theorem (CRT) – polynomial version

Z2[x]/ФN(x) = Z2[x]/f1(x) × … × Z2[x]/ft(x)

If ciphertexts c and c’ have (r1(x),…,rt(x)) and (r1’(x),…,rt’(x)) in their respective plaintext slots

cADD = ADD(c,c’) has (r1(x)+r1’(x), …, rt(x)+rt’(x)).

cMULT = MULT(c,c’) has (r1(x)∙r1’(x) mod f1(x), …, rt(x)∙rt’(x) mod ft(x)).

Homomorphic ops act component-wise, in parallel, on slots.

Page 20

SIMD (Single Instruction Multiple Data): Working on Data Arrays

[Figure: two arrays of length n, (8, 2, 0, 9, 3, 8, 0, 1, …, 4, 4) and (2, 1, 9, 5, 0, 7, 3, 6, …, 1, 2); n-ADD adds them entry by entry, giving (10, 3, 9, 14, 3, 15, 3, 7, …, 5, 6).]

Page 21

SIMD (Single Instruction Multiple Data): Working on Data Arrays

[Figure: the same two arrays of length n; n-MULT multiplies them entry by entry, giving (16, 2, 0, 45, 0, 56, 0, 6, …, 4, 8).]

Page 22

SIMD (Single Instruction Multiple Data): Working on Data Arrays

Great for computing the same function F on n different input strings.

We can do SIMD homomorphically.

[Figure: the function F applied entry by entry to the two arrays of length n, giving (3, 6, 3, 3, 4, 1, 7, 8, …, 8, 5).]

Page 23

Permuting Encrypted Arrays and Ring Automorphisms

Page 24

Beyond SIMD Computation

Goal: To reduce overhead for a single computation (rather than multiple computations in parallel):

Pack all input bits in just a few ciphertexts

Compute while keeping everything packed

How to do this?

Page 25

Are ADD and MULT a Complete Set of Operations? Yes, for bits.

[Figure: a circuit of + and × gates over the input bits x1 x2 x3 x4 x5 x7 x8 x9 x10 x11 x12 x14 x15 x16 x17 x18 x19, with the constants 0 and 1.]

ADD and MULT are a complete set of operations.

Page 26

Are ADD and MULT a Complete Set of Operations? No, for SIMD arrays.

[Figure: the same + / × circuit with the inputs x1 x2 x3 x4 x5 x7 x8 x9 x10 x11 x12 x14 x15 x16 x17 x18 x19 arranged as an array, and a second row x8 x9 x10 x11 x12 x14 x1 x2 x3 x4 x5 x7 in which the same entries sit in different slots.]

n-ADD and n-MULT are NOT a complete set of operations.

Page 27

n-ADD, n-MULT, n-PERMUTE: a complete set of SIMD ops on n-arrays

[Figure: starting from the array x1 x2 x3 x4 x5 x7, n-MULT by the mask (1, 0, 1, 0, 0, 0, 0) selects (x1, 0, x3, 0, 0, 0, 0) and n-MULT by the mask (0, 1, 0, 1, 0, 0, 0) selects (0, x2, 0, x4, 0, 0, 0); n-PERMUTE(π) moves the selected entries (the figure shows x1 x3 and x2 x4 in new positions), and a final n-ADD merges the two arrays into x1 x2 x3 x4.]

Page 28

How do we Evaluate n-Permute(π) homomorphically, without “decompressing” the packed ciphertexts?

Ring Automorphisms!

Page 29

Ring Automorphisms

For simplicity, let R = Z[x]/(x^n - 1), n prime.

Consider the map φk: R → R given by:

φk(a(x)) = a(x^k)

If gcd(k, n) = 1, φk permutes the coefficients of a(x).

If a(x) is “small”, then φk(a(x)) is also “small”.

Page 30

Ring Automorphisms

For simplicity, let R = Z[x]/(x^n - 1), n prime.

Consider the map φk: R → R given by:

φk(a(x)) = a(x^k)

If gcd(k, n) = 1, φk permutes the coefficients of a(x).

φk also permutes the evaluations of a(x) at the n-th roots of unity.

We can use φk to permute our plaintext slots.
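The two-slot plaintext space of Pages 19 and 30 worked through in an added Python example (not code from the slides or from any HE library): ΦN(x) for N = 7 factors mod 2 into x^3+x+1 and x^3+x^2+1, so R2 = Z2[x]/Φ7(x) has t = 2 slots of d = 3 bits; the block packs slot values by CRT, checks that ADD (XOR) and MULT act slot-wise, and applies the automorphism a(x) → a(x^3), which swaps the two slots, and a(x) → a(x^2), which leaves them in place. The choice N = 7 and the slot contents are this example's assumptions.

```python
# Polynomials over Z_2 are Python ints: bit i is the coefficient of x^i.
F1, F2 = 0b1011, 0b1101   # x^3+x+1 and x^3+x^2+1, the two factors of Phi_7(x) mod 2
PHI = 0b1111111           # Phi_7(x) = x^6+x^5+...+x+1 = F1*F2 over Z_2: t = 2 slots of d = 3 bits

def pmul(a, b):   # carry-less product in Z_2[x]
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = a << 1, b >> 1
    return r

def pmod(a, m):   # remainder of a modulo m in Z_2[x]
    while a and a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a

def pinv(a, m):   # inverse of a modulo m by the extended Euclidean algorithm in Z_2[x]
    r0, r1, u0, u1 = m, a, 0, 1
    while r1:
        quot = 0                              # long division: r0 = quot*r1 + remainder
        while r0 and r0.bit_length() >= r1.bit_length():
            sh = r0.bit_length() - r1.bit_length()
            quot ^= 1 << sh
            r0 ^= r1 << sh
        r0, r1, u0, u1 = r1, r0, u1, u0 ^ pmul(quot, u1)
    assert r0 == 1, "not invertible"
    return pmod(u0, m)

def mul_R2(a, b):   # MULT in the plaintext ring R_2 = Z_2[x]/Phi_7(x); ADD is plain XOR
    return pmod(pmul(a, b), PHI)

# CRT idempotents: E1 = 1 mod F1 and 0 mod F2, E2 the other way round.
E1 = mul_R2(F2, pinv(F2, F1))
E2 = mul_R2(F1, pinv(F1, F2))

def encode(r1, r2):   # pack slot values r1 (mod F1) and r2 (mod F2) into one element of R_2
    return mul_R2(r1, E1) ^ mul_R2(r2, E2)

def decode(mu):   # read the two slots back by reducing modulo each factor
    return pmod(mu, F1), pmod(mu, F2)

def automorphism(a, k):   # phi_k(a)(x) = a(x^k) mod Phi_7(x): sends x^i to x^(k*i)
    r = 0
    for i in range(a.bit_length()):
        if a >> i & 1: r ^= pmod(1 << (k * i), PHI)
    return r

def demo():
    """Slot-wise ADD/MULT, then slot permutation by the automorphisms x -> x^3 and x -> x^2."""
    mu, nu = encode(0b011, 0b101), encode(0b110, 0b010)   # constructed slot contents
    add_slots = decode(mu ^ nu)                   # (r1+s1, r2+s2)
    mult_slots = decode(mul_R2(mu, nu))           # (r1*s1 mod F1, r2*s2 mod F2)
    bits = encode(1, 0)                           # bit 1 in slot 1, bit 0 in slot 2
    return add_slots, mult_slots, decode(automorphism(bits, 3)), decode(automorphism(bits, 2))
```

Bits (0 and 1) move between slots unchanged; a general slot element is additionally carried through the isomorphism x → x^k between the two slot fields, so the automorphism is a pure permutation exactly when the slots hold constants.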

Page 31

Homomorphic Automorphisms

Page 32

Which Permutations Do the Automorphisms Give Us?

The “Basic” Permutations (a(x) → a(x^k)):

Only n (out of n!) of the possible permutations.

Think of the automorphisms as n-ROTATE(i), which rotates the n items i steps clockwise, like a dial.

Claim: For any permutation π, we can build n-PERMUTE(π) “efficiently” from n-ADD, n-MULT, and n-ROTATE(i).

(Benes permutation network)

Page 33

Asymptotic Efficiency Results

Overhead of HE = (encrypted comp. time)/(unencrypted comp. time)

With ciphertext packing, the overhead of RLWE-based or NTRU-based SWHE for security parameter k:

Overhead = poly(log qL, log w) = poly(L, log k, log w),

where L and w are circuit depth and width.

Page 34

Key Homomorphism and Multikey FHE

The Multikey FHE scheme of Lopez-Alt, Tromer, Vaikuntanathan

Page 35

Recall NTRU Homomorphic Operations

Page 36

Key Homomorphism in NTRU

Page 37

LATV Multikey FHE Scheme

[LATV12]: Cloud can (noninteractively) combine data encrypted under different keys. Individual secret keys are s1, …, sn.

Combined secret key is s1···sn.

To decrypt, all users whose data was used must cooperate.

Getting FHE: I showed how to combine keys to get multikey SWHE.

LATV show how to get multikey FHE.
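The ring arithmetic of Page 4, the NTRU encryption of Page 11 and the key homomorphism of Pages 36 and 37 in one added Python example (not code from the slides or from any NTRU or LATV implementation): ciphertexts c = (μ + 2·small)/s mod q in R = Zq[x]/(x^n + 1), decryption μ = [[c·s]_q]_2, and the multikey property that the sum and the product of ciphertexts under keys s1 and s2 decrypt under the combined key s1·s2. The toy parameters n = 16 and q = 2^40, the ternary noise and the choice s = 1 + 2·small (so that s is odd, its inverse comes from Hensel lifting, and cross-key addition is correct mod 2) are this example's assumptions, not the slides'.

```python
import random

n = 16        # ring dimension; R = Z[x]/(x^n + 1) = Z[x]/Phi_32(x) (toy size, constructed)
q = 1 << 40   # ciphertext modulus; a power of two so odd keys invert by Hensel lifting (constructed)
ONE = [1] + [0] * (n - 1)

def mul(a, b, mod=q):
    """a(x)*b(x) in Z_mod[x]/(x^n + 1); coefficient lists are low degree first."""
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n: r[i + j] += ai * bj
            else:         r[i + j - n] -= ai * bj   # x^n = -1 in this ring
    return [c % mod for c in r]

def add(a, b, mod=q):
    return [(x + y) % mod for x, y in zip(a, b)]

def centered(a):
    """[a]_q of the slides: every coefficient reduced into (-q/2, q/2]."""
    return [c - q if c > q // 2 else c for c in a]

def small(rng):
    """A 'small' ring element with ternary coefficients."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def keygen(rng):
    """Secret key s = 1 + 2*small (odd, hence invertible mod 2^k); returns (s, s^-1 mod q)."""
    s = [1 + 2 * c for c in small(rng)]
    u = ONE                                  # s^-1 mod 2 is 1 because s = 1 (mod 2)
    while mul(s, u) != ONE:                  # Newton step u <- u(2 - s*u) doubles the precision
        u = mul(u, add([2] + [0] * (n - 1), [(-c) % q for c in mul(s, u)]))
    return s, u

def encrypt(mu, s_inv, rng):
    """c = (mu + 2*small) / s mod q for a plaintext mu in R_2, given as n bits."""
    return mul(add(mu, [2 * c for c in small(rng)]), s_inv)

def decrypt(c, s):
    """mu = [[c*s]_q]_2: recover mu + 2*small exactly, then drop the even part."""
    return [x % 2 for x in centered(mul(c, s))]

def demo(seed=1):
    """Encrypt under two different keys s1, s2; ADD and MULT results decrypt under s1*s2."""
    rng = random.Random(seed)
    s1, s1_inv = keygen(rng)
    s2, s2_inv = keygen(rng)
    m1 = [rng.randrange(2) for _ in range(n)]
    m2 = [rng.randrange(2) for _ in range(n)]
    c1, c2 = encrypt(m1, s1_inv, rng), encrypt(m2, s2_inv, rng)
    joint = mul(s1, s2)                      # the combined secret key of the multikey scheme
    return (decrypt(c1, s1) == m1,
            decrypt(add(c1, c2), joint) == add(m1, m2, 2),
            decrypt(mul(c1, c2), joint) == mul(m1, m2, 2))
```

Each homomorphic operation grows the noise and, for MULT, the key; in the LATV scheme further levels need the modulus and key switching that the slides mention, which this single-operation example leaves out.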

Page 38

Thank You! Questions?

Page 39

Parameters and Running Times

Page 40

Parameter Sizes

L (levels)   N       n = φ(N)   (slot size, #slots)   log(qL)
10           11441   10752      (48, 224)             177
20           34323   21504      (48, 448)             368
30           31609   31104      (72, 432)             564
40           54485   40960      (64, 640)             762
50           59527   51840      (72, 720)             962
60           68561   62208      (72, 864)             1163
70           82603   75264      (56, 1344)            1366
80           92837   84672      (56, 1512)            1570

For L=60, ciphertext size is about 2n log q = 2×62208×1163 ≈ 14 million bits.

Page 41

Running Times

Run on a one-core machine with lots of RAM (256GB).

Number of Levels Needed      60
Key Generation               43 minutes
Encrypt AES State            2 minutes
Encrypt AES Key Schedule     23 minutes
Evaluate AES Round 1         7 hours
Evaluate AES Round 9         2 hours
Evaluate AES Round 10        28 minutes
Evaluate AES total           34 hours
Number of SIMD Blocks        54
Time Per Block               37 minutes
