China Summer School on Lattices and Cryptography
Craig Gentry and Shai Halevi
June 4, 2014

Homomorphic Encryption over Polynomial Rings

The Ring LWE Problem (RLWE)
Recall LWE

LWE (traditional formulation): Hard to distinguish between (A, b = As + e) and (A, b = uniform).
LWE (alternative formulation): Hard to distinguish whether the matrix B = (b, A) is uniform, or there exists a vector t = (1, -s) such that e = B·t is short.
Matrices and vectors are over the ring Z_q. What if we put the matrices and vectors over a different ring, e.g., a polynomial ring?
Polynomial Rings

Example: Z_q[x]/(x^N - 1): polynomials of degree at most N-1 (so N coefficients) over Z_q.
Addition: add the polynomials coefficient-wise modulo q.
Multiplication: multiply the two polynomials, then reduce the result modulo q and modulo x^N - 1 (i.e., set x^N = 1), so that the result again has degree at most N-1:
  a(x)·b(x) = Σ_{j,k} a_j · b_k · x^{(j+k) mod N}.
Example: Z_q[x]/Φ_N(x): polynomials modulo q and modulo the N-th cyclotomic polynomial.
E.g., Φ_N(x) = x^{N/2} + 1 when N is a power of 2.
RLWE: LWE over Polynomial Rings

RLWE: Hard to distinguish between (A, b = As + e) and (A, b = uniform) when:
  A ∈ R^{m×1}, s ∈ R, and e ∈ R^m is a vector of "small" R-elements;
  R is an appropriate polynomial ring: a cyclotomic ring where Φ_N(x) has degree n = φ(N) suitably larger than the security parameter.
RLWE (alternative formulation): Hard to distinguish whether the matrix B ∈ R^{m×2} is uniform, or there exists a vector t = (1, -s) ∈ R^2 such that e = B·t is short, where R is a polynomial ring.
"Hardness" comes from the high dimension of the ring, rather than from the high dimension of the vectors.
[LPR10]: worst-case/average-case reduction for "ideal lattices".
Pros and Cons of RLWE (vs. LWE)

Con: Security
  LWE is as hard on average as worst-case problems over general (any) lattices.
  RLWE is as hard on average as worst-case problems over ideal lattices (a special type of lattice).
Pro: Efficiency
  Fast Fourier Transform (FFT): multiplying ring elements is fast even if the ring has high dimension; it takes O(n log n) time for rings of dimension n.
  Also, RLWE permits smaller public keys, larger plaintexts, and more efficient homomorphic computation.
Regev's Encryption Scheme with RLWE

In LWE-Regev, m = O(n log q). For RLWE-Regev, m = O(log q).
If R has dimension n, encryption takes time quasilinear in n. (In LWE-Regev with vectors of dimension n, the time is quasi-quadratic in n.)
The plaintext space is larger: R_2 instead of just {0,1}.
The NTRU Encryption Scheme

NTRU: Even Simpler Encryption Using Polynomial Rings
Secret key: a single small element s ∈ R.
Ciphertext: c encrypts μ ∈ {0,1} if c = (μ + 2·small)/s mod q.
Security intuition: in a mod-q polynomial ring, ratios of small elements look random.

NTRU Details

NTRU Homomorphic Operations

Key Switching from s1 to s2
Homomorphic Computation on Encrypted Arrays (SIMD Operations)
Encrypted Arrays

Suppose we use a mod-15 plaintext space (not mod-2). By the Chinese Remainder Theorem (CRT), Z_15 = Z_3 × Z_5: from one "big" plaintext space we get two independent "small" plaintext spaces. We call them two "plaintext slots".
Suppose two ciphertexts c and c' have (r3, r5) and (r3', r5') in their respective mod-3 and mod-5 plaintext slots.
  cADD = ADD(c, c') has (r3 + r3', r5 + r5') in its slots.
  cMULT = MULT(c, c') has (r3·r3', r5·r5') in its slots.
Homomorphic ops act component-wise, in parallel, on the slots.
Our Weird Cyclotomic Plaintext Space

SWHE in polynomial rings: the plaintext space is R_2 = Z_2[x]/Φ_N(x).
The message μ(x) is a polynomial in R_2; μ has n bits, where n is the degree of Φ_N(x).
NTRU example: μ = [[c·s]_q]_2 over the ring R.
Can we get many "plaintext slots" out of R_2? Sure...
Via CRT, R_2 decomposes into about N/log(N) plaintext slots of about log(N) bits apiece (for well-chosen N).
ADD and MULT work in parallel across the slots.
Via ring automorphisms, encrypted data can be moved between slots.
So we have ADD, MULT, and PERMUTE, and can evaluate boolean circuits with the ciphertexts "packed". This reduces overhead.
The plaintext space R_2 = Z_2[x]/Φ_N(x) has amazing properties! Much better than a mod-15 plaintext space!
Chinese Remainder Theorem for Cyclotomic Rings

Choose N so that Φ_N(x) factors mod 2 into t factors: Φ_N(x) = Π_{i=1}^{t} f_i(x) mod 2. The degrees of f_1, ..., f_t are all d = φ(N)/t.
Chinese Remainder Theorem (CRT), polynomial version:
  Z_2[x]/Φ_N(x) ≅ Z_2[x]/f_1(x) × ... × Z_2[x]/f_t(x).
If ciphertexts c and c' have (r_1(x), ..., r_t(x)) and (r_1'(x), ..., r_t'(x)) in their respective plaintext slots:
  cADD = ADD(c, c') has (r_1(x) + r_1'(x), ..., r_t(x) + r_t'(x)) in its slots.
  cMULT = MULT(c, c') has (r_1(x)·r_1'(x) mod f_1(x), ..., r_t(x)·r_t'(x) mod f_t(x)) in its slots.
Homomorphic ops act component-wise, in parallel, on the slots.
SIMD (Single Instruction Multiple Data): Working on Data Arrays

[Figure: two arrays of length n combined entry-by-entry by n-ADD.]
[Figure: two arrays of length n combined entry-by-entry by n-MULT.]
[Figure: the same function F applied to each of the n entries of an array of length n.]
Great for computing the same function F on n different input strings. We can do SIMD homomorphically.
Permuting Encrypted Arrays and Ring Automorphisms

Beyond SIMD Computation
Goal: to reduce the overhead for a single computation (rather than for multiple computations in parallel):
  Pack all input bits in just a few ciphertexts.
  Compute while keeping everything packed.
How to do this?
Are ADD and MULT a Complete Set of Operations? Yes, for bits.

[Figure: a boolean circuit over the input bits x1, ..., x19 and the constants 0, 1, built only from + (ADD) and × (MULT) gates.]
ADD and MULT are a complete set of operations.
Are ADD and MULT a Complete Set of Operations? No, for SIMD arrays.

[Figure: the same + and × circuit, with the inputs x1, ..., x19 now spread across the slots of packed arrays; slot-wise n-ADD and n-MULT cannot combine values that sit in different slots.]
n-ADD and n-MULT are NOT a complete set of operations.
n-ADD, n-MULT, n-PERMUTE: a complete set of SIMD ops on n-arrays

[Figure: the array (x1, x2, x3, x4, x5, x7, ...) is masked by n-MULT with 0/1 selector arrays (keeping x1, x3 in one copy and x2, x4 in another), each copy is realigned by n-PERMUTE(π), and the copies are recombined by n-ADD into (x1, x2, x3, x4, ...): entries that started in different slots can now meet in the same slot.]
How do we evaluate n-PERMUTE(π) homomorphically, without "decompressing" the packed ciphertexts? Ring automorphisms!

Ring Automorphisms

For simplicity, let R = Z[x]/(x^n - 1), n prime. Consider the map φ_k: R → R given by φ_k(a(x)) = a(x^k).
If gcd(k, n) = 1, φ_k permutes the coefficients of a(x): the coefficient of x^i moves to x^{ik mod n}. If a(x) is "small", then φ_k(a(x)) is also "small".
φ_k also permutes the evaluations of a(x) at the n-th roots of unity: φ_k(a)(ζ) = a(ζ^k). We can use φ_k to permute our plaintext slots.
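The slot arithmetic of the mod-15 slide, the polynomial CRT for R_2 = Z_2[x]/Φ_N(x), and the automorphism-based slot permutation, worked through as an added example (this code is written for this page; it is not from the slides or from any homomorphic-encryption library). It assumes N = 7: Φ_7(x) = x^6 + ... + 1 factors mod 2 as (x^3 + x + 1)(x^3 + x^2 + 1), a standard factorization, giving t = 2 slots of d = 3 bits each. GF(2)[x] polynomials are represented as Python ints (bit i is the coefficient of x^i), and the names gf2_mul, to_slots, from_slots, automorphism and int_to_slots are this example's own.

```python
import math

# Added example, not from the slides.  GF(2)[x] polynomials are Python ints: bit i holds the
# coefficient of x^i.  With N = 7, Phi_7 = x^6+...+1 factors mod 2 into two cubics, so the
# plaintext ring R_2 = Z_2[x]/Phi_7 has t = 2 slots of d = 3 bits each.
N = 7
PHI = 0b1111111                      # Phi_7(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
FACTORS = (0b1011, 0b1101)           # f_1 = x^3 + x + 1,  f_2 = x^3 + x^2 + 1

def gf2_mul(a, b):
    """Carry-less (GF(2)[x]) product of two polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf2_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def gf2_inv_mod(a, m):
    """Inverse of a in GF(2)[x]/m by brute force (the slot fields here have only 8 elements)."""
    for u in range(1, 1 << (m.bit_length() - 1)):
        if gf2_mod(gf2_mul(a, u), m) == 1:
            return u
    raise ValueError("not invertible")

assert gf2_mul(*FACTORS) == PHI      # sanity check of the assumed factorization

def ring_add(a, b):                  # ADD in R_2
    return a ^ b

def ring_mul(a, b):                  # MULT in R_2
    return gf2_mod(gf2_mul(a, b), PHI)

def to_slots(a):
    """CRT map R_2 -> Z_2[x]/f_1 x ... x Z_2[x]/f_t:  a -> (a mod f_1, ..., a mod f_t)."""
    return tuple(gf2_mod(a, f) for f in FACTORS)

def from_slots(slots):
    """Inverse CRT: the unique a in R_2 with a mod f_i = slots[i] for every i."""
    a = 0
    for i, f in enumerate(FACTORS):
        others = 1
        for j, g in enumerate(FACTORS):
            if j != i:
                others = gf2_mul(others, g)
        # e_i is 1 mod f_i and 0 mod every other factor: the i-th "slot selector"
        e_i = gf2_mul(others, gf2_inv_mod(gf2_mod(others, f), f))
        a ^= gf2_mul(slots[i], e_i)
    return gf2_mod(a, PHI)

def automorphism(a, k):
    """phi_k(a)(x) = a(x^k): the coefficient of x^i moves to x^(i*k mod N).
    Working mod x^N - 1 and then reducing mod Phi_N is valid since Phi_N divides x^N - 1."""
    assert math.gcd(k, N) == 1
    b = 0
    for i in range(N):
        if (a >> i) & 1:
            b ^= 1 << (i * k % N)
    return gf2_mod(b, PHI)

# The integer analogue from the mod-15 slide: Z_15 = Z_3 x Z_5.
def int_to_slots(v):
    return (v % 3, v % 5)

def int_from_slots(r3, r5):
    return (r3 * 10 + r5 * 6) % 15   # 10 = (1 mod 3, 0 mod 5), 6 = (0 mod 3, 1 mod 5)
```

φ_2 is the Frobenius map x → x^2, which fixes each factor f_i and therefore leaves every slot in place; φ_3 sends the roots of f_1 to the roots of f_2 and back, so it swaps the two slots (a constant slot content such as 0 or 1 is untouched by the accompanying Frobenius twist, which is why the (1, 0) → (0, 1) check is clean). For larger N the same code works once the factors of Φ_N mod 2 are supplied; only the brute-force gf2_inv_mod would need replacing by an extended-Euclid inverse.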
Homomorphic Automorphisms
Which Permutations Do the Automorphisms Give Us?

The "basic" permutations (a(x) → a(x^k)): only n (out of n!) of the possible permutations.
Think of the automorphisms as n-ROTATE(i), which rotates the n items i steps clockwise, like a dial.
Claim: for any permutation π, we can build n-PERMUTE(π) "efficiently" from n-ADD, n-MULT, and n-ROTATE(i), using a Benes permutation network.
Asymptotic Efficiency Results

Overhead of HE = (encrypted computation time)/(unencrypted computation time).
With ciphertext packing, the overhead of RLWE-based or NTRU-based SWHE for security parameter k is
  Overhead = poly(log q_L, log w) = poly(L, log k, log w),
where L and w are the circuit depth and width.
Key Homomorphism and Multikey FHE

The Multikey FHE scheme of Lopez-Alt, Tromer, Vaikuntanathan

Recall NTRU Homomorphic Operations

Key Homomorphism in NTRU

LATV Multikey FHE Scheme
[LATV12]: the cloud can (noninteractively) combine data encrypted under different keys.
Individual secret keys are s_1, ..., s_n. The combined secret key is s_1···s_n.
To decrypt, all users whose data was used must cooperate.
Getting FHE: I showed how to combine keys to get multikey SWHE. LATV show how to get multikey FHE.
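The NTRU encryption rule c = (μ + 2·small)/s mod q, the decryption rule μ = [[c·s]_q]_2, homomorphic ADD and MULT, and the key homomorphism from the slides above (a product of ciphertexts under s_1 and s_2 decrypts under the combined key s_1·s_2), carried through as an added worked example. This is illustrative code written for this page, not the LATV scheme's reference code or any library's API. It assumes toy parameters chosen so the noise stays far below q/2 for one multiplication: N = 8, so the ring is Z_q[x]/(x^8 + 1) = Z_q[x]/Φ_16(x), q = 2^31 - 1 (prime), and key and noise coefficients in {-1, 0, 1}; these give no security. The polynomial helpers and all function names are this example's own.

```python
import random

# Added example, not from the slides: NTRU-style SWHE over R_q = Z_q[x]/(x^N + 1), where
# x^N + 1 = Phi_{2N} for N a power of 2.  Toy, assumed parameters (no security): N = 8 and a
# 31-bit prime q, small enough to run instantly and large enough to decrypt one product.
Q = 2147483647
N = 8
MODULUS = [1] + [0] * (N - 1) + [1]          # x^N + 1, coefficient of x^i at index i

# Polynomials over Z_q are lists of coefficients (index i = coefficient of x^i), trailing zeros removed.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, sign=1):
    """a + b (sign=1) or a - b (sign=-1) in Z_q[x]."""
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0)) % Q
                 for i in range(n)])

def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % Q
    return trim(r)

def pdivmod(a, m):
    """Long division in Z_q[x]; q is prime, so the leading coefficient of m is invertible."""
    a, inv_lead = trim(a[:]), pow(m[-1], -1, Q)
    quot = [0] * max(len(a) - len(m) + 1, 0)
    while a and len(a) >= len(m):
        c, d = a[-1] * inv_lead % Q, len(a) - len(m)
        quot[d] = c
        for i, y in enumerate(m):
            a[d + i] = (a[d + i] - c * y) % Q
        trim(a)
    return trim(quot), a

def ring(a):
    return pdivmod(a, MODULUS)[1]            # reduce into R_q, i.e. modulo x^N + 1

def pinv(a, m):
    """a^{-1} mod m via the extended Euclidean algorithm; ValueError if gcd(a, m) != 1."""
    r0, r1, t0, t1 = m, pdivmod(a, m)[1], [], [1]      # invariant: t_i * a = r_i (mod m)
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, padd(t0, pmul(q, t1), -1)
    if len(r0) != 1:
        raise ValueError("not invertible")
    return pdivmod(pmul(t0, [pow(r0[0], -1, Q)]), m)[1]

def centered(a):
    return [((c + Q // 2) % Q) - Q // 2 for c in a]   # representatives in (-q/2, q/2]

def small_poly(rng):
    return trim([rng.randint(-1, 1) % Q for _ in range(N)])

def keygen(rng):
    """Secret key: one small ring element s (retried until it is invertible mod q)."""
    while True:
        s = small_poly(rng)
        try:
            return s, pinv(s, MODULUS)
        except ValueError:
            pass

def encrypt(mu, s_inv, rng):
    """c = (mu + 2*e) / s mod q, with mu a 0/1 coefficient vector in R_2 and e small noise."""
    return ring(pmul(padd(mu, pmul([2], small_poly(rng))), s_inv))

def decrypt(c, s):
    """mu = [[c*s]_q]_2: multiply by the key, centre mod q, reduce mod 2."""
    return trim([x % 2 for x in centered(ring(pmul(c, s)))])

def hom_add(c1, c2):
    return padd(c1, c2)                      # both ciphertexts under the same key s

def hom_mul(c1, c2):
    return ring(pmul(c1, c2))                # c1 under s1, c2 under s2: result is under s1*s2

def plain_add(m1, m2):                       # reference results in R_2 for the checks below
    return trim([x % 2 for x in centered(padd(m1, m2))])

def plain_mul(m1, m2):
    return trim([x % 2 for x in centered(ring(pmul(m1, m2)))])

def demo(seed=2014):
    rng = random.Random(seed)                # fixed seed so the run is reproducible
    s1, s1_inv = keygen(rng)
    s2, s2_inv = keygen(rng)                 # a second user's key
    mu1, mu2 = trim([1, 0, 1, 1, 0, 0, 1, 0]), trim([0, 1, 1, 0, 1, 0, 0, 1])
    c1, c2 = encrypt(mu1, s1_inv, rng), encrypt(mu2, s1_inv, rng)   # same key
    c3 = encrypt(mu2, s2_inv, rng)                                   # under s2
    return {
        "decrypt_ok": decrypt(c1, s1) == mu1,
        "add_ok": decrypt(hom_add(c1, c2), s1) == plain_add(mu1, mu2),
        "mul_ok": decrypt(hom_mul(c1, c2), ring(pmul(s1, s1))) == plain_mul(mu1, mu2),
        "multikey_ok": decrypt(hom_mul(c1, c3), ring(pmul(s1, s2))) == plain_mul(mu1, mu2),
    }

if __name__ == "__main__":
    print(demo())
```

Decryption works because c·s = μ + 2e exactly modulo q, and the product of ciphertexts under s_1 and s_2 satisfies c_1·c_2·s_1·s_2 = (μ_1 + 2e_1)(μ_2 + 2e_2) modulo q; as long as that product's coefficients stay below q/2 after reduction modulo x^N + 1 (here at most 8·3^2 = 72), centring mod q recovers it exactly and reducing mod 2 leaves μ_1·μ_2. Each further multiplication squares the noise and lengthens the key, which is what modulus reduction and key switching (from s_1·s_2 back to a single key) address in the full scheme.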
Thank You! Questions?

TIME EXPIRED
Parameters and Running Times

Parameter Sizes

L (levels)   N       n = φ(N)   (slot size, #slots)   log(q_L)
10           11441   10752      (48, 224)             177
20           34323   21504      (48, 448)             368
30           31609   31104      (72, 432)             564
40           54485   40960      (64, 640)             762
50           59527   51840      (72, 720)             962
60           68561   62208      (72, 864)             1163
70           82603   75264      (56, 1344)            1366
80           92837   84672      (56, 1512)            1570

(In every row, slot size × #slots = n.) For L = 60, the ciphertext size is about 2·n·log q = 2 × 62208 × 1163 ≈ 1.45 × 10^8 bits, roughly 18 MB.
Running Times

Run on a one-core machine with lots of RAM (256 GB).

Number of levels needed       60
Key generation                43 minutes
Encrypt AES state             2 minutes
Encrypt AES key schedule      23 minutes
Evaluate AES round 1          7 hours
Evaluate AES round 9          2 hours
Evaluate AES round 10         28 minutes
Evaluate AES total            34 hours
Number of SIMD blocks         54
Time per block                37 minutes