cse208: advanced cryptographycseweb.ucsd.edu/classes/fa20/cse208-a/slides.pdf · 2020. 12. 10. ·...

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208: Advanced Cryptography

Daniele Micciancio

Fall 2020

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 1

Introduction

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Graduate Level Advanced CryptographyPrerequisites:

CSE207 or equivalentSolid theoretical background, cryptographic definitions, etc.Some programming

Past topics: Zero Knowledge, Functional Encryption,Secure Computation, etc.Not required: CSE206A (Lattice Algorithms)

Reading:no textbookmostly research paperssee course webpage, canvas, etc.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Fall 2020 Topic

Fully Homomorphic Encryption:Encryption schemes that supports the evaluation ofarbitrary programs on encrypted inputs

Applications:secure outsourced computingbuilding block for MPC and more

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Brief History of Homomorphic Encryption

1978: Rivest, Adleman & Dertouzos posed the problem2009: Gentry 2009 proposed the first candidate solution2010-2020: Work towards more efficient solutions based onstandard complexity assumptions (Brakerski,Vaikuntanathan, Gentry, Halevi, Smart, . . . )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Software libraries

IBM HElib (Halevi & Shoup)Microsoft SEALNJIT/Duality PALISADE (Rohloff, Cousins & Polyakov)Functional Lattice Cryptography LoL (Crockett & Peikert)Fastest FHE of the West FHEW (Ducas & Micciancio)FHE over the Torus TFHE (Chillotti, Gama, Georgieva &Izabachene)Approximate FHE HEAAN (Cheon, Kim, Kim & Song)

In the News:February 21, 2019: Microsoft SEAL open sourcehomomorphic encryption library gets even better for .NETdevelopers!June 4, 2020: IBM releases FHE toolkit for MacOS andiOS; Linux and Android Coming Soon

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Software libraries

IBM HElib (Halevi & Shoup)Microsoft SEALNJIT/Duality PALISADE (Rohloff, Cousins & Polyakov)Functional Lattice Cryptography LoL (Crockett & Peikert)Fastest FHE of the West FHEW (Ducas & Micciancio)FHE over the Torus TFHE (Chillotti, Gama, Georgieva &Izabachene)Approximate FHE HEAAN (Cheon, Kim, Kim & Song)

In the News:February 21, 2019: Microsoft SEAL open sourcehomomorphic encryption library gets even better for .NETdevelopers!June 4, 2020: IBM releases FHE toolkit for MacOS andiOS; Linux and Android Coming Soon

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homework and Evaluation

Homework assignments:3 assignments, due within one week from assignment dateCover theoretical/mathematical topics

Small Project:Goal: Try to use one of the many HE librariesNot much coding, but you will have to write and compile afew lines of codeEvaluated primarily based on written report

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homework and Evaluation

Homework assignments:3 assignments, due within one week from assignment dateCover theoretical/mathematical topics

Small Project:Goal: Try to use one of the many HE librariesNot much coding, but you will have to write and compile afew lines of codeEvaluated primarily based on written report

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Administrivia:

Course webpage: http://cseweb.ucsd.edu/classes/fa20/general course informationpointers to papers and other reading material

Canvas:recording of lectureshomework distribution/collectiongradesdiscussion board

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Course Schedule (Tentative)

Week 1: Introduction and Definition

FHE DefinitionGentry’s Boostrapping theoremHomework 1 out

Week 2-4: Fundamental techniques based on general lattices

LWE encryptionLinear Homomorphic computationsKey Switching and Proxy re-encryptionNested encryption and homomorphic multiplicationCiphertext Tensoring and homomorphic multiplicationHomomorphic Decryption and Bootstrapping algorithmsHomework 2 out

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Week 5: Algebraic Number Theory

I really hope you like math!Homework 3 out

Week 6-10: Efficient FHE from Ring LWE

Message packing techniquesLinear transformations on structured matricesOther FHE schemes: GHS, BFV,FHEW, AP13, TFHE,CKKS . . .

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 2

Defining FHE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Public Key Encryption

PKE(Gen ,Enc ,Dec)Gen: () → (pk,sk)Enc: (pk,m) → cDec: (sk,c) → m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of PKE

For every (sk,pk)← Gen() and m ← [M], r ← [R]:

Dec(sk,Enc(pk,m;r)) = m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Chosen Plaintext Attack (CPA) security

Ciphertext Indistinguishability under Chosen PlaintextAttackExperiment:INDCPAgame(b:{0 ,1})

(sk,pk) ← Gen()A(pk) → (m0,m1)b' ← A(Enc(pk,mb))return b':{0 ,1}

Definition

Adv(A) = |Pr(Game (0)=1) - Pr(Game (1)=1)|

DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CPA secure if anypolynomial time A has advantage Adv(A)~ 0

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Chosen Plaintext Attack (CPA) security

Ciphertext Indistinguishability under Chosen PlaintextAttackExperiment:INDCPAgame(b:{0 ,1})

(sk,pk) ← Gen()A(pk) → (m0,m1)b' ← A(Enc(pk,mb))return b':{0 ,1}

Definition

Adv(A) = |Pr(Game (0)=1) - Pr(Game (1)=1)|

DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CPA secure if anypolynomial time A has advantage Adv(A)~ 0

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Significance of CPA security

Adversary can choose messages m0, m1

No assumption about input distributionAdversary may have partial information about messagesAdversary may influence the choice of messages

Ciphertext c = Enc(pk,mb) is computed honestly

Adversary cannot tamper with ciphertexts

Adversary models a passive attacker

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Definition of CCA security

DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CCA secure if anypolynomial time A has advantage Adv(A)≈0 in the followinggame.

Game(b:{0 ,1})(sk,pk) ← Gen()A[D](pk) → (m0,m1)c ← Enc(pk,mb)b' ← A[D'](c)return b':{0 ,1}

A[D] is an adversary with oracle access toD(x) = Dec(sk,x)

A[D'] uses a modified oracle (next slide)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

IND-CCA1 vs IND-CCA2

There are two variants of CCA security, depending on the typeof oracle given to the adversary after receiving the challengeciphertext:

IND-CCA1 security: No decryption oracle after receivingthe challengeD'(x) = Nil

IND-CCA2 security: decrypt any ciphertext, except thechallenge c

D'(x) =

if (x?= c)

then Nilelse Dec(sk,x)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Significance of CCA security

Goal: model active attacks, where adversary can tamperwith ciphertexts

Standard notion for regular encryption schemes

IND-CCA2 theoretically equivalent to non-malleableencryption

Any attempt to modify a ciphertext should be detected

Seems incompatible with homomorphic encryption

Ability to modify ciphertexts can be a useful featureHomomorphic encryption is perfectly malleable

We will not consider CCA security

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Significance of CCA security

Goal: model active attacks, where adversary can tamperwith ciphertexts

Standard notion for regular encryption schemes

IND-CCA2 theoretically equivalent to non-malleableencryption

Any attempt to modify a ciphertext should be detected

Seems incompatible with homomorphic encryption

Ability to modify ciphertexts can be a useful featureHomomorphic encryption is perfectly malleable

We will not consider CCA security

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homomorphic Encryption: first attempt

Assume f: M →M

f(Enc(pk,m)) = Enc(pk,f(m))

Eval(pk,f, Enc(pk,m)) = Enc(pk,f(m))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homomorphic Encryption: second attempt

Dec(sk,Eval(pk,f, Enc(pk,m))) = f(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Multi-input functions

Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )

k-ary function f: (m1,...,mk) →m

Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???

Dec(sk,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Multi-input functions

Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )

k-ary function f: (m1,...,mk) →m

Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???

Dec(sk ,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Multi-key Homomorphic encryption

Assume multiple users: P1,P2, ...Each user has a key (pair): Pi : (pki , ski )Data is encrypted and sent to different usersc1 ← Enc(pk1,m1)...ct ← Enc(pkt ,mt )

Users pool data together to perform a joint computation onc1, ..., ct

Final result is an encryption of f (m1, ...,mt) under whatkey?Eval (???,f,c1 ,...,ct ))

~ Enc(???, f(m1 ,...,mt ))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Multi-key Homomorphic encryption

Assume multiple users: P1,P2, ...Each user has a key (pair): Pi : (pki , ski )Data is encrypted and sent to different usersc1 ← Enc(pk1,m1)...ct ← Enc(pkt ,mt )

Users pool data together to perform a joint computation onc1, ..., ct

Final result is an encryption of f (m1, ...,mt) under whatkey?Eval (???,f,c1 ,...,ct ))

~ Enc(???, f(m1 ,...,mt ))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Restricting Homomorphic Encryption

FHE is a useful and challenging problem already in thesingle key setting

In order to appropach the problem we will further restrict itby parametrizing by a set of allowedcomputations/functions Func = {f: ....} where eachf: (M,...,M)→ M may take a different number of arguments

More generally, one many consider functionsf:(M1, ...,Mk) →M taking inputs from different sets (types),e.g., ifThenElse: (Bool,Int,Int)→Int

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Examples and Function Composition

(M,+, 0): abelian group, e.g., “fixed size” integers(modulo N)Addition: f (x1, ...xt) = x1 + ...+ xtScalar multiplication: ga(x) = a · xLinear combinations: h(x1, ...xt) =

∑i 2i−1xi

1-hop, n-hop, multi-hop: can functions f be composed?

h(x1, ..., xt) = f (g1(x1), ..., g2t−1(xt))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Examples and Function Composition

(M,+, 0): abelian group, e.g., “fixed size” integers(modulo N)Addition: f (x1, ...xt) = x1 + ...+ xtScalar multiplication: ga(x) = a · xLinear combinations: h(x1, ...xt) =

∑i 2i−1xi

1-hop, n-hop, multi-hop: can functions f be composed?

h(x1, ..., xt) = f (g1(x1), ..., g2t−1(xt))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of Function Composition

Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)

QuestionDoes it follow that

ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)

Dec(sk,ctZ)?= z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of Function Composition

Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)

QuestionDoes it follow that

ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)

Dec(sk ,ctZ)?= z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Formalizing Restricted Composition

Restrict scheme to a set F of strongly typed functions:

f : M1 × . . .Mk → M0

Enc,Dec,Eval are given type information

We can use types to bound computation depth:

Start from f : M → MDefine Mi = M for i = 1, ..., nDefine fi : Mi → Mi+1, where fi (x) = f (x)

F = {f } allows arbitrary composition

F = {f0}: no composition

F = {f0, f1, ..., fn}: bounded depth composition

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Formalizing Restricted Composition

Restrict scheme to a set F of strongly typed functions:

f : M1 × . . .Mk → M0

Enc,Dec,Eval are given type information

We can use types to bound computation depth:

Start from f : M → MDefine Mi = M for i = 1, ..., nDefine fi : Mi → Mi+1, where fi (x) = f (x)

F = {f } allows arbitrary composition

F = {f0}: no composition

F = {f0, f1, ..., fn}: bounded depth composition

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

(Multi-hop) Correctness Game

State: (initially empty) list L of message-ciphertext pairsCorrectFHEgame () = (sk,pk) ← Gen()

L ← []A[E,F](pk)(m,c) ← last(L)return (Dec(sk,c) 6= m)

E(m) = c ← Enc(pk,m)L ← L;(m,c)return c

F(f,I) = (ms,cs) ← unzip L[I]m ← f(ms)c ← Eval(pk,f,cs)L ← L;(m,c)return c

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Terminology

Reading papers, you will find references to

Fully Homomorphic EncryptionSomewhat Homomorphic EncryptionLeveled Fully Homomorphic Encryptionetc.

We will use FHE as a catchall term

Definition is parametrized by a set of functions FFunctions in F can be composed only if their types matchF is closed under compositionCan use “phantom” types to limit composition

We will rarely define F formally, but it is a useful exercise

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Terminology

Reading papers, you will find references to

Fully Homomorphic EncryptionSomewhat Homomorphic EncryptionLeveled Fully Homomorphic Encryptionetc.

We will use FHE as a catchall term

Definition is parametrized by a set of functions FFunctions in F can be composed only if their types matchF is closed under compositionCan use “phantom” types to limit composition

We will rarely define F formally, but it is a useful exercise

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security of Homomorphic Encryption

INDCPAgame(b:{0 ,1})(sk,pk) ← Gen()A(pk) → (m0,m1)return A(Enc(pk,mb)): {0,1}

RemarkThe IND-CPA security definition depends only on Gen and Enc,but not on Dec (or Eval)

QuestionCan the IND-CPA security definition be applied as it is to FHEschemes (Gen,Enc,Dec,Eval)?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

A trivial FHE scheme

Consider the following FHE scheme:

Let (Gen,Enc,Dec) be IND-CPA secureDefine TrivialFHE = (Gen,Enc',Dec',Eval)

Enc '(pk,m) = (Enc(pk,m) ,[])Dec '(sk ,(ct ,[])) = Dec(sk,ct)Dec '(sk ,(ct ,[f;fs])) = f(Dec '(sk ,(ct,fs)))Eval(pk,f,(ct ,[fs])) = (ct ,[f;fs])

QuestionIs TrivialFHE a correct FHE scheme?Is TrivialFHE a secure FHE scheme?What makes the above scheme “trivial”?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Compactness

The TrivialFHE scheme is both correct and secure

The problem with TrivialFHE is that it is not efficient:

Computation is performed by Dec, not Eval!

DefinitionA FHE scheme is compact if the size of ciphertextct = Eval(pk,f,Enc(pk,m)) is independent of Size(f)

Weaker forms of compactness:

Ciphertext size may grow logarithmic with Size(f)Ciphertext size may depend on Depth(f)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Function Privacy

f0(x,y) = x + yf1(x,y) = y + x

Game[A](b: {0,1})(sk,pk) ← Gen()ctX ← Enc(pk,x)ctY ← Enc(pk,y)ct ← Eval(pk,fb,ctX ,ctY)return A(ct)

QuestionAssume (Gen,Enc,Dec,Eval) is a secure FHE scheme. Can anefficient adversary A recover the bit b = Game[A](b) ?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Passive Attacks to FHE

Game[A](b: {0,1})(sk,pk) ← Gen()State ← []b' ← A[E,D,F](pk)return b'

Adversary has access to three stateful oracles:

Encryption oracle: E(m0,m1)

Function Evaluation oracle: F(f0,f1,I)Decryption oracle: D(i)

Joint State: List of message-message-ciphertext triplets(m0,m1,ct)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Passive Attack (oracles)

E(m0,m1) = ct ← Enc(pk,mb)State ← (State;(m0,m1,ct))return ct

F(f0,f1,I) = (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,fb,cts)m0 ← f0(ms0)m1 ← f1(ms1)State ← State;(m0,m1,ct)return ct

D(i): (m0,m1,ct) ← State[i]if (m0 ≡m1)

then return Dec(sk,ct)else return Nil

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Passive Attack with/without function privacy

The game we just described guarantees function privacyA similar definition without function privacy can beobtained by requiring f0≡f1 in the function evaluationqueries

F'(f,I): (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,f,cts)m0 = f(ms0)m1 = f(ms1)State ← (State;(m0,m1,ct))return ct

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Example: Circuit Privacy

Assume messages are single bits m: {0,1}

Let FHE=(Gen,Enc,Dec,Eval) a function private FHEscheme supporting NAND(x,y)= not (x && y)

EvalC(pk,C,...): evaluates boolean circuitC: {0, 1}n →{0,1} one gate at a time usingEval(pk,NAND,...)

Let C0,C1 : NAND circuits with the same number ofinputs and NAND gates(sk,ps)← Gen()

Let xs0, xs1 be input bits such that C0(xs0) = C1(xs1)

QuestionAre the following two distributions indistinguishable?

(pk ,EvalC(pk, C0, Enc(pk,xs0)))(pk ,EvalC(pk, C1, Enc(pk,xs1)))

% CSE208: Advanced Cryptography % Daniele Micciancio %Fall 2020

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 3

Bootstrapping

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping

For simplicity: fix message space to {0, 1}

HE=(Gen,Enc,Dec,Eval)

Homomorphic functions: Func = { nand }Supports only bounded computations: Depth(C)< D

QuestionCan we use HE to build a FHE scheme supporting arbitrarycircuits/functions?

The process of building FHE from HE is called“bootstrapping”

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping

For simplicity: fix message space to {0, 1}

HE=(Gen,Enc,Dec,Eval)

Homomorphic functions: Func = { nand }Supports only bounded computations: Depth(C)< D

QuestionCan we use HE to build a FHE scheme supporting arbitrarycircuits/functions?

The process of building FHE from HE is called“bootstrapping”

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decryption as a boolean function

Everything is a sequence of bits

Secret key sk: {0, 1}k

Ciphertext ct: {0, 1}l

Dec(sk,ct): {0,1}

Usually we think of Dec as a function

described by secret key skmapping ciphertext ct to message bit Dec(sk,ct): {0,1}

But we can also think of Dec as a function

described by ciphertext ctmapping secret key sk to message bit Dec(sk,ct): {0,1}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Dec(sk,ct): {0,1}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Dec(sk,ct): {0,1}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homomorphic Decryption

Fix a ciphertext cDefine fc : sk 7→ Dec(sk, c)Assume Size(fc) < S, Depth(fc) < DLet bk[1..k] = Enc(pk,sk[1..k])

QuestionWhat is the result of the following computation?

EvalC(pk,fc ,bk[1..k])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Proxy Re-encryption

Primary key: (pk,sk)

Secondary key: (pk1,sk1)

Re-encryption key: rk = Enc(pk1,sk[1..k])

Input ciphertext c = Enc(pk,m)

Decryption function fc(sk) = Dec(sk,c)

EvalC(pk1 ,fc ,rk)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decrypt and compute (unary)

Homomorphic Encryption (Gen,Enc,Dec,Eval)

Assume Func = { fc | c: CipherText } wherefc (sk) = not (Dec(sk,c))

(pk,sk) ← Gen()ek = Enc(pk,sk)c = Enc(pk,m)

EvalC(pk,fc ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decrypt and compute (unary)

Assume Func = { fc | c: CipherText } wherefc (sk) = not (Dec(sk,c))

(pk,sk) ← Gen()ek = Enc(pk,sk)c = Enc(pk,m)

EvalC(pk,fc ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decrypt and compute (binary)

Assume Func = { fc,c′ | c,c': CipherText } wherefc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

(pk,sk) ← Gen()ek ← Enc(pk,sk)c ← Enc(pk,m)c' ← Enc(pk,m')

EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decrypt and compute (binary)

Assume Func = { fc,c′ | c,c': CipherText } wherefc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

(pk,sk) ← Gen()ek ← Enc(pk,sk)c ← Enc(pk,m)c' ← Enc(pk,m')

EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping

Given (1-hop) (Gen,Enc,Dec,Eval) supporting functionsfc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

Define (multi-hop) FHE scheme with Func = { nand }

Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))

Enc '((pk,ek),m) = Enc(pk,m)

Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping

Eval '((pk ,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness

Let (Gen',Enc',Dec,Eval') be the new encryption scheme

TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then

Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'

Strong correctness property:Dec(sk,Eval '((pk,ek),nand ,c,c')

= Dec(sk,c) nand Dec(sk,c')

for any ciphertexts c,c' !

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness

Let (Gen',Enc',Dec,Eval') be the new encryption scheme

TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then

Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'

Strong correctness property:Dec(sk ,Eval '((pk,ek),nand ,c,c')

= Dec(sk,c) nand Dec(sk,c')

for any ciphertexts c,c' !

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security

Assume FHE = (Gen,Enc,Dec,Eval) is IND-CPA secureBuild new scheme FHE':

Is FHE' IND-CPA secure?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Leveled Homomorphic Encryption

Goal: build a FHE supporting NAND circuits of depth upto L, for any given LKey generation procedure takes L as input:

Gen '(L) =for (i=0..L)

(sk[i],pk[i]) ← Gen()for (i=1..L)

ek[i] = Enc(pk[i],sk[i-1])sk' = sk[0..L]pk' = pk[0..L],ek[1..L]return (sk ',pk ')

Enc '(pk',m) = Enc(pk[0],m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Leveled Homomorphic Encryption

Goal: build a FHE supporting NAND circuits of depth upto L, for any given LKey generation procedure takes L as input:

Gen '(L) =for (i=0..L)

(sk[i],pk[i]) ← Gen()for (i=1..L)

ek[i] = Enc(pk[i],sk[i-1])sk' = sk[0..L]pk' = pk[0..L],ek[1..L]return (sk ',pk ')

Enc '(pk',m) = Enc(pk[0],m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

FHE Today

State of the artWe can build leveled FHE from standard LWE assumption

Built using bootstrappingInefficient, but better than nothing

Open problemBuild (non-leveled) FHE from standard LWE

In practice, one can apply bootstrapping withek = Enc(pk,sk)

Much smaller key than leveled FHENo known attacks to circular securityStill, it is not known how to prove security

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 4

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linear equations

q: integer modulusZq: integers modulo qA ∈ Zn×m

q : matrixb ∈ Zn

ProblemGiven A, b, find x ∈ Zm such that Ax = b (mod q)

ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)

QuestionWhich problem can be efficiently solved?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Worst-case vs Average-case hardness

ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)

NP-hard: no polynomial time algorithm unless P=NP

Is it hard to solve on the average?

For what probability distribution?

A← Zn×mq

x ← {0, 1}m

b = Ax (mod q)

Is f : (A, x) 7→ (A,Ax mod q) is a One-Way Function?

For what values of n,m, q?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

One-Way Functions

Definitionf : D → R is a one-way function if for any PPT algorithm IPr{InvertGame(I)} ≈0 whereInvertGame:

x ← Dy = f(x)x' ← I(y)

return (f(x')?= y)

D = Zn×mq × {0, 1}m

R = Znq

f (A, x) = Ax mod qAsymptotics: q(m) = 2poly(m), n(m) = poly(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

One-Way?

A← Zn×m

x ← {0, 1}mf (A, x) = Ax mod q

QuestionIs f a one-way function when

1 q = 2m, n = m2 q = 2m, n = m/23 q = m, n = m/24 q = m, n =

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Short Integer Solution (SIS) problem

Parameters:

modulus qdimensions n < mbound β

ProblemSIS: Given A ∈ Zn×m

q and b ∈ Znq, find x ∈ Zm such that

Ax = b (mod q) and ‖x‖ ≤ β

More generally: x ∈ S ⊂ Zm

Special cases:

S = {x : ‖x‖ ≤ β}S = {0, 1}m

S = {x : ‖x‖∞ ≤ β}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Systematic Form

Assume n < m (e.g., n = m/2)Let A = [I,A′] ∈ Zn×m for some A′ ∈ Zn×(m−n)

LemmaIf SIS is hard, then SIS’ is hard

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Learning With Errors

SIS’: A = [I,A′] ∈ Zn×m where n < m (say, n = m/2)Let x = (e, s)Ax = [I,A′](e, s) = A′s + e

ProblemLWE: Given A′ and b, find small e, s such that A′s + e = b

ProblemLWE: Given A′ and b, find small e, s such that A′s ≈ b

Notice:

A′ ∈ Zn×nq

A′s = b is easy to solveA′s ≈ b seems hard

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE problem

Notation:

secret s ← Znq, usually chosen at random

modulus q(n) = poly(n)A← Zm×n

qerror e ← χm, usually |ei | ≈

b = As + e ∈ Zmq

ProblemSearch LWE: Given A and b, find s

Each row of A gives an approximate equation 〈a, s〉 ≈ bif m� n, then s is uniquely determinedStill, hard to find s

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Uniform vs Small secrets

LemmaIf LWE is hard for s ← χn, then it is hard for s ← Zn

Proof: Assume Adv solves LWE with uniform s ← Znq

Adv '(A,b)s ← Zn

qb' = b + Ass' = Adv(A,b')return (s' - s)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Uniform vs Small secrets

LemmaIf LWE is hard for s ← χn, then it is hard for s ← Zn

Proof: Assume Adv solves LWE with uniform s ← Znq

Adv '(A,b)s ← Zn

qb' = b + Ass' = Adv(A,b')return (s' - s)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decisional LWE (DLWE)

DefinitionLWE distribution:

LWE[q,n,m] =do A ← Zm×n

qs ← Zn

qe ← χm

b = As+ereturn (A,b)

DefinitionDecisional LWE (DLWE): distinguish LWE[q,n,m] fromUniform(Zm×(n+1)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decision to Search reduction

TheoremIf DLWE is hard, then LWE is hard

Proof:

Assume Adv solves LWEGiven Adv' that solves DLWE

Adv '(A,b):s ← Adv(A,b)if (As ≈ b)

then return "LWE"else return "random"

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decision to Search reduction

TheoremIf DLWE is hard, then LWE is hard

Proof:

Assume Adv solves LWEGiven Adv' that solves DLWE

Adv '(A,b):s ← Adv(A,b)if (As ≈ b)

then return "LWE"else return "random"

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Search vs Decision

Is (Search) LWE harder than DLWE?

TheoremIf Seach LWE is hard for any m = poly(n), then DLWE is alsohard for any m = poly(n)

TheoremFor any m = poly(n), if Seach LWE is hard, then DLWE is alsohard for any m = poly(n)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE Search to Decision reduction (easy version)

Assume Adv can distinguish LWE from uniformTask: Given A,b, find s such that As ≈b (mod q)

Assumption: s is unique (holds with very high probability)We show how to check if si = γ:

Adv(A,b):a ← Zm

A' = A + [0..0,a ,0..0]b' = b + γ acase Adv(A',b') of

"LWE" : return si = c"random" : return si 6= c

Recover all entries of s, one at a time

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

(Decisional) LWE Assumption

In the rest of the course we will just assume that DLWE ishard

There are several variants of the assumption:

Uniform vs. small secret sDifferent (always small) error distributions e ← χFixed vs unbounded number of samples mDifferent values of qConcrete hardness assumptions

By and large all variants are equivalent up to polynomialreductions

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

How to Encrypt with LWE

Fix secret s in Znq

LWE samples (ai , bi ) where ai ∈ Znq and bi ∈ Z

Polynomially many samples (ai , bi ) for i = 1, 2, ...DLWE: the bi values are pseudorandomIdea: use bi as a one-time pad to encrypt a messate m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE Symmetric Encryption

Gen():s ← Zn

qreturn s

Enc(s,m):a ← Zn

qe ← χb = 〈a, s〉 + e + m

Dec(s,(a,b)):return (b - 〈a, s〉)

Is this a valid encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Symmetric Encryption

SKE(Gen ,Enc ,Dec)Gen: () → skEnc: (sk,m) → cDec: (sk,c) → m

Correctness: for every sk ← Gen() and m ← [M], r ← [R]:

Dec(sk,Enc(sk,m;r)) = m

QuestionIs this a valid encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correcting from errors

Ciphertext modulus qMessage modulus p (assume p divides q)Message space: m ∈ Zp

Enc(s,m) = (a,b) wherea ← Zn

q, e ←χ

b = 〈a, s〉 + e + (q/p)m

Dec(s,(a,b)) = round(c*p/q)) wherec = b - 〈a, s〉 mod q

LemmaIf |e| < β then Dec(s,Enc(s,m;a,e))= m

QuestionFor what value of β is the lemma correct?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

IND-CPA security for symmetric encryption

INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[LR]return b':{0 ,1}

LR(m0,m1):ct ← Enc(sk,mb)return ct

Similar LR security definition can be given also for PKE:A[LR](pk) is given pk and oracle access to LR

Previous PKE INDCPAgame allows only one query to LR

QuestionWhy can restrict PKE INDCPAgame to one query?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security of LWE symmetric encryption

Assume |e| < β = q/(2p) for all e ← χIs LWE INDCPAgameSKE secure?

TheoremAssume DLWE holds for a given q(n) and any m = poly(n).Then LWE symmetric encryption is INDCPA secure, i.e., anyadversary Adv has negligible advantage in the INDCPAgameSKEdistinguishing game.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

RR-CPA security

LWE encryption satisfies a stronger security property:ciphertext indistinguishability from random

INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[RR]return b':{0 ,1}

RR(m):ct0 ← Enc(sk,m)ct1 ←Zn+1

qreturn ctb

“Real or Random” oracle RR

RR-CPA security also provides a form of anonimity

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LeftRight vs RealRand security

TheoremIf a (SKE or PKE) scheme is INDCPA-RR secure, then it is alsoINDCPA-LR secure.

RemarkA (SKE or PKE) scheme can be INDCPA-LR secure, but notINDCPA-RR secure.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Compact LWE Encryption

Ciphertext expansion: bitsize(ct)/ bitsize(m)

Compact LWE SKE (Gen,Enc,Dec)

Gen():

S ← Zl×nq

return S

Enc(S,m) = (a,b)a ← Zn

qe ← χl

b = Sa + e + round((p/q)m)

Dec(S,(a,b)):c ← b - St a) mod qreturn round(c*p/q)

TheoremCompact LWE SKE is correct and INDCPA-RR secure

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Ciphertext Expansion

Compact LWE encryption:

Key S ∈ Zl×nq

Message m ∈ Zlp

Encryption Enc(S,m)= (a,b) where b = Sa + e + mp/q

Ciphertext (a, b) ∈ Zn+lq

QuestionWhat is the ciphertext/plaintext size ratio?

Example:

Enc(f,x;r)= (f(r),H(r)⊕m) where f : {0, 1}k → {0, 1}k

Enc(f,.):{0, 1}m→{0, 1}m+k

Ciphertext expansion: (m + k)/m = 1 + (k/m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 5

Linearity

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE Symmetric Encryption

Gen():s ← Zn

qreturn s

Enc(s,m):a ← Zn

qe ← χb = 〈a, s〉 + e + (q/p)mreturn (a,b)

Dec(s,(a,b)):d = b - 〈a, s〉 mod qreturn (round(d*p/q))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Compact (Matrix) LWE

Gen():

S ← Zl×nq

return S

Enc(S,M) = (A,B)A ← Zn×w

qE ← χl×w

B = SA + E + round((p/q)M) mod q

Dec(S,(A,B)):D ← B - SA mod qreturn round(D*p/q)

Notation:

[A,B]: horizontal concatenation(A,B): vertical concatenation

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linearity of the LWE function

Let LWE(S,X;A,E)= SA + X + E be the raw LWE functionEncryption: Enc(S,M)= LWE(S,(q/p)M; A,E) for random A,E

Linear properties:LWE(S,X;A,E) + LWE(S,X';A',E')

= LWE(S,X+X';A+A',E+E')

LWE(S,X;A,E) - LWE(S,X';A',E')= LWE(S,X-X';A-A',E-E')

c*LWE(S,X;A,E) = LWE(S,c*X; c*A,c*E)

Key Homomorphism:LWE(S,X;A,E) + LWE(S',X';A,E')

= LWE(S+S',X+X'; A, E+E')

Ciphertexts must use the same A!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linearity of the LWE function

Let LWE(S,X;A,E)= SA + X + E be the raw LWE functionEncryption: Enc(S,M)= LWE(S,(q/p)M; A,E) for random A,E

Linear properties:LWE(S,X;A,E) + LWE(S,X';A',E')

= LWE(S,X+X';A+A',E+E')

LWE(S,X;A,E) - LWE(S,X';A',E')= LWE(S,X-X';A-A',E-E')

c*LWE(S,X;A,E) = LWE(S,c*X; c*A,c*E)

Key Homomorphism:LWE(S,X;A,E) + LWE(S',X';A,E')

= LWE(S+S',X+X'; A, E+E')

Ciphertexts must use the same A!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linearity of Ciphertexts

Ciphertexts that “encrypt” X under S with error E.

DefinitionLWE(S,X;E) = { (A,B): B = LWE(S,X;A,E)}

LWE(S,X;β) = { (A,B) : B = LWE(S,X;A,E), |E |∞ < β }

LWE(S,X;E)+ LWE(S,X';E')⊆ LWE(S,X+X';E+E')

LWE(S,X;E)- LWE(S,X';E')⊆ LWE(S,X-X';E-E')

c*LWE(S,X;E)⊆ LWE(S,c*X; c*E)

QuestionLWE(S,X;β) + LWE(S,X';β′) ⊆LWE(S,X+X';β + β′) ?

QuestionLWE(S,X;β) - LWE(S,X';β′) ⊆LWE(S,X+X';β − β′) ?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Message and Ciphertext Operations

Addition:

M0 + M1 ∈ Zl×wq

(A0,B0) + (A1,B1) = (A0 + A1,B0 + B1) ∈ Z(n+l)×wq

Subtraction

M0 −M1 ∈ Zl×wq

(A0,B0)− (A1,B1) = (A0 − A1,B0 − B1) ∈ Z(n+l)×wq

Scalar multiplication

c ·M ∈ Zl×wq

c · (A,B) = (c · A, c · B) ∈ Z(n+l)×wq

Arbitrary linear transformations . . .

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Additive Homomorphism Encryption

Homomorphic Encryption supporting the addition ofciphertexts

sk ← Gen()c0 ← Enc(sk, m0)c1 ← Enc(sk, m1)c = c0 + c1m = m0 + m1

Dec(sk,c)?= m

QuestionDoes LWE encryption satisfy the addititive homomorphicproperty? For what error bound |χ| < β?

QuestionIs ciphertext c distributed according to Enc(m0+m1)?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Summation

Homomorphic Encryption supporting the addition ofciphertexts

sk ← Gen()c1 ← Enc(sk, m1)c2 ← Enc(sk, m2)...ck ← Enc(sk, mk )c = c1 + c2 + ... + ckm = m1 + m2 + ... + mk

Dec(sk,c)?= m

QuestionFor any given bound |χ| < β, what is the largest value of k forwhich one can add k ciphertexts?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Subtraction and Scalar multiplication

Subtraction m0 −m1 : similar to addition m0 + m1±1-linear combinations: similar to summationScalar multiplication c ·m: error grows by a factor cCiphertexts can be multiplied only by small scalars!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Concatenation

LWE(S,X;A,E)= SA + X + E

S ∈ Zk×nq

A ∈ Zn×wq

X ,E ∈ Zk×wq

The same S can be used with messages X with any numberof columns w

Message Concatenation X | X' = [X,X']

Definition(A,B) | (A',B')= ([A,A'],[B,B'])

TheoremLWE(S,X;A,E)| LWE(S,X';A',E)⊆LWE(S,[X,X'];[A,A'],[E,E'])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linear Transforms

Left multiplication by a constant matrix: M → M T

Ciphertext C = LWE(S,M;E)

Notice: M and C have the same number of columnsWe can apply T to C: C → CT

TheoremLWE(S,X;A,E)*T ⊆LWE(S,XT;AT,ET)LWE(S,X;E)*T ⊆LWE(S,XT;ET)

Special case:

Addition: C + C' = [C|C']T for T=(I,I)Subtraction: C - C' = [C|C']T for T=(I,-I)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Constant Messages

QuestionCan you compute an LWE encryption of a message M withoutknowing the secret key S?

I pick S ← Gen() and keep it secretGoal: find ciphertext C such that Dec(S,C)= M

Let (A,B) = (O,(q/p)M)

Dec(S,(A,B))= (p/q)(B - SA)= M

We write Const(M) for the constant ciphertext (O,(q/p)M)

Remarks:

The ciphertext C is independent of SC = LWE((q/p)M;0) is a “noiseless” encryption of M

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Constant Messages

QuestionCan you compute an LWE encryption of a message M withoutknowing the secret key S?

I pick S ← Gen() and keep it secretGoal: find ciphertext C such that Dec(S,C)= M

Let (A,B) = (O,(q/p)M)

Dec(S,(A,B))= (p/q)(B - SA)= M

We write Const(M) for the constant ciphertext (O,(q/p)M)

Remarks:

The ciphertext C is independent of SC = LWE((q/p)M;0) is a “noiseless” encryption of M

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Constant Messages as Homomorphic properties

LWE(S,M;E)+ LWE((q/p)M';0)= LWE(S,M+M';E)

Homomorphism for “nullary functions” fM() = M

Given an empty sequence of ciphertexts [], produce anencryption of fM([]) = M

Homomorphism for unary functions fM(M ′) = M + M ′

Given an encryption of M ′, produce an encryption of theshifted message M + M ′

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Circular security

A PKE scheme is “circular secure” if one can securlypublish the encryption Enc(pk,sk).A SKE scheme is “circular secure” if one can securlypublish the encryption Enc(sk,sk).

DefinitionA PKE scheme (Gen,Enc,Dec) is circular secure if(Gen',Enc',Dec) is IND-CPA secure where

Gen '():(sk ,pk) ← Gen()ct ← Enc(pk,sk)pk' = (pk,ct)

Enc '((pk ,ct),msg) = Enc(pk,msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Application: Public key encryption

Can we transform Secret Key Encryption to Public KeyEncryption?

Not in general: black box separationsImpagliazzo’s worlds: Minicrypt vs Cryptomania

What if we start from an Additively Homomorphic SKEscheme?

Black box separation results break down

What about a weakly (bounded) additive scheme?

What about our LWE SKE scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Application: Public key encryption

Can we transform Secret Key Encryption to Public KeyEncryption?

Not in general: black box separationsImpagliazzo’s worlds: Minicrypt vs Cryptomania

What if we start from an Additively Homomorphic SKEscheme?

Black box separation results break down

What about a weakly (bounded) additive scheme?

What about our LWE SKE scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

PKE: Construction

Start from SKE (Gen,Enc,Dec)

Construct a PKE (Gen',Enc',Dec)

Gen '():sk ← Gen()for i=1..n

pk[i] ← Enc(sk ,0)pk = pk[1..n]return (sk,pk)

Enc '(pk,msg):for i=1..n

r[i] ← {0,1}ct = Const(msg) + sum { pk[i] : r[i] = 1 }return ct

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of PKE

Dec(sk, msg+Enc(sk ,0) +...+ Enc(sk ,0))= msg + 0 + ... + 0 = msg

TheoremIf SKE is (1-hop) homomorphic under constant increment andn-summation, then PKE is correct.

TheoremIf SKE is (1-hop) homomorphic under constant increment andhn-summation, then PKE is correct and homomorphic underconstant increment and n-summation.

QuestionAssume SKE is an IND-CPA secure and homomorphic. Is PKEsecure?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of PKE

Dec(sk, msg+Enc(sk ,0) +...+ Enc(sk ,0))= msg + 0 + ... + 0 = msg

TheoremIf SKE is (1-hop) homomorphic under constant increment andn-summation, then PKE is correct.

TheoremIf SKE is (1-hop) homomorphic under constant increment andhn-summation, then PKE is correct and homomorphic underconstant increment and n-summation.

QuestionAssume SKE is an IND-CPA secure and homomorphic. Is PKEsecure?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

For what value of n?

Certainly not secure for n = 1 (or even n = 0!)

What about large n?

How large?

Answer: Secure, for large enough n and any additivelyhomomorphic SKE [Rothblum, TCC 2011]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

The case of LWE SKE

Consider the PKE scheme obtained from our LWE-basedSKEGen '():

S ← Gen()P = Enc(S,0) |..| Enc(S,0) = Enc(S ,[0..0])return (S,P)

Enc '(P,M):R ← {0, 1}∗PR + Const(M)

TheoremLWE PKE is RR-IND secure.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Universal Hashing

DefinitionA function family H = {h : X → Y |h} is 2-universal if for anya, b ∈ X ,

{(h(a), h(b))|h ∈ H} ≡ {(f (a), f (b))|f : X → Y }

Let (X ,+) be an additive groupFor any vector a ∈ Xn, define the subset-sum functionh(a, S) =

∑{ai : i ∈ S}

QuestionWhich of the following function families is 2-universal?

1 {ha : S → h(a,S)|a ∈ Xn}2 {hS : a→ h(a,S)|S ⊆ {1, .., n}}3 Both4 Neither

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Universal Hashing (continued)

ha(S) =∑

i∈S ai is not 2-universal

What about ga,b(S) = b + ha(S)?

Yes, this is 2-universalProve it as an exercise

{ha : {0, 1}n → X}a still satisfies a weaker property whichis enough for our purposes

DefinitionFor any a 6= b, Prh{h(a) = h(b)} = 1/|X |

We will refer to this weaker property as 2-universal’

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Universal Hashing: proof

LemmaFor any group (X ,+), the function family {ha(S) =

∑i∈S ai}a

is 2-universal’, i.e., for all S 6= T we havePrh{h(S) = h(T )} = 1/|X |

Proof.

Let j ∈ S \ TFix ai for all i 6= jLet T ′ = T \ S and S ′ = S \ (T ∪ {i})c =

∑i∈T ′ ai −

∑i∈S′ ai does not depend on aj

ha(S) = ha(T ) iff aj = cPr{aj = c} = 1/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Leftover Hash Lemma

LemmaFor any 2-universal’ family {h : X → Y |h ∈ H}, the distributions{(h, h(x))|h← H, x ← X}{(h, y)|h← H, y ← Y }

are within statistical distance ∆ ≤√|Y |/|X |.

Proof Steps:

1 If H is 2-universal’, then (H,H(X )) has small collisionprobability

2 If (H,H(X )) has small collision probability, then it isstatistically close to uniform

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Collision Probability and Uniformity

Z ,Z ′ i.i.d., with Pr{Z = z} = p(z)

DefinitionCollision Probability:C(Z ) = Pr{Z = Z ′} =

∑z p(z)2

∑z(p(z)− 1/|Z |)2 = C(Z )− 1/|Z |

Norm inequality: ∀v ∈ Rn.‖v‖1 ≤√n‖v‖2

∆(Z ,U) = 12

∑z |p(z)− 1/|Z ||

∆ ≤ 12√|Z |

√∑z(p(z)− 1/|Z |)2

∆ ≤ 12√|Z |C(Z )− 1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Collision Probability and Uniformity

Z ,Z ′ i.i.d., with Pr{Z = z} = p(z)

DefinitionCollision Probability:C(Z ) = Pr{Z = Z ′} =

∑z p(z)2

∑z(p(z)− 1/|Z |)2 = C(Z )− 1/|Z |

Norm inequality: ∀v ∈ Rn.‖v‖1 ≤√n‖v‖2

∆(Z ,U) = 12

∑z |p(z)− 1/|Z ||

∆ ≤ 12√|Z |

√∑z(p(z)− 1/|Z |)2

∆ ≤ 12√|Z |C(Z )− 1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Collision Probability of Universal Hashing

Z = (H,H(X )), 2-universal function family H : X → Y

Collision Probability of Z :

C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )

C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]

Union bound:

Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |

C ≤ 1H ( 1|X | + 1

Using |Z | = |H| · |Y | we get

∆ ≤ 12√|Z |C − 1 = 1

2√|Y |/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]

Union bound:

C ≤ 1H ( 1|X | + 1

∆ ≤ 12√|Z |C − 1 = 1

2√|Y |/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]

Union bound:

C ≤ 1H ( 1|X | + 1

∆ ≤ 12√|Z |C − 1 = 1

2√|Y |/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]

Union bound:

C ≤ 1H ( 1|X | + 1

∆ ≤ 12√|Z |C − 1 = 1

2√|Y |/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security of LWE PKE

Gen(): S,E ← ...P = Enc(S ,[0..0]) = (A,SA+E)return (S,P)

Enc(P,M): R ← {0, 1}∗return PR + Const(M)

Proof:

1 Assume Adv breaks PKE2 LWE Assumption: P = (A,SA+E)≈(A,B)3 Adv breaks RR-CPA when P is uniform4 If P is uniform, then (P,PR) is close to uniform

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security of LWE PKE

Gen(): S,E ← ...P = Enc(S ,[0..0]) = (A,SA+E)return (S,P)

Enc(P,M): R ← {0, 1}∗return PR + Const(M)

Proof:

1 Assume Adv breaks PKE2 LWE Assumption: P = (A,SA+E)≈(A,B)3 Adv breaks RR-CPA when P is uniform4 If P is uniform, then (P,PR) is close to uniform

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Details

Claim: (P,PR) is close to uniform

Enough to look at a single column (P,Pr)

Statement for matrix (P,PR) follows by hybrid argument

P: r →Pr is 2-universal

Columns of P belong to a group (Zn+lq ,+)

r selects a subset of the columns of PApply Leftover Hash Lemma

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homomorphic PKE

Enc(P,M)= PR + Const(M)

Enc(P,M)+ Enc(P,M')= PR + Const(M)+ PR' + Const(M')=

P(R+R')+ Const(M+M')

Enc(P,M)+ Enc(P,M')≈Enc(P,M+M')

Noise: E+E'

[ Enc(P,M)| Enc(P,M')] = Enc(P,[M|M'])

Noise: [E|E']

Enc(P,M)T ≈Enc(P,MT)

Noise: ETT must be small

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Homomorphic PKE

Enc(P,M)= PR + Const(M)

Enc(P,M)+ Enc(P,M')= PR + Const(M)+ PR' + Const(M')=

P(R+R')+ Const(M+M')

Enc(P,M)+ Enc(P,M')≈Enc(P,M+M')

Noise: E+E'

[ Enc(P,M)| Enc(P,M')] = Enc(P,[M|M'])

Noise: [E|E']

Enc(P,M)T ≈Enc(P,MT)

Noise: ETT must be small

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Encoding modulo q

Ciphertext modulus q. Assume q = 2k

Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryption

What if we want to encrypt msg ∈ Zq?

write msg =∑

i mi2i , where mi ∈ {0, 1}Encrypt each bit individually: Enc(m0),...,Enc(mk)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Encoding modulo q

write msg =∑

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Encoding modulo q

write msg =∑

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Encoding modulo q

Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryptionEnc(m: {0, 1}k ) = (a,Sa+e+(q/2)m)

bitDecomp(msg: Zq) =for i=0..k-1

m[i] = (msg >> i) mod 2return m[]

Enc '(msg: Zq) =return (Enc(bitDecomp(msg))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linear Encoding

Bit encoding: (msg:Zq)→(m[*]:{0, 1}k)

good: works for any message spacebad: breaks linear homomorphic properties

We need to use a linear encoding function:

(msg:Zq)→(m[*]:Zkq)

msg → msg*(1,2,4,8,...)

Column encoding:

pow2col = (1,2,4,8,...)Enc'(S,msg)= LWE(S,msg*pow2col)= (a,b)

Row encoding:

pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Linear Encoding

Bit encoding: (msg:Zq)→(m[*]:{0, 1}k)

good: works for any message spacebad: breaks linear homomorphic properties

We need to use a linear encoding function:

(msg:Zq)→(m[*]:Zkq)

msg → msg*(1,2,4,8,...)

Column encoding:

pow2col = (1,2,4,8,...)Enc'(S,msg)= LWE(S,msg*pow2col)= (a,b)

Row encoding:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decoding modulo q

QuestionCan you decryptEnc'(S,msg)= LWE(S,msg*pow2col)= (a,b)?Can you decryptEnc'(s,msg)= LWE(s,msg*pow2row)= (A,b)?For what error bound |e|∞ < β?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decryption algorithm

Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b) whereb = sA+e+msg*pow2row

Dec '(s,(A,b)):msg ← 0for i=0...(k-1)

ct ← (A[k-i-1],b[k-i-1] - msg*2k−i )m[i] ← Dec(s,ct)msg ← msg+m[i]<<(i)

return msg

Theorem(Gen,Enc',Dec') is a valid encryption algorithm for β = q/4

QuestionDoes a similar algorithm work for pow2col?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Decryption algorithm

Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b) whereb = sA+e+msg*pow2row

Dec '(s,(A,b)):msg ← 0for i=0...(k-1)

ct ← (A[k-i-1],b[k-i-1] - msg*2k−i )m[i] ← Dec(s,ct)msg ← msg+m[i]<<(i)

return msg

Theorem(Gen,Enc',Dec') is a valid encryption algorithm for β = q/4

QuestionDoes a similar algorithm work for pow2col?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Arbitrary linear transformations

Starting point: Enc() linearly homomorphic for small t

Enc(P,m)*t ≈Enc(P,mt)problem: error grows by a factor t

What about computations modulo q?

Multiplying by any t ∈ Zq

Compute tBin[] = bitDecomp(t)Compute scalar product with vector tBin[]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Arbitrary linear transformations

Starting point: Enc() linearly homomorphic for small t

Enc(P,m)*t ≈Enc(P,mt)problem: error grows by a factor t

What about computations modulo q?

Multiplying by any t ∈ Zq

Compute tBin[] = bitDecomp(t)Compute scalar product with vector tBin[]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness of scalar multiplication

Enc '(s,msg) * tBin[]= LWE(s,msg*pow2row;e) * tBin[]= LWE(s,msg*pow2row*tBin [];e*tBin [])= LWE(s,msg*t;e')

pow2row * tBin[] =∑

i 2i ·tBin[i] = t

if |e| < β, then |e′| = |∑

i ei · tBin[i ]| ≤ k · βError grows only by k = log q

Problem:

result msg*t is a value modulo qEnc(s,msg*t;e') is not properly encodedwe need an encryption of msg*t*pow2row

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

i 2i ·tBin[i] = t

if |e| < β, then |e′| = |∑

Problem:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

i 2i ·tBin[i] = t

if |e| < β, then |e′| = |∑

Problem:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Constant Multiplication algorithm

Enc'(s,msg)= LWE(s,msg*pow2row)

Enc'(s,msg)* bitDecomp(t)= LWE(s,msg*t;e')

CMul(C,t):T = bitDecomp(t * pow2row)return C * T

Proof:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Extensions and Generalizations

Matrix messagesM ⊗ pow2row = [M,M*2,M*4,M*8 ,...]

Arbitrary message modulus:round(m*(q/p),m*(q/p)/2,m*(q/p)*4 ,...)

Other gadgets, e.g., based on Chinese Remainder Theorem

q =∏

i pi product of small primesencoding vector crtRow = [q/p1,q/p2,...,q/pk]crtRow * crtDecomp(t)= t

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Summary

At this point we have an encryption algorithmEnc '(S,M) = LWE(S,M ⊗ pow2row)

with message space Zw×lq , and supporting the homomorphic

evaluation of the following operations:

Const(M): noiseless encryption of M(+): addition of ciphertexts(-): subtraction of ciphertextsCMul(.,T): multiplication by any linear transformationmodulo q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 6

Key Switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remember Proxy Re-encryption?

Eval(pk1 ,fc ,rk)

QuestionCan you implement proxy re-encryption using LWE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remember Proxy Re-encryption?

Eval(pk1 ,fc ,rk)

QuestionCan you implement proxy re-encryption using LWE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE-based Proxy Re-encryption?

sk[1..n] ∈ Znq

sk '[1..n] ∈ Znq

Enc(sk,msg) = LWE(sk,msg*pow2row) = (A[],b[])rk[i] = Enc(sk ',sk[i])

Dec '(sk ,(A,b))[j] = b[j] -∑

i sk[i] * A[i,j]≈ msg*pow2row

Dec(sk ,(A,b)) = decode(Dec '(sk ,(A,b)))

QuestionCan you compute Dec' homomorphically?Does it give you a proxy re-encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE-based Proxy Re-encryption

Enc(sk,msg) = LWE(sk,msg*pow2row)rk[i] = Enc(sk ',sk[i])Dec '(sk ,(A,b)) = b[j] -

∑i sk[i] * A[i,j]

Goal: homomorphically evaluate the functionfA,b(sk) = Dec '(sk ,(A,b))Eval(fA,b,rk) = ?

Solution: Eval(fA,b,rk) = ct

ct[j] = Const(b[j]) -∑

i CMul(rk[i],A[i,j])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE-based Proxy Re-encryption

Enc(sk,msg) = LWE(sk,msg*pow2row)rk[i] = Enc(sk ',sk[i])Dec '(sk ,(A,b)) = b[j] -

∑i sk[i] * A[i,j]

Goal: homomorphically evaluate the functionfA,b(sk) = Dec '(sk ,(A,b))Eval(fA,b,rk) = ?

Solution: Eval(fA,b,rk) = ct

ct[j] = Const(b[j]) -∑

i CMul(rk[i],A[i,j])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Key Switching

Generalize proxy re-encryption:

sk,sk' may have different dimensions and moduliEnc(sk,.), Enc'(sk',.) may use different plaintextmoduli and message encodings

Example

Message space msg: ZpCiphertext modulus qsk[1..n], sk'[1..n] ∈ Zn

qEnc(sk,m)= LWE(sk,(q/p)*msg) mod qEvaluation key: rk[i] = Enc(sk',sk[i])

Do you see any problem?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Key Switching

Source scheme:msg: Zpsk[1..n] ∈ Zn

qEnc(sk,msg) = LWE(sk, q

p msg) = (a[],b) mod q

Target scheme:msg ': Zq

sk '[1..n'] ∈ Zn′q

Enc '(sk',msg ') = LWE(sk',msg '* pow2row)

Evaluation:ek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =

Const(b) -∑

i CMul(a[i],ek[i])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness

msg: Zp; sk[1..n] ∈ Znq

msg ': Zq; sk '[1..n'] ∈ Zn′q

Enc(sk,msg) = LWE(sk, qp msg) = (a[],b) mod q

ek[i] = Enc '(sk',sk[i])

KeySwitch(ek ,(a[],b))= Const(b) -

∑i CMul(a[i],ek[i])

= Const(b) -∑

i CMul(a[i],Enc '(sk',sk[i]))

= LWE(sk ',b -∑

i a[i]*sk[i])= LWE(sk ', q

p msg + e)

= Enc(sk ',msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness

msg ': Zq; sk '[1..n'] ∈ Zn′q

= Const(b) -∑

= LWE(sk ',b -∑

p msg + e)

= Enc(sk ',msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Correctness

msg ': Zq; sk '[1..n'] ∈ Zn′q

= Const(b) -∑

= LWE(sk ',b -∑

p msg + e)

= Enc(sk ',msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks

Source and Target schemes may use different moduli

Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)

Input ciphertext may use compact (matrix) LWE

Enc(SK,msg[])= LWE(SK, qp msg[])

RK' = Enc'(SK',SK)

Key Switching:

Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'

Input/Output can use arbitrary encoding, e.g.,

Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks

RK' = Enc'(SK',SK)

Key Switching:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks

RK' = Enc'(SK',SK)

Key Switching:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks

RK' = Enc'(SK',SK)

Key Switching:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Sub-key Switching

Application: reduce key size SK → SK'

Always: SK,SK' must have the same number of rowsOften SK is a “sub-matrix” of SK = [SK',SK'']

Switching Key[RK',RK"] = Enc '(SK',SK)

= Enc '(SK ',[SK ' | SK ''])= [Enc '(SK',SK ') | Enc '(SK',SK")]

But RK' is publicly known! (remeber circular security?)Can use a smaller switching key RK" = Enc'(SK',SK")

QuestionDoes it work? What if SK"=[]? Then, RK"=[] and SK = SK'!Is it trivial? Is it useful?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Modulus switching

Subkey switching from SK to SK'=SK can still be useful tochange the ciphertext modulus from q to q'

So far we used the simplifying assumption that p|q

Switching from q to q' requires a switching key with

plainext modulus qciphertexst modulus q'but if q|q', this only allows to increase the modulus

(Sub-)Key Switching works also for p 6 |q

but introduces a “small” rounding errorfor subkey switching the rounding error if proportional to SKswitching to a smaller modulus requires “small” key SK

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Subkey and Modulus Switching

Subkey switching

Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m

QuestionGive explicit description of SubkeySwitch algorithm

Modulus switching

Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m

QuestionGive explicit description of ModSwitch algorithm

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Subkey switching

Modulus switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Subkey switching

Modulus switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Subkey switching

Modulus switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 7

Multiplication

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

What we have done so far

Simple LWE Encryption: private key encryption supporting

small message modulus (p � q)homomorphic additionhomomorphic multiplication by small constantsenough to obtain public key encryptioncircular security (for small keys)

Extended LWE Encryption to support

large message modulus (p = q)homomorphic multiplication by arbitray constantscircular security (for arbitary keys)key switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Next: Homomorphic Multiplication

ProblemGiven Enc(sk,msg[0]) and Enc(sk,msg[1]), compute aciphertext ct such that Dec(sk,ct)= msg[0]*msg[1]

Can this be done for our LWE encryption scheme?

Can it be done with the help of some additional keymaterial?

Yes, in fact, there are multiple ways to do it

Nested encryptionHomomorphic decryptionTensor product

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Method 1: Nested Encryption

msg[0],msg[1] ∈ Zqct[0] = Enc(sk[0],msg[0])

ct[1] = Enc(sk[1],msg[1])

Multiply encryption of msg[0] by ct[1]

ct[0] * ct[1]= Enc(sk[0],msg [0]) * ct[1]= Enc(sk[0],msg [0]*ct[1])

Inner multiplication:msg [0]*ct[1]= msg [0]* Enc(sk[1],msg [1])= Enc(sk[1],msg [0]* msg [1])

Final result: Enc(sk[0],Enc(sk[1],msg[0]*msg[1]))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Details

ct[1] = Enc(sk[1],msg[1]) is a vector!

ct[0] = Enc(sk[0],msg[0]*I)(msg[0]*I)*ct[1] = msg[0]*ct[1]

msg[0]*Enc(sk[1],msg[1];e[1])= Enc(sk[1],msg[0]*msg

[1]; msg[0]*e[1])

Assume msg[0] is small (e.g., ,10,1)May set Enc(sk[1],msg[1])= LWE(sk[1],(q/2)*msg[1])

Using Enc(sk[0],Enc(sk[1],msg))

Keep nesting?Ciphertexts get larger and larger!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Key Nesting

Recall: Enc(S,M)= LWE(S,M)= (A,S*A + E + M)

Claim: Nested encryption Enc(Z,Enc(S,M))= Enc(Z�S,M)

QuestionFor what key Z�S?

S:Z[k,n], Z:Z[n+k,n]Z = (Zn,Zk) where Zn[n,n] and Zk[k,n]

Z�S = [S*Zn + Zk, S] = [S,I]ZEnc(Z,Enc(S,m;e);e')= Enc(Z�S,m; e")e" = e + [S,I]e'Key S needs to be small!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Key Nesting

Recall: Enc(S,M)= LWE(S,M)= (A,S*A + E + M)

Claim: Nested encryption Enc(Z,Enc(S,M))= Enc(Z�S,M)

QuestionFor what key Z�S?

S:Z[k,n], Z:Z[n+k,n]Z = (Zn,Zk) where Zn[n,n] and Zk[k,n]

Z�S = [S*Zn + Zk, S] = [S,I]ZEnc(Z,Enc(S,m;e);e')= Enc(Z�S,m; e")e" = e + [S,I]e'Key S needs to be small!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Nested Encryption + (Sub)Key Switching

Combine nested multiplication with key switching:

Input keys: Z,S

Evaluation key: W = Enc(S,[S,I]Z;F)

Input ciphertexts:CT[0] = Enc(Z,msg[0]*I;E[0])CT[1] = Enc(S,msg[1]*I;E[1])

Output: SubkeySwitch(W,CT[0]*CT[1])= Enc(S,msg*I;E)msg = msg[0]*msg[1]E = msg[0]*E[1] + [S,I]*E[0]*X + F*Y for binarymatrices X,Y

Key S needs to be small!Security Assumption: Standard LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Method 1.5: Homomorphic Decryption

Assume both ciphertexts use the same key S

Nested Encryption:1 Homomorphic multiplication: Enc(S,msg[0])*CT[1]2 Key Switching: Homomorphic multiplication by [S,I]

Method 1: Eval([S,I],Enc(S,msg[0])*CT[1])

Combine the two homomorphic multiplications:Bring [S,I] inside the first ciphertextEnc(S,msg[0]*[S,I])* CT[1]

Define a new LWE encryption variant:Enc#(S,msg) = Enc(S,msg*[S,I])

Enc#(S,msg [0]) * Enc(S,msg [1])= Enc(S,msg [0]*[S,I]*Enc(S,msg [1]))= Enc(S,msg [0]* msg [1])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security

Enc#(S,msg) = Enc(S,msg*[S,I])= [Enc(S,msg*S),Enc(S,msg*I)]

Circular security:

Can compute Enc(S,msg*S)= msg*Enc(S,S) withoutknowing SProblem: msg*(-I,0) reveals msg!Solution: Enc(S,0)+ msg*Enc(S,S)

TheoremEnc is secure under the LWE assumption

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks

Second encryption scheme can be chosen arbitrarilyEnc#(S,m0)*Enc(S,m1) = Enc(S,m0m1)

Enc#(S,m0)*Enc#(S,m1) = Enc#(S,m0m1)

No need for key switchingProduct Enc(S,m0m1) uses the same key as the inputKey S does not have to be smallNo evaluation key!

Enc is a homomorphic encryption scheme supportingCiphertext additionCiphertext multiplicationwithout any evaluation key!

Too good to be true?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Error growth

Enc#(m0;E0) * Enc#(m1;E1) = Enc#(m0m1;E)Error: E ≈ m0 ∗ E1 + E0 ∗ X

Multiplying many ciphertextsCT[i] = Enc#(mi;Ei)Assume mi ∈ 0, 1Given CT[1],...,CT[k]Goal: compute CT[1]*...*CT[k] = Enc#(

∏i mi)

How? Several options (multiplication is associative):Left to right multiplication chainRight to left multiplication chainBinary tree (minize circuit depth)

QuestionWhat order is best?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Arithmetic and Boolean operations

AdditionCan add polynomially many ciphertextsError grows by polymomial factor (e.g., O(log(n)) bits)

MultiplicationAssume binary message spaceCan multiply polynomially many ciphertexts in a chainError grows by polymomial factor (e.g., O(log(n)) bits)

Bit operations:m0,m1 ∈ {0, 1}m0 ∧m1 = m0 ·m1¬m0 = 1−m0m0 ∨m1 = ¬(¬m0 ∧ ¬m1)

Conditional: (b,m0,m1) 7→ mbmb = (1− b) ·m0 + b ·m1

Arbitrary log-depth boolean circuits

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Arithmetic and Boolean operations

AdditionCan add polynomially many ciphertextsError grows by polymomial factor (e.g., O(log(n)) bits)

MultiplicationAssume binary message spaceCan multiply polynomially many ciphertexts in a chainError grows by polymomial factor (e.g., O(log(n)) bits)

Bit operations:m0,m1 ∈ {0, 1}m0 ∧m1 = m0 ·m1¬m0 = 1−m0m0 ∨m1 = ¬(¬m0 ∧ ¬m1)

Conditional: (b,m0,m1) 7→ mbmb = (1− b) ·m0 + b ·m1

Arbitrary log-depth boolean circuits

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Method 2: Tensor and Key Switch

Why? Efficiency! Allows SIMD operations using polynomialrings

Ciphertext as a function

fC(S)= Dec'(S,C)= [S,I]CfC is linear in [S,I]

Product ciphertext C = C0*C1

Goal: Dec'(S,C)= Dec'(S,C0)*Dec'(S,C1)fC0,C1(S)= Dec'(S,C0)*Dec'(S,C1) is bilinear in [S,I]

Tensor product: Z = [S,I]⊗[S,I] = [S⊗S,S,S,I]

Any bilinear function of [S,I] is linear in ZC = C0⊗C1 decrypts to m0 ·m1 under Z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Mixed product property

TheoremFor any A,B,X ,Y ,

(A⊗ B) · (X ⊗ Y ) = (A · X )⊗ (B · Y )

([S, I]⊗ [S, I]) · (C0 ⊗ C1) = ([S, I]C0)⊗ ([S, I]C1)= (X0 + E0)⊗ (X1 + E1)

Result: X0 ⊗ X1 + X0 ⊗ E1 + E0 ⊗ X1 + E0 ⊗ E1

Assume scalar messages: x0 ⊗ x1 = x0 · x1Messages must be encoded: xi = q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Mixed product property

TheoremFor any A,B,X ,Y ,

(A⊗ B) · (X ⊗ Y ) = (A · X )⊗ (B · Y )

([S, I]⊗ [S, I]) · (C0 ⊗ C1) = ([S, I]C0)⊗ ([S, I]C1)= (X0 + E0)⊗ (X1 + E1)

Result: X0 ⊗ X1 + X0 ⊗ E1 + E0 ⊗ X1 + E0 ⊗ E1

Assume scalar messages: x0 ⊗ x1 = x0 · x1Messages must be encoded: xi = q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Encoding issues

Encode scalar messages: xi = qpmi

Product: (x0 + e0)(x1 + e1) = x0x1 + x0e1 + e0x1 + e0e1Issues:

Error terms x0e1 + e0x1 = qp (m0e1 + e0m1) are too large

Main term x0x1 = (q/p)2m0m1 is not properly encodedSolutions:

Modular arithmetics: assume gcd(q, p) = 1, and multiplyresult by p (mod q)Modulus lifting: Compute the product modulo q2, andthen switch to smaller modulus q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Modular arithmetics

Compute c = p · c0 ⊗ c1 (mod q)Output c decrypts (under sk⊗sk) to

p(x0 + e0)(x1 + e1) = qp (−qm0m1) + pe0e1

Assume q = −1 (mod p)Error growth: β 7→ pβ2

Arbitrary q, pMultiply result by (−q)−1 (mod p)Error growth: β 7→ p2β2

Modulus switching can be used to reduce β to a fixedpolynomial σ = ‖s‖1 = O(n), and substantially slow downthe error growth

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Modular arithmetics

Compute c = p · c0 ⊗ c1 (mod q)Output c decrypts (under sk⊗sk) to

p(x0 + e0)(x1 + e1) = qp (−qm0m1) + pe0e1

Assume q = −1 (mod p)Error growth: β 7→ pβ2

Arbitrary q, pMultiply result by (−q)−1 (mod p)Error growth: β 7→ p2β2

Modulus switching can be used to reduce β to a fixedpolynomial σ = ‖s‖1 = O(n), and substantially slow downthe error growth

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Modulus Lifting

Compute c = p · c0 ⊗ c1 (mod q2)Assume key ‖s‖1 < σ has small entriesAnalyze the relative error: ci= Enc(mi;(q/p)ei)

TheoremThe product p(c0 mod q)⊗ (c1 mod q) is an encryption ofm0m1 (mod p) under key s ⊗ s (mod q2) with error (q2/p)e

e ≤ 3e0e1 + p2 (σ + 1)(e0 + e1)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Relative error growth

Fixed polynonials β ≈√n, σ = ‖s‖1 ≈ O(n1.5)

Modulus lifting error growth

relative error: input (q/p)ei , output (q2/p)eassume |ei | < εoutput (multiplication) error ≈ pσε

After L levels of multiplications, error ≈ (pσ)Lε < 1

Input ciphertext modulus must be q ≈ (pσ)L

Better than modular arithmetics approach q > (pβ)2L

Similar growth to modular arithmetics + modulus switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Tensoring + Key Switching

Both methods produce a ciphertext under key[S⊗S,I⊗S,S⊗I]For scalar messages I = [1] and I⊗S = S⊗I = S

Can use subkey switching from [S⊗S,S] to S

Evaluation key: Enc(S,S⊗S)Security:

Does not follow from circular security of LWEUsing standard LWE:

Evaluation key Enc(Z,S⊗S)Use a sequence of keys S0, ...,SL, one for eachmultiplicative level of circuit/computationCan you still use subkey switching?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Arithmetic computations using Tensor products

Message encoding: (q/p)m

Plaintext arithmetic modulo p (both addition andmultiplication)

Error grows with multiplicative depth of the circuit

Use small key ‖s‖1 < σ to use modulus switching and slowdown error growth

Error at depth L: ≈ (pσ)L < q

L = O(log n): q = nO(log n)

L = poly(n): q = 2poly(n)

Impact of modulus:

Efficiency: running time poly(log q)Security: requires hardness of of approximating latticeproblems within γ ≈ q/β

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 8

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping

Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

LWE Homomorphic Encryption

Goal: homomorphic evaluation offc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

LWE-based cryptosystem

Supports bounded depth addition and multiplicationBit operations: x nand y = 1 - (1-x)\cdot (1-y)

Key Switchingek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =

Const(b) -∑

i CMul(a[i],ek[i])

Homomorphic evaluation of Dec'(a,b)= b - Sa

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Not enough

Key switching only computes the linear part of Dec

We also need to round the result to decode(b - Sa)

Is this really needed?

Yes, b - Sa = (q/p)m + eKey switching gives a noisy encryption of (q/p)+eWithout rounding, noise keeps getting bigger

QuestionsCan we express rounding as a polynomial function (mod q)?What is the degree of the polynomial?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Error growth and bounded computation

We have seen two methods to multiply ciphertexts:

Tensor products

error growth ∼ β → βσcan evaluate arbirary circuits with multiplicative depth Leven for L = log n, requires superpolynomial modulusq > σL ≈ nO(log n)

Nested Encryption / Homomorphic Decryption

asymmetric error growth: (m0, e0)× (m1, e1)→ m0e1 + e0βcan evaluate arbitrary multiplication chains of L freshencryptions of binary messageseven for large L, polynomial modulus q ≈ Lβ2 is enough

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Roadmap

For each multiplication method

1 Describe/analyze a bootstrapping algorithm

2 Homomorphically evaluate the algorithm using anappropriate cryptographic data structure (encryptedaccumulator)

3 Implement the cryptographic data structure using LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Cryptographic accumulators

Cryptographic Data Structure ACC[v]

Holds a value v ∈ V in encrypted formInput Encryption scheme: Enc'Output Encryption scheme: Enc''

Operations on ACC[v]

Given Enc'(x), update ACC[v] →ACC[f(v,x)]Given ACC[v], output Enc''(f(v))

Bootstrapping:

Bootstrapping key: Enc'(s)Final output: Enc''(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Boostrapping problem

Assume p = 2,m ∈ {0, 1}

Decryption Algorithm:

Input: a[1..n] ∈ Znq, b ∈ Zq

Secret key: s[1..n] ∈ Zn

Compute d = b −∑

i a[i ]s[i ] + (q/4) (mod q)Round d to MSB(d) = b2d/qc

Homomorphic Computation:

Given Enc(s[i])Compute Enc(MSB(d))

Simplifying assumption:

s[i ] ∈ {0, 1}without loss of generality using (a, 2a, 4a, ...)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Ripple-carry addition

Standard schoolbook method

using binary digitsadd n numbers at a timecarry in {0, . . . , n}

Input digits are encrypted

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Ripple-carry accumulator

Parameters:

Message space V = {v',...,v''}

Input: Enc'(x)= Enc#(x)

Output: Enc''(x)= LWE(x)

ACC[x] = (Enc''("x=v"): v ∈ V)

Init(v)= ACC[v]Function application: f(ACC[v])= ACC[f(v)]Selection:Enc'(b)? ACC[v0] : ACC[v1] = ACC[b?v0:v1]Output: p(ACC[v])= Enc''(p(b))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping algorithm

b+q/4 =∑

j 2j b[j]

a[i] =∑

j 2j a[i,j]

ACC ← ACC[0]for h = 0..k-1

ACC[x] ← f(ACC[x]) where f (x) = (x/2) + b[h]forall i,j

if (a[i,j] = 1)ACC[x + s[i]] ← Enc '(s[i]) ? ACC[x] :

ACC[x+1]return (even(ACC[x])) = Enc ''(even(x))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Carry-save accumulator

Parameters: bit length k

ACC[x] = (x0,x1)

x = x0+x1 (modulo 2k)x0[0,..,k-1] and x1[0,..,k-1]redundant representation

Operations:

add y to ACCcompute MSB(ACC)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Carry-save addition

Add(ACC(x0,x1),y):x0 '[i] = (x0[i] + x1[i] + y[i]) mod 2x1 '[i+1] = (x0[i] + x1[i] + y[i] > 1)return ACC(x0 ',x1 ')

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

MSB computation

Standard MSB computation

addition x0+x1 with carry propagationO(log(k)) depth circuit where k=log(q)

Can also add in log(k) depth

Compute both MSB(ACC) and MSB(ACC+1)ACC[k]: k-bit accumulatorRecursive algorithm: splitACC[k] = (HiACC[k/2],LoACC[k/2])

MSBs(ACC=(HiACC ,LoACC)):parallel:

hi[0,1] = MSBs(HiACC)lo[0,1] = MSBs(LoACC)

out[0] = hi[lo[0]]out[1] = hi[lo[1]]return out

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Bootstrapping algorithm

ACC[0] = b+q/4for i=1..n

ACC[i] = s[i]*a[i]ACC = Sum(ACC[0],...,ACC[n])return MSB(ACC)

Sum(ACC [0..n])if n=0

then return ACC[0]else h=n/2

ACC0 = Sum(ACC [0..h-1])ACC1 = Sum(ACC[h..n])(x0,x1) = ACC1return (ACC0 + x0) + x1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Summary

Bootstrapping functions can be computed by

1 O(n log q)-long sequence of multiplications, or2 log(n) + log log(q)-depth arithmetic circuits

Error growth:

1 Using LWE �: final error ≈ O(n) · β2 Using LWE ⊗: final error ≈ σlog n+log log q = σO(log n)

Parameters β(n), σ(n): fixed polynomials in n

Modulus:

1 polynomial modulus q(n) ≈ O(n)β = nO(1)

2 quasipolynomial q(n) = nO(log n)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Summary (security)

Hardness of lattice problems within factor γ ≈ q/β

1 LWE �: polynomial γ = nO(1)

2 LWE ⊗: quasipolynomial γ = nO(log n)

Circular security assumption

Needed by tensor product multiplication / keyswitchingNeeded to apply bootstrappingNot needed for leveled homomorphic encryption

QuestionRemove circular security assumption:

Can you build (unbounded) FHE from standard LWE?Can you build (unbounded) linearly homomorphic HE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Summary (security)

Hardness of lattice problems within factor γ ≈ q/β

1 LWE �: polynomial γ = nO(1)

2 LWE ⊗: quasipolynomial γ = nO(log n)

Circular security assumption

Needed by tensor product multiplication / keyswitchingNeeded to apply bootstrappingNot needed for leveled homomorphic encryption

QuestionRemove circular security assumption:

Can you build (unbounded) FHE from standard LWE?Can you build (unbounded) linearly homomorphic HE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Efficiency

Main security parameter n > 100 (typically, n ≈ 1000)Modulus q(n) < 2n has bitsize log q < nAssume 1GHz, arithmetic operations modulo qBootstrapping: homomorphically evaluate decryptionalgorithm (once or twice per gate)

QuestionCan you estimate the cost of a single FHE operation?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 9

Project Info

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Implementation and Libraries

Libraries:

SEALHElibPALISADELattigo. . .

Interface:

try to hide math as much as possibleoffer encoding, decoding and SIMD operations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Project:

Use one of the librariesOpen ended, do anything you wantGoal: demonstrate you managed to use the libraryExtra points: do something interestingSubmission: pdf report describing your work + supportingcode

Teams:

You can work in pairs if you likeLarger teams only if doing something more substantialIndivudual project required to use for master competency

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Project Deadlines:

Deadlines:

Next lecture (Tue, Dec 1): need to know what you aredoing (team, library)End of finals week (Fri, Dec 18): project submission(canvas, pdf+code)

In the meantime:

in class, mathematics underlying Ring LWEused by the librariesuseful to understand/improve the librariesnot required to use the libraries

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 10

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

(In)efficiency of LWE

Standard LWE

Ciphertexts: (a, b) ∈ Z(n+1)×log qq store one value (mod p)

Ciphertext size: O(n log q)Addition, Scalar multiplication: T ≈ n log qCiphertext multiplication: T ≈ n2 log2 q

Compact LWE

Ciphertexts: (a, b) ∈ Z(2n)×log qq store n values (mod p)

Amortized ciphertext size: O(log q)Amortized addition, scalar multiplication: T ≈ log qCiphertext multiplication?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Generalize LWE using a ring R instead of Z

Ring of polynomials Z[X ]

Monic irreducible p(X ) of degree n

e.g., p(X ) = X n − 1

Quotient ring R = Z[X ]/p(X )

isomorphic to (Zn,+)convolution productRq = R/qR

Ring LWE

Key: s(X ) ∈ RCiphertexts (a, b) ∈ R2

qMessages: m ∈ Rp

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Ring LWE vs Compact LWE

Both methods:

Encrypt n values (mod p) using O(n) values (mod q)Efficient (linear time) vector addition and scalarmultiplication

Multiplication:

Compact LWE: tensor multiplication, cost O(n2)Ring LWE: polynomial multiplication, cost O(n log n) usingFFT

Applications / Programming model:

Addition, scalar multiplication: SIMDMultiplication: convolution is usually not what you wantEncode data to perform SIMD multiplication

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Data encoding

Polynomial representation

p(x1), . . . , p(xn) ∈ Znq

p(x) = a0 + a1x1 + . . . an−1xn−1 ≡ Znq

Polynomial multiplication: SIMD multiplication ofevaluation representations

Quasilinear time transformations:

(y1, . . . , yn)→ (a0, . . . , an−1): polynomial interpolation(a0, . . . , an−1)→ (y1, . . . , yn): polynomial evaluation

Other operations:

SIMD: great to run same program on n data setsNeed also to pack,unpack,shuffle, etc. for generalcomputations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Security

Is Ring LWE secure?For what rings?

Short answer:

Working modulo p(X ) = Xn − 1 is not a good ideaBetter to work with cyclotomic polynomialsSWIFFT ring: p(X ) = Xn + 1 where n = 2k

Useful both for

security, pseudorandomness, search/decision reductionsefficient implementation using Number Theoretic Transform(NTT)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Implementation and Libraries

Libraries:

SEALHElibPALISADELattigo. . .

Interface:

try to hide math as much as possibleoffer encoding, decoding and SIMD operations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Cyclic lattices

A lattice is cyclic if it is closed underrot(v1, ..., vn) = (vn, v1, v2, ..., vn−1)

Equivalently

view vectors as coefficients of a polynomiallattice is closed under rot(v(X )) = X ∗ v(X ) mod (X n − 1)

Commonly used in coding theory (over finite fields)

cyclic codes: linear code, closed under rotationequivalently, set of polynomials in F[X ]/(X n − 1), closedunder multiplication by X

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Generators

TheoremAny cyclic code over finite a field F can be written as

C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}

for some g(X )

Proof.

QuestionIs the same true for cyclic lattices?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Generators

TheoremAny cyclic code over finite a field F can be written as

C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}

for some g(X )

Proof.QuestionIs the same true for cyclic lattices?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Cyclic lattices and one-way functions

NTRU (1998): public key encryption, efficient, no proof

First provable construction, (M., FOCS 2002): one-wayfunction

Rq = Z[X ]/(q,X n − 1)key: a1(X ), . . . , am(X ) ∈ Rqinput: v1(X ), . . . , vm(X ) ∈ {0, 1}n ⊂ Rqoutput: w(X ) =

∑i ai (X ) · vi (X ) ∈ Rq

compression function: m = 2n log2(q)

One-way: given a1, . . . , am and w ,

easy to find v1, . . . , vm ∈ Rq such that∑

i aivi = w ∈ Rqhard to find v1, . . . , vm ∈ {0, 1}n

Intuition: Compact knapsack, circulant matrices

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Compact knapsack, circulant matrices

Polynomials: a(X ) ∈ Z[X ]/(Xn − 1)

Equivalently: A ∈ Zn×n circulant matrix

a1 + a2 ≡ A1 + A2a1 · a2 ≡ A1 · A2

Compact knapsack

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Collision resistance?

Regular knapsack:

given random a1, . . . , am ∈ Zqm = 2 log2(q)collisions existcollisions are hard to find

Compact knapsack:

given random a1, . . . , am ∈ Zq[X ]/(X n − 1)m = 2n log2(q)collisions exist

QuestionAre collisions hard to find?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Collisions in compact knapsacks

Multiply each “circulant” matrix ai by the all-one vector

Find collision in Zq

Algebraic decription:

multiply each ai (X ) by u(X ) = (1 + X + X 2 + ....)Notice (X n − 1) = u(X ) · (X − 1)CRT: R ≡ (Z[X ]/(X − 1))× (Z[X ]/u(X ))Multiplication by u(X ) maps R to Z[X ]/(X − 1) ≡ Z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Anti-Cyclic lattices

A lattice is anticyclic if it is closed underrot(x1, ..., xn) = (−xn, x1, x2, ..., xn−1)

Equivalently: work in R = Z[X ]/(Xn + 1)

Questions:

1 Are compact knapsacks over R collision resistant?2 Does (X n + 1) have small degree factors?

TheoremXn + 1 is irreducible if and only if n is a power of 2

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Anti-Cyclic lattices

A lattice is anticyclic if it is closed underrot(x1, ..., xn) = (−xn, x1, x2, ..., xn−1)

Equivalently: work in R = Z[X ]/(Xn + 1)

Questions:

1 Are compact knapsacks over R collision resistant?2 Does (X n + 1) have small degree factors?

TheoremXn + 1 is irreducible if and only if n is a power of 2

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Roots of Unity

ωm = exp(2πı/m) ∈ C, primitive mth root of unity

Observation: Xm − 1 =∏m−1

k=0 (X − ωkm)

Xm − 1 =∏d |m

∏gcd(k,m)=d

(X − ωkm)

=∏d |m

∏k∈Z∗m/d

(X − ωkm/d )

DefinitionCyclotomic Polynomial: Φm(X ) =

∏k∈Z∗m (X − ωk

m) ∈ C[X ]

Question: does Φm have integer coefficients?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Division Theorem

(R,+, ∗, 0, 1): any ring

R[X ]: polynomials with coefficients in X

TheoremFor any a(X ) ∈ R[X ] and monic b(X ) ∈ R[X ], there existsunique q(X ), r(X ) ∈ R[X ] such that

a(X ) = q(X ) ∗ b(X ) + r(X )deg(r(X )) < deg(b(X ))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Division Algorithm

divRem :: Poly → Poly → PolydivRem a b =

if (deg a < deg b)then (0,a)else let aL = leadingTerm a

bL = leadingTerm bqL = aL / bLa' = a - b*qL(q',r) = divRem a' bq = qL + q'

in divRem (q, r)

Dividing by b(X ) requires divisions by the leadingcoefficient of bIf R is a field, we can divide by any non-zero b(X ):If b(X ) is monic, division is possible in any ring R

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Polynomial Division: Example

QuestionDivide a(X ) = 5X 8 + 4X 6 − 5X 3 + 4 by b(X ) = X 3 − X + 7

Solution:

quotient: q(X ) = 5X 5 + 9X 3 − 35X 2 + 9X − 103remainder: r(X ) = 254X 2 − 166X + 725

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Polynomial Division: Example

QuestionDivide a(X ) = 5X 8 + 4X 6 − 5X 3 + 4 by b(X ) = X 3 − X + 7

Solution:

quotient: q(X ) = 5X 5 + 9X 3 − 35X 2 + 9X − 103remainder: r(X ) = 254X 2 − 166X + 725

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks about Division Algorithm

Division Algorithm:(a(X ), b(X ) ∈ R[X ]) 7→ (q(X ), r(X ) ∈ R[X ])

For any subring S ⊆ R, and a(X ), b(X ) ∈ S[X ]

Result of dividing a(X ) by b(X ) is in S[X ]Division as polynomials in R[X ] or as polynomials in S[X ]produces the same result

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Polynomial GCD

F[X ]: polynomials with coefficients in a field F

The Greatest Common Divisor (gcd) of a(X ), b(X ) ∈ F[X ]is a polynomial g(X ) ∈ F[X ] such that

g(X ) divides a(X ) and b(X )any d(X ) ∈ F[X ] that divides both a(X ) and b(X ) alsodivides g(X )

TheoremFor any a(X ), b(X ) ∈ F[X ]

gcd(a(X ), b(X )) = u(X )a(X ) + v(X )b(X )

for some u(X ), v(X ) ∈ F[X ].

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Euclid’s Algorithm

Input: a(X ), b(X ) ∈ F[X ]

Output: u(X ), v(X ) ∈ F[X ] such thatu(X )a(X ) + v(X )b(X ) = gcd(a(X ), b(X ))

Invariant: gcd(a(X ), b(X )) = gcd(b(X ), a(X ) mod b(X ))euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =

if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a

(u,v) = euclid (b,r)in (-q*v , u+v)

Base case: 1*a+0*b = a = gcd(a,b)

Indunction: (-qv)a+(u+v)b = ub + v(b-qa)= ub+vr

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Remarks about Euclid Algorithm

euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =

if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a

(u,v) = euclid (b,r)in (-q*v , u+v)

Euclid Algorithm works over a field:

Even if b(X ) is monic, r(X ) = b(X ) mod a(X ) may not be

If a(X ), b(X ) ∈ R[X ] have coefficients in a domain R ⊆ F ,then we can compute gcd(a(X ), b(X )) ∈ F[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Cyclotomic Polynomials

Xm − 1 =∏

d |m Φm(X )

Theorem

Φm(X ) ∈ Z[X ]

Proof:

For m = 1, Φ1(X ) = (X − 1)

For m > 1, b(X ) =∏

m>d |m Φd (X ) is in Z[X ] by induction

Compute (q(X ), r(X )) = divRem(Xm − 1, b(X )) in Z[X ]

r(X ) = 0 because b(X ) divides Xm − 1

Φm(X ) = q(X ) is in Z[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Cyclotomic Polynomials

Xm − 1 =∏

d |m Φm(X )

Theorem

Φm(X ) ∈ Z[X ]

Proof:

For m = 1, Φ1(X ) = (X − 1)

For m > 1, b(X ) =∏

m>d |m Φd (X ) is in Z[X ] by induction

Compute (q(X ), r(X )) = divRem(Xm − 1, b(X )) in Z[X ]

r(X ) = 0 because b(X ) divides Xm − 1

Φm(X ) = q(X ) is in Z[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Irreducibility of Cyclotomics

TheoremΦm(X ) ∈ Z[X ] is irreducible

TheoremCm ≡ Z[X ]/Φm(X ) = Z[ωm]

simple proof, helps intuition

Algebraic Number Fields

finite dimentional extensions of Qkey concepts: field extensions, vector spaces

Algebraic Number Rings

finite dimensional extensions of Z, i.e., latticeskey concepts: ring extensions, modules over a ring

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Factoring primes in Cyclotomic rings

Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful

QuestionQuestion: What’s the factorization of Φm(X ) modulo p?

Technically, this is the problem of factoring (the ideal generatedby) the prime p in the ring of polynomials modulo Φm(X )

“The obvious mathematical breakthrough would be de-velopment of an easy way to factor large prime numbers”(Bill Gates, The Road Ahead, p. 265)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Technically, this is the problem of factoring (the ideal generatedby) the prime p in the ring of polynomials modulo Φm(X )

“The obvious mathematical breakthrough would be de-velopment of an easy way to factor large prime numbers”(Bill Gates, The Road Ahead, p. 265)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Motivation

R = Z[X ]/Φm(X )

Rp = R/(pR) ≡ Z[X ]/〈Φm(X ), p〉Z[X ]

Equivalently, Rp ≡ Zp[X ]/Φm(X )

The structure of Rp is equivalently described by

the factorization of (pR) in R, orthe factorization of Φm in Zp[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Section 11

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Basic Algebra

Review of basic algebraic structures:

(Commutative) monoids and groupsRings and FieldsModules and Vector spaces

Some common examples:

Q ⊂ R ⊂ C: the fields of rational, real and complexnumbersZ,Zn: the rings of integers, and integers modulo nR[X ]: The ring of polynomials with coefficients in R

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Monoids and Groups

A monoid (A, ∗, 1) is a set A with a binary operation(∗) : A× A→ A and unit element 1 ∈ A such that

(x ∗ y) ∗ z = x ∗ (y ∗ z) (associativity)1 ∗ x = x ∗ 1 = x (identity)

A monoid is commutative if

x ∗ y = y ∗ x (commutativity)

An element x is invertible if there is a y such thatx ∗ y = y ∗ x = 1

A group is a monoid such that all elements are invertible

Abelian group: commutative groups, additive notation(A,+, 0), additive inverse −x

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Rings and Fields

A (commutative) Ring (R,+, ∗, 1, 0) is a set with twobinary operations such that

(R,+, 0) is an abelian group

(R, ∗, 1) is a (commutative) monoid

x ∗ (y + z) = x ∗ y + x ∗ z and (x + y) ∗ z = x ∗ z + y ∗ z(distributivity)

Subring S ⊆ R, subset of a ring closed under +, ∗, 0, 1

A commutative ring (F ,+, ∗, 1, 0) such that all nonzeroelements are invertible is called a Field

A subring of a field R ⊆ F is called an Integral Domain

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Modules and Vector Spaces

Let (R,+, ∗, 0, 1) be a commutative ring

An R-module is an additive group (A,+, 0) with a scalarmultiplication operation (∗) : R × A→ A such that

r ∗ (s ∗ a) = (r ∗ s) ∗ a(r + s) ∗ a = r ∗ a + s ∗ ar ∗ (a + b) = r ∗ a + r ∗ b

If R is a field, then A is called a Vector Space

Linear independenceDimensionBasis

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Submodules and Quotients

Let (A,+, 0) be an R-module

An R-submodule of is

a subgroup B ⊆ Aclosed under scalar multiplication: R ∗ B ⊆ B

Quotient group: A/B = {[a]B : a ∈ A}, [a]B = a + B

also an R-module with r ∗ [a]B = [r ∗ a]B

Special case:

R is an R-moduleR-submodules I ⊆ R are called idealsR/I is also a ring with [a] ∗ [b] = [a ∗ b]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Integral and Algebraic Numbers

Domain R ⊆ F : subring of a field F

α ∈ F is algebraic over R if m(α) = 0 for somem(X ) ∈ R[X ]

α ∈ F is integral over R if m(α) = 0 for some monicm(X ) ∈ R[X ]

Examples:

α =√2 is integral over Z because m(α) = 0 for

m(X ) = X 2 − 2α = 1/

√2 is algebraic over Z because m(α) = 0 for

m(X ) = 2X 2 − 1, but is it not integral

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Minimal Polynomial

Field Extension F ⊆ E

Let α ∈ E be algebraic over F

Ring homomorphism: hα : F [X ]→ E , wherehα(p(X )) = p(α)

I = ker(hα): set of polynomials p such that p(α) = 0

I ⊆ F [X ] is a non-zero ideal

Minimal polynomial: smallest degree monic polynomialm(X ) ∈ I

I = F [X ] ·m(X ), i.e., p(α) = 0 iff m(X )|p(X )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Irreducibility

Let m(X ) be the minimal polynomial of α

m(X ) is irreducible:

If m(X ) = a(X ) · b(X ), then a(α) · b(α) = m(α) = 0,

either a(α) = 0 or b(α) = 0.

either a(X ) = c ·m(X ) or b(X ) = c ·m(X )

F [α] ≡ F [X ]/m(X ) are isomorphic

isomorphism: hα : F [X ]/m(X )→ F [α]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Algebraic Extensions

Algebraic α ∈ E ⊆ F

Minimal polynomial m(α) = 0 of degree n = deg(m(X ))

F [α] ≡ F n as an F -vector space with basisα0, α1, . . . , αn−1:

α0, α1, . . . , αn−1 are linearly independentα0, α1, . . . , αn−1 generate F [α]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Extension fields

TheoremF [α] = F (α) is a field

Proof:- Let p(α) ∈ F [α] for some p(X ) ∈ F [α], deg(p) < n- gcd(p(X ),m(X )) ∈ {1,m(X )} because m(X ) is

irreducible- If gcd = m(X ), then p(X ) = m(X ) and p(α) = 0- If gcd = 1, then u(X )p(X ) + v(X )m(X ) = 1- u(α) · p(α) = 1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Since gcd(m, p) = 1, we have p ∈ Z∗mLet d = o(p) be the order of p in Z∗mpd = 1 mod m, equivalently, m|(pd − 1)Let GF (pd ) be the finite field with pd elementsThe multiplicative group GF (pd )∗ is cyclic of order pd − 1There is an element ζ ∈ GF (pd ) of order mζd = 1 in GF (pd )o(ζk) = m for all k ∈ Z∗mΦm(X ) =

∏k∈Z∗m (X − ζk) splits in GF (pd )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

TheoremThe minimal polynomials of all ζk over Zp have degree d

Let l(X ) ∈ Zp[X ] be the minimal polynomial of ζ

Zp[ζ] ≡ Zp[X ]/l(X ) is a field

of size pdeg(l)

containing an element ζ of order m

m = o(ζ) divides pdeg(l) − 1 = |Zp[ζ]∗|

pdeg(l) = 1 mod m

by definition of d = o(p) and deg(l) = d

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

When gcd(m, p) = 1 Φm(X ) ∈ Zp[X ] factors into a productof ϕ(m)/d distinct degree d = o(p mod m) polynomials

For arbitrary m, factorization of Φm(X ) modulo p isobtained using the following theorem.

TheoremFor any m′ = mpk with gcd(m, p) = 1,

Φm′(X ) = (Φm(X ))ϕ(pk) mod p

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Frobenius map (x 7→ xp) : GF (pk)→ GF (pk) satisfies:

(x + y)p = xp + yp (from binomial expansion)ap = a for a ∈ Zp ⊆ GF (pk) (Lagrange)

Zp[X ] is a domain:

a(X )b(X ) = a(X )c(X ) cancels to b(X ) = c(X )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Using these two properties:

(Xmpk − 1) = (Xm − 1)pk =∏

d|m Φd (X )pk

(Xmpk − 1) =∏

d|m∏

i≤k Φdpi (X )So, by induction on m:∏

i≤kΦmpi (X ) = Φm(X )pk

Canceling equality for k − 1 from equality for k:

Φmpk (X ) = Φm(X )pk−pk−1= Φm(X )ϕ(pk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Factoring modulo a prime power

Φm(X ) =∏

i Fi (X ) mod p with irredudible Fi (X ) ∈ Zp[X ]Lift each Fi (X ) mod p to a factor Gi (X ) mod pk

Φm(X ) =∏

i Gi (X ) mod pk with Fi (X ) = Gi (X ) mod pGi (X ) is irreducible, because any factorization mod pk

gives also a factorization mod p

Theorem(Lifting) Let a(X )b(X ) = c(X ) mod p withgcd(a(X ), b(X )) = 1. For every k, there are a′(X ) = a(X )mod p and b′(X ) = b(X ) mod p such that a′(X )b′(X ) = c(X )mod pk

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

Linearity

Key Switching

Multiplication

Project Info

Ring LWE

Let u(X ), v(X ) such that a(X )u(X ) + b(X )v(X ) = 1mod pAssume a(X )b(X ) = c(X ) + pkd(X ) by inductionLet a′(X ) = a(X )− pkv(X )d(X ) andb′(X ) = b(X )− pku(X )d(X )a′(X )b′(X )mod pk+1 = a(X )b(X )−pk(a(X )u(X )+b(X )v(X ))d(X ) =a(X )b(X )− pkd(X ) = c(X )

cse208: advanced cryptographycseweb.ucsd.edu/classes/fa20/cse208-a/slides.pdf · 2020. 12. 10. ·...

Documents

multigraded hilbert...

practical byzantine fault...

university of california, san...

optimal communication complexity of generic multicast key...

lattice-based...

1 the unique-svp world 1. ajtai-dwork’97/07, regev’03 ...

chapter 22 -...

lecture 24: code...

main bearing installation for 2011-2018 subaru/toyota 2.0l...

search to decision reductions for knapsacks and lwe 1...

rc vn vnsg 1301 200 backus fa20

data sheet acquired from harris semiconductor schs018c...

tachyon: fast signatures from compact...

daniele micciancio

polar fa20 manual del usuario - heart rate monitors ... ·...

daniele micciancio uc san diego...

shortest vector in a lattice is np-hard to approximate...

the geometry of lattice cryptography - uniurb · 2011. 10....

web mining and recommender...

osher fa20 highlights brochure digital