cse208: advanced cryptographycseweb.ucsd.edu/classes/fa20/cse208-a/slides.pdf · 2020. 12. 10. ·...

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

CSE208: Advanced Cryptography

Daniele Micciancio

UCSD

Fall 2020

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 1

Introduction

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

CSE208: Advanced Cryptography

Graduate Level Advanced CryptographyPrerequisites:

CSE207 or equivalentSolid theoretical background, cryptographic definitions, etc.Some programming

Past topics: Zero Knowledge, Functional Encryption,Secure Computation, etc.Not required: CSE206A (Lattice Algorithms)

Reading:no textbookmostly research paperssee course webpage, canvas, etc.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Fall 2020 Topic

Fully Homomorphic Encryption:Encryption schemes that supports the evaluation ofarbitrary programs on encrypted inputs

Applications:secure outsourced computingbuilding block for MPC and more

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Brief History of Homomorphic Encryption

1978: Rivest, Adleman & Dertouzos posed the problem2009: Gentry 2009 proposed the first candidate solution2010-2020: Work towards more efficient solutions based onstandard complexity assumptions (Brakerski,Vaikuntanathan, Gentry, Halevi, Smart, . . . )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Software libraries

IBM HElib (Halevi & Shoup)Microsoft SEALNJIT/Duality PALISADE (Rohloff, Cousins & Polyakov)Functional Lattice Cryptography LoL (Crockett & Peikert)Fastest FHE of the West FHEW (Ducas & Micciancio)FHE over the Torus TFHE (Chillotti, Gama, Georgieva &Izabachene)Approximate FHE HEAAN (Cheon, Kim, Kim & Song)

In the News:February 21, 2019: Microsoft SEAL open sourcehomomorphic encryption library gets even better for .NETdevelopers!June 4, 2020: IBM releases FHE toolkit for MacOS andiOS; Linux and Android Coming Soon

https://github.com/homenc/HElib

https://www.microsoft.com/en-us/research/project/microsoft-seal/

http://palisade-crypto.org/

https://github.com/cpeikert/Lol

https://github.com/lducas/FHEW

https://tfhe.github.io/tfhe/

https://github.com/snucrypto/HEAAN

https://www.microsoft.com/en-us/research/blog/microsoft-seal-open-source-homomorphic-encryption-library-gets-even-better-for-net-developers/



https://www.ibm.com/blogs/research/2020/06/ibm-releases-fully-homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-coming-soon/

https://www.ibm.com/blogs/research/2020/06/ibm-releases-fully-homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-coming-soon/

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Homework and Evaluation

Homework assignments:3 assignments, due within one week from assignment dateCover theoretical/mathematical topics

Small Project:Goal: Try to use one of the many HE librariesNot much coding, but you will have to write and compile afew lines of codeEvaluated primarily based on written report

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Administrivia:

Course webpage: http://cseweb.ucsd.edu/classes/fa20/general course informationpointers to papers and other reading material

Canvas:recording of lectureshomework distribution/collectiongradesdiscussion board

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Course Schedule (Tentative)

Week 1: Introduction and Definition

FHE DefinitionGentry’s Boostrapping theoremHomework 1 out

Week 2-4: Fundamental techniques based on general lattices

LWE encryptionLinear Homomorphic computationsKey Switching and Proxy re-encryptionNested encryption and homomorphic multiplicationCiphertext Tensoring and homomorphic multiplicationHomomorphic Decryption and Bootstrapping algorithmsHomework 2 out

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Week 5: Algebraic Number Theory

I really hope you like math!Homework 3 out

Week 6-10: Efficient FHE from Ring LWE

Message packing techniquesLinear transformations on structured matricesOther FHE schemes: GHS, BFV,FHEW, AP13, TFHE,CKKS . . .

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 2

Defining FHE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Public Key Encryption

PKE(Gen ,Enc ,Dec)Gen: () → (pk,sk)Enc: (pk,m) → cDec: (sk,c) → m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness of PKE

For every (sk,pk)← Gen() and m ← [M], r ← [R]:

Dec(sk,Enc(pk,m;r)) = m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Chosen Plaintext Attack (CPA) security

Ciphertext Indistinguishability under Chosen PlaintextAttackExperiment:INDCPAgame(b:{0 ,1})

(sk,pk) ← Gen()A(pk) → (m0,m1)b' ← A(Enc(pk,mb))return b':{0 ,1}

Definition

Adv(A) = |Pr(Game (0)=1) - Pr(Game (1)=1)|

DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CPA secure if anypolynomial time A has advantage Adv(A)~ 0

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Significance of CPA security

Adversary can choose messages m0, m1

No assumption about input distributionAdversary may have partial information about messagesAdversary may influence the choice of messages

Ciphertext c = Enc(pk,mb) is computed honestly

Adversary cannot tamper with ciphertexts

Adversary models a passive attacker

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Definition of CCA security

DefinitionAn encryption scheme (Gen,Enc,Dec) is IND-CCA secure if anypolynomial time A has advantage Adv(A)≈0 in the followinggame.

Game(b:{0 ,1})(sk,pk) ← Gen()A[D](pk) → (m0,m1)c ← Enc(pk,mb)b' ← A[D'](c)return b':{0 ,1}

A[D] is an adversary with oracle access toD(x) = Dec(sk,x)

A[D'] uses a modified oracle (next slide)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

IND-CCA1 vs IND-CCA2

There are two variants of CCA security, depending on the typeof oracle given to the adversary after receiving the challengeciphertext:

IND-CCA1 security: No decryption oracle after receivingthe challengeD'(x) = Nil

IND-CCA2 security: decrypt any ciphertext, except thechallenge c

D'(x) =

if (x?= c)

then Nilelse Dec(sk,x)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Significance of CCA security

Goal: model active attacks, where adversary can tamperwith ciphertexts

Standard notion for regular encryption schemes

IND-CCA2 theoretically equivalent to non-malleableencryption

Any attempt to modify a ciphertext should be detected

Seems incompatible with homomorphic encryption

Ability to modify ciphertexts can be a useful featureHomomorphic encryption is perfectly malleable

We will not consider CCA security

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Homomorphic Encryption: first attempt

Assume f: M →M

f(Enc(pk,m)) = Enc(pk,f(m))

Eval(pk,f, Enc(pk,m)) = Enc(pk,f(m))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Homomorphic Encryption: second attempt

Dec(sk,Eval(pk,f, Enc(pk,m))) = f(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Multi-input functions

Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )

k-ary function f: (m1,...,mk) →m

Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???

Dec(sk,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Multi-input functions

Many inputs are encrypted independentlyc1 ← Enc(pk,m1)...ck ← Enc(pk,mk )

k-ary function f: (m1,...,mk) →m

Eval(pk, f, c1 ,...,ck ))= Enc(pk,f(m1 ,...,mk )) ???

Dec(sk ,Eval(pk, f, c1 ,...ck ))= f(m1 ,...,mk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Multi-key Homomorphic encryption

Assume multiple users: P1,P2, ...Each user has a key (pair): Pi : (pki , ski )Data is encrypted and sent to different usersc1 ← Enc(pk1,m1)...ct ← Enc(pkt ,mt )

Users pool data together to perform a joint computation onc1, ..., ct

Final result is an encryption of f (m1, ...,mt) under whatkey?Eval (???,f,c1 ,...,ct ))

~ Enc(???, f(m1 ,...,mt ))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Restricting Homomorphic Encryption

FHE is a useful and challenging problem already in thesingle key setting

In order to appropach the problem we will further restrict itby parametrizing by a set of allowedcomputations/functions Func = {f: ....} where eachf: (M,...,M)→ M may take a different number of arguments

More generally, one many consider functionsf:(M1, ...,Mk) →M taking inputs from different sets (types),e.g., ifThenElse: (Bool,Int,Int)→Int

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Examples and Function Composition

(M,+, 0): abelian group, e.g., “fixed size” integers(modulo N)Addition: f (x1, ...xt) = x1 + ...+ xtScalar multiplication: ga(x) = a · xLinear combinations: h(x1, ...xt) =

∑i 2i−1xi

1-hop, n-hop, multi-hop: can functions f be composed?

h(x1, ..., xt) = f (g1(x1), ..., g2t−1(xt))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness of Function Composition

Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)

QuestionDoes it follow that

ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)

Dec(sk,ctZ)?= z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness of Function Composition

Let x , y , z ∈ M be messages and f , g : M → M twofunctions such that y = f (x) and z = g(y) = (g ◦ f )(x)Assume (Gen,Enc,Dec,Eval) can evaluate f and g correctly:Dec(sk,Eval(pk,f, Enc(pk,x))) = f(x)Dec(sk,Eval(pk,g, Enc(pk,y))) = g(y)

QuestionDoes it follow that

ctX ← Enc(pk,x)ctY ← Eval(pk,f,ctX)ctZ ← Eval(pk,g,ctY)

Dec(sk ,ctZ)?= z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Formalizing Restricted Composition

Restrict scheme to a set F of strongly typed functions:

f : M1 × . . .Mk → M0

Enc,Dec,Eval are given type information

We can use types to bound computation depth:

Start from f : M → MDefine Mi = M for i = 1, ..., nDefine fi : Mi → Mi+1, where fi (x) = f (x)

F = {f } allows arbitrary composition

F = {f0}: no composition

F = {f0, f1, ..., fn}: bounded depth composition

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

(Multi-hop) Correctness Game

State: (initially empty) list L of message-ciphertext pairsCorrectFHEgame () = (sk,pk) ← Gen()

L ← []A[E,F](pk)(m,c) ← last(L)return (Dec(sk,c) 6= m)

E(m) = c ← Enc(pk,m)L ← L;(m,c)return c

F(f,I) = (ms,cs) ← unzip L[I]m ← f(ms)c ← Eval(pk,f,cs)L ← L;(m,c)return c

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Terminology

Reading papers, you will find references to

Fully Homomorphic EncryptionSomewhat Homomorphic EncryptionLeveled Fully Homomorphic Encryptionetc.

We will use FHE as a catchall term

Definition is parametrized by a set of functions FFunctions in F can be composed only if their types matchF is closed under compositionCan use “phantom” types to limit composition

We will rarely define F formally, but it is a useful exercise

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security of Homomorphic Encryption

INDCPAgame(b:{0 ,1})(sk,pk) ← Gen()A(pk) → (m0,m1)return A(Enc(pk,mb)): {0,1}

RemarkThe IND-CPA security definition depends only on Gen and Enc,but not on Dec (or Eval)

QuestionCan the IND-CPA security definition be applied as it is to FHEschemes (Gen,Enc,Dec,Eval)?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

A trivial FHE scheme

Consider the following FHE scheme:

Let (Gen,Enc,Dec) be IND-CPA secureDefine TrivialFHE = (Gen,Enc',Dec',Eval)

Enc '(pk,m) = (Enc(pk,m) ,[])Dec '(sk ,(ct ,[])) = Dec(sk,ct)Dec '(sk ,(ct ,[f;fs])) = f(Dec '(sk ,(ct,fs)))Eval(pk,f,(ct ,[fs])) = (ct ,[f;fs])

QuestionIs TrivialFHE a correct FHE scheme?Is TrivialFHE a secure FHE scheme?What makes the above scheme “trivial”?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Compactness

The TrivialFHE scheme is both correct and secure

The problem with TrivialFHE is that it is not efficient:

Computation is performed by Dec, not Eval!

DefinitionA FHE scheme is compact if the size of ciphertextct = Eval(pk,f,Enc(pk,m)) is independent of Size(f)

Weaker forms of compactness:

Ciphertext size may grow logarithmic with Size(f)Ciphertext size may depend on Depth(f)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Function Privacy

f0(x,y) = x + yf1(x,y) = y + x

Game[A](b: {0,1})(sk,pk) ← Gen()ctX ← Enc(pk,x)ctY ← Enc(pk,y)ct ← Eval(pk,fb,ctX ,ctY)return A(ct)

QuestionAssume (Gen,Enc,Dec,Eval) is a secure FHE scheme. Can anefficient adversary A recover the bit b = Game[A](b) ?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Passive Attacks to FHE

Game[A](b: {0,1})(sk,pk) ← Gen()State ← []b' ← A[E,D,F](pk)return b'

Adversary has access to three stateful oracles:

Encryption oracle: E(m0,m1)

Function Evaluation oracle: F(f0,f1,I)Decryption oracle: D(i)

Joint State: List of message-message-ciphertext triplets(m0,m1,ct)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Passive Attack (oracles)

E(m0,m1) = ct ← Enc(pk,mb)State ← (State;(m0,m1,ct))return ct

F(f0,f1,I) = (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,fb,cts)m0 ← f0(ms0)m1 ← f1(ms1)State ← State;(m0,m1,ct)return ct

D(i): (m0,m1,ct) ← State[i]if (m0 ≡m1)

then return Dec(sk,ct)else return Nil

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Passive Attack with/without function privacy

The game we just described guarantees function privacyA similar definition without function privacy can beobtained by requiring f0≡f1 in the function evaluationqueries

F'(f,I): (ms0,ms1,cts) ← unzip State[I]ct ← Eval(pk,f,cts)m0 = f(ms0)m1 = f(ms1)State ← (State;(m0,m1,ct))return ct

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Example: Circuit Privacy

Assume messages are single bits m: {0,1}

Let FHE=(Gen,Enc,Dec,Eval) a function private FHEscheme supporting NAND(x,y)= not (x && y)

EvalC(pk,C,...): evaluates boolean circuitC: {0, 1}n →{0,1} one gate at a time usingEval(pk,NAND,...)

Let C0,C1 : NAND circuits with the same number ofinputs and NAND gates(sk,ps)← Gen()

Let xs0, xs1 be input bits such that C0(xs0) = C1(xs1)

QuestionAre the following two distributions indistinguishable?

(pk ,EvalC(pk, C0, Enc(pk,xs0)))(pk ,EvalC(pk, C1, Enc(pk,xs1)))

% CSE208: Advanced Cryptography % Daniele Micciancio %Fall 2020

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 3

Bootstrapping

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping

For simplicity: fix message space to {0, 1}

HE=(Gen,Enc,Dec,Eval)

Homomorphic functions: Func = { nand }Supports only bounded computations: Depth(C)< D

QuestionCan we use HE to build a FHE scheme supporting arbitrarycircuits/functions?

The process of building FHE from HE is called“bootstrapping”

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decryption as a boolean function

Everything is a sequence of bits

Secret key sk: {0, 1}k

Ciphertext ct: {0, 1}l

Dec(sk,ct): {0,1}

Usually we think of Dec as a function

described by secret key skmapping ciphertext ct to message bit Dec(sk,ct): {0,1}

But we can also think of Dec as a function

described by ciphertext ctmapping secret key sk to message bit Dec(sk,ct): {0,1}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Homomorphic Decryption

Fix a ciphertext cDefine fc : sk 7→ Dec(sk, c)Assume Size(fc) < S, Depth(fc) < DLet bk[1..k] = Enc(pk,sk[1..k])

QuestionWhat is the result of the following computation?

EvalC(pk,fc ,bk[1..k])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Proxy Re-encryption

Primary key: (pk,sk)

Secondary key: (pk1,sk1)

Re-encryption key: rk = Enc(pk1,sk[1..k])

Input ciphertext c = Enc(pk,m)

Decryption function fc(sk) = Dec(sk,c)


EvalC(pk1 ,fc ,rk)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decrypt and compute (unary)

Homomorphic Encryption (Gen,Enc,Dec,Eval)

Assume Func = { fc | c: CipherText } wherefc (sk) = not (Dec(sk,c))

(pk,sk) ← Gen()ek = Enc(pk,sk)c = Enc(pk,m)


EvalC(pk,fc ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decrypt and compute (binary)

Homomorphic Encryption (Gen,Enc,Dec,Eval)

Assume Func = { fc,c′ | c,c': CipherText } wherefc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

(pk,sk) ← Gen()ek ← Enc(pk,sk)c ← Enc(pk,m)c' ← Enc(pk,m')


EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping

Given (1-hop) (Gen,Enc,Dec,Eval) supporting functionsfc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

Define (multi-hop) FHE scheme with Func = { nand }

Gen '() = (sk,pk) ← Gen()ek ← Enc(pk,sk)return (sk ,(pk,ek))

Enc '((pk,ek),m) = Enc(pk,m)

Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping





Eval '((pk ,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness

Let (Gen',Enc',Dec,Eval') be the new encryption scheme

TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then

Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'

Strong correctness property:Dec(sk,Eval '((pk,ek),nand ,c,c')

= Dec(sk,c) nand Dec(sk,c')

for any ciphertexts c,c' !

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness

Let (Gen',Enc',Dec,Eval') be the new encryption scheme

TheoremIf Dec(sk,c)= m and Dec(sk,c')= m', then

Dec(sk ,Eval '((pk,ek),nand ,c,c') = m nand m'

Strong correctness property:Dec(sk ,Eval '((pk,ek),nand ,c,c')

= Dec(sk,c) nand Dec(sk,c')

for any ciphertexts c,c' !

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security

Assume FHE = (Gen,Enc,Dec,Eval) is IND-CPA secureBuild new scheme FHE':



Is FHE' IND-CPA secure?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Leveled Homomorphic Encryption

Goal: build a FHE supporting NAND circuits of depth upto L, for any given LKey generation procedure takes L as input:

Gen '(L) =for (i=0..L)

(sk[i],pk[i]) ← Gen()for (i=1..L)

ek[i] = Enc(pk[i],sk[i-1])sk' = sk[0..L]pk' = pk[0..L],ek[1..L]return (sk ',pk ')

Enc '(pk',m) = Enc(pk[0],m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

FHE Today

State of the artWe can build leveled FHE from standard LWE assumption

Built using bootstrappingInefficient, but better than nothing

Open problemBuild (non-leveled) FHE from standard LWE

In practice, one can apply bootstrapping withek = Enc(pk,sk)

Much smaller key than leveled FHENo known attacks to circular securityStill, it is not known how to prove security

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 4

LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Linear equations

q: integer modulusZq: integers modulo qA ∈ Zn×m

q : matrixb ∈ Zn

q

ProblemGiven A, b, find x ∈ Zm such that Ax = b (mod q)

ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)

QuestionWhich problem can be efficiently solved?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Worst-case vs Average-case hardness

ProblemGiven A, b, find x ∈ {0, 1}m such that Ax = b (mod q)

NP-hard: no polynomial time algorithm unless P=NP

Is it hard to solve on the average?

For what probability distribution?

A← Zn×mq

x ← {0, 1}m

b = Ax (mod q)

Is f : (A, x) 7→ (A,Ax mod q) is a One-Way Function?

For what values of n,m, q?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

One-Way Functions

Definitionf : D → R is a one-way function if for any PPT algorithm IPr{InvertGame(I)} ≈0 whereInvertGame:

x ← Dy = f(x)x' ← I(y)

return (f(x')?= y)

D = Zn×mq × {0, 1}m

R = Znq

f (A, x) = Ax mod qAsymptotics: q(m) = 2poly(m), n(m) = poly(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

One-Way?

A← Zn×m

x ← {0, 1}mf (A, x) = Ax mod q

QuestionIs f a one-way function when

1 q = 2m, n = m2 q = 2m, n = m/23 q = m, n = m/24 q = m, n =

√m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Short Integer Solution (SIS) problem

Parameters:

modulus qdimensions n < mbound β

ProblemSIS: Given A ∈ Zn×m

q and b ∈ Znq, find x ∈ Zm such that

Ax = b (mod q) and ‖x‖ ≤ β

More generally: x ∈ S ⊂ Zm

Special cases:

S = {x : ‖x‖ ≤ β}S = {0, 1}m

S = {x : ‖x‖∞ ≤ β}

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Systematic Form

Assume n < m (e.g., n = m/2)Let A = [I,A′] ∈ Zn×m for some A′ ∈ Zn×(m−n)

LemmaIf SIS is hard, then SIS’ is hard

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Learning With Errors

SIS’: A = [I,A′] ∈ Zn×m where n < m (say, n = m/2)Let x = (e, s)Ax = [I,A′](e, s) = A′s + e

ProblemLWE: Given A′ and b, find small e, s such that A′s + e = b

ProblemLWE: Given A′ and b, find small e, s such that A′s ≈ b

Notice:

A′ ∈ Zn×nq

A′s = b is easy to solveA′s ≈ b seems hard

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE problem

Notation:

secret s ← Znq, usually chosen at random

modulus q(n) = poly(n)A← Zm×n

qerror e ← χm, usually |ei | ≈

√n

b = As + e ∈ Zmq

ProblemSearch LWE: Given A and b, find s

Each row of A gives an approximate equation 〈a, s〉 ≈ bif m� n, then s is uniquely determinedStill, hard to find s

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Uniform vs Small secrets

LemmaIf LWE is hard for s ← χn, then it is hard for s ← Zn

q

Proof: Assume Adv solves LWE with uniform s ← Znq

Adv '(A,b)s ← Zn

qb' = b + Ass' = Adv(A,b')return (s' - s)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decisional LWE (DLWE)

DefinitionLWE distribution:

LWE[q,n,m] =do A ← Zm×n

qs ← Zn

qe ← χm

b = As+ereturn (A,b)

DefinitionDecisional LWE (DLWE): distinguish LWE[q,n,m] fromUniform(Zm×(n+1)

q )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decision to Search reduction

TheoremIf DLWE is hard, then LWE is hard

Proof:

Assume Adv solves LWEGiven Adv' that solves DLWE

Adv '(A,b):s ← Adv(A,b)if (As ≈ b)

then return "LWE"else return "random"

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Search vs Decision

Is (Search) LWE harder than DLWE?

TheoremIf Seach LWE is hard for any m = poly(n), then DLWE is alsohard for any m = poly(n)

TheoremFor any m = poly(n), if Seach LWE is hard, then DLWE is alsohard for any m = poly(n)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE Search to Decision reduction (easy version)

Assume Adv can distinguish LWE from uniformTask: Given A,b, find s such that As ≈b (mod q)

Assumption: s is unique (holds with very high probability)We show how to check if si = γ:

Adv(A,b):a ← Zm

A' = A + [0..0,a ,0..0]b' = b + γ acase Adv(A',b') of

"LWE" : return si = c"random" : return si 6= c

Recover all entries of s, one at a time

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

(Decisional) LWE Assumption

In the rest of the course we will just assume that DLWE ishard

There are several variants of the assumption:

Uniform vs. small secret sDifferent (always small) error distributions e ← χFixed vs unbounded number of samples mDifferent values of qConcrete hardness assumptions

By and large all variants are equivalent up to polynomialreductions

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

How to Encrypt with LWE

Fix secret s in Znq

LWE samples (ai , bi ) where ai ∈ Znq and bi ∈ Z

Polynomially many samples (ai , bi ) for i = 1, 2, ...DLWE: the bi values are pseudorandomIdea: use bi as a one-time pad to encrypt a messate m

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE Symmetric Encryption

Gen():s ← Zn

qreturn s

Enc(s,m):a ← Zn

qe ← χb = 〈a, s〉 + e + m

Dec(s,(a,b)):return (b - 〈a, s〉)

Is this a valid encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Symmetric Encryption

SKE(Gen ,Enc ,Dec)Gen: () → skEnc: (sk,m) → cDec: (sk,c) → m

Correctness: for every sk ← Gen() and m ← [M], r ← [R]:

Dec(sk,Enc(sk,m;r)) = m

QuestionIs this a valid encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correcting from errors

Ciphertext modulus qMessage modulus p (assume p divides q)Message space: m ∈ Zp

Enc(s,m) = (a,b) wherea ← Zn

q, e ←χ

b = 〈a, s〉 + e + (q/p)m

Dec(s,(a,b)) = round(c*p/q)) wherec = b - 〈a, s〉 mod q

LemmaIf |e| < β then Dec(s,Enc(s,m;a,e))= m

QuestionFor what value of β is the lemma correct?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

IND-CPA security for symmetric encryption

INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[LR]return b':{0 ,1}

LR(m0,m1):ct ← Enc(sk,mb)return ct

Similar LR security definition can be given also for PKE:A[LR](pk) is given pk and oracle access to LR

Previous PKE INDCPAgame allows only one query to LR

QuestionWhy can restrict PKE INDCPAgame to one query?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security of LWE symmetric encryption

Assume |e| < β = q/(2p) for all e ← χIs LWE INDCPAgameSKE secure?

TheoremAssume DLWE holds for a given q(n) and any m = poly(n).Then LWE symmetric encryption is INDCPA secure, i.e., anyadversary Adv has negligible advantage in the INDCPAgameSKEdistinguishing game.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

RR-CPA security

LWE encryption satisfies a stronger security property:ciphertext indistinguishability from random

INDCPAgameSKE(b:{0 ,1})sk ← Gen()b' ← A[RR]return b':{0 ,1}

RR(m):ct0 ← Enc(sk,m)ct1 ←Zn+1

qreturn ctb

“Real or Random” oracle RR

RR-CPA security also provides a form of anonimity

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LeftRight vs RealRand security

TheoremIf a (SKE or PKE) scheme is INDCPA-RR secure, then it is alsoINDCPA-LR secure.

RemarkA (SKE or PKE) scheme can be INDCPA-LR secure, but notINDCPA-RR secure.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Compact LWE Encryption

Ciphertext expansion: bitsize(ct)/ bitsize(m)

Compact LWE SKE (Gen,Enc,Dec)

Gen():

S ← Zl×nq

return S

Enc(S,m) = (a,b)a ← Zn

qe ← χl

b = Sa + e + round((p/q)m)

Dec(S,(a,b)):c ← b - St a) mod qreturn round(c*p/q)

TheoremCompact LWE SKE is correct and INDCPA-RR secure

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Ciphertext Expansion

Compact LWE encryption:

Key S ∈ Zl×nq

Message m ∈ Zlp

Encryption Enc(S,m)= (a,b) where b = Sa + e + mp/q

Ciphertext (a, b) ∈ Zn+lq

QuestionWhat is the ciphertext/plaintext size ratio?

Example:

Enc(f,x;r)= (f(r),H(r)⊕m) where f : {0, 1}k → {0, 1}k

Enc(f,.):{0, 1}m→{0, 1}m+k

Ciphertext expansion: (m + k)/m = 1 + (k/m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 5

Linearity

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE Symmetric Encryption

Gen():s ← Zn

qreturn s

Enc(s,m):a ← Zn

qe ← χb = 〈a, s〉 + e + (q/p)mreturn (a,b)

Dec(s,(a,b)):d = b - 〈a, s〉 mod qreturn (round(d*p/q))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Compact (Matrix) LWE

Gen():

S ← Zl×nq

return S

Enc(S,M) = (A,B)A ← Zn×w

qE ← χl×w

B = SA + E + round((p/q)M) mod q

Dec(S,(A,B)):D ← B - SA mod qreturn round(D*p/q)

Notation:

[A,B]: horizontal concatenation(A,B): vertical concatenation

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Linearity of the LWE function

Let LWE(S,X;A,E)= SA + X + E be the raw LWE functionEncryption: Enc(S,M)= LWE(S,(q/p)M; A,E) for random A,E

Linear properties:LWE(S,X;A,E) + LWE(S,X';A',E')

= LWE(S,X+X';A+A',E+E')

LWE(S,X;A,E) - LWE(S,X';A',E')= LWE(S,X-X';A-A',E-E')

c*LWE(S,X;A,E) = LWE(S,c*X; c*A,c*E)

Key Homomorphism:LWE(S,X;A,E) + LWE(S',X';A,E')

= LWE(S+S',X+X'; A, E+E')

Ciphertexts must use the same A!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Linearity of Ciphertexts

Ciphertexts that “encrypt” X under S with error E.

DefinitionLWE(S,X;E) = { (A,B): B = LWE(S,X;A,E)}

LWE(S,X;β) = { (A,B) : B = LWE(S,X;A,E), |E |∞ < β }

LWE(S,X;E)+ LWE(S,X';E')⊆ LWE(S,X+X';E+E')

LWE(S,X;E)- LWE(S,X';E')⊆ LWE(S,X-X';E-E')

c*LWE(S,X;E)⊆ LWE(S,c*X; c*E)

QuestionLWE(S,X;β) + LWE(S,X';β′) ⊆LWE(S,X+X';β + β′) ?

QuestionLWE(S,X;β) - LWE(S,X';β′) ⊆LWE(S,X+X';β − β′) ?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Message and Ciphertext Operations

Addition:

M0 + M1 ∈ Zl×wq

(A0,B0) + (A1,B1) = (A0 + A1,B0 + B1) ∈ Z(n+l)×wq

Subtraction

M0 −M1 ∈ Zl×wq

(A0,B0)− (A1,B1) = (A0 − A1,B0 − B1) ∈ Z(n+l)×wq

Scalar multiplication

c ·M ∈ Zl×wq

c · (A,B) = (c · A, c · B) ∈ Z(n+l)×wq

Arbitrary linear transformations . . .

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Additive Homomorphism Encryption

Homomorphic Encryption supporting the addition ofciphertexts

sk ← Gen()c0 ← Enc(sk, m0)c1 ← Enc(sk, m1)c = c0 + c1m = m0 + m1

Dec(sk,c)?= m

QuestionDoes LWE encryption satisfy the addititive homomorphicproperty? For what error bound |χ| < β?

QuestionIs ciphertext c distributed according to Enc(m0+m1)?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Summation

Homomorphic Encryption supporting the addition ofciphertexts

sk ← Gen()c1 ← Enc(sk, m1)c2 ← Enc(sk, m2)...ck ← Enc(sk, mk )c = c1 + c2 + ... + ckm = m1 + m2 + ... + mk

Dec(sk,c)?= m

QuestionFor any given bound |χ| < β, what is the largest value of k forwhich one can add k ciphertexts?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Subtraction and Scalar multiplication

Subtraction m0 −m1 : similar to addition m0 + m1±1-linear combinations: similar to summationScalar multiplication c ·m: error grows by a factor cCiphertexts can be multiplied only by small scalars!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Concatenation

LWE(S,X;A,E)= SA + X + E

S ∈ Zk×nq

A ∈ Zn×wq

X ,E ∈ Zk×wq

The same S can be used with messages X with any numberof columns w

Message Concatenation X | X' = [X,X']

Definition(A,B) | (A',B')= ([A,A'],[B,B'])

TheoremLWE(S,X;A,E)| LWE(S,X';A',E)⊆LWE(S,[X,X'];[A,A'],[E,E'])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Linear Transforms

Left multiplication by a constant matrix: M → M T

Ciphertext C = LWE(S,M;E)

Notice: M and C have the same number of columnsWe can apply T to C: C → CT

TheoremLWE(S,X;A,E)*T ⊆LWE(S,XT;AT,ET)LWE(S,X;E)*T ⊆LWE(S,XT;ET)

Special case:

Addition: C + C' = [C|C']T for T=(I,I)Subtraction: C - C' = [C|C']T for T=(I,-I)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Constant Messages

QuestionCan you compute an LWE encryption of a message M withoutknowing the secret key S?

I pick S ← Gen() and keep it secretGoal: find ciphertext C such that Dec(S,C)= M

Let (A,B) = (O,(q/p)M)

Dec(S,(A,B))= (p/q)(B - SA)= M

We write Const(M) for the constant ciphertext (O,(q/p)M)

Remarks:

The ciphertext C is independent of SC = LWE((q/p)M;0) is a “noiseless” encryption of M

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Constant Messages as Homomorphic properties

LWE(S,M;E)+ LWE((q/p)M';0)= LWE(S,M+M';E)

Homomorphism for “nullary functions” fM() = M

Given an empty sequence of ciphertexts [], produce anencryption of fM([]) = M

Homomorphism for unary functions fM(M ′) = M + M ′

Given an encryption of M ′, produce an encryption of theshifted message M + M ′

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Circular security

A PKE scheme is “circular secure” if one can securlypublish the encryption Enc(pk,sk).A SKE scheme is “circular secure” if one can securlypublish the encryption Enc(sk,sk).

DefinitionA PKE scheme (Gen,Enc,Dec) is circular secure if(Gen',Enc',Dec) is IND-CPA secure where

Gen '():(sk ,pk) ← Gen()ct ← Enc(pk,sk)pk' = (pk,ct)

Enc '((pk ,ct),msg) = Enc(pk,msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Application: Public key encryption

Can we transform Secret Key Encryption to Public KeyEncryption?

Not in general: black box separationsImpagliazzo’s worlds: Minicrypt vs Cryptomania

What if we start from an Additively Homomorphic SKEscheme?

Black box separation results break down

What about a weakly (bounded) additive scheme?

What about our LWE SKE scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

PKE: Construction

Start from SKE (Gen,Enc,Dec)

Construct a PKE (Gen',Enc',Dec)

Gen '():sk ← Gen()for i=1..n

pk[i] ← Enc(sk ,0)pk = pk[1..n]return (sk,pk)

Enc '(pk,msg):for i=1..n

r[i] ← {0,1}ct = Const(msg) + sum { pk[i] : r[i] = 1 }return ct

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness of PKE

Dec(sk, msg+Enc(sk ,0) +...+ Enc(sk ,0))= msg + 0 + ... + 0 = msg

TheoremIf SKE is (1-hop) homomorphic under constant increment andn-summation, then PKE is correct.

TheoremIf SKE is (1-hop) homomorphic under constant increment andhn-summation, then PKE is correct and homomorphic underconstant increment and n-summation.

QuestionAssume SKE is an IND-CPA secure and homomorphic. Is PKEsecure?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

For what value of n?

Certainly not secure for n = 1 (or even n = 0!)

What about large n?

How large?

Answer: Secure, for large enough n and any additivelyhomomorphic SKE [Rothblum, TCC 2011]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

The case of LWE SKE

Consider the PKE scheme obtained from our LWE-basedSKEGen '():

S ← Gen()P = Enc(S,0) |..| Enc(S,0) = Enc(S ,[0..0])return (S,P)

Enc '(P,M):R ← {0, 1}∗PR + Const(M)

TheoremLWE PKE is RR-IND secure.

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Universal Hashing

DefinitionA function family H = {h : X → Y |h} is 2-universal if for anya, b ∈ X ,

{(h(a), h(b))|h ∈ H} ≡ {(f (a), f (b))|f : X → Y }

Let (X ,+) be an additive groupFor any vector a ∈ Xn, define the subset-sum functionh(a, S) =

∑{ai : i ∈ S}

QuestionWhich of the following function families is 2-universal?

1 {ha : S → h(a,S)|a ∈ Xn}2 {hS : a→ h(a,S)|S ⊆ {1, .., n}}3 Both4 Neither

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Universal Hashing (continued)

ha(S) =∑

i∈S ai is not 2-universal

What about ga,b(S) = b + ha(S)?

Yes, this is 2-universalProve it as an exercise

{ha : {0, 1}n → X}a still satisfies a weaker property whichis enough for our purposes

DefinitionFor any a 6= b, Prh{h(a) = h(b)} = 1/|X |

We will refer to this weaker property as 2-universal’

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Universal Hashing: proof

LemmaFor any group (X ,+), the function family {ha(S) =

∑i∈S ai}a

is 2-universal’, i.e., for all S 6= T we havePrh{h(S) = h(T )} = 1/|X |

Proof.

Let j ∈ S \ TFix ai for all i 6= jLet T ′ = T \ S and S ′ = S \ (T ∪ {i})c =

∑i∈T ′ ai −

∑i∈S′ ai does not depend on aj

ha(S) = ha(T ) iff aj = cPr{aj = c} = 1/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Leftover Hash Lemma

LemmaFor any 2-universal’ family {h : X → Y |h ∈ H}, the distributions{(h, h(x))|h← H, x ← X}{(h, y)|h← H, y ← Y }

are within statistical distance ∆ ≤√|Y |/|X |.

Proof Steps:

1 If H is 2-universal’, then (H,H(X )) has small collisionprobability

2 If (H,H(X )) has small collision probability, then it isstatistically close to uniform

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Collision Probability and Uniformity

Z ,Z ′ i.i.d., with Pr{Z = z} = p(z)

DefinitionCollision Probability:C(Z ) = Pr{Z = Z ′} =

∑z p(z)2

∑z(p(z)− 1/|Z |)2 = C(Z )− 1/|Z |

Norm inequality: ∀v ∈ Rn.‖v‖1 ≤√n‖v‖2

∆(Z ,U) = 12

∑z |p(z)− 1/|Z ||

∆ ≤ 12√|Z |

√∑z(p(z)− 1/|Z |)2

∆ ≤ 12√|Z |C(Z )− 1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Collision Probability of Universal Hashing

Z = (H,H(X )), 2-universal function family H : X → Y

Collision Probability of Z :

C(Z ) = Pr(h = h′, h(x) = h′(x ′)|h, h′ ← H, x , x ′ ← X )

C = 1|H| Prx ,x ′ [Prh(h(x) = h(x ′))]

Union bound:

Pr(x = x ′) = 1/|X |If x 6= x ′, then Prh(h(x) = h(x ′)) ≤ 1/|Y |

C ≤ 1H ( 1|X | + 1

|Y |)

Using |Z | = |H| · |Y | we get

∆ ≤ 12√|Z |C − 1 = 1

2√|Y |/|X |

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security of LWE PKE

Gen(): S,E ← ...P = Enc(S ,[0..0]) = (A,SA+E)return (S,P)

Enc(P,M): R ← {0, 1}∗return PR + Const(M)

TheoremLWE PKE is RR-IND secure.

Proof:

1 Assume Adv breaks PKE2 LWE Assumption: P = (A,SA+E)≈(A,B)3 Adv breaks RR-CPA when P is uniform4 If P is uniform, then (P,PR) is close to uniform

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Details

Claim: (P,PR) is close to uniform

Enough to look at a single column (P,Pr)

Statement for matrix (P,PR) follows by hybrid argument

P: r →Pr is 2-universal

Columns of P belong to a group (Zn+lq ,+)

r selects a subset of the columns of PApply Leftover Hash Lemma

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Homomorphic PKE

Enc(P,M)= PR + Const(M)

Enc(P,M)+ Enc(P,M')= PR + Const(M)+ PR' + Const(M')=

P(R+R')+ Const(M+M')

Enc(P,M)+ Enc(P,M')≈Enc(P,M+M')

Noise: E+E'

[ Enc(P,M)| Enc(P,M')] = Enc(P,[M|M'])

Noise: [E|E']

Enc(P,M)T ≈Enc(P,MT)

Noise: ETT must be small

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Encoding modulo q

Ciphertext modulus q. Assume q = 2k

Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryption

What if we want to encrypt msg ∈ Zq?

Idea:

write msg =∑

i mi2i , where mi ∈ {0, 1}Encrypt each bit individually: Enc(m0),...,Enc(mk)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Encoding modulo q

Ciphertext modulus q. Assume q = 2k

Plaintest modulus p � q, e.g., p=2. Use scalingConst(msg)= (O,(q/p)msg) to allow error correction andcorrect decryptionEnc(m: {0, 1}k ) = (a,Sa+e+(q/2)m)

bitDecomp(msg: Zq) =for i=0..k-1

m[i] = (msg >> i) mod 2return m[]

Enc '(msg: Zq) =return (Enc(bitDecomp(msg))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Linear Encoding

Bit encoding: (msg:Zq)→(m[*]:{0, 1}k)

good: works for any message spacebad: breaks linear homomorphic properties

We need to use a linear encoding function:

(msg:Zq)→(m[*]:Zkq)

msg → msg*(1,2,4,8,...)

Column encoding:

pow2col = (1,2,4,8,...)Enc'(S,msg)= LWE(S,msg*pow2col)= (a,b)

Row encoding:

pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decoding modulo q

QuestionCan you decryptEnc'(S,msg)= LWE(S,msg*pow2col)= (a,b)?Can you decryptEnc'(s,msg)= LWE(s,msg*pow2row)= (A,b)?For what error bound |e|∞ < β?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Decryption algorithm

Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b) whereb = sA+e+msg*pow2row

Dec '(s,(A,b)):msg ← 0for i=0...(k-1)

ct ← (A[k-i-1],b[k-i-1] - msg*2k−i )m[i] ← Dec(s,ct)msg ← msg+m[i]<<(i)

return msg

Theorem(Gen,Enc',Dec') is a valid encryption algorithm for β = q/4

QuestionDoes a similar algorithm work for pow2col?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Arbitrary linear transformations

Starting point: Enc() linearly homomorphic for small t

Enc(P,m)*t ≈Enc(P,mt)problem: error grows by a factor t

What about computations modulo q?

pow2row = [1,2,4,8,...]Enc'(s,msg)= LWE(s,msg*pow2row)= (A,b)

Multiplying by any t ∈ Zq

Compute tBin[] = bitDecomp(t)Compute scalar product with vector tBin[]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness of scalar multiplication

Enc '(s,msg) * tBin[]= LWE(s,msg*pow2row;e) * tBin[]= LWE(s,msg*pow2row*tBin [];e*tBin [])= LWE(s,msg*t;e')

pow2row * tBin[] =∑

i 2i ·tBin[i] = t

if |e| < β, then |e′| = |∑

i ei · tBin[i ]| ≤ k · βError grows only by k = log q

Problem:

result msg*t is a value modulo qEnc(s,msg*t;e') is not properly encodedwe need an encryption of msg*t*pow2row

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Constant Multiplication algorithm

Enc'(s,msg)= LWE(s,msg*pow2row)

Enc'(s,msg)* bitDecomp(t)= LWE(s,msg*t;e')

CMul(C,t):T = bitDecomp(t * pow2row)return C * T

Proof:

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Extensions and Generalizations

Matrix messagesM ⊗ pow2row = [M,M*2,M*4,M*8 ,...]

Arbitrary message modulus:round(m*(q/p),m*(q/p)/2,m*(q/p)*4 ,...)

Other gadgets, e.g., based on Chinese Remainder Theorem

q =∏

i pi product of small primesencoding vector crtRow = [q/p1,q/p2,...,q/pk]crtRow * crtDecomp(t)= t

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Summary

At this point we have an encryption algorithmEnc '(S,M) = LWE(S,M ⊗ pow2row)

with message space Zw×lq , and supporting the homomorphic

evaluation of the following operations:

Const(M): noiseless encryption of M(+): addition of ciphertexts(-): subtraction of ciphertextsCMul(.,T): multiplication by any linear transformationmodulo q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 6

Key Switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Remember Proxy Re-encryption?

Primary key: (pk,sk)

Secondary key: (pk1,sk1)

Re-encryption key: rk = Enc(pk1,sk[1..k])

Input ciphertext c = Enc(pk,m)

Decryption function fc(sk) = Dec(sk,c)


Eval(pk1 ,fc ,rk)

QuestionCan you implement proxy re-encryption using LWE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE-based Proxy Re-encryption?

sk[1..n] ∈ Znq

sk '[1..n] ∈ Znq

Enc(sk,msg) = LWE(sk,msg*pow2row) = (A[],b[])rk[i] = Enc(sk ',sk[i])

Dec '(sk ,(A,b))[j] = b[j] -∑

i sk[i] * A[i,j]≈ msg*pow2row

Dec(sk ,(A,b)) = decode(Dec '(sk ,(A,b)))

QuestionCan you compute Dec' homomorphically?Does it give you a proxy re-encryption scheme?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE-based Proxy Re-encryption

Enc(sk,msg) = LWE(sk,msg*pow2row)rk[i] = Enc(sk ',sk[i])Dec '(sk ,(A,b)) = b[j] -

∑i sk[i] * A[i,j]

Goal: homomorphically evaluate the functionfA,b(sk) = Dec '(sk ,(A,b))Eval(fA,b,rk) = ?

Solution: Eval(fA,b,rk) = ct

ct[j] = Const(b[j]) -∑

i CMul(rk[i],A[i,j])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Key Switching

Generalize proxy re-encryption:

sk,sk' may have different dimensions and moduliEnc(sk,.), Enc'(sk',.) may use different plaintextmoduli and message encodings

Example

Message space msg: ZpCiphertext modulus qsk[1..n], sk'[1..n] ∈ Zn

qEnc(sk,m)= LWE(sk,(q/p)*msg) mod qEvaluation key: rk[i] = Enc(sk',sk[i])

Do you see any problem?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Key Switching

Source scheme:msg: Zpsk[1..n] ∈ Zn

qEnc(sk,msg) = LWE(sk, q

p msg) = (a[],b) mod q

Target scheme:msg ': Zq

sk '[1..n'] ∈ Zn′q

Enc '(sk',msg ') = LWE(sk',msg '* pow2row)

Evaluation:ek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =

Const(b) -∑

i CMul(a[i],ek[i])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Correctness

msg: Zp; sk[1..n] ∈ Znq

msg ': Zq; sk '[1..n'] ∈ Zn′q

Enc(sk,msg) = LWE(sk, qp msg) = (a[],b) mod q

Enc '(sk',msg ') = LWE(sk',msg '* pow2row)

ek[i] = Enc '(sk',sk[i])

KeySwitch(ek ,(a[],b))= Const(b) -

∑i CMul(a[i],ek[i])

= Const(b) -∑

i CMul(a[i],Enc '(sk',sk[i]))

= LWE(sk ',b -∑

i a[i]*sk[i])= LWE(sk ', q

p msg + e)

= Enc(sk ',msg)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Remarks

Source and Target schemes may use different moduli

Enc'(sk',msg')= LWE(sk', qqmsg'*pow2row)

Input ciphertext may use compact (matrix) LWE

Enc(SK,msg[])= LWE(SK, qp msg[])

RK' = Enc'(SK',SK)

Key Switching:

Input: Enc(sk,msg: mod p): mod qSwitching Key: Enc'(sk',sk: mod q): mod q'Output: Enc(sk',msg: mod p): mod q'

Input/Output can use arbitrary encoding, e.g.,

Input: Enc(sk,msg)= LWE(sk,msg*pow2row)Output: Enc(sk',msg)= LWE(sk',msg*pow2row)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Sub-key Switching

Application: reduce key size SK → SK'

Always: SK,SK' must have the same number of rowsOften SK is a “sub-matrix” of SK = [SK',SK'']

Switching Key[RK',RK"] = Enc '(SK',SK)

= Enc '(SK ',[SK ' | SK ''])= [Enc '(SK',SK ') | Enc '(SK',SK")]

But RK' is publicly known! (remeber circular security?)Can use a smaller switching key RK" = Enc'(SK',SK")

QuestionDoes it work? What if SK"=[]? Then, RK"=[] and SK = SK'!Is it trivial? Is it useful?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Modulus switching

Subkey switching from SK to SK'=SK can still be useful tochange the ciphertext modulus from q to q'

So far we used the simplifying assumption that p|q

Switching from q to q' requires a switching key with

plainext modulus qciphertexst modulus q'but if q|q', this only allows to increase the modulus

(Sub-)Key Switching works also for p 6 |q

but introduces a “small” rounding errorfor subkey switching the rounding error if proportional to SKswitching to a smaller modulus requires “small” key SK

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Subkey and Modulus Switching

Subkey switching

Input: ct = Enc([SK',SK"],m) and RK = Enc'(SK',SK")SubkeySwitch(RK,ct)= ct' such that Dec(SK',ct')= m

QuestionGive explicit description of SubkeySwitch algorithm

Modulus switching

Assume SK has small entriesInput: ct = Enc(SK,m)mod q and nothing elseModSwitch(ct)= ct' mod q' such that Dec(SK,ct')= m

QuestionGive explicit description of ModSwitch algorithm

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 7

Multiplication

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

What we have done so far

Simple LWE Encryption: private key encryption supporting

small message modulus (p � q)homomorphic additionhomomorphic multiplication by small constantsenough to obtain public key encryptioncircular security (for small keys)

Extended LWE Encryption to support

large message modulus (p = q)homomorphic multiplication by arbitray constantscircular security (for arbitary keys)key switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Next: Homomorphic Multiplication

ProblemGiven Enc(sk,msg[0]) and Enc(sk,msg[1]), compute aciphertext ct such that Dec(sk,ct)= msg[0]*msg[1]

Can this be done for our LWE encryption scheme?

Can it be done with the help of some additional keymaterial?

Yes, in fact, there are multiple ways to do it

Nested encryptionHomomorphic decryptionTensor product

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Method 1: Nested Encryption

msg[0],msg[1] ∈ Zqct[0] = Enc(sk[0],msg[0])

ct[1] = Enc(sk[1],msg[1])

Multiply encryption of msg[0] by ct[1]

ct[0] * ct[1]= Enc(sk[0],msg [0]) * ct[1]= Enc(sk[0],msg [0]*ct[1])

Inner multiplication:msg [0]*ct[1]= msg [0]* Enc(sk[1],msg [1])= Enc(sk[1],msg [0]* msg [1])

Final result: Enc(sk[0],Enc(sk[1],msg[0]*msg[1]))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Details

ct[1] = Enc(sk[1],msg[1]) is a vector!

ct[0] = Enc(sk[0],msg[0]*I)(msg[0]*I)*ct[1] = msg[0]*ct[1]

msg[0]*Enc(sk[1],msg[1];e[1])= Enc(sk[1],msg[0]*msg

[1]; msg[0]*e[1])

Assume msg[0] is small (e.g., ,10,1)May set Enc(sk[1],msg[1])= LWE(sk[1],(q/2)*msg[1])

Using Enc(sk[0],Enc(sk[1],msg))

Keep nesting?Ciphertexts get larger and larger!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Key Nesting

Recall: Enc(S,M)= LWE(S,M)= (A,S*A + E + M)

Claim: Nested encryption Enc(Z,Enc(S,M))= Enc(Z�S,M)

QuestionFor what key Z�S?

S:Z[k,n], Z:Z[n+k,n]Z = (Zn,Zk) where Zn[n,n] and Zk[k,n]

Z�S = [S*Zn + Zk, S] = [S,I]ZEnc(Z,Enc(S,m;e);e')= Enc(Z�S,m; e")e" = e + [S,I]e'Key S needs to be small!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Nested Encryption + (Sub)Key Switching

Combine nested multiplication with key switching:

Input keys: Z,S

Evaluation key: W = Enc(S,[S,I]Z;F)

Input ciphertexts:CT[0] = Enc(Z,msg[0]*I;E[0])CT[1] = Enc(S,msg[1]*I;E[1])

Output: SubkeySwitch(W,CT[0]*CT[1])= Enc(S,msg*I;E)msg = msg[0]*msg[1]E = msg[0]*E[1] + [S,I]*E[0]*X + F*Y for binarymatrices X,Y

Key S needs to be small!Security Assumption: Standard LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Method 1.5: Homomorphic Decryption

Assume both ciphertexts use the same key S

Nested Encryption:1 Homomorphic multiplication: Enc(S,msg[0])*CT[1]2 Key Switching: Homomorphic multiplication by [S,I]

Method 1: Eval([S,I],Enc(S,msg[0])*CT[1])

Combine the two homomorphic multiplications:Bring [S,I] inside the first ciphertextEnc(S,msg[0]*[S,I])* CT[1]

Define a new LWE encryption variant:Enc#(S,msg) = Enc(S,msg*[S,I])

Enc#(S,msg [0]) * Enc(S,msg [1])= Enc(S,msg [0]*[S,I]*Enc(S,msg [1]))= Enc(S,msg [0]* msg [1])

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security

Enc#(S,msg) = Enc(S,msg*[S,I])= [Enc(S,msg*S),Enc(S,msg*I)]

Circular security:

Can compute Enc(S,msg*S)= msg*Enc(S,S) withoutknowing SProblem: msg*(-I,0) reveals msg!Solution: Enc(S,0)+ msg*Enc(S,S)

TheoremEnc is secure under the LWE assumption

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Remarks

Second encryption scheme can be chosen arbitrarilyEnc#(S,m0)*Enc(S,m1) = Enc(S,m0m1)

Enc#(S,m0)*Enc#(S,m1) = Enc#(S,m0m1)

No need for key switchingProduct Enc(S,m0m1) uses the same key as the inputKey S does not have to be smallNo evaluation key!

Enc is a homomorphic encryption scheme supportingCiphertext additionCiphertext multiplicationwithout any evaluation key!

Too good to be true?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Error growth

Enc#(m0;E0) * Enc#(m1;E1) = Enc#(m0m1;E)Error: E ≈ m0 ∗ E1 + E0 ∗ X

Multiplying many ciphertextsCT[i] = Enc#(mi;Ei)Assume mi ∈ 0, 1Given CT[1],...,CT[k]Goal: compute CT[1]*...*CT[k] = Enc#(

∏i mi)

How? Several options (multiplication is associative):Left to right multiplication chainRight to left multiplication chainBinary tree (minize circuit depth)

QuestionWhat order is best?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Arithmetic and Boolean operations

AdditionCan add polynomially many ciphertextsError grows by polymomial factor (e.g., O(log(n)) bits)

MultiplicationAssume binary message spaceCan multiply polynomially many ciphertexts in a chainError grows by polymomial factor (e.g., O(log(n)) bits)

Bit operations:m0,m1 ∈ {0, 1}m0 ∧m1 = m0 ·m1¬m0 = 1−m0m0 ∨m1 = ¬(¬m0 ∧ ¬m1)

Conditional: (b,m0,m1) 7→ mbmb = (1− b) ·m0 + b ·m1

Arbitrary log-depth boolean circuits

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Method 2: Tensor and Key Switch

Why? Efficiency! Allows SIMD operations using polynomialrings

Ciphertext as a function

fC(S)= Dec'(S,C)= [S,I]CfC is linear in [S,I]

Product ciphertext C = C0*C1

Goal: Dec'(S,C)= Dec'(S,C0)*Dec'(S,C1)fC0,C1(S)= Dec'(S,C0)*Dec'(S,C1) is bilinear in [S,I]

Tensor product: Z = [S,I]⊗[S,I] = [S⊗S,S,S,I]

Any bilinear function of [S,I] is linear in ZC = C0⊗C1 decrypts to m0 ·m1 under Z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Mixed product property

TheoremFor any A,B,X ,Y ,

(A⊗ B) · (X ⊗ Y ) = (A · X )⊗ (B · Y )

([S, I]⊗ [S, I]) · (C0 ⊗ C1) = ([S, I]C0)⊗ ([S, I]C1)= (X0 + E0)⊗ (X1 + E1)

Result: X0 ⊗ X1 + X0 ⊗ E1 + E0 ⊗ X1 + E0 ⊗ E1

Assume scalar messages: x0 ⊗ x1 = x0 · x1Messages must be encoded: xi = q

pmi

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Encoding issues

Encode scalar messages: xi = qpmi

Product: (x0 + e0)(x1 + e1) = x0x1 + x0e1 + e0x1 + e0e1Issues:

Error terms x0e1 + e0x1 = qp (m0e1 + e0m1) are too large

Main term x0x1 = (q/p)2m0m1 is not properly encodedSolutions:

Modular arithmetics: assume gcd(q, p) = 1, and multiplyresult by p (mod q)Modulus lifting: Compute the product modulo q2, andthen switch to smaller modulus q

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Modular arithmetics

Compute c = p · c0 ⊗ c1 (mod q)Output c decrypts (under sk⊗sk) to

p(x0 + e0)(x1 + e1) = qp (−qm0m1) + pe0e1

Assume q = −1 (mod p)Error growth: β 7→ pβ2

Arbitrary q, pMultiply result by (−q)−1 (mod p)Error growth: β 7→ p2β2

Modulus switching can be used to reduce β to a fixedpolynomial σ = ‖s‖1 = O(n), and substantially slow downthe error growth

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Modulus Lifting

Compute c = p · c0 ⊗ c1 (mod q2)Assume key ‖s‖1 < σ has small entriesAnalyze the relative error: ci= Enc(mi;(q/p)ei)

TheoremThe product p(c0 mod q)⊗ (c1 mod q) is an encryption ofm0m1 (mod p) under key s ⊗ s (mod q2) with error (q2/p)e

e ≤ 3e0e1 + p2 (σ + 1)(e0 + e1)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Relative error growth

Fixed polynonials β ≈√n, σ = ‖s‖1 ≈ O(n1.5)

Modulus lifting error growth

relative error: input (q/p)ei , output (q2/p)eassume |ei | < εoutput (multiplication) error ≈ pσε

After L levels of multiplications, error ≈ (pσ)Lε < 1

Input ciphertext modulus must be q ≈ (pσ)L

Better than modular arithmetics approach q > (pβ)2L

Similar growth to modular arithmetics + modulus switching

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Tensoring + Key Switching

Both methods produce a ciphertext under key[S⊗S,I⊗S,S⊗I]For scalar messages I = [1] and I⊗S = S⊗I = S

Can use subkey switching from [S⊗S,S] to S

Evaluation key: Enc(S,S⊗S)Security:

Does not follow from circular security of LWEUsing standard LWE:

Evaluation key Enc(Z,S⊗S)Use a sequence of keys S0, ...,SL, one for eachmultiplicative level of circuit/computationCan you still use subkey switching?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Arithmetic computations using Tensor products

Message encoding: (q/p)m

Plaintext arithmetic modulo p (both addition andmultiplication)

Error grows with multiplicative depth of the circuit

Use small key ‖s‖1 < σ to use modulus switching and slowdown error growth

Error at depth L: ≈ (pσ)L < q

L = O(log n): q = nO(log n)

L = poly(n): q = 2poly(n)

Impact of modulus:

Efficiency: running time poly(log q)Security: requires hardness of of approximating latticeproblems within γ ≈ q/β

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 8

FHE!!

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping





Eval '((pk,ek),nand ,c,c')= EvalC(pk,fc,c′ ,ek)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

LWE Homomorphic Encryption

Goal: homomorphic evaluation offc,c′(sk) = Dec(sk,c) nand Dec(sk,c')

LWE-based cryptosystem

Supports bounded depth addition and multiplicationBit operations: x nand y = 1 - (1-x)\cdot (1-y)

Key Switchingek[i] = Enc '(sk',sk[i])KeySwitch(ek ,(a[],b)) =

Const(b) -∑

i CMul(a[i],ek[i])

Homomorphic evaluation of Dec'(a,b)= b - Sa

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Not enough

Key switching only computes the linear part of Dec

We also need to round the result to decode(b - Sa)

Is this really needed?

Yes, b - Sa = (q/p)m + eKey switching gives a noisy encryption of (q/p)+eWithout rounding, noise keeps getting bigger

QuestionsCan we express rounding as a polynomial function (mod q)?What is the degree of the polynomial?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Error growth and bounded computation

We have seen two methods to multiply ciphertexts:

Tensor products

error growth ∼ β → βσcan evaluate arbirary circuits with multiplicative depth Leven for L = log n, requires superpolynomial modulusq > σL ≈ nO(log n)

Nested Encryption / Homomorphic Decryption

asymmetric error growth: (m0, e0)× (m1, e1)→ m0e1 + e0βcan evaluate arbitrary multiplication chains of L freshencryptions of binary messageseven for large L, polynomial modulus q ≈ Lβ2 is enough

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Roadmap

For each multiplication method

1 Describe/analyze a bootstrapping algorithm

2 Homomorphically evaluate the algorithm using anappropriate cryptographic data structure (encryptedaccumulator)

3 Implement the cryptographic data structure using LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Cryptographic accumulators

Cryptographic Data Structure ACC[v]

Holds a value v ∈ V in encrypted formInput Encryption scheme: Enc'Output Encryption scheme: Enc''

Operations on ACC[v]

Given Enc'(x), update ACC[v] →ACC[f(v,x)]Given ACC[v], output Enc''(f(v))

Bootstrapping:

Bootstrapping key: Enc'(s)Final output: Enc''(m)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Boostrapping problem

Assume p = 2,m ∈ {0, 1}

Decryption Algorithm:

Input: a[1..n] ∈ Znq, b ∈ Zq

Secret key: s[1..n] ∈ Zn

Compute d = b −∑

i a[i ]s[i ] + (q/4) (mod q)Round d to MSB(d) = b2d/qc

Homomorphic Computation:

Given Enc(s[i])Compute Enc(MSB(d))

Simplifying assumption:

s[i ] ∈ {0, 1}without loss of generality using (a, 2a, 4a, ...)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Ripple-carry addition

Standard schoolbook method

using binary digitsadd n numbers at a timecarry in {0, . . . , n}

Input digits are encrypted

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Ripple-carry accumulator

Parameters:

Message space V = {v',...,v''}

Input: Enc'(x)= Enc#(x)

Output: Enc''(x)= LWE(x)

ACC[x] = (Enc''("x=v"): v ∈ V)

Init(v)= ACC[v]Function application: f(ACC[v])= ACC[f(v)]Selection:Enc'(b)? ACC[v0] : ACC[v1] = ACC[b?v0:v1]Output: p(ACC[v])= Enc''(p(b))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping algorithm

b+q/4 =∑

j 2j b[j]

a[i] =∑

j 2j a[i,j]

ACC ← ACC[0]for h = 0..k-1

ACC[x] ← f(ACC[x]) where f (x) = (x/2) + b[h]forall i,j

if (a[i,j] = 1)ACC[x + s[i]] ← Enc '(s[i]) ? ACC[x] :

ACC[x+1]return (even(ACC[x])) = Enc ''(even(x))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Carry-save accumulator

Parameters: bit length k

ACC[x] = (x0,x1)

x = x0+x1 (modulo 2k)x0[0,..,k-1] and x1[0,..,k-1]redundant representation

Operations:

add y to ACCcompute MSB(ACC)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Carry-save addition

Add(ACC(x0,x1),y):x0 '[i] = (x0[i] + x1[i] + y[i]) mod 2x1 '[i+1] = (x0[i] + x1[i] + y[i] > 1)return ACC(x0 ',x1 ')

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

MSB computation

Standard MSB computation

addition x0+x1 with carry propagationO(log(k)) depth circuit where k=log(q)

Can also add in log(k) depth

Compute both MSB(ACC) and MSB(ACC+1)ACC[k]: k-bit accumulatorRecursive algorithm: splitACC[k] = (HiACC[k/2],LoACC[k/2])

MSBs(ACC=(HiACC ,LoACC)):parallel:

hi[0,1] = MSBs(HiACC)lo[0,1] = MSBs(LoACC)

out[0] = hi[lo[0]]out[1] = hi[lo[1]]return out

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Bootstrapping algorithm

ACC[0] = b+q/4for i=1..n

ACC[i] = s[i]*a[i]ACC = Sum(ACC[0],...,ACC[n])return MSB(ACC)

Sum(ACC [0..n])if n=0

then return ACC[0]else h=n/2

ACC0 = Sum(ACC [0..h-1])ACC1 = Sum(ACC[h..n])(x0,x1) = ACC1return (ACC0 + x0) + x1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Summary

Bootstrapping functions can be computed by

1 O(n log q)-long sequence of multiplications, or2 log(n) + log log(q)-depth arithmetic circuits

Error growth:

1 Using LWE �: final error ≈ O(n) · β2 Using LWE ⊗: final error ≈ σlog n+log log q = σO(log n)

Parameters β(n), σ(n): fixed polynomials in n

Modulus:

1 polynomial modulus q(n) ≈ O(n)β = nO(1)

2 quasipolynomial q(n) = nO(log n)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Summary (security)

Hardness of lattice problems within factor γ ≈ q/β

1 LWE �: polynomial γ = nO(1)

2 LWE ⊗: quasipolynomial γ = nO(log n)

Circular security assumption

Needed by tensor product multiplication / keyswitchingNeeded to apply bootstrappingNot needed for leveled homomorphic encryption

QuestionRemove circular security assumption:

Can you build (unbounded) FHE from standard LWE?Can you build (unbounded) linearly homomorphic HE?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Efficiency

Main security parameter n > 100 (typically, n ≈ 1000)Modulus q(n) < 2n has bitsize log q < nAssume 1GHz, arithmetic operations modulo qBootstrapping: homomorphically evaluate decryptionalgorithm (once or twice per gate)

QuestionCan you estimate the cost of a single FHE operation?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 9

Project Info

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Implementation and Libraries

Libraries:

SEALHElibPALISADELattigo. . .

Interface:

try to hide math as much as possibleoffer encoding, decoding and SIMD operations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Project:

Use one of the librariesOpen ended, do anything you wantGoal: demonstrate you managed to use the libraryExtra points: do something interestingSubmission: pdf report describing your work + supportingcode

Teams:

You can work in pairs if you likeLarger teams only if doing something more substantialIndivudual project required to use for master competency

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Project Deadlines:

Deadlines:

Next lecture (Tue, Dec 1): need to know what you aredoing (team, library)End of finals week (Fri, Dec 18): project submission(canvas, pdf+code)

In the meantime:

in class, mathematics underlying Ring LWEused by the librariesuseful to understand/improve the librariesnot required to use the libraries

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 10

Ring LWE

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

(In)efficiency of LWE

Standard LWE

Ciphertexts: (a, b) ∈ Z(n+1)×log qq store one value (mod p)

Ciphertext size: O(n log q)Addition, Scalar multiplication: T ≈ n log qCiphertext multiplication: T ≈ n2 log2 q

Compact LWE

Ciphertexts: (a, b) ∈ Z(2n)×log qq store n values (mod p)

Amortized ciphertext size: O(log q)Amortized addition, scalar multiplication: T ≈ log qCiphertext multiplication?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Ring LWE

Generalize LWE using a ring R instead of Z

Ring of polynomials Z[X ]

Monic irreducible p(X ) of degree n

e.g., p(X ) = X n − 1

Quotient ring R = Z[X ]/p(X )

isomorphic to (Zn,+)convolution productRq = R/qR

Ring LWE

Key: s(X ) ∈ RCiphertexts (a, b) ∈ R2

qMessages: m ∈ Rp

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Ring LWE vs Compact LWE

Both methods:

Encrypt n values (mod p) using O(n) values (mod q)Efficient (linear time) vector addition and scalarmultiplication

Multiplication:

Compact LWE: tensor multiplication, cost O(n2)Ring LWE: polynomial multiplication, cost O(n log n) usingFFT

Applications / Programming model:

Addition, scalar multiplication: SIMDMultiplication: convolution is usually not what you wantEncode data to perform SIMD multiplication

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Data encoding

Polynomial representation

p(x1), . . . , p(xn) ∈ Znq

p(x) = a0 + a1x1 + . . . an−1xn−1 ≡ Znq

Polynomial multiplication: SIMD multiplication ofevaluation representations

Quasilinear time transformations:

(y1, . . . , yn)→ (a0, . . . , an−1): polynomial interpolation(a0, . . . , an−1)→ (y1, . . . , yn): polynomial evaluation

Other operations:

SIMD: great to run same program on n data setsNeed also to pack,unpack,shuffle, etc. for generalcomputations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Security

Is Ring LWE secure?For what rings?

Short answer:

Working modulo p(X ) = Xn − 1 is not a good ideaBetter to work with cyclotomic polynomialsSWIFFT ring: p(X ) = Xn + 1 where n = 2k

Useful both for

security, pseudorandomness, search/decision reductionsefficient implementation using Number Theoretic Transform(NTT)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Implementation and Libraries

Libraries:

SEALHElibPALISADELattigo. . .

Interface:

try to hide math as much as possibleoffer encoding, decoding and SIMD operations

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Cyclic lattices

A lattice is cyclic if it is closed underrot(v1, ..., vn) = (vn, v1, v2, ..., vn−1)

Equivalently

view vectors as coefficients of a polynomiallattice is closed under rot(v(X )) = X ∗ v(X ) mod (X n − 1)

Commonly used in coding theory (over finite fields)

cyclic codes: linear code, closed under rotationequivalently, set of polynomials in F[X ]/(X n − 1), closedunder multiplication by X

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Generators

TheoremAny cyclic code over finite a field F can be written as

C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}

for some g(X )

Proof.

QuestionIs the same true for cyclic lattices?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Generators

TheoremAny cyclic code over finite a field F can be written as

C = {g(X ) · f (X ) mod (Xn − 1)|f (X )}

for some g(X )

Proof.QuestionIs the same true for cyclic lattices?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Cyclic lattices and one-way functions

NTRU (1998): public key encryption, efficient, no proof

First provable construction, (M., FOCS 2002): one-wayfunction

Rq = Z[X ]/(q,X n − 1)key: a1(X ), . . . , am(X ) ∈ Rqinput: v1(X ), . . . , vm(X ) ∈ {0, 1}n ⊂ Rqoutput: w(X ) =

∑i ai (X ) · vi (X ) ∈ Rq

compression function: m = 2n log2(q)

One-way: given a1, . . . , am and w ,

easy to find v1, . . . , vm ∈ Rq such that∑

i aivi = w ∈ Rqhard to find v1, . . . , vm ∈ {0, 1}n

Intuition: Compact knapsack, circulant matrices

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Compact knapsack, circulant matrices

Polynomials: a(X ) ∈ Z[X ]/(Xn − 1)

Equivalently: A ∈ Zn×n circulant matrix

a1 + a2 ≡ A1 + A2a1 · a2 ≡ A1 · A2

Compact knapsack

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Collision resistance?

Regular knapsack:

given random a1, . . . , am ∈ Zqm = 2 log2(q)collisions existcollisions are hard to find

Compact knapsack:

given random a1, . . . , am ∈ Zq[X ]/(X n − 1)m = 2n log2(q)collisions exist

QuestionAre collisions hard to find?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Collisions in compact knapsacks

Multiply each “circulant” matrix ai by the all-one vector

Find collision in Zq

Algebraic decription:

multiply each ai (X ) by u(X ) = (1 + X + X 2 + ....)Notice (X n − 1) = u(X ) · (X − 1)CRT: R ≡ (Z[X ]/(X − 1))× (Z[X ]/u(X ))Multiplication by u(X ) maps R to Z[X ]/(X − 1) ≡ Z

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Anti-Cyclic lattices

A lattice is anticyclic if it is closed underrot(x1, ..., xn) = (−xn, x1, x2, ..., xn−1)

Equivalently: work in R = Z[X ]/(Xn + 1)

Questions:

1 Are compact knapsacks over R collision resistant?2 Does (X n + 1) have small degree factors?

TheoremXn + 1 is irreducible if and only if n is a power of 2

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Roots of Unity

ωm = exp(2πı/m) ∈ C, primitive mth root of unity

Observation: Xm − 1 =∏m−1

k=0 (X − ωkm)

Xm − 1 =∏d |m

∏gcd(k,m)=d

(X − ωkm)

=∏d |m

∏k∈Z∗m/d

(X − ωkm/d )

DefinitionCyclotomic Polynomial: Φm(X ) =

∏k∈Z∗m (X − ωk

m) ∈ C[X ]

Question: does Φm have integer coefficients?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Division Theorem

(R,+, ∗, 0, 1): any ring

R[X ]: polynomials with coefficients in X

TheoremFor any a(X ) ∈ R[X ] and monic b(X ) ∈ R[X ], there existsunique q(X ), r(X ) ∈ R[X ] such that

a(X ) = q(X ) ∗ b(X ) + r(X )deg(r(X )) < deg(b(X ))

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Division Algorithm

divRem :: Poly → Poly → PolydivRem a b =

if (deg a < deg b)then (0,a)else let aL = leadingTerm a

bL = leadingTerm bqL = aL / bLa' = a - b*qL(q',r) = divRem a' bq = qL + q'

in divRem (q, r)

Dividing by b(X ) requires divisions by the leadingcoefficient of bIf R is a field, we can divide by any non-zero b(X ):If b(X ) is monic, division is possible in any ring R

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Polynomial Division: Example

QuestionDivide a(X ) = 5X 8 + 4X 6 − 5X 3 + 4 by b(X ) = X 3 − X + 7

Solution:

quotient: q(X ) = 5X 5 + 9X 3 − 35X 2 + 9X − 103remainder: r(X ) = 254X 2 − 166X + 725

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Remarks about Division Algorithm

Division Algorithm:(a(X ), b(X ) ∈ R[X ]) 7→ (q(X ), r(X ) ∈ R[X ])

For any subring S ⊆ R, and a(X ), b(X ) ∈ S[X ]

Result of dividing a(X ) by b(X ) is in S[X ]Division as polynomials in R[X ] or as polynomials in S[X ]produces the same result

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Polynomial GCD

F[X ]: polynomials with coefficients in a field F

The Greatest Common Divisor (gcd) of a(X ), b(X ) ∈ F[X ]is a polynomial g(X ) ∈ F[X ] such that

g(X ) divides a(X ) and b(X )any d(X ) ∈ F[X ] that divides both a(X ) and b(X ) alsodivides g(X )

TheoremFor any a(X ), b(X ) ∈ F[X ]

gcd(a(X ), b(X )) = u(X )a(X ) + v(X )b(X )

for some u(X ), v(X ) ∈ F[X ].

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Euclid’s Algorithm

Input: a(X ), b(X ) ∈ F[X ]

Output: u(X ), v(X ) ∈ F[X ] such thatu(X )a(X ) + v(X )b(X ) = gcd(a(X ), b(X ))

Invariant: gcd(a(X ), b(X )) = gcd(b(X ), a(X ) mod b(X ))euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =

if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a

(u,v) = euclid (b,r)in (-q*v , u+v)

Base case: 1*a+0*b = a = gcd(a,b)

Indunction: (-qv)a+(u+v)b = ub + v(b-qa)= ub+vr

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Remarks about Euclid Algorithm

euclid :: (Poly ,Poly) → (Poly ,Poly)euclid (a,b) =

if (deg b ≡ 0)then (1,0)else let (q,r) = divRem b a

(u,v) = euclid (b,r)in (-q*v , u+v)

Euclid Algorithm works over a field:

Even if b(X ) is monic, r(X ) = b(X ) mod a(X ) may not be

If a(X ), b(X ) ∈ R[X ] have coefficients in a domain R ⊆ F ,then we can compute gcd(a(X ), b(X )) ∈ F[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Cyclotomic Polynomials

Xm − 1 =∏

d |m Φm(X )

Theorem

Φm(X ) ∈ Z[X ]

Proof:

For m = 1, Φ1(X ) = (X − 1)

For m > 1, b(X ) =∏

m>d |m Φd (X ) is in Z[X ] by induction

Compute (q(X ), r(X )) = divRem(Xm − 1, b(X )) in Z[X ]

r(X ) = 0 because b(X ) divides Xm − 1

Φm(X ) = q(X ) is in Z[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Irreducibility of Cyclotomics

TheoremΦm(X ) ∈ Z[X ] is irreducible

TheoremCm ≡ Z[X ]/Φm(X ) = Z[ωm]

simple proof, helps intuition

Algebraic Number Fields

finite dimentional extensions of Qkey concepts: field extensions, vector spaces

Algebraic Number Rings

finite dimensional extensions of Z, i.e., latticeskey concepts: ring extensions, modules over a ring

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Factoring primes in Cyclotomic rings

Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful

QuestionQuestion: What’s the factorization of Φm(X ) modulo p?

Technically, this is the problem of factoring (the ideal generatedby) the prime p in the ring of polynomials modulo Φm(X )

“The obvious mathematical breakthrough would be de-velopment of an easy way to factor large prime numbers”(Bill Gates, The Road Ahead, p. 265)

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Motivation

R = Z[X ]/Φm(X )

Rp = R/(pR) ≡ Z[X ]/〈Φm(X ), p〉Z[X ]

Equivalently, Rp ≡ Zp[X ]/Φm(X )

The structure of Rp is equivalently described by

the factorization of (pR) in R, orthe factorization of Φm in Zp[X ]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Section 11

ANT

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Basic Algebra

Review of basic algebraic structures:

(Commutative) monoids and groupsRings and FieldsModules and Vector spaces

Some common examples:

Q ⊂ R ⊂ C: the fields of rational, real and complexnumbersZ,Zn: the rings of integers, and integers modulo nR[X ]: The ring of polynomials with coefficients in R

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Monoids and Groups

A monoid (A, ∗, 1) is a set A with a binary operation(∗) : A× A→ A and unit element 1 ∈ A such that

(x ∗ y) ∗ z = x ∗ (y ∗ z) (associativity)1 ∗ x = x ∗ 1 = x (identity)

A monoid is commutative if

x ∗ y = y ∗ x (commutativity)

An element x is invertible if there is a y such thatx ∗ y = y ∗ x = 1

A group is a monoid such that all elements are invertible

Abelian group: commutative groups, additive notation(A,+, 0), additive inverse −x

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Rings and Fields

A (commutative) Ring (R,+, ∗, 1, 0) is a set with twobinary operations such that

(R,+, 0) is an abelian group

(R, ∗, 1) is a (commutative) monoid

x ∗ (y + z) = x ∗ y + x ∗ z and (x + y) ∗ z = x ∗ z + y ∗ z(distributivity)

Subring S ⊆ R, subset of a ring closed under +, ∗, 0, 1

A commutative ring (F ,+, ∗, 1, 0) such that all nonzeroelements are invertible is called a Field

A subring of a field R ⊆ F is called an Integral Domain

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Modules and Vector Spaces

Let (R,+, ∗, 0, 1) be a commutative ring

An R-module is an additive group (A,+, 0) with a scalarmultiplication operation (∗) : R × A→ A such that

r ∗ (s ∗ a) = (r ∗ s) ∗ a(r + s) ∗ a = r ∗ a + s ∗ ar ∗ (a + b) = r ∗ a + r ∗ b

If R is a field, then A is called a Vector Space

Linear independenceDimensionBasis

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Submodules and Quotients

Let (A,+, 0) be an R-module

An R-submodule of is

a subgroup B ⊆ Aclosed under scalar multiplication: R ∗ B ⊆ B

Quotient group: A/B = {[a]B : a ∈ A}, [a]B = a + B

also an R-module with r ∗ [a]B = [r ∗ a]B

Special case:

R is an R-moduleR-submodules I ⊆ R are called idealsR/I is also a ring with [a] ∗ [b] = [a ∗ b]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Integral and Algebraic Numbers

Domain R ⊆ F : subring of a field F

α ∈ F is algebraic over R if m(α) = 0 for somem(X ) ∈ R[X ]

α ∈ F is integral over R if m(α) = 0 for some monicm(X ) ∈ R[X ]

Examples:

α =√2 is integral over Z because m(α) = 0 for

m(X ) = X 2 − 2α = 1/

√2 is algebraic over Z because m(α) = 0 for

m(X ) = 2X 2 − 1, but is it not integral

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Minimal Polynomial

Field Extension F ⊆ E

Let α ∈ E be algebraic over F

Ring homomorphism: hα : F [X ]→ E , wherehα(p(X )) = p(α)

I = ker(hα): set of polynomials p such that p(α) = 0

I ⊆ F [X ] is a non-zero ideal

Minimal polynomial: smallest degree monic polynomialm(X ) ∈ I

I = F [X ] ·m(X ), i.e., p(α) = 0 iff m(X )|p(X )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Irreducibility

Let m(X ) be the minimal polynomial of α

m(X ) is irreducible:

If m(X ) = a(X ) · b(X ), then a(α) · b(α) = m(α) = 0,

either a(α) = 0 or b(α) = 0.

either a(X ) = c ·m(X ) or b(X ) = c ·m(X )

F [α] ≡ F [X ]/m(X ) are isomorphic

isomorphism: hα : F [X ]/m(X )→ F [α]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Algebraic Extensions

Algebraic α ∈ E ⊆ F

Minimal polynomial m(α) = 0 of degree n = deg(m(X ))

F [α] ≡ F n as an F -vector space with basisα0, α1, . . . , αn−1:

α0, α1, . . . , αn−1 are linearly independentα0, α1, . . . , αn−1 generate F [α]

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Extension fields

TheoremF [α] = F (α) is a field

Proof:- Let p(α) ∈ F [α] for some p(X ) ∈ F [α], deg(p) < n- gcd(p(X ),m(X )) ∈ {1,m(X )} because m(X ) is

irreducible- If gcd = m(X ), then p(X ) = m(X ) and p(α) = 0- If gcd = 1, then u(X )p(X ) + v(X )m(X ) = 1- u(α) · p(α) = 1

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Factoring primes in Cyclotomic rings

Φm(X ) ∈ Z[X ]: mth cyclotomic polynomialΦm(X ) is irreducible in Z[X ]Let p be a prime, and assume gcd(m, p) = 1Question: if Φm(X ) irreducible also in Zp[X ]?Answer: no, and this is very useful

QuestionQuestion: What’s the factorization of Φm(X ) modulo p?

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Since gcd(m, p) = 1, we have p ∈ Z∗mLet d = o(p) be the order of p in Z∗mpd = 1 mod m, equivalently, m|(pd − 1)Let GF (pd ) be the finite field with pd elementsThe multiplicative group GF (pd )∗ is cyclic of order pd − 1There is an element ζ ∈ GF (pd ) of order mζd = 1 in GF (pd )o(ζk) = m for all k ∈ Z∗mΦm(X ) =

∏k∈Z∗m (X − ζk) splits in GF (pd )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

TheoremThe minimal polynomials of all ζk over Zp have degree d

Let l(X ) ∈ Zp[X ] be the minimal polynomial of ζ

Zp[ζ] ≡ Zp[X ]/l(X ) is a field

of size pdeg(l)

containing an element ζ of order m

m = o(ζ) divides pdeg(l) − 1 = |Zp[ζ]∗|

pdeg(l) = 1 mod m

by definition of d = o(p) and deg(l) = d

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

When gcd(m, p) = 1 Φm(X ) ∈ Zp[X ] factors into a productof ϕ(m)/d distinct degree d = o(p mod m) polynomials

For arbitrary m, factorization of Φm(X ) modulo p isobtained using the following theorem.

TheoremFor any m′ = mpk with gcd(m, p) = 1,

Φm′(X ) = (Φm(X ))ϕ(pk) mod p

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Proof

Frobenius map (x 7→ xp) : GF (pk)→ GF (pk) satisfies:

(x + y)p = xp + yp (from binomial expansion)ap = a for a ∈ Zp ⊆ GF (pk) (Lagrange)

Zp[X ] is a domain:

a(X )b(X ) = a(X )c(X ) cancels to b(X ) = c(X )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Using these two properties:

(Xmpk − 1) = (Xm − 1)pk =∏

d|m Φd (X )pk

(Xmpk − 1) =∏

d|m∏

i≤k Φdpi (X )So, by induction on m:∏

i≤kΦmpi (X ) = Φm(X )pk

Canceling equality for k − 1 from equality for k:

Φmpk (X ) = Φm(X )pk−pk−1= Φm(X )ϕ(pk )

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Factoring modulo a prime power

Φm(X ) =∏

i Fi (X ) mod p with irredudible Fi (X ) ∈ Zp[X ]Lift each Fi (X ) mod p to a factor Gi (X ) mod pk

Φm(X ) =∏

i Gi (X ) mod pk with Fi (X ) = Gi (X ) mod pGi (X ) is irreducible, because any factorization mod pk

gives also a factorization mod p

Theorem(Lifting) Let a(X )b(X ) = c(X ) mod p withgcd(a(X ), b(X )) = 1. For every k, there are a′(X ) = a(X )mod p and b′(X ) = b(X ) mod p such that a′(X )b′(X ) = c(X )mod pk

CSE208:Advanced

Cryptography

DanieleMicciancio

Introduction

Defining FHE

Bootstrapping

LWE

Linearity

Key Switching

Multiplication

FHE!!

Project Info

Ring LWE

ANT

Let u(X ), v(X ) such that a(X )u(X ) + b(X )v(X ) = 1mod pAssume a(X )b(X ) = c(X ) + pkd(X ) by inductionLet a′(X ) = a(X )− pkv(X )d(X ) andb′(X ) = b(X )− pku(X )d(X )a′(X )b′(X )mod pk+1 = a(X )b(X )−pk(a(X )u(X )+b(X )v(X ))d(X ) =a(X )b(X )− pkd(X ) = c(X )

cse208: advanced cryptographycseweb.ucsd.edu/classes/fa20/cse208-a/slides.pdf · 2020. 12. 10. ·...

Documents