Gentry s ideal-lattice based encryption scheme. Gentry s STOC 09 paper - Part III

Transcription

1 Getry s ideal-lattice based ecryptio scheme Getry s STOC 09 paper - Part 1

2 From Micciacio's paper

3 Why ideal lattices --- as opposed to just ideals or lattices? We described a ideal-based ecryptio scheme Σ. Ec ( B ) Recall X Samp, P ad X R mod B. The scheme is correct for circuit C if x,, x X, g( C) x,, x X. Dec ( ) 1 t Ec 1 t Dec For Σ to be correct as a ordiary ecryptio scheme, we require: X X. For Σ Ec Dec to be additively ad multiplicatively homomorphic, we require: XEc + XEc XDec ad XEc XEc XDec. 3

4 Our goal is to have gc ( ) ( X ) Ec Dec circuits C, icludig the decryptio circuit D. X for deep eough Σ So, we wat to aalyze, for example, how ( ) ( ) ( ) X + X X + X X X Ec Ec Ec Ec expad, ad how to esure ( ) ( ) ( ) Ec X + X X + X X X Ec Ec Ec Ec Ec Ec Ec X Dec. Coectig ideals with lattices makes such aalysis possible, because, with R= [ x] ( f( x)), X ad X become subsets of Ec Dec ad we ca aalyze them geometrically. 4

5 statiate the ideal-based scheme To istatiate the (abstract) ideal-based ecryptio scheme usig ideal lattices, we will do the followig. Choose a polyomial ( ) let rig R= [ x] f( x). f( x) with iteger coefficiets ad Choose a elemet s R, ideal = s, B = the rotatio basis. Plaitext space M: a subset of C( B ), cetered parallelepiped. Samp: choose a rage for Samp. Samp ( ) Choose a ideal ad a good basis B. pk Let B = HNF( B ). 5

6 deal Lattices 6

7 [ x] ( f( x ) ) : a polyomial rig [ x]: the rig of all polyomials with iteger coefficiets. f( x): a moic polyomial of degree i [ x] Moic meas the leadig coefficiet is 1 Ofte choose f( x) to be irreducible. ( f( x) ) : the ideal geerated by f( x). ( f( x) ) = f( x) [ x] = { f( x) g( x): g x x } ( ) [ ]. gx ( ) h( x)mod f( x) iff g( x) hx ( ) is divisible by f( x). [ x] is divided ito classes (cosets) such that gx ( ) ad hx ( ) are i the same class (coset) iff gx ( ) hx ( )mod f( x). 7

8 [ x] ( f( x) ): [ x] ( f( x)) deotes the set of those classes (cosets). Each class has exactly oe polyomial of degree 1. Thus, [ x] ( f x ) ( ) may also be polyomials of degree 1, i.e., defied as the set of all ( ) { 1 = } a1x + a0 ai [ x] f( x) a x : Additio ad multiplicatio i [ x] ( f ( x)) are like regular polyomial additio ad multiplicatio except that the result is reduced modulo f( x). ( f x ) [ x] ( ) is a commutative rig with idetity.. 8

9 f a( x) = a x + + ax+ a ad b( x) = b x + + bx+ b, the ax ( ) + bx ( ) = ( a + b ) x + + ( a+ b) x+ ( a + b). The group [ x] ( f( x)) [x] ( f ( x)) as a additive group is isomorphic to the lattice. a + ax+ + a x ( a, a,, a ). Defie multiplicatio i by way of multiplicatio i [ x] ( f( x)), ad the we have multiplicatio i. Each ideal i [x] ( f( x)) defies a sublattice i. Lattices correspodig to ideals are ideal latti ces. 9

10 Rotatio basis for pricipal ideal ( v) Sice R= [ x] ( f( x)), we do ot distiguish betwee rig elemets i R ad lattice poits/vectors i. Ay ideal i R correspods to a lattice i. ( ) [ ] particular, the ideal v geerated by 0 v R defies a lattice with basis B= v,, v, where v i = v 0 1 x i mod f( x). This basis is called the rotatio basis for the ideal lattice ( v). Not every ideal has a rotatio basis. 10

11 Examples ( ) = R = e = [ e e v ] deal Rotatio basis,,,. deal lattice = ( ) = R= { R eve } [ e e v ] deal 2 2 all polyomials i with coefficiets. Rotatio basis: 2, 2,, all lattice poits i Correspodig lattice, 2 =. with eve coordiates ( + x) ( + ) Q: Fid the rotatio basis of 2 or 2 e e

12 [ x] ( f( x)) ad fractioal ideals [ x]: the rig of polyomials with ratioal coefficiets. { 1 } i [ x] ( f( x)) = a x + + ax+ a : a. R= x f x 1 { v [ x] ( f( x)) : v R} R. 1 f is a ideal i [ ] ( ( )), defie as 1 is a fractioal ideal. t behaves like a ideal of except that it is ot ecessarily cotaied i R.. is said to be ivertible if =. 1 1 R R All ivertible (fractioal) ideals form a group with as the idetity. R R 12

13 [x] ( f( x)) ad fractioal ideals ( ) ( ) f, the is geerated by [ ] ( ( )). = v = v v x f x v 1 exists if f( x) is irreducible. 1 defies a lattice i, ot ecessarily i. ( t ) We have de ( 1 det ) = 1. [ ] ( ) ( ) Recall: det = det B = det L( B ) = vol P( B ), the volum of the fudametal parallelepiped of the lattice defied by. det = the idex R: the umber of elemets i R. 13

14 Review Hermite oral form (HNF): a basis which is iy, ew, ad will be used as a pk. Cetered [ ) [ ] fudametal parallelepiped: // B= b,, b // P( B) xibi : xi 12, 12 i= 1 t mod B the uique t P( B) with t t L( B). tmod B ca be efficietly computed as t B B t x x rouded to the earest iteger. { } B max b : b B. i i 14

15 statiatig the ideal-based scheme usig ideal lattices 15

16 From Micciacio's paper

17 Recall: To istatiate the (abstract) ideal-based ecryptio scheme usig (ideal) lattices, we will do the followig. ( ) Choose a polyomial f( x) ad let rig R= [ x] f(). x Choose a vector s, let ideal = s, let B = the rotatio basis. ( ) Plaitext space M: a subset of P( B ). Samp: choose a rage Samp for Samp. Choose a ideal ad a good basis B. pk Let B = HNF( B ). Our goal is to have gc ( ) ( X ) circuits C, icludig the decryptio circui t D. Ec X Dec for deep eough Σ 17

18 Balls: Ec Dec B( r ) ad B( r ) Ec Ec ( M) X Samp B,. Dec X R mod B = P( B ). Defie: r the smallest radius s.t. X B ( r ), Ec r the largest radius s.t. B ( r ) X Ec Dec Dec Dec. Theorem ( a sufficiet coditio for permitted circuits): A mod B -circuit C (icludig the idetity circuit) with t 1 iputs is a permitted circuit for the schecme if: x,, x ( r ), gc ( ) 1 t Ec B ( ) x,, x B ( r ). 1 t Dec 18

19 X Ec X Dec B ( r ) Ec B ( r ) Dec 19

20 20

21 Expasio of vectors with operatios Startig from B : = B( r ), how does B expad with Ec additio ad multiplicatio? u+v u + v for all u, v R (triagle iequality). u v γ u v for all uv, R, where Mult is a factor depedet o R. Let m = γ. Mult γ Mult f iput vectors are i B( r), the after a m-fa-i additio or a 2-fa-i multiplicatio, the output vecto 2 r is i ( mr ). B 21

22 By iductio, if iput vectors are i B( r Ec ( ) Ec Ec ), the after k levels of m-fa-i additio ad/or 2-fa-i multiplicatio, k k k the result is i B( m r ) B ( mr ). We will have ( mr ) Ec 2 k r if k log log r log log mr. Dec Dec Ec Theorem: The proposed scheme correctly evaluates ( γ r ) circuits of depth up to log log r log log. To maximize the depth attempt to subject of Σ Dec Mult Ec permitted circuits, we will miimize r ad γ ad maximize to security costraits. Ec Mult Dec r 22

23 Security costraits Roughly: the ratio r r must be subexpoetial. Dec Ec Recall: the security of the abstract scheme relies o the hardess of CP. the settig of ideal lattices (where π is chose to be pk shorter tha rec ad t: = mod B ), CP becomes: Decide whether t is withi a small distace ( rec) of lattice, or is uiformly radom modulo. This is a decisio versio of BDDP, which is ot surprisig sice the abstract scheme is a variat of GGH ad the security of GGH relies o the hardess of BDDP. 23

24 Roughly: the ratio r r must be sub-expoetial. Dec Ec f r is too small, say r λ ( ) 2, BDDP ca be Ec Ec 1 solved usig, for example, the LLL algorithm. No algorithm is kow to solve BDDP if rec λ1 ( ) 2, c < 1. O the other had, by defiitio, we have rde c λ1( ). Thus, for BDDP to be hard, we require r r 2, c< 1 //sub-expoetial// Dec Ec 1 f we choose 2 c, r = Dec c γ Mult r = Ec ca hadle circuits of depth up to ( c 2 c2 c 1 2, the the scheme )log. c 24

25 Miimizig γ ( R) Mult Goal: Set f( x) so that R= [ x] ( f( x)) has a small γ ( R). Mult To this ed, we oly have to choose f( x) such that f( x) ad gx ( ) have small orms, due to the followig theorem. Theorem: f f( x) is a moic polyomial of degree the γ Mult ( ) ( R) f g, gx= Fx x x x where ( ) ( ) mod //iverse i [ ] ( ) // F( x) = x f(1 x) //reversig the coefficiets of f( x)// 2 = i = + + p a for px ( ) ax a //polyomial orm// 0 25

26 Theorem: f f( x) = x hx ( ) where hx ( ) has degree at most ( 1) k, k 2, the, for R= [ x] ( f( x)), γ Mult ( ( ) k ) ( R) ( k 1) f. Theorem: Let f( x) = x ± 1 ad R= [ x] ( f ( x)). The, γ Mult ( R). There are o-fatal attacks o hard problems over this rig. 26

27 Miimizig r Ec ( ) Let R= [ x] f( x) with f( x) = x 1 ad so γ ( R). Let s R, ad = ( s) the ideal geerated by s, Mult ( ) { } B = s,, s the rotatio basis of s, B = max s, 0 1 i L( B ) the lattice geerated by B, P( B ) the cetered fudametal parallelepiped, M P( B ) the message space, x M a message, ( ) = + 1 ( R) ( B, ) Samp B,x : x Samp s. We wat Samp M X B( r ). Samp 1 Ec Let be a upper boud o r, Ec r 1 ( R) Samp. 27

28 Theorem: r B + B. Proof : Ec Samp 1 ( ) { x r s x r } r = max + : M, Samp R. Ec 1 1 Sice x M P( B ) x s 2 B x+ r s x + i i= 0 r s B + B Samp 1. May choose s= 2 e to make B small. Q: why ot s = e? The size of Samp Samp 1 is a security. t eeds to be large eough to pk make t Samp ( R) mod B i CP sufficietly radom. May set = ad let Samp sample uiformly i B( ). 1.5 With this settig, rec

29 Maximizig r Dec Dec Dec Dec ( ψ B ) Recall: the decryptio equatio: π mod mod B. We wat B( r ) X P( B ). r To have a large, the shape of P( B ) is importat. We wat it to be "fat" (i.e. cotaiig a large ball). The "fattest" parallelepiped is that associated with basis ( ) t E= t e,, t e, cotaiig a ball of radius t. 1 So, we will choose our B to be "close" to t E. Q: why ot simply lettig B = t e,, t e? B ( ) 1 29

30 Theorem: Let t 4 s γ ( R). Suppose v t e + B( s), Mult 1 1 i.e., withi distace s of t e. Let B be the rotatio basis of v. The, P( B Proof: 1 1 ) circumscribes a ball of radius at least t 4. ( ) i 1 We have = 1,,, with i 1. The differece ( ) has legth z = v t e = v t e x s γ ( R). j j j j Mult For every poit a o the surface of P( B ), we have 1 a=± vi + 2 z = v t e a v j i B v v v = v j j j for some i ad a 1 2. j j j We will show a t 4, from which the theorem will follow. x 30

31 1 a=± vi + ajv j, aj j i 1 a ae, v, e + a v, e 2 i i i j j i j i = 1 1 t+ z, e + a z, e 2 2 i i j j i j i t 2 z, e t 2 z t 2 s γ ( R) j i j t 2 t 4 t 4, where we have used v, e = z + t e, e = t+ z, e i i i i i i i v, e = z + t e, e = z, e j i j j i j i Mult 31

32 Geeratig B ad B pk pk By the theorem, we may geerate B ad B as follows: Radomly geerate a vector v withi distace s of t e. Let B be the rotatio basis of v. Let B pk be the HNF of B. We have to choose s, t, to esure that r r is sub-expoetial. Samp Dec Ec 1 32

33 A example istatiatio of the abstract scheme ( ) γ Mult ( ) B ( e1 e) Ec { x x x } Rig: R= [ x] f( x), f( x) = x 1,. 32 deal: = 2 = 2. = 2,, 2. r Plaitext space: (a subset of) (,, ) : {0, 1}. Samp 1: samples uiformly i B( ). Samp( B, π): π+ 2 r with r Samp 1. deal: 1 i 33

34 How good is it? A improvemet over previous work. Boeh-Goh-Nissim (2005): quadratic formulas with ay umber of moomials. plaitext space: log λ bits for security prameter λ. Getry (2009): polyomials of degree log. plaitext space: larger. Not bootstrappable ye t! 34

35 Why ot bootstrappable? ( 1 ψ B B ) ψ ) Decryptio ( mod B ivolves addig vectors. Addig [ ) k-bit umbers i 0,1 requires a costat fa-i boolea circuit of depth Ω (log + log k) : 3-for-2: covert 3 umbers to 2 umbers with the same sum; this ca be doe with a circuit of costat depth, say depth c. t takes a circuit of depth clog to covert umbers to 2 umbers with the same sum. t eeds depth Ω(log k) to add the fial two umbers. The proposed scheme permits circuits of depth O(log )

36 Tweak 1 to simplify the decryptio circuit Tweak: Narrow the permitted circuits from B( r Dec ) o tb( r 2). Purpose: To esure that the ciphertexts vectors are closer to the lattice eeded to esure the correctess of decryptio. 1 Allowig the coefficiets of ( ) ψ to be very close to half-itegrs (i.e., tha they strictly eed to be, so that less precisio B ψ very close to the sphere of B( r Dec Dec is )) would require high precisio (large k) to esure correct roudig. 36

37 Lemma: f ψ is a valid ciphertext after tweak 1, 1 i.e., ψ < rdec 2, the each coefficiet of ( B ) ψ is withi 1 4 of a iteger. With Tweak 1, we ca reduce the precisio to ad cut the the circuit depth of addig Ω(log + log log ) =Ω(log ). ( r ) g( γ r ) Dec Mult Ec umbers to The ew maximum depth of permitted circuits is log log 2 loglo, origial O(log ) bits, almost the same as the depth, which ca be as large as O(log ). Ufortuately, the costat hidde i Ω (log ) is > 1, while that i O(log ) < 1. So, still ot bootstrappable. 37

38 Tweak 2, optioal, more techical, less essetial Tweak: Modify Decrypt (, ψ ) ( 1 ) ( ψ ( ψ ψ ψ ) 1 for some vector. from B B ) mod B v mod B v Purpose: To reduce the secret key size ( as well as public key size i bootstrappig) ad per-gate computatio i decryptio (from matrix-vector mult to rig mult). To use this tweak, we will eed to replace B ( rdec ) ( B 2 r ) Dec ( γ Mult B ) 38

39 Decryptio complexity of the tweaked scheme Decrypt, : ( ) ( ψ π ψ v ) ψ B = B 1 2 f Tweak 2 is used, ad is some rotatio matrix, otherwise, B = B ad B = B. ( ) mod B Split the computatio of decryptio ito three steps: 2 Step 1: Geerate vectors xi with sum B ψ. Step 2: From the vectors x, geerate iteger vectors y,, y, y with sum i xi. ( 1 ψ ) Step 3: Compute π B y mod B. i 39

40 Plaitext space As a somewhat homomorphic scheme, Getry's scheme provides a large plaitext space, However, i order to make the scheme bootstrappable, Getry Evaluate Rmod B = P( B ). has to limit the plaitext space to 0,1 mod B. evaluates mod B { } -circuits. For bootstrappig, the decryptio circuit must be composed of mod B -gates. Ordiary boolea operatios B mod operatios. ca be esaily emulated with 40

41 Decryptio complexity of the tweaked scheme Decrypt, : ( ) ( 1 2 ψ π ψ B B ψ ) 1 2 f Tweak 2 is used, B ad B is some rotatio matrix, otherwise, = B = B ad B ( k B ) 1 2 s 1. md o B Split the computatio of decryptio ito three steps: 2 Step 1: Geerate vectors i with i = ψ. Step 2: From the vectors x, geerate i teger vectors y,, y, y with i = x x B. yi = xi ( 1 ψ ) Step 3: Compute π B y mod B. i 41

42 Squashig the Decryptio Circuit 42

43 Squashig A techique to lower the complexity of the decryptio circuit, so as to make the ecryptio scheme bootstrapable. Basic idea is to split the decryptio algorithm ito two phases: computatioally itesive, secret-key idepedet, by the ecrypter. computatioally lightweight, secret-key depedet, by the decrypter : Properties: Does ot reduce the evaluatio capacity (i.e., the set of permitted circuits remais the same), but may potetially weakes security. 43

44 Squashig: geeric versio ε ε : the origial ecryptio scheme. : to be costructed from usig two algorithms, SplitKey ad ExpadCT. KeyGe( λ): ( pk, ) KeyGe ( λ) ε ( pk, ) SplitKey( pk, ) where is the (ew) secret key ad pk : = ( pk, τ ). Ecrypt( pk, π) : ψ Ecrypt ( pk, π ) x ExpadCT( pk, ψ ) //heavy use of τ // ψ (, x) ψ 44

45 Decrypt(, ψ) : decrypts ψ makig use of ad x. t is desired that Decrypt(, ψ ) works wheever Decrypt (, ψ ) does. Add( pk, ψ, ψ ) : ( ψ, ψ ) extracted from ( ψ, ψ ) Mult( pk, ψ, ψ ) : similar. 1 2 ψ Add ( pk, ψ, ψ ) x 1 2 ExpadCT( pk, ψ ) ψ ( ψ, x) 45

46 Squash: cocrete scheme ε Let be the ecryptio scheme with Tweak 2. Let v be 1 the secret key, which is a elemet of the fractioal ideal. Recall the decryptio equatio: π : = ψ ψ v mod B 1 Let ti u mod B, i U. //uiformly geerate a set of ti // Let S U be a sparse subset s.t. t = v mod B i S i SplitKey( pk, ) : { t } τ : =. pk : = ( pk, i i U τ ). : = S (ecodig of S). 46

47 ExpadCT( pk, ψ ) : //recall pk = ( pk, τ )// Compute c : = t ψ mod B for i U. i i { c } ( ψ ) i The expaded ciphertext is ψ : =,. i U Decrypt( pk, ψ ) : Recall π : = ψ ψ v mod B Recall v t mod B. i S Thus, v ψ t ψ c mod B. Thus, π : = ψ c i mod B. i S i i S i i S i 47