Increased efficiency and functionality through lattice-based cryptography

Transcription

1 Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium Thursday, 22 September 26

2 Why lattice-based cryptography?

3 Why lattice-based cryptography? Conjectured hardness against quantum attacks

4 Why lattice-based cryptography? Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc.

5 Why lattice-based cryptography? Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness

6 Why lattice-based cryptography? Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness Versatility

7 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m

8 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m n m A

9 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m n m A s

10 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m n m A s + e

11 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m n m A s + e = b

12 Learning with Errors [Reg5] fix s Z n q, sample A $ Z m n q, e χ m n m A s + e = b (A, b) c (A, $)

13 LWE is versatile With LWE we can build Secret key encryption

14 LWE is versatile With LWE we can build Secret key encryption Public key encryption

15 LWE is versatile With LWE we can build Secret key encryption Public key encryption Attribute-based encryption

16 LWE is versatile With LWE we can build Secret key encryption Public key encryption Attribute-based encryption Identity-based encryption

17 LWE is versatile With LWE we can build Secret key encryption Public key encryption Attribute-based encryption Identity-based encryption Oblivious transfer

18 LWE is versatile With LWE we can build Secret key encryption Public key encryption Attribute-based encryption Identity-based encryption Oblivious transfer FHE...

19 LWE is versatile With LWE we can build Secret key encryption Public key encryption Attribute-based encryption Identity-based encryption Oblivious transfer FHE [BDMW6]...

20 Example: online diagnosis

21 Example: online diagnosis

22 Example: online diagnosis diagnosis

23 Protecting the input diagnosis

24 Protecting the input diagnosis Data privacy (informal) The server should not learn anything about the user s data.

25 Data privacy: FHE diagnosis

26 Protecting the algorithm diagnosis

27 Protecting the algorithm diagnosis Circuit privacy (informal) The result should not reveal anything about the circuit applied.

28 Prior works reference standard LWE poly hardness multi hop circuitprivate [BV4, AP4] [Gen9] [GHV, OPP4] [DS6] this work

29 GSW encryption scheme [GenSahWat3] G : G ( ) : public matrix Z n m q algorithm s.t. v Z n q, G (v) is small and G G (v) = v

30 GSW encryption scheme [GenSahWat3] G : G ( ) : public matrix Z n m q algorithm s.t. v Z n q, G (v) is small and G G (v) = v C Enc(µ) = ( ) A + µg Z n m q sa + e s Z n q is the key A $ Z (n ) m q e χ m, for χ small distribution over Z

31 GSW encryption scheme [GenSahWat3] G : G ( ) : public matrix Z n m q algorithm s.t. v Z n q, G (v) is small and G G (v) = v C Enc(µ) = ( ) A + µg Z n m q sa + e s Z n q is the key A $ Z (n ) m q e χ m, for χ small distribution over Z Sum Enc(µ ) + Enc(µ 2 ) Product Enc(µ ) G (Enc(µ 2 ))

32 Branching programs x = x 2 = v v v 2

33 Branching programs x = x 2 = v v v 2 v t [i] = v t [mux (x t, j, k)]

34 Branching programs x = x 2 = v v v 2 v t [i] = x t v t [j] + ( x t ) v t [k]

35 Branching programs x = x 2 = v v v 2 result v t [i] = x t v t [j] + ( x t ) v t [k] result = v L []

36 Homomorphic evaluation of branching programs C C 2 Enc(result) V V V 2 V t [i] = C t G (V t [j]) + (G C t ) G (V t [k])

37 Homomorphic evaluation of branching programs C C 2 Enc(result) V V V 2 V t [i] = V t [mux (x t, j, k)] + ( ) A G sa + e (V t [j] V t [k])

38 Homomorphic evaluation of branching programs C C 2 Enc(result) V V V 2 V t [i] = V t [mux (x t, j, k)] + ( ) A G sa + e (V t [j] V t [k]) additional noise

39 Our core lemma Let g Z log q q be a public vector and g ( ) : Z q Z log q q g (v) is a discrete Gaussian g, g (v) = v mod q s.t.

40 Our core lemma Let g Z log q q be a public vector and g ( ) : Z q Z log q q g (v) is a discrete Gaussian g, g (v) = v mod q s.t. For any small e Z log q q and any v Z q e, g (v) + y s y where y discrete Gaussian with same parameter as g ( ) y discrete Gaussian with parameter Õ ( e )

41 Our core lemma Let g Z log q q be a public vector and g ( ) : Z q Z log q q g (v) is a discrete Gaussian g, g (v) = v mod q s.t. For any small e Z log q q and any v Z q e, g (v) + y s y where y discrete Gaussian with same parameter as g ( ) y discrete Gaussian with parameter Õ ( e ) y does not depend on v.

42 Rerandomizing GSW ciphertexts Let C = ( ) A + µg be a GSW ciphertext sa + e

43 Rerandomizing GSW ciphertexts Let C = Then ( ) A + µg be a GSW ciphertext sa + e C C G (G) + ( ) y looks like a fresh encryption of µ with (slightly) bigger noise.

44 Rerandomizing GSW ciphertexts Let C = Then ( ) A + µg be a GSW ciphertext sa + e C C G (G) + ( ) y looks like a fresh encryption of µ with (slightly) bigger noise. We need to rerandomize ciphertexts of : for any matrix V Z n m q ( ) C C G (V) + y looks like a fresh encryption of with (slightly) bigger noise.

45 Modified evaluation of BP s C G (V) + ( ) y s C C C 2 Enc(result) ( ) A V t [i] = V t [mux (x t, j, k)]+ G sa + e (V t [j] V t [k])

46 Modified evaluation of BP s C G (V) + ( ) y s C C C 2 Enc(result) ( ) A V t [i] = V t [mux (x t, j, k)]+ G sa + e (V t [j] V t [k])

47 Modified evaluation of BP s C G (V) + ( ) y s C C C 2 Enc(result) ( ) ( ) A V t [i] = V t [mux (x t, j, k)]+ G sa + e (V t [j] V t [k]) + y

48 Modified evaluation of BP s C G (V) + ( ) y s C C C 2 Enc(result) ( ) ( ) A V t [i] = V t [mux (x t, j, k)]+ G sa + e (V t [j] V t [k]) + y s C (depends only on C t)

49 Achieving circuit privacy Proof by induction: Noise (V [i]) = Noise (V t[i]) = Noise (V t [...]) + ( ) A G (V sa + e t [j] V t [k]) + ( ) z t

50 Achieving circuit privacy Proof by induction: Noise (V [i]) = Noise (V t[i]) = Noise (V t [...]) + ( ) A G (V sa + e t [j] V t [k]) + ( ) z t Noise (V L [i]) s L k= C k where C k is a fresh encryption of with noise O ( e k ).

51 Achieving circuit privacy Proof by induction: Noise (V [i]) = Noise (V t[i]) = Noise (V t [...]) + ( ) A G (V sa + e t [j] V t [k]) + ( ) z t Noise (V L [i]) s L k= C k where C k is a fresh encryption of with noise O ( e k ).

52 Achieving circuit privacy Proof by induction: Noise (V [i]) = Noise (V t[i]) = Noise (V t [...]) + ( ) A G (V sa + e t [j] V t [k]) + ( ) z t Noise (V L [i]) s L k= C k where C k is a fresh encryption of with noise O ( e k ). We need to pad the BP

53 Circuit privacy for general circuits

54 Circuit privacy for general circuits scheme

55 Circuit privacy for general circuits f scheme

56 Circuit privacy for general circuits ( Enc ), x f scheme

57 Circuit privacy for general circuits f ( Enc ), x scheme Enc ( ), f (x)

58 Circuit privacy for general circuits f ( Enc ), x scheme ( Enc ), f (x) scheme 2

59 Circuit privacy for general circuits f ( Enc ), x scheme ( Enc ), f (x) ( Enc, ) scheme 2

60 Circuit privacy for general circuits f ciphertext hardwired ( Enc ), x scheme ( Enc ), f (x) scheme.dec (, C) ( Enc, ) scheme 2

61 Circuit privacy for general circuits f ciphertext hardwired ( Enc ), x scheme ( Enc ), f (x) scheme.dec (, C) ( Enc, ) scheme 2 ( Enc ), f (x)

62 Conclusions and open problems Variant of the DGLHL for rerand LWE samples

63 Conclusions and open problems Variant of the DGLHL for rerand LWE samples Multi-hop CP for circuits in NC with poly-lwe

64 Conclusions and open problems Variant of the DGLHL for rerand LWE samples Multi-hop CP for circuits in NC with poly-lwe Extension to general circuits

65 Conclusions and open problems Variant of the DGLHL for rerand LWE samples Multi-hop CP for circuits in NC with poly-lwe Extension to general circuits Only for semi-honest adversaries

66 Conclusions and open problems Variant of the DGLHL for rerand LWE samples Multi-hop CP for circuits in NC with poly-lwe Extension to general circuits Only for semi-honest adversaries Only for GSW cryptosystem

67 Conclusions and open problems Variant of the DGLHL for rerand LWE samples Multi-hop CP for circuits in NC with poly-lwe Extension to general circuits Only for semi-honest adversaries Only for GSW cryptosystem Questions?