Practical Bootstrapping in Quasilinear Time
|
|
- Kristian Atkins
- 5 years ago
- Views:
Transcription
1 Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April / 21
2 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. 2 / 21
3 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE lets you do this: µ Eval ( ) f, µ f(µ) where f(µ) and decryption time don t depend on f. A cryptographic holy grail with tons of applications. Naturally occurring schemes are somewhat homomorphic (SHE): they can only evaluate functions of an a priori bounded depth. ( ) µ Eval f, µ f(µ) ( ) Eval g, f(µ) g(f(µ)) 2 / 21
4 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ 3 / 21
5 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). 3 / 21
6 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. 3 / 21
7 Bootstrapping: SHE FHE [Gen 09] Homomorphically evaluates the SHE decryption function to refresh a ciphertext µ, allowing further homomorphic operations. sk ( Eval f(x) = Dec x ( µ ), sk ) µ The only known way of obtaining unbounded FHE. Goal: Efficiency! Minimize depth d and size s of decryption circuit. Best SHEs [BGV 12] can evaluate in time Õ(d s λ). Intensive study, many techniques [G 09,GH 11a,GH 11b,GHS 12b], but still very inefficient the main bottleneck in FHE, by far. The asymptotically most efficient methods on packed ciphertexts [GHS 12a,GHS 12b] are very complex, and appear practically worse than asymptotically slower methods. 3 / 21
8 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime 4 / 21
9 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts 4 / 21
10 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. 4 / 21
11 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? 4 / 21
12 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure 4 / 21
13 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. 4 / 21
14 Milestones in Bootstrapping [Gen 09]: Õ(λ 4 ) runtime [BGV 12]: Õ(λ 2 ) runtime, or Õ(λ) amortized over λ ciphertexts Mainly via improved SHE homomorphic capacity. Amortized method requires exotic plaintext rings, emulating Z 2 arithmetic in Z p. [GHS 12b]: Õ(λ) runtime, for packed plaintexts. Declare victory? Dec circuit mod Φ m (X) [GHS 12a] compiler Bootstrapping Procedure Log-depth mod-φ m (X) circuit is complex, w/large hidden constants. [GHS 12a] compiler is very complex, w/large polylog overhead factor. 4 / 21
15 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 5 / 21
16 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). 5 / 21
17 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 5 / 21
18 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: 5 / 21
19 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. 5 / 21
20 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. 5 / 21
21 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. 5 / 21
22 Our Results Practical bootstrapping algorithms with quasi-linear Õ(λ) runtimes: 1 For unpacked (single-bit) plaintexts: Extremely simple! Uses only power-of-2 cyclotomic rings (fast, easy to implement). Cf. [BGV 12]: Õ(λ) amortized across λ ciphertexts, exotic rings. 2 For packed (many-bit) plaintexts: Based on a substantial enhancement of ring-switching [GHPS 12] to non-subrings. Appears quite practical, avoids both main inefficiencies of [GHS 12b]: no homomorphic reduction modulo Φ m (X), no generic compilation. Special purpose, completely algebraic description no circuits. Completely decouples the algebraic structure of SHE plaintext ring from that needed for bootstrapping. 5 / 21
23 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) 6 / 21
24 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. 6 / 21
25 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. 6 / 21
26 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). 6 / 21
27 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). 6 / 21
28 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. 6 / 21
29 Setting the Stage: Decryption in SHE [LPR 10,BV 11,BGV 12] Let R = Z[X]/(X k/2 + 1), for k a power of 2. (The kth cyclotomic ring.) Let R q = R/qR = Z q [X]/(X k/2 + 1) for any integer q. Plaintext ring is R 2, ciphertext ring is R q for q 2. Can assume k, q = Õ(λ) by ring- and modulus-switching. Ciphertext c = (c 0, c 1 ) Rq 2 encrypting µ R 2 under s R satisfies v = c 0 + c 1 s q 2 µ (mod qr). Define the decryption function Dec s (c) := v = µ R 2, where rounding : Z q Z 2 is applied to coeffs of v = v(x). Unpacked plaintext µ Z 2 R 2, i.e., just a constant polynomial. Packed plaintext uses more of R 2, e.g., multiple slots [SV 11]. 6 / 21
30 Warm-Up: Bootstrapping Unpacked Ciphertexts 7 / 21
31 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) 8 / 21
32 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 8 / 21
33 Bootstrapping Unpacked Ciphertexts: Main Idea 1 Isolate message-carrying coefficient v 0 of v(x) by homomorphically tracing down a tower of cyclotomic rings O 2k /O k / /O 4 /Z. (Trace = sum of the two automorphisms of O 2i /O i.) v 0 + v 1 X + v 2 X 2 + v k 1 X k 1 Z q [X]/(X k + 1) v 0 + 0X + v 2 X 2 + 0X k 1 Z q [X 2 ]/(X k + 1) v 0 + v k/4 X k/4 + + v 3k/4 X 3k/4 Z q [X k/4 ]/(X k + 1) v 0 + v k/2 X k/2 Z q [X k/2 ]/(X k + 1) v 0 Z q 2 Homomorphically round v 0 Z q to the message bit 2 q v 0 Z 2. 8 / 21
34 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. 9 / 21
35 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21
36 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: 9 / 21
37 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} 9 / 21
38 Algebra: Cyclotomic Towers and Product Bases Let ζ = ζ k have order k, a power of 2. Its min. poly: ζ k/2 + 1 = 0. So O k = Z[ζ] = Z[X]/(X k/2 + 1) has Z-basis {1, ζ, ζ 2,..., ζ k/2 1 }. Tower of quadratic extensions O k /O k/2 / /O 4 /Z: ζk 2 = ζ k/2 O k = O k/2 [ζ k ] O k/2 -basis B k = {1, ζ k} ζ 2 8 = ζ 4 O 8 = O 4 [ζ 8 ] O 4 -basis B 8 = {1, ζ 8} ζ 2 4 = ζ 2 O 4 = O 2 [ζ 4 ] O 2 -basis B 4 = {1, ζ 4} ζ 2 2 = 1 O 2 = Z[ζ 2 ] = Z Z-basis B 2 = {1} Product Z-basis of O k : B k := B k B k/2 = B k B k/2 B 2 = {1, ζ, ζ 2,..., ζ k/2 1 }. 9 / 21
39 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζ 2 i = ζ i/2. 10 / 21
40 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. 10 / 21
41 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. 10 / 21
42 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: 10 / 21
43 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i 10 / 21
44 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. 10 / 21
45 Algebra: The Trace Tower of quadratic extensions O k /O k/2 / /O 4 /Z, where ζi 2 = ζ i/2. O i has exactly two automorphisms that fix O i/2 : ζ i ± ζ i. The trace function Tr: O i O i/2 simply sums these automorphisms. Let v = v v 1 ζ i O i for v 0, v 1 O i/2. Then Tr(v) = 2 v 0. So Tr(O i ) = 2 O i/2. More generally, Tr Oi /O i sums the automorphisms of O i that fix O i. Key facts: Tr Oi/O i = Tr Oi /O i Tr Oi/O i Tr Oi/O i (O i ) = deg(o i /O i ) O i. Tr Oi/Z(v) = i 2 v 0, where v 0 Z is the coeff of ζ 0 i = / 21
46 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R / 21
47 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext v = q q v + 0 = c 0 + c 1 s R q. Plaintext ring is now R q, not R 2! 11 / 21
48 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 11 / 21
49 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 11 / 21
50 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] 11 / 21
51 Bootstrapping Unpacked Ciphertexts: Overview Recall: R = O k, and v = c 0 + c 1 s q 2 µ R q for message µ Z 2 R 2. 1 Prepare: View c as a noiseless encryption of plaintext Plaintext ring is now R q, not R 2! v = q q v + 0 = c 0 + c 1 s R q. (Switch to larger ciphertext modulus Q q and ring R R, to support upcoming homomorphic operations.) 2 Extract constant term v 0 Z q of v: homomorphically evaluate Tr R/Z (v) deg(r/z) = v 0 q 2 µ Z q. Fast, increases noise rate by only k factor. 3 Round: homomorphically evaluate v 0 = µ Z 2. Uses algebraic procedure of depth lg(q/2) & size lg 2 (q/2) [GHS 12b] Now have an encryption of v 0 = µ. Done! 11 / 21
52 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. 12 / 21
53 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z. 12 / 21
54 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) 12 / 21
55 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space 12 / 21
56 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. 12 / 21
57 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. 12 / 21
58 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. 12 / 21
59 Evaluating Trace R/Z Homomorphically?? Use ring switching [GHPS 12]? Computes Tr R/R homomorphically, by taking Tr R/R of ciphertext. Requires hardness of ring-lwe in R... but here R = Z.?? Directly apply all automorphisms τ of R/Z to ciphertext, then sum? τ(c 0 ) + τ(c 1 ) τ(s) = τ(v) key-switch = c 0 + c 1 s τ(v) k/2 automorphisms & key-switches: quadratic work & space Iteratively trace down R = O k O k/2 Z. Only need to apply the two automorphisms of each O i /O i/2. Total lg(k) automorphisms & key-switches Õ(k) work. Detail #1: ciphertexts are over R R, so use automorphisms of R that coincide with those of O i /O i/2. Detail #2: each Tr(O i ) = 2O i/2, so lift to plaintext modulus 2q, then halve result. 12 / 21
60 Main Result: Bootstrapping Packed Ciphertexts 13 / 21
61 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 14 / 21
62 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 14 / 21
63 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S / 21
64 Bootstrapping Packed Ciphertexts: Overview 1 Prepare: as before, view c as a noiseless encryption of plaintext v = c 0 + c 1 s = v j b j R q. j Recall: µ = v = j v j b j R 2 (where b j = ζ j ). 2 Homomorphically map coeffs v j to Z q -slots of certain ring S q : vj b j R q v j c j S q. (Change of basis, analogous to homomorphic DFT.) 3 Batch-round: homom ly apply on all Z q -slots at once [SV 11]: vj c j S q v j c j S 2. 4 Homomorphically reverse-map Z 2 -slots back to B-coeffs: vj c j S 2 v j b j = µ R 2. (Akin to homomorphic DFT 1.) 14 / 21
65 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. 15 / 21
66 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O / 21
67 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism / 21
68 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S / 21
69 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 2 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). 15 / 21
70 Algebra: Slots and CRT Sets Let 1 = l 0 l 1 l 2 (all odd), and S (i) = O li = Z[ζ li ]. Identifying ζ l i/l i 1 l i = ζ li 1, we get a tower S (i) /S (i 1) / /Z. In S = S (i), 2 factors into distinct prime ideals, like so: S (2) = O 91 p 1,1 p 1,2 p 1,3 p 2,1 p 2,2 p 2,3 S (1) = O 7 p 1 p 2 Z = O 1 By Chinese Rem Thm, S 2 = j (S/p j) via natural homomorphism. CRT set: C = {c j } S s.t. c j = 1 (mod p j ), = 0 (mod p j ). Mapping v j Z 2 v j c j S 2 embeds Z 2 into jth slot of S 2. Can factor C i = C i C i 1: let c k = 1 (mod p,k), = 0 (mod p, k ). Similarly for S q = j (S/plg q j ) / 21
71 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. 16 / 21
72 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. 16 / 21
73 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21
74 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21
75 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21
76 Mapping Coeffs to Slots: Overview Choose S so that S q has deg(r/z) Z q -slots, via: (v j ) Z k/2 q v j c j mod q for an appropriate CRT set C = {c j } S of size k/2. Our goal: homomorphically map v j b j R q v j c j S q. Equivalently, evaluate the Z-linear map L: R S defined by L(b j ) = c j. Ring-switching [GHPS 12] lets us eval any R -linear map L: R R... but only for a subring R R. Goal for Remainder of Talk Extend ring-switching to (efficiently) handle Z-linear maps L: R S. Z-linear: L(b + b ) = L(b) + L(b ), L(v b) = v L(b) for any b, b R, v Z. 16 / 21
77 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). 17 / 21
78 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d 17 / 21
79 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. 17 / 21
80 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. 17 / 21
81 Algebra: Combining Cyclotomic Rings Let R = O k, S = O l. Let d = gcd(k, l) and m = lcm(k, l). T = R + S = O m ( compositum ) R S E = R S = O d Compositum T as a tensor product of R, S, where is E-bilinear: T { } = (R/E) (S/E) := ei,j (r i s j ) : e i,j E, r i R, s j S. Easy Lemma For any E-linear L: R S, there is an S-linear L: T S that agrees with L on R. Proof: define L by L(r s) = L(r) s S. 17 / 21
82 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. 18 / 21
83 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z 18 / 21
84 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 18 / 21
85 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! 18 / 21
86 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. 18 / 21
87 Enhanced Ring-Switching: First Attempt Let R = O k, S = O l be s.t. gcd(k, l) = 1, lcm(k, l) = kl. R embed T = O kl L (induced) L S E = Z To homom ly eval. Z-linear L: R S on an encryption of v R q, 1 Trivially embed ciphertext R T (still encrypts v). 2 Homomorphically apply S-linear L: T S using ring-switching. We now have an encryption of L(v) = L(v)! Problem: degree of T is quadratic, therefore so is runtime & space. This is inherent if we treat L as a generic Z-linear map! 18 / 21
88 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. 19 / 21
89 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21
90 Enhanced Ring-Switching, Efficiently Key Ideas The Z-linear L: R S given by L(B) = C is highly structured, because B, C are product sets. Gradually map B to C through a sequence of hybrid rings H (i), via E (i) -linear functions that each send a factor of B to one of C. Ensure small compositums T (i) = H (i 1) + H (i) via large gcd s: replace prime factors of k with those of l, one at a time. B R = H (0) embed T (1) E (1) -linear (induced) H (1) embed T (2) E (2) -linear (induced) H (2) = S C E (1) E (2) 19 / 21
91 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. 20 / 21
92 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. 20 / 21
93 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 20 / 21
94 Toy Example R = O 8, basis B = B 8 B 4 = {1, ζ 8} {1, ζ 4 }. S = O 7 13, CRT set C = C 7 C 91 = {c 1, c 2 } {c 1, c 2, c 3 }. B 8 B 4 O 8 B 8 C 7 fix B 4 B 4 C 7 O 4 7 B 4 C 91 fix C 7 C 7 C 91 O 7 13 O 4 O 7 In general, switch through log(deg(r/z)) = log(λ) hybrid rings, one for each prime factor of k. 20 / 21
95 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. 21 / 21
96 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. 21 / 21
97 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. 21 / 21
98 Final Thoughts Gradually converting B to C via hybrid rings is roughly analogous to a log-depth FFT butterfly network. Technique should also be useful for homomorphically evaluating other signal-processing transforms having sparse decompositions. Practical implementation and evaluation are underway. Thanks! 21 / 21
Practical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert October 9, 2013 Abstract Gentry s bootstrapping technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationVadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationTOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION
TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION A Thesis Presented to The Academic Faculty by Jacob Alperin-Sheriff In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationBootstrapping for HElib
Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry IBM Shai Halevi IBM Nigel P. Smart University of Bristol December 15, 2011 Abstract Gentry s bootstrapping technique is currently the only
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationFixed-Point Arithmetic in SHE Schemes
Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016 Outline Motivation
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationSubring Homomorphic Encryption
Subring Homomorphic Encryption Seiko Arita Sari Handa June 7, 2017 Abstract In this paper, we construct subring homomorphic encryption scheme that is a homomorphic encryption scheme built on the decomposition
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationHomomorphic Encryption for Arithmetic of Approximate Numbers
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon 1, Andrey Kim 1, Miran Kim 2, and Yongsoo Song 1 1 Seoul National University, Republic of Korea {jhcheon, kimandrik, lucius05}@snu.ac.kr
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationOptimizing Fully Homomorphic Encryption
Optimizing Fully Homomorphic Encryption By Kevin C. King B.S., C.S. M.I.T., 2015 September 30, 2016 Submitted to the Department of Electrical Engineering and Computer Science In Partial Fulfillment of
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationA Toolkit for Ring-LWE Cryptography
A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky Chris Peikert Oded Regev May 16, 2013 Abstract Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationImplementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields
Department of Mathematics and Department of Computer Science Master Thesis Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields Christoph Manuel Mayer December 16,
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon 1, Kyoohyung Han 1, Andrey Kim 1, Miran Kim 2, and Yongsoo Song 1,2 1 Seoul National University, Seoul, Republic of Korea {jhcheon, satanigh,
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationFloating-Point Homomorphic Encryption
Floating-Point Homomorphic Encryption Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song Department of Mathematical Sciences, Seoul National University, Republic of Korea {jhcheon, kimandrik, alfks500,
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationCarmen s Core Concepts (Math 135)
Carmen s Core Concepts (Math 135) Carmen Bruni University of Waterloo Week 8 1 The following are equivalent (TFAE) 2 Inverses 3 More on Multiplicative Inverses 4 Linear Congruence Theorem 2 [LCT2] 5 Fermat
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationFunctional Lattice Cryptography
Λ λ : Functional Lattice Cryptography Eric Crockett * Chris Peikert August 17, 2016 Abstract This work describes the design, implementation, and evaluation of Λ λ, a general-purpose software framework
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationFaster Homomorphic Evaluation of Discrete Fourier Transforms
Faster Homomorphic Evaluation of Discrete Fourier Transforms Anamaria Costache, Nigel P. Smart, and Srinivas Vivek University of Bristol, Bristol, UK Abstract. We present a methodology to achieve low latency
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationHigh-Precision Arithmetic in Homomorphic Encryption
High-Precision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationHomomorphic AES Evaluation Using the Modified LTV Scheme
Noname manuscript No. (will be inserted by the editor) Homomorphic AES Evaluation Using the Modified LTV Scheme Yarkın Doröz Yin Hu Berk Sunar the date of receipt and acceptance should be inserted later
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationA Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme
A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme Presented by: Vincent Zucca 1 Joint work with: Jean-Claude Bajard 1, Julien Eynard 2 and Anwar Hasan 2 1 Sorbonne
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationHomomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes
An extended abstract of this paper appears in the proceedings of COCOON 2016. This is the full version. Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes Pierre-Alain Fouque 1,3, Benjamin
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationBetween a Rock and a Hard Place: Interpolating Between MPC and FHE
Between a Rock and a Hard Place: Interpolating Between MPC and FHE A. Choudhury, J. Loftus, E. Orsini, A. Patra and N.P. Smart Dept. Computer Science, University of Bristol, United Kingdom. {Ashish.Choudhary,Emmanuela.Orsini,Arpita.Patra}@bristol.ac.uk,
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationManual for Using Homomorphic Encryption for Bioinformatics
1 Manual for Using Homomorphic Encryption for Bioinformatics Nathan Dowlin, Ran Gilad-Bachrach, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing Abstract Biological Data Science is an emerging
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationBatch Fully Homomorphic Encryption over the Integers
Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University
More information