Gentry s SWHE Scheme

Transcription

1 Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme. In Gentry s scheme, the plaintext space and the ciphertext space are rings (support addition and multiplication), and given encryptions of l messages, c 1,..., c l, where c i Enc(m i ), and a polynomial Q of bounded degree (and not-too-many terms), we have (except for negligible probability) Q(m 1,..., m l ) = Dec(Q(c 1,..., c l )). 1 Background: GGH-type Cryptosystems We briefly recall Micciancio s cleaned-up version of GGH cryptosystems [GGH97, Mic01]. The secret and public keys are good and bad bases of some lattice Λ. More specifically, the keyholder generates a good basis by choosing B to be a basis of short, nearly orthogonal vectors. def Then it sets the public key to be the Hermite normal form of the same lattice, B pk = HNF(Λ(B )). A ciphertext in a GGH-type cryptosystem is a vector c close to the lattice Λ(B pk ), and the message which is encrypted in this ciphertext is somehow encoded in the distance from c to the nearest lattice vector. To encrypt a message m, the sender chooses a short error vector e that encodes m, and then computes the ciphertext as c e mod B pk. Note that if e is short enough (i.e., less than λ 1 (Λ)/), then it is indeed the distance between c and the nearest lattice point. To decrypt, the key-holder uses its good basis B to recover e by setting e c mod B, and then recovers m from e. The reason decryption works is that, if the parameters are chosen correctly, then the parallelepiped P(B ) of the secret key will be a plump parallelepiped that contains a sphere of radius bigger than e, so that e is indeed the unique point inside P(B ) that equals c modulo Λ. On the other hand, the parallelepiped P(B pk ) of the public key will be very ewed, and will not contain a sphere of large radius, making it useless for solving BDDP. More algebraically, the secret-key basis B is chosen so that all the columns of B 1 have Eucledean length smaller than 1/ e. Recall that c = v + e for some v Λ, so we can write c = αb + e for some integer coefficient vector α. Also, reducing c mod B is done by computing c mod B = [ ] is distance to nearest integer {}}{ [ cb 1 ] B = [( αb + e)b 1 ]B = [ α + eb 1 ]B ( ) = [ eb 1 ]B where Equality ( ) follows since α is an integer vector and [ ] means taking only the fractional part. Each entry of eb 1 is the inner product of e with a column of B 1, and as the column is shorter than 1/ e then that entry is smaller than 1/ in absolute value. It follows that the fractional part [ eb 1 ] equals eb 1 exactly. Thus, c mod B = [ eb 1 ]B = eb 1 B Note that if the encoding of m into e is linear, then this scheme is already somewhat additively homomorphic, since for two ciphertexts c 1 = v 1 + e 1 and c = v + e, we get that e = e 1 + e encodes m 1 +m. If e is still short enough then decryption will recover it and thus returns m 1 +m. = e. 1

2 For example, if in order to encode m {0, 1} we denote m = (m, 0,..., 0) {0, 1} n, choose a short integer vector r and set e = r + m, then c 1 + c = ( v 1 + r 1 + m 1 ) + ( v + r + m ) = ( v 1 + v ) + ( r 1 + r ) + ( m 1 + m ) = v + e, where v = v 1 + v Λ, and e (m 1 m, 0,..., 0) mod. If e is short then we decrypt m 1 m. Recall that a lattice is a discrete additive subgroup of Z n. In order to obtain an encryption scheme that is (somewhat) homomorphic w.r.t. multiplication we need a ring structure as we have in ideal lattices. Consider the encryption scheme from the GGH example above, where Λ = Λ J is an ideal lattice with the underlying ring R n = Z[x]/ x n + 1, then we have c 1 c = ( v 1 + r 1 + m 1 ) ( v + r + m ) = v 1 ( v + r + m ) + v ( r 1 + m 1 ) + ( r }{{} 1 r + r 1 m + m 1 r ) + m 1 m }{{} v e where v Λ J since v 1, v Λ J and J is an ideal. Note that if m i = (m i, 0,..., 0), with the leftmost entry being the free term in the corresponding polynomial, then we have m 1 m = (m 1 m, 0,..., 0). If e is still small enough then we can recover it by m 1 m e mod. Gentry s Somewhat-Homomorphic Encryption (SWHE) Scheme The SWHE scheme that underlies Gentry s scheme is a GGH-type cryptosystem where the public key specifies an ideal lattice Λ J. Here we only cover a special case of Gentry s scheme where all the ideals are principal and the ring that is used for polynomial arithmetic is R n = Z[x]/ x n + 1, with n a power of two. (This is the variant that was implemented in [SV10] and [GH11].) The relation in the ring R n is x n 1, hence R n is closed under rotation-negation, i.e. if then so is v = (v 0,..., v ) = v 0 + v 1 x v x R n, x v = x v i x i = v + v 0 x + v 1 x v n x = ( v, v 0,..., v n ). Therefore, given v = (v 0,..., v ) R n, we can define the rotation basis of v as v v 0 v 1... v x v V =. = v v 0... v n x v v 1 v... v 0 Parameters: The security parameter is n = m, in addition we have 3 other size parameters ρ, σ, τ that satisfy τ σn log n and τ > (ρn log n) 4 n. For example one can set σ = n, and then determine ρ, τ. Key Gen: Choose s N (0, σ ) n and set v = (τ, 0,..., 0) + s. Ensure that det(v ) is odd and that s 1 < σn log n. The secret key is v whereas the public key is B = HNF( v), the HNF basis for the lattice spanned by the rows of V (corresponding to the ideal v ). Encrypt B (m): Given m {0, 1} choose at random r N (0, ρ ) n, and set c = r + (m, 0,..., 0) mod B.

3 Decrypt v ( c): Let V be the rotation basis of v, compute m = ( c mod V ) mod, and output the first entry, i.e. if W = V 1, then m = ([ cw ]V ) mod (where [ ] is the fractional part in the range [ 1, 1 )). As in the GGH scheme, in order for the decryption to work we require that ew < 1, so that we have [ ew ]V = ew V = e. Claim 1. Let e R n such that e < τ 4, then ew < 1. Proof. Since every entry of ew is an inner product of e with a column of W. it is enough to show that every column of W is small enough. Assume that ew 1, and we will show that w.h.p. e τ 4. Let t = ew = ev 1, i.e. e = tv = j t j(x j v). Let i be the largest such that t i 1. In the key generation procedure we set v = (τ, 0,..., 0) + s, therefore x j v = (0,..., 0, τ, 0,..., 0) + x j s, and the i th entry of e is It follows that e i = t i τ + i e i = t i τ + t i τ t i τ (i+1) t j s i j t j+i+1 s j. i i i = t i (τ s j ) (i+1) t j s i j t j+i+1 s j (i+1) t j s i j t j+i+1 s j (i+1) t i s i j t i s j = t i (τ s 1 ) However, since t i 1, s 1 < σn log n and τ σn log n we get e i 1 (τ σn log n) τ 4. It follows that e τ 4, and we get a contradiction. The following claim explains the somewhat homomorphic nature of the encryption scheme. Claim. Let Q(x 1,..., x l ) be a binary polynomial of degree at most n in each variable, with at most n n terms. For i = 1,..., l let m i {0, 1} and set c i Enc B (m i ). In addition, set c = Q( c 1,..., c l ) (where evaluation is over R n ). Then w.h.p. Dec( c) Q(m 1,..., m l ) mod. Proof. With high probability each one of the c i is of the form c i = u i + e i, for some u i v, with e i < ρ log n and e i (m i, 0,..., 0) mod. It follows that Q( c 1,..., c l ) = u + Q( e 1,..., e l ) for some u v (because the u i are in the ideal). Similarly, since e i = r i + m i we have Q( e 1,..., e l ) = r + Q( m 1,..., m l ) Q( m 1,..., m l ) mod. Note that for a, b R n we have a b n a b, hence e = Q( e 1,..., e l ) (max e i ) n n (# of terms) i (ρn log n) n n n < (ρn log n) 4 n τ/4. So by Claim 1 decryption will recover e = Q( e 1,..., e l ), and therefore also Q( m 1,..., m l ). 3

4 3 Security of Gentry s SWHE Scheme Claim 3. The scheme is CPA-secure if for v (τ, 0,..., 0) + N (0, σ ) n it is hard to distinguish N (0, ρ ) n mod B from a uniform integer vector modb, where B is the HNF of the lattice Λ V, assuming det(v ) is odd. Before we prove the claim we need to play a bit with some algebra. Let V be the rotation basis of v and denote d = det(v ). We know that d 0. Assume d is odd, an denote the adjoint matrix of V by A = dv 1, A is an integer matrix as it is the adjoint of an integer matrix. Let a = (a 0,..., a ) be the first row of A. On one hand, since AV = di we have av = (d, 0,..., 0), which is in fact the constant polynomial d R n. On the other hand we have av = a i (x i v) = (a i x i ) v mod (x n + 1) = a v R n. It follows that a v = d (the constant polynomial d). Note that x a v = xd = (0, d, 0,..., 0), hence the second row of A is x a. In fact A is the rotation basis of a, and a is the scaled inverse of v. Now, since d is odd, d 1 Z, and we can consider the constant polynomial d 1 R n. It holds that a v d 1 = d (d 1) = 1 R n, namely the polynomials v and are coprime in R n. It follows that the map x x mod v is a permutation. What do we actually mean by x x mod v? Since v is an ideal in R n, we can consider the quotient ring R n / v and the natural projection R n R n / v. Now x mod v is simply the image of this projection (by abuse of notation we write x R n / v for the equivalence class [ x] R n / v ). We can look at the doubling map over R n / v, sending x R n / v to x R n / v. Since and v are coprime in R n, has an inverse 1 d R n / v. Thus doubling induces a permutation on R n / v : x 1 d = x (1 a v) = x mod v. Two polynomials a, b R n are congruent mod v if a b v, i.e. there is some u R n such that a = b + u v, however u v = uv, hence a, b are congruent mod v iff a, b are congruent modv, and we can conclude that the mapping x x mod V is a permutation on R n / v. We are now ready to prove claim 3. Proof of Claim 3. Let A be a CPA adversary with advantage ɛ. We will show how to utilize it and construct a distinguisher between ( N (0, ρ ) n mod B) from a uniform integer vector in P(B), where v is chosen as in the key generation algorithm of the scheme and B is the HNF basis of v. Given B and x, we need to decide if x is uniform modb or Gaussian modb. We give A the basis B as public key, and A gives us two bits m 0, m 1. We choose a random bit b R {0, 1}, and give A the ciphertext c = x + (m b, 0,..., 0) mod B. When A returns a bit b we output 1 if b = b and 0 otherwise. If x is Gaussian then this is a perfect simulation of the scheme, hence A guesses correctly with probability 1 + ɛ. If x is uniform modb then x mod B = ( x mod V ) mod B, and since x mod V is uniform in P(V ) and doubling is a permutation, then x mod V is also uniform in P(V ), hence x mod B is uniform in P(B). It follows that x + m b mod B is uniform in P(B) regardless of b. Therefore A guesses correctly in this case with probability 1. 4

5 So how hard is it to distinguish between uniform and Gaussian modb? We don t really know, however one way is to solve the BDD problem for the Gaussian case. Note that when x is Gaussian then w.h.p. x ρ, whereas det(λ(v )) x i v (τ + σ log n) n < (τ) n. It follows that the ratio between the error distance ( c, Λ) and n det(λ) is n det(λ) ρ < τ ρ < 4 n, and we do not know how to solve BDD with this ratio. References [GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Burton S. Kalii Jr., editor, Advances in Cryptology - CRYPTO 1997, volume 194 of Lecture Notes in Computer Science, pages Springer, [GH11] Craig Gentry and Shai Halevi. Implementing gentry s fully-homomorphic encryption scheme. In Advances in Cryptology - EUROCRYPT 11, volume 663 of Lecture Notes in Computer Science, pages Springer, 011. Full version available on-line from [Mic01] Daniele Micciancio. Improving lattice based cryptosystems using the hermite normal form. In CaLC 01, volume 146 of Lecture Notes in Computer Science, pages Springer, 001. [SV10] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography - PKC 010, volume 6056 of Lecture Notes in Computer Science, pages Springer,