Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part
GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of ClosestVector Problem (CVP). Our discussion of GGH is variant by D. Micciancio: "mproving lattice based cryptosystems using the Hermite normal form," Cryptography and Lattices 200.
Secret key ( ) The sceret key is a "good" basis R = r,, r of a lattice L. n For computational purpose, assume L. The quantity ρr = min ri is relatively large. 2 We know: λ ( L) min r ; i ( t L) thus, λ ( L) 2 ρ. Thus, the orthogonalized centered parallelepiped C( R ) is fat, containing a ball of radius ρ. n Any point t with dist, < ρ can be corrected to the closest lattice point (using the nearest plane algorithm). R R n R
A good basis and the corresponding correction radius Source: Daniele Micciancio's paper, CaLC 200
Public key ( ) The public key is a "bad" basis = b,, b of L. For example, = HNF( R). ts orthogonalized parallelepiped, P( ρ = CVP * ), is skiny. min bi is much smaller than ρr. 2 (DDC) is hard (w/o knowing R) even if dist t, L < ρ. * Denote by mod the unique P( ) s.t. s is congruent to t modulo L (i.e., s t or t s L). n ( ) * system of.) (Here we use P( t s ) as the representative L n L R
HNF basis and corresponding orthogonalized parallelepiped Source: Daniele Micciancio's paper, CaLC 200
Encryption and Decryption Encryption: to encrypt a message m, Encode m as a vector r, r < ρ. c rmod. Decryption: to decrypt a ciphertext c, Recover r from c by r cmod R. Recover m from r. R
Correcting small errors using the private basis From Micciancio's paper
s GGH homomorphic? f the encoding scheme is such that m m r m + m r + r r 2 2 2 2 2 and if r, r < ρ 2, then GGH is additively R homomorphic: GGH( m + m ) = GGH( m ) + GGH( m 2 mod How to make it multiplicatively homomorphic? Genty's answer: use ideal lattices. 2 )
deals Gentry s scheme uses ideal lattices, which are lattices corresponding to some ideals
Rings A ring R is a set together with two binary operations + and satisfying the following axioms: ( R, + ) is an abelian group. is associative: ( a b) c= a ( b c) for all abc,, R. Distributive laws hold: ( a+ b) c= ( a c) + ( b c) and a ( b+ c) = ( a b) + ( a c). The ring R is commutative if a b= b a. The ring R is said to have an identity if there is an element R with a = a = a for all a R. We will only be interested in communative rings with an identy.
deals An ideal of a ring R is an additive subgroup of R s.t. r for all r R. (.e., a subset R s.t. a b and r a for all a, b, r R.) Example: Consider the ring. { na n } For any integer a, = : is an ideal. a Conversely, any ideal is equal to a for some a. The mapping f : a is a bijective function from { } { } nonnegative integers ideals of. a The name ideal comes from "ideal" numbers.
Some historical notes An algebraic integer n n 0 is a number [ α] satisfying n x + a x + + ax+ a = 0, where a. The set of all algebraic integers forms a ring. For any algebraic integer α, [ α ] { α} under +,,. [ i] = { a + bi a b } [ α ] x i denote the closure of Example: :,. Gaussian integers. resembles, and many question s concerning can be answered by considering.
For instance, Format's theorem on sums of two squares: 2 2 an odd prime can be expressed as (, ) iff p mod 4. This theorem can be proved by showing that if p p= x + y xy in [ i] p mod 4, then p factors into p = ( a + bi)( a bi) if p 3mod 4, then p cannot be factored. While has the unique prime factorization property, in general doesn't. For instance, in 5, 6 has two prime factorizations: 6 = 2 3 = ( + 5 )( 5 ). [ α ]
Eduard Kummer, inspired by the discovery of imaginary numbers, introduced ideal numbers. ( )( ) For instance, in the example of 6 = 2 3 = + 5 5, we may define ideal prime numbers p, p, p, p, are subject to the rules: 2 3 4 which pp = 2, pp = 3, pp = + 5, pp = 5. 2 3 4 3 2 4 Then, 6 would have the unique prime factorization: 6 = pppp. 2 3 4 Kummer's concept of that of ideal numbers was later replaced by ideals, by Richard Dedekind.
Operations on deals Let, be ideals of the ring R. { } Sum of ideals: + a+ b: a, b, which is the smallest ideal containing both and. Product o f ideals: the set of all finite sums of the form a b with a, b..e., the smallest ideal { } containing a b: a, b. Thus, R is the identy. divides iff. Thus, gcd(, ) = (, ) = +. is a prime ideal if a, b R, ab a or b. Two ideal and are relatively prime if + = R.
Generators and ases of ideals Let be any subset of a ring R. Denote by ( ) the smallest ideal of R containing, called the ideal generated by. We have: { + n n i R, i, n } ( ) = rb + + rb : r b The ideal = ( ) is finitely generated if is finite, and is a principal ideal if contains a single element. is a basis of = ( ) if it is linearly independent.
Cosets Let be an ideal of a ring R. R is partitioned into cosets s.t. two elements a, b R are ( + ) in the same coset iff a b. R= a a Z [ ] = a+ = { + i i } The coset containing a is a a :. Define [ a] [ b] [ a b] [ a] [ b] [ a b] + = + and =. The cosets form a ring R, called the quotient ring. Choose an element from each coset as a representative, then we have a system of representatives for R. For x R, denote by x od the element representin [ x] m g.
Gentry s deal-based Scheme
Notations Let be an ideal of the ring R, and a basis of. R mod : a system of representatives for Rdefined by. f 2 in general ( ) are two bases for the same ideal, we have x mod xmod (not necessarily equal). Samp x, : samples the coset x + according to some probability distribution. C : a circuit whose gates perform + and operations mod. 2 gc ( ) : generalized C, the same as C but without mod. C : same as C, but gates perform mod operations instead.
From Micciancio's paper
Σ: an ideal-based encryption scheme KeyGen, ( R ) : nput: a ring R, a basis of an ideal. ( sk ) R ( R ), dealgen,. sk Public key : =. Secret key sk : =. Parameters: ( R,, Samp ), which are public info. Plaintext space P: = (a subset of) R mod Remarks: As in GGH, sk is a good (fat) basis and a bad (skiny) one. The ideal is used to encode plaintexts as ring elements.
( π ) π ( ) Encrypt, : ( sk ψ ) ( sk ψ mod ) // P// π Samp π, // an element in coset π + // ψ π mod Decrypt, : π // the ciphertext // mod Remarks: π is encoded as a random element π π is then encrypted as in GGH. sk Decryption is correct if π mod. R in the same coset.
( C ) Evaluate,, Ψ : nput: a public key ; a mod circuit C composed of Add and Mult (and identity) gates; and ciphertexts ( ) Ψ= ( ψ,, ψ ), where ψ = Encrypt, π, π P. t i i ( Ψ ) = gc( Π ) Output: ψ : = gc ( ) mod. // ( ) mod // i Remarks: ( ) Evaluate, Add, ψ, ψ : outputs ψ + ψ mod. ( ) 2 2 Evaluate, Mult, ψ, ψ : outputs ψ ψ mod. 2 2 Evaluate circuit C by evaluating its gates in a proper order.
Correctness: informal Evaluating yields: ( ) ( ) ( ) ψ : = C Ψ = gc ( ) Ψ mod = gc ( ) Π mod C encode ( π π ) ( π π ) where Π =,, Π =,, t mod ( ψ ψ ) Ψ=,,. sk Decrypting ψ will yield: π : = ψ mod mod. ( Π ) ( ) sk Correct if gc ( ) Rmod. Thus, if we restrict π,, π to be in certain region, the scheme will be homomorphic for circuits C for which sk ( Π ) R gc ( ) mod. t t
Correctness of the ideal-based scheme ( ) Let X Samp, M and X R mod. Enc Dec A mod circuit C (including the identity circuit) with t inputs is a permitted circuit w.r.t. the scheme if: x,, x X, g( C) x,, x X. ( ) t Enc t Dec Theorem: f CΣ is a set of permitted circuits containing the identity circuit, then the scheme is correct for CΣ..e., algorithm Decrypt correctly decrypts valid ciphertexts: ( Π ) = Decrypt (, Evaluate (,, Ψ) ), C CΣ Ψ ( sk Π) ( Ψ) C sk C where and Encrypt,. Valid ciphertexts: outputs of Evaluate, C,, C C. Σ Σ
coset π + π coset π + π ψ ψ Encrypt: Decrypt: ( π ) Samp, mod π π ψ sk mod mod π ψ ψ = sk t works if π ψ, i.e. if π R mod.
π π π π ψ Q: ( Π) ( )( Π ) ( Ψ) C gc C ( Π) = sk C ( Ψ) s C Decrypt, C ( ) ( ( ) mod ) sk C Ψ ( Π) = gc ( )( Π ) mod gc ( )( Π ) mod = C ( Ψ) ( Π ) sk ( Π ) = C ( Ψ) gc ( ) mod mod ( sk gc ( ) mod ) mod = C ( Ψ) ( mod ) sk sk mod mod? sk ( Π ) gc( Π ) d g C ( Π ) sk Yes, if g( C) = ( ) mo, i.e., ( ) R mod.
Security of the ideal-based scheme
deal Coset Problem (CP) Let R be a ring, an ideal, and a basis. dealgen: an algorithm that given ( R, sk two bases, of the same ideal. ) outputs Samp : a random algorithm that samples R (non-uniformly). deal Coset Problem: Fix R,, dealgen, Samp. ( sk ) R ( R ) Challenger:, dealgen,. b {0, }. b = r R t r f 0, then R Samp ( ), mod. f b=, then t uniformly R mod. Adversary: given t and, determine if b = 0 or. u
Essentially, the problem is to to distinguish between: b b [ t] [ t] = 0 : a coset is chosen according to some "Samp ". = : a coset is chosen uniformly ra ndomly. The hardness of CP depends on Samp. How does CP connect to Gentry's encryption scheme Σ? [ π ] A ciphertext is essentially a coset chosen by Samp. Σ is semantically secure if the ciphertext is random-like. CP is hard if coset t chosen by Samp is random-like. [ ] Will show CP distinguishing ciphertexts of scheme Σ. Will use Samp to def ine Samp.
Connect Samp to Samp r Samp ( R) samples an element in ring R. x Samp Wanted: Let ( s) ( x, ) [ x] r random = = R s [ x] Then, = x + R s. samples an element in coset. x random be a principal idel a generated by s. ( x, ) x ( R) Let Samp + Samp s.
Security of the ideal-based scheme Σ The deal Coset Problem is to distinguish between t t Samp ( R) mod ( R ) uniform mod. Encrypt, : where ψ ( π) Samp ( π, ) π Samp ( R) mod ( s) ( s) + mod = = R s is a principal ideal generated by s.
Theorem: f there is an algorithm A that breaks the semantic security of Σ with advantage ε when it uses Samp, then there is an algorithm, running in about the same time as A, that solves the CP with advantage ε 2. Proof: ( s) ( t ) The challenger of CP sends an instance,. chooses an ideal = relatively prime to and sets up the other parameters of Σ. We have two games: () the CP game between Challenger and (adversary), and (2) the Σ game between (challenger) and A (adversary). They run as follows.
Challenger b : = {0, } u t,, β : = {0, } u π, π 2 β β b : = β β ψ A where if b = 0, t Samp ( R) mod ; else, t R mod ; and ( ) ψβ πβ + t s mod. π π + β β u
( R ) ( ) f b= 0, t Samp ( R) mod and ψ = π + t s mod ( ) = πβ + Samp ( ) s mod = Encrypt, πβ. π β Samp ( π β,) Pr[ b= b b= 0] = Pr[ β = β b= 0] = 2 + ε. f b=, t R mod, so ψ = π uniform β β β ( + ) β t s mod is unformly random (for ( s) = is relatively prime to s t πβ + t s πβ + t s exists bijective uniform.) Pr[ b= b b= ] = Pr[ β β b= ] = 2. Thus, has advantage ε 2.