Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Similar documents
Gentry s SWHE Scheme

Gentry s Fully Homomorphic Encryption Scheme

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattice Cryptography

On Homomorphic Encryption and Secure Computation

Open problems in lattice-based cryptography

Lattice Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Fully Homomorphic Encryption over the Integers

Ideal Lattices and NTRU

Background: Lattices and the Learning-with-Errors problem

Fully Homomorphic Encryption and Bootstrapping

Faster Fully Homomorphic Encryption

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

General Impossibility of Group Homomorphic Encryption in the Quantum World

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Fully Homomorphic Encryption over the Integers

Algebraic Structures Exam File Fall 2013 Exam #1

Cryptology. Scribe: Fabrice Mouhartem M2IF

Topics in Cryptography. Lecture 5: Basic Number Theory

New Cryptosystem Using The CRT And The Jordan Normal Form

Mathematical Foundations of Public-Key Cryptography

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Elliptic Curve Cryptography

Mathematics for Cryptography

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Fully Homomorphic Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Rings and Fields Theorems

El Gamal A DDH based encryption scheme. Table of contents

Number Theory and Algebra: A Brief Introduction

Lattice Basis Reduction Part 1: Concepts

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

Multikey Homomorphic Encryption from NTRU

Subrings and Ideals 2.1 INTRODUCTION 2.2 SUBRING

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Public Key Cryptography

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

A Digital Signature Scheme based on CVP

Fully Homomorphic Encryption

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Groups Subgroups Normal subgroups Quotient groups Homomorphisms Cyclic groups Permutation groups Cayley s theorem Class equations Sylow theorems

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Homomorphic Encryption. Liam Morris

Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia

Discrete Mathematics GCD, LCM, RSA Algorithm

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

SIS-based Signatures

9 Knapsack Cryptography

MASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Fully Homomorphic Encryption Using Ideal Lattices

Historical cryptography. cryptography encryption main applications: military and diplomacy

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Classical Cryptography

Implementing Homomorphic Encryption

Computing with Encrypted Data Lecture 26

Notes for Lecture 16

Efficient and Secure Delegation of Linear Algebra

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

An Introduction to Probabilistic Encryption

Shai Halevi IBM August 2013

Some security bounds for the DGHV scheme

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

A Little Beyond: Linear Algebra

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Basic elements of number theory

Basic elements of number theory

Exercise Sheet Cryptography 1, 2011

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Notes for Lecture 17

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Definition List Modern Algebra, Fall 2011 Anders O.F. Hendrickson

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

An intro to lattices and learning with errors

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

1 Public-key encryption

Foundations of Cryptography

Fully Homomorphic Encryption - Part II

Lecture Notes, Week 6

RSA Cryptosystem and Factorization

CPSC 467b: Cryptography and Computer Security

Introduction to Cryptography. Lecture 8

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

ENTRY GROUP THEORY. [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld.

An Efficient Broadcast Attack against NTRU

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Lattice Based Crypto: Answering Questions You Don't Understand

Number Theory. Modular Arithmetic

Discrete logarithm and related schemes

Diophantine equations via weighted LLL algorithm

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Transcription:

Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part

GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of ClosestVector Problem (CVP). Our discussion of GGH is variant by D. Micciancio: "mproving lattice based cryptosystems using the Hermite normal form," Cryptography and Lattices 200.

Secret key ( ) The sceret key is a "good" basis R = r,, r of a lattice L. n For computational purpose, assume L. The quantity ρr = min ri is relatively large. 2 We know: λ ( L) min r ; i ( t L) thus, λ ( L) 2 ρ. Thus, the orthogonalized centered parallelepiped C( R ) is fat, containing a ball of radius ρ. n Any point t with dist, < ρ can be corrected to the closest lattice point (using the nearest plane algorithm). R R n R

A good basis and the corresponding correction radius Source: Daniele Micciancio's paper, CaLC 200

Public key ( ) The public key is a "bad" basis = b,, b of L. For example, = HNF( R). ts orthogonalized parallelepiped, P( ρ = CVP * ), is skiny. min bi is much smaller than ρr. 2 (DDC) is hard (w/o knowing R) even if dist t, L < ρ. * Denote by mod the unique P( ) s.t. s is congruent to t modulo L (i.e., s t or t s L). n ( ) * system of.) (Here we use P( t s ) as the representative L n L R

HNF basis and corresponding orthogonalized parallelepiped Source: Daniele Micciancio's paper, CaLC 200

Encryption and Decryption Encryption: to encrypt a message m, Encode m as a vector r, r < ρ. c rmod. Decryption: to decrypt a ciphertext c, Recover r from c by r cmod R. Recover m from r. R

Correcting small errors using the private basis From Micciancio's paper

s GGH homomorphic? f the encoding scheme is such that m m r m + m r + r r 2 2 2 2 2 and if r, r < ρ 2, then GGH is additively R homomorphic: GGH( m + m ) = GGH( m ) + GGH( m 2 mod How to make it multiplicatively homomorphic? Genty's answer: use ideal lattices. 2 )

deals Gentry s scheme uses ideal lattices, which are lattices corresponding to some ideals

Rings A ring R is a set together with two binary operations + and satisfying the following axioms: ( R, + ) is an abelian group. is associative: ( a b) c= a ( b c) for all abc,, R. Distributive laws hold: ( a+ b) c= ( a c) + ( b c) and a ( b+ c) = ( a b) + ( a c). The ring R is commutative if a b= b a. The ring R is said to have an identity if there is an element R with a = a = a for all a R. We will only be interested in communative rings with an identy.

deals An ideal of a ring R is an additive subgroup of R s.t. r for all r R. (.e., a subset R s.t. a b and r a for all a, b, r R.) Example: Consider the ring. { na n } For any integer a, = : is an ideal. a Conversely, any ideal is equal to a for some a. The mapping f : a is a bijective function from { } { } nonnegative integers ideals of. a The name ideal comes from "ideal" numbers.

Some historical notes An algebraic integer n n 0 is a number [ α] satisfying n x + a x + + ax+ a = 0, where a. The set of all algebraic integers forms a ring. For any algebraic integer α, [ α ] { α} under +,,. [ i] = { a + bi a b } [ α ] x i denote the closure of Example: :,. Gaussian integers. resembles, and many question s concerning can be answered by considering.

For instance, Format's theorem on sums of two squares: 2 2 an odd prime can be expressed as (, ) iff p mod 4. This theorem can be proved by showing that if p p= x + y xy in [ i] p mod 4, then p factors into p = ( a + bi)( a bi) if p 3mod 4, then p cannot be factored. While has the unique prime factorization property, in general doesn't. For instance, in 5, 6 has two prime factorizations: 6 = 2 3 = ( + 5 )( 5 ). [ α ]

Eduard Kummer, inspired by the discovery of imaginary numbers, introduced ideal numbers. ( )( ) For instance, in the example of 6 = 2 3 = + 5 5, we may define ideal prime numbers p, p, p, p, are subject to the rules: 2 3 4 which pp = 2, pp = 3, pp = + 5, pp = 5. 2 3 4 3 2 4 Then, 6 would have the unique prime factorization: 6 = pppp. 2 3 4 Kummer's concept of that of ideal numbers was later replaced by ideals, by Richard Dedekind.

Operations on deals Let, be ideals of the ring R. { } Sum of ideals: + a+ b: a, b, which is the smallest ideal containing both and. Product o f ideals: the set of all finite sums of the form a b with a, b..e., the smallest ideal { } containing a b: a, b. Thus, R is the identy. divides iff. Thus, gcd(, ) = (, ) = +. is a prime ideal if a, b R, ab a or b. Two ideal and are relatively prime if + = R.

Generators and ases of ideals Let be any subset of a ring R. Denote by ( ) the smallest ideal of R containing, called the ideal generated by. We have: { + n n i R, i, n } ( ) = rb + + rb : r b The ideal = ( ) is finitely generated if is finite, and is a principal ideal if contains a single element. is a basis of = ( ) if it is linearly independent.

Cosets Let be an ideal of a ring R. R is partitioned into cosets s.t. two elements a, b R are ( + ) in the same coset iff a b. R= a a Z [ ] = a+ = { + i i } The coset containing a is a a :. Define [ a] [ b] [ a b] [ a] [ b] [ a b] + = + and =. The cosets form a ring R, called the quotient ring. Choose an element from each coset as a representative, then we have a system of representatives for R. For x R, denote by x od the element representin [ x] m g.

Gentry s deal-based Scheme

Notations Let be an ideal of the ring R, and a basis of. R mod : a system of representatives for Rdefined by. f 2 in general ( ) are two bases for the same ideal, we have x mod xmod (not necessarily equal). Samp x, : samples the coset x + according to some probability distribution. C : a circuit whose gates perform + and operations mod. 2 gc ( ) : generalized C, the same as C but without mod. C : same as C, but gates perform mod operations instead.

From Micciancio's paper

Σ: an ideal-based encryption scheme KeyGen, ( R ) : nput: a ring R, a basis of an ideal. ( sk ) R ( R ), dealgen,. sk Public key : =. Secret key sk : =. Parameters: ( R,, Samp ), which are public info. Plaintext space P: = (a subset of) R mod Remarks: As in GGH, sk is a good (fat) basis and a bad (skiny) one. The ideal is used to encode plaintexts as ring elements.

( π ) π ( ) Encrypt, : ( sk ψ ) ( sk ψ mod ) // P// π Samp π, // an element in coset π + // ψ π mod Decrypt, : π // the ciphertext // mod Remarks: π is encoded as a random element π π is then encrypted as in GGH. sk Decryption is correct if π mod. R in the same coset.

( C ) Evaluate,, Ψ : nput: a public key ; a mod circuit C composed of Add and Mult (and identity) gates; and ciphertexts ( ) Ψ= ( ψ,, ψ ), where ψ = Encrypt, π, π P. t i i ( Ψ ) = gc( Π ) Output: ψ : = gc ( ) mod. // ( ) mod // i Remarks: ( ) Evaluate, Add, ψ, ψ : outputs ψ + ψ mod. ( ) 2 2 Evaluate, Mult, ψ, ψ : outputs ψ ψ mod. 2 2 Evaluate circuit C by evaluating its gates in a proper order.

Correctness: informal Evaluating yields: ( ) ( ) ( ) ψ : = C Ψ = gc ( ) Ψ mod = gc ( ) Π mod C encode ( π π ) ( π π ) where Π =,, Π =,, t mod ( ψ ψ ) Ψ=,,. sk Decrypting ψ will yield: π : = ψ mod mod. ( Π ) ( ) sk Correct if gc ( ) Rmod. Thus, if we restrict π,, π to be in certain region, the scheme will be homomorphic for circuits C for which sk ( Π ) R gc ( ) mod. t t

Correctness of the ideal-based scheme ( ) Let X Samp, M and X R mod. Enc Dec A mod circuit C (including the identity circuit) with t inputs is a permitted circuit w.r.t. the scheme if: x,, x X, g( C) x,, x X. ( ) t Enc t Dec Theorem: f CΣ is a set of permitted circuits containing the identity circuit, then the scheme is correct for CΣ..e., algorithm Decrypt correctly decrypts valid ciphertexts: ( Π ) = Decrypt (, Evaluate (,, Ψ) ), C CΣ Ψ ( sk Π) ( Ψ) C sk C where and Encrypt,. Valid ciphertexts: outputs of Evaluate, C,, C C. Σ Σ

coset π + π coset π + π ψ ψ Encrypt: Decrypt: ( π ) Samp, mod π π ψ sk mod mod π ψ ψ = sk t works if π ψ, i.e. if π R mod.

π π π π ψ Q: ( Π) ( )( Π ) ( Ψ) C gc C ( Π) = sk C ( Ψ) s C Decrypt, C ( ) ( ( ) mod ) sk C Ψ ( Π) = gc ( )( Π ) mod gc ( )( Π ) mod = C ( Ψ) ( Π ) sk ( Π ) = C ( Ψ) gc ( ) mod mod ( sk gc ( ) mod ) mod = C ( Ψ) ( mod ) sk sk mod mod? sk ( Π ) gc( Π ) d g C ( Π ) sk Yes, if g( C) = ( ) mo, i.e., ( ) R mod.

Security of the ideal-based scheme

deal Coset Problem (CP) Let R be a ring, an ideal, and a basis. dealgen: an algorithm that given ( R, sk two bases, of the same ideal. ) outputs Samp : a random algorithm that samples R (non-uniformly). deal Coset Problem: Fix R,, dealgen, Samp. ( sk ) R ( R ) Challenger:, dealgen,. b {0, }. b = r R t r f 0, then R Samp ( ), mod. f b=, then t uniformly R mod. Adversary: given t and, determine if b = 0 or. u

Essentially, the problem is to to distinguish between: b b [ t] [ t] = 0 : a coset is chosen according to some "Samp ". = : a coset is chosen uniformly ra ndomly. The hardness of CP depends on Samp. How does CP connect to Gentry's encryption scheme Σ? [ π ] A ciphertext is essentially a coset chosen by Samp. Σ is semantically secure if the ciphertext is random-like. CP is hard if coset t chosen by Samp is random-like. [ ] Will show CP distinguishing ciphertexts of scheme Σ. Will use Samp to def ine Samp.

Connect Samp to Samp r Samp ( R) samples an element in ring R. x Samp Wanted: Let ( s) ( x, ) [ x] r random = = R s [ x] Then, = x + R s. samples an element in coset. x random be a principal idel a generated by s. ( x, ) x ( R) Let Samp + Samp s.

Security of the ideal-based scheme Σ The deal Coset Problem is to distinguish between t t Samp ( R) mod ( R ) uniform mod. Encrypt, : where ψ ( π) Samp ( π, ) π Samp ( R) mod ( s) ( s) + mod = = R s is a principal ideal generated by s.

Theorem: f there is an algorithm A that breaks the semantic security of Σ with advantage ε when it uses Samp, then there is an algorithm, running in about the same time as A, that solves the CP with advantage ε 2. Proof: ( s) ( t ) The challenger of CP sends an instance,. chooses an ideal = relatively prime to and sets up the other parameters of Σ. We have two games: () the CP game between Challenger and (adversary), and (2) the Σ game between (challenger) and A (adversary). They run as follows.

Challenger b : = {0, } u t,, β : = {0, } u π, π 2 β β b : = β β ψ A where if b = 0, t Samp ( R) mod ; else, t R mod ; and ( ) ψβ πβ + t s mod. π π + β β u

( R ) ( ) f b= 0, t Samp ( R) mod and ψ = π + t s mod ( ) = πβ + Samp ( ) s mod = Encrypt, πβ. π β Samp ( π β,) Pr[ b= b b= 0] = Pr[ β = β b= 0] = 2 + ε. f b=, t R mod, so ψ = π uniform β β β ( + ) β t s mod is unformly random (for ( s) = is relatively prime to s t πβ + t s πβ + t s exists bijective uniform.) Pr[ b= b b= ] = Pr[ β β b= ] = 2. Thus, has advantage ε 2.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback