Lattice Based Crypto: Answering Questions You Don't Understand
Vadim Lyubashevsky, INRIA / ENS, Paris

Cryptography
Secure communication in the presence of adversaries
Symmetric-Key Cryptography
Secret key = s, held by both communicating parties
doing more interesting things
Public-Key Cryptography
Diffie-Hellman Key Exchange (1976), RSA cryptosystem (1978)
Secret key = s, public key = p; the public key p is handed out to everyone
Public-key cryptography revolutionized e-commerce, but there is still more.

Fully-Homomorphic Encryption
- Someone else can compute any function on your encrypted data
- First construction in 2009 by Craig Gentry
- Currently very inefficient: lots of exciting work left to be done!!!

Applications of Fully-Homomorphic Encryption
- Computation in the cloud
- Database retrieval
- Private searching
PUBLIC KEY ENCRYPTION
Public Key Encryption
(sk, pk) ← KeyGen(1^n)
c = Enc(pk, m)
m = Dec(sk, c)
Correctness: Dec(sk, Enc(pk, m)) = m
CPA-Security: the ciphertexts Enc(pk, m_i) for different messages m_i are computationally indistinguishable from each other
Computationally Indistinguishable
Distribution D_X produces samples X_1, X_2, ..., X_k and distribution D_Y produces samples Y_1, Y_2, ..., Y_k.
Given samples Z_1, Z_2, ..., Z_k from an unknown distribution D?, decide whether D? = D_X or D? = D_Y.
(SLIGHTLY MODIFIED) NTRU CRYPTOSYSTEM
Polynomial Ring Z_p[x]/(x^n+1)
- Elements are polynomials of degree n-1: a = a_0 + a_1 x + ... + a_{n-1} x^{n-1}
- Each coefficient a_i is in the range [-(p-1)/2, (p-1)/2]
- For a, b in Z_p[x]/(x^n+1), writing a < k to mean that every coefficient of a has absolute value less than k:
  1. If a, b < k, then a + b < 2k
  2. If a, b < k, then ab < nk^2
Computationally-Indistinguishable Distributions
D1: 1. Pick uniform a in Z_p[x]/(x^n+1). 2. Output a.
D2: 1. Pick uniform f, g in Z_p[x]/(x^n+1) with coefficients in {-1, 0, 1}. 2. Output a = f/g.
If p << 2^n, the distributions are computationally indistinguishable.

D1: 1. Pick uniform (a, u) in Z_p[x]/(x^n+1). 2. Output (a, u).
D2: 1. Pick uniform a in Z_p[x]/(x^n+1) and r, e with coefficients in {-1, 0, 1}. 2. Output (a, ar + e).
NTRU Cryptosystem
- f, g have -1, 0, 1 coefficients; a = f/g mod p looks random
- u = 2(ar + e) + m mod p looks random, since ar + e looks random
- ug mod p = 2(fr + eg) + gm
- (ug mod p) mod 2 = gm, and dividing by g mod 2 recovers m
COMPUTING ON ENCRYPTED DATA
Homomorphic Public Key Encryption
(sk, pk) ← KeyGen(1^n)
c = Enc(pk, m)
m = Dec(sk, c)
Correctness: Dec(sk, Enc(pk, m)) = m
c_F = Eval(F, c_1, c_2) where c_i = Enc(pk, m_i)
Homomorphic: Dec(sk, c_F) = F(m_1, m_2)
Uninteresting Eval Function
c_F = Eval(F, c_1, c_2) = (F, c_1, c_2), i.e. Eval just outputs F together with the input ciphertexts
Dec(sk, (F, c_1, c_2)) = F(Dec(sk, c_1), Dec(sk, c_2))
Want compactness: the output length of Eval is independent of F and of the number of inputs
Functions as Arithmetic Circuits
For bits a, b we can rewrite: a AND b = a·b, NOT a = a + 1 (arithmetic mod 2)
Use NTRU and define Eval for · and + as:
Eval(+, c_1, c_2) = c_1 + c_2
Eval(·, c_1, c_2) = c_1 · c_2
Eval of + in the NTRU Cryptosystem
f, g very small; a = f/g mod p
u_1 = 2(ar_1 + e_1) + m_1 mod p
u_2 = 2(ar_2 + e_2) + m_2 mod p
u_1 + u_2 = 2(ar_1 + ar_2 + e_1 + e_2) + m_1 + m_2 mod p
(u_1 + u_2)·g = 2(fr_1 + fr_2 + ge_1 + ge_2) + g(m_1 + m_2) mod p
Want the coefficients of this to be less than p/2
Eval of · in the NTRU Cryptosystem
f, g very small; a = f/g mod p
u_1 = 2(ar_1 + e_1) + m_1 mod p
u_2 = 2(ar_2 + e_2) + m_2 mod p
u_1 u_2 = 4(ar_1 + e_1)(ar_2 + e_2) + 2(ar_1 + e_1)m_2 + 2(ar_2 + e_2)m_1 + m_1 m_2 mod p
u_1 u_2 g^2 = 4(fr_1 + ge_1)(fr_2 + ge_2) + 2(fr_1 + ge_1)g m_2 + 2(fr_2 + ge_2)g m_1 + g^2 m_1 m_2 mod p
NTRU and Eval for F in {+, ·}
- secret key: small f, g
- public key: a = f/g mod p
- Enc(a, m) = 2(ar + e) + m mod p
- Dec(g, c) = ((g^2 c mod p) mod 2) / g^2 mod 2
- Eval(F, c_1, c_2) = F(c_1, c_2)
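A toy implementation of the scheme just summarised (KeyGen, Enc, Eval for + and ·, and Dec with the matching power of g), added here as an example; it is not code from the talk. It assumes tiny constructed parameters (n = 8, p = 40961) chosen so that a depth-1 circuit is guaranteed to decrypt correctly, and p ≡ 1 (mod 2n) so that the ring inverse needed for a = f/g can be computed by exponentiation (an implementation shortcut, not something the slides describe); these parameters give no security at all, since the talk needs p << 2^n. Dec takes the multiplicative depth as a parameter, following the higher-depth slide (g, g^2, g^4, ...) rather than only the one-level g^2 case.

```python
import random

N, P = 8, 40961   # toy ring degree; P is prime with P = 1 (mod 2N), so Z_P[x]/(x^N+1) = Z_P^N
ONE = [1] + [0] * (N - 1)

def centered(v, q):                 # representative in [-(q-1)/2, (q-1)/2]; {0,1} when q = 2
    v %= q
    return v - q if v > q // 2 else v
def add(a, b, q):
    return [centered(x + y, q) for x, y in zip(a, b)]
def mul(a, b, q):                   # multiplication in Z_q[x]/(x^N+1): x^N wraps around to -1
    res = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[(i + j) % N] += x * y if i + j < N else -x * y
    return [centered(v, q) for v in res]
def power(a, e, q):                 # square-and-multiply in the ring
    res = ONE
    while e:
        if e & 1:
            res = mul(res, a, q)
        a, e = mul(a, a, q), e >> 1
    return res
def inverse(a, q):                  # a^-1 = a^(|units|-1): P-1 units per field component mod P,
    return power(a, P - 2 if q == P else 2 ** (N - 1) - 1, q)   # 2^(N-1) units in Z_2[x]/(x+1)^N
def small(rng):                     # polynomial with coefficients in {-1, 0, 1}
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng):
    while True:
        f, g = small(rng), small(rng)
        ginv = inverse(g, P)
        # g must be a unit mod P (checked below) and mod 2 (odd number of nonzero coefficients)
        if sum(map(bool, g)) % 2 and mul(g, ginv, P) == ONE:
            return (f, g), mul(f, ginv, P)          # sk = (f, g), pk = a = f/g mod P

def encrypt(a, m, rng):             # c = 2(ar + e) + m mod P, m with {0,1} coefficients
    t = add(mul(a, small(rng), P), small(rng), P)
    return [centered(2 * x + y, P) for x, y in zip(t, m)]

def decrypt(g, c, depth):           # depth = multiplicative depth of the circuit that produced c
    h = power(g, 2 ** depth, P)     # g^(2^depth): one g for every f/g factor inside c
    v = mul(h, c, P)                # equals 2*(small) + h*m exactly while coefficients stay < P/2
    return mul([x % 2 for x in v], inverse([x % 2 for x in h], 2), 2)

def eval_and_xor(bits, seed=1):     # homomorphic (b0 AND b1) XOR b2 on bits as constant polynomials
    rng = random.Random(seed)
    (_, g), a = keygen(rng)
    c0, c1, c2 = (encrypt(a, [b] + [0] * (N - 1), rng) for b in bits)
    return decrypt(g, add(mul(c0, c1, P), c2, P), depth=1)   # Eval(·) then Eval(+)
```

With these parameters the coefficients of g^2·(c0·c1 + c2) stay below 13200 < P/2, so decryption is correct for every key; decrypting the same ciphertext with depth=0 (plain g) is not guaranteed to work, which is exactly the depth limitation the next slides discuss.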
Extending to Higher Depths
After each level of multiplications the ciphertexts involve a, a^2, a^4, a^8, ... and decryption needs g, g^2, g^4, g^8, ... correspondingly.
Limitation
- Decrypting a d-level circuit requires g^{2^d} < p (and similarly for f)
- Problem: if 2^n·g < p, then one can recover f and g from f/g mod p using LLL
- Thus d < log n
- Still, we can evaluate all low-depth functions; this is called somewhat-homomorphic encryption
BOOTSTRAPPING
Reducing the Noise
A circuit of Eval operations produces a ciphertext c.
Problem: can't do any more operations on c (too much noise in it)
Idea: somehow re-encrypt c under a different key and hope the new encryption has less noise
Using the Somewhat-Homomorphism
For all low-depth functions F: if c_F = Eval(F, c_1, c_2) where c_i = Enc(pk, m_i), then Dec(sk, c_F) = F(m_1, m_2)
- c is encrypted under pk_1
- want to re-encrypt c under pk_2
- c_F = Eval(Dec, Enc(pk_2, sk_1), Enc(pk_2, c)), where Enc(pk_2, sk_1) is provided as part of the public key
- And so Dec(sk_2, c_F) = Dec(sk_1, c)!!
- The noise in c_F depends on the depth of Dec
NTRU with Bootstrapping?
- For bootstrapping to work, need Dec to have depth < log n
- In NTRU, Dec(g^d, c) = ((c g^d mod p) mod 2) / g^d mod 2
- Polynomial multiplication requires log n depth
- Overcoming this:
  [Gen 2009] Give the decryptor some hints, which make the Dec algorithm shallower
  [Bra, Gen, Vai 2011] New technique (modulus switching) allows evaluation of deeper circuits, ~O(n)-depth
References
- Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman (1998): NTRU: A Ring-Based Public Key Cryptosystem
- Daniele Micciancio (2002): Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions
- Chris Peikert, Alon Rosen (2006): Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
- Vadim Lyubashevsky, Daniele Micciancio (2006): Generalized Compact Knapsacks Are Collision Resistant
- Craig Gentry (2009): Fully Homomorphic Encryption Using Ideal Lattices
- Vadim Lyubashevsky, Chris Peikert, Oded Regev (2010): On Ideal Lattices and Learning with Errors over Rings
- Damien Stehlé, Ron Steinfeld (2011): Making NTRU as Secure as Worst-Case Problems over Ideal Lattices
- Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan (2012): (Leveled) Fully Homomorphic Encryption Without Bootstrapping
- Adriana Lopez-Alt, Eran Tromer, Vinod Vaikuntanathan (2012): On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption