Lattice Based Crypto: Answering Questions You Don't Understand


Transcription:

Lattice Based Crypto: Answering Questions You Don't Understand. Vadim Lyubashevsky, INRIA / ENS, Paris

Cryptography: secure communication in the presence of adversaries.

Symmetric-Key Cryptography: both parties hold the same Secret Key = s.

Symmetric-Key Cryptography: doing more interesting things.

Public-Key Cryptography: Diffie-Hellman Key Exchange (1976), RSA cryptosystem (1978). One party holds Secret Key = s together with Public Key = p; everyone else holds only Public Key = p.

Public key cryptography revolutionized e-commerce, but there is still more.

Fully-Homomorphic Encryption: someone else can compute any function on your encrypted data. First construction in 2009 by Craig Gentry. Currently very inefficient: lots of exciting work left to be done!!!

Applications of Fully-Homomorphic Encryption: computation in the cloud, database retrieval, private searching.

PUBLIC KEY ENCRYPTION

Public Key Encryption
(sk, pk) <- KeyGen(1^n)
c = Enc(pk, m)
m = Dec(sk, c)
Correctness: Dec(sk, Enc(pk, m)) = m
CPA-Security: the ciphertexts Enc(pk, m_i) are computationally indistinguishable from each other.

Computationally Indistinguishable (diagram): samples X_1, X_2, ..., X_k are drawn from distribution D_X, samples Y_1, ..., Y_k from D_Y, and samples Z_1, ..., Z_k from an unknown distribution D?. The question is whether the Z_i look like the X_i (D? = D_X) or like the Y_i (D? = D_Y).

(SLIGHTLY MODIFIED) NTRU CRYPTOSYSTEM

Polynomial Ring Z_p[x]/(x^n+1)
Elements are polynomials of degree n-1: a = a_0 + a_1 x + ... + a_{n-1} x^{n-1}, with each coefficient a_i in the range [-(p-1)/2, (p-1)/2].
For a, b in Z_p[x]/(x^n+1), writing ||a|| for the largest absolute value of a coefficient of a:
1. If ||a||, ||b|| < k, then ||a+b|| < 2k
2. If ||a||, ||b|| < k, then ||ab|| < nk^2

Computationally-Indistinguishable Distributions
D1: 1. Pick uniform a in Z_p[x]/(x^n+1). 2. Output a.
D2: 1. Pick uniform f, g in Z_p[x]/(x^n+1) such that ||f||, ||g|| = 1. 2. Output a = f/g.
If p << 2^n, the distributions are computationally-indistinguishable.

D1: 1. Pick uniform (a, u) in Z_p[x]/(x^n+1). 2. Output (a, u).
D2: 1. Pick uniform a in Z_p[x]/(x^n+1) and r, e such that ||r||, ||e|| = 1. 2. Output (a, ar+e).

NTRU Cryptosystem
f, g: coefficients in {-1, 0, 1}
f/g = a mod p (looks random)
u = 2(ar + e) + m mod p (looks random)
u·g mod p = 2(fr + eg) + gm
(u·g mod p) mod 2 = gm

COMPUTING ON ENCRYPTED DATA

Homomorphic Public Key Encryption
(sk, pk) <- KeyGen(1^n)
c = Enc(pk, m)
m = Dec(sk, c)
Correctness: Dec(sk, Enc(pk, m)) = m
c_F = Eval(F, c_1, c_2) where c_i = Enc(pk, m_i)
Homomorphic: Dec(sk, c_F) = F(m_1, m_2)

Uninteresting Eval Function
c_F = Eval(F, c_1, c_2) = (F, c_1, c_2)
Dec(sk, (F, c_1, c_2)) = F(Dec(sk, c_1), Dec(sk, c_2))
Want compactness: the output length of Eval is independent of F and of the number of inputs.

Functions as Arithmetic Circuits
For bits a, b we can rewrite: a AND b = a·b, NOT a = a + 1
Use NTRU and define Eval for · and + as:
Eval(+, c_1, c_2) = c_1 + c_2
Eval(·, c_1, c_2) = c_1·c_2

Eval of + in the NTRU Cryptosystem
f, g very small; f/g = a mod p
u_1 = 2(ar_1 + e_1) + m_1 mod p
u_2 = 2(ar_2 + e_2) + m_2 mod p
u_1 + u_2 = 2(a(r_1 + r_2) + e_1 + e_2) + m_1 + m_2 mod p
(u_1 + u_2)·g = 2(f(r_1 + r_2) + g(e_1 + e_2)) + g(m_1 + m_2) mod p
Want the coefficients of this to be less than p/2.

Eval of · in the NTRU Cryptosystem
f, g very small; f/g = a mod p
u_1 = 2(ar_1 + e_1) + m_1 mod p
u_2 = 2(ar_2 + e_2) + m_2 mod p
u_1·u_2 = 4(ar_1 + e_1)(ar_2 + e_2) + 2(ar_1 + e_1)m_2 + 2(ar_2 + e_2)m_1 + m_1 m_2 mod p
u_1·u_2·g^2 = 4(fr_1 + ge_1)(fr_2 + ge_2) + 2(fr_1 + ge_1)g m_2 + 2(fr_2 + ge_2)g m_1 + g^2 m_1 m_2 mod p

NTRU and Eval for F in {+, ·}
Secret key: small f, g
Public key: a = f/g mod p
Enc(a, m) = 2(ar + e) + m mod p
Dec(g, c) = (g^2·c mod 2)/g^2 mod 2
Eval(F, c_1, c_2) = F(c_1, c_2)
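To make the ring arithmetic, the NTRU key generation, encryption and decryption, and the Eval for + and · from the slides above concrete, here is an added Python toy implementation; it is not the author's code, and n = 16 and p = 1000003 are constructed demo parameters with no security, chosen only so that the decryption noise stays below p/2. Messages are single bits, so Eval(+) decrypts (under g) to XOR and Eval(·) decrypts (under g^2) to AND, as on the slides.

```python
# Added toy implementation of the slides' NTRU variant and its Eval (not the author's code);
# n, p are tiny, insecure demo parameters chosen so the noise 2(f*r+e*g)+g*m stays below p/2.
import random
n, p = 16, 1_000_003                        # ring Z_p[x]/(x^n+1), p prime

def center(v, q):                           # representative in [-(q-1)/2, (q-1)/2], or {0,1} for q=2
    v %= q
    return v - q if v > q // 2 else v
def ring_add(a, b, q):
    return [center(x + y, q) for x, y in zip(a, b)]
def ring_mul(a, b, q):                      # negacyclic product: x^n = -1
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return [center(v, q) for v in c]

def poly_inv(g, q):                         # inverse of g in Z_q[x]/(x^n+1) (q prime), or None
    # Gauss-Jordan on the n x n multiply-by-g matrix, augmented with e_0
    cols = [ring_mul(g, [int(j == i) for j in range(n)], q) for i in range(n)]
    A = [[cols[j][k] % q for j in range(n)] + [int(k == 0)] for k in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [v * inv % q for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [(x - A[r][c] * y) % q for x, y in zip(A[r], A[c])]
    return [A[k][n] for k in range(n)]

def small():                                # coefficients in {-1, 0, 1}
    return [random.choice((-1, 0, 1)) for _ in range(n)]
def keygen():                               # sk = (f, g), pk = a = f/g mod p
    while True:
        f, g = small(), small()
        g_inv = poly_inv(g, p)              # g must be invertible mod p (for a) and mod 2 (for Dec)
        if g_inv is not None and poly_inv(g, 2) is not None:
            return (f, g), ring_mul(f, g_inv, p)
def enc(a, m):                              # Enc(a, m) = 2(a*r + e) + m mod p, m a single bit
    t = ring_add(ring_mul(a, small(), p), small(), p)
    return ring_add([2 * v for v in t], [m] + [0] * (n - 1), p)
def dec(g_key, c):                          # ((g_key*c mod p) mod 2) / g_key mod 2; g_key = g or g^2
    t = [v % 2 for v in ring_mul(g_key, c, p)]   # even noise term drops out, leaving g_key*m mod 2
    return ring_mul(t, poly_inv(g_key, 2), 2)[0]
def noise(g_key, c):                        # largest |coefficient| of g_key*c mod p; must stay < p/2
    return max(abs(v) for v in ring_mul(g_key, c, p))
def eval_gate(op, c1, c2):                  # Eval(+) = c1 + c2, Eval(*) = c1 * c2
    return ring_add(c1, c2, p) if op == "+" else ring_mul(c1, c2, p)
def homomorphic_bit_gate(m1, m2, op):       # '+' decrypts (under g) to XOR, '*' (under g^2) to AND
    (f, g), a = keygen()
    c = eval_gate(op, enc(a, m1), enc(a, m2))
    return dec(g if op == "+" else ring_mul(g, g, p), c)
```

Comparing noise(g^2, c_1·c_2) with p/2 shows how much of the modulus a single multiplication level already consumes, which is the depth limitation the next slides discuss.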

Extending to Higher Depths (diagram): each multiplication level squares the ciphertext, a -> a^2 -> a^4 -> a^8, and the key needed to decrypt it grows the same way, g -> g^2 -> g^4 -> g^8.

Limitation
Decrypting a d-level circuit requires ||g^(2^d)|| < p (and similarly for f).
Problem: if 2^n·||g|| < p, then one can recover f and g from f/g mod p using LLL.
Thus d < log n.
Still, we can evaluate all low-depth functions. This is called somewhat-homomorphic encryption.

BOOTSTRAPPING

Reducing the Noise (diagram: a ciphertext c at the output of a + gate)
Problem: can't do any more operations on c (too much noise in it).
Idea: somehow re-encrypt c under a different key and hope the new encryption has less noise.

Using the Somewhat-Homomorphism
For all low-depth functions F: if c_F = Eval(F, c_1, c_2) where c_i = Enc(pk, m_i), then Dec(sk, c_F) = F(m_1, m_2).
- c is encrypted under pk_1
- want to re-encrypt c under pk_2
c_F = Eval(Dec, Enc(pk_2, sk_1), Enc(pk_2, c)), where Enc(pk_2, sk_1) is provided as part of the public key.
And so Dec(sk_2, c_F) = Dec(sk_1, c)!!
The noise in c_F depends on the depth of Dec.

NTRU with Bootstrapping?
For bootstrapping to work, need Dec to have depth < log n.
In NTRU, Dec(g^d, c) = (c·g^d mod 2)/g^d mod 2.
Polynomial multiplication requires log n depth.
Overcoming this:
[Gen 2009] Give the decryptor some hints, which makes the Dec algorithm shallower.
[Bra, Gen, Vai 2011] New technique (modulus switching) allows evaluation of deeper circuits: ~O(n)-depth.

References
Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman (1998): NTRU: A Ring-Based Public Key Cryptosystem
Daniele Micciancio (2002): Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions
Chris Peikert, Alon Rosen (2006): Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
Vadim Lyubashevsky, Daniele Micciancio (2006): Generalized Compact Knapsacks Are Collision Resistant
Craig Gentry (2009): Fully Homomorphic Encryption Using Ideal Lattices
Vadim Lyubashevsky, Chris Peikert, Oded Regev (2010): On Ideal Lattices and Learning with Errors over Rings
Damien Stehlé, Ron Steinfeld (2011): Making NTRU as Secure as Worst-Case Problems over Ideal Lattices
Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan (2012): (Leveled) Fully Homomorphic Encryption Without Bootstrapping
Adriana Lopez-Alt, Eran Tromer, Vinod Vaikuntanathan (2012): On-the-fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption