Ideal Lattices and NTRU

Similar documents
Multikey Homomorphic Encryption from NTRU

Lattice Based Crypto: Answering Questions You Don't Understand

Open problems in lattice-based cryptography

Shai Halevi IBM August 2013

Background: Lattices and the Learning-with-Errors problem

Multi-key fully homomorphic encryption report

Revisiting Lattice Attacks on overstretched NTRU parameters

Cryptology. Scribe: Fabrice Mouhartem M2IF

Gentry s SWHE Scheme

Better Bootstrapping in Fully Homomorphic Encryption

SIS-based Signatures

The LTV Homomorphic Encryption Scheme and Implementation in Sage

Faster Fully Homomorphic Encryption

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

CS Topics in Cryptography January 28, Lecture 5

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Field Switching in BGV-Style Homomorphic Encryption

Classical hardness of the Learning with Errors problem

Fully Homomorphic Encryption and Bootstrapping

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Weaknesses in Ring-LWE

Classical hardness of Learning with Errors

Short Stickelberger Class Relations and application to Ideal-SVP

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Some security bounds for the DGHV scheme

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Weak Instances of PLWE

Somewhat Practical Fully Homomorphic Encryption

An Efficient Broadcast Attack against NTRU

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Fully Homomorphic Encryption - Part II

Computing with Encrypted Data Lecture 26

A Comment on Gu Map-1

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

A subfield lattice attack on overstretched NTRU assumptions

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

A history of the development of NTRU

MaTRU: A New NTRU-Based Cryptosystem

Better Bootstrapping in Fully Homomorphic Encryption

Lattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Classical hardness of Learning with Errors

Solving LWE with BKW

Attribute-based Encryption & Delegation of Computation

High-Precision Arithmetic in Homomorphic Encryption

Fully Homomorphic Encryption from LWE

Quantum-resistant cryptography

Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Fully Homomorphic Encryption over the Integers

On Ideal Lattices and Learning with Errors Over Rings

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Implementing Ring-LWE cryptosystems

Homomorphic AES Evaluation Using the Modified LTV Scheme

Cryptanalysis via Lattice Techniques

Bootstrapping for HElib

Parameter selection in Ring-LWE-based cryptography

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Simple Lattice Trapdoor Sampling from a Broad Class of Distributions

On the Ring-LWE and Polynomial-LWE problems

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero

Scale-Invariant Fully Homomorphic Encryption over the Integers

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Multi-Key FHE from LWE, Revisited

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

On Ideal Lattices and Learning with Errors Over Rings

6.892 Computing on Encrypted Data September 16, Lecture 2

Fully Homomorphic Encryption

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

1. Group Theory Permutations.

MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION

Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

On Homomorphic Encryption and Secure Computation

Fully Homomorphic Encryption

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Practical Analysis of Key Recovery Attack against Search-LWE Problem

New Chosen-Ciphertext Attacks on NTRU

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Middle-Product Learning With Errors

Lecture 6: Lattice Trapdoor Constructions

Density of Ideal Lattices

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

On error distributions in ring-based LWE

AES side channel attacks protection using random isomorphisms

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

An Overview of Homomorphic Encryption

NTRU Cryptosystem and Its Analysis

Gentry s Fully Homomorphic Encryption Scheme

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices

Johns Hopkins University, Department of Mathematics Abstract Algebra - Spring 2013 Midterm Exam Solution

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

CYCLICITY OF (Z/(p))

Transcription:

Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative ring with unity (R, +, ) satisfies the following properties: (R, +) is an abelian group; (R, ) is associative, commutative and has unity; distributes over + (Similar to a field, except not every non-zero element has an inverse) Examples: Z, Z [x] Definition 2. An ideal I R is a subset that satisfies: (I, +) is a subgroup of (R, +); I is closed under multiplication by R (i r I i I, r R). Definition 3. We say that an ideal is finitely generated if there is a finite set of generators {i 1,..., i t } s.t. I = { r j i j } = i 1,..., i t. Definition 4. For a ring R and an ideal I we can define the quotient ring to be the set Q = R/I = {[r] I : r R} where [r] I = {r + i: i I}. Examples: Z 5 = Z/5Z, Z [x] / x 4 + 1, Z 5 [x] / x 4 + 1 = Z [x] / 5, x 4 + 1. We will mostly be interested in rings of the forms Z [x] / f and Z p [x] / f for some monic polynomial f. Note that if f is not irreducible, then Z [x] / f has zero divisors: a b = f, 0 < deg a, b < deg f, therefore a, b Z [x] / f. Thus we will mostly be interested in quotient rings over irreducible polynomials. We can represent an element of R = Z [x] / f by the vector of its coefficients: (deg n 1) -polynomial g R vector g Z n additive subgroup of R lattice in Z n Other representations are also possible, but we do not deal with them here. Definition 5. A lattice Λ Z n is an ideal lattice if there exist a ring R = Z [x] / f and an ideal I R s.t. Λ is associated with I. For example: Λ = { coeff. vector of g () h () s.t. g (x) = h (x) ( x 2 + 5 ) (mod ( x 4 + 1, 8 ) ) } Z 4 is associated with the ideal x 2 + 5 Z 8 [X]/ x 4 + 1 1

Lemma 1. Z [X] is a Unique Factorization Domain (UFD) Proof. Follows since (a) Z is a UFD; and (b) if a ring R is a UFD then so is R [X]. Corollary 1. If f Z [X] is irreducible and f g h then f g or f h. Lemma 2. If f is irreducible and I Z [X] / f is a non-zero ideal then Λ I is a full-rank lattice in Z n. Proof. Let R = Z[X]/ f and I R and let g I be a non-zero element. We will show that the coefficient vectors of { g, X g,..., X n 1 g } R are linearly independent. Assume h i (X i g(x)) = 0 R, and we show that the h i s must be all be zeros. Since the coefficient vectors of X i g(x) are all integer vectors, then we can assume w.l.o.g. that the h i s are all rational coefficients, and by multiplying by the common denominator we can assume that they are in fact integers. Denote h(x) = h i X i. Then h g = 0 in the ring, (which is the same as f h g, since we are working modulo f). Thus by the previous corollary, and since g 0, we have that h = 0 in the ring, so h i = 0 for all i. Definition 6. For any polynomial f we define: θ (f) = max a Z[X]/ f, i<deg f For any two polynomials a, b Z [X] / f : X i a mod f a a b mod f a b nθ (f) Lemma 3. If f is an n-degree irreducible polynomial and I Z [X] / f is a non-zero ideal then λ n (Λ I ) λ 1 (Λ I ) θ (f) Proof. Let g be the shortest vector in Λ, and g (X) the corresponding polynomial. Then the vectors that correspond to { g i (X) = X i g (X) } are linearly independent. Clearly, λ n (Λ I ) n 1 max i=0 g i g θ (f) = λ 1 (Λ I ) θ (f) 2 The Shortest Vector Problem in Ideal Lattices Just as in any lattice, we can ask how easy / hard it is to find a (good approximaiton of) the shortest vector in the lattice. Note that if θ (f) is small, then by the previous lemma estimating the size of the smallest vector is easy: 1 n λ 1 (Λ) det (Λ) 1 /n λ n (Λ) nλ n (Λ) nλ 1 (Λ) θ (f) nλ 1 (Λ) θ (f) Still, finding the shortest vectors themselves seems hard. In particular, we don t know of methods that do much better on ideal lattices than on regular lattices. (Sometimes we can do slightly better, for example in [GS02] they are able to reduce an ideal lattice problem in dimension 2n to a non-ideal lattice problem in dimension n.) 2

2.1 The f-svp γ Problem For a family of polynomials f = {f n } (with deg f n = n): Given a lattice Λ I corresponding to ideal I Z [x] / f n, find a non-zero vector v Λ I s.t. v γλ 1 (n). (Can also be stated with l or any other l p norm). Below we will typically use f n (x) = x n + 1, where n is a power of 2. Thus f n (x) is irreducible. Also, θ (f) = 1 because: For any g (x) with coefficient vector (g 1, g 2,..., g n ), we have that the coefficient vector of x g (x) is ( g n, g 1,..., g n 1 ). This ( means that lattices over ) Z [x] / f n are almost circular : sign (i k 1) vi k (mod n) ΛI. If (v i ) Λ I, then also 3 The NTRU Cryptosystem [HPS98] Below we describe a variant similar to [SS11] and [LTV12]. This variant is also somewhat similar to Regev s crypto system with dimension 1, but it uses LSB to encode the message rather MSB. Namely, whereas in Regev s scheme we recover upon decryption something like small-error + m q 2, in NTRU we get 2 small-error + m. (We can easily get a variant of Regev with LSB encoding, but getting a variant of NTRU with MSB encoding is a little tricky.) This NTRU variant is defined as follows: Parameters: n - security parameter q - modulus error distribution We assume that n is power of two so x n + 1 is irreducible, we consider R = Z[X]/(x n + 1) and R q = R(mod q), i.e. R q = Z q [X]/(x n + 1). We assume that q is odd (and sometimes it is even convenient to assume q = 1 (mod 2n)). Key Generation. Choose at random the coefficients for the polynomials g, f from the error distribution (so coefficients are small): g, f D Z n,σ. (Note that g, f are now the coefficient vectors of functions g, f.) Set f = 2f + 1 so that f is small and f = 1 (mod 2). If f is not irreducible in R q, then try again. (If f was random in R q, it would have been invertible with probability at least 1 n q. For small f this still holds with high probability, see proof in [SS11]. The public key is h = g/f R q and the secret key is f. Note the analogy between this cryptosystem and Regev s: In Regev s system, we have public key A, secret key s, and sa=small. In NTRU, we have public key h, secret key f, and f h = g = small. Enccypt h (m R 2 ). Choose a small element s D Z n,σ. The ciphertext is c = 2s h + m mod q. Decrypt f (c). Set a = f c mod q, and output a mod 2. (In fact this is exactly the same procedure as in the LSB-variant of Regev s cryptosustem, except product is in the ring R q.) 3

Correctness. Since s, g, m, f are all small then a = 2s g + m f holds also in R, not just in R q. Hence a = m f = m (2f + 1) = m (mod 2). Security. We don t have much to say about the security of the variant above, except that we do not know how to break it. (We also do not know how to reduce its security to better known hardness assumptions.) Note, however, that decryption works even if we encrypt using c = 2(s h + e) + m, for a small e. In this case we would get f c = 2s g + 2e f + f m = m (mod 2). This version is secure if (h, s h + e) is pseudorandom, which is similar to ring-lwe except h is not uniformly random. But if you also assume that h = g/f itself is pseudorandom (this is called the NTRU assumption ), then you get security. So NTRU Assumption + ring-lwe the NTRU cryptosystem is secure. [SS11] proved that if σ > q 1 2 +ε (and also n is a power of two and q = 1 mod 2n), then choosing f, g where f, g D Z n,σ to be invertible in R q and setting h = g/f, h is close to uniform among all invertible elements. Hence with these parameters you get security under ring-lwe by itself. (We note that these parameters will not be enough to get homomorphic encryption, though.) 3.1 Homomorphic NTRU Note that c is a valid encryption of m if f c = 2e + m for small e. This is the same as the expression you get for the LSB variant of Regev s scheme, and indeed you can get a homomorphic scheme from NTRU in the same way that you do for Regev s cryptosystem. As usual, additive homomorphism is easy: If f c i = 2e i +m i, i = 1, 2 then f (c 1 +c 2 ) = 2(e 1 +e 2 +e )+(m 1 m 2 ). Also for multiplicative homomorphism we have f 2 (c 1 c 2 ) = (2e 1 + m 1 )(2e 2 + m 2 ) = 2(2e 1 e 2 + m 1 e 2 + e 1 m 2 ) + m 1 m 2 = 2e + m 1 m 2 The noise doubles on addition, gets squared on multiplication. This is worse than what we had before, where the noise doubles on addition and poly(n) for multiplication. It means that we can only support depth Ω(log log q). This is an artifact of the LSB-encoding method (we have the same issue with the LSB variant of Regev s crytosystem), and we will see how to handle it shortly. Note also that we do not have the dimension explosion that we had with tensor products in Regev s cryptosystem. The dimension stays 1, but the size of the key grows: f, f 2, f 4,... This too limits the applicability to depth: Ω(log log q). Controlling the secret key growth is done using key-switching. For the other problem we use a different trick called modulus switching. Key Switching. We add to the public key an encryption of f 2 under f, namely w such that w f = 2e + qf 2 (mod Q), for Q = q 2. Then, given c such that c f 2 = 2e + m (mod q), we set c = c w mod Q. Therefore: c f = c w f = c (2e + qf 2 ) = (2c e) + (qc f 2 ) = (2c e) + q(2e + m + kq) ( = 2(c e + qe ) + qm + kq = 2 c e + qe + q 1 ) 2 m + m (mod Q) ( ) Call c e + qe + q 1 2 m = e, where we note that e Q since Q = q 2, c q, and e, e, m q. So we now have a ciphertext c valid relative to f and Q. 4

Modulus switching. Given c such that c f = 2e + m (mod Q) with e Q and f q, we set c = round(c q Q ), where rounding is done so c = c (mod 2). Note that c = c q Q + ε where ε is the rounding error, ε 1. Let k be the factor of Q, namely c f kq = (c f mod Q) = 2e + m. Then we have Q c f kq = ( q Q c f + ε f) q Q kq = q Q (c f kq) + ε f = q {}}{ Q ( 2e + m) } {{ } q + ε f }{{} q Hence c f kq q and therefore c f kq = (c f mod q). But c = c (mod 2) and also q = Q = 1 (mod 2), so c f kq = c f kq (mod 2). We conclude that (c f mod q) = (c f mod Q) = m (mod 2). Hence c f = 2e + m, where 2e + m q Q 2e + m + ε f. Note: We did not use here that Q = q 2 ; we can modulo switch to any other q and the noise term decreases from 2e + m to q Q 2e m + ε f. This can be used to control the noise: start from q i, then after every multiplication switch from q i to q i+1 q i, decreasing the noise. Multi-key Homomorphic Encryption [LTV12]. Suppose we have two ciphertexts encrypted relative to two different keys (and the same q): c i f i = 2e i + m i (and recall that f i = 2f i + 1), then clearly we get: But also for addition we get: (c 1 c 2 ) f 1 f 2 = 2(2e 1 e 2 + e 1 m 2 + e 2 m 1 ) + m 1 m 2 (c 1 + c 2 ) f 1 f 2 = c 1 f 1 f 2 + c 2 f 2 f 1 = (2e 1 + m 1 )(2f 2 + 1) + (2e 2 + m 2 )(2f 1 + 1) = 2(2e 1 f 2 + m 1 f 2 + 2e 2 f 1 + m 2 f 1 + e 2 ) + m 1 + m 2 = 2e + (m 1 m 2 ) So we can add/multiply cipher texts relative to different keys, then decrypt using the products of the keys. Note that if we have a complicated circuit, we can get ciphertexts relative to keys like f1 3 f 2 f3 5.... We can reduce the degree in each f i separately to 1, by putting in the public key the terms w[fi 2 f i ], and reduce everything back to a ciphertext relative to f 1 f 2... f t, but we cannot reduce anymore without interaction between the key-holders. References [GS02] Craig Gentry and Michael Szydlo, Cryptanalysis of the revised ntru signature scheme, Advances in Cryptology - EUROCRYPT 02, Lecture Notes in Computer Science, vol. 2332, Springer, 2002, pp. 299 320. [HPS98] Jeffrey Hoffstein, Jill Pipher, and JosephH. Silverman, Ntru: A ring-based public key cryptosystem, Algorithmic Number Theory (JoeP. Buhler, ed.), Lecture Notes in Computer Science, vol. 1423, Springer Berlin Heidelberg, 1998, pp. 267 288. [LTV12] Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan, On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption, Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 12, ACM, 2012, pp. 1219 1234. 5

[SS11] Damien Stehlé and Ron Steinfeld, Making ntru as secure as worst-case problems over ideal lattices, Advances in Cryptology - EUROCRYPT 11, Lecture Notes in Computer Science, vol. 6632, Springer, 2011, pp. 27 47. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback