A Simple BGN-Type Cryptosystem from LWE
Craig Gentry, Shai Halevi, Vinod Vaikuntanathan
IBM Research
Perspective
Homomorphic Encryption in three easy steps [G’09]
• Step 1: Encryption from linear codes
  • SK/PK are good/bad representations of the code
  • Bad representation: can’t tell words close to the code from random
  • Good representation can be used to correct many errors
  • Additive homomorphism “for free”
• Step 2: ECC lives inside a ring
  • We have both additive and multiplicative structure
  • If the code is an ideal, also multiplicative homomorphism
  • for low-degree polynomials
• Step 3: Bootstrapping, Squashing, etc.
Instances of this Paradigm
• Ring of polynomials [G’09]
• Ring of integers [vDGHV’10]
• This work: how about the ring of matrices?
  • Doesn’t quite work like the others
  • We only get additive HE + one multiplication
  • Quadratic formulas, as in [BGN’05]
  • But more efficient and more flexible
  • Can be made leakage-resilient, identity-based
Background
Learning with Errors (LWE)
• Search-LWE: Given A, c, find s, x
  • [R’05, P’09] As hard as worst-case of some lattice problems
[Diagram: c = As + x mod q, with A an m×n random matrix mod q, s ∈ Z_q^n, x small]
• n – security parameter
• q poly(n)
• m > n log q
Learning with Errors (LWE)
• Decision-LWE: Distinguish c from random
  • [R’05] as hard as finding s, x
  • For certain parameters
[Diagram: c = As + x mod q, with A an m×n random matrix mod q, s ∈ Z_q^n, x small; c is close to the linear code spanned by A]
• n – security parameter
• q poly(n)
• m > n log q
Learning with Errors (LWE)
• Many LWE instances with same A
  • Same hardness (easy hybrid argument)
[Diagram: C = AS + X mod q, with A m×n random mod q, S n×m, X m×m small]
Ajtai’s Trapdoors
• [A’96] Given A, hard to find small t s.t. tA = 0 mod q
  • As hard as worst-case of some lattice problems
• [A’99] But it is possible to generate A together with T s.t. TA = 0 mod q
  • A random, T small and full rank
• [Alwen-Peikert’08] Even smaller T
Trapdoor Functions [GPV’08]
• (A, s, x) ↦ As + x is a trapdoor function
• Can use T to correct errors:
  • c = As + x
  • Tc = T(As + x) = Tx mod q
  • But T, x are small, so Tx << q
  • (Tc mod q) = Tx, equality over the integers
  • T^-1(Tc mod q) = x
Our Cryptosystem
Step 1: Encryption from linear ECCs
• Code is the column space of A mod q: { As : s ∈ Z_q^n }
• Bad representation (PK) is A itself
  • Given A, hard to distinguish words close to the code from random words (LWE)
• Good representation (SK) is T
  • Can use T to correct errors
Step 1: Encryption from linear ECCs
• PK: A, SK: T
• Encoding: plaintext is the LSB of the error matrix
  • Plaintext is a binary matrix B ∈ {0,1}^{m×m}
• Enc(A, B): Choose random S ∈ Z_q^{n×m}, small E ∈ Z^{m×m}; output C = AS + X mod q with X = 2E + B
• Dec(T, C): Set X ← T^-1(TC mod q); output B = X mod 2
Step 1: Encryption from linear ECCs
• Security follows from LWE (for odd q)
• Thm: LWE ⇒ for any B, Enc_A(B) ≈ random
• Proof: Given LWE input (A, C’), either C’ = AS + E or C’ random
  • Set C = 2C’ + B mod q
  • If C’ = AS + E then C = A(2S) + (2E + B) mod q, a random encryption of B
  • If C’ is random then so is C
Step 1: Encryption from linear ECCs
Additive homomorphism “for free”
• C = C1 + C2
  = (AS1 + (2E1 + B1)) + (AS2 + (2E2 + B2))
  = A(S1 + S2) + 2(E1 + E2) + (B1 + B2) mod q
• T^-1(TC mod q) = X = B1 + B2 mod 2
  • As long as X << q
Step 2: ECC lives inside a ring
• Multiply C1 × C2 mod q?
• (AS1 + (2E1 + B1))(AS2 + (2E2 + B2))
  = A(…) + (2E1 + B1)AS2 + 2(…) + B1B2 mod q
• Not what we wanted
  • Cannot use T to cancel out (2E1 + B1)AS2
  • Matrix multiplication is not commutative
Step 2: ECC lives inside a ring
• How about C = C1 × C2^t mod q?
• (AS1 + (2E1 + B1))(AS2 + (2E2 + B2))^t
  = A(…) + (…)A^t + 2(…) + B1B2^t mod q
• That’s better: TCT^t = TXT^t mod q
  • X = (2E1 + B1)(2E2 + B2)^t is still small
  • TCT^t mod q = TXT^t over the integers
  • T^-1(TCT^t mod q)(T^t)^-1 = X = B1B2^t mod 2
What Did We Get?
• KeyGen: Generate A, T
• Enc(A, B): C ← AS + 2E + B mod q
• Add(C1, C2): C ← C1 + C2 mod q
• Mult(C1, C2): C ← C1C2^t mod q
• Dec(T, C): B ← T^-1(TCT^t mod q)(T^t)^-1 mod 2
• Can decrypt any quadratic formula with polynomially many terms
  • With appropriate parameters
What Did We Get?
• KeyGen: Generate A, T
• Enc(A, B): C ← AS + pE + B mod q
• Add(C1, C2): C ← C1 + C2 mod q
• Mult(C1, C2): C ← C1C2^t mod q
• Dec(T, C): B ← T^-1(TCT^t mod q)(T^t)^-1 mod p
• Can decrypt any quadratic formula with polynomially many terms
  • With appropriate parameters
• Can replace 2 by any p << q
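The scheme of the last two slides end to end, as an added toy implementation (not the authors' code). The trapdoor (A, T) with TA = 0 mod q is built with a gadget-style construction, which is an assumption of this example (the slides cite Ajtai and Alwen-Peikert); n = 2 and the other sizes are far too small to be secure and only serve to check Enc/Add/Mult/Dec and the noise bookkeeping.

```python
import random

q = (1 << 31) - 1  # odd ciphertext modulus, plaintext modulus p = 2; toy sizes, NOT secure
P = (1 << 61) - 1  # auxiliary prime: T^-1 is taken mod P, then the (integral) result is lifted
def mm(X, Y): return [[sum(a * b for a, b in zip(r, c)) for c in zip(*Y)] for r in X]  # product
def tr(X): return [list(c) for c in zip(*X)]  # transpose
def cmod(X, mod): return [[(v + mod // 2) % mod - mod // 2 for v in r] for r in X]  # centered mod
def inv_mod(M, mod):  # Gauss-Jordan inverse of a square integer matrix modulo a prime
    s = len(M); A = [[v % mod for v in row] + [int(i == j) for j in range(s)] for i, row in enumerate(M)]
    for c in range(s):
        p = next(r for r in range(c, s) if A[r][c]); A[c], A[p] = A[p], A[c]
        iv = pow(A[c][c], -1, mod); A[c] = [v * iv % mod for v in A[c]]
        for r in range(s):
            if r != c and A[r][c]: A[r] = [(a - A[r][c] * b) % mod for a, b in zip(A[r], A[c])]
    return [row[s:] for row in A]

def keygen(n, rng):
    """A^t = [Abar | G - Abar R] (m = n + n k); T^t = [[I + R W, R S_G], [W, S_G]] is small, full rank, T A = 0 mod q."""
    k = q.bit_length(); w = n * k
    Abar = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]      # uniform n x n
    R = [[rng.choice((-1, 0, 1)) for _ in range(w)] for _ in range(n)]   # small n x w
    G = [[(1 << (c % k)) * (c // k == i) for c in range(w)] for i in range(n)]  # gadget: powers of 2
    W = [[((-Abar[r // k][c]) % q >> (r % k)) & 1 for c in range(n)] for r in range(w)]  # G W = -Abar mod q
    def sg(r, c):  # block-diagonal small basis of {x : G x = 0 mod q}; each k x k block has det +-q
        if r // k != c // k: return 0
        j, l = r % k, c % k
        return (q >> j) & 1 if l == k - 1 else 2 * (j == l) - (j == l + 1)
    SG = [[sg(r, c) for c in range(w)] for r in range(w)]
    AR, RW, RS = mm(Abar, R), mm(R, W), mm(R, SG)
    At = [Abar[i] + [(G[i][c] - AR[i][c]) % q for c in range(w)] for i in range(n)]
    S = [[(i == c) + RW[i][c] for c in range(n)] + RS[i] for i in range(n)] + [W[r] + SG[r] for r in range(w)]
    return tr(At), tr(S)  # (A, T)
def enc(A, B, rng):  # C = A S + 2 E + B mod q, S uniform n x m, E small m x m, B binary m x m
    S = [[rng.randrange(q) for _ in A] for _ in A[0]]
    E = [[rng.choice((-1, 0, 1)) for _ in A] for _ in A]
    return [[(a + 2 * e + b) % q for a, e, b in zip(ra, re, rb)] for ra, re, rb in zip(mm(A, S), E, B)]
def add(C1, C2): return [[(a + b) % q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]  # C1 + C2
def mult(C1, C2): return [[v % q for v in r] for r in mm(C1, tr(C2))]  # C1 C2^t: one multiplication
def dec(T, C):  # works for fresh, added and multiplied ciphertexts alike
    Y = cmod(mm(mm(T, C), tr(T)), q)  # T C T^t mod q equals T X T^t over the integers (X small)
    Ti = inv_mod(T, P)                # X = T^-1 Y (T^t)^-1 is an integer matrix, so recover it mod P
    return [[v % 2 for v in r] for r in cmod(mm(mm(Ti, Y), tr(Ti)), P)]

def demo(seed, n=2):  # (fresh, sum, product decrypt correctly?) for one seeded run
    rng = random.Random(seed); A, T = keygen(n, rng)
    B1, B2 = ([[rng.randrange(2) for _ in A] for _ in A] for _ in range(2))
    C1, C2 = enc(A, B1, rng), enc(A, B2, rng)
    want_add = [[(a + b) % 2 for a, b in zip(r1, r2)] for r1, r2 in zip(B1, B2)]
    want_mul = [[v % 2 for v in r] for r in mm(B1, tr(B2))]
    return dec(T, C1) == B1, dec(T, add(C1, C2)) == want_add, dec(T, mult(C1, C2)) == want_mul
```

Decryption uses the TCT^t form from the "What Did We Get?" slide for every ciphertext; with these sizes the worst-case entry of TXT^t stays far below q/2, so the centered reduction is exact.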
Extensions, Applications
• Can apply the [AMGH’10] transformation
  • Get homomorphism for low-degree polynomials
• “Dual Regev encryption” [GPV’08] is a special case of our scheme*
  • Leakage resilience
  • IBE
• Efficient quadratic-formula homomorphism for polynomials, big-integers
* After changing the encoding of the plaintext
Thank You
2-of-2 Decryption
• Alice has key-pair (A1, T1), Bob has (A2, T2)
• Charlie encrypts B1 to Alice: C1 ← [A1S1 + X1]_q
• Dora encrypts B2 to Bob: C2 ← [A2S2 + X2]_q
• Zachariah sets C* = [C1C2^t]_q
• C* looks random to either Alice or Bob alone
• Pooling their keys together they can recover B1B2^t
  • B1B2^t = T1^-1 [T1 C* T2^t]_q (T2^t)^-1 mod 2
• Can also “blind” C* to hide its relation to C1, C2
Multiplying Polynomials
• p(x) = p0 + p1x + p2x², q(x) = q0 + q1x + q2x²
• P = [ p2 p1 p0 ; 0 p2 p1 ; 0 0 p2 ],  Q = [ q0 q1 q2 ; 0 q0 q1 ; 0 0 q0 ]
• PQ^t + R = [ p0q2+p1q1+p2q0  p0q1+p1q0  p0q0 ; p1q2+p2q1  $  $ ; p2q2  $  $ ]
  • The first row and first column hold the coefficients of p(x)q(x); $ marks entries that are not needed
• R = [ 0 0 0 ; 0 $ $ ; 0 $ $ ], nonzero only in the $ positions
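The packing on this slide, as an added example (not the authors' code) that generalizes it to any degree d: both polynomials are assumed to have the same degree, and the $ entries are read as don't-care positions where a blinding matrix R may be added without affecting the coefficients read off the first row and column.

```python
import random

def mm(X, Y): return [[sum(a * b for a, b in zip(r, c)) for c in zip(*Y)] for r in X]  # matrix product
def tr(X): return [list(c) for c in zip(*X)]  # transpose

def pack(p, q):
    """Slide packing for degree d: P[r][c] = p_{d-c+r}, Q[r][c] = q_{c-r} (0 outside the index range)."""
    d = len(p) - 1
    P = [[p[d - c + r] if 0 <= d - c + r <= d else 0 for c in range(d + 1)] for r in range(d + 1)]
    Q = [[q[c - r] if c >= r else 0 for c in range(d + 1)] for r in range(d + 1)]
    return P, Q

def unpack(M):
    """Coefficients of p*q: first row of M holds x^d..x^0 (left to right), first column x^d..x^2d (top down)."""
    d = len(M) - 1
    return [M[0][d - k] if k <= d else M[k - d][0] for k in range(2 * d + 1)]

def poly_mul_via_matrices(p, q, blind=False):
    """p*q read off P Q^t; with blind=True a random R supported on the '$' (don't-care) entries is added."""
    P, Q = pack(p, q)
    M = mm(P, tr(Q))
    if blind:  # R lives only off the first row and first column, so unpack() never sees it
        for r in range(1, len(M)):
            for c in range(1, len(M)):
                M[r][c] += random.randrange(-1000, 1000)
    return unpack(M)

def poly_mul_direct(p, q):  # ordinary convolution, used as the reference
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out
```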
Dual Regev Encryption [GPV’08]
• Dual-Regev cryptosystem is an instance of our scheme with T = u
  • A different input encoding than [GPV’08]
  • T is no longer invertible
  • But can still recover the top-left entry of B
• It is known to be IBE, leakage-resilient
  • Still true with the new input encoding
  • And now it supports quadratic formulas