lattice based cryptography and fully homomorphic encryption · lattice based cryptography and fully...
TRANSCRIPT
Lattice Based Cryptography and Fully HomomorphicEncryption
Ani Nadiga
Carleton College
NUMS
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 1 / 21
Introduction to Cryptography
The most basic encryption scheme you can think of - Caesar Cipher
Figure 1: https://tex.stackexchange.com/questions/103364/how-to-create-a-caesars-encryption-disk-using-latex
This scheme is super easy to break, so we needed something more
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 2 / 21
Introduction to Cryptography
The most basic encryption scheme you can think of - Caesar Cipher
Figure 1: https://tex.stackexchange.com/questions/103364/how-to-create-a-caesars-encryption-disk-using-latex
This scheme is super easy to break, so we needed something more
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 2 / 21
Introduction to Cryptography
The most basic encryption scheme you can think of - Caesar Cipher
Figure 1: https://tex.stackexchange.com/questions/103364/how-to-create-a-caesars-encryption-disk-using-latex
This scheme is super easy to break, so we needed something more
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 2 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
Public Key Cryptosystem
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 3 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbers
Public Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,
But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hard
RSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
RSA
Secret Key - two large prime numbersPublic Key - product of those prime numbers
m Enc(m)Public Key
With just the public key, finding m given Enc(m) is hard,But with the private key it is easy!
Given the public key it is hard to find the private key because factoringlarge integers is hardRSA is based on the integer factoring problem being hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 4 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficiently
I Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secure
I For some choices of primes RSA can be broken with out factoring thepublic key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted data
I Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Short Comings of RSA
1 Quantum algorithms can factor integers efficientlyI Quantum computers can break all our cryptography!
2 Not provably secureI For some choices of primes RSA can be broken with out factoring the
public key
3 Can not process on encrypted dataI Given Enc(a) and Enc(b), can not find Enc(a + b) or Enc(a · b)
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 5 / 21
Building a Better System
We need a new problem to build a new crypto system on
25
105
35
75
15
10
36
100
24
84
65
4
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 6 / 21
Building a Better System
We need a new problem to build a new crypto system on
25
105
35
75
15
10
36
100
24
84
65
4
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 6 / 21
Building a Better System
We need a new problem to build a new crypto system on
25
105
35
75
15
10
36
100
24
84
65
4
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 6 / 21
Building a Better System
We need a new problem to build a new crypto system on
25
105
35
75
15
10
36
100
24
84
65
4
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 6 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χ
Set bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
The Learning With Errors Problem
We work in Znq
Pick one s ∈ Znq
Pick many ai ∈ Znq
Given(a1,a1·s)(a2,a2·s)(a3,a3·s)
...
can you find s?
χ an error distribution over Znq
Pick many ei ← χSet bi = ai · s + ei
Given(a1,b1)(a2,b2)(a3,b3)
...
, finding s is hard!
By adding a small amount of error a trivial problem becomes hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 7 / 21
Basic Scheme [BGV12]
Use the ring Rq = Zq[x ]/〈xd + 1〉χ is the error distribution (over Rq)N = b log qc number of samples for dRLWE to be well defined
Secret Key Generation:pick s ′ ← Rq,set SK: s = (1, s ′) ∈ R2
q
Public Key Generation:pick a′ ← RN
q and RNq 3 e← χN
b← a′s ′ + 2e.
set PK: A =
b −a′ ∈ RN×2
q
Note that A · s = 2e ∈ RNq
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 8 / 21
Basic Scheme Cont.
Encryption:message m ∈ R2, m = (m, 0) ∈ R2
q
r← RN2 a small random vector
ciphertext c = m + AT r =
[m0
]+
[bT r
−a′T r
]∈ R2
q
Decryption:for a ciphertext c output m← [[〈c, s〉]q]2
〈c, s〉 = 〈
[(a′T s ′ + 2eT )r + m
−a′T r
],
[1s ′
]〉 = 2eT r + m
As long as 〈c, s〉 < q/2 then [[〈c, s〉]q]2 = [2eT r + m]2 = m
[x ]q denotes taking an 0 ≤ x ≤ q − 1 to its representative in (−q/2, q/2]
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 9 / 21
Addition and Multiplication
For two ciphertexts c1, c2 encrypting messages m1,m2
Addition: c1 + c2 represents m1 + m2
c1 + c2 =
[m1 + bT r1−a′T r1
]+
[m2 + bT r2−a′T r2
]=
[m2 + m1 + bT (r1 + r2)
−a′T (r1 + r2)
]〈(c1 + c2), s〉 = 2eT (r1 + r2)
Multiplication: c1 ⊗ c2 encrypts m1 ·m2 under the new key s⊗ sm1 ·m2 = [[〈c1 ⊗ c2, s⊗ s〉]q]2
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 10 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Also, how do we show that LWE problem is hard?
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 11 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Also, how do we show that LWE problem is hard?
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 11 / 21
Lattice Problems
What is a lattice?
A discrete additive subgroup of Rn
All linear combinations of somebasis vectors
Lattices can exist in any dimension
Lattice Problems:
Shortest Vector Problem
Closest Vector Problem
These problems are conjectured to be both classically and quantum hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 12 / 21
Lattice Problems
What is a lattice?
A discrete additive subgroup of Rn
All linear combinations of somebasis vectors
Lattices can exist in any dimension
Lattice Problems:
Shortest Vector Problem
Closest Vector Problem
These problems are conjectured to be both classically and quantum hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 12 / 21
Lattice Problems
What is a lattice?
A discrete additive subgroup of Rn
All linear combinations of somebasis vectors
Lattices can exist in any dimension
Lattice Problems:
Shortest Vector Problem
Closest Vector Problem
These problems are conjectured to be both classically and quantum hard
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 12 / 21
The SVP LWE Reduction
How does this make LWE quantum hard?
Reduction
If there is a reduction from a problem A to a problem B, then an efficientalgorithm for solving B can be used as a subroutine to make an efficientalgorithm to solve problem A
[Regev 05] found a quantum reduction from LWE to SVPIf you can solve LWE efficiently, then you can solve SVP efficiently
The encryption is an instance of LWE, so we have provable security
We also have average case worst case reductions
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 13 / 21
The SVP LWE Reduction
How does this make LWE quantum hard?
Reduction
If there is a reduction from a problem A to a problem B, then an efficientalgorithm for solving B can be used as a subroutine to make an efficientalgorithm to solve problem A
[Regev 05] found a quantum reduction from LWE to SVPIf you can solve LWE efficiently, then you can solve SVP efficiently
The encryption is an instance of LWE, so we have provable security
We also have average case worst case reductions
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 13 / 21
The SVP LWE Reduction
How does this make LWE quantum hard?
Reduction
If there is a reduction from a problem A to a problem B, then an efficientalgorithm for solving B can be used as a subroutine to make an efficientalgorithm to solve problem A
[Regev 05] found a quantum reduction from LWE to SVPIf you can solve LWE efficiently, then you can solve SVP efficiently
The encryption is an instance of LWE, so we have provable security
We also have average case worst case reductions
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 13 / 21
The SVP LWE Reduction
How does this make LWE quantum hard?
Reduction
If there is a reduction from a problem A to a problem B, then an efficientalgorithm for solving B can be used as a subroutine to make an efficientalgorithm to solve problem A
[Regev 05] found a quantum reduction from LWE to SVPIf you can solve LWE efficiently, then you can solve SVP efficiently
The encryption is an instance of LWE, so we have provable security
We also have average case worst case reductions
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 13 / 21
The SVP LWE Reduction
How does this make LWE quantum hard?
Reduction
If there is a reduction from a problem A to a problem B, then an efficientalgorithm for solving B can be used as a subroutine to make an efficientalgorithm to solve problem A
[Regev 05] found a quantum reduction from LWE to SVPIf you can solve LWE efficiently, then you can solve SVP efficiently
The encryption is an instance of LWE, so we have provable security
We also have average case worst case reductions
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 13 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 14 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 14 / 21
Homomorphic Encryption
Homomorphic Encryption
a form of encryption that allows computation on ciphertexts, generatingan encrypted result which, when decrypted, matches the result of theoperations as if they had been performed on the plaintext. - Wikipedia
Recall: given Enc(a) and Enc(b) we want Enc(a + b) and Enc(a · b)
Homomorphic Encryption does not exist with traditional crypto tools
In 2009, the first HE scheme was developed [Gentry 09], but was very slow
In 2013 a faster scheme was developed
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 15 / 21
Homomorphic Encryption
Homomorphic Encryption
a form of encryption that allows computation on ciphertexts, generatingan encrypted result which, when decrypted, matches the result of theoperations as if they had been performed on the plaintext. - Wikipedia
Recall: given Enc(a) and Enc(b) we want Enc(a + b) and Enc(a · b)
Homomorphic Encryption does not exist with traditional crypto tools
In 2009, the first HE scheme was developed [Gentry 09], but was very slow
In 2013 a faster scheme was developed
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 15 / 21
Homomorphic Encryption
Homomorphic Encryption
a form of encryption that allows computation on ciphertexts, generatingan encrypted result which, when decrypted, matches the result of theoperations as if they had been performed on the plaintext. - Wikipedia
Recall: given Enc(a) and Enc(b) we want Enc(a + b) and Enc(a · b)
Homomorphic Encryption does not exist with traditional crypto tools
In 2009, the first HE scheme was developed [Gentry 09], but was very slow
In 2013 a faster scheme was developed
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 15 / 21
Homomorphic Encryption
Homomorphic Encryption
a form of encryption that allows computation on ciphertexts, generatingan encrypted result which, when decrypted, matches the result of theoperations as if they had been performed on the plaintext. - Wikipedia
Recall: given Enc(a) and Enc(b) we want Enc(a + b) and Enc(a · b)
Homomorphic Encryption does not exist with traditional crypto tools
In 2009, the first HE scheme was developed [Gentry 09], but was very slow
In 2013 a faster scheme was developed
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 15 / 21
Homomorphic Encryption
Homomorphic Encryption
a form of encryption that allows computation on ciphertexts, generatingan encrypted result which, when decrypted, matches the result of theoperations as if they had been performed on the plaintext. - Wikipedia
Recall: given Enc(a) and Enc(b) we want Enc(a + b) and Enc(a · b)
Homomorphic Encryption does not exist with traditional crypto tools
In 2009, the first HE scheme was developed [Gentry 09], but was very slow
In 2013 a faster scheme was developed
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 15 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1
m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Why it Works
There are many aspects of the LWE problem that make homomorphicencryption possible, but one of the most important is that there is somerandomness in the encryption:
m RSA c
m RSA c
m LC c1 + e1m LC c1 + e2
This prevents ”observational attacks”
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 16 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 17 / 21
Recall that we are trying to build a crypto system that is:
1 Immune to quantum attacks
2 Provably secure
3 Capable of processing encrypted data
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 17 / 21
What I did
I learned this stuff
Goal: get information from node A to node B, transmission line isuntrusted
So we add relay stations
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 18 / 21
What I did
Goal: get information from node A to node B, transmission line isuntrusted
So we add relay stations
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 18 / 21
What I didGoal: get information from node A to node B, transmission line isuntrusted
So we add relay stationsAni Nadiga (Carleton College) Lattice Based Cryptography NUMS 18 / 21
What I didGoal: get information from node A to node B, transmission line isuntrusted
But information quality can degrade over long transmission lines
So we add relay stations
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 18 / 21
What I didGoal: get information from node A to node B, transmission line isuntrusted
So we add ”relay stations”
Sowe add relay stations
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 18 / 21
Problems and Solutions
How do relay stations know what is degradation and what is the validencryption with out knowing the unencrypted message?
Using homomorphic encryption techniques, we can check thattransmitted information is correct with out knowing the message.
But homomorphic evaluation causes the encryption’s ”noise” to grow,which increases the chances of decryption error.
We applied existing ”noise management” techniques that do notcompromise security
When adding information that did not need to be encrypted, wefound a way to incorporate unencrypted information with theencrypted information
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 19 / 21
Problems and Solutions
How do relay stations know what is degradation and what is the validencryption with out knowing the unencrypted message?
Using homomorphic encryption techniques, we can check thattransmitted information is correct with out knowing the message.
But homomorphic evaluation causes the encryption’s ”noise” to grow,which increases the chances of decryption error.
We applied existing ”noise management” techniques that do notcompromise security
When adding information that did not need to be encrypted, wefound a way to incorporate unencrypted information with theencrypted information
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 19 / 21
Problems and Solutions
How do relay stations know what is degradation and what is the validencryption with out knowing the unencrypted message?
Using homomorphic encryption techniques, we can check thattransmitted information is correct with out knowing the message.
But homomorphic evaluation causes the encryption’s ”noise” to grow,which increases the chances of decryption error.
We applied existing ”noise management” techniques that do notcompromise security
When adding information that did not need to be encrypted, wefound a way to incorporate unencrypted information with theencrypted information
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 19 / 21
Problems and Solutions
How do relay stations know what is degradation and what is the validencryption with out knowing the unencrypted message?
Using homomorphic encryption techniques, we can check thattransmitted information is correct with out knowing the message.
But homomorphic evaluation causes the encryption’s ”noise” to grow,which increases the chances of decryption error.
We applied existing ”noise management” techniques that do notcompromise security
When adding information that did not need to be encrypted, wefound a way to incorporate unencrypted information with theencrypted information
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 19 / 21
Problems and Solutions
How do relay stations know what is degradation and what is the validencryption with out knowing the unencrypted message?
Using homomorphic encryption techniques, we can check thattransmitted information is correct with out knowing the message.
But homomorphic evaluation causes the encryption’s ”noise” to grow,which increases the chances of decryption error.
We applied existing ”noise management” techniques that do notcompromise security
When adding information that did not need to be encrypted, wefound a way to incorporate unencrypted information with theencrypted information
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 19 / 21
(Ring) LWE Works Cited
1. Regular LWE:[Reg05] O. Regev. On lattices, learning with errors, random linear codes,
and cryptography. In STOC, H. N. Gabow and R. Fagin, eds., ACM, New
York, 2005, pp. 84–93.
2. RLWE:[LPR10] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and
learning with errors over rings. In EUROCRYPT, Springer, Berlin, 2010,
pp. 1–23
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 20 / 21
Fully Homomorphic Encryption Schemes
1. Initial scheme by Gentry. Based on ideal lattices and uses thebootstrapping technique.
[G09] Craig Gentry. Fully homomorphic encryption using ideal lattices. In
Michael Mitzenmacher,ed., STOC, pages 169-178. ACM, 2009.
2. RLWE Schemes:1. FHE without bootstrapping:
[BGV12] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully
homomorphic encryption without bootstrapping. In ITCS, S. Goldwasser,
ed., ACM, New York, 2012, pp. 309–325
2. FHE Batching:
[GHS12] S. Halevi, and N. P. Smart, Fully homomorphic encryption with
polylog overhead. In EUROCRYPT, Lecture Notes in Comput. Sci. 7237,
D. Pointcheval and T. Johansson, eds., Springer, Heidelberg, 2012, pp.
465–482
Ani Nadiga (Carleton College) Lattice Based Cryptography NUMS 21 / 21