Gentry’s ideal-lattice based encryption scheme
Gentry’s STOC’09 paper - Part III
1 From Micciancio's paper Why ideal lattices --- as opposed to just ideals or lattices? • We described an ideal-based encryption scheme Σ .
sk • Recall XEnc Samp(BBIJ , P) and XRDec mod . • The scheme is correct for circuit C if
∀ xxXgCxxX1 ,, …∈ ttEnc , (),,( 1 … ) ∈Dec . • For Σ to be correct as an ordinary encryption scheme,
we require: XXEnc⊆ Dec . • For Σ to be additively and multiplicatively homomorphic, +⊆ ×⊆ we require: XXXEnc Enc Dec and XXX Enc Enc Dec. 3 • Our goal is to have gC( )( XEnc ) ⊆ X Dec for deep enough
circuits CD , including the decryption circuit Σ. • So, we want to analyze, for example, how
(( XXEnc+ Enc) ×( XX Enc + Enc )) ×× XEncX Enc expand, and how to ensure
(( XXEnc+ Enc) ×( XX Enc + Enc)) ×× XX Enc Enc ⊆ X Dec .
• Connecting ideals with lattices makes such analysis possible, n because, with R= [ x ] ( fx ( ))≅ , XEnc and X Dec become subsets of n and we can analyze them geometrically.
4 Instantiate the ideal-based scheme • To instantiate the (abstract) ideal-based encryption scheme using ideal lattices, we will do the following. • Choose a polynomial fx ( ) with integer coefficients and let ring R= [ x ]( fx ( )) .
• Choose an element s∈==RI , ideal (sB) , I the rotation basis.
• Plaintext space MC : a subset of (BI ), centered parallelepiped.
• Samp: choose a range Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ). 5 Ideal Lattices
6 []x ( fx( ):) a polynomial ring
• [x ]: the ring of all polynomials with integer coefficients. • fx( ): a monic polynomial of degree nx in [ ] Monic means the leading coefficient is 1 Often choose fx ( ) to be irreducible.
• ( fx( )) : the ideal generated by fx ( ).
( fx ()) = fx () ⋅= [] x{ fx () ⋅ gx (): gx() ∈ []. x}
• gx()≡ h ()modx fx( ) iff g (x )− hx ( ) is divisible by f (x ).
• [x ] is divided into classes (cosets) such that gx ( ) and hx ( ) ≡ are in the same class (coset) iff gx ( ) hx()mod(). f x 7 • [](()x fx): [x ] ( fx ( )) denotes the set of those classes (cosets). Each class has exactly one polynomial of degree≤−n 1. Thus, [x ]( fx ( )) may also be defined as the set of all polynomials of degree ≤−n 1, i.e., n−1 []x( fx ()) ={ ani−1 x ++ aa 10x +a : ∈ }. Addition and multiplication in [xx ] (f ( )) are like regular polynomial addition and multiplication except that the result is reduced modulo fx ( ). [x ]( fx ( )) is a commutative ring with identity.
8 n−1 • If a ( x ) = an−1 x ++ ax 10 + a and n−1 b ( x ) = bn−1 x ++ bx 10 + b, then n−1 ax ()+ bx () = ( ann−−1 + b 1 ) x ++ ( a11 + b ) x + ( a 0+ b 0 ).
• [x] (f (x ))≅ n as an additive group. The group [x ] (fx ( )) is isomorphic to the lattice n . n−1 a0++ ax 1+↔ ann−−1 x ( a01 , a , , a 1 ). Define multiplication in n by way of multiplication in [x ] ( fx ( )), and then we have multiplication in n .
• Each ideal in [x] (fx ( )) defines a sublattice in n . • Lattices corresponding to ideals are ideal latt i ces. 9 Rotation basis for principal ideal (v)
• Since R= [ x ] ( fx ( ))≅ n , we do not distinguish between ring elements in R and lattice points/vectors in n .
• Any ideal in R corresponds to a lattice in n .
• In particular, the ideal (v) generated by 0v≠∈R defines a
lattice with basis Bv= [ 01 , , vn− ] , where i vvi = × x mod fx ( ). • This basis is called the rotation basis for the ideal lattice (v).
• Not every ideal has a rotation basis.
10 Examples
• Ideal ( 1) =R . 1 = e1 . Rotation basis= [ee12 , , , vn ] . Ideal lattice= n .
• Ideal ( 2) =×= 2RR{ all polynomials in with even coefficients} .
Rotation basis: [ 2ee12 , 2 , , 2 vn ] . all lattice points in n Corresponding lattice, 2n = . with even coordinates
• Q: Find the rotation basis of (2++x) or ( 2ee12) .
11 []x (fx ( )) and fractional id ea l s • [x ]: the ring of polynomials with rational coefficients.
n−1 • [xf ] ( (x )) ={ ani−1 x ++ ax 10 + a:. a ∈}
• If I is an ideal in R= [ x ] ( fx ( )), define I−1 as I −1 {v ∈ [x ] ( fx ( )) : v ×⊆ I R} ⊇ R. IR−1 is a fractional ideal. It behaves like an ideal of except that it is not necessarily contained in R . −−11 II ⊆ R . I is said to be invertible if IR I = . • All invertible (fractional) ideals form a group with R as the identity. 12 [x] (fx ( )) and fractional ideals • If II= (vv) , then −−11= ( ) is generated by v−1∈ [x ] ( fx ( )). v−1 exists if fx ( ) is irreducible.
• I −1 defines a lattice in nn , not necessarily in .
• We have (detdI ) ⋅( etI −1 ) = 1.
• Recall: detI= detBBII = det( LP ( )) = vol( ( B I )) , the volumn of the fundamental parallelepiped of the lattice defined by I .
• detI= the index [RI :] the number of elements in RI.
13 Review
• Hermite nornal form (HNF): a basis which is skiny, skew, and will be used as a pk .
• Centered fundamental parallelepiped: //Bb= [ 1 , , bn ]// n P (Bb ) ∑ xxii : i∈−[ 12, 12) . i=1
• t modB the unique t′′∈PL ( B ) with tt −∈ ( B ).
• t mod B can be efficiently computed as tBB− ⋅ −1 ⋅ t .
• xx rounded to the nearest integer.
• ∈ B max{ bbBii :} . 14 Instantiating the ideal-based scheme using ideal lattices
15 From Micciancio's paper Recall: • To instantiate the (abstract) ideal-based encryption scheme using (ideal) lattices, we will do the following.
• Choose a polynomial fx ( ) and let ring R= [ x]( fx ().)
• Choose a vector s , let ideal I =(sB) , let I = the rotation basis.
• Plaintext space MP : a subset of (BI ).
• Samp: choose a range Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ).
• Our goal is to have gC()( X Enc) ⊆ X Dec for deep enough 17 circuits C , including the decryption circuit DΣ. Balls: BB(rrEncD) and ( ec )
• XMEnc Samp(BI , ) .
sk sk XRDec modBBJJ= P ( ).
• Define: rEnc the smallest radius s.t. XrEnc⊆ B ( Enc ),
rDec the largest radius s.t. B()rXDec⊆ Dec. • Theorem (a sufficient condition for permitted circui ts):
A modBI -circuit Ct (including the identity circuit) with ≥ 1 inputs is a permitted circuit for the schecme if:
∀ x1 , …∈ , xt B ( rEnc ), gC ( )( xx1, …∈ , t ) B ( rDec ). 18 XXEnc Dec
B()rEnc
B()rDec
19 20 Expansion of vectors with operations
• Starting from BB := (rEnc ), how does B expand with addition and multiplication?
• u+v≤+ u v for all u , v ∈R (triangle inequality).
• u×≤ vγ Mult u ⋅ v for all uv , ∈R , where γ Mult
is a factor dependent on R. Let m = γ Mult . • If input vectors are in B (rm ), then after a -fan-in addition or a 2-fan-in multiplication, the output vector is in B (mr2 ).
21 • By induction, if input vectors are in B(rkEnc ), then after levels of m -fan-in addition and/or 2-fan-in multiplication,
kk k 2− 12 ⊆ 2 the result is in BB (m rEnc )( ( mrEnc )) .
2k • We will have (mrEnc ) ≤ rDec if kr≤ loglogDec − loglogmrEnc . • Theorem: The proposed scheme Σ correctly evaluates
circuits of depth up to loglogrDec − loglog(γ Mult⋅ r Enc ). • To maximize the depth of permitted circuits, we will
attempt to minimize rrEnc and γ Mult and maximize Dec subject to security constraints.
22 Security constraints
• Roughly: the ratio rrDec Enc must be ≤ subexponential. • Recall: the security of the abstract scheme relies on the hardness of ICP. • In the setting of ideal lattices (where π′ is chosen to be pk shorter than rEnc and tB := modJ ), ICP becomes: Decide
whether t is within a small distance (rJEnc ) of lattice , or is uniformly random modulo J . • This is a decision version of BDDP, which is not surprising since the abstract scheme is a variant of GGH and the security of GGH relies on the hardness of BDDP. 23 • Roughly: the ratio rrDec Enc must be ≤ sub-exponential.
n • If rEnc is too small, say rJEnc≤ λ 1 ( ) 2 , BDDP can be solved using, for example, the LLL algorithm.
nc • No algorithm is known to solve BDDP if rJEnc≥ λ 1()2, c < 1.
• On the other hand, by definition, we have rJDec1≤ λ ( ). • Thus, for BDDP to be hard, we require
nc rrDec Enc ≤< 2 , c 1 //sub-exponential// nc1 nc2 • If we choose rDec = 2 , γ Mult ⋅=rEnc 2 , then the scheme
can handle circuits of depth up to (occ12− )l gn. 24 Minimizing γ Mult (R )
• Goal: Set fx ( ) so that R= [ x ] ( fx ( )) has a small γ Mult (R ). • To this end, we only have to choose fx ( ) such that fx ( ) and gx ( ) have small norms, due to the following theorem. • Theorem: If fx ( ) is a monic polynomial of degree n then
γ Mult ()R≤ 2 n ⋅+( 1 2 nf ⋅ ⋅ g) , where gx ( )= Fx ( )−−11 mod xnn //inverse in [x ] ( x−1 ) // Fx ( )= xfn (1 x ) //reversing the coefficients of fx ( )//
2 n p=∑ ain for px ( ) = ax ++ a0 //polynomial norm//
25 • Theorem: If f ( x )= xn − hx ( ) where hx ( ) has degree at most n−− ( n 1) kk , ≥ 2, then, for R = [ x ] ( fx ( )), k
γ (R )≤ 2 n ⋅+ 1 2 n ( k − 1) nf . Mult ( ( ) )
• Theorem: Let fx( )=xn ± 1 and Rx= [ ] (f (x )). Then,
γ Mult ()Rn≤ . • There are non-fatal attacks on hard problems over this ring.
26 Minimizing rEnc
n • Let R= [ x ]( fx ( )) with fx ( ) = x−≤ 1 and so γ Mult (R ) n . • Let ss∈=RI , and ( ) the ideal generated by s ,
BI= ( s01 , , s n− ) the rotation basis of sB , Ii= max{ s} ,
L (BI ) the lattice generated by BI ,
P (BI ) the centered fundamental parallelepiped,
MP⊆∈ (BxI ) the message space, M a message,
Samp(BI ,x ) := x + Samp1 (R) × s .
• We want Samp(B,I MX) Enc⊆ B( r Enc ). • Let be an upper bound on rr , ← SampR . Samp1 1 ( ) 27 • Theorem: rn≤⋅BB + n ⋅ ⋅ . Enc II Samp1
Proof : rEnc =max{ xrs +× : x ∈ MR , r ←Samp1 ( )} .
n−1 Since x∈MP ⊆ ( BxI ) ⇒ ≤ ∑ s iI 2 ≤⋅ n B i=0 ⇒ xrs +× ≤ x +rs× ≤⋅ nn B + ⋅ ⋅B. II Samp1
• May choose se= 2 1 to make BI small. Q: why not s = e1 ? • The size of is a security. It needs to be large enough to Samp1 pk make t ← Samp1 (R ) modBJ in ICP sufficiently random. • May set = nn and let Samp sample uniformly in n ∩B( ). Samp1 1 • With this setting, r≤+ 2 nn 21.5 . Enc 28 Maximizing rDec
sk • Recall: the decryption equation: πψ← ( modBBJI) mod . sk • We want B (rDec )⊆ XP Dec (BJ ). sk • To have a large rDec , the shape of P (BJ ) is important. sk BJ We want it to be "fat" (i.e. containing a large ball). • The "fattest" parallelepiped is that associated with basis
tt⋅=⋅Ee( 1 , , t⋅ en ) , containing a ball of radius t . sk • So, we will choose our BEJ to be "close" to t ⋅ . sk Q: why not simply letting BeJn=⋅⋅(tt1 , , e) ?
29 • Theorem: Let t≥ 4 ns ⋅ ⋅γ Mult ( R ). Suppose ve1∈⋅t 1 + B(), s sk i.e., within distance st of ⋅eB11 . Let J be the rotation basis of v . sk Then, Pt (BJ ) circumscribes a ball of radius at least 4. sk i−1 Proof: We have BJ =( v11 , , v ni) , with vv= × x .
The difference zvjj= −⋅t e j has length j−1 zvjj= −⋅t e j =( ve1 −⋅ t 1 ) × xs ≤ ⋅γ Mult ( R ). sk For every point aB on the surface of P(J ), we have 1 av=±⋅+i ∑a jjv for some ia and j≤ 1 2. 2 ji≠ We will show a ≥ t 4, from which the theorem will follow.
30 1 av=±⋅+i∑aa jj v, j ≤ 1 2. 2 ji≠ 1 a ≥≥ ae, i ⋅+ vii , e∑a j v ji , e 2 ji≠ 11 = ⋅+ta ⋅zeii, +∑ jji z , e 22 ji≠
≥ t2− nzeji , ≥≥ tn2− zj tnsR2 − ⋅⋅γ Mult ( ) ≥≥ tt 2− 4 t 4, where we have used
veii, = z i +⋅tt ee ii, =+ ze ii,
veji, = z j +⋅t eji, e= ze ji, 31 sk pk Generating BBJJ and
sk pk • By the theorem, we may generate BBJJ and as follows:
Randomly generate a vector ve within distance st of ⋅ 1 . sk Let BvJ be the rotation basis of . pk sk Let BBJJ be the HNF of .
• We have to choose st , , Samp to ensure that rDec r Enc is sub-exponential.
32 An example instantiation of the abstract scheme
n • Ring: R= [ x ]( fx ( )) , fx ( ) =−≤ x 1, γ Mult n . n 32 • Ideal: I=( 2) = 2 . BeIn =( 21 , , 2 e) . rEnc ≤+ 2 nn 2 .
• Plaintext space: (a subset of) { (x1 , …∈ , xxni ) : {0,− 1}} . n • Samp1 : samples uniformly in ∩B (n ).
• Samp(BI ,ππ ): +← 2 r with r Samp1 . • Ideal: J
33 How good is it? • An improvement over previous work.
• Boneh-Goh-Nissim (2005): quadratic formulas with any number of monomials. plaintext space: logλλ bits for security prameter . • Gentry (2009): polynomials of degree logn . plaintext space: larger. • Not bootstrappable ye t !
34 Why not bootstrappable?
sk sk− 1 • Decryption (ψ −⋅BBJ ( BJ ) ⋅ψ )modI involves adding n vectors. • Adding nk -bit numbers in [ 0,1) requires a constant fan-in boolean circuit of depth Ω+ (lognklog ) : 3-for-2: convert 3 numbers to 2 numbers with the same sum; this can be done with a circuit of constant depth, say depth c .
It takes a circuit of depth ≈ cn log32 to convert n numbers to 2 numbers with the same sum. It needs depth Ω (logk ) to add the final two numbers. • The proposed scheme permits circuits of depth On (log ). 35 Tweak 1 to simplify the decryption circuit
• Tweak: Narrow the permitted circuits from BB(rrDec ) to (Dec 2). • Purpose: To ensure that the ciphertexts vectors are closer to the lattice J than they strictly need to be, so that less precision is needed to ensure the correctness of decryption.
sk− 1 • Allowing the coefficients of (⋅BJ )ψ to be very close to
half-integrs (i.e., ψ very close to the sphere of B (rDec )) would require high precision (large k ) to ensure correct rounding.
36 • Lemma: If ψ is a valid ciphertext after tweak 1, sk− 1 i.e., ψψ • With Tweak 1, we can reduce the precision to On(log ) bits, and cut the the circuit depth of adding n numbers to Ω (lognn+=Ω loglog ) (log n ). • The new maximum depth of permitted circuits is loglog(rrDec 2) − loglog(γ Mult⋅ Enc ), almost the same as the original depth, which can be as large as On (log ). • Unfortunately, the constant hidden in Ω> (logn ) is 1, while that in On (log ) < 1. So, still not bootstrappable. 37 Tweak 2, optional, more technical, less essential • Tweak: Modify Decrypt(sk, ψ ) from sk sk− 1 sk (ψ−BBJJ ⋅( ) ⋅ ψψ ) mod BI ⇒ ( − vJ ×ψ )mod BI sk− 1 for some vector v J ∈ J . • Purpose: To reduce the secret key size (as well as public key size in bootstrapping) and per-gate computation in decryption (from matrix-vector mult to ring mult). • To use this tweak, we will need to replace 1.5 2 B (rDec ) ⇒ B ( 2(⋅ rnDecγ Mult BI )) 38 Decryption complexity of the tweaked scheme sk • Decrypt(sk , ψ ) : πψ←( − vBJI × ψ )mod sk1 sk2 If Tweak 2 is used, BIBJJ= and is some rotation matrix, − sk1 sk sk2 sk 1 otherwise, BBJJ= and B J= ( B J) . • Split the computation of decryption into three steps: sk2 Step 1: Generate n vectors xBiJ with sum ⋅ψ . Step 2: From the n vectors xi , generate integer vectors y11 , , yynn , + with sum ∑xi . sk1 Step 3: Compute πψ←−( ByJi ⋅∑ )mod B I . 39 Plaintext space • As a somewhat homomorphic scheme, Gentry's scheme provides a large plaintext space, RPmodBBII= ( ). • However, in order to make the scheme bootstrappable, Gentry has to limit the plaintext space to { 0,1} modBI . • Evaluate evaluates modBI -circuits. For bootstrapping, the decryption circuit must be composed of modBI -gates. • Ordinary boolean operations can be esaily emulated with modBI operations. 40 Decryption complexity of the tweaked scheme sk1 sk2 • Decrypt(sk , ψ ) : πψ←−(ψ BBJJ⋅ ⋅)mdo BI sk1 sk2 If Tweak 2 is used, BIBJJ= and is some rotation matrix, − sk1 sk sk2 sk 1 otherwise, BBJ= J and B JJ= (B ) . • Split the computation of decryption into three steps: sk2 Step 1: Generate n vectors xi with ∑ xB iJ= ⋅ψ . Step 2: From the n vectors xi , generate integer vectors y11 , , yynn , + with ∑∑yxii= . sk1 Step 3: Compute πψ←−( ByJi ⋅∑ )mod B I . 41 Squashing the Decryption Circuit 42 Squashing • A technique to lower the complexity of the decryption circuit, so as to make the encryption scheme bootstrapable. • Basic idea is to split the decryption algorithm into two phases: computationally intensive, secret-key independent, by the encrypter. computationally lightweight, secret-key dependent, by the decrypter : • Properties: Does not reduce the evaluation capacity (i.e., the set of permitted circuits remains the same), but may potentially weakens security. 43 Squashing: generic version • ε ∗ : the original encryption scheme. • εε : to be constructed from ∗ using two algorithms, SplitKey and ExpandCT . ∗∗ ∗ • KeyGen(λλ ): (pk , sk )← KeyGen ( ) ∗∗ (pk , sk )← SplitKey(pk , sk ) where sk is the (new) secret key and pk := ( pk ∗ , τ ). ∗ ∗∗ • Encrypt(pk , πψ ) : ← Encrypt (pk , π ) ∗ x ← ExpandCT(pk , ψ ) //heavy use of τ // ∗ ψψ← ( ,) x 44 ∗∗ • Decrypt(sk , ψψ ) : decrypts making use of sk and x. It is desired that Decrypt(sk , ψ ) works whenever ∗∗∗ Decrypt (sk , ψ ) does. ∗∗ • Add(pk , ψψ12 , ) : ( ψψ 1 , 2 )← extracted from (ψψ12 , ) ∗ ∗ ∗∗∗ ψ← Add (pk , ψψ12 , ) ∗ x ← ExpandCT(pk , ψ ) ∗ ψψ← ( ,) x • Mult(pk , ψψ12 , ) : similar. 45 Squash: concrete scheme ∗ sk∗ • Let ε be the encryption scheme with Tweak 2. Let v J be the secret key, which is an element of the fractional ideal J −1 . Recall the decryption equation: ∗∗sk∗ πψ:=−× vB ψ mod JI −1 • Let tBiu∈∈J modI , iU . //uniformly generate a set of ti // sk∗ • Let SU⊂= be a sparse subset s.t. ∑tiIv J mod B iS∈ ∗∗ • SplitKey(pk , sk ) : ∗ τ = = τ = 46 :{ti }iU∈ . pk : ( pk , ). sk : S (encoding of S ). ∗∗ • ExpandCT(pk , ψτ ) : //recall pk= ( pk , )// ∗ Compute cBii :=t ×∈ψ modI for iU . ψψ= ∗ The expanded ciphertext is :( , {ci }i∈U ) . • Decrypt(pk , ψ ) : ∗ sk∗ ∗ Recall πψ:= − v ×ψ mod B J I sk∗ Recall v J ≡ ∑tBiI mod . iS∈ sk∗ ∗ ∗ Thus, v J ×ψ ≡∑∑tBi ×≡ψ ci modI . iS∈∈iS Thus, πψ := − ∑ci modBI . iS∈ 47