Gentry's Ideal-Lattice Based Encryption Scheme

Gentry’s ideal-lattice based encryption scheme

Gentry’s STOC’09 paper - Part III

1 From Micciancio's paper Why ideal lattices --- as opposed to just ideals or lattices? • We described an ideal-based encryption scheme Σ .

sk • Recall XEnc  Samp(BBIJ , P) and XRDec mod . • The scheme is correct for circuit C if

∀ xxXgCxxX1 ,, …∈ ttEnc , (),,( 1 … ) ∈Dec . • For Σ to be correct as an ordinary encryption scheme,

we require: XXEnc⊆ Dec . • For Σ to be additively and multiplicatively homomorphic, +⊆ ×⊆ we require: XXXEnc Enc Dec and XXX Enc Enc Dec. 3 • Our goal is to have gC( )( XEnc ) ⊆ X Dec for deep enough

circuits CD , including the decryption circuit Σ. • So, we want to analyze, for example, how

(( XXEnc+ Enc) ×( XX Enc + Enc )) ×× XEncX Enc  expand, and how to ensure

(( XXEnc+ Enc) ×( XX Enc + Enc)) ×× XX Enc Enc ⊆ X Dec .

• Connecting ideals with lattices makes such analysis possible, n because, with R=  [ x ] ( fx ( ))≅ , XEnc and X Dec become subsets of n and we can analyze them geometrically.

4 Instantiate the ideal-based scheme • To instantiate the (abstract) ideal-based encryption scheme using ideal lattices, we will do the following. • Choose a polynomial fx ( ) with integer coefficients and let ring R=  [ x ]( fx ( )) .

• Choose an element s∈==RI , ideal (sB) , I the rotation basis.

• Plaintext space MC : a subset of (BI ), centered parallelepiped.

• Samp: choose a range  Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ). 5 Ideal Lattices

6 []x ( fx( ):) a polynomial ring

• [x ]: the ring of all polynomials with integer coefficients. • fx( ): a monic polynomial of degree nx in  [ ]  Monic means the leading coefficient is 1  Often choose fx ( ) to be irreducible.

• ( fx( )) : the ideal generated by fx ( ).

 ( fx ()) = fx () ⋅= [] x{ fx () ⋅ gx (): gx() ∈ []. x}

• gx()≡ h ()modx fx( ) iff g (x )− hx ( ) is divisible by f (x ).

•  [x ] is divided into classes (cosets) such that gx ( ) and hx ( ) ≡ are in the same class (coset) iff gx ( ) hx()mod(). f x 7 • [](()x fx):   [x ] ( fx ( )) denotes the set of those classes (cosets).  Each class has exactly one polynomial of degree≤−n 1.  Thus,  [x ]( fx ( )) may also be defined as the set of all polynomials of degree ≤−n 1, i.e., n−1 []x( fx ()) ={ ani−1 x ++ aa 10x +a : ∈ }.  Addition and multiplication in  [xx ] (f ( )) are like regular polynomial addition and multiplication except that the result is reduced modulo fx ( ).   [x ]( fx ( )) is a commutative ring with identity.

8 n−1 • If a ( x ) = an−1 x ++ ax 10 + a and n−1 b ( x ) = bn−1 x ++ bx 10 + b, then n−1 ax ()+ bx () = ( ann−−1 + b 1 ) x ++ ( a11 + b ) x + ( a 0+ b 0 ).

• [x] (f (x ))≅ n as an additive group.  The group  [x ] (fx ( )) is isomorphic to the lattice n . n−1  a0++ ax 1+↔ ann−−1 x ( a01 , a , , a 1 ).  Define multiplication in n by way of multiplication in  [x ] ( fx ( )), and then we have multiplication in n .

• Each ideal in  [x] (fx ( )) defines a sublattice in n . • Lattices corresponding to ideals are ideal latt i ces. 9 Rotation basis for principal ideal (v)

• Since R=  [ x ] ( fx ( ))≅ n , we do not distinguish between ring elements in R and lattice points/vectors in n .

• Any ideal in R corresponds to a lattice in n .

• In particular, the ideal (v) generated by 0v≠∈R defines a

lattice with basis Bv= [ 01 ,  , vn− ] , where i vvi = × x mod fx ( ). • This basis is called the rotation basis for the ideal lattice (v).

• Not every ideal has a rotation basis.

10 Examples

• Ideal ( 1) =R . 1 = e1 . Rotation basis= [ee12 , ,  , vn ] . Ideal lattice= n .

• Ideal ( 2) =×= 2RR{ all polynomials in with even coefficients} .

Rotation basis: [ 2ee12 , 2 ,  , 2 vn ] . all lattice points in n Corresponding lattice, 2n = . with even coordinates

• Q: Find the rotation basis of (2++x) or ( 2ee12) .

11 []x (fx ( )) and fractional id ea l s •  [x ]: the ring of polynomials with rational coefficients.

n−1 •  [xf ] ( (x )) ={ ani−1 x ++  ax 10 + a:. a ∈}

• If I is an ideal in R=  [ x ] ( fx ( )), define I−1 as I −1 {v ∈ [x ] ( fx ( )) : v ×⊆ I R} ⊇ R.  IR−1 is a fractional ideal. It behaves like an ideal of except that it is not necessarily contained in R . −−11  II ⊆ R . I is said to be invertible if IR I = . • All invertible (fractional) ideals form a group with R as the identity. 12 [x] (fx ( )) and fractional ideals • If II= (vv) , then −−11= ( ) is generated by v−1∈ [x ] ( fx ( )).  v−1 exists if fx ( ) is irreducible.

• I −1 defines a lattice in nn , not necessarily in .

• We have (detdI ) ⋅( etI −1 ) = 1.

• Recall: detI= detBBII = det( LP ( )) = vol( ( B I )) , the volumn of the fundamental parallelepiped of the lattice defined by I .

• detI= the index [RI :]  the number of elements in RI.

13 Review

• Hermite nornal form (HNF):  a basis which is skiny, skew, and will be used as a pk .

• Centered fundamental parallelepiped: //Bb= [ 1 ,  , bn ]// n P (Bb ) ∑ xxii : i∈−[ 12, 12) .  i=1 

• t modB the unique t′′∈PL ( B ) with tt −∈ ( B ).

• t mod B can be efficiently computed as tBB− ⋅ −1 ⋅ t .

• xx  rounded to the nearest integer.

• ∈ B max{ bbBii :} . 14 Instantiating the ideal-based scheme using ideal lattices

15 From Micciancio's paper Recall: • To instantiate the (abstract) ideal-based encryption scheme using (ideal) lattices, we will do the following.

• Choose a polynomial fx ( ) and let ring R=  [ x]( fx ().)

• Choose a vector s , let ideal I =(sB) , let I = the rotation basis.

• Plaintext space MP : a subset of (BI ).

• Samp: choose a range  Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ).

• Our goal is to have gC()( X Enc) ⊆ X Dec for deep enough 17 circuits C , including the decryption circuit DΣ. Balls: BB(rrEncD) and ( ec )

• XMEnc  Samp(BI , ) .

sk sk XRDec  modBBJJ= P ( ).

• Define: rEnc  the smallest radius s.t. XrEnc⊆ B ( Enc ),

rDec  the largest radius s.t. B()rXDec⊆ Dec. • Theorem (a sufficient condition for permitted circui ts):

A modBI -circuit Ct (including the identity circuit) with ≥ 1 inputs is a permitted circuit for the schecme if:

∀ x1 , …∈ , xt B ( rEnc ), gC ( )( xx1, …∈ , t ) B ( rDec ). 18 XXEnc Dec

B()rEnc

B()rDec

19 20 Expansion of vectors with operations

• Starting from BB := (rEnc ), how does B expand with addition and multiplication?

• u+v≤+ u v for all u , v ∈R (triangle inequality).

• u×≤ vγ Mult u ⋅ v for all uv , ∈R , where γ Mult

is a factor dependent on R. Let m = γ Mult . • If input vectors are in B (rm ), then after a -fan-in addition or a 2-fan-in multiplication, the output vector is in B (mr2 ).

21 • By induction, if input vectors are in B(rkEnc ), then after levels of m -fan-in addition and/or 2-fan-in multiplication,

kk k 2− 12 ⊆ 2 the result is in BB (m rEnc )( ( mrEnc )) .

2k • We will have (mrEnc ) ≤ rDec if kr≤ loglogDec − loglogmrEnc . • Theorem: The proposed scheme Σ correctly evaluates

circuits of depth up to loglogrDec − loglog(γ Mult⋅ r Enc ). • To maximize the depth of permitted circuits, we will

attempt to minimize rrEnc and γ Mult and maximize Dec subject to security constraints.

22 Security constraints

• Roughly: the ratio rrDec Enc must be ≤ subexponential. • Recall: the security of the abstract scheme relies on the hardness of ICP. • In the setting of ideal lattices (where π′ is chosen to be pk shorter than rEnc and tB := modJ ), ICP becomes: Decide

whether t is within a small distance (rJEnc ) of lattice , or is uniformly random modulo J . • This is a decision version of BDDP, which is not surprising since the abstract scheme is a variant of GGH and the security of GGH relies on the hardness of BDDP. 23 • Roughly: the ratio rrDec Enc must be ≤ sub-exponential.

n • If rEnc is too small, say rJEnc≤ λ 1 ( ) 2 , BDDP can be solved using, for example, the LLL algorithm.

nc • No algorithm is known to solve BDDP if rJEnc≥ λ 1()2, c < 1.

• On the other hand, by definition, we have rJDec1≤ λ ( ). • Thus, for BDDP to be hard, we require

nc rrDec Enc ≤< 2 , c 1 //sub-exponential// nc1 nc2 • If we choose rDec = 2 , γ Mult ⋅=rEnc 2 , then the scheme

can handle circuits of depth up to (occ12− )l gn. 24 Minimizing γ Mult (R )

• Goal: Set fx ( ) so that R=  [ x ] ( fx ( )) has a small γ Mult (R ). • To this end, we only have to choose fx ( ) such that fx ( ) and gx ( ) have small norms, due to the following theorem. • Theorem: If fx ( ) is a monic polynomial of degree n then

γ Mult ()R≤ 2 n ⋅+( 1 2 nf ⋅ ⋅ g) , where gx ( )= Fx ( )−−11 mod xnn //inverse in  [x ] ( x−1 ) // Fx ( )= xfn (1 x ) //reversing the coefficients of fx ( )//

2 n p=∑ ain for px ( ) = ax ++ a0 //polynomial norm//

25 • Theorem: If f ( x )= xn − hx ( ) where hx ( ) has degree at most n−− ( n 1) kk , ≥ 2, then, for R = [ x ] ( fx ( )), k

γ (R )≤ 2 n ⋅+ 1 2 n ( k − 1) nf . Mult ( ( ) )

• Theorem: Let fx( )=xn ± 1 and Rx=  [ ] (f (x )). Then,

γ Mult ()Rn≤ . • There are non-fatal attacks on hard problems over this ring.

26 Minimizing rEnc

n • Let R= [ x ]( fx ( )) with fx ( ) = x−≤ 1 and so γ Mult (R ) n . • Let ss∈=RI , and ( ) the ideal generated by s ,

BI= ( s01 ,  , s n− ) the rotation basis of sB , Ii= max{ s} ,

L (BI ) the lattice generated by BI ,

P (BI ) the centered fundamental parallelepiped,

MP⊆∈ (BxI ) the message space, M a message,

Samp(BI ,x ) := x + Samp1 (R) × s .

• We want Samp(B,I MX)  Enc⊆ B( r Enc ). • Let be an upper bound on rr , ← SampR .  Samp1 1 ( ) 27 • Theorem: rn≤⋅BB + n ⋅ ⋅ . Enc II Samp1

Proof : rEnc =max{ xrs +× : x ∈ MR , r ←Samp1 ( )} .

n−1 Since x∈MP ⊆ ( BxI ) ⇒ ≤ ∑ s iI 2 ≤⋅ n B i=0 ⇒ xrs +× ≤ x +rs× ≤⋅ nn B + ⋅ ⋅B. II Samp1

• May choose se= 2 1 to make BI small. Q: why not s = e1 ? • The size of is a security. It needs to be large enough to  Samp1 pk make t ← Samp1 (R ) modBJ in ICP sufficiently random. • May set = nn and let Samp sample uniformly in n ∩B( ). Samp1 1 • With this setting, r≤+ 2 nn 21.5 . Enc 28 Maximizing rDec

sk • Recall: the decryption equation: πψ← ( modBBJI) mod . sk • We want B (rDec )⊆ XP Dec  (BJ ). sk • To have a large rDec , the shape of P (BJ ) is important. sk BJ We want it to be "fat" (i.e. containing a large ball). • The "fattest" parallelepiped is that associated with basis

tt⋅=⋅Ee( 1 ,  , t⋅ en ) , containing a ball of radius t . sk • So, we will choose our BEJ to be "close" to t ⋅ . sk Q: why not simply letting BeJn=⋅⋅(tt1 ,  , e) ?

29 • Theorem: Let t≥ 4 ns ⋅ ⋅γ Mult ( R ). Suppose ve1∈⋅t 1 + B(), s sk i.e., within distance st of ⋅eB11 . Let J be the rotation basis of v . sk Then, Pt (BJ ) circumscribes a ball of radius at least 4. sk i−1 Proof: We have BJ =( v11 ,  , v ni) , with vv= × x .

The difference zvjj= −⋅t e j has length j−1 zvjj= −⋅t e j =( ve1 −⋅ t 1 ) × xs ≤ ⋅γ Mult ( R ). sk For every point aB on the surface of P(J ), we have 1 av=±⋅+i ∑a jjv for some ia and j≤ 1 2. 2 ji≠ We will show a ≥ t 4, from which the theorem will follow.

30 1 av=±⋅+i∑aa jj v, j ≤ 1 2. 2 ji≠ 1 a ≥≥ ae, i ⋅+ vii , e∑a j v ji , e 2 ji≠ 11 = ⋅+ta ⋅zeii, +∑ jji z , e 22 ji≠

≥ t2− nzeji , ≥≥ tn2− zj tnsR2 − ⋅⋅γ Mult ( ) ≥≥ tt 2− 4 t 4, where we have used

veii, = z i +⋅tt ee ii, =+ ze ii,

veji, = z j +⋅t eji, e= ze ji, 31 sk pk Generating BBJJ and

sk pk • By the theorem, we may generate BBJJ and as follows:

 Randomly generate a vector ve within distance st of ⋅ 1 . sk  Let BvJ be the rotation basis of . pk sk  Let BBJJ be the HNF of .

• We have to choose st , ,  Samp to ensure that rDec r Enc is sub-exponential.

32 An example instantiation of the abstract scheme

n • Ring: R= [ x ]( fx ( )) , fx ( ) =−≤ x 1, γ Mult n . n 32 • Ideal: I=( 2) = 2 . BeIn =( 21 , , 2 e) . rEnc ≤+ 2 nn 2 .

• Plaintext space: (a subset of) { (x1 , …∈ , xxni ) : {0,− 1}} . n • Samp1 : samples uniformly in  ∩B (n ).

• Samp(BI ,ππ ): +← 2 r with r Samp1 . • Ideal: J

33 How good is it? • An improvement over previous work.

• Boneh-Goh-Nissim (2005):  quadratic formulas with any number of monomials.  plaintext space: logλλ bits for security prameter . • Gentry (2009):  polynomials of degree logn .  plaintext space: larger. • Not bootstrappable ye t !

34 Why not bootstrappable?

sk sk− 1 • Decryption (ψ −⋅BBJ ( BJ ) ⋅ψ )modI involves adding n vectors. • Adding nk -bit numbers in [ 0,1) requires a constant fan-in boolean circuit of depth Ω+ (lognklog ) :  3-for-2: convert 3 numbers to 2 numbers with the same sum; this can be done with a circuit of constant depth, say depth c .

 It takes a circuit of depth ≈ cn log32 to convert n numbers to 2 numbers with the same sum.  It needs depth Ω (logk ) to add the final two numbers. • The proposed scheme permits circuits of depth On (log ). 35 Tweak 1 to simplify the decryption circuit

• Tweak: Narrow the permitted circuits from BB(rrDec ) to (Dec 2). • Purpose: To ensure that the ciphertexts vectors are closer to the lattice J than they strictly need to be, so that less precision is needed to ensure the correctness of decryption.

sk− 1 • Allowing the coefficients of (⋅BJ )ψ to be very close to

half-integrs (i.e., ψ very close to the sphere of B (rDec )) would require high precision (large k ) to ensure correct rounding.

36 • Lemma: If ψ is a valid ciphertext after tweak 1, sk− 1 i.e., ψψ

• With Tweak 1, we can reduce the precision to On(log ) bits, and cut the the circuit depth of adding n numbers to Ω (lognn+=Ω loglog ) (log n ). • The new maximum depth of permitted circuits is

loglog(rrDec 2) − loglog(γ Mult⋅ Enc ), almost the same as the original depth, which can be as large as On (log ). • Unfortunately, the constant hidden in Ω> (logn ) is 1, while

that in On (log ) < 1. So, still not bootstrappable. 37 Tweak 2, optional, more technical, less essential

• Tweak: Modify Decrypt(sk, ψ ) from

sk sk− 1 sk (ψ−BBJJ ⋅( ) ⋅ ψψ ) mod BI ⇒ ( − vJ ×ψ )mod BI sk− 1 for some vector v J ∈ J . • Purpose: To reduce the secret key size (as well as public key size in bootstrapping) and per-gate computation in decryption (from matrix-vector mult to ring mult). • To use this tweak, we will need to replace

1.5 2 B (rDec ) ⇒ B ( 2(⋅ rnDecγ Mult BI )) 38 Decryption complexity of the tweaked scheme

sk • Decrypt(sk , ψ ) : πψ←( − vBJI × ψ )mod sk1 sk2  If Tweak 2 is used, BIBJJ= and is some rotation matrix, − sk1 sk sk2 sk 1 otherwise, BBJJ= and B J= ( B J) .

• Split the computation of decryption into three steps: sk2  Step 1: Generate n vectors xBiJ with sum ⋅ψ .

 Step 2: From the n vectors xi , generate integer vectors

y11 ,  , yynn , + with sum  ∑xi . sk1  Step 3: Compute πψ←−( ByJi ⋅∑ )mod B I . 39 Plaintext space • As a somewhat homomorphic scheme, Gentry's scheme

provides a large plaintext space, RPmodBBII= ( ). • However, in order to make the scheme bootstrappable,

Gentry has to limit the plaintext space to { 0,1} modBI .

• Evaluate evaluates modBI -circuits. For bootstrapping,

the decryption circuit must be composed of modBI -gates. • Ordinary boolean operations can be esaily emulated with

modBI operations.

40 Decryption complexity of the tweaked scheme

sk1 sk2 • Decrypt(sk , ψ ) : πψ←−(ψ BBJJ⋅  ⋅)mdo BI sk1 sk2  If Tweak 2 is used, BIBJJ= and is some rotation matrix, − sk1 sk sk2 sk 1 otherwise, BBJ= J and B JJ= (B ) .

• Split the computation of decryption into three steps: sk2  Step 1: Generate n vectors xi with ∑ xB iJ= ⋅ψ .

 Step 2: From the n vectors xi , generate integer vectors

y11 ,  , yynn , + with ∑∑yxii=  . sk1  Step 3: Compute πψ←−( ByJi ⋅∑ )mod B I . 41 Squashing the Decryption Circuit

42 Squashing • A technique to lower the complexity of the decryption circuit, so as to make the encryption scheme bootstrapable. • Basic idea is to split the decryption algorithm into two phases:  computationally intensive, secret-key independent, by the encrypter.  computationally lightweight, secret-key dependent, by the decrypter :

• Properties: Does not reduce the evaluation capacity (i.e., the set of permitted circuits remains the same), but may potentially weakens security. 43 Squashing: generic version

• ε ∗ : the original encryption scheme. • εε : to be constructed from ∗ using two algorithms, SplitKey and ExpandCT .

∗∗ ∗ • KeyGen(λλ ): (pk , sk )← KeyGen ( ) ∗∗ (pk , sk )← SplitKey(pk , sk ) where sk is the (new) secret key and pk := ( pk ∗ , τ ).

∗ ∗∗ • Encrypt(pk , πψ ) : ← Encrypt (pk , π ) ∗ x ← ExpandCT(pk , ψ ) //heavy use of τ // ∗ ψψ← ( ,) x 44 ∗∗ • Decrypt(sk , ψψ ) : decrypts making use of sk and x.

It is desired that Decrypt(sk , ψ ) works whenever ∗∗∗ Decrypt (sk , ψ ) does.

∗∗ • Add(pk , ψψ12 , ) : ( ψψ 1 , 2 )← extracted from (ψψ12 , )

∗ ∗ ∗∗∗ ψ← Add (pk , ψψ12 , ) ∗ x ← ExpandCT(pk , ψ ) ∗ ψψ← ( ,) x

• Mult(pk , ψψ12 , ) : similar.

45 Squash: concrete scheme

∗ sk∗ • Let ε be the encryption scheme with Tweak 2. Let v J be the secret key, which is an element of the fractional ideal J −1 . Recall the decryption equation:

∗∗sk∗ πψ:=−× vB ψ mod JI

−1 • Let tBiu∈∈J modI , iU . //uniformly generate a set of ti //

sk∗ • Let SU⊂= be a sparse subset s.t. ∑tiIv J mod B iS∈

∗∗ • SplitKey(pk , sk ) :

∗ τ = = τ = 46 :{ti }iU∈ . pk : ( pk , ). sk : S (encoding of S ). ∗∗ • ExpandCT(pk , ψτ ) : //recall pk= ( pk , )// ∗  Compute cBii :=t ×∈ψ modI for iU . ψψ= ∗  The expanded ciphertext is :( , {ci }i∈U ) .

• Decrypt(pk , ψ ) :

 ∗ sk∗ ∗   Recall πψ:= − v ×ψ mod B J I sk∗  Recall v J ≡ ∑tBiI mod . iS∈ sk∗ ∗ ∗  Thus, v J ×ψ ≡∑∑tBi ×≡ψ ci modI . iS∈∈iS   Thus, πψ := −  ∑ci  modBI .  iS∈  47