Gentry’s ideal-lattice based encryption scheme Gentry’s STOC’09 paper - Part III 1 From Micciancio's paper Why ideal lattices --- as opposed to just ideals or lattices? • We described an ideal-based encryption scheme Σ. sk • Recall XEnc Samp(BBIJ , P) and XRDec mod . • The scheme is correct for circuit C if ∀ xxXgCxxX1,, …∈ ttEnc , (),,( 1 … ) ∈Dec . • For Σ to be correct as an ordinary encryption scheme, we require: XXEnc⊆ Dec. • For Σ to be additively and multiplicatively homomorphic, +⊆ ×⊆ we require: XXXEnc Enc Dec and XXX Enc Enc Dec. 3 • Our goal is to have gC( )( XEnc ) ⊆ X Dec for deep enough circuits CD, including the decryption circuit Σ. • So, we want to analyze, for example, how (( XXEnc+ Enc) ×( XX Enc + Enc )) ×× XEncX Enc expand, and how to ensure (( XXEnc+ Enc) ×( XX Enc + Enc)) ×× XX Enc Enc ⊆ X Dec . • Connecting ideals with lattices makes such analysis possible, n because, with R= [ x ] ( fx ( ))≅ , XEnc and X Dec become subsets of n and we can analyze them geometrically. 4 Instantiate the ideal-based scheme • To instantiate the (abstract) ideal-based encryption scheme using ideal lattices, we will do the following. • Choose a polynomial fx( ) with integer coefficients and let ring R= [ x ]( fx ( )) . • Choose an element s∈==RI, ideal (sB), I the rotation basis. • Plaintext space MC: a subset of (BI ), centered parallelepiped. • Samp: choose a range Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ). 5 Ideal Lattices 6 []x ( fx( ):) a polynomial ring • [x ]: the ring of all polynomials with integer coefficients. • fx( ): a monic polynomial of degree nx in [ ] Monic means the leading coefficient is 1 Often choose fx( ) to be irreducible. • ( fx( )) : the ideal generated by fx( ). ( fx()) = fx () ⋅= [] x{ fx () ⋅ gx (): gx() ∈ []. x} • gx()≡ h ()modx fx( ) iff g(x )− hx ( ) is divisible by f(x ). • [x ] is divided into classes (cosets) such that gx( ) and hx( ) ≡ are in the same class (coset) iff gx( ) hx()mod(). f x 7 • [](()x fx): [x ] ( fx ( )) denotes the set of those classes (cosets). Each class has exactly one polynomial of degree≤−n 1. Thus, [x ]( fx ( )) may also be defined as the set of all polynomials of degree ≤−n 1, i.e., n−1 []x( fx ()) ={ ani−1 x ++ aa 10x +a : ∈ }. Addition and multiplication in [xx ] (f ( )) are like regular polynomial addition and multiplication except that the result is reduced modulo fx( ). [x ]( fx ( )) is a commutative ring with identity. 8 n−1 • If a( x ) = an−1 x ++ ax 10 + a and n−1 b( x ) = bn−1 x ++ bx 10 + b, then n−1 ax()+ bx () = ( ann−−1 + b 1 ) x ++ ( a11 + b ) x + ( a 0+ b 0 ). • [x] (f (x ))≅ n as an additive group. The group [x ] (fx ( )) is isomorphic to the lattice n . n−1 a0++ ax 1+↔ ann−−1 x ( a01 , a, , a 1). Define multiplication in n by way of multiplication in [x ] ( fx ( )), and then we have multiplication in n . • Each ideal in [x] (fx ( )) defines a sublattice in n . • Lattices corresponding to ideals are ideal latt i ces. 9 Rotation basis for principal ideal (v) • Since R= [ x ] ( fx ( ))≅ n , we do not distinguish between ring elements in R and lattice points/vectors in n . • Any ideal in R corresponds to a lattice in n . • In particular, the ideal (v) generated by 0v≠∈R defines a lattice with basis Bv= [ 01, , vn− ], where i vvi = × xmod fx ( ). • This basis is called the rotation basis for the ideal lattice (v). • Not every ideal has a rotation basis. 10 Examples • Ideal (1) =R . 1 = e1 . Rotation basis= [ee12 , , , vn ]. Ideal lattice= n . • Ideal (2) =×= 2RR{ all polynomials in with even coefficients} . Rotation basis: [2ee12 , 2 , , 2 vn ] . all lattice points in n Corresponding lattice, 2n = . with even coordinates • Q: Find the rotation basis of (2++x) or (2ee12) . 11 []x (fx ( )) and fractional id ea l s • [x ]: the ring of polynomials with rational coefficients. n−1 • [xf ] ( (x )) ={ ani−1 x ++ ax 10 + a:. a ∈} • If I is an ideal in R= [ x ] ( fx ( )), define I−1 as I −1 {v ∈ [x ] ( fx ( )) : v ×⊆ I R} ⊇ R. IR−1 is a fractional ideal. It behaves like an ideal of except that it is not necessarily contained in R. −−11 II ⊆ R. I is said to be invertible if IR I = . • All invertible (fractional) ideals form a group with R as the identity. 12 [x] (fx ( )) and fractional ideals • If II= (vv), then −−11= ( ) is generated by v−1∈[x ] ( fx ( )). v−1 exists if fx( ) is irreducible. • I −1 defines a lattice in nn, not necessarily in . • We have (detdI ) ⋅( etI −1 ) = 1. • Recall: detI= detBBII = det( LP ( )) = vol( ( B I )) , the volumn of the fundamental parallelepiped of the lattice defined by I. • detI= the index [RI:] the number of elements in RI. 13 Review • Hermite nornal form (HNF): a basis which is skiny, skew, and will be used as a pk. • Centered fundamental parallelepiped: //Bb= [ 1 , , bn ]// n P(Bb ) ∑ xxii : i∈−[ 12, 12) . i=1 • t modB the unique t′′∈PL( B ) with tt −∈( B ). • tmod B can be efficiently computed as tBB− ⋅ −1 ⋅ t . • xx rounded to the nearest integer. • ∈ B max{ bbBii :} . 14 Instantiating the ideal-based scheme using ideal lattices 15 From Micciancio's paper Recall: • To instantiate the (abstract) ideal-based encryption scheme using (ideal) lattices, we will do the following. • Choose a polynomial fx( ) and let ring R= [ x]( fx ().) • Choose a vector s, let ideal I =(sB), let I = the rotation basis. • Plaintext space MP: a subset of (BI ). • Samp: choose a range Samp for Samp. sk • Choose an ideal J and a good basis BJ . pk sk Let BBJJ= HNF( ). • Our goal is to have gC()( X Enc) ⊆ X Dec for deep enough 17 circuits C, including the decryption circuit DΣ. Balls: BB(rrEncD) and ( ec ) • XMEnc Samp(BI , ) . sk sk XRDec modBBJJ= P ( ). • Define: rEnc the smallest radius s.t. XrEnc⊆ B( Enc ), rDec the largest radius s.t. B()rXDec⊆ Dec. • Theorem (a sufficient condition for permitted circui ts): A modBI -circuit Ct (including the identity circuit) with ≥1 inputs is a permitted circuit for the schecme if: ∀ x1, …∈ , xt B ( rEnc ), gC( )( xx1, …∈ , t ) B ( rDec ). 18 XXEnc Dec B()rEnc B()rDec 19 20 Expansion of vectors with operations • Starting from BB:= (rEnc ), how does B expand with addition and multiplication? • u+v≤+ u v for all u, v ∈R (triangle inequality). • u×≤ vγ Mult u ⋅ v for all uv, ∈R , where γ Mult is a factor dependent on R. Let m = γ Mult . • If input vectors are in B(rm ), then after a -fan-in addition or a 2-fan-in multiplication, the output vector is in B(mr2 ). 21 • By induction, if input vectors are in B(rkEnc ), then after levels of m-fan-in addition and/or 2-fan-in multiplication, kk k 2− 12 ⊆ 2 the result is in BB(m rEnc )( ( mrEnc )) . 2k • We will have (mrEnc ) ≤ rDec if kr≤ loglogDec − loglogmrEnc . • Theorem: The proposed scheme Σ correctly evaluates circuits of depth up to loglogrDec − loglog(γ Mult⋅ r Enc ). • To maximize the depth of permitted circuits, we will attempt to minimize rrEnc and γ Mult and maximize Dec subject to security constraints. 22 Security constraints • Roughly: the ratio rrDec Enc must be ≤ subexponential. • Recall: the security of the abstract scheme relies on the hardness of ICP. • In the setting of ideal lattices (where π′ is chosen to be pk shorter than rEnc and tB:= modJ ), ICP becomes: Decide whether t is within a small distance (rJEnc ) of lattice , or is uniformly random modulo J. • This is a decision version of BDDP, which is not surprising since the abstract scheme is a variant of GGH and the security of GGH relies on the hardness of BDDP. 23 • Roughly: the ratio rrDec Enc must be ≤ sub-exponential. n • If rEnc is too small, say rJEnc≤ λ 1( ) 2 , BDDP can be solved using, for example, the LLL algorithm. nc • No algorithm is known to solve BDDP if rJEnc≥ λ 1()2, c <1. • On the other hand, by definition, we have rJDec1≤ λ ( ). • Thus, for BDDP to be hard, we require nc rrDec Enc ≤< 2 , c1 //sub-exponential// nc1 nc2 • If we choose rDec = 2 , γ Mult ⋅=rEnc 2 , then the scheme can handle circuits of depth up to (occ12− )l gn. 24 Minimizing γ Mult (R ) • Goal: Set fx( ) so that R= [ x ] ( fx ( )) has a small γ Mult (R ). • To this end, we only have to choose fx( ) such that fx( ) and gx( ) have small norms, due to the following theorem. • Theorem: If fx( ) is a monic polynomial of degree n then γ Mult ()R≤ 2 n ⋅+( 1 2 nf ⋅ ⋅ g) , where gx( )= Fx ( )−−11 mod xnn //inverse in [x ] ( x−1 ) // Fx( )= xfn (1 x ) //reversing the coefficients of fx( )// 2 n p=∑ ain for px( ) = ax ++ a0 //polynomial norm// 25 • Theorem: If f( x )= xn − hx ( ) where hx( ) has degree at most n−−( n 1) kk , ≥2, then, for R =[ x ] ( fx ( )), k γ (R )≤ 2 n ⋅+ 1 2 n ( k − 1) nf . Mult ( ( ) ) • Theorem: Let fx( )=xn ± 1 and Rx= [ ] (f (x )). Then, γ Mult ()Rn≤ . • There are non-fatal attacks on hard problems over this ring. 26 Minimizing rEnc n • Let R=[ x ]( fx ( )) with fx( ) = x−≤ 1 and so γ Mult (R ) n . • Let ss∈=RI, and ( ) the ideal generated by s, BI= ( s01, , s n− ) the rotation basis of sB, Ii= max{ s} , L(BI ) the lattice generated by BI , P(BI ) the centered fundamental parallelepiped, MP⊆∈(BxI ) the message space, M a message, Samp(BI ,x ) := x + Samp1 (R) × s .