bootstrapping with small error growth chris peikert
play

Bootstrapping (with Small Error Growth) Chris Peikert University - PowerPoint PPT Presentation

Aug 18, 2022 •327 likes •1.01k views

Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School 12 Oct 2015 1 / 14 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval ( f ) f ( ) A cryptographic holy

  1. Bootstrapping (with Small Error Growth) Chris Peikert University of Michigan HEAT Summer School 12 Oct 2015 1 / 14

  2. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] 2 / 14

  3. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) 2 / 14

  4. Fully Homomorphic Encryption [RAD’78,Gentry’09] ◮ FHE lets you do this: µ Eval ( f ) f ( µ ) A cryptographic “holy grail” with countless applications. First solved in [Gentry’09] , followed by [vDGHV’10,BV’11a,BV’11b,BGV’12,B’12,GSW’13,. . . ] ◮ “Naturally occurring” schemes are somewhat homomorphic (SHE): can only evaluate functions of an a priori bounded depth. µ Eval ( f ) f ( µ ) Eval ( g ) g ( f ( µ )) ◮ Thus far, “bootstrapping” is required to achieve unbounded FHE. 2 / 14

  5. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluate the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. 3 / 14

  6. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluate the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. ◮ Decrypting µ as a function of sk : � � µ Dec · , µ sk 3 / 14

  7. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluate the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. ◮ Decrypting µ as a function of sk : � � µ Dec · , µ sk ◮ Homomorphically decrypting µ on sk : � � � � µ Eval Dec · , µ sk 3 / 14

  8. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluate the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. ◮ Decrypting µ as a function of sk : � � µ Dec · , µ sk ◮ Homomorphically decrypting µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime of Eval ( Dec ) is controlled by complexity of Dec. 3 / 14

  9. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphically evaluate the SHE decryption function to “refresh” a ciphertext µ , allowing further homomorphic operations. ◮ Decrypting µ as a function of sk : � � µ Dec · , µ sk ◮ Homomorphically decrypting µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime of Eval ( Dec ) is controlled by complexity of Dec. Error growth of Eval ( Dec ) determines strength of cryptographic assumption – e.g., initial LWE noise “rate” of sk . 3 / 14

  10. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk 4 / 14

  11. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] 4 / 14

  12. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : 4 / 14

  13. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. 4 / 14

  14. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. 4 / 14

  15. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known boolean decryption circuits have logarithmic O (log λ ) depth. 4 / 14

  16. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known boolean decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth & lattice approx factors. = 4 / 14

  17. Bootstrapping: SHE → FHE [Gentry’09] ◮ Homomorphic decryption of µ on sk : � � � � µ Eval Dec · , µ sk ◮ Runtime: quasi-linear ˜ O ( λ ) using rings [GHS’12,AP’13] ◮ Error growth using [BGV’12,B’12,GSW’13] : ⋆ Homom Addition: Error grows additively. ⋆ Homom Multiplication: Error grows by poly( λ ) factor. ◮ Known boolean decryption circuits have logarithmic O (log λ ) depth. ⇒ Quasi-polynomial λ O (log λ ) error growth & lattice approx factors. = Can we do better?? 4 / 14

  18. Agenda for the Talk 1 Branching program bootstrapping with (large) polynomial runtime and error growth [BrakerskiVaikuntanathan’14] 5 / 14

  19. Agenda for the Talk 1 Branching program bootstrapping with (large) polynomial runtime and error growth [BrakerskiVaikuntanathan’14] 2 Arithmetic bootstrapping with small polynomial runtime and growth [Alperin-SheriffPeikert’14] 5 / 14

  20. Agenda for the Talk 1 Branching program bootstrapping with (large) polynomial runtime and error growth [BrakerskiVaikuntanathan’14] 2 Arithmetic bootstrapping with small polynomial runtime and growth [Alperin-SheriffPeikert’14] 3 Fast ( < 1s) ring-based implementation [DucasMicciancio’15] 5 / 14

  21. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and 6 / 14

  22. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and ◮ Ciphertext encrypting µ ∈ Z under s is a Z q -matrix C satisfying sC = µ · sG + e ≈ µ · sG (mod q ) . 6 / 14

  23. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and ◮ Ciphertext encrypting µ ∈ Z under s is a Z q -matrix C satisfying sC = µ · sG + e ≈ µ · sG (mod q ) . ◮ Homomorphic add: C 1 ‘ C 2 := C 1 + C 2 . 6 / 14

  24. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and ◮ Ciphertext encrypting µ ∈ Z under s is a Z q -matrix C satisfying sC = µ · sG + e ≈ µ · sG (mod q ) . ◮ Homomorphic add: C 1 ‘ C 2 := C 1 + C 2 . ◮ Homomorphic mult: C 1 d C 2 := C 1 · G − 1 ( C 2 ) . 6 / 14

  25. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and ◮ Ciphertext encrypting µ ∈ Z under s is a Z q -matrix C satisfying sC = µ · sG + e ≈ µ · sG (mod q ) . ◮ Homomorphic add: C 1 ‘ C 2 := C 1 + C 2 . ◮ Homomorphic mult: C 1 d C 2 := C 1 · G − 1 ( C 2 ) . s · C 1 · G − 1 ( C 2 ) = ( µ 1 · sG + e 1 ) · G − 1 ( C 2 ) 6 / 14

  26. Somewhat Homomorphic Encryption [GentrySahaiWaters’13] ◮ Recall “gadget” matrix G over Z q [MP’12] : for any matrix A over Z q , G − 1 ( A ) is short (over Z ) G · G − 1 ( A ) = A (mod q ) . and ◮ Ciphertext encrypting µ ∈ Z under s is a Z q -matrix C satisfying sC = µ · sG + e ≈ µ · sG (mod q ) . ◮ Homomorphic add: C 1 ‘ C 2 := C 1 + C 2 . ◮ Homomorphic mult: C 1 d C 2 := C 1 · G − 1 ( C 2 ) . s · C 1 · G − 1 ( C 2 ) = ( µ 1 · sG + e 1 ) · G − 1 ( C 2 ) = µ 1 · sC 2 + e 1 · G − 1 ( C 2 ) 6 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of

Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech CRYPTO 2014 19 August 2014 1 / 10 Fully Homomorphic Encryption [RAD78,Gentry09] FHE lets you do this: Eval (

1.03k views • 50 slides
Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech Oberwolfach Crypto Workshop 29 July 2014 1 / 22 Agenda 1 A homomorphic encryption tool: ring switching 2 An application: (practical!) bootstrapping

1.11k views • 98 slides
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

1.36k views • 98 slides
On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory of Cryptography Conference 5 March 2006 Chris Peikert (MIT) On Error Correction in the Exponent TCC 2006 1 / 9 Error Correction (in the

1.04k views • 58 slides
How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

861 views • 65 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA &amp; ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13 Algebraic Learning With Errors A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE,

954 views • 57 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan

A Framework for Efficient and Composable Oblivious Transfer Chris Peikert 1 Vinod Vaikuntanathan 2 Brent Waters 1 1 SRI International 2 MIT CRYPTO 2008 1 / 10 Oblivious Transfer [R81,EGL85,BCR86,C87,K88,CK88,C89,CS91,CGT95,DCP95,FMR96,BC97,. .

1.02k views • 50 slides
Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1

Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1

Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1 Content-based confidentiality Confidentiality stays with content independent from where the content is independent from how it is

647 views • 10 slides
How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20 november 2019 1 Outline 1 Introduction 2 How to find 1st failure 3 How to find next failure 4 Recovering the secret 5 Conclusion 1 1 LWE hard

1.07k views • 81 slides
Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15

Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15

Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15 ndncomm2015 1 What is content-based confidentiality? Confidentiality stays with content independent from where the content is

456 views • 11 slides
Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring

Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring

Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Quick Review First, Bob randomly chooses two

293 views • 14 slides
Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

1.97k views • 196 slides
Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents Introduction Functional Encryption Security definitions Notations The Power of Inner Products Descriptive statistics Machine Learning Practical

930 views • 65 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides

More recommend