HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert - PowerPoint PPT Presentation

FIELD-SWITCHING IN HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart

HE Over Cyclotomic Rings  Denote the field 𝐿 𝑛 = 𝑅(𝜂 𝑛 ) ≅ 𝑅 𝑌 /(Φ 𝑛 𝑌 )  Its ring of integers is 𝑆 𝑛 = 𝑎(𝜂 𝑛 ) ≅ 𝑎 𝑌 /(Φ 𝑛 𝑌 )  Mod- 𝑟 denoted 𝑆 𝑛,𝑟 = 𝑆 𝑛 /𝑟𝑆 𝑛 ≅ 𝑎 𝑟 𝑌 /(Φ 𝑛 (𝑌))  “ N ative plaintext space” is 𝑆 𝑛,2  Ciphertexts , secret-keys are vectors over 𝑆 𝑛,𝑟 *  𝒅 wrt 𝒕 encrypts 𝑏 if (for representatives in 𝑆 𝑛 ) we 𝑟 * have 𝒕, 𝒅 = 𝑏 ⋅ 2 + 𝑓 (𝑛𝑝𝑒 𝑟) for small 𝑓 *  Decryption via 𝑏 ≔ 𝑁𝑇𝐶( 𝒕, 𝒅 )  Using “appropriate” 𝑎 -bases of 𝑆 𝑛,2 , 𝑆 𝑛,𝑟 * Not exactly

HE Over Cyclotomic Rings  “Native plaintexts” encode vectors of values  𝑏 ∈ 𝑆 𝑛,2 → 𝛽 1 … 𝛽 ℓ ∈ 𝐻𝐺 2 𝑒 ℓ (more on that later)  Homomorphic Operations  Addition: 𝒅 ⊞ 𝒅 ′ encrypts 𝑏 + 𝑏 ′ ∈ 𝑆 𝑛,2 , encoding ′ … 𝛽 ℓ + 𝛽 ℓ ′ ) (𝛽 1 + 𝛽 1  Multiplication: 𝒅 × 𝒅 ′ encrypts 𝑏 × 𝑏 ′ ∈ 𝑆 𝑛,2 , encoding ′ … 𝛽 ℓ × 𝛽 ℓ ′ ) (𝛽 1 × 𝛽 1  Automorphism: 𝒅(𝑌 𝑢 ) encrypts 𝑏(𝑌 𝑢 ) ∈ 𝑆 𝑛,2 , encoding some permutation of (𝛽 1 … 𝛽 ℓ )  Relative to key 𝒕(𝑌 𝑢 )

HE Over Cyclotomic Rings  Also a key-switching operation  For any two 𝐭, 𝐭 ′ ∈ (𝑆 𝑛,𝑟 ) 2 we can publish a key-switching gadget 𝑋[𝒕 → 𝒕 ′ ]  𝑋 used to translate valid 𝐝 wrt 𝐭 into 𝐝 ′ wrt 𝐭 ′  𝐝, 𝐝 ′ encrypt the same plaintext 𝒕, 𝒅 = 𝒕 ′ , 𝒅 ′ + 𝑓 (𝑛𝑝𝑒 𝑟) for some small 𝑓

How Large are 𝑛, 𝑟 ?  Ciphertexts are “noisy” (for security)  noise grows during homomorphic computation  Decryption error if noise grows larger than 𝑟  Must set 𝑟 “much larger” than initial noise  Security relies on LWE-hardness with very large modulus/noise ratio  Dimension ( 𝑛 ) must be large to get hardness (𝑙)  Asymptotically 𝑟 = 𝑞𝑝𝑚𝑧𝑚𝑝𝑕 𝑙 , 𝑛 = Ω  For realistic settings, 𝑟 ≈ 1000, 𝑛 > 10000

Switching to Smaller 𝑛 ?  As we compute, the noise grows  Cipehrtexts have smaller modulus/noise ratio  From a security perspective, it becomes permissible to switch to smaller values of 𝑛  How to do this?  Not even clear what outcome we want here:  Have 𝒅 wrt 𝒕 ∈ (𝑆 𝑛,𝑟 ) 2 , encrypting some 𝑏 ∈ 𝑆 𝑛,2  Want 𝒅′ wrt 𝒕′ ∈ (𝑆 𝑛 ′ ,𝑟 ) 2 for 𝑛 ′ < 𝑛  Encrypting 𝑏 ′ ∈ 𝑆 𝑛 ′ ,2 ??

Ring-Switching: The Goal  We cannot get 𝑏 ′ = 𝑏 since 𝑏 ′ ∈ 𝑆 𝑛 ′ ,2 , 𝑏 ∈ 𝑆 𝑛,2  We want 𝑏 ′ to be “related” to 𝑏  𝑏 ∈ 𝑆 𝑛,2 encodes 𝛽 1 … 𝛽 ℓ ∈ 𝐻𝐺 2 𝑒 ℓ ∈ 𝐻𝐺 2 𝑒 ′ ℓ ′ ′ … 𝛽 ℓ ′  𝑏 ′ ∈ 𝑆 𝑛 ′ ,2 encodes 𝛽 1 ′  May want 𝑏 ′ to encode a subset of the 𝛽 𝑗 ’s?  E.g., the first ℓ ′ of them  Not always possible, only if 𝑒 ′ = 𝑒  What relations between the 𝛽′ 𝑘 , 𝛽 𝑗 ’s are possible?

Prior Work  A limited ring-switching technique was described in [BGV’12]  Only for 𝑛 = 2 𝑜 , 𝑛 ′ = 2 𝑜−1 ′ , 𝒅 𝟑 ′  Transforms big-ring 𝐝 into small-ring 𝒅 𝟐 s.t. 𝑏 (encrypted in 𝐝 ) can be recovered from ′ , 𝑏 2 ′ , 𝒅 𝟑 ′ (encrypted in 𝒅 𝟐 ′ ). 𝑏 1  Used only for bootstrapping

Our Transformation: Overview  Work for any 𝑛, 𝑛 ′ as long as 𝑛 ′ |𝑛  𝐝 wrt 𝐭 ∈ (𝑆 𝑛,𝑟 ) 2  𝐝 ′ wrt 𝐭 ′ ∈ (𝑆 𝑛 ′ ,𝑟 ) 2  𝐝 , 𝐝 ′ encrypt 𝑏, 𝑏′ , that encode vectors: ′ ∈ 𝐻𝐺 2 𝑒 ′ ℓ ′  𝒅 → 𝛽 𝑗 ∈ 𝐻𝐺 2 𝑒 ℓ , 𝐝 ′ → 𝛽 𝑘  Necessarily 𝑒 ′ |𝑒 , so 𝐻𝐺 2 𝑒 ′ a subfield of 𝐻𝐺(2 𝑒 ) ′ is a 𝐻𝐺 2 𝑒 ′ -linear function of some 𝛽 𝑗 ‘s  Each 𝛽 𝑘  We can choose the linear functions, but not the subset of 𝛽 𝑗 ‘ s ′ that correspond to each 𝛽 𝑘  If 𝑒 ′ = 𝑒 , can use projections (so 𝛽 𝑘 ′ ’s a subset of 𝛽 𝑗 ’s)

Our Transformation: Overview Denote 𝐿 = 𝐿 𝑛 , 𝑆 = 𝑆 𝑛 , 𝐿 ′ = 𝐿 𝑛 ′ , 𝑆 ′ = 𝑆 𝑛 ′ Key-switching to map 𝒅 wrt 𝒕  𝒅′ ′ wrt 𝒕′ 1. ′ 2 ⊂ 𝑆 𝑟 2 and 𝒕 ′ ∈ 𝑆 𝑟 2 𝒕 ∈ 𝑆 𝑟  𝒅′ ′ = (𝑑 0 ′′ , 𝑑 1 ′′ ) over the big field, wrt subfield key  Compute a small 𝑠 ∈ 𝑆 𝑟 that depends only on the 2. desired linear functions ′ = Tr 𝐿/𝐿′ 𝑠 ⋅ 𝑑 𝑗 ′′ Apply the trace function, 𝑑 𝑗 3. Output 𝒅 ′ = (𝑑 0 ′ , 𝑑 1 ′ ) 4.

Algebra

Geometry of 𝐿  Use canonical-embedding to associate 𝑣 ∈ 𝐿 with a 𝜚(𝑛) -vector of complex numbers  Thinking of 𝑣 = 𝑣(𝑌) as a polynomial, associate 𝑣 with the vector 𝜏 𝑣 = 𝑣 𝜍 𝑗 ∗ 𝑗∈𝑎 𝑛  𝜍 = 𝑓 2𝜌𝑗/𝑛 , the principal complex 𝑛 ’th root of unity  E.g., if 𝑣 ∈ 𝑅 ⊂ 𝐿 then 𝜏 𝑣 = 𝑣, 𝑣, … , 𝑣  W e can talk about the “size of 𝑣 ”  say the 𝑚 2 or 𝑚 ∞ norm of 𝜏 𝑣  For decryption, the “noise element” must be ≪ 𝑟

Geometry of 𝐿, 𝐿 ′  𝐿 can be expressed as a vector-space over 𝐿 ′ ′ , etc.  Similarly 𝑆 over 𝑆 ′ , 𝑆 𝑟 over 𝑆 𝑟  Every 𝑆 ′ -basis 𝐶 induces a transformation 𝑈 𝐶 : coefficients in 𝑆 ′ ↦ element of 𝑆  With canonical embedding on both sides, we have a 𝐷 -linear transformation 𝑈 𝐶 : 𝐷 𝜚(𝑛) → 𝐷 𝜚(𝑛)  We want a “good basis”, where 𝑈 𝐶 is “short” and “nearly orthogonal”

Geometry of 𝐿, 𝐿 ′  Lemma 1: There exists 𝑆′ -basis 𝐶 of R for which all the singular values of 𝑈 𝐶 are nearly the same.  Specifically 𝑡 1 𝑈 = 𝑡 𝑜 𝑈 ⋅ 𝑔 where 𝑠𝑏𝑒 𝑛 𝑠𝑏𝑒 𝑛 ′ = ∏ primes that divide 𝑛 but not 𝑛 ′ 𝑔 ≤  The proof follows techniques from [LPR13], the basis 𝐶 is essentially a tensor of DFT matrices

The Trace Function  For 𝑣 ∈ 𝐿 , Tr 𝑣 = 𝜏 𝑣 𝑗 ∈ 𝑅 ∗ 𝑗∈𝑎 𝑛  By definition: if 𝑣 is small then so is Tr 𝑣  Tr: 𝐿 → 𝑅 is 𝑅 − linear  𝑀: 𝐿 → 𝑅 is 𝑅 -linear if ∀𝑣, 𝑤 ∈ 𝐿, 𝑟 ∈ 𝑅 , 𝑀 𝑣 + 𝑀 𝑤 = 𝑀(𝑣 + 𝑤) and 𝑀 𝑟 ⋅ 𝑣 = 𝑟 ⋅ 𝑀(𝑣)  The trace is a “universal” 𝑅 -linear function:  For every 𝑅 -linear function 𝑀 there exists 𝜆 ∈ 𝐿 such that 𝑀 𝑣 = Tr 𝜆 ⋅ 𝑣 ∀𝑣 ∈ 𝐿

The Trace Function  The trace Implies also a 𝑎 -linear map Tr: 𝑆 → 𝑎 , and 𝑎 𝑟 -linear map Tr: 𝑆 𝑟 → 𝑎 𝑟  Every 𝑎 -linear map L ∶ 𝑆 → 𝑎 can be written as 𝑀 𝑏 = Tr 𝜆 ⋅ 𝑏  But 𝜆 need not be in 𝑆  More on that later

The Intermediate Trace Function  𝑈𝑠 𝐿/𝐿 ′ : 𝐿 → 𝐿′ when 𝐿 is an extension of 𝐿′  Satisfies 𝑈𝑠 𝐿/𝑅 = 𝑈𝑠 𝐿/𝐿 ′ ∘ 𝑈𝑠 𝐿 ′ /𝑅  Lemma 2: if 𝑣 is small then so is Tr 𝐿/𝐿 ′ 𝑣  Less trivial than for Tr 𝐿/𝑅 but still true  Tr 𝐿/𝐿 ′ is a “universal” 𝐿′ -linear function:  Tr 𝐿/𝐿 ′ : 𝐿 → 𝐿 ′ is 𝐿 ′ − linear  For every 𝐿 ′ -linear function 𝑀 there exists 𝜆 ∈ 𝐿 𝑛 such that 𝑀 𝑣 = Tr K/K ′ 𝜆 ⋅ 𝑣 ∀𝑣 ∈ 𝐿 𝑛  Similarly implies 𝑆′ -linear map 𝑈𝑠 𝐿/𝐿 ′ : 𝑆 → 𝑆′ and ′ -linear map 𝑈𝑠 𝐿/𝐿 ′ : 𝑆 𝑟 → 𝑆 𝑟 ′ 𝑆 𝑟

Some Complications 𝑆 ⊆ 𝑆 ′  Often we get Tr 𝐿 𝐿 ′  Also for many linear functions we get 𝑀 𝑣 = Tr K/K ′ 𝜆 ⋅ 𝑣 where 𝜆 is not in 𝑆  In our setting this will cause problems when we apply the trace to ciphertext elements  That’s (one reason) why ciphertexts are not really vectors over R  Hence the * ‘s throughout the slides

The Dual of 𝑆  Instead of 𝑆 , ciphertext are vectors over the dual 𝑆 ∨ = {𝑏 ∈ 𝐿: ∀ 𝑠 ∈ 𝑆, Tr 𝑏𝑠 ∈ 𝑎}  R ∨ = R/t , R ′∨ = R ′ /t ′ for some t ∈ 𝑆, 𝑢 ′ ∈ 𝑆 ′ R ∨ = 𝑆 ′∨  We have Tr 𝐿 𝐿 ′  Also every R ′ -linear 𝑀: 𝑆 ∨ → 𝑆 ′∨ can be written as 𝑀 𝑏 = 𝑈𝑠 𝐿/𝐿 ′ (𝑠 ⋅ 𝑏) for some 𝑠 ∈ 𝑆  In the rest of this talk we ignore this point, and pretend that everything is over 𝑆

Prime Splitting 𝑓  The integer 2 splits over 𝑆 as 2 = ∏ 𝒒 𝑗 𝑗 ∗ /(2)  𝑗 ranges over 𝐻 = 𝑎 𝑛 𝑗⋅2 𝑘  𝒒 𝑗 is generated by (2, 𝐺 𝑗 𝑌 = ∏ 𝑌 − 𝜂 𝑛 ) 𝑘  In this talk we assume 𝑓 =1 (i.e., 𝑛 is odd)  ℓ = |𝐻| prime ideals, each 𝑆/𝒒 𝑗 ≅ 𝐻𝐺(2 𝑒 )  R 2 = 𝑆/(2) ≅⊕ 𝑗 𝑆/𝒒 𝑗 ≅⊕ 𝑗 𝐻𝐺(2 𝑒 )  Using CRT, each 𝑏 ∈ 𝑆 2 encodes the vector ) ∈ 𝐻𝐺 2 𝑒 ℓ (𝑏 𝑛𝑝𝑒 𝒒 𝑗 1 , … , 𝑏 𝑛𝑝𝑒 𝒒 𝑗 ℓ 𝛽 1 𝛽 ℓ