parameter selection in ring lwe based fully homomorphic
play

Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption - PowerPoint PPT Presentation

May 20, 2023 •196 likes •851 views

Motivation Security Correctness Performance Bibliography Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R.

  1. Motivation Security Correctness Performance Bibliography Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, Sam Scott, and Yuhou Xia London-ish Lattice Coding & Crypto Meeting — September 29, 2017 Parameter selection in Ring-LWE-based FHE – Rachel Player 1/44

  2. Motivation Security Correctness Performance Bibliography Table of Contents 1 Motivation FHE background LWE background 2 Security 3 Correctness 4 Performance 5 Bibliography Rachel Player Parameter selection in Ring-LWE-based FHE 2/44

  3. Motivation Security Correctness Performance Bibliography Setting the scene Lattice-based crypto: Candidate for post-quantum crypto Parameter selection is a drawback Rachel Player Parameter selection in Ring-LWE-based FHE 3/44

  4. Motivation Security Correctness Performance Bibliography Setting the scene Lattice-based crypto: Candidate for post-quantum crypto Parameter selection is a drawback Fully Homomorphic Encryption: Rachel Player Parameter selection in Ring-LWE-based FHE 3/44

  5. Motivation Security Correctness Performance Bibliography Setting the scene Lattice-based crypto: Candidate for post-quantum crypto Parameter selection is a drawback Fully Homomorphic Encryption: the coolest application of lattice-based crypto Rachel Player Parameter selection in Ring-LWE-based FHE 3/44

  6. Motivation Security Correctness Performance Bibliography Setting the scene Lattice-based crypto: Candidate for post-quantum crypto Parameter selection is a drawback Fully Homomorphic Encryption: the coolest application of lattice-based crypto an interesting setting for parameter selection Rachel Player Parameter selection in Ring-LWE-based FHE 3/44

  7. Motivation Security Correctness Performance Bibliography FHE background What is homomorphic encryption? Rachel Player Parameter selection in Ring-LWE-based FHE 4/44

  8. Motivation Security Correctness Performance Bibliography FHE background Achieving homomorphic encryption Rachel Player Parameter selection in Ring-LWE-based FHE 5/44

  9. Motivation Security Correctness Performance Bibliography FHE background Applications of homomorphic encryption Healthcare Genomics Private set intersection Signal processing Machine learning . . . Rachel Player Parameter selection in Ring-LWE-based FHE 6/44

  10. Motivation Security Correctness Performance Bibliography FHE background Is homomorphic encryption practical? First schemes very impractical Rachel Player Parameter selection in Ring-LWE-based FHE 7/44

  11. Motivation Security Correctness Performance Bibliography FHE background Is homomorphic encryption practical? First schemes very impractical Many implementations now exist: HElib SEAL FV-NFLlib, Palisade, HEAAN, cuHE, TFHE, . . . Rachel Player Parameter selection in Ring-LWE-based FHE 7/44

  12. Motivation Security Correctness Performance Bibliography FHE background Is homomorphic encryption practical? First schemes very impractical Many implementations now exist: HElib SEAL FV-NFLlib, Palisade, HEAAN, cuHE, TFHE, . . . Standardisation effort: https://homomorphicencryption.org Rachel Player Parameter selection in Ring-LWE-based FHE 7/44

  13. Motivation Security Correctness Performance Bibliography FHE background Is homomorphic encryption practical? First schemes very impractical Many implementations now exist: HElib SEAL FV-NFLlib, Palisade, HEAAN, cuHE, TFHE, . . . Standardisation effort: https://homomorphicencryption.org Results for specific applications Rachel Player Parameter selection in Ring-LWE-based FHE 7/44

  14. Motivation Security Correctness Performance Bibliography LWE background Learning with Errors (LWE) [R05] = · + s e b A Search: given A and b , recover s Decision: distinguish whether ( A , b ) is chosen as LWE or uniformly at random Rachel Player Parameter selection in Ring-LWE-based FHE 8/44

  15. Motivation Security Correctness Performance Bibliography LWE background Ring LWE definition The ring R q Let n be a power of 2 and define R q = Z q [ x ] / ( x n + 1) Rachel Player Parameter selection in Ring-LWE-based FHE 9/44

  16. Motivation Security Correctness Performance Bibliography LWE background Ring LWE definition The ring R q Let n be a power of 2 and define R q = Z q [ x ] / ( x n + 1) Ring LWE (Decision) Let s ∈ R q be a secret. Let a ← R q be chosen uniformly at random. Let χ be a distribution over R q . Let e ← χ . Distinguish ( a , b = as + e ) ∈ R q × R q from uniformly random ( a , b ) ∈ R q × R q . Rachel Player Parameter selection in Ring-LWE-based FHE 9/44

  17. Motivation Security Correctness Performance Bibliography LWE background Why is n a power of two? Theorem [LPR12] There is a polynomial time quantum reduction from approximate SIVP (Shortest Independent Vector Problem) on ideal lattices in K to Decision Ring-LWE in R given a fixed number of samples, where the error distribution is a fixed spherical Gaussian over the field tensor product K R = K ⊗ Q R . If n = 2 k : easy to implement performance benefit Rachel Player Parameter selection in Ring-LWE-based FHE 10/44

  18. Motivation Security Correctness Performance Bibliography LWE background What are the parameters? A (Ring) LWE instance is specified by: n dimension q modulus α error distribution where the standard deviation σ of χ satisfies σ = α q √ 2 π Rachel Player Parameter selection in Ring-LWE-based FHE 11/44

  19. Motivation Security Correctness Performance Bibliography Table of Contents 1 Motivation 2 Security 3 Correctness 4 Performance 5 Bibliography Rachel Player Parameter selection in Ring-LWE-based FHE 12/44

  20. Motivation Security Correctness Performance Bibliography Is my Ring-LWE-based scheme secure? Parameters n , q , α in the scheme imply an underlying Ring LWE instance Treat Ring LWE instance as an LWE instance Observe that LWE instance is hard to solve Rachel Player Parameter selection in Ring-LWE-based FHE 13/44

  21. Motivation Security Correctness Performance Bibliography LWE based FHE parameters are atypical Typical LWE parameters (Regev) q polynomial in n α q = √ n Rachel Player Parameter selection in Ring-LWE-based FHE 14/44

  22. Motivation Security Correctness Performance Bibliography LWE based FHE parameters are atypical Typical LWE parameters (Regev) q polynomial in n α q = √ n FHE parameters huge q tiny error distribution e.g. α q = 8 small secret � s � = 1 possibly sparse secret Rachel Player Parameter selection in Ring-LWE-based FHE 14/44

  23. Motivation Security Correctness Performance Bibliography So how hard is (small secret) LWE, anyway? Theory LWE with binary secret in dimension n log q is as hard as general LWE in dimension n . [BLP+13,MP13] Many approaches for solving LWE Even more in the case of small and/or sparse secret Rachel Player Parameter selection in Ring-LWE-based FHE 15/44

  24. Motivation Security Correctness Performance Bibliography [APS15] estimator for hardness of LWE instances https://bitbucket.org/malb/lwe-estimator input LWE instance n , q , α output estimates of runtime, memory, samples Can optionally specify: Limited samples [BBGS17] Secret distribution Lattice reduction cost method Rachel Player Parameter selection in Ring-LWE-based FHE 16/44

  25. Motivation Security Correctness Performance Bibliography Running example: SEAL [DGBL+15,LP16,CLP16,CLP17] Homomorphic encryption library Developed by Microsoft Research Current version v2.2, June 2017 Implements FV scheme [FV12] sealcrypto.org Rachel Player Parameter selection in Ring-LWE-based FHE 17/44

  26. Motivation Security Correctness Performance Bibliography FV is IND-CPA secure if Ring LWE is hard $ SecretKeyGen: Output s ← R 2 $ PublicKeyGen: Sample a ← R q , and e ← χ . Output ( p 0 , p 1 ) = ([ − ( as + e )] q , a ) $ Encrypt(( p 0 , p 1 ), m ): Sample u ← R 2 , and e 1 , e 2 ← χ . Output ( c 0 , c 1 ) = ([∆ m + p 0 u + e 1 ] q , [ p 1 u + e 2 ] q ) Rachel Player Parameter selection in Ring-LWE-based FHE 18/44

  27. Motivation Security Correctness Performance Bibliography Choosing SEAL parameters for security Already fixed are n a power of two σ = 3 . 2 some threshold λ Rachel Player Parameter selection in Ring-LWE-based FHE 19/44

  28. Motivation Security Correctness Performance Bibliography Choosing SEAL parameters for security Already fixed are n a power of two σ = 3 . 2 some threshold λ Find an acceptable bit length of q Choose initial bit length K Use [APS15] estimator to determine best attack for n , q = 2 K , α = 8 / q If best attack costs less than λ , decrement K and repeat If best attack costs more than λ , stop Rachel Player Parameter selection in Ring-LWE-based FHE 19/44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30 Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . .

497 views • 48 slides
Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski Vinod Vaikuntanathan (Weizmann) (University of Toronto) CRYPTO 2011 Outsourcing Computation x Function x f f ( x ) medical records

520 views • 15 slides
Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl Fully Homomorphic Encryption (FHE) Supports homomorphic

791 views • 40 slides
Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt 2019 (Fully Homomorphic) Encryption Encryption: used to protect data at rest or in transit Enc( m ) Enc( m ) Enc( m ) Fully Homomorphic

2.2k views • 39 slides
References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf Fully Homomorphic Encryption Gentry, C., Computing arbitrary functions of encrypted

233 views • 7 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole Polytechnique, Universit e Paris-Saclay Applied Cryptography @ ProtonMail Generic homomorphic encryption Gentrys blueprint Second generation

1.07k views • 63 slides
Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A b e 1 LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has small entries from a matrix in A Z q

514 views • 12 slides
Using Fully y Homomorphic Encryp yption for St Statistical Analysi sis s of Categori rical,

Using Fully y Homomorphic Encryp yption for St Statistical Analysi sis s of Categori rical,

Using Fully y Homomorphic Encryp yption for St Statistical Analysi sis s of Categori rical, , Or Ordinal and and Num Numeric ical al Data Wen-jie Lu 1 , Shohei Kawasaki 1 , Jun Sakuma 1,2,3 1. University of Tsukuba, Japan 2. JST

540 views • 30 slides
Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With Errors s where = + A b A r b A e LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has

345 views • 15 slides
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Introduction Previous work Our contribution Conclusion Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS

864 views • 60 slides
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University CRYPTO 2012 Outsourcing Computation () Email, web- search, navigation, social networking Search query,

380 views • 21 slides
A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special Class of Non-Commutative Groups Koji Nuida National Institute of Advanced Industrial Science and Technology (AIST), Japan (Japan Science and

1.24k views • 57 slides
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October 2013 Outsourcing Computation () Email, web- search, navigation, social networking Search query, location, business

1.15k views • 51 slides
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS: DAN BONEH, ROSARIO GENNARO, STEVEN GOLDFEDER, AAYUSH JAIN, SAM KIM, PETER M. R. RASMUSSEN AND AMIT SAHAI Introduction to Characters Thanos: Bad Guy

567 views • 36 slides
INITIAL RFG NATIONAL PARAMETER SELECTION BASED ON DRAFT RFG VERSION DATED 14 JANUARY 2014

INITIAL RFG NATIONAL PARAMETER SELECTION BASED ON DRAFT RFG VERSION DATED 14 JANUARY 2014

INITIAL RFG NATIONAL PARAMETER SELECTION BASED ON DRAFT RFG VERSION DATED 14 JANUARY 2014 DECEMBER 2014 Notes:- Red Text Areas of further work Highlighted text:- Areas of further clarification required Article Requirement Range Suggested

258 views • 10 slides
A simple bonding process of SU-8 to glass to seal a microfluidic device S. G. Serra a , A.

A simple bonding process of SU-8 to glass to seal a microfluidic device S. G. Serra a , A.

A simple bonding process of SU-8 to glass to seal a microfluidic device S. G. Serra a , A. Schneider a , K. Malecki b , S. E. Huq a , W. Brenner b a - Science and Technology Facilities Council, Rutherford Appleton Laboratory, Technology

425 views • 14 slides
Draft Shared Use Paths Inventory and Detailed Maintenance Plan Presented to the Revenue and

Draft Shared Use Paths Inventory and Detailed Maintenance Plan Presented to the Revenue and

Draft Shared Use Paths Inventory and Detailed Maintenance Plan Presented to the Revenue and Transportation Interim Committee 12/1/2015 Purpose House Bill 604, as passed, requires the following: compile an inventory of all multiuse

381 views • 14 slides
Low-power test results and analysis of the modular cavity D. Bowring 1 with A. Haase 2 , T. Luo 3

Low-power test results and analysis of the modular cavity D. Bowring 1 with A. Haase 2 , T. Luo 3

Low-power test results and analysis of the modular cavity D. Bowring 1 with A. Haase 2 , T. Luo 3 , and J. van Pelt 2 1 Fermilab, 2 SLAC, and 3 LBNL May 11-15, 2014 D. Bowring (FNAL) Modular Cavity Status May 11-15, 2014 1 / 18 1.

602 views • 20 slides
Is Fidel Castro Really an American President? On Set Expansion An Example Google Sets Google

Is Fidel Castro Really an American President? On Set Expansion An Example Google Sets Google

Is Fidel Castro Really an American President? On Set Expansion An Example Google Sets Google Sets Google Sets Google Sets Notion Notion Seeds: Barack Obama, Bill Clinton, George Bush Notion Seeds: Barack Obama, Bill Clinton,

1.4k views • 128 slides
S e a l a b l e Me t a o b j e c t s f o r C o m m o n L i s p Ma r

S e a l a b l e Me t a o b j e c t s f o r C o m m o n L i s p Ma r

S e a l a b l e Me t a o b j e c t s f o r C o m m o n L i s p Ma r c o H e i s i g Mo t i v a t i o n (defgeneric two-arg-+ (a b) (:generic-function-class fast-generic-function ) (:method two-arg-+

290 views • 26 slides
Schedule 8:45 Object detec1on 10:15 Spotlights 10:00

Schedule 8:45 Object detec1on 10:15 Spotlights 10:00

Large Scale Visual Recogni1on Challenge (ILSVRC) 2014: Introduc)on Jia Deng

559 views • 28 slides
Recent developments in RegESM modeling system and plans to support higher resolution and

Recent developments in RegESM modeling system and plans to support higher resolution and

Eighth ICTP Workshop on the Theory and Use of Regional Climate Models | 23 May 3 June 2016 Recent developments in RegESM modeling system and plans to support higher resolution and multi-component applications Ufuk UtkuTuruncoglu 1,2 (1)

662 views • 29 slides
Knowledge Representation for the Semantic Web Lecture 8: Answer Set Programming III Daria

Knowledge Representation for the Semantic Web Lecture 8: Answer Set Programming III Daria

The DLV System and its Features Weak Constraints Aggregates DLV Usage: Examples Overview: DLV -Extensions Knowledge Representation for the Semantic Web Lecture 8: Answer Set Programming III Daria Stepanova partially based on slides by Thomas

1.07k views • 103 slides

More recommend