Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
I. Chillotti¹, N. Gama²,¹, M. Georgieva³, M. Izabachène⁴
1 2 3 4
Séminaire GTBAC, Télécom ParisTech, April 6, 2017
1 / 43
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
I. Chillotti¹, N. Gama²,¹, M. Georgieva³, M. Izabachène⁴
1 2 3 4
Séminaire GTBAC, Télécom ParisTech, April 6, 2017
1 / 43
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
2 / 43
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
3 / 43
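Homomorphic Encryption
IDEA: perform computations on encrypted data, without decrypting it. For $b_1, b_2 \in \{0, 1\}$: $\boxed{b_1},\ \boxed{b_2} \longrightarrow \boxed{b_1} \oplus_{\mathrm{hom}} \boxed{b_2} = \boxed{b_1 \oplus b_2}$ and $\boxed{b_1} \wedge_{\mathrm{hom}} \boxed{b_2} = \boxed{b_1 \wedge b_2}$ (a box denotes an encryption of its content).
4 / 43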
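Homomorphic Encryption
More generally, $\boxed{b_1}, \dots, \boxed{b_n} \longrightarrow \varphi_{\mathrm{hom}}(\boxed{b_1}, \dots, \boxed{b_n}) = \boxed{\varphi(b_1, \dots, b_n)}$, where $b_1, \dots, b_n \in \{0, 1\}$ and $\varphi$ is a boolean circuit (a box denotes an encryption of its content).
5 / 43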
Homomorphic Encryption
A Homomorphic Encryption scheme is composed of 4 algorithms: Key Generation KeyGen : Decryption Dec (deterministic) : Encryption Enc (randomized) : such that Dec
6 / 43
Homomorphic Encryption
A Homomorphic Encryption scheme is composed of 4 algorithms: Key Generation KeyGen : $\lambda \to (sk, pk)$ Decryption Dec (deterministic) : Encryption Enc (randomized) : such that Dec
6 / 43
Homomorphic Encryption
A Homomorphic Encryption scheme is composed of 4 algorithms: Key Generation KeyGen : $\lambda \to (sk, pk)$ Decryption Dec (deterministic) : $(c, sk) \to m$ Encryption Enc (randomized) : such that Dec
6 / 43
Homomorphic Encryption
A Homomorphic Encryption scheme is composed of 4 algorithms:
Key Generation KeyGen: $\lambda \to (sk, pk)$
Decryption Dec (deterministic): $(c, sk) \to m$
Encryption Enc (randomized): $(m, pk) \to c$, such that $\mathrm{Dec}(c, sk) = m$
6 / 43
Homomorphic Encryption
Evaluation Eval (possibly randomized): $(\varphi, c_1, \dots, c_k) \to c$ such that $\mathrm{Dec}(c, sk) = \varphi(m_1, \dots, m_k)$
Diagram: messages $m_1, \dots, m_k$ with ciphertexts $c_1, \dots, c_k$; $\mathrm{Eval}(\varphi, \dots)$ outputs $c$, which corresponds to $\varphi(m_1, \dots, m_k)$.
A scheme that can homomorphically evaluate all functions/circuits is said to be Fully Homomorphic (FHE).
7 / 43
Homomorphic Encryption
Evaluation Eval (possibly randomized): $(\varphi, c_1, \dots, c_k) \to c$ such that $\mathrm{Dec}(c, sk) = \varphi(m_1, \dots, m_k)$
Diagram: messages $m_1, \dots, m_k$ with ciphertexts $c_1, \dots, c_k$; $\mathrm{Eval}(\varphi, \dots)$ outputs $c$, which corresponds to $\varphi(m_1, \dots, m_k)$.
A scheme that can homomorphically evaluate all functions/circuits is said to be Fully Homomorphic (FHE).
7 / 43
Applications
8 / 43
Applications
Statistical computations on sensitive data
8 / 43
Applications
Statistical computations on sensitive data; Secure multiparty computation
8 / 43
Applications
Statistical computations on sensitive data; Secure multiparty computation; Electronic voting
8 / 43
Applications
Statistical computations on sensitive data; Secure multiparty computation; Electronic voting; Cloud computing
8 / 43
Applications
Statistical computations on sensitive data; Secure multiparty computation; Electronic voting; Cloud computing; and even more...
8 / 43
A world full of noise...
anim.html
9 / 43
Bootstrapping now
c1 cℓ ciphertext secret key c2 . . . . . . message bits bits k1 kn k2 Decryption circuit (public)
10 / 43
Bootstrapping now
c1 cℓ ciphertext secret key c2 . . . . . . message bits bits k1 kn k2 Decryption circuit (public) encrypted encrypted Decryption circuit (public) hom.
10 / 43
Bootstrapping now
Bootstrapping is the most expensive part of the entire homomorphic procedure. Original idea by Gentry [Gen09]. In recent years: work to reduce the execution time and memory consumption ...but a lot remains to be done!
11 / 43
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
12 / 43
LWE
LWE = Learning With Errors [Reg05]; Ring-LWE [LPR10]
In our paper
LWE: definition similar to [BLPRS13],[CS15],[CGGI16]; TLWE: generalized definition similar to [BGV12]
13 / 43
LWE
LWE = Learning With Errors [Reg05]; Ring-LWE [LPR10]
In our paper
LWE: definition similar to [BLPRS13],[CS15],[CGGI16]; TLWE: generalized definition similar to [BGV12]
13 / 43
The real torus $\mathbb{T} = \mathbb{R}/\mathbb{Z} = \mathbb{R} \bmod 1$
$(\mathbb{T}, +, \cdot)$ is a $\mathbb{Z}$-module ($\cdot : \mathbb{Z} \times \mathbb{T} \to \mathbb{T}$ a valid external product) It is a group: and It is a -module: is defined! It is not a Ring: is not defined!
Vectors/matrices
By extension, is a -module
14 / 43
The real torus $\mathbb{T} = \mathbb{R}/\mathbb{Z} = \mathbb{R} \bmod 1$
$(\mathbb{T}, +, \cdot)$ is a $\mathbb{Z}$-module ($\cdot : \mathbb{Z} \times \mathbb{T} \to \mathbb{T}$ a valid external product) ✔ It is a group: $x + y \bmod 1$ and $-x \bmod 1$ It is a -module: is defined! It is not a Ring: is not defined!
Vectors/matrices
By extension, is a -module
14 / 43
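The real torus $\mathbb{T} = \mathbb{R}/\mathbb{Z} = \mathbb{R} \bmod 1$
$(\mathbb{T}, +, \cdot)$ is a $\mathbb{Z}$-module ($\cdot : \mathbb{Z} \times \mathbb{T} \to \mathbb{T}$ a valid external product) ✔ It is a group: $x + y \bmod 1$ and $-x \bmod 1$ ✔ It is a $\mathbb{Z}$-module: $0 \cdot \tfrac{1}{2} = 0$ is defined!
It is not a Ring: is not defined!
Vectors/matrices
By extension, is a -module
14 / 43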
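The real torus $\mathbb{T} = \mathbb{R}/\mathbb{Z} = \mathbb{R} \bmod 1$
$(\mathbb{T}, +, \cdot)$ is a $\mathbb{Z}$-module ($\cdot : \mathbb{Z} \times \mathbb{T} \to \mathbb{T}$ a valid external product) ✔ It is a group: $x + y \bmod 1$ and $-x \bmod 1$ ✔ It is a $\mathbb{Z}$-module: $0 \cdot \tfrac{1}{2} = 0$ is defined!
✘ It is not a Ring: $0 \times \tfrac{1}{2}$ is not defined!
Vectors/matrices
By extension, is a -module
14 / 43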
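The real torus $\mathbb{T} = \mathbb{R}/\mathbb{Z} = \mathbb{R} \bmod 1$
$(\mathbb{T}, +, \cdot)$ is a $\mathbb{Z}$-module ($\cdot : \mathbb{Z} \times \mathbb{T} \to \mathbb{T}$ a valid external product)
✔ It is a group: $x + y \bmod 1$ and $-x \bmod 1$
✔ It is a $\mathbb{Z}$-module: $0 \cdot \tfrac{1}{2} = 0$ is defined!
✘ It is not a Ring: $0 \times \tfrac{1}{2}$ is not defined!
Vectors/matrices
By extension, $(\mathbb{T}^n, +, \cdot)$ is a $\mathbb{Z}$-module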
−2 4
1 −2 3 4 5 · 0.252 0.672 0.231 0.991 = 3 −2 4 × 1 −2 3 4 5 · 0.252 0.672 0.231 0.991
Torus polynomials $\mathbb{T}_N[X]$
$(\mathbb{T}_N[X], +, \cdot)$ is an $R$-module. Here, $R = \mathbb{Z}[X]/(X^N + 1)$ and $\mathbb{T}_N[X] = \mathbb{T}[X] \bmod (X^N + 1)$
Examples
Decompose over with small coefs
15 / 43
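Torus polynomials $\mathbb{T}_N[X]$
$(\mathbb{T}_N[X], +, \cdot)$ is an $R$-module. Here, $R = \mathbb{Z}[X]/(X^N + 1)$ and $\mathbb{T}_N[X] = \mathbb{T}[X] \bmod (X^N + 1)$
Examples
$(1 + 2X) \cdot \left(\tfrac{1}{3} + \tfrac{4}{7}X\right) =$
Decompose over with small coefs
15 / 43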
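Torus polynomials $\mathbb{T}_N[X]$
$(\mathbb{T}_N[X], +, \cdot)$ is an $R$-module. Here, $R = \mathbb{Z}[X]/(X^N + 1)$ and $\mathbb{T}_N[X] = \mathbb{T}[X] \bmod (X^N + 1)$
Examples
$(1 + 2X) \cdot \left(\tfrac{1}{3} + \tfrac{4}{7}X\right) = \left(\tfrac{4}{21} + \tfrac{5}{21}X\right) \bmod (X^2 + 1) \bmod 1$
Decompose over with small coefs
15 / 43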
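Torus polynomials $\mathbb{T}_N[X]$
$(\mathbb{T}_N[X], +, \cdot)$ is an $R$-module. Here, $R = \mathbb{Z}[X]/(X^N + 1)$ and $\mathbb{T}_N[X] = \mathbb{T}[X] \bmod (X^N + 1)$
Examples
$(1 + 2X) \cdot \left(\tfrac{1}{3} + \tfrac{4}{7}X\right) = \left(\tfrac{4}{21} + \tfrac{5}{21}X\right) \bmod (X^2 + 1) \bmod 1$
Decompose $\left(\tfrac{3}{8} + \tfrac{7}{8}X\right)$ over $\left[\tfrac{1}{2}, \tfrac{1}{4}, \tfrac{1}{8}\right]$ with small coefs
15 / 43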
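Torus polynomials $\mathbb{T}_N[X]$
$(\mathbb{T}_N[X], +, \cdot)$ is an $R$-module. Here, $R = \mathbb{Z}[X]/(X^N + 1)$ and $\mathbb{T}_N[X] = \mathbb{T}[X] \bmod (X^N + 1)$
Examples
$(1 + 2X) \cdot \left(\tfrac{1}{3} + \tfrac{4}{7}X\right) = \left(\tfrac{4}{21} + \tfrac{5}{21}X\right) \bmod (X^2 + 1) \bmod 1$
Decompose $\left(\tfrac{3}{8} + \tfrac{7}{8}X\right)$ over $\left[\tfrac{1}{2}, \tfrac{1}{4}, \tfrac{1}{8}\right]$ with small coefs:
$\left(\tfrac{3}{8} + \tfrac{7}{8}X\right) = (0 + X) \cdot \tfrac{1}{2} + (1 + X) \cdot \tfrac{1}{4} + (1 + X) \cdot \tfrac{1}{8}$
15 / 43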
LWE symmetric encryption
LWE Encryption
1. Choose
2. Choose a random mask 3. Return the locked representation
16 / 43
LWE symmetric encryption
1/3 2/3 Example: $\mathcal{M} = \{0, 1/3, 2/3\} \bmod 1$, $\mu = 1/3 \bmod 1 \in \mathcal{M}$
LWE Encryption
1. Choose
2. Choose a random mask 3. Return the locked representation
16 / 43
LWE symmetric encryption
1/3 2/3 Example: $\mathcal{M} = \{0, 1/3, 2/3\} \bmod 1$, $\mu = 1/3 \bmod 1 \in \mathcal{M}$ ( , $\varphi$)
LWE Encryption
1. Choose $\varphi = \mu +$ Gaussian Error 2. Choose a random mask 3. Return the locked representation
16 / 43
LWE symmetric encryption
1/3 2/3 Example: $\mathcal{M} = \{0, 1/3, 2/3\} \bmod 1$, $\mu = 1/3 \bmod 1 \in \mathcal{M}$; $a$, $(a, \varphi)$
LWE Encryption
1. Choose $\varphi = \mu +$ Gaussian Error 2. Choose a random mask $a \in \mathbb{T}^n$ 3. Return the locked representation
16 / 43
LWE symmetric encryption
Example: $\mathcal{M} = \{0, 1/3, 2/3\} \bmod 1$, $\mu = 1/3 \bmod 1 \in \mathcal{M}$. Secret key: $s \in \{0, 1\}^n$; $(a, \varphi) \mapsto (a, b)$ with $b = s \cdot a + \varphi$.
LWE Encryption
1. Choose $\varphi = \mu +$ Gaussian Error 2. Choose a random mask $a \in \mathbb{T}^n$ 3. Return the locked representation $(a, b)$
16 / 43
LWE symmetric encryption
$a$, $(a, b)$; secret key: $s \in \{0, 1\}^n$
LWE Decryption
1. Unlock the representation 2. Round to the nearest message 3. plouf!
16 / 43
LWE symmetric encryption
$(a, b) \mapsto (a, \varphi)$; secret key: $s \in \{0, 1\}^n$; $\varphi = b - s \cdot a$
LWE Decryption
1. Unlock the representation $(a, \varphi)$ 2. Round to the nearest message 3. plouf!
16 / 43
LWE symmetric encryption
$(a, b) \mapsto (a, \varphi)$; secret key: $s \in \{0, 1\}^n$; $\varphi = b - s \cdot a$ (diagram marks: 1/3, 2/3)
LWE Decryption
1. Unlock the representation $(a, \varphi)$ 2. Round $\varphi$ to the nearest message $\mu \in \mathcal{M}$ 3. plouf!
16 / 43
LWE symmetric encryption
$(a, \varphi) \leftrightarrow (a, b)$: $b = s \cdot a + \varphi$; secret key: $s \in \{0, 1\}^n$; $\varphi = b - s \cdot a$
16 / 43
LWE symmetric encryption
$(a, b)$: $b = s \cdot a + \varphi$; secret key: $s \in \{0, 1\}^n$; $\varphi = b - s \cdot a$
Trivial LWE samples
LWE samples with mask $a = 0$ are trivial (then $b = \varphi$, so the sample can be read without the secret key). They never occur in general ...but are still worth mentioning!
16 / 43
LWE
Homomorphic Properties
a a′ a′′ + = b′′ b b′ x a′′ = x · a + y · a′ b′′ = x · b + y · b′ y
17 / 43
LWE
Homomorphic Properties
a a′ a′′ + = b′′ b b′ x a′′ = x · a + y · a′ b′′ = x · b + y · b′ y a a′′ a′ + = ϕ′′ ϕ ϕ′ ϕ′′ = x · ϕ + y · ϕ′ x y
17 / 43
LWE
Homomorphic Properties
a a′ a′′ + = b′′ b b′ x a′′ = x · a + y · a′ b′′ = x · b + y · b′ y a a′′ a′ + = ϕ′′ ϕ ϕ′ ϕ′′ = x · ϕ + y · ϕ′ x y µ′′ µ = E(ϕ) µ′ µ′′ = x · µ + y · µ′ µ′′ µ = E(ϕ) µ′ µ′′ = x · µ + y · µ′
17 / 43
LWE
Homomorphic Properties
a a′ a′′ + = b′′ b b′ x a′′ = x · a + y · a′ b′′ = x · b + y · b′ y a a′′ a′ + = ϕ′′ ϕ ϕ′ ϕ′′ = x · ϕ + y · ϕ′ x y µ′′ µ = E(ϕ) µ′ µ′′ = x · µ + y · µ′ µ′′ µ = E(ϕ) µ′ µ′′ = x · µ + y · µ′ α′′ α = stdev(ϕ) α′ α′′2 = x2α2 + y2α′2
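17 / 43
LWE
Homomorphic Properties
Linear combination of samples: $x \cdot (a, b) + y \cdot (a', b') = (a'', b'')$ with $a'' = x \cdot a + y \cdot a'$ and $b'' = x \cdot b + y \cdot b'$. Phases: $\varphi'' = x \cdot \varphi + y \cdot \varphi'$. Messages, with $\mu = E(\varphi)$: $\mu'' = x \cdot \mu + y \cdot \mu'$. Noise, with $\alpha = \mathrm{stdev}(\varphi)$: $\alpha''^2 = x^2 \alpha^2 + y^2 \alpha'^2$ (variances add in this way when the two errors are independent). Ω: The only proba. space where this intuitive picture makes sense!
17 / 43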
LWE
LWE = Learning With Errors [Reg05]; Ring-LWE [LPR10]
In our paper
LWE: definition similar to [BLPRS13],[CS15],[CGGI16]; TLWE: generalized definition similar to [BGV12]
18 / 43
LWE
LWE = Learning With Errors [Reg05]; Ring-LWE [LPR10]
In our paper
LWE: definition similar to [BLPRS13],[CS15],[CGGI16]; TLWE: generalized definition similar to [BGV12]
18 / 43
TLWE Encryption
T
N[X]k+1
H
TLWE Samples ϕs : T
N[X]k+1 → T N[X]
(a, b) → b − s · a
19 / 43
TLWE Encryption
T
N[X]k+1
H
TLWE Samples Trivial {(0, µ)}
M
µ Im ϕs isom samples ϕs : T
N[X]k+1 → T N[X]
(a, b) → b − s · a
19 / 43
TLWE Encryption
Homogeneous ker ϕs
Γ
samples
T
N[X]k+1
H
TLWE Samples Trivial {(0, µ)}
M
µ Im ϕs isom samples ϕs : T
N[X]k+1 → T N[X]
(a, b) → b − s · a
19 / 43
TLWE Encryption
Homogeneous ker ϕs
Γ
samples
T
N[X]k+1
H
TLWE Samples Trivial {(0, µ)}
M
µ Im ϕs isom samples ϕs : T
N[X]k+1 → T N[X]
(a, b) → b − s · a encrypt: add z ∈ ker ϕs µ c = z + (0, µ) decrypt: apply ϕs c µ = ϕs(c)
19 / 43
TLWE Encryption
(Approx of R-module) Homogeneous ker ϕs
Γ
samples
T
N[X]k+1
H
TLWE Samples Trivial {(0, µ)}
M
µ Im ϕs isom samples ϕs : T
N[X]k+1 → T N[X]
(a, b) → b − s · a encrypt: add approx(z ∈ ker ϕs) µ c = z + (0, µ) decrypt: apply ϕs... c approx(µ) = ϕs(c)
19 / 43
TLWE Encryption
(Approx of R-module) Homogeneous ker ϕs
Γ
samples
T
N[X]k+1
H
TLWE Samples Trivial {(0, µ)}
M
µ  Im ϕs  isom  samples
$\varphi_s : \mathbb{T}_N[X]^{k+1} \to \mathbb{T}_N[X]$, $(a, b) \mapsto b - s \cdot a$
encrypt: add approx($z \in \ker \varphi_s$): $\mu \mapsto c = z + (0, \mu)$; decrypt: apply $\varphi_s$: $c \mapsto \mathrm{approx}(\mu) = \varphi_s(c)$
How to recover $\mu$ exactly? Option 1 (the Ω-space logic): $\mu = E(\varphi_s(c))$ (in the relevant proba. space). Option 2 (the logic of the decryption algorithm): $\mu = \mathrm{round}(\varphi_s(c))$, on a given finite message space $\mathcal{M}$.
19 / 43
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
20 / 43
We want FHE! What is still missing to have Fully Homomorphic Encryption?
Relies on a gadget decomposition function
In this talk
Abstraction of [GSW13] by [GINX16]; TGSW: "GSW" on
21 / 43
We want FHE! What is still missing to have Fully Homomorphic Encryption?
Relies on a gadget decomposition function
In this talk
Abstraction of [GSW13] by [GINX16]; TGSW: "GSW" on
21 / 43
We want FHE! What is still missing to have Fully Homomorphic Encryption?
Relies on a gadget decomposition function
In this talk
Abstraction of [GSW13] by [GINX16]; TGSW: "GSW" on $\mathbb{T}$
21 / 43
TGSW: The gadget
$v = (v_1 \mid \dots \mid v_{k+1}) \in H$, and
$$h = \begin{pmatrix} 1/2 & \cdots & 0 \\ 1/2^2 & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 1/2^{\ell} & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & 1/2 \\ 0 & \cdots & 1/2^2 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & 1/2^{\ell} \end{pmatrix}$$
$h$ generating family of $H$
$h \in \mathcal{M}_{\ell', k+1}(\mathbb{T}_N[X])$; $h$ is block diagonal, super-increasing. We are able to decompose elements in the sub-module $H$. The coefficients in the decomposition are small. Approximated decomposition (up to some precision parameters): improves time and memory requirements for a small amount of additional noise.
22 / 43
TGSW
Parameters: Let $H = \mathbb{T}_N[X]^k \times \mathbb{T}_N[X]$; $h = (h_1, \dots, h_l) \in H^{\ell'}$ a super-increasing generating family of $H$; $Dec_h$ the "small" decomposition function from $H \to R^{\ell'}$ ($R = \mathbb{Z}[X]/(X^N + 1)$) such that $Dec_h(x) \cdot h = x$ for all $x \in H$; $\Gamma = \ker \varphi_s$ denotes homogeneous TLWE samples
Encryption:
where
Homomorphic operations:
Let and Linear combinations: encrypts ( ) Multiplication : encrypts
23 / 43
TGSW
Parameters: Let $H = \mathbb{T}_N[X]^k \times \mathbb{T}_N[X]$; $h = (h_1, \dots, h_l) \in H^{\ell'}$ a super-increasing generating family of $H$; $Dec_h$ the "small" decomposition function from $H \to R^{\ell'}$ ($R = \mathbb{Z}[X]/(X^N + 1)$) such that $Dec_h(x) \cdot h = x$ for all $x \in H$; $\Gamma = \ker \varphi_s$ denotes homogeneous TLWE samples
Encryption:
$C = Z + \mu \cdot h$ where $Z \in \Gamma^{\ell'}$
Homomorphic operations:
Let and Linear combinations: encrypts ( ) Multiplication : encrypts
23 / 43
TGSW
Parameters: Let $H = \mathbb{T}_N[X]^k \times \mathbb{T}_N[X]$; $h = (h_1, \dots, h_l) \in H^{\ell'}$ a super-increasing generating family of $H$; $Dec_h$ the "small" decomposition function from $H \to R^{\ell'}$ ($R = \mathbb{Z}[X]/(X^N + 1)$) such that $Dec_h(x) \cdot h = x$ for all $x \in H$; $\Gamma = \ker \varphi_s$ denotes homogeneous TLWE samples
Encryption:
$C = Z + \mu \cdot h$ where $Z \in \Gamma^{\ell'}$
Homomorphic operations:
Let $C_1 = Z_1 + \mu_1 \cdot h$ and $C_2 = Z_2 + \mu_2 \cdot h$. Linear combinations: $\delta_1 C_1 + \delta_2 C_2$ encrypts $\delta_1 \mu_1 + \delta_2 \mu_2$ ($\delta_i \in R$). Multiplication: $Dec_h(C_1) \cdot C_2$ encrypts $\mu_1 \mu_2$
23 / 43
Toy example (without noise)
ϕs = ·4
1 100Z/Z 1 4Z/Z
1 25Z/Z
Imϕs
( i s
)
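Parameters
$H = \frac{1}{100}\mathbb{Z}/\mathbb{Z} = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \oplus \frac{1}{25}\mathbb{Z}/\mathbb{Z}$ (is a $\mathbb{Z}$-module)
$h = \left(\frac{1}{100}, \frac{2}{100}, \frac{5}{100}, \frac{10}{100}, \frac{20}{100}, \frac{50}{100}\right)$
$\Gamma = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \subset H$: modulo of the code
Samples
24 / 43
Toy example (without noise)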
ϕs = ·4
1 100Z/Z 1 4Z/Z
1 25Z/Z
Imϕs
( i s
)
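Parameters
$H = \frac{1}{100}\mathbb{Z}/\mathbb{Z} = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \oplus \frac{1}{25}\mathbb{Z}/\mathbb{Z}$ (is a $\mathbb{Z}$-module)
$h = \left(\frac{1}{100}, \frac{2}{100}, \frac{5}{100}, \frac{10}{100}, \frac{20}{100}, \frac{50}{100}\right)$
$\Gamma = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \subset H$: modulo of the code
Samples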
C1 = 32 100, 14 100, 60 100, 45 100, 90 100, 100
1 4, 0 4, 1 4, 3 4, 2 4, 2 4
C2 = 73 100, 21 100, 40 100, 5 100, 35 100, 50 100
3 4, 1 4, 2 4, 1 4, 3 4, 2 4
24 / 43
Toy example (without noise)
Multiplication: Dec_h(C1) · C2 = 1 1 1 2 1 1 1 1 2 2 1 73/100 21/100 40/100 5/100 35/100 50/100 = 61 100, 47 100, 55 100, 10 100, 20 100, 0 100
61 100, 47 100, 55 100, 10 100, 20 100, 0 100
2 4, 1 4, 0 4, 0 4, 0 4, 2 4
25 / 43
Toy example (without noise)
Multiplication: Dec_h(C1) · C2 = 1 1 1 2 1 1 1 1 2 2 1 73/100 21/100 40/100 5/100 35/100 50/100 = 61 100, 47 100, 55 100, 10 100, 20 100, 0 100
61 100, 47 100, 55 100, 10 100, 20 100, 0 100
2 4, 1 4, 0 4, 0 4, 0 4, 2 4
25 / 43
TLWE and TGSW
Γ= ker ϕs
ϕs
H
TLWE
M
T
N[X]
i s
26 / 43
TLWE and TGSW
Γ= ker ϕs
ϕs
H
TLWE
M
T
N[X]
i s
Hℓ′
TGSW
Γℓ′
R · h R
26 / 43
TLWE and TGSW
Γ= ker ϕs
ϕs
H
TLWE
M
T
N[X]
i s
Hℓ′
TGSW
Γℓ′
R · h R
$e \cdot \mathrm{TGSW}(A)$ is a TLWE of $A \cdot \varphi_s(e \cdot h)$, $\forall e \in R^{\ell'}$; $\forall A \in R,\ \forall b \in \mathbb{T}_N[X]$:
26 / 43
TLWE and TGSW
Γ= ker ϕs
ϕs
H
TLWE
M
T
N[X]
i s
Hℓ′
TGSW
Γℓ′
R · h R
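$e \cdot \mathrm{TGSW}(A)$ is a TLWE of $A \cdot \varphi_s(e \cdot h)$, $\forall e \in R^{\ell'}$
$\forall A \in R,\ \forall b \in \mathbb{T}_N[X]$: $\Longrightarrow \mathrm{Decomp}_h(\mathrm{TLWE}(b)) \cdot \mathrm{TGSW}(A)$ is a TLWE of $A \cdot b$
26 / 43
Toy example (WITH noise)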
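Parameters
$H = \frac{1}{100}\mathbb{Z}/\mathbb{Z} = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \oplus \frac{1}{25}\mathbb{Z}/\mathbb{Z}$ (is a $\mathbb{Z}$-module)
$h = \left(\frac{1}{100}, \frac{2}{100}, \frac{5}{100}, \frac{10}{100}, \frac{20}{100}, \frac{50}{100}\right)$
$\Gamma = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \subset H$: modulo of the code
Samples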
C1 = 31 100, 16 100, 63 100, 46 100, 89 100, 100
1 4, 0 4, 1 4, 3 4, 2 4, 2 4
100, 2 100, 3 100, 1 100, − 1 100, 1 100
C2 = 71 100, 23 100, 37 100, 5 100, 33 100, 48 100
3 4, 1 4, 2 4, 1 4, 3 4, 2 4
100, 2 100, − 3 100, 100, − 2 100, − 2 100
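27 / 43
Toy example (WITH noise)
Parameters
$H = \frac{1}{100}\mathbb{Z}/\mathbb{Z} = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \oplus \frac{1}{25}\mathbb{Z}/\mathbb{Z}$ (is a $\mathbb{Z}$-module)
$h = \left(\frac{1}{100}, \frac{2}{100}, \frac{5}{100}, \frac{10}{100}, \frac{20}{100}, \frac{50}{100}\right)$
$\Gamma = \frac{1}{4}\mathbb{Z}/\mathbb{Z} \subset H$: modulo of the code
Samples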
C1 = 31 100, 16 100, 63 100, 46 100, 89 100, 100
1 4, 0 4, 1 4, 3 4, 2 4, 2 4
100, 2 100, 3 100, 1 100, − 1 100, 1 100
C2 = 71 100, 23 100, 37 100, 5 100, 33 100, 48 100
3 4, 1 4, 2 4, 1 4, 3 4, 2 4
100, 2 100, − 3 100, 100, − 2 100, − 2 100
27 / 43
Toy example (WITH noise)
Multiplication: Dec_h(C1,1) · C2 = [ 1
1 1 0 ]
71/100 23/100 37/100 5/100 33/100 48/100
Dech(C1,1) · C2 = 9 100
9 100
4
2 100
28 / 43
Product
External product (found independently by [BP16]) $\boxdot : \mathrm{TGSW} \times \mathrm{TLWE} \to \mathrm{TLWE}$, $(A, b) \mapsto A \boxdot b = Dec_{h,\beta,\epsilon}(b) \cdot A$, $(\mu_A, \mu_b) \mapsto \mu_A \cdot \mu_b$, where $Dec_{h,\beta,\epsilon}$ is the approximate gadget decomposition. Internal product (classical) . . .
29 / 43
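Product
External product (found independently by [BP16]) $\boxdot : \mathrm{TGSW} \times \mathrm{TLWE} \to \mathrm{TLWE}$, $(A, b) \mapsto A \boxdot b = Dec_{h,\beta,\epsilon}(b) \cdot A$, $(\mu_A, \mu_b) \mapsto \mu_A \cdot \mu_b$, where $Dec_{h,\beta,\epsilon}$ is the approximate gadget decomposition.
Internal product (classical) $\boxtimes : \mathrm{TGSW} \times \mathrm{TGSW} \to \mathrm{TGSW}$, $(A, B) \mapsto A \boxtimes B = \begin{bmatrix} A \boxdot b_1 \\ \vdots \\ A \boxdot b_{(k+1)\ell} \end{bmatrix}$, $(\mu_A, \mu_B) \mapsto \mu_A \cdot \mu_B$
29 / 43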
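Product
Diagram: T-GSW (message $\mu_A$, noise $\eta_A$) $\boxdot$ T-LWE (message $\mu_b$, noise $\eta_b$) $\to$ T-LWE (message $\mu_A \cdot \mu_b$, noise $\|\mu_A\|_1 \eta_b + O(\eta_A)$).
$\|\mathrm{Err}(A \boxdot b)\|_\infty \le \ell' N \beta\, \eta_A + \|\mu_A\|_1 (1 + kN)\, \epsilon + \|\mu_A\|_1\, \eta_b$, where $\beta$ and $\epsilon$ are the parameters used in the decomposition $Dec_{h,\beta,\epsilon}(b)$.
30 / 43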
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
31 / 43
Faster bootstrapping
We applied our result to the fast bootstrapping proposed by Ducas and Micciancio (Eurocrypt 2015) [DM15]: homomorphic NAND gate with fast bootstrapping in ∼ 0.69 seconds. We replaced all the internal products in the bootstrapping procedure with the external one. Result: (with further optimizations) we had a speed-up of a factor (bootstrapping in seconds)
32 / 43
Faster bootstrapping
We applied our result to the fast bootstrapping proposed by Ducas and Micciancio (Eurocrypt 2015) [DM15]: homomorphic NAND gate with fast bootstrapping in ∼ 0.69 seconds. We replaced all the internal products in the bootstrapping procedure with the external one. Result: (with further optimizations) we had a speed-up of a factor ∼ 12 (bootstrapping in ∼ 0.052 seconds)
32 / 43
Bootstrapping
1/2  1/4  3/4
33 / 43
Bootstrapping
1/2  1/4  3/4
33 / 43
Bootstrapping
1/2  1/4  3/4
[Gentry09]-style bootstrap
33 / 43
Bootstrapping
1/2  1/4  3/4
[Gentry09]-style bootstrap
33 / 43
Bootstrapping
1/2  1/4  3/4
[DM15]-style bootstrap
33 / 43
false := LWE(−1/8), noise < 1/16
1/2  1/4  3/4  1/8  −1/8
34 / 43
true := LWE(+1/8), noise < 1/16
1/2  1/4  3/4  1/8  −1/8
34 / 43
= + c1 c2
1/2  1/4  3/4  1/8  −1/8
34 / 43
c1 c2 NAND( , ) : return false return true
1/2  1/4  3/4  1/8  −1/8
34 / 43
c1 c2 NAND( , ) : return false return true
1/2  1/4  3/4  1/8  −1/8
34 / 43
1/2  1/4  3/4
[DM15/BR15]-(revisited) [. . . ] $v_0, v_1, v_2, \dots, v_i, v_{i+1}, \dots, v_{2N-1}$
34 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by positions the coefficients
( ) when is known ( ) when is unknown
How to rotate by ?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by positions the coefficients
( ) when is known ( ) when is unknown
How to rotate by ?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
( ) when is known ( ) when is unknown
How to rotate by ?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known ( ) when is unknown
How to rotate by ?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by ?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by $-\varphi_s(a, b) = -b + \sum_{i=1}^{n} a_i s_i$?
1. Multiply by 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by $-\varphi_s(a, b) = -b + \sum_{i=1}^{n} a_i s_i$?
1. Multiply by $X^{-b}$ 2. For
multiply by
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by $-\varphi_s(a, b) = -b + \sum_{i=1}^{n} a_i s_i$?
1. Multiply by $X^{-b}$ 2. For $i \in [1, n]$ multiply by $\mathrm{TGSW}(X^{-a_i s_i})$
with , where BK
35 / 43
Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by $-\varphi_s(a, b) = -b + \sum_{i=1}^{n} a_i s_i$?
1. Multiply by $X^{-b}$ 2. For $i \in [1, n]$ multiply by $\mathrm{TGSW}(X^{-a_i s_i})$
$X^{a_i s_i} = 1 + (X^{a_i} - 1) \cdot s_i$, with $s_i \in \{0, 1\}$ , where BK
35 / 43
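Bootstrapping Algorithm (animation)
Bootstrapping algorithm of $(a, b)$
1. Start from (a trivial) $\mathrm{TLWE}(v_0 + v_1 X + \dots + v_{N-1} X^{N-1})$ [a] 2. Rotate it by $p = -\varphi_s(a, b)$ positions 3. Extract the constant term (which encrypts $v_p$)
[a] $N$ coefs mod $X^N + 1$ can be viewed as $2N$ coefs mod $X^{2N} - 1$ s.t. $v_{N+i} = -v_i$
Rotate by $p$ positions the coefficients $c \in \mathrm{TLWE}$
($X^p \cdot c$) when $p$ is known; ($\mathrm{TGSW}(X^p) \boxdot c$) when $p$ is unknown
How to rotate by $-\varphi_s(a, b) = -b + \sum_{i=1}^{n} a_i s_i$?
1. Multiply by $X^{-b}$ 2. For $i \in [1, n]$ multiply by $\mathrm{TGSW}(X^{-a_i s_i})$
$X^{a_i s_i} = 1 + (X^{a_i} - 1) \cdot s_i$, with $s_i \in \{0, 1\}$; $\mathrm{TGSW}(X^{a_i s_i}) = h + (X^{a_i} - 1) \cdot \mathrm{TGSW}(s_i)$, where $\mathrm{BK} = \mathrm{TGSW}(s_i)$ (i.e. BK consists of TGSW encryptions of the secret-key bits $s_i$)
35 / 43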
Security analysis
Numerical security estimates
Based on [APS15],[LP11],[DM15] results
1. Convert the instance to a lattice problem
we tested: UniqueSVP, reduction to SIS, modSwitch...
2. Apply the best heuristics 3. Optimized all non-relevant parameters:
trials
Important security parameters
1. Noise rate: 2. Entropy of the secret:
and that's all! expressed solely as a function of
36 / 43
Security analysis
Numerical security estimates
Based on [APS15],[LP11],[DM15] results
1. Convert the instance to a lattice problem
✔ we tested: UniqueSVP, reduction to SIS, modSwitch...
2. Apply the best heuristics 3. Optimized all non-relevant parameters: $m, \varepsilon, q$, trials . . .
Important security parameters
1. Noise rate: 2. Entropy of the secret:
and that's all! expressed solely as a function of
36 / 43
Security analysis
Numerical security estimates
Based on [APS15],[LP11],[DM15] results
1. Convert the instance to a lattice problem
✔ we tested: UniqueSVP, reduction to SIS, modSwitch...
2. Apply the best heuristics 3. Optimized all non-relevant parameters: $m, \varepsilon, q$, trials . . .
Important security parameters
1. Noise rate: $\alpha$ 2. Entropy of the secret: $n$
and that's all! $\lambda$ expressed solely as a function of $(n, \alpha)$ (a numerical estimate under the cited attack heuristics, not a proven bound)
36 / 43
Security parameter - the rainbow
5 10 15 20 25 30 35 40 45 200 400 600 800 1000 log2(1/α) n Values of λ(n,α) 32 64 128 256 512 512 384 2 5 6 192 128 8 40
Switch Key
37 / 43
Table of contents
1 Fully Homomorphic Encryption
Applications
2 TLWE
The real torus; LWE and TLWE
3 TGSW and the external product
Encryption and Gadget; TLWE and TGSW
4 Faster Bootstrapping
Security analysis
5 Conclusion
38 / 43
TFHE implementation
https://tfhe.github.io/tfhe/ Before: 1 bootstrapping in 52 ms. Now: 1 bootstrapping in 20 ms
39 / 43
TFHE implementation
https://tfhe.github.io/tfhe/ Before: 1 bootstrapping in 52 ms. Now: 1 bootstrapping in 20 ms
39 / 43
TFHE implementation
https://tfhe.github.io/tfhe/ Before: 1 bootstrapping in 52 ms. Now: 1 bootstrapping in 20 ms
39 / 43
Conclusion
Summary: Construction and abstraction of TLWE and TGSW; The external product $\boxdot : \mathrm{TGSW} \times \mathrm{TLWE} \to \mathrm{TLWE}$; Faster bootstrapping. More: We can apply our results to leveled HE schemes; We can improve this result and make FHE faster
Thank you!
m.s.n.
40 / 43
Conclusion
Summary: Construction and abstraction of TLWE and TGSW; The external product $\boxdot : \mathrm{TGSW} \times \mathrm{TLWE} \to \mathrm{TLWE}$; Faster bootstrapping. More: We can apply our results to leveled HE schemes; We can improve this result and make FHE faster
Thank you!
m.s.n.
40 / 43
Conclusion
Summary: Construction and abstraction of TLWE and TGSW; The external product $\boxdot : \mathrm{TGSW} \times \mathrm{TLWE} \to \mathrm{TLWE}$; Faster bootstrapping. More: We can apply our results to leveled HE schemes; We can improve this result and make FHE faster
Thank you!
m.s.n.
40 / 43
Bibliography
[APS15] Albrecht, M.R., Player, R., and Scott, S., "On the concrete hardness of learning with errors." Journal of Mathematical Cryptology 9.3 (2015): 169-203.
[BGV12] Brakerski, Z., Gentry, C., and Vaikuntanathan, V. "(Leveled) fully homomorphic encryption without bootstrapping." In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (pp. 309-325). ACM (2012).
[BLPRS13] Brakerski, Z., Langlois, A., Peikert, C., Regev, O., and Stehlé, D. "Classical hardness of learning with errors." In the proceedings of STOC'13 (2013).
[BP16] Brakerski, Z., and Perlman, R. "Lattice-Based Fully Dynamic Multi-Key FHE with Short Ciphertexts." In the proceedings of CRYPTO 2016 (2016).
[BR15] Biasse, J-F., Ruiz, L., "FHEW with Efficient Multibit Bootstrapping." In the proceedings of LatinCrypt 2015 (2015).
41 / 43
Bibliography
[CS15] Cheon, J.H., Stehlé, D., "Fully Homomorphic Encryption over the Integers Revisited." In the proceedings of EUROCRYPT'15. Springer-Verlag (2015).
[CGGI16] Chillotti, I., Gama, N., Georgieva, M., and Izabachène, M. "A Homomorphic LWE Based E-voting Scheme." In International Workshop on Post-Quantum Cryptography (pp. 245-265). Springer International Publishing (2016).
[DM15] Ducas, L., Micciancio, D., "FHEW: Bootstrapping Homomorphic Encryption in less than a second." In the proceedings of EUROCRYPT'15. Springer-Verlag (2015).
[GINX16] Gama, N., Izabachene, M., Nguyen, P.Q., and Xie, X., "Structural Lattice Reduction: Generalized Worst-Case to Average-Case Reductions." In the proceedings of EUROCRYPT'16. Springer-Verlag (2016).
[Gen09] Gentry, C., "A fully homomorphic encryption scheme [Ph. D. thesis]." International Journal of Distributed Sensor Networks, Stanford University (2009).
42 / 43
Bibliography
[GSW13] Gentry, C., Sahai, A., and Waters, B., "Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based." Advances in Cryptology–CRYPTO 2013. Springer Berlin Heidelberg, 2013. 75-92 (2013).
[LP11] Lindner, R., and Peikert, C., "Better key sizes (and attacks) for LWE-based encryption." Cryptographers' Track at the RSA Conference. Springer Berlin Heidelberg (2011).
[LPR10] Lyubashevsky, V., Peikert, C., and Regev, O., "On Ideal Lattices and Learning with Errors over Rings." Advances in Cryptology–EUROCRYPT 2010 (2010).
[Reg05] Regev, O., "On lattices, learning with errors, random linear codes, and cryptography." In STOC, pp.84-93 (2005).
43 / 43