Post on 24-Feb-2016
description
FIELD-SWITCHING INHOMOMORPHIC ENCRYPTIONCraig GentryShai HaleviChris PeikertNigel P. Smart
HE Over Cyclotomic Rings Denote the field
Its ring of integers is Mod- denoted
“Native plaintext space” is Ciphertexts , secret-keys are vectors over wrt encrypts if (for representatives in )
we have for small Decryption via Using “appropriate” -bases of
* Not exactly
*
**
HE Over Cyclotomic Rings “Native plaintexts” encode vectors of
values (more on that later)
Homomorphic Operations Addition: encrypts , encoding Multiplication: encrypts , encoding Automorphism: encrypts , encoding some
permutation of Relative to key
HE Over Cyclotomic Rings Also a key-switching operation For any two we can publish a
key-switching gadget used to translate valid wrt into wrt
encrypt the same plaintext for some small
How Large are ? Ciphertexts are “noisy” (for security)
noise grows during homomorphic computation Decryption error if noise grows larger than
Must set “much larger” than initial noiseSecurity relies on LWE-hardness with very large modulus/noise ratioDimension () must be large to get hardness Asymptotically
For realistic settings,
Switching to Smaller ? As we compute, the noise grows
Cipehrtexts have smaller modulus/noise ratio
From a security perspective, it becomes permissible to switch to smaller values of
How to do this? Not even clear what outcome we want
here: Have wrt , encrypting some Want wrt for
Encrypting ??
Ring-Switching: The Goal We cannot get since , We want to be “related” to
encodes encodes
May want to encode a subset of the ’s? E.g., the first of them Not always possible, only if
What relations between the ’s are possible?
Prior Work A limited ring-switching technique was
described in [BGV’12] Only for
Transforms big-ring into small-ring s.t. (encrypted in ) can be recovered from (encrypted in ).
Used only for bootstrapping
Our Transformation: Overview Work for any as long as wrt wrt , encrypt , that encode vectors:
, Necessarily , so a subfield of
Each is a -linear function of some ‘s We can choose the linear functions, but not
the subset of ‘s that correspond to each If , can use projections (so ’s a subset of ’s)
Our Transformation: OverviewDenote 1. Key-switching to map wrt wrt
and over the big field, wrt subfield key
2. Compute a small that depends only on the desired linear functions
3. Apply the trace function, 4. Output
Algebra
Geometry of Use canonical-embedding to associate
with a -vector of complex numbers Thinking of as a polynomial, associate with
the vector , the principal complex ’th root of unity E.g., if then
We can talk about the “size of ” say the or norm of For decryption, the “noise element” must be
Geometry of can be expressed as a vector-space over
Similarly over , over , etc. Every -basis induces a transformation coefficients in element of
With canonical embedding on both sides, we havea -linear transformation
We want a “good basis”, where is “short”and “nearly orthogonal”
Geometry of Lemma 1: There exists -basis of R for
which all the singular values of are nearly the same. Specifically where
primes that divide but not The proof follows techniques from
[LPR13],the basis is essentially a tensor of DFT matrices
The Trace Function For ,
By definition: if is small then so is is
is -linear if , and
The trace is a “universal” -linear function: For every -linear function there exists such
that
The Trace Function The trace Implies also a -linear map ,
and -linear map Every -linear map can be written as
But need not be in More on that later
The Intermediate Trace Function
when is an extension of Satisfies
Lemma 2: if is small then so is Less trivial than for but still true
is a “universal” -linear function: is For every -linear function there exists such
that Similarly implies -linear map and -linear
map
Some Complications Often we get Also for many linear functions we get
where is not in In our setting this will cause problems
when we apply the trace to ciphertext elements That’s (one reason) why ciphertexts are not
really vectors over Hence the *‘s throughout the slides
The Dual of Instead of , ciphertext are vectors over
the dual , for some
We have Also every -linear can be written as for
some In the rest of this talk we ignore this point,
and pretend that everything is over
Prime Splitting The integer 2 splits over as
ranges over is generated by In this talk we assume =1 (i.e., is odd) prime ideals, each
Using CRT, each encodes the vector
Prime Splitting Similarly 2 splits over as
Again we assume Using CRT, each encodes the vector
When then also , , and each split over as a product of some of the ’s
Prime Splitting Example for
2
𝒑1′ 𝒑 3
′
𝒑 22❑𝒑15
❑𝒑1❑ 𝒑 31
❑𝒑17❑𝒑 3
❑
𝑍
𝑅′
𝑅
⊆⊆
Lie over 2
Lie over Lie over
Plaintext-Slot Representation
Recall that for all the ’s But the isomorphisms are not unique
To fix the isomorphisms: Fix a primitive -th root of unity Fix representatives for all defined via
Same for isomorphisms Define by fixing and
Plaintext-Slot Representation Making the ’s and ‘s “consistent”
Fix and set Fix , then that lies over , choose s.t.
Fact: if lies over and , then
In words: for a sub-ring plaintext, the slots mod and all the ’s lie over it, hold the same value
Plaintext-Slot Representation Lemma 3: collection of -linear functions
a unique -linear function s.t. =
holds and , and The ’s range over all the ’s that lie over
Illustration of Lemma 3
s.t. and
Can express for some
𝒑1′ 𝒑 3
′
𝒑 22❑𝒑15
❑𝒑1❑ 𝒑 31
❑𝒑17❑𝒑 3
❑
𝑅′
𝑅
⊆
(𝑑=12 , ℓ=6)
(𝑑′=3 , ℓ ′=2)
𝐿1:𝐺𝐹 (212 )3→𝐺𝐹 (23) 𝐿3:𝐺𝐹 (212 )3→𝐺𝐹 (23)
* Not exactly
*
The Transformation
Step 1, Key Switching Let (chosen at keygen) Publish a key-switching matrix Given ctxt wrt , use W to get wrt
Just plain key-switching in the big ring still over the big ring, but wrt a sub-ring
key encrypts the same -element as
Security of Key-Swicthing Security of usual big-ring key-switching
relies on the secret being drawn from Then constrains only LWE-instance over What can we say when it is drawn from ?
We devise LWE instances over with secret from , with security relying on LWE in Instead of one small error element in ,
choose many small elements in , use an -basis of to combine them into a single error element in
-LWE With Secret in Let be any -basis of Given the LWE secret
Choose uniform and small Set and output
If the basis B is “good” (short, orthogonal) then is not much larger than the ’s This is where we use Lemma 1 ( good basis)
-LWE With Secret in Theorem: If decision-LWE is hard in ,
then is indistinguishable from uniform in Proof:
We can consider for uniform Induces the same uniform distribution on
Then we would get . If the were uniform in , then would be
uniform in .
Steps 2,3: Ring Switching encrypts wrt
encodes a vector We view it as
target functions, Want small-ring ciphertext encrypting that
encodes For each ,
Steps 2,3: Ring Switching By Lemma 2, that induces the ’s
Expressed as for We identify with a short representative in
One must exists since 2 is “short” Thus identify with over
Further identify as a representative of Apply the trace,
Recall that is valid wrt
* Not exactly
*
Correctness Recall over
For some (with small) and over Thus we have the equalities (over ):
encodes the ’s that we want
Correctness• We have
This looks like a valid encryption of It remains to show that is short
is short (from the input), is short (reduced mod 2)
So is short By Lemma 3 also is short
Conclusions We have a general ring-switching
technique Converts over to over for The plaintext slots in can contain any
linear functions of the slots in A -slot is a function of the -slots that lie above it
We may choose projection functions to have contain subset of the slots of
Lets us to speed up computation by switching to a smaller ring
Epilog: The [AP13] WorkAlperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation of DFT-like transformations:1. Decompose it to an FFT-like network of
“local” linear functions2. Use ring-switching for each level3. Then switch back up before the next level
Yields fastest bootstrapping procedure to date