University of Illinois, Urbana Champaign
CS 598DK Special Topics in Cryptography
Instructor: Dakshita Khurana
Scribe: Andrew Miranti, Tanya Verma
Date: October 5, 2019

LECTURE 10

Encryption from Learning with Errors

10.1 Motivation & Introduction

All cryptographic primitives are based upon some problem that is believed to be difficult. While we have discussed a number of provably secure means to perform both public key and private key encryption already in class, these have some shortcomings. Since it is not known whether P = NP, we cannot know with certainty that these problems are actually difficult for non-uniform PPT machines. Since it is commonly believed that P ≠ NP, this uncertainty is tolerated as long as the cryptosystem would be secure in that case. Some assumptions, however, are weaker than this: RSA, for example, relies on the difficulty of the integer factorization problem, and that problem is known to be solvable in polynomial time on a quantum computer using Shor's algorithm, regardless of whether P = NP [2].

Furthermore, the methods discussed in class so far allow us to pass messages without fear of eavesdroppers and to sign messages against impersonation, but they lack the ability to compute on the ciphertext.

Definition 10.1. Homomorphic Encryption: A cryptographic system in which an operation over the ciphertexts corresponds to an operation over the plaintexts, i.e.

$$\mathrm{Dec}\big(\mathrm{Enc}(m_0)\ \#\ \mathrm{Enc}(m_1)\big) = m_0\ @\ m_1$$

for some operations $\#$ and $@$.

Definition 10.2. Fully Homomorphic Encryption: A cryptographic system in which enough operations are supported that one can compute a ciphertext of the result of any arbitrary function over the plaintexts using only the ciphertexts [7].

In this lecture we introduce a new difficult computational problem which addresses both of these issues: it is thought to be resistant to quantum computers, and it admits a fully homomorphic encryption scheme. Consider the problem of solving a system of linear equations with known coefficients such as the following:

$$
\begin{aligned}
a_{11}s_1 + a_{12}s_2 + \cdots + a_{1n}s_n &\equiv b_1 \pmod q\\
a_{21}s_1 + a_{22}s_2 + \cdots + a_{2n}s_n &\equiv b_2 \pmod q\\
&\;\;\vdots\\
a_{m1}s_1 + a_{m2}s_2 + \cdots + a_{mn}s_n &\equiv b_m \pmod q
\end{aligned}
$$

In which all $a_{ij}$, $b_i$ and $q$ are known, and the $s_j$ are the unknowns. This problem is efficiently solvable using Gaussian elimination over $\mathbb{Z}_q$. However, what if we add small (we will define this term more formally later) random error terms to each equation?

$$
\begin{aligned}
a_{11}s_1 + a_{12}s_2 + \cdots + a_{1n}s_n + e_1 &\equiv b_1 \pmod q\\
a_{21}s_1 + a_{22}s_2 + \cdots + a_{2n}s_n + e_2 &\equiv b_2 \pmod q\\
&\;\;\vdots\\
a_{m1}s_1 + a_{m2}s_2 + \cdots + a_{mn}s_n + e_m &\equiv b_m \pmod q
\end{aligned}
$$

In which the $e_i$ terms are randomly selected from some distribution with mean zero and small standard deviation (small relative to $q$), most typically a discretized Gaussian. The errors destroy the linear structure that elimination relies on: a solution of the noisy system need not be the true $s$ at all, and once there are more than $n$ noisy equations the system is in general inconsistent. This gives us a new, much more difficult problem: Learning with Errors (LWE).
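To see concretely why the errors matter, here is an added Python example (not part of the lecture notes): it generates noise-free and noisy LWE samples for a toy secret, solves the noise-free system by Gaussian elimination modulo $q$, and then shows that the same elimination on the noisy system returns either a wrong secret or no solution at all. The parameters $q = 97$, $n = 4$ and the error width are constructed toy values, not secure sizes.

```python
import random

Q = 97   # toy prime modulus (constructed parameter, not a secure size)
N = 4    # number of unknowns s_1..s_n


def lwe_samples(s, m, q, sigma=0.0, rng=random):
    """Return (A, b) with m rows: a_i . s + e_i = b_i (mod q).

    sigma == 0 gives the exact, noise-free linear system; sigma > 0 adds
    an error e_i drawn from a Gaussian rounded to the nearest integer,
    which is the 'small error' of the LWE definition.
    """
    n = len(s)
    A, b = [], []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = round(rng.gauss(0, sigma)) if sigma > 0 else 0
        A.append(a)
        b.append((sum(ai * si for ai, si in zip(a, s)) + e) % q)
    return A, b


def solve_mod_q(A, b, q):
    """Gauss-Jordan elimination over Z_q (q prime).

    Returns the unique solution vector if the system has one, or None if
    the coefficient matrix is rank-deficient or the equations are
    inconsistent (the latter is what noise produces once m > n).
    """
    n = len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]   # augmented matrix [A | b]
    m = len(M)
    rank = 0
    for col in range(n):
        piv = next((r for r in range(rank, m) if M[r][col] % q), None)
        if piv is None:
            return None                             # no pivot: rank-deficient
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, q)              # q prime => inverse exists
        M[rank] = [(x * inv) % q for x in M[rank]]
        for r in range(m):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[rank])]
        rank += 1
    # every leftover row must read 0 = 0, otherwise the system is inconsistent
    if any(M[r][n] % q for r in range(rank, m)):
        return None
    return [M[i][n] for i in range(n)]


def recovery_experiment(seed, sigma, m=N + 4):
    """Try to recover s from m samples; returns (true_s, recovered_s)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    A, b = lwe_samples(s, m, Q, sigma, rng)
    return s, solve_mod_q(A, b, Q)


if __name__ == "__main__":
    s, got = recovery_experiment(seed=1, sigma=0.0)
    print("noise-free system: recovered s?", got == s)       # elimination succeeds
    s, got = recovery_experiment(seed=1, sigma=2.0)
    print("noisy system: recovered s?", got == s, "->", got)  # wrong vector or None
```

With exactly $n$ noisy equations elimination still returns a vector, but it is a solution of the perturbed system rather than $s$; with more equations the perturbations make the system inconsistent. Either way the linear-algebra attack that works on the error-free problem gives the attacker nothing.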

10.2 Lattice Cryptography

In this section, we briefly try to understand what a lattice is and why lattices are important for cryptography [5][6].

Definition 10.3. A lattice is a set of points $L = \{a_1 v_1 + a_2 v_2 + \cdots + a_n v_n \mid a_i \in \mathbb{Z}\}$ for linearly independent vectors $v_1, \ldots, v_n \in \mathbb{R}^n$. The vectors $v_1, \ldots, v_n$ form a basis of $L$.

The basis of a lattice is not unique. This non-uniqueness ends up being highly relevant to cryptography because it helps hide the structure of the lattice: two very different looking sets of basis vectors can generate the same lattice.

The main computational problems that arise from lattices are the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). These problems are believed to be hard even for quantum computers: unlike factoring, for which Shor's algorithm exists, no efficient quantum algorithm for them is known despite considerable effort. This is why these problems allow us to develop quantum-resistant cryptography.

The Shortest Vector Problem can be summarized as follows. Given an arbitrary lattice, which means being given a basis of the lattice (since a lattice is fully specified by a basis), can you find a short vector in this lattice? Restated: can you find an integer combination of the vectors $v_1, \ldots, v_n$ that somehow cancels and becomes short? For cryptography we consider the approximate variant of this problem: we do not need to find the shortest vector, just one within a factor $\gamma$ of the shortest.

10.4 Secret Key Encryption with LWE

We now present a definition of single-bit secret key encryption using LWE. (Let $\leftarrow$ denote sampling from a given distribution.) All randomness is derived from the parameter $r$.

$$\mathrm{KeyGen}(1^n, r):\quad s \leftarrow \mathbb{Z}_q^n$$

$$\mathrm{Enc}(s, \mu, r) = \Big(a,\; s^T a + e + \mu \left\lfloor \tfrac{q}{2} \right\rfloor \bmod q\Big), \qquad a \xleftarrow{\text{uniform}} \mathbb{Z}_q^n,\ e \leftarrow \chi$$

Recall that $e$ is not public and is not part of the secret key, so the decryption algorithm does not know it. It does, however, know the distribution $\chi$. For the scheme to work we require that $\chi$ has mean zero and that, with overwhelming probability, $e$ falls into the range $[-q/4,\, q/4]$. If we require perfect correctness, we can clip $e$ into this range. With this requirement in place, decryption is:

$$\mathrm{Dec}(s, (a, b)) = \begin{cases} 0 & \text{if } b - s^T a \bmod q \in [-q/4,\, q/4] \\ 1 & \text{if } b - s^T a \bmod q \in [q/4,\, 3q/4] \end{cases}$$

(read modulo $q$, the two ranges cover all of $\mathbb{Z}_q$). To see why this works, recall that

$$b = s^T a + e + \mu \left\lfloor \tfrac{q}{2} \right\rfloor \bmod q .$$

Thus

$$b - s^T a = e + \mu \left\lfloor \tfrac{q}{2} \right\rfloor \bmod q .$$

Since $e \in [-q/4,\, q/4]$, if $\mu = 0$ this value lies in $[-q/4,\, q/4]$; otherwise it lies in $[q/4,\, 3q/4]$. Thus Dec can distinguish $\mu = 0$ from $\mu = 1$ even though it does not know $e$. When encrypting multiple messages the requirement generalizes to $\|e\|_\infty < q/4$, i.e. every component of the error vector $e$ must lie in the appropriate range, which holds with overwhelming probability.
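The single-bit scheme above, written out as an added Python example (not from the lecture notes) so that the correctness condition on $\chi$ can be seen both working and failing. The toy parameters $q = 4093$, $n = 8$ and a rounded Gaussian of standard deviation 2 as $\chi$ are constructed choices, not secure sizes. The last function replaces the sampled error by a chosen one: an error of $\lfloor q/4 \rfloor$ still decrypts correctly, while $\lfloor q/4 \rfloor + 1$ flips the bit, which is exactly why the notes require $\chi$ to stay inside $[-q/4, q/4]$.

```python
import random

Q = 4093       # toy modulus (constructed parameter, not a secure size)
N = 8          # secret dimension n
SIGMA = 2.0    # std-dev of chi, a Gaussian rounded to the nearest integer


def sample_chi(rng, sigma=SIGMA):
    """One error sample e <- chi (mean zero, small compared with q/4)."""
    return round(rng.gauss(0, sigma))


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2], so 'small' means near zero."""
    x %= q
    return x - q if x > q // 2 else x


def inner(s, a, q=Q):
    return sum(si * ai for si, ai in zip(s, a)) % q


def keygen(rng, n=N, q=Q):
    """KeyGen(1^n): s uniform in Z_q^n."""
    return [rng.randrange(q) for _ in range(n)]


def enc(s, mu, rng, q=Q):
    """Enc(s, mu) = (a, s^T a + e + mu*floor(q/2) mod q), a uniform, e <- chi."""
    assert mu in (0, 1)
    a = [rng.randrange(q) for _ in range(len(s))]
    b = (inner(s, a, q) + sample_chi(rng) + mu * (q // 2)) % q
    return a, b


def dec(s, ct, q=Q):
    """Dec(s, (a, b)): b - s^T a = e + mu*floor(q/2); decide by which quarter it lands in."""
    a, b = ct
    d = centered(b - inner(s, a, q), q)
    return 0 if abs(d) <= q // 4 else 1     # [-q/4, q/4] -> 0, [q/4, 3q/4] -> 1


def enc_bits(s, bits, rng, q=Q):
    """Multi-bit message: one independent (a, b) pair per bit, fresh a and e each time."""
    return [enc(s, bit, rng, q) for bit in bits]


def dec_bits(s, cts, q=Q):
    return [dec(s, ct, q) for ct in cts]


def dec_with_forced_error(s, mu, e, rng, q=Q):
    """Encrypt mu with a chosen error e instead of sampling chi, then decrypt.

    Demonstrates the correctness boundary: |e| <= q/4 decrypts to mu, while an
    error just past q/4 pushes b - s^T a into the other quarter and Dec returns
    the wrong bit.
    """
    a = [rng.randrange(q) for _ in range(len(s))]
    b = (inner(s, a, q) + e + mu * (q // 2)) % q
    return dec(s, (a, b), q)


def run_demo(seed=2019):
    """Exercise the scheme with a seeded RNG and return the observed results."""
    rng = random.Random(seed)
    s = keygen(rng)
    msg = [1, 0, 1, 0, 0, 1, 0, 1]
    return {
        "round_trip_ok": dec_bits(s, enc_bits(s, msg, rng)) == msg,
        "bit0_error_at_bound": dec_with_forced_error(s, 0, Q // 4, rng),
        "bit0_error_past_bound": dec_with_forced_error(s, 0, Q // 4 + 1, rng),
        "bit1_error_past_bound": dec_with_forced_error(s, 1, -(Q // 4 + 1), rng),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The decoder works on the centered representative of $b - s^T a$, so the two cases of Dec become "close to 0" versus "close to $\pm q/2$"; the error budget $q/4$ is half the distance between the encodings of 0 and 1.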

10.5 Secret Key Encryption Proof of Security

Single bit message security: We want to prove that $\mathrm{Enc}(s, 0, r) \approx \mathrm{Enc}(s, 1, r)$, where $\approx$ means computationally indistinguishable to non-uniform PPT machines. Note that we have made the randomness parameter $r$ explicit in this statement of the problem.

$$
\begin{aligned}
\mathrm{Enc}(s, 0, r) &= \big(a,\; s^T a + e \bmod q\big) \\
&\approx \big(a,\; b\big), \quad b \xleftarrow{\text{uniform}} \mathbb{Z}_q && \text{(decisional LWE assumption)} \\
&= \big(a,\; b + \lfloor q/2 \rfloor \bmod q\big) && \text{(a constant offset of the uniform distribution is still uniform)} \\
&\approx \big(a,\; s^T a + e + \lfloor q/2 \rfloor \bmod q\big) && \text{(decisional LWE assumption)} \\
&= \mathrm{Enc}(s, 1, r)
\end{aligned}
$$

Multi bit message security: We want to prove that

$$\mathrm{Enc}(s,0,r_1),\, \mathrm{Enc}(s,0,r_2),\, \ldots,\, \mathrm{Enc}(s,0,r_m) \;\approx\; \mathrm{Enc}(s,1,r_1),\, \mathrm{Enc}(s,1,r_2),\, \ldots,\, \mathrm{Enc}(s,1,r_m).$$

By definition of Enc (note that the different randomness parameters give different $a$ vectors and $e$ values):

$$
\begin{aligned}
\mathrm{Enc}(s, 0, r_1) &= (a^{(1)}, b^{(1)}) = \big(a^{(1)},\; s^T a^{(1)} + e^{(1)}\big) \bmod q \\
\mathrm{Enc}(s, 0, r_2) &= (a^{(2)}, b^{(2)}) = \big(a^{(2)},\; s^T a^{(2)} + e^{(2)}\big) \bmod q \\
&\;\;\vdots \\
\mathrm{Enc}(s, 0, r_m) &= (a^{(m)}, b^{(m)}) = \big(a^{(m)},\; s^T a^{(m)} + e^{(m)}\big) \bmod q
\end{aligned}
$$

But this is identical to

$$\mathrm{Enc}(s, 0^m, r) = \big(A,\; s^T A + e^T\big) \bmod q, \qquad A \xleftarrow{\text{uniform}} \mathbb{Z}_q^{n \times m},\ s \xleftarrow{\text{uniform}} \mathbb{Z}_q^n,\ e \leftarrow \chi^m,$$

where the columns of $A$ are the vectors $a^{(1)}, \ldots, a^{(m)}$ and $e = (e^{(1)}, \ldots, e^{(m)})$. By the decisional LWE assumption:

$$\big(A,\; s^T A + e^T\big) \approx \big(A,\; b^T\big), \qquad b \xleftarrow{\text{uniform}} \mathbb{Z}_q^m.$$

Since shifting a uniform distribution mod $q$ by a constant does not change the distribution, it is easy to see that

$$\big(A,\; b^T\big) = \big(A,\; b^T + \lfloor q/2 \rfloor \mathbf{1}_m^T\big),$$

in which $\mathbf{1}_m$ is the vector of all ones of length $m$. Therefore

$$
\begin{aligned}
\big(A,\; b^T\big) &= \big(A,\; b^T + \lfloor q/2 \rfloor \mathbf{1}_m^T\big) \\
&\approx \big(A,\; s^T A + e^T + \lfloor q/2 \rfloor \mathbf{1}_m^T\big) && \text{(decisional LWE assumption)} \\
&= \mathrm{Enc}(s, 1^m, r).
\end{aligned}
$$

Thus, this secret key encryption scheme is also secure over an arbitrary number of messages (the same argument applies to any two message vectors, since the shift only changes which coordinates carry a $\lfloor q/2 \rfloor$ offset).

10.6 Public Key Encryption with LWE

Key generation: the secret key is $s \xleftarrow{\text{uniform}} \mathbb{Z}_q^n$ and the public key is $(A, b)$ with $A \xleftarrow{\text{uniform}} \mathbb{Z}_q^{n \times m}$, $e \leftarrow \chi^m$ and $b^T = s^T A + e^T \bmod q$, where $m > n \log q$ (these are the parameters the security proof in Section 10.7 relies on). Encryption and decryption are:

$$\mathrm{Enc}(pk, \mu):\quad \big(u = A r,\;\; u' = b^T r + \mu \lfloor q/2 \rfloor\big) \bmod q, \qquad r \xleftarrow{\text{uniform}} \{0,1\}^m$$

$$\mathrm{Dec}(sk, (u, u')) = \begin{cases} 0 & \text{if } u' - s^T u \bmod q \in [-q/4,\, q/4] \\ 1 & \text{if } u' - s^T u \bmod q \in [q/4,\, 3q/4] \end{cases}$$

Decryption works because $u' - s^T u = (s^T A + e^T) r + \mu \lfloor q/2 \rfloor - s^T A r = e^T r + \mu \lfloor q/2 \rfloor \bmod q$, so correctness requires $|e^T r| < q/4$ with overwhelming probability. Note that $e^T r$ is now a sum of up to $m$ samples of $\chi$ rather than a single one; in the worst case $|e^T r| \le \sum_j |e_j|$, so the error distribution has to be chosen small relative to $q/m$, not just relative to $q$.
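An added Python example (not from the notes) of the public key scheme of this section, with the key generation $A \in \mathbb{Z}_q^{n \times m}$ uniform, $b^T = s^T A + e^T$, and encryption under a uniform $r \in \{0,1\}^m$. The constructed toy parameters are $q = 4093$, $n = 8$, $m = 2\lceil n \log_2 q \rceil$ (so that $m > n \log q$ as the Leftover Hash Lemma step of the proof requires) and a rounded Gaussian of standard deviation 2 as $\chi$; they are not secure sizes. Because the decryption noise is now $e^T r$, the example also reports the largest $|e^T r|$ it saw against the $q/4$ budget. The last two functions go beyond the notes: they show that adding two ciphertexts componentwise decrypts to the XOR of the two bits, i.e. the homomorphic property of Definition 10.1 with $\#$ being vector addition mod $q$ and $@$ being XOR.

```python
import math
import random

Q = 4093                                  # toy modulus (constructed, not a secure size)
N = 8                                     # secret dimension n
M = 2 * math.ceil(N * math.log2(Q))       # m > n log q, needed for the Leftover Hash Lemma
SIGMA = 2.0                               # chi: Gaussian rounded to the nearest integer


def sample_chi(rng, sigma=SIGMA):
    return round(rng.gauss(0, sigma))


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def dot(u, v, q=Q):
    return sum(x * y for x, y in zip(u, v)) % q


def keygen(rng, n=N, m=M, q=Q):
    """sk = s in Z_q^n; pk = (A, b) with A in Z_q^{n x m} uniform, b^T = s^T A + e^T mod q.

    The error vector e is returned as well, only so the demo can measure e^T r.
    """
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]   # n rows of length m
    e = [sample_chi(rng) for _ in range(m)]
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return s, (A, b), e


def enc(pk, mu, rng, q=Q):
    """Enc(pk, mu) = (u = A r, u' = b^T r + mu*floor(q/2)) with r uniform in {0,1}^m.

    r is returned as well, only so the demo can compute the noise term e^T r.
    """
    assert mu in (0, 1)
    A, b = pk
    r = [rng.randrange(2) for _ in range(len(b))]
    u = [dot(row, r, q) for row in A]
    u_prime = (dot(b, r, q) + mu * (q // 2)) % q
    return (u, u_prime), r


def dec(sk, ct, q=Q):
    """Dec(sk, (u, u')): u' - s^T u = e^T r + mu*floor(q/2); decide by quarter."""
    u, u_prime = ct
    d = centered(u_prime - dot(sk, u, q), q)
    return 0 if abs(d) <= q // 4 else 1


def decryption_noise(e, r):
    """The term e^T r that Dec has to absorb; correctness needs |e^T r| < q/4."""
    return sum(ei * ri for ei, ri in zip(e, r))


def add_ciphertexts(ct1, ct2, q=Q):
    """Componentwise sum of two ciphertexts (the '#' of Definition 10.1)."""
    (u1, p1), (u2, p2) = ct1, ct2
    return ([(x + y) % q for x, y in zip(u1, u2)], (p1 + p2) % q)


def homomorphic_xor(sk, pk, mu1, mu2, rng, q=Q):
    """Encrypt mu1 and mu2, add the ciphertexts, decrypt: the result is mu1 XOR mu2.

    Two floor(q/2) encodings sum to q - 1 = -1 mod q (q odd), so they cancel up to
    one unit of extra noise, and the noise terms e^T r1 + e^T r2 simply add up.
    """
    ct1, _ = enc(pk, mu1, rng, q)
    ct2, _ = enc(pk, mu2, rng, q)
    return dec(sk, add_ciphertexts(ct1, ct2, q), q)


def run_demo(seed=598, trials=20):
    """Seeded run of the scheme; returns correctness, worst noise seen and the XOR table."""
    rng = random.Random(seed)
    sk, pk, e = keygen(rng)
    correct, worst_noise = True, 0
    for mu in (0, 1):
        for _ in range(trials):
            ct, r = enc(pk, mu, rng)
            correct &= dec(sk, ct) == mu
            worst_noise = max(worst_noise, abs(decryption_noise(e, r)))
    xor_table = {(x, y): homomorphic_xor(sk, pk, x, y, rng) for x in (0, 1) for y in (0, 1)}
    return {"all_correct": correct, "worst_noise": worst_noise,
            "noise_budget": Q // 4, "xor_table": xor_table}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Every homomorphic addition roughly doubles the accumulated noise, so with this scheme only a limited number of operations fit inside the $q/4$ budget; managing that growth is what separates this additively homomorphic scheme from the fully homomorphic constructions mentioned in the introduction.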

10.7 Public Key Encryption: Proof of Security

Before we begin the proof, we note a feature of public key cryptography: in this setting, single message security implies multiple message security. To see why, suppose an adversary can distinguish the ciphertext sequence $\mathrm{Enc}(pk, m_{0,0}), \ldots, \mathrm{Enc}(pk, m_{0,j})$ from $\mathrm{Enc}(pk, m_{1,0}), \ldots, \mathrm{Enc}(pk, m_{1,j})$. Such an adversary can also distinguish a single challenge ciphertext, an encryption of either $m_0$ or $m_1$: it places the challenge ciphertext into a sequence, fills the remaining positions with encryptions of messages it chooses itself (this is possible because the adversary holds the public encryption key, unlike in private key cryptography, where the adversary cannot encrypt messages on its own), and runs the assumed multi-message distinguisher on the resulting sequences. As a result, it is sufficient to prove that the public key cryptosystem described above is secure for a single message.

Let us try to understand why the above encryption scheme is secure. An adversary reading the transcript can see Alice's public key $(A, b)$ and the ciphertext $(u, u')$. To prove security, we observe two key points.

First, LWE is a hard problem, which implies that it is difficult to distinguish $(A, b)$ where $b^T = s^T A + e^T$ from $(A, b)$ where $b$ has simply been sampled uniformly at random. So if Alice's public key were replaced by the latter version, the attacker would not be able to tell the difference between the two kinds of $b$.

Next, if Bob were to encrypt his message using a uniformly sampled $b$, then, given that $A$ is already uniformly random, the encryption is equivalent to a one-time pad. This can be shown using the Leftover Hash Lemma.

Stated more formally, the view of the adversary if they intercept the encryption of the message $\mu = 0$ is

$$\mathrm{View}_0 = \big(A,\; b^T = s^T A + e^T,\; Ar,\; b^T r\big).$$

By the (decisional) LWE assumption, this is indistinguishable from

$$\mathrm{View}'_0 = \big(A,\; b^T \xleftarrow{\text{uniform}} \mathbb{Z}_q^m,\; Ar,\; b^T r\big).$$

Construct a matrix $C \in \mathbb{Z}_q^{(n+1) \times m}$ by placing the row vector $b^T$ below the matrix $A$. Then the distribution $\mathrm{View}'_0$ is exactly $(C, Cr)$ by construction. We now use our requirement that $m > n \log q$ (for the $(n+1)$-row matrix $C$ one needs $m$ to exceed $(n+1) \log q$ by a statistical security margin; asymptotically this is the same requirement). The Leftover Hash Lemma states that, under these conditions ($C$ is composed of uniformly random elements of $\mathbb{Z}_q$ and $r$ is a uniformly random binary vector),

$$(C, Cr) \approx (C, u), \qquad u \xleftarrow{\text{uniform}} \mathbb{Z}_q^{n+1}.$$

Denote by $\mathrm{View}''_0$ the distribution $(C, u)$ with $u$ uniform in $\mathbb{Z}_q^{n+1}$.

Since $u$ consists of uniformly random elements of $\mathbb{Z}_q$, and shifting a uniformly random variable by a constant does not change its distribution [3], $\mathrm{View}''_0$ is identical to

$$\mathrm{View}''_1 = \big(C,\; u + \lfloor q/2 \rfloor\, \delta\big), \qquad \delta = (0, \ldots, 0, 1)^T \in \mathbb{Z}_q^{n+1},$$

in which only the last coordinate of the second component (the one corresponding to $u'$) has been shifted by $\lfloor q/2 \rfloor$. Next, $\mathrm{View}''_1$ is indistinguishable from $\mathrm{View}'_1 = (C,\; Cr + \lfloor q/2 \rfloor\, \delta)$ by another application of the Leftover Hash Lemma to the distribution $(C, Cr)$.

Unpacking $C$ and $Cr$, this view is exactly

$$\mathrm{View}'_1 = \big(A,\; b^T \xleftarrow{\text{uniform}} \mathbb{Z}_q^m,\; Ar,\; b^T r + \lfloor q/2 \rfloor\big),$$

which, by the LWE assumption, is computationally indistinguishable from

$$\mathrm{View}_1 = \big(A,\; b^T = s^T A + e^T,\; Ar,\; b^T r + \lfloor q/2 \rfloor\big),$$

which is exactly the adversary's view when $\mu = 1$.

Thus, the adversary's view when $\mu = 0$ (the distribution $\mathrm{View}_0$) is computationally indistinguishable from their view when $\mu = 1$ (the distribution $\mathrm{View}_1$).

This is why an adversary reading the transcript cannot tell what the message bit is, and the encryption scheme is semantically secure.

Acknowledgement

These scribe notes were prepared by editing a light modification of the template designed by Alexander Sherstov.

References

[1] The learning with errors problem: Introduction and basic cryptography.

[2] S. T. Elisa Baumer, Jan-Grimo Sobez. Shor’s algorithm, 2015.

[3] S. Park. Advanced topics in cryptography: Lattices, 2015.

[4] C. Peikert. Winter school on cryptography: Learning with errors, 2012.

[5] O. Regev. Winter school on cryptography: Introduction to lattices, 2012.

[6] Wikipedia. Lattice problem, 2019.

[7] D. J. Wu. Fully homomorphic encryption: Cryptography’s holy grail, 2015.