Fully Homomorphic Encryption II, Lecture notes of Cryptography and System Security

A lecture on Fully Homomorphic Encryption II, a special topic in cryptography. The lecture covers the construction of a leveled-FHE scheme from learning with errors (LWE) and why this construction is correct. The technical difficulty focused on is ensuring that the leveled-FHE construction is multiplicatively homomorphic. The lecture culminates with a discussion of how leveled-FHE can be combined with an additional security assumption to produce FHE with an unbounded number of homomorphic operations. The notes include a detailed description of the encryption scheme and its algorithms.

Typology: Lecture notes

2021/2022

Uploaded on 05/11/2023

University of Illinois, Urbana Champaign
CS 598DK Special Topics in Cryptography
Instructor: Dakshita Khurana
Scribe: Sarah Christensen, Siheng Pan, Nerla Jean-Louis
Date: October 11, 2019

LECTURE 12
Fully Homomorphic Encryption II


In the prior lecture, we were first introduced to the concept of fully homomorphic encryption (FHE). In particular, we covered the motivation for the problem, its formal definition, and how FHE schemes can leverage learning with errors (LWE) in their construction. In this lecture, we continued our discussion of FHE, diving more deeply into the details of how to construct a leveled-FHE using LWE and why this construction is correct.

The key technical difficulty focused on in this lecture is ensuring that the leveled-FHE construction is multiplicatively homomorphic, which requires significantly more care than its additive analog. Indeed, the intuition behind the construction only becomes apparent in hindsight, after understanding how it behaves under multiplication. The lecture culminated with a discussion of how leveled-FHE, which allows only a bounded number of homomorphic operations, can be combined with an additional security assumption to produce FHE with an unbounded number of homomorphic operations [1]. This result, called bootstrapping, is one of the most exciting breakthroughs in recent cryptography.

12.1 A leveled-FHE scheme

We begin by describing a leveled fully homomorphic public-key encryption scheme that utilizes LWE (for a review on LWE, see Lecture 10). Recall that any encryption scheme is defined by a tuple of probabilistic polynomial-time algorithms (KeyGen, Encrypt, Decrypt).

KeyGen(prime number q, 1^n):

  • Construct an n × m matrix A by drawing its entries uniformly at random from the space of integers modulo q (i.e., A ← Z_q^{n×m}).
  • Construct an n-dimensional vector s by also drawing its entries uniformly at random from the space of integers modulo q (i.e., s ← Z_q^n).
  • Construct an m-dimensional vector e by drawing its entries from the χ distribution (i.e., e ← χ^m). With high probability, ||e|| < q/(mc) for some sufficiently large constant c by the properties of the χ distribution.
  • Define an m-dimensional vector b = sA + e^T. Notice that these entries are simply the sums of the LWE system of equations.
  • Define the secret key to be the following (n + 1)-dimensional vector (−s stacked above 1):

$$
t = \begin{bmatrix} -s \\ 1 \end{bmatrix}
$$

  • Define the public key to be the following (n + 1) × m dimensional matrix (A stacked above b):

$$
B = \begin{bmatrix} A \\ b \end{bmatrix}
$$

  • Output the public key B.

Encrypt(public key B, message μ ∈ {0, 1}):

  • Construct an m × m matrix R by drawing its entries uniformly at random from {0, 1} (i.e., R ← {0, 1}^{m×m}).
  • Define a linear operator G using matrix multiplication. In particular, G can be represented with an (n + 1) × (n + 1)(⌊log q⌋ + 1) matrix as follows:

$$
G := \begin{bmatrix}
1 & 2 & \cdots & 2^{\lfloor \log q \rfloor} & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0 \\
0 & \cdots & 0 & 0 & 1 & \cdots & 2^{\lfloor \log q \rfloor} & \cdots & 0 & \cdots & 0 \\
\vdots & & & & & & & \ddots & & & \vdots \\
0 & \cdots & 0 & 0 & 0 & \cdots & 0 & \cdots & 1 & \cdots & 2^{\lfloor \log q \rfloor}
\end{bmatrix}
$$

In other words, G is a matrix with the sequence [1, 2, ..., 2^{⌊log q⌋}] repeated in each row; in the ith row, this pattern begins in column j = i·(⌊log q⌋ + 1). We state the entries of G here for completeness, but the intuition behind it will only make sense in hindsight when proving this scheme is multiplicatively homomorphic.

  • Define the ciphertext to be the following:

$$
C = BR + \mu G.
$$

Note that BR has dimension (n + 1) × m. For this matrix addition to make sense, we need to set m = (n + 1)(⌊log q⌋ + 1).

  • Output the ciphertext C.

Decrypt(secret key t, ciphertext C):

  • Compute the matrix product of the secret key with the ciphertext:

$$
t^T C = t^T (BR + \mu G) = t^T BR + \mu t^T G
= \begin{bmatrix} -s & 1 \end{bmatrix} \begin{bmatrix} A \\ sA + e^T \end{bmatrix} R + \mu t^T G
= e^T R + \mu t^T G = \text{Low norm error term} + \mu t^T G \qquad (12.1)
$$

$$
= \begin{cases} \text{Low norm error term} & \mu = 0 \\ \text{Low norm error term} + t^T G & \mu = 1 \end{cases}
$$

time we wish to show that we can compute the ciphertext encoding μ_1 μ_2 mod q. The most natural thing to try for an evaluation algorithm is the following (ignoring dimension issues):

Evaluate_Naive(×, ciphertext C, ciphertext C′):

  • Return C_Mult = CC′.

Unfortunately, when we simplify C_Mult in our decryption step, we run into some difficulties.

$$
\begin{aligned}
t^T C_{Mult} &= t^T C C' = t^T (BR_1 + \mu_1 G)(BR_2 + \mu_2 G) \\
&= t^T BR_1 BR_2 + t^T BR_1 \mu_2 G + t^T BR_2 \mu_1 G + t^T \mu_1 \mu_2 G^2 \\
&= e^T R_1 BR_2 + e^T R_1 \mu_2 G + e^T R_2 \mu_1 G + \mu_1 \mu_2 t^T G^2
\end{aligned}
$$

In addition to the obvious dimension problems, we obtain the term μ_1 μ_2 t^T G^2, which does not fit the functional form of Equation 12.1. Also, only one of the Bs was reduced to e^T in the first term. This leaves an error term multiplied by the remaining B, which will likely be too large since entries in B are relatively large. We modify this evaluation scheme by introducing the operator G^{-1}, which functions as the inverse to G. The intuition behind doing this is that it will cancel an extra G from the final term as well as shrink the entries in the extra B of the first term to control error.

Evaluate(×, ciphertext C, ciphertext C′):

  • We first define the operator G^{-1}, which takes as input a Z_q^{(n+1)×m} matrix and outputs a {0, 1}^{((n+1)(⌊log q⌋+1))×m} matrix. In particular, G^{-1} expands an input matrix into its component-wise binary decomposition. For instance, given an input matrix

$$
X := \begin{bmatrix}
x_{0,0} & x_{0,1} & \cdots & x_{0,m-1} \\
\vdots & \vdots & & \vdots \\
x_{n,0} & x_{n,1} & \cdots & x_{n,m-1}
\end{bmatrix}
$$

we define G^{-1} on that matrix as follows:

$$
G^{-1}(X) := \begin{bmatrix}
\mathrm{Bin}(x_{0,0})_0 & \mathrm{Bin}(x_{0,1})_0 & \cdots & \mathrm{Bin}(x_{0,m-1})_0 \\
\mathrm{Bin}(x_{0,0})_1 & \mathrm{Bin}(x_{0,1})_1 & \cdots & \mathrm{Bin}(x_{0,m-1})_1 \\
\vdots & \vdots & & \vdots \\
\mathrm{Bin}(x_{0,0})_{\lfloor \log q \rfloor} & \mathrm{Bin}(x_{0,1})_{\lfloor \log q \rfloor} & \cdots & \mathrm{Bin}(x_{0,m-1})_{\lfloor \log q \rfloor} \\
\vdots & \vdots & & \vdots \\
\mathrm{Bin}(x_{n,0})_{\lfloor \log q \rfloor} & \mathrm{Bin}(x_{n,1})_{\lfloor \log q \rfloor} & \cdots & \mathrm{Bin}(x_{n,m-1})_{\lfloor \log q \rfloor}
\end{bmatrix}
$$

where Bin(x_{0,0})_0 is the first bit in the binary decomposition of x_{0,0} ∈ Z_q into ((n + 1)(⌊log q⌋ + 1)) bits. Note that the number of columns does not change. Each element in the input matrix gets expanded into (⌊log q⌋ + 1) rows, so the number of rows in the output matrix increases by a factor of (⌊log q⌋ + 1).

  • Return the (n + 1) × m dimensional matrix C_Mult = C G^{-1}(C′). Recall that we fixed m = (n + 1)(⌊log q⌋ + 1) when defining our encryption scheme, so the matrix multiplication here is well-defined.

$$
G^{-1}(G) = \begin{bmatrix} I & & & \\ & I & & \\ & & \ddots & \\ & & & I \end{bmatrix}
$$

Figure 12.1: Each identity sub-matrix I corresponds to the expansion of the sequence [1, 2, ..., 2^{⌊log q⌋}] for one row in G. Each I is of dimension (⌊log q⌋ + 1) × (⌊log q⌋ + 1).

Remark 12.1. G and G^{-1} are both operators. G performs binary recomposition, and G^{-1} performs binary decomposition. While G is a linear operator (whose operations can therefore be encoded in a matrix), G^{-1} is not a linear operator.

Remark 12.2. G^{-1} takes as input a small matrix with large entries and creates a large matrix with small entries. How convenient!

Fact 12.3. For any matrix X ∈ Z_q^{(n+1)×m}, G(G^{-1}(X)) = X. Similarly, G^{-1}(G) is equal to the identity matrix I_{m×m}.

To convince yourself of the second half of this fact, recall that each row in the matrix representation of G has the sequence [1, 2, ..., 2^{⌊log q⌋}]. When expanded into a component-wise binary decomposition, this sequence is just the identity matrix I_{(⌊log q⌋+1)×(⌊log q⌋+1)}. Next, observe that the spacing of the sequences in G is such that these identity sub-matrices line up along the diagonal of the output matrix, forming a full identity matrix as claimed (see Figure 12.1). Now, we finally show that with this modified evaluation function, our decryption scheme returns the correct result.

$$
\begin{aligned}
C_{Mult} &= C G^{-1}(C') = (BR_1 + \mu_1 G)\, G^{-1}(BR_2 + \mu_2 G) \\
&= (BR_1 + \mu_1 G)\big(G^{-1}(BR_2) + G^{-1}(G)\mu_2\big) \\
&= BR_1 G^{-1}(BR_2) + BR_1 \mu_2 + \mu_1 BR_2 + \mu_1 \mu_2 G
\end{aligned}
$$

Multiplying by the secret key, we have

$$
\begin{aligned}
t^T C_{Mult} &= t^T \big( BR_1 G^{-1}(BR_2) + BR_1 \mu_2 + \mu_1 BR_2 + \mu_1 \mu_2 G \big) \\
&= t^T BR_1 G^{-1}(BR_2) + t^T BR_1 \mu_2 + t^T BR_2 \mu_1 + t^T \mu_1 \mu_2 G \\
&= e^T R_1 G^{-1}(BR_2) + e^T \big( R_1 \mu_2 + R_2 \mu_1 \big) + \mu_1 \mu_2 t^T G
\end{aligned}
$$

This is very close to the invariant functional form that we are looking for. Note that the final term is exactly in the same form as Equation 12.1. The middle term is bounded above
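The whole construction as runnable code, covering KeyGen, Encrypt and Decrypt from Section 12.1 together with the operators G and G^{-1} and the Evaluate(×) step just derived. This is an added example written for these notes; it is not code from the lecture or its scribes. It assumes constructed toy parameters (q = 32749, n = 4, and a ternary noise distribution standing in for χ) that are far too small to give any security, and, since the Decrypt text breaks off after Equation 12.1, it completes decryption in the standard way by reading the coordinate of t^T C at which t^T G carries 2^{⌊log q⌋} ≈ q/2 and comparing it against q/4; that decoding rule, the threshold, and every function name below are assumptions of the example.

```python
import random

# Constructed toy parameters: an assumption of this example, chosen so the
# arithmetic is visible, and far too small to give any security.
Q = 32749                    # prime just below 2^15, so 2^floor(log2 q) is close to q/2
N = 4                        # LWE dimension n
K = Q.bit_length() - 1       # floor(log2 q)
M = (N + 1) * (K + 1)        # m = (n+1)(floor(log q)+1), as fixed in the notes


def mat_mul(X, Y, q=Q):
    """Ordinary matrix product with every entry reduced modulo q."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def gadget_G():
    """G as an (n+1) x m matrix: row i carries [1, 2, ..., 2^K] starting at
    column i*(K+1) and is zero everywhere else."""
    G = [[0] * M for _ in range(N + 1)]
    for i in range(N + 1):
        for b in range(K + 1):
            G[i][i * (K + 1) + b] = 1 << b
    return G


def G_inv(X):
    """Binary decomposition G^{-1}: an (n+1) x m matrix over Z_q becomes an
    m x m {0,1} matrix whose row i*(K+1)+b holds bit b of input row i."""
    return [[(x >> b) & 1 for x in row] for row in X for b in range(K + 1)]


def keygen(rng):
    """KeyGen: A <- Z_q^{n x m}, s <- Z_q^n, e <- chi^m, b = sA + e^T,
    secret key t = [-s ; 1], public key B = [A ; b]."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]   # chi taken as ternary noise (assumption)
    b = [(sum(s[i] * A[i][j] for i in range(N)) + e[j]) % Q for j in range(M)]
    t = [(-si) % Q for si in s] + [1]
    return A + [b], t


def encrypt(B, mu, rng):
    """Encrypt: R <- {0,1}^{m x m}, C = BR + mu*G, an (n+1) x m matrix."""
    R = [[rng.randrange(2) for _ in range(M)] for _ in range(M)]
    BR, G = mat_mul(B, R), gadget_G()
    return [[(BR[i][j] + mu * G[i][j]) % Q for j in range(M)] for i in range(N + 1)]


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def decrypt(t, C):
    """Decrypt: t^T C = e^T R + mu t^T G (Equation 12.1). The notes break off
    before saying how mu is read out; the usual completion (an assumption here)
    looks at the coordinate where t^T G equals 2^K ~ q/2 and tests whether that
    entry sits near 0 (mu = 0) or near q/2 (mu = 1)."""
    w = mat_mul([t], C)[0]
    j = N * (K + 1) + K          # last block of t^T G, the entry 2^K
    return 1 if abs(centered(w[j])) > Q // 4 else 0


def noise_norm(t, C, mu):
    """Infinity norm of the 'low norm error term' t^T C - mu t^T G."""
    w, tG = mat_mul([t], C)[0], mat_mul([t], gadget_G())[0]
    return max(abs(centered(w[j] - mu * tG[j])) for j in range(M))


def eval_mult(C1, C2):
    """Evaluate(x, C, C'): C_Mult = C G^{-1}(C'), again an (n+1) x m matrix."""
    return mat_mul(C1, G_inv(C2))


def demo(seed=1):
    """Encrypt both bits, multiply every pair, and report what decrypts along
    with the largest error norm seen in fresh and in product ciphertexts."""
    rng = random.Random(seed)
    B, t = keygen(rng)
    fresh = {mu: encrypt(B, mu, rng) for mu in (0, 1)}
    products = {(a, b): eval_mult(fresh[a], fresh[b]) for a in (0, 1) for b in (0, 1)}
    return {
        "fresh": {mu: decrypt(t, C) for mu, C in fresh.items()},
        "products": {ab: decrypt(t, C) for ab, C in products.items()},
        "fresh_noise": max(noise_norm(t, C, mu) for mu, C in fresh.items()),
        "product_noise": max(noise_norm(t, C, a * b) for (a, b), C in products.items()),
    }


if __name__ == "__main__":
    print(demo())   # products decrypt to {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
```

Running the block prints the decrypted product of every pair of bits. The `noise_norm` function exposes the "low norm error term" of Equation 12.1: a fresh ciphertext carries error of norm at most m, while one multiplication can push it to m^2 + m, which is exactly why the scheme is only leveled; the parameters must keep the accumulated error below the q/4 decoding margin for the depth of the circuit being evaluated.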

CPA-security, we have that for all messages μ_0, μ_1, Enc_pk(μ_0) ≈ Enc_pk(μ_1). Under something called Circular-Security, we have that for all messages μ_0, μ_1, (Enc_pk(μ_0), Enc_pk(sk)) ≈ (Enc_pk(μ_1), Enc_pk(sk)). Note that it is not known that CPA-security implies Circular-Security, and that Circular-Security is a stronger assumption. What we have shown is that if we had leveled-FHE with Circular-Security, then we can build a true FHE with unbounded homomorphism.

Remark 12.5. FHE with bounded homomorphism is often referred to as leveled-FHE. FHE with unbounded homomorphism is often just referred to as FHE.

Open Problem 12.6. Construct an FHE with unbounded homomorphism without relying on the additional circular security assumption.

Acknowledgement

These scribe notes were prepared by editing a light modification of the template designed by Alexander Sherstov.

References

[1] C. Gentry et al. Fully homomorphic encryption using ideal lattices. In STOC, volume 9, pages 169–178, 2009.