Difference between revisions of "Fully Homomorphic Encryption without Modulus Switching"

Revision as of 17:02, 18 January 2021

This scheme proposed by Brakerski ^[1] has a number of advantages over previous candidates such as BGV. In particular, it uses the same modulus throughout the evaluation process, so there's no need for modulus switching. Security of these scheme is baed on the hardness of the GapSVP problem.

Preliminaries

For an integer $q$ , write $\mathbb {Z} _{q}:=\left(-q/2,q/2\right]\cap \mathbb {Z}$ . This is not the same with the ring $\mathbb {Z} /q\mathbb {Z}$ . For any $x\in \mathbb {Q}$ , write $[x]_{p}$ for the unique value in $\left(-q/2,q/2\right]\cap \mathbb {Z}$ that is congruent to Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x } modulo $q$ .

If Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle v,w } are two Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n} -dimensional vectors, then the tensor product Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle v \otimes w } is the Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle n^2} dimensional vector containing all elements of the form Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle v[i]w[j]} . Note that

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle <v \otimes w, x \otimes y> = <v,x> \cdot <w,y> .}

Building Blocks of a homomorphic encryption scheme

We start by presenting Regev's ^[2] basic public-key encryption scheme.

The Regev scheme

Let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle q= q(n) } be an integer function and let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \chi(n) } be a distribution over Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathbb Z } . The scheme 'Regev' is defined as follows:

Regev.SecretKeygen( Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle 1^n } ): Sample Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s \leftarrow \mathbb Z_q^n } uniformly. Output Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle sk=s } .

Regev.PublicKeygen(Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s } ): Let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle N := (n+1)(\log q + O(1)) } . Sample uniformly Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle A \leftarrow \mathbb Z_q^{N \times n} } then sample Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle e \leftarrow \chi^N } . Compute Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle b := [A \cdot s + e]_q } . Here we apply Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle [\cdot]_q } to every entry in the $N$ -dimensional vector $A\cdot s+e$ and define

P:=[b\vert -A]\in \mathbb {Z} _{q}^{N\times (n+1)}

.

Output $pk=P$ .

Regev.Enc( $pk,m$ ): To encrypt a message $m\in \{0,1\}$ using $pk=P$ , sample $r\in \{0,1\}^{N}$ uniformly and output the ciphertext

c:=\left[P^{T}\cdot r+\left\lfloor {\frac {q}{2}}\right\rfloor \cdot {\hat {m}}\right]_{q}\in \mathbb {Z} _{q}^{n+1},

where ${\hat {m}}:=(m,0,\dots ,0)\in \{0,1\}^{n+1}$ .

Regev.Dec( $sk,c$ ): To decrypt $c\in \mathbb {Z} _{q}^{n+1}$ using the secret key $sk=s$ , compute

m:=\left[\left\lfloor 2\cdot {\frac {[<c,(1,2)>]_{q}}{q}}\right\rceil \right]_{2}.

In order to prove corectness, the author first shows (Lemma 3.1 in [1]) that if $q,n,N$ and $\chi$ - $B$ -bounded are parameters for the 'Regev' scheme described above and if $c$ is the fresh encryption of some message $m\in \{0,1\}$ , then

<c,(1,s)>=\left\lfloor {\frac {q}{2}}\right\rfloor \cdot m+e

for some $e$ with $|e|\leq N\cdot B$ .

Then, Lemma 3.2 in the same article asserts that if $s\in \mathbb {Z} ^{n}$ is some vector and $c\in \mathbb {Z} _{q}^{n+1}$ is such that

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle <c,(1,s)> = \left\lfloor \frac{q}{2} \right\rfloor \cdot m + e }

with Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle m \in \{ 0,1\} } and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle |e| < \lfloor q/2 \rfloor/2 } , then

Regev.Dec(Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s,c } )= Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle m} .

Brakerski claims that the security of this scheme reduces to the hardness of (a decisional variant of) LWE problem by classical arguments (originally due to Regev [2]).

Vector decompositions

Recall from BGV the procedures

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle BitDecomp_q(x) : \mathbb Z^n \to \{0,1 \}^{n \cdot \lceil \log q \rceil} }

and

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle PowersOfTwo_q(y) : \mathbb Z^n \to \mathbb Z_q^{n \cdot \lceil \log q \rceil}. }

When the modulus Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle q } is clear from the context we will omit its writing.

We also recall the property

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle <x,y> = <BitDecomp_q(x), PowersOfTwo_q(y)> \pmod{q} } .

Key switching

In the functions described below Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle q } is an integer and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \chi } is a distribution over Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathbb Z } .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle SwitchKeyGen_{q, \chi}(s,t } ): For a 'source' key $s\in \mathbb {Z} ^{n_{s}}$ and target key $t\in \mathbb {Z} ^{n_{t}}$ this outputs matrix with $n_{s}\cdot \lceil \log q\rceil$ rows and Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (n_t+1) } columns, very similar to an encryption of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle PowersOfTwo_q(s)} under the secret key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle t } . Let us call this matrix Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle P_{s:t} } .

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle SwithcKey_{q}(P_{s:t}, c_s) } : To switch a ciphertext from a secret key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle s } to Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle (1,t) } , output

Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_t := [P_{s:t}^T \cdot BitDecomp_q(c_s) ]_q } .

Details on the correctness and security of this scheme are given at the end of Section 3 in [1].

References

↑ Z. Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50
↑ O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84–93. ACM, 2005

[Brak.22-1] Z. Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50

[Regev-2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84–93. ACM, 2005

[1]

[2]

Revision as of 17:02, 18 January 2021 (view source) Gturcas (talk \| contribs) (→‎Key switching) ← Older edit		Revision as of 17:02, 18 January 2021 (view source) Gturcas (talk \| contribs) (→‎Key switching) Newer edit →
Line 71:		Line 71:
	In the functions described below <math>q </math> is an integer and <math> \chi </math> is a distribution over <math>\mathbb Z </math>.		In the functions described below <math>q </math> is an integer and <math> \chi </math> is a distribution over <math>\mathbb Z </math>.

−	*<math> SwitchKeyGen_{q, \ci}(s,t </math>): For a 'source' key <math> s \in \mathbb Z^{n_s} </math> and target key <math>t \in \mathbb Z^{n_t} </math> this outputs matrix with <math>n_s \cdot \lceil \log q \rceil </math> rows and <math>(n_t+1) </math> columns, very similar to an encryption of <math>PowersOfTwo_q(s)</math> under the secret key <math>t </math>. Let us call this matrix <math>P_{s:t} </math>.	+	*<math> SwitchKeyGen_{q, \chi}(s,t </math>): For a 'source' key <math> s \in \mathbb Z^{n_s} </math> and target key <math>t \in \mathbb Z^{n_t} </math> this outputs matrix with <math>n_s \cdot \lceil \log q \rceil </math> rows and <math>(n_t+1) </math> columns, very similar to an encryption of <math>PowersOfTwo_q(s)</math> under the secret key <math>t </math>. Let us call this matrix <math>P_{s:t} </math>.

Difference between revisions of "Fully Homomorphic Encryption without Modulus Switching"

Revision as of 17:02, 18 January 2021

Contents

Preliminaries

Building Blocks of a homomorphic encryption scheme

The Regev scheme

Vector decompositions

Key switching

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools