Difference between revisions of "Fully Homomorphic Encryption without Modulus Switching"
Line 68: | Line 68: | ||
===Key switching=== | ===Key switching=== | ||
+ | |||
+ | In the functions described below <math>q </math> is an integer and <math> \chi </math> is a distribution over <math>\mathbb Z </math>. | ||
+ | |||
+ | *<math> SwitchKeyGen_{q, \ci}(s,t </math>): For a 'source' key <math> s \in \mathbb Z^{n_s} </math> and target key <math>t \in \mathbb Z^{n_t} </math> this outputs matrix with <math>n_s \cdot \lceil \log q \rceil </math> rows and <math>(n_t+1) </math> columns, very similar to an encryption of <math>PowersOfTwo_q(s)</math> under the secret key <math>t </math>. Let us call this matrix <math>P_{s:t} </math>. | ||
+ | |||
+ | |||
+ | * <math>SwithcKey_{q}(P_{s:t}, c_s) </math>: To switch a ciphertext from a secret key <math> s </math> to <math>(1,t) </math>, output | ||
+ | |||
+ | <center><math> c_t := [P_{s:t}^T \cdot BitDecomp_q(c_s) ]_q </math>.</center> | ||
+ | |||
+ | Details on the correctness and security of this scheme are given at the end of Section 3 in [1]. | ||
==References== | ==References== |
Revision as of 14:02, 18 January 2021
This scheme proposed by Brakerski [1] has a number of advantages over previous candidates such as BGV. In particular, it uses the same modulus throughout the evaluation process, so there's no need for modulus switching. Security of these scheme is baed on the hardness of the GapSVP problem.
Contents
Preliminaries
For an integer , write . This is not the same with the ring . For any , write for the unique value in that is congruent to modulo .
If are two -dimensional vectors, then the tensor product is the dimensional vector containing all elements of the form . Note that
Building Blocks of a homomorphic encryption scheme
We start by presenting Regev's [2] basic public-key encryption scheme.
The Regev scheme
Let be an integer function and let be a distribution over . The scheme 'Regev' is defined as follows:
- Regev.SecretKeygen( ): Sample uniformly. Output .
- Regev.PublicKeygen(): Let . Sample uniformly then sample . Compute . Here we apply to every entry in the -dimensional vector and define
Output .
- Regev.Enc(): To encrypt a message using , sample uniformly and output the ciphertext
where .
- Regev.Dec(): To decrypt using the secret key , compute
In order to prove corectness, the author first shows (Lemma 3.1 in [1]) that if and - -bounded are parameters for the 'Regev' scheme described above and if is the fresh encryption of some message , then
for some with .
Then, Lemma 3.2 in the same article asserts that if is some vector and is such that
with and , then
Brakerski claims that the security of this scheme reduces to the hardness of (a decisional variant of) LWE problem by classical arguments (originally due to Regev [2]).
Vector decompositions
Recall from BGV the procedures
and
When the modulus is clear from the context we will omit its writing.
We also recall the property
Key switching
In the functions described below is an integer and is a distribution over .
- Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle SwitchKeyGen_{q, \ci}(s,t } ): For a 'source' key and target key this outputs matrix with rows and columns, very similar to an encryption of under the secret key . Let us call this matrix .
- : To switch a ciphertext from a secret key to , output
Details on the correctness and security of this scheme are given at the end of Section 3 in [1].
References
- ↑ Z. Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50
- ↑ O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84–93. ACM, 2005