A Simple BGN-Type Cryptosystem from LWE Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research

Mar 26, 2015

Page 1

A Simple BGN-Type Cryptosystem from LWE

Craig Gentry, Shai Halevi, Vinod Vaikuntanathan (IBM Research)

Page 2

Perspective

Page 3

Homomorphic Encryption in three easy steps [G’09]

• Step 1: Encryption from linear codes
• SK/PK are a good/bad representation of the code
• Bad representation: can’t tell words close to the code from random
• Good representation: can be used to correct many errors
• Additive homomorphism “for free”

• Step 2: ECC lives inside a ring
• We have both additive and multiplicative structure
• If the code is an ideal, also multiplicative homomorphism, for low-degree polynomials

• Step 3: Bootstrapping, Squashing, etc.

Page 4

Instances of this Paradigm

• Ring of polynomials [G’09]
• Ring of integers [vDGHV’10]
• This work: how about the ring of matrices?

• Doesn’t quite work like the others
• We only get additive HE + one multiplication
• Quadratic formulas, as in [BGN’05]
• But more efficient and more flexible
• Can be made leakage-resilient, identity-based

Page 5

Background

Page 6

Learning with Errors (LWE)

Search-LWE: Given A, c, find s, x
• [R’05, P’09] As hard as the worst case of some lattice problems

[Figure: c = As + x mod q, with A ∈ Z_q^{m×n} random, s ∈ Z_q^n, and x small]

• n – security parameter
• q = poly(n)
• m > n log q

Page 7

Learning with Errors (LWE)

Decision-LWE: Distinguish c from random
• [R’05] as hard as finding s, x
• For certain parameters

[Figure: c = As + x mod q, with A ∈ Z_q^{m×n} random, s ∈ Z_q^n, x small; c is close to the linear code spanned by A]

• n – security parameter
• q = poly(n)
• m > n log q

Page 8

Learning with Errors (LWE)

• Many LWE instances with the same A
• Same hardness (easy hybrid argument)

[Figure: C = AS + X mod q, with A ∈ Z_q^{m×n} random, S ∈ Z_q^{n×m}, and X ∈ Z^{m×m} small]

Page 9

Ajtai’s Trapdoors

• [A’96] Given A, hard to find small t s.t. tA = 0 mod q
• As hard as the worst case of some lattice problems
• [A’99] But it is possible to generate A together with a small, full-rank T such that TA = 0 mod q
• [Alwen-Peikert’08] Even smaller T

[Figure: A random; T small and full rank; TA = 0 mod q]

Page 10

Trapdoor Functions [GPV’08]

• (A, s, x) → As + x is a trapdoor function
• Can use T to correct errors:
• c = As + x
• Tc = T(As + x) = Tx mod q
• But T, x are small, so Tx << q
• (Tc mod q) = Tx, equality over the integers
• T^-1 (Tc mod q) = x

Page 11

Our Cryptosystem

Page 12

Step 1: Encryption from linear ECCs

• The code is the column space of A mod q: { As : s ∈ Z_q^n }
• Bad representation (PK) is A itself
• Given A, it is hard to distinguish words close to the code from random words (LWE)
• Good representation (SK) is T
• Can use T to correct errors

Page 13

Step 1: Encryption from linear ECCs

• PK: A, SK: T
• Encoding: the plaintext is the LSB of the error matrix
• Plaintext is a binary matrix B ∈ {0,1}^{m×m}
• Enc(A, B): Choose random S ∈ Z_q^{n×m} and small E ∈ Z^{m×m}; output C = AS + X mod q, where X = 2E + B
• Dec(T, C): Set X ← T^-1 (TC mod q); output B = X mod 2

Page 14

Step 1: Encryption from linear ECCs

• Security follows from LWE (for odd q)
Thm: Under LWE, for any B, Enc_A(B) is indistinguishable from random
Proof: Given LWE input (A, C’)
• Either C’ = AS + E or C’ is random:
• Set C = 2C’ + B mod q
• If C’ = AS + E then C = A(2S) + (2E + B) mod q, a random encryption of B
• If C’ is random then so is C

Page 15

Step 1: Encryption from linear ECCs

Additive homomorphism “for free”

• C = C1 + C2
  = (AS1 + (2E1 + B1)) + (AS2 + (2E2 + B2))
  = A(S1 + S2) + 2(E1 + E2) + (B1 + B2) mod q
• T^-1 (TC mod q) = X = B1 + B2 mod 2
• As long as X << q

Page 16

Step 2: ECC lives inside a ring

• Multiply C1 × C2 mod q?
• (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2))
  = A(…) + (2E1 + B1)AS2 + 2(…) + B1B2 mod q
• Not what we wanted
• Cannot use T to cancel out (2E1 + B1)AS2
• Matrix multiplication is not commutative

Page 17

Step 2: ECC lives inside a ring

• How about C = C1 × C2^t mod q?
• (AS1 + (2E1 + B1)) (AS2 + (2E2 + B2))^t
  = A(…) + (…)A^t + 2(…) + B1B2^t mod q
• That’s better:
• TCT^t = TXT^t mod q
• X = (2E1 + B1)(2E2 + B2)^t is still small
• TCT^t mod q = TXT^t over the integers
• T^-1 (TCT^t mod q) (T^t)^-1 = X = B1B2^t mod 2

Page 18

What Did We Get?

• KeyGen: Generate (A, T)
• Enc(A, B): C ← AS + 2E + B mod q
• Add(C1, C2): C ← C1 + C2 mod q
• Mult(C1, C2): C ← C1C2^t mod q
• Dec(T, C): B ← T^-1 (TCT^t mod q) (T^t)^-1 mod 2
• Can decrypt any quadratic formula with polynomially many terms
• With appropriate parameters
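The four algorithms above (Enc, Add, Mult, Dec), as an added toy implementation that is not code from the paper: the key T is a hand-built 3×3 circulant with q = det(T), the public key A is one column of adj(T) (so n = 1 and the instance has no security; it only exercises the decryption arithmetic and the noise bound |TXT^t| < q/2 on which it rests).

```python
import random

# Toy instance constructed for this example (NOT secure): n = 1 and the trapdoor is hand-built.
# T is a small 3x3 circulant with det(T) = a^3 + b^3, and we set q = det(T) so that
# T * adj(T) = q * I = 0 mod q, i.e. every column of adj(T) lies in ker(T) mod q.
M, N = 3, 1
a, b = 211, 2
Q = a**3 + b**3                                   # q = 9393939, odd
T = [[a, 0, b], [b, a, 0], [0, b, a]]             # secret key: small, full rank over Z
ADJ = [[a*a, b*b, -a*b], [-a*b, a*a, b*b], [b*b, -a*b, a*a]]   # adj(T) = q * T^-1
A = [[ADJ[i][0] % Q] for i in range(M)]           # public key (m x n): a column of ker(T) mod q

def matmul(X, Y, mod=None):
    R = [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))] for i in range(len(X))]
    return [[v % mod for v in row] for row in R] if mod else R

def transpose(X):
    return [list(r) for r in zip(*X)]

def add(C1, C2, mod=None):                        # Add(C1, C2) = C1 + C2 mod q
    mod = mod or Q
    return [[(x + y) % mod for x, y in zip(r1, r2)] for r1, r2 in zip(C1, C2)]

def enc(B, rng=random):                           # Enc(A, B) = A*S + 2E + B mod q
    S = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]        # random S in Z_q^{n x m}
    E = [[rng.choice([-1, 0, 1]) for _ in range(M)] for _ in range(M)]   # small error E
    X = [[2 * E[i][j] + B[i][j] for j in range(M)] for i in range(M)]    # X = 2E + B, |X| <= 3
    return add(matmul(A, S), X)

def mult(C1, C2):                                 # Mult(C1, C2) = C1 * C2^t mod q
    return matmul(C1, transpose(C2), Q)

def dec(C):                                       # Dec(T, C) = T^-1 (T C T^t mod q) (T^t)^-1 mod 2
    Y = matmul(matmul(T, C), transpose(T), Q)     # the A-terms vanish since TA = 0, leaving T X T^t mod q
    Y = [[y - Q if y > Q // 2 else y for y in row] for row in Y]   # lift to Z; exact while |T X T^t| < q/2
    Z = matmul(matmul(ADJ, Y), transpose(ADJ))    # adj(T) Y adj(T)^t = q^2 * X exactly
    assert all(z % (Q * Q) == 0 for row in Z for z in row), "noise too large: lift was not exact"
    return [[(z // (Q * Q)) % 2 for z in row] for row in Z]

if __name__ == "__main__":
    rng = random.Random(7)
    B1, B2 = [[1, 0, 1], [0, 1, 1], [1, 1, 0]], [[0, 1, 1], [1, 0, 0], [1, 1, 1]]
    C1, C2 = enc(B1, rng), enc(B2, rng)
    print(dec(mult(C1, C2)))                      # B1 * B2^t mod 2 = [[1, 1, 0], [0, 0, 0], [1, 1, 0]]
```

With these parameters a sum of two products has |X| ≤ 54 and |TXT^t| ≤ (a+b)^2 · 54 < q/2, so any quadratic formula with two product terms still decrypts; a third row of T with larger entries, or a third term, would break the lift.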

Page 19

What Did We Get?

• KeyGen: Generate (A, T)
• Enc(A, B): C ← AS + pE + B mod q
• Add(C1, C2): C ← C1 + C2 mod q
• Mult(C1, C2): C ← C1C2^t mod q
• Dec(T, C): B ← T^-1 (TCT^t mod q) (T^t)^-1 mod p
• Can decrypt any quadratic formula with polynomially many terms
• With appropriate parameters
• Can replace 2 by any p << q

Page 20

Extensions, Applications

• Can apply the [AMGH’10] transformation
• Get homomorphism for low-degree polynomials
• “Dual Regev encryption” [GPV’08] is a special case of our scheme*
• Leakage resilience
• IBE
• Efficient quadratic-formula homomorphism for polynomials, big integers

* After changing the encoding of the plaintext

Page 21

Thank You

Page 22

2-of-2 Decryption

• Alice has key-pair (A1, T1), Bob has (A2, T2)
• Charlie encrypts B1 to Alice: C1 ← [A1S1 + X1]_q
• Dora encrypts B2 to Bob: C2 ← [A2S2 + X2]_q
• Zachariah sets C* = [C1 C2^t]_q
• C* looks random to either Alice or Bob
• Pulling their keys together, they can recover B1B2^t
• B1B2^t = T1^-1 [T1 C* T2^t]_q (T2^t)^-1 mod 2
• Can also “blind” C* to hide its relation to C1, C2

Page 23

Multiplying Polynomials

• p(x) = p0 + p1x + p2x^2, q(x) = q0 + q1x + q2x^2

  P = [ p2  p1  p0 ]      Q = [ q0  q1  q2 ]
      [ 0   p2  p1 ]          [ 0   q0  q1 ]
      [ 0   0   p2 ]          [ 0   0   q0 ]

  PQ^t + R = [ p0q2+p1q1+p2q0   p0q1+p1q0   p0q0 ]
             [ p1q2+p2q1        $           $    ]
             [ p2q2             $           $    ]

  R = [ 0  0  0 ]
      [ 0  $  $ ]
      [ 0  $  $ ]

• The first row and first column of PQ^t hold the coefficients of p(x)q(x); the entries marked $ are masked by R
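The encoding on this slide for two polynomials of the same degree d, as an added example (not from the slides): p and q are assumed given as coefficient lists, low degree first, and R is assumed to be zero on the first row and first column and random elsewhere.

```python
import random

def poly_matrices(p, q):
    """Build the (d+1)x(d+1) upper-triangular Toeplitz matrices of the slide: row i of P holds
    the coefficients of p in reverse order (p_d ... p_0) shifted right by i, row i of Q holds
    q_0 ... q_d shifted right by i.  p and q are coefficient lists, low degree first, same length."""
    d = len(p) - 1
    P = [[p[d - (j - i)] if j >= i else 0 for j in range(d + 1)] for i in range(d + 1)]
    Q = [[q[j - i] if j >= i else 0 for j in range(d + 1)] for i in range(d + 1)]
    return P, Q

def mul_transpose(P, Q):
    """P * Q^t over the integers (the plaintext arithmetic of the slide, no modulus)."""
    n = len(P)
    return [[sum(P[i][k] * Q[j][k] for k in range(n)) for j in range(n)] for i in range(n)]

def mask(M, rng, bound):
    """Add the masking matrix R: random entries in the '$' slots (off the first row and
    column), zeros on the first row and first column, so the product coefficients survive."""
    n = len(M)
    return [[M[i][j] + (rng.randrange(-bound, bound + 1) if i and j else 0) for j in range(n)] for i in range(n)]

def read_product(M):
    """Read the 2d+1 coefficients of p*q (low degree first) from M = P Q^t + R: the first row
    holds degrees d, d-1, ..., 0 left to right; the first column holds degrees d, ..., 2d top down."""
    d = len(M) - 1
    return [M[0][d - k] for k in range(d + 1)] + [M[k - d][0] for k in range(d + 1, 2 * d + 1)]

def poly_mul_via_matrices(p, q, seed=0):
    """Multiply two equal-length coefficient lists through the slide's encoding, with masking."""
    P, Q = poly_matrices(p, q)
    return read_product(mask(mul_transpose(P, Q), random.Random(seed), bound=10**6))
```

In the cryptosystem P and Q would be the two plaintext matrices (entries reduced mod the plaintext modulus p, which must exceed the coefficient size), and PQ^t + R is what Mult followed by a blinding addition decrypts to.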

Page 24

Dual Regev Encryption [GPV’08]

• The Dual-Regev cryptosystem is an instance of our scheme with T = u (the figure shows a single vector u in place of the full-rank matrix T)
• A different input encoding than [GPV’08]
• T is no longer invertible
• But we can still recover the top-left entry of B
• It is known to be IBE, leakage-resilient
• Still true with the new input encoding
• And now it supports quadratic formulas