Lattice Based Cryptography
Lattice 2K21, III — Advanced Encryption Schemes
Wenling Liu, Shanghai Jiao Tong University
Wenling Liu @ SJTU

Apr 20, 2022


Table of Contents

Trapdoor Extension

Key-Homomorphic Encryption & Attribute-Based Encryption

Fully-Homomorphic Encryption I — GSW13 Scheme

Fully-Homomorphic Encryption II — BGV12 Scheme

Predicate Encryption — GVW15


Section 1

Trapdoor Extension

Left Extension of Lattice Trapdoor

We’ve known that a given matrix $A \in \mathbb{Z}_q^{n \times m}$ can be regarded as a lattice

$\Lambda^\perp(A) = \{z = Ax \bmod q : x \in \mathbb{Z}_q^m\}$

Let $T$ be a trapdoor of $A$. How does it work on $F = [A|S]$ (where $S \in \mathbb{Z}_q^{n \times m}$)? We introduce

Theorem ([CHKP10]). For any $A \in \mathbb{Z}_q^{n \times m}$ whose columns generate $\mathbb{Z}_q^n$, there exists an algorithm ExtLeft that extends any basis $T$ of $A$ to a basis $T_F$ of $F$ s.t. $\|T_F\| = \|T\|$.

Proof on next page.

Left Extension of Lattice Trapdoor

Proof. Let $m' = m + m$. ExtLeft($A, S, T$) works as follows:
1. Work out a solution $W \in \mathbb{Z}_q^{m \times m}$ s.t. $AW = -S$.
2. Output

$T_F = \begin{bmatrix} T & W \\ 0 & I \end{bmatrix}$

We have
• $T_F$ is full-rank;
• $F T_F = 0$;
• $\|\widetilde{T_F}\| = \left\| \widetilde{\begin{bmatrix} T & W \\ 0 & I \end{bmatrix}} \right\| = \left\| \begin{bmatrix} \widetilde{T} & 0 \\ 0 & I \end{bmatrix} \right\| = \|\widetilde{T}\|$

Thus $T_F$ is what we want.
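The following Python is an added example, not code from the slides or from [CHKP10]. It carries out ExtLeft on a constructed toy instance: the prime modulus q = 257 and the shape A = [I_n | A_2] are assumptions chosen so that a basis T of the kernel lattice {x : Ax = 0 mod q} (the condition F·T_F = 0 in the proof needs A·T = 0) can be written down directly. The solver for AW = −S, the block matrix T_F and the exact Gram–Schmidt norm comparison follow the proof above.

```python
from fractions import Fraction
import random

Q = 257          # prime modulus (constructed toy parameter)
N, M = 2, 6      # A is n x m; F = [A | S] with S also n x m
rng = random.Random(2022)

def matmul_mod(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def solve_mod_prime(A, B):
    """Particular solution W of A W = B (mod Q) by Gaussian elimination over Z_Q.
    Assumes Q is prime and the rows of A are independent mod Q; free variables are set to 0."""
    n, m = len(A), len(A[0])
    aug = [[a % Q for a in A[i]] + [b % Q for b in B[i]] for i in range(n)]
    pivots, r = [], 0
    for c in range(m):
        p = next((i for i in range(r, n) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, Q)
        aug[r] = [x * inv % Q for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % Q for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    if r < n:
        raise ValueError("A does not have full row rank mod Q")
    W = [[0] * len(B[0]) for _ in range(m)]
    for i, c in enumerate(pivots):
        W[c] = aug[i][m:]
    return W

def toy_trapdoor():
    """Constructed instance: A = [I_n | A2] with random A2, and a basis T of the kernel
    lattice {x : A x = 0 mod Q} written down directly (columns Q*e_i and (-A2 e_j, e_j))."""
    A2 = [[rng.randrange(Q) for _ in range(M - N)] for _ in range(N)]
    A = [[int(i == j) for j in range(N)] + A2[i] for i in range(N)]
    T = [[0] * M for _ in range(M)]
    for i in range(N):
        T[i][i] = Q
        for j in range(M - N):
            T[i][N + j] = -A2[i][j]
    for j in range(M - N):
        T[N + j][N + j] = 1
    return A, T

def ext_left(A, S, T):
    """ExtLeft(A, S, T) as on the slide: solve A W = -S mod q, output T_F = [[T, W], [0, I]]."""
    W = solve_mod_prime(A, [[(-x) % Q for x in row] for row in S])
    m, k = len(T), len(S[0])
    TF = [T[i] + W[i] for i in range(m)]
    TF += [[0] * m + [int(i == j) for j in range(k)] for i in range(k)]
    return TF

def gs_norm_sq(B):
    """Squared Gram-Schmidt norm max_i ||b~_i||^2 of the columns of B, in exact arithmetic."""
    cols = [[Fraction(B[i][j]) for i in range(len(B))] for j in range(len(B[0]))]
    gs, best = [], Fraction(0)
    for c in cols:
        v = c[:]
        for u in gs:
            mu = sum(x * y for x, y in zip(c, u)) / sum(x * x for x in u)
            v = [x - mu * y for x, y in zip(v, u)]
        gs.append(v)
        best = max(best, sum(x * x for x in v))
    return best

def demo():
    """Extend a toy trapdoor and report the properties claimed in the proof."""
    A, T = toy_trapdoor()
    S = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    TF = ext_left(A, S, T)
    F = [A[i] + S[i] for i in range(N)]
    return {
        "A_T_zero": all(x == 0 for row in matmul_mod(A, T) for x in row),
        "F_TF_zero": all(x == 0 for row in matmul_mod(F, TF) for x in row),
        "gs_norm_kept": gs_norm_sq(TF) == gs_norm_sq(T),
        "dim": (len(TF), len(TF[0])),
    }

if __name__ == "__main__":
    print(demo())
```

The Gram–Schmidt comparison is done on squared norms with exact fractions, so the equality $\|\widetilde{T_F}\| = \|\widetilde{T}\|$ is checked without floating-point rounding; the extra columns of $T_F$ orthogonalize to $(0, e_j)$, which is why the maximum is unchanged.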

Hermite Normal Form

Definition (Hermite Normal Form). Let $T \in \mathbb{Z}^{m \times m}$. We say $T$ is in Hermite Normal Form (HNF) if
• it is a lower triangular matrix, and all elements are nonnegative;
• $t_{i,j} < t_{i,i}$ for all $i$ and $j < i$.

Example.

$\begin{bmatrix} 7 & 0 & 0 & 0 \\ 0 & 3 & 0 & 0 \\ 2 & 3 & 4 & 0 \\ 1 & 0 & 1 & 2 \end{bmatrix}$

Hermite Normal Form

An integer lattice basis can be transformed to HNF by elementary transformations.

Example.

$\begin{bmatrix} 4 & 2 & 6 & 4 \\ 3 & 9 & 12 & 3 \\ -3 & 6 & 2 & 7 \\ 5 & 3 & 5 & 5 \end{bmatrix} \xrightarrow{\mathrm{i} \leftrightarrow \mathrm{ii}} \begin{bmatrix} 2 & 4 & 6 & 4 \\ 9 & 3 & 12 & 3 \\ 6 & -3 & 2 & 7 \\ 3 & 5 & 5 & 5 \end{bmatrix} \rightarrow \begin{bmatrix} 2 & 0 & 0 & 0 \\ 9 & -15 & -15 & -15 \\ 6 & -15 & -16 & -5 \\ 3 & -1 & -10 & -5 \end{bmatrix}$

$\rightarrow \begin{bmatrix} 2 & 0 & 0 & 0 \\ 9 & 15 & 0 & 0 \\ 6 & 15 & -1 & 10 \\ 3 & 1 & -9 & -4 \end{bmatrix} \rightarrow \begin{bmatrix} 2 & 0 & 0 & 0 \\ 9 & 15 & 0 & 0 \\ 6 & 15 & 1 & 0 \\ 3 & 5 & 9 & 40 \end{bmatrix} \rightarrow \begin{bmatrix} 2 & 0 & 0 & 0 \\ 9 & 15 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ -51 & -130 & 9 & 40 \end{bmatrix} \rightarrow \begin{bmatrix} 2 & 0 & 0 & 0 \\ 9 & 15 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 29 & 30 & 9 & 40 \end{bmatrix}$

Note. Every single step is a basis of the same lattice.

Hermite Normal Form I

Fact. Every integer lattice has a unique HNF basis.

Prove it by yourself by the following steps. Let

$\begin{bmatrix} a_{11} & & & \\ a_{21} & a_{22} & & \\ \vdots & & \ddots & \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{bmatrix}$

be the basis of $\Lambda$, and prove:
1. For $V = \{v \in \Lambda : v_1 \neq 0\}$, $a_{11} = \gcd_{v \in V}(v_1)$.
2. The matrix

$\begin{bmatrix} a_{22} & & \\ \vdots & \ddots & \\ a_{n2} & \cdots & a_{nn} \end{bmatrix}$

is the basis of $\Lambda \cap (\{0\} \times \mathbb{R}^{n-1})$, which is a sublattice of $\Lambda$.

Hermite Normal Form II

3. The $a_{i,i}$ in $H$ have to be fixed uniquely.
4. $(a_{21}, \cdots, a_{n1})$ has to be unique when reduced modulo $h_2, \cdots, h_n$.

Fact. Given a lattice basis, its HNF can be computed efficiently. Proof in Micciancio’s lecture.
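As an added example (not code from the slides), the Python below computes the lower-triangular HNF of an integer basis with unimodular column operations, the same kind of elementary transformations the worked example above uses. It is run on the slide’s starting basis and on the slide’s HNF example matrix; the unimodular matrix U used to produce a second basis of the same lattice is a constructed choice.

```python
from fractions import Fraction

# the starting basis and the HNF example from the slides (rows listed as on the slides)
SLIDE_BASIS = [[4, 2, 6, 4], [3, 9, 12, 3], [-3, 6, 2, 7], [5, 3, 5, 5]]
SLIDE_HNF = [[7, 0, 0, 0], [0, 3, 0, 0], [2, 3, 4, 0], [1, 0, 1, 2]]
# a constructed unimodular matrix (det 1): B*U is another basis of the lattice spanned by B
UNIMODULAR = [[1, 0, 0, 0], [2, 1, 0, 0], [0, 3, 1, 0], [1, 0, -2, 1]]

def hnf(basis):
    """Lower-triangular HNF of a nonsingular integer basis given as rows (the columns are
    the basis vectors). Only unimodular column operations are applied, so every
    intermediate matrix is a basis of the same lattice, as the slide notes."""
    n = len(basis)
    A = [row[:] for row in basis]

    def col_sub(j, k, c):  # column_j -= c * column_k
        for r in range(n):
            A[r][j] -= c * A[r][k]

    def col_swap(j, k):
        for r in range(n):
            A[r][j], A[r][k] = A[r][k], A[r][j]

    for i in range(n):
        for j in range(i + 1, n):      # Euclid across row i clears everything right of the pivot
            while A[i][j] != 0:
                col_sub(i, j, A[i][i] // A[i][j])
                col_swap(i, j)
        if A[i][i] == 0:
            raise ValueError("basis is singular")
        if A[i][i] < 0:                # make the pivot positive
            for r in range(n):
                A[r][i] = -A[r][i]
        for j in range(i):             # reduce entries left of the pivot into [0, a_ii)
            col_sub(j, i, A[i][j] // A[i][i])
    return A

def is_hnf(H):
    n = len(H)
    return all(H[i][j] == 0 for i in range(n) for j in range(i + 1, n)) and all(
        H[i][i] > 0 and all(0 <= H[i][j] < H[i][i] for j in range(i)) for i in range(n))

def det(mat):
    """Exact determinant by fraction-valued Gaussian elimination (row operations)."""
    n = len(mat)
    A = [[Fraction(x) for x in row] for row in mat]
    d = Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return d

def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]

def diag_product(H):
    """Product of the diagonal: the lattice determinant for a triangular basis."""
    p = 1
    for i in range(len(H)):
        p *= H[i][i]
    return p

if __name__ == "__main__":
    for row in hnf(SLIDE_BASIS):
        print(row)
```

Two checks make the uniqueness fact concrete: the diagonal product of the HNF equals $|\det|$ of the original basis (column operations preserve the lattice determinant), and the basis $B \cdot U$ for a unimodular $U$ yields the same HNF as $B$.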

Trapdoor Delegation

In the trapdoor delegation setting, $(A, T_A)$ is the master key pair. One holding $T_A$ could delegate a trapdoor $T_F$ for any $F = [A|S]$, s.t.
• $T_F$ keeps the secrecy of $T_A$;
• $T_F$ is still a good key.

Recall

Lemma ([MG02]). There is a deterministic polynomial-time algorithm ToBasis s.t. given an arbitrary basis $B$ of an $n$-dimensional lattice $\Lambda = \mathcal{L}(B)$ and a full-rank set of lattice vectors $D \subset \Lambda$, ToBasis($D$, $B$) outputs a basis $T$ of $\Lambda$ such that $\|T\| \le \|D\|$ (column by column, for all $i \in [n]$).

ToBasis asks for two inputs:
• $D$ can be sampled by Gaussian sampling;
• $B$ can be the unique HNF basis of the lattice.

Trapdoor Delegation

We construct the delegation algorithm DeleLeft as follows.

DeleLeft($A, S, T_A$):
1. Compute $T \leftarrow$ ExtLeft($A, S, T_A$).
2. Run $v \leftarrow$ SampleD($T$, $s \ge \|\widetilde{T}\| \cdot \omega(\sqrt{\log n})$) to sample $m'$ independent vectors on $\Lambda^\perp(F)$, denoted by $V$.
3. Run $T_F =$ ToBasis($V$, HNF($B$)) and output $T_F$.

Since different $B$ generate statistically close $V$, the algorithm’s output is rarely affected by the input basis.

If we only need a basis of $F$ for sampling, we can use the $T$ above. We call this kind of sampling SampleLeft.

SampleLeft($A, B, T_A, u$) $\to z$ : $[A|B]z = u$

Right Extension

Right Extension is another extension technique that extends the lattice trapdoor.

For a matrix $S$, we define a constant of it:

$\sigma_S := \sup_{\|x\| = 1} \|Sx\|$

Lemma ([ABB10, Boy10]). There exists an efficient algorithm ExtRight which, on input
• $A \in \mathbb{Z}_q^{n \times m}$;
• $B \in \mathbb{Z}_q^{n \times m}$ whose columns generate $\mathbb{Z}_q^n$;
• a matrix $S \in \mathbb{Z}_q^{m \times m}$;
• a basis $T_B$ of $B$;
outputs a basis $T_F$ of $F$ s.t. $\|T_F\| \le \|T_B\|(\sigma_S + 1)$.

Right Extension

Let $m' = m + m$ and $T_B = [t_1, \cdots, t_m]$. ExtRight($A, B, R, T_B$) works as follows.
1. Find $m'$ independent vectors (denoted by $V$) on $\Lambda^\perp(F)$ s.t. $\|V\| < \|T_B\|(\sigma_S + 1)$ by the following steps:
   • For $i = 1, \cdots, m$ set $v_i = (-S t_i, t_i)$;
   • For $i = 1, \cdots, m$ let $w_i$ be the $i$-th column of $I_m$. Let $u_i$ be an arbitrary vector s.t. $A w_i + B u_i = 0$, and set
   $t_{m+i} = \begin{bmatrix} w_i - S u_i \\ u_i \end{bmatrix}$.
2. Work out an arbitrary basis $T$ of $F$.
3. Run $T_F \leftarrow$ ToBasis($V, B$) to gain a basis of $F$ and output $T_F$.

We can construct DeleRight like we’ve done for DeleLeft.


Homework

Learn the IBE scheme in RO model given by [CHKP10] and its security proof.

Section 2

Key-Homomorphic Encryption & Attribute-Based Encryption

Tensor (Kronecker) Product

The tensor product of two matrices $A \in \mathbb{F}^{n \times m}$ and $B$ can be defined as

$A \otimes B = \begin{bmatrix} a_{11}B & a_{12}B & \cdots & a_{1m}B \\ a_{21}B & a_{22}B & \cdots & a_{2m}B \\ \vdots & \vdots & & \vdots \\ a_{n1}B & a_{n2}B & \cdots & a_{nm}B \end{bmatrix}$

Facts.
• $(A \otimes B) \otimes C = A \otimes (B \otimes C)$
• $(A \otimes B)^T = A^T \otimes B^T$
• $(A \otimes B)(C \otimes D) = (AC) \otimes (BD)$

Gadget Lattice

For $k = \lceil \log q \rceil$, we define $g$ to be

$g := (1, 2, 4, \cdots, 2^{k-1})$

Then for any $a \in \{0,1\}^k$, $a$ is the binary form of $A = g^T a$ (LSB→MSB). This operation can be extended to vectors/matrices: for

$G = \begin{bmatrix} \cdots g^T \cdots & & & \\ & \cdots g^T \cdots & & \\ & & \ddots & \\ & & & \cdots g^T \cdots \end{bmatrix} = I \otimes g^T \in \mathbb{Z}_q^{n \times nk}$

and $a \in \{0,1\}^{nk}$, we have

$Ga = (A_1, \cdots, A_n) \in \mathbb{Z}_q^n$

where $a$ is the binary form of $A_1, \cdots, A_n$.


Gadget Lattice

Gadget Lattice is a powerful tool introduced by [MP12].

Gadget Lattice

We also define a function $G^{-1} : \mathbb{Z}_q^n \to \mathbb{Z}_q^{nk}$ s.t.

Note that $G^{-1}$ is not a matrix.

We have $G \cdot G^{-1}(A) = A$.

Example. In $\mathbb{Z}_7$, we have
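The Python below is an added example (not code from the slides or from [MP12]) for the three slides above: it builds the Kronecker product, checks the three listed facts on constructed sample matrices, forms $G = I_n \otimes g^T$ with $g = (1, 2, \dots, 2^{k-1})$ so that $G$ is $n \times nk$, and implements $G^{-1}$ as bit decomposition (LSB first). The modulus is the slide’s $\mathbb{Z}_7$; the vectors and matrices fed in are constructed for the demonstration.

```python
Q = 7                        # the slide's example modulus Z_7 (sample vectors below are constructed)
K = (Q - 1).bit_length()     # k = ceil(log2 q) = 3 bits per Z_q entry

def kron(A, B):
    """Kronecker product A ⊗ B: block (i, j) of the result is a_ij * B."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def transpose(X):
    return [list(col) for col in zip(*X)]

def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def gadget(n):
    """G = I_n ⊗ g^T with g = (1, 2, ..., 2^{k-1}): an n x nk matrix."""
    return kron(identity(n), [[1 << l for l in range(K)]])

def g_inv(a):
    """G^{-1}: Z_q^n -> {0,1}^{nk}, the binary form of each entry, LSB first."""
    return [((x % Q) >> l) & 1 for x in a for l in range(K)]

def matvec_mod(Mx, v):
    return [sum(r * x for r, x in zip(row, v)) % Q for row in Mx]

def roundtrip_all(n):
    """Check G * G^{-1}(a) = a mod q for every a in Z_q^n."""
    G = gadget(n)
    vectors = [[]]
    for _ in range(n):
        vectors = [v + [x] for v in vectors for x in range(Q)]
    return all(matvec_mod(G, g_inv(a)) == a for a in vectors)

def g_inv_is_not_linear():
    """G^{-1} is not a matrix: G^{-1}(1 + 1) is not G^{-1}(1) + G^{-1}(1)."""
    a, b = [1], [1]
    summed = [(x + y) % Q for x, y in zip(a, b)]
    return g_inv(summed) != [x + y for x, y in zip(g_inv(a), g_inv(b))]

def tensor_facts_hold(A, B, C, D):
    """The three facts listed on the tensor product slide, for concrete matrices."""
    assoc = kron(kron(A, B), C) == kron(A, kron(B, C))
    trans = transpose(kron(A, B)) == kron(transpose(A), transpose(B))
    mixed = matmul(kron(A, B), kron(C, D)) == kron(matmul(A, C), matmul(B, D))
    return assoc and trans and mixed

# constructed sample matrices: A, C are 2x2; B is 2x3 and D is 3x2 so that AC and BD exist
SAMPLE = ([[1, 2], [3, 4]], [[1, 0, 2], [5, 1, 3]], [[2, 1], [0, 3]], [[1, 2], [3, 4], [5, 6]])

if __name__ == "__main__":
    print(gadget(2))
    print(g_inv([5, 3]), matvec_mod(gadget(2), g_inv([5, 3])))
```

For $n = 2$ and $q = 7$ the gadget is $G = \begin{bmatrix} 1 & 2 & 4 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 2 & 4 \end{bmatrix}$, and $G^{-1}((5, 3)) = (1, 0, 1, 1, 1, 0)$ recombines to $(5, 3)$; `roundtrip_all` verifies the identity for all $49$ vectors of $\mathbb{Z}_7^2$.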

Key-Homomorphic Encryption

You might have heard of Fully-Homomorphic Encryption, whose ciphertexts support operations that yield ciphertexts of other plaintexts.

We introduce another kind of encryption scheme, whose keys support operations that yield ciphertexts under other keys, called Key-Homomorphic Encryption (KHE).

We use it to instantiate Attribute-Based Encryption.

In this section, we talk about
• How to use KHE to construct the above
• How to construct KHE

The main work has been done by [BGG+14].

Key-Homomorphic Encryption

A KHE scheme can be defined by the following algorithms:
• Setup($1^n$) → (mpk, msk): Generate the master key pair.
• KeyGen(msk, $(y, f)$) → $sk_{y,f}$: Generate the secret key for $y$.
• Enc(mpk, $x$, $\mu$) → $c$: Encrypt the message $\mu$ with public key $x$ to ciphertext $c$.
• Eval(mpk, $f$, $c$) → $c_f$: Evaluate the ciphertext $c$ to $c_f$ according to function $f$.
• Dec($sk_y$, $c$): Decrypt the ciphertext $c$ with key $sk_y$.

Attribute-Based Encryption

Attribute-Based Encryption can be defined by the following algorithms:
• Setup($1^n$) → (mpk, msk): Generate the master key pair.
• KeyGen(msk, $f$) → $sk_f$: Output a secret key $sk_f$ according to function $f$.
• Enc(mpk, $x$, $\mu$) → $c_x$: Encrypt the message $\mu$ with attribute $x$ to ciphertext $c_x$.
• Dec($sk_f$, $c_x$): Decrypt $c_x$ to the plaintext $\mu$ if $f(x) = 0$.

Note that ABE.Dec is a merge of KHE.Eval and KHE.Dec, with the following modifications:
• Since we merge KHE.Eval and KHE.Dec, $sk$ has to indicate the function; denote it by $sk_{y,f}$.
• Since we only need $f(x) = 0$, we can always generate the key for $y = 0$.

ABE can be constructed from KHE.

Security of ABE

Since KHE serves ABE, we study the security of ABE and then figure out how to define the security of KHE. We study selective security, i.e. the adversary has to fix a challenge attribute before Setup.

An ABE for $\mathcal{F} = \{f : \mathcal{X} \to \mathcal{Y}\}$ from KHE:
• ABE.Setup($1^n$): Output $(\mathrm{mpk}, \mathrm{msk}) \leftarrow$ KHE.Setup($1^\lambda$).
• ABE.KeyGen(msk, $f$): Output $sk_{0,f} \leftarrow$ KHE.KeyGen(msk, $(0, f)$) as $sk_f$.
• ABE.Enc(mpk, $\mathbf{x} \in \mathcal{X}^\ell$, $\mu$): Output $(\mathbf{x}, c)$ where $c \leftarrow$ KHE.Enc(mpk, $\mathbf{x}$, $\mu$).
• ABE.Dec($sk_f$, $(\mathbf{x}, c)$): If $f(\mathbf{x}) = 0$, set $c_f =$ KHE.Eval($f$, $\mathbf{x}$, $c$) and output KHE.Dec($sk_{0,f}$, $c_f$). Otherwise, output $\perp$.

Security of ABE

Definition (Selective Security of ABE). An ABE scheme for function family $\mathcal{F}$ is selectively secure if for all PPT adversaries $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3)$, we have

$\mathrm{Adv} = |\Pr[\mathrm{EXP}_0 = 1] - \Pr[\mathrm{EXP}_1 = 1]| = \mathrm{negl}(n)$

where $\mathrm{EXP}_b$ is defined as follows:
1. $(x^*, s_1) \leftarrow \mathcal{A}_1(1^n)$
2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^n)$
3. $(\mu_0, \mu_1, s_2) \leftarrow \mathcal{A}_2^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot)}(\mathrm{mpk}, s_1)$
4. $c^* \leftarrow \mathrm{Enc}(\mathrm{mpk}, x^*, \mu_b)$
5. Output $b' \leftarrow \mathcal{A}_3^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot)}(c^*, s_2)$

where $\mathrm{KG}(\mathrm{msk}, x^*, \cdot)$ returns $sk_f \leftarrow \mathrm{KeyGen}(\mathrm{msk}, f)$ if $f(x^*) \neq 0$, and $\perp$ otherwise.

Security of KHE

Definition (Selective Security of KHE). A KHE scheme for function family $\mathcal{F}$ is selectively secure if for all PPT adversaries $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3)$, we have

$\mathrm{Adv} = |\Pr[\mathrm{EXP}_0 = 1] - \Pr[\mathrm{EXP}_1 = 1]| = \mathrm{negl}(n)$

where $\mathrm{EXP}_b$ is defined as follows:
1. $(x^*, s_1) \leftarrow \mathcal{A}_1(1^n)$
2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^n)$
3. $(\mu_0, \mu_1, s_2) \leftarrow \mathcal{A}_2^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot, \cdot)}(\mathrm{mpk}, s_1)$
4. $c^* \leftarrow \mathrm{Enc}(\mathrm{mpk}, x^*, \mu_b)$
5. Output $b' \leftarrow \mathcal{A}_3^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot, \cdot)}(c^*, s_2)$

where $\mathrm{KG}(\mathrm{msk}, x^*, \cdot, \cdot)$ returns $sk_{y,f} \leftarrow \mathrm{KeyGen}(\mathrm{msk}, (y, f))$ if $f(x^*) \neq y$, and $\perp$ otherwise.

Constructing KHE

Key-Homomorphic Encryption can be constructed by using our trapdoor delegation technique.

Notice that
• $B_f$ should be independent of $f(x)$.
• The error in (b) should be kept small.

Constructing KHE

To encrypt $m$ bits, we can set up as follows.

Setup($1^n$, $\ell$):
1. Generate a random lattice with basis: $(A, T_A) \leftarrow \mathrm{TrapGen}(1^n)$.
2. Choose $D, B_1, \cdots, B_\ell \leftarrow \mathbb{Z}_q^{n \times m}$.
3. Output

$\mathrm{mpk} = (A, D, B_1, \cdots, B_\ell)$, $\mathrm{msk} = (T_A, \mathrm{mpk})$

Our encoding of attribute $\mathbf{x}$ has the following form:

$H = [A|x_1 G + B_1| \cdots |x_\ell G + B_\ell]$

where $G$ is the gadget matrix. $H$ is the matrix we use for encryption.

Constructing KHE

The naive scheme.

“Enc”(mpk, $\mathbf{x}$, $\mu \in \{0,1\}^m$):
1. Make up $H$.
2. Sample a random error $e$.
3. Set $c = (H^T s + e,\ D^T s + e' + \lfloor q/2 \rceil \mu)$.
4. Output $(\mathbf{x}, c)$.

“KeyGen”(msk, $f$):
1. Output $B_f$ generated from $B_1, \cdots, B_\ell$.
2. Compute $y = f(\mathbf{x})$.
3. Make up $H_f = [A|f(\mathbf{x})G + B_f]$.
4. Use SampleRight to sample $R_{f(\mathbf{x})}$ s.t. $H_f R_{f(\mathbf{x})} = D$.

“Eval&Dec”(mpk, $sk_f$, $(\mathbf{x}, c)$):
1. If $y \neq f(\mathbf{x})$ output $\perp$.
2. Otherwise,
   2.1 Generate the ciphertext $c_f = (c_A, c_f', c_D)$ from $c$.
   2.2 Output $c_D - R_{f(\mathbf{x})}^T (c_A, c_f')$.

Constructing KHE

We show how to construct $B_f$ by showing how to construct addition, scaling and multiplication, with the following notions:

We have $e = c - s^T F = \text{small}$.

Constructing KHE

Addition. Set $c_{x+y}^T = c_x^T + c_y^T$ and $B_{1+2} = B_1 + B_2$; then

$c_{x+y}^T - s^T[(x+y)G + B_{1+2}] = e_x^T + e_y^T = \text{small}$

Scaling. For scaling by $\alpha$, we cannot simply multiply $c_x^T$ and $B_1$ by $\alpha$, since

$\alpha c_x^T - s^T[\alpha x G + \alpha B_1] = \alpha e_x^T = \text{nonsmall}$

Noticing that $G \cdot G^{-1}(\alpha G) = \alpha G$, we try to come up with an idea to control the noise:

$s^T(x(\alpha G) + B_{\alpha 1}) = e_{\alpha x}^T$

$s^T(xG \cdot G^{-1}(\alpha G) + B_{\alpha 1}) = e_{\alpha x}^T$

$s^T(xG \cdot R_\alpha + B_{\alpha 1}) = e_{\alpha x}^T$ where $R_\alpha = G^{-1}(\alpha G)$

$s^T(xGR_\alpha + B_1 R_\alpha) = e_{\alpha x}^T = e_x^T R_\alpha$

Constructing KHE

Multiplication. The technique for scaling doesn’t work here, since $\alpha$ is needed when computing $B_\alpha$. We wish to make up $s^T[xyG + B_{12}] + e_{xy}^T = c_{xy}^T$ from
• $s^T(xG + B_1) + e_x^T = c_x^T$
• $s^T(yG + B_2) + e_y^T = c_y^T$

Multiplying the 1st equation by $y$ gives

$s^T(xyG + yB_1) + y e_x^T = y c_x^T \quad (1)$

where $y e_x$ is small. Next we figure out how to remove $yB_1$ by using the 2nd equation. To remove $G$ from “$yG$”, we resort to $G^{-1}$ with $B_1$ inside it; we have

$s^T(yB_1 + B_2 G^{-1}(B_1)) + e_y^T G^{-1}(B_1) = c_y^T G^{-1}(B_1) \quad (2)$

Constructing KHE

Adding (1) and $-$(2), and writing $R_1 = G^{-1}(B_1)$, we have

$s^T(xyG \underbrace{- B_2 R_1}_{B_{12}}) + \underbrace{(y e_x^T - e_y^T R_1)}_{e_{xy}} = \underbrace{y c_x^T - c_y^T R_1}_{c_{xy}}$

which is exactly what we need.

We briefly list the error growth (set $\|e\| \le \delta$):
• Scaling: $\|e\| \to \|R^T e\| \le \sigma_R \|e\| \le m\delta$.
• $k$-Multiplication: for input bounded by $p$, the error is $\frac{p^k - 1}{p - 1} m\delta$.

Construct by Left, Prove by Right

To “Prove by Right”, we follow these steps in the intermediate games:
1. Receive the LWE challenge $[A|D]$ with $c_A, c_D$.
2. Receiving $x^*$ from $\mathcal{A}$, choose random $S_i^* \in \{\pm 1\}^{m \times m}$ and set $B_i = AS_i^* - x_i^* G$.
3. Receiving $\mu_0, \mu_1$ from $\mathcal{A}$, make up and send the ciphertext $c^*$ for $\mu_b$ to $\mathcal{A}$.
4. For any secret key query $f$, make up the magic $S_f$ s.t. $B_f = AS_f - f(x^*)G$, use SampleRight to sample $R_f$ and send the result to $\mathcal{A}$.
5. Output $\mathcal{A}$’s guess $b'$ of $b$.

To answer all KG(·) queries, the algorithm is able to give a trapdoor for all

$[A|yG + B_f] = [A|AS_f + (y - y^*)G]$

where $S_f$ is small and we can delegate $T_F$ with $T_G$.

We denote the above game with $b = i$ by $\mathrm{Game}_1^{(i)}$.

Construct by Left, Prove by Right

Notice that:
• $AS_x - xG = B_1$
• $AS_y - yG = B_2$

Addition. Since $B_{1+2} = B_1 + B_2$, we have

$A(S_x + S_y) - (x+y)G = B_{1+2}$

Thus $S_{x+y}$ is set to $S_x + S_y$.

Scaling. Since $B_{\alpha 1} = B_1 R_\alpha$, we have

$AS_{\alpha x} - B_{\alpha 1} = AS_x R_\alpha - B_1 R_\alpha$

Thus $S_{\alpha x} = S_x R_\alpha$.

Multiplication. Since $B_{12} = -B_2 R_1$, we have

$AS_{xy} - B_2 R_1 = (AS_y R_1 - B_2 R_1)$

Thus $S_{xy} = S_y R_1$.

Note. $S_{x+y}$, $S_{\alpha x}$ and $S_{xy}$ are small. For $k$-multiplication with input bounded by $p$, $\|S_\times\|$ is bounded by $\frac{p^k - 1}{p - 1} m \max\{\|S_i\|\}$.
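The Python below is an added example, not code from the slides or from [BGG+14], covering both the ciphertext-side evaluation of the addition, scaling and multiplication slides (Eval_ct together with Eval_pk) and the simulator side of this slide (Eval_sim). Parameters ($q = 2^{16}$, $n = 2$, $m = nk$), the secret $s$, the matrices $A$, $S_i$ and the $\{-1, 0, 1\}$ errors are constructed; the $B_i$ are formed as $AS_i - x_iG$ so that the same instance serves both the real encodings and the simulator. One assumption to flag: for multiplication the code uses $S_{xy} = yS_x - S_yR_1$, which is what $AS_{xy} - xyG = -B_2R_1$ requires once $AS_x = B_1 + xG$ and $AS_y = B_2 + yG$; the assertion `sim_ok` checks exactly that relation.

```python
import random

Q = 1 << 16              # toy modulus q = 2^16 (constructed parameters)
K = 16                   # k = log2 q bits per Z_q entry
N_DIM = 2                # lattice dimension n
M = N_DIM * K            # m = nk, so G is n x m and G^{-1}(.) is m x m
rng = random.Random(14)

def matmul(X, Y):
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def matadd(X, Y, sign=1):
    return [[(a + sign * b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def scale(alpha, X):
    return [[(alpha * a) % Q for a in row] for row in X]

def rand_matrix(rows, cols, values=None):
    return [[rng.choice(values) if values else rng.randrange(Q) for _ in range(cols)]
            for _ in range(rows)]

# gadget matrix G = I_n ⊗ g^T with g = (1, 2, ..., 2^{k-1})
G = [[(1 << (j - i * K)) if i * K <= j < (i + 1) * K else 0 for j in range(M)]
     for i in range(N_DIM)]

def g_inv(B):
    """G^{-1}(B): bit-decompose every column of B (n rows) into a {0,1} column of
    length nk, so that G * g_inv(B) = B mod q."""
    cols = len(B[0])
    R = [[0] * cols for _ in range(M)]
    for j in range(cols):
        for i in range(N_DIM):
            for l in range(K):
                R[i * K + l][j] = ((B[i][j] % Q) >> l) & 1
    return R

def centered(x):
    x %= Q
    return x - Q if x > Q // 2 else x

def encode(s, x, B):
    """Real encoding of attribute value x under B: c^T = s^T (x G + B) + e^T, e in {-1,0,1}^m."""
    c = matmul([s], matadd(scale(x, G), B))[0]
    return [(ci + rng.choice([-1, 0, 1])) % Q for ci in c]

def error_of(c, s, fx, B):
    """max |c^T - s^T (f(x) G + B)| over the coordinates, as centred residues mod q."""
    target = matmul([s], matadd(scale(fx, G), B))[0]
    return max(abs(centered(ci - ti)) for ci, ti in zip(c, target))

# Eval_ct together with Eval_pk: each returns the new encoding c_f and the new matrix B_f
def eval_add(cx, Bx, cy, By):
    return [(a + b) % Q for a, b in zip(cx, cy)], matadd(Bx, By)

def eval_scale(alpha, cx, Bx):
    R = g_inv(scale(alpha, G))                    # R_alpha = G^{-1}(alpha G)
    return matmul([cx], R)[0], matmul(Bx, R)      # c_x R_alpha, B_1 R_alpha

def eval_mul(cx, Bx, y, cy, By):
    R1 = g_inv(Bx)                                # R_1 = G^{-1}(B_1)
    cyR = matmul([cy], R1)[0]
    c = [(y * a - b) % Q for a, b in zip(cx, cyR)]   # c_xy = y c_x - c_y R_1
    return c, scale(-1, matmul(By, R1))           # B_12 = -B_2 R_1

# Eval_sim: from B_i = A S_i - x_i G, keep A S_f - f(x) G = B_f
def sim_add(Sx, Sy):
    return matadd(Sx, Sy)                         # S_{x+y} = S_x + S_y

def sim_scale(alpha, Sx):
    return matmul(Sx, g_inv(scale(alpha, G)))     # S_{alpha x} = S_x R_alpha

def sim_mul(Sx, Bx, y, Sy):
    # S_xy = y S_x - S_y R_1 (assumption stated in the lead-in): this is what
    # A S_xy - xy G = -B_2 R_1 requires once A S_x = B_1 + x G and A S_y = B_2 + y G
    return matadd(scale(y, Sx), matmul(Sy, g_inv(Bx)), sign=-1)

def sim_ok(A, S, fx, B):
    return matadd(matmul(A, S), scale(fx, G), sign=-1) == B

def run_example():
    """Constructed instance with x = y = 1 and B_i = A S_i - x_i G, so the same B_i feed
    both the real encodings and the simulator; evaluates the function (x + y) * (2x)."""
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    A = rand_matrix(N_DIM, M)
    x, y = 1, 1
    Sx, Sy = rand_matrix(M, M, [-1, 1]), rand_matrix(M, M, [-1, 1])
    Bx = matadd(matmul(A, Sx), scale(x, G), sign=-1)
    By = matadd(matmul(A, Sy), scale(y, G), sign=-1)
    cx, cy = encode(s, x, Bx), encode(s, y, By)
    c1, B1 = eval_add(cx, Bx, cy, By)
    S1, v1 = sim_add(Sx, Sy), x + y
    c2, B2 = eval_scale(2, cx, Bx)
    S2, v2 = sim_scale(2, Sx), 2 * x
    c3, B3 = eval_mul(c1, B1, v2, c2, B2)
    S3, v3 = sim_mul(S1, B1, v2, S2), v1 * v2
    return {
        "fresh_error": max(error_of(cx, s, x, Bx), error_of(cy, s, y, By)),
        "add_error": error_of(c1, s, v1, B1),
        "scale_error": error_of(c2, s, v2, B2),
        "mul_error": error_of(c3, s, v3, B3),
        "sim_ok": sim_ok(A, S1, v1, B1) and sim_ok(A, S2, v2, B2) and sim_ok(A, S3, v3, B3),
        "value": v3,
    }

if __name__ == "__main__":
    print(run_example())
```

The reported errors follow the growth listed on the previous slide: a fresh error of at most $1$, at most $2$ after addition, at most $m$ after scaling (the binary $R_\alpha$ sums up to $m$ error terms), and at most $y\cdot 2 + m \cdot m$ after the multiplication, all far below $q/4$ for these parameters.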

Construct by Left, Prove by Right

Notice the last step of the reduction:

Receiving $\mu_0, \mu_1$ from $\mathcal{A}$, make up and send the ciphertext $c^*$ for $\mu_b$ to $\mathcal{A}$.

But how can we make up $c^*$ without $s$? This can be done by adding carefully prepared noise to $x_i^* G + B_i$. In the simulation,

$s^T(x_i^* G + B_i) + e_i^T = s^T(AS_i^*) + e_i^T$

If we set $e_i^T = e_A^T S_i^*$, we have

$s^T(x_i^* G + B_i) + e_i^T = (s^T A + e_A^T) S_i^*$

Then we can make up the ciphertext without $s$ in the simulation. Of course, to make the simulation work, the error in the real scheme has to be the same.

A Small Conclusion

For a function family $\mathcal{F}$, $\{B_i\}_{i \in [\ell]} \in (\mathbb{Z}_q^{n \times m})^\ell$, $\mathbf{x}, \mathbf{x}^* \in \{0,1\}^\ell$, $\{c_i\}_{i \in [\ell]} \in (\mathbb{Z}_q^n)^\ell$, $\{S_i^*\}_{i \in [\ell]}$ and $A \in \mathbb{Z}_q^{n \times m}$, we now have:
• $\mathrm{Eval}_{pk}(f \in \mathcal{F}, \{B_i\}_{i \in [\ell]}) \to B_f \in \mathbb{Z}_q^{n \times m}$.
• $\mathrm{Eval}_{ct}(f \in \mathcal{F}, \mathbf{x}, \{B_i, c_i\}_{i \in [\ell]}) \to c_f \in \mathbb{Z}_q^m$ s.t.
  $c_f^T - s^T(f(\mathbf{x})G + B_f) = \text{small}$.
• $\mathrm{Eval}_{sim}(f \in \mathcal{F}, \mathbf{x}^*, \{S_i^*\}_{i \in [\ell]}, A) \to S_f \in \mathbb{Z}_q^{m \times m}$ s.t.
  $AS_f - f(\mathbf{x}^*)G = B_f$ for $B_f = \mathrm{Eval}_{pk}(f, \{AS_i - x_i^* G\}_{i \in [\ell]})$.

The Whole Scheme

We now list the whole KHE scheme:
• Setup($1^n$, $\ell$): Run $(A, T_A) \leftarrow \mathrm{TrapGen}(1^n)$, choose $D, B_1, \cdots, B_\ell \leftarrow \mathbb{Z}_q^{n \times m}$, and output
  $\mathrm{mpk} = (A, D, B_1, \cdots, B_\ell)$, $\mathrm{msk} = (T_A, \mathrm{mpk})$
• KeyGen(msk, $(y, f)$) → $sk_{y,f}$: Compute $B_f = \mathrm{Eval}_{pk}(f, B_1, \cdots, B_\ell)$. Sample $R_f$ s.t. $[A|yG + B_f]R_f = D$. Output $sk_{y,f} = (f, R_f)$.
• Enc(mpk, $\mathbf{x}$, $\mu$): Choose $s \leftarrow \mathbb{Z}_q^n$ and $e_0^T, e_1^T \leftarrow \chi^m$. Choose $S_i \leftarrow \{\pm 1\}^{m \times m}$ for all $i \in [\ell]$, and set
  $H = [A|x_1 G + B_1| \cdots |x_\ell G + B_\ell]$
  $e^T = e_0^T [I_m | S_1 | \cdots | S_\ell]$
  Compute $c_{\mathbf{x}}^T = (s^T H + e^T,\ s^T D + e_1^T + \lfloor q/2 \rceil \mu^T)$. Output $(\mathbf{x}, g, c)$.

The Whole Scheme

• Dec($sk_{y,f} = (f, R_f)$, $(\mathbf{x}, g, c)$): If $y \neq x$ or $f \neq g$, output $\perp$. Otherwise, set $c_f = \mathrm{Eval}_{ct}(f, \mathbf{x}, \{B_i, c_i\}_{i \in [\ell]})$ and output $\mathrm{Round}(c_D - [c_A^T | c_f'^T] R_f)$.

Please complete the proof of security by yourself.

Learn by Yourself

1. Complete the security proof with a hybrid argument. Denote the real game of KHE with $b = i$ by $\mathrm{Game}_0^{(i)}$, and denote by $\mathrm{Game}_2^{(i)}$ the game that changes $c^*$ in $\mathrm{Game}_1^{(i)}$ to the uniform distribution.
   1.1 Prove that $\mathrm{Game}_0^{(i)}$ and $\mathrm{Game}_1^{(i)}$ are statistically indistinguishable.
   1.2 Prove that $\mathrm{Game}_1^{(i)}$ and $\mathrm{Game}_2^{(i)}$ are computationally indistinguishable; otherwise there is an efficient program that invokes an LWE distinguisher that distinguishes the two games with non-negligible probability.
   1.3 Prove that $\mathrm{Game}_2^{(0)}$ and $\mathrm{Game}_2^{(1)}$ are statistically indistinguishable.
2. Analyze the circuit depth that can be handled by this scheme.

Section 3

Fully-Homomorphic Encryption I — GSW13 Scheme

Homomorphic Encryption

Homomorphic Encryption is a category of encryption schemes in which operations can be done on ciphertexts, s.t.
• The operations on ciphertexts generate new ciphertexts.
• The encryption function is a homomorphism from the plaintext space to the ciphertext space.
• The operations on ciphertexts reveal nothing about the plaintext.

For Fully Homomorphic Encryption, we require that any operation can be done on ciphertexts an arbitrary number of times.

Fully Homomorphic Encryption

A Fully Homomorphic Encryption scheme is a tuple of PPT algorithms:
• KeyGen($1^n$) → (pk, sk, evk): Output the public key pk, private key sk and evaluation key evk.
• Enc(pk, $\mu$) → $c$: Encrypt the message $\mu$ to its ciphertext $c$ with public key pk.
• Eval(evk, $f$, $\{c_i\}_{i \in [\ell]}$) → $c_f$: For any function $f$ that takes $\ell$ inputs, homomorphically evaluate the $\ell$ ciphertexts $\{c_i\}_{i \in [\ell]}$ to a homomorphic ciphertext $c_f$ with the evaluation key evk.
• Dec(sk, $c$) → $\mu$: Decrypt the ciphertext $c$ to plaintext $\mu$ with secret key sk.

In some FHE schemes evk = pk; we call a scheme s.t. evk = sk = pk a symmetric FHE scheme.

Fully Homomorphic Encryption

Correctness. Also called “homomorphicality”, it requires that

$\Pr\left[ \mathrm{Dec}(sk, c_f) \neq f(\mu_1, \cdots, \mu_\ell) : \begin{array}{l} \mathrm{KeyGen}(1^n) \to (pk, sk, evk) \\ \{\mathrm{Enc}(pk, \mu_i) \to c_i\}_{i \in [\ell]} \\ \mathrm{Eval}(evk, f, \{c_i\}_{i \in [\ell]}) \to c_f \end{array} \right] = \mathrm{negl}(n).$

Compactness. FHE often requires compactness of ciphertexts, which says the length of the evaluated ciphertext $c_f$ is independent of the evaluated function $f$ and of the number $\ell$ of inputs.

We move on to build an FHE for circuits of logarithmic depth (which is called a somewhat HE, SWHE), and bootstrap it into an FHE scheme.

Eigenvalues are Homomorphic!

The intuition of GSW is simple: encrypt the message as an eigenvalue of a matrix!

Let $v$ be an eigenvector of $C_1, C_2$ with eigenvalues $\mu_1, \mu_2$ respectively; then
• $(C_1 + C_2)v = C_1 v + C_2 v = (\mu_1 + \mu_2)v$.
• $(C_1 \cdot C_2)v = \mu_2 C_1 v = \mu_1 \mu_2 v$.

That’s FH... but not E. Given $C_1$, the $v$ can be efficiently worked out.

The solution is to add some noise to the matrix, so that

$C_i v = \mu_i v + e$

where $e$ is small. Then the decryption can be done by rounding.

To encrypt $\mu_i$ to $C_i$, we can find some $C_0$ s.t. $C_0 v = 0$ and set $C_i = C_0 + \mu_i I$.

Eigenvalues are Homomorphic!

We check the homomorphism again:
• $(C_1 + C_2)v = C_1 v + C_2 v = (\mu_1 + \mu_2)v + (e_1 + e_2)$.
• $(C_1 \cdot C_2)v = C_1(\mu_2 v + e_2) = \mu_2(\mu_1 v + e_1) + C_1 e_2 = \mu_1 \mu_2 v + C_1 e_2 + \mu_2 e_1$.

The homomorphism still holds iff $C_1$ is small. Thus we focus on:
• Finding a secure enough error that keeps $v$ secret.
• Figuring out a way to control the noise.

The 1st goal can be interpreted as
• Find a secure enough $C_0$ s.t. $C_0 v = e$.

Resort to Lattice

Recall our LWE form:

Can we translate it into $C_0$?

Resort to Lattice

YES! If we recall our new friend $G^{-1}$.

To keep the product 0, we do as follows:

Working out $v$ is as hard as working out $s$.

Introduce Randomness

If we sample LWE $(A^T, b)$ and encrypt $\mu$ to

$\mu I + G^{-1}(A^T)$

then the encryption is deterministic. To introduce randomness, we add an $R \in \{0,1\}^{N \times m}$ and encrypt $\mu I$ with $G^{-1}(RA^T)$; we have

$G^{-1}(RA^T)(s \otimes g) = RA^T s = Re = e'$

which is still small.

KeyGen and Encryption

We now formalize the KeyGen and Enc of the FHE.
• Setup(· · · ) → pp: Given the security parameter and some other parameters, output the public parameter pp shared by the other algorithms. Output $v = s \otimes g$.
• SecretKeyGen(pp): Sample a knapsack LWE instance secret vector $s = (t, -1)$, where $t \leftarrow \mathbb{Z}_q^n$.
• PublicKeyGen(pp): Sample a knapsack LWE instance $A^T$ s.t. $A^T s = e$ for small $e$.
• Enc′(pp, pk = $A^T$, $\mu$): Sample $R \leftarrow \{0,1\}^{N \times m}$, and output $C' = \mu I_N + G^{-1}(RA^T)$.
• Dec(pp, sk = $v$, $C$): Let $v = (v^{(1)}, \cdots, v^{(\ell)})$ and let $C_i$ be the $i$-th row of $C$. For $v^{(i)} \in (q/4, q/2)$, decrypt to $\lfloor \langle C_i, v \rangle / v^{(i)} \rceil$.

Note. To make $C$ square, we set $N = n \lceil \log q \rceil$.

Noise Control

For $\mu \in \mathbb{Z}_q$, $C' = \mu I_N + G^{-1}(RA^T)$ is not small. For the binary form of an integer with a non-binary bit, can we flatten it?

This can be done by letting

$\mathrm{Flatten}(a) = G^{-1}(Ga)$

Thus, we have
• Enc(pp, pk = $A^T$, $\mu$): Sample $R \leftarrow \{0,1\}^{N \times m}$, and output

$C = \mathrm{Flatten}(\mu I_N + G^{-1}(RA^T))$

Noise Control

In evaluation, small matrices $C_1, C_2$ might make a big $C_1 \cdot C_2$. So we Flatten the result after every operation. Thus we have Eval, for two ciphertexts $C_1, C_2$:
• Addition. Output $\mathrm{Flatten}(C_1 + C_2)$.
• Multiplication. Output $\mathrm{Flatten}(C_1 C_2)$.

For multiplication, let $C_i$ be fresh ciphertexts with noise upper bounded by $B$. In a multiplication gate, we have

$C_1 C_2 v = \mu_1 \mu_2 v + C_1 e_2 + \mu_2 e_1$

so the noise is approximately $(N+1)B$. Thus for a depth-$L$ circuit, the noise goes up to $(N+1)^{2L} B$. Since we can only set $q$ to $2^{\mathrm{poly}(n)}$, we can only evaluate polylog-depth circuits.
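The following Python is an added example, not code from the slides or from the GSW paper, implementing the eigenvalue scheme of the last eight slides end to end: the secret $v = s \otimes g$ with $s = (t, -1)$, a knapsack-LWE public key with $A^T s$ small, $\mathrm{Enc}(\mu) = \mathrm{Flatten}(\mu I_N + G^{-1}(RA^T))$, Flatten after each addition and multiplication, and a noise measurement of $Cv - \mu v$. The parameters ($q = 2^{20}$, one-entry $t$, $m = 8$ samples) and the way the LWE instance is formed ($A^T = [B \mid Bt + e]$, so $A^T s = -e$) are constructed assumptions; decryption reads a single bit by testing whether the centred $\langle C_i, v\rangle$ exceeds $q/4$ at the row with $v^{(i)} = q/2$, which is the one-bit case of the rounding rule on the KeyGen slide.

```python
import random

Q = 1 << 20                  # toy modulus q = 2^20 (constructed parameters)
K = 20                       # bits per Z_q entry
N_T = 1                      # length of t; the secret s = (t, -1) has N_T + 1 entries
N = (N_T + 1) * K            # N = (n+1) log q: ciphertexts are N x N
M = 8                        # number of LWE samples (rows of A^T)
rng = random.Random(3)

def g_inv_vec(a):
    """G^{-1} on a vector in Z_q^{n+1}: bits of each entry, LSB first, concatenated."""
    return [((x % Q) >> l) & 1 for x in a for l in range(K)]

def g_vec(row):
    """G * row for G = I ⊗ g^T: recombine each block of K entries with weights 1, 2, 4, ..."""
    return [sum(row[j * K + l] << l for l in range(K)) % Q for j in range(N_T + 1)]

def flatten(C):
    """Flatten(a) = G^{-1}(G a) per row: entries become bits while <C_i, v> is unchanged."""
    return [g_inv_vec(g_vec(row)) for row in C]

def centered(x):
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    """Secret v = s ⊗ g for s = (t, -1); public A^T = [B | B t + e] so that A^T s = -e is small
    (constructed knapsack-LWE instance, e in {-1, 0, 1}^M)."""
    t = [rng.randrange(Q) for _ in range(N_T)]
    s = t + [Q - 1]
    v = [sj * (1 << l) % Q for sj in s for l in range(K)]
    AT = []
    for _ in range(M):
        b = [rng.randrange(Q) for _ in range(N_T)]
        e_r = rng.choice([-1, 0, 1])
        AT.append(b + [(sum(bi * ti for bi, ti in zip(b, t)) + e_r) % Q])
    return AT, v

def encrypt(AT, mu):
    """C = Flatten(mu I_N + G^{-1}(R A^T)) with a fresh R in {0,1}^{N x M}."""
    C = []
    for i in range(N):
        R_i = [rng.randrange(2) for _ in range(M)]
        RAT_i = [sum(R_i[r] * AT[r][j] for r in range(M)) % Q for j in range(N_T + 1)]
        row = g_inv_vec(RAT_i)
        row[i] += mu
        C.append(row)
    return flatten(C)

def apply(C, v):
    return [sum(cij * vj for cij, vj in zip(row, v)) % Q for row in C]

def noise(C, v, mu):
    """max |C v - mu v| as centred residues: the e in C v = mu v + e."""
    return max(abs(centered(cv - mu * vi)) for cv, vi in zip(apply(C, v), v))

def decrypt(C, v):
    """Row i = N - 1 has v_i = -2^{K-1} mod q = q/2; the bit is 1 iff |<C_i, v>| > q/4."""
    i = N - 1
    return 1 if abs(centered(sum(cij * vj for cij, vj in zip(C[i], v)))) > Q // 4 else 0

def add(C1, C2):
    return flatten([[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)])

def mul(C1, C2):
    return flatten([[sum(C1[i][l] * C2[l][j] for l in range(N)) for j in range(N)]
                    for i in range(N)])

def demo():
    """Encrypt bits, decrypt, and run homomorphic add/mul with noise measurements."""
    AT, v = keygen()
    c0, c1 = encrypt(AT, 0), encrypt(AT, 1)
    p = mul(c1, c1)
    return {
        "dec": (decrypt(c0, v), decrypt(c1, v)),
        "fresh_noise": noise(c1, v, 1),
        "add": (decrypt(add(c0, c1), v), decrypt(add(c1, c1), v)),
        "mul": (decrypt(p, v), decrypt(mul(c1, c0), v), decrypt(mul(p, c1), v)),
        "mul_noise": noise(p, v, 1),
    }

if __name__ == "__main__":
    print(demo())
```

With bits as messages, $1 + 1$ decrypts to $0$ (the eigenvalue $2$ lands on $2 \cdot q/2 \equiv 0$ at the decoding row), and the measured noise after one multiplication stays within the $(N+1)B$ bound from the slide: a fresh ciphertext has $|e| \le m$, and $C_1 e_2 + \mu_2 e_1$ adds at most $N$ more copies of it.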

Bootstrapping

A SWHE scheme can complete itself to make an FHE scheme.

Fact. The GSW decryption algorithm has complexity Size($\log n$). Thus, we can use Eval to evaluate Dec with the encryption of the secret key.

Bootstrapping

We evaluate polynomial-depth circuits by the following:

Which gives us an FHE.

Security

Viewing evk as part of pk, FHE shares the IND-CPA security notion with PKE or SKE. Please prove the security of GSW by yourself by reducing from the LWE assumption with appropriate parameters.

FHE has no CCA security. For the challenge ciphertext $c^*$ of $\mu^*$, the adversary could encrypt 0 to $c_0$ and ask the challenger to decrypt $c^* + c_0$, which decrypts to $\mu^*$ for her.

Circular Security

Let PKE = (KeyGen, Enc, Dec) be an IND-CPA secure PKE scheme. We define another PKE scheme PKE2 = (KeyGen2, Enc2, Dec2):
• KeyGen2($1^n$): Output KeyGen($1^n$) → (pk, sk).
• Enc2(pk, $\mu$): If $\mu \neq sk$, output Enc(pk, $\mu$); otherwise output sk.
• Dec2(sk, $c$): If $c \neq sk$, output Dec(sk, $c$); otherwise output sk.

Then given an encryption of sk, one can instantly figure out sk. We say PKE2 has no circular security. Notice that PKE2 is still secure in the IND-CPA sense. If PKE2 is our FHE, then we leak all our information when bootstrapping. Thus the security of GSW has to be based on the circular security assumption.

GSW*

Notice that our ciphertext $C = G^{-1}(RA^T) + \mu I_N$ can be recorded as

$CG = (G^{-1}(RA^T) + \mu I_N)G = RA^T + \mu G$

Multiplication.
• GSW: $C_1 C_2 = (G^{-1}(R_1 A^T) + \mu_1 I_N)(G^{-1}(R_2 A^T) + \mu_2 I_N)$
• GSW*: $G^{-1}(C_1 G) G^{-1}(C_2 G) G = G^{-1}(C_1 G)(C_2 G) = G^{-1}(R_1 A^T + \mu_1 G)(R_2 A^T + \mu_2 G)$.

Section 4

Fully-Homomorphic Encryption II — BGV12 Scheme

Circular Security

Notice that GSW needs circular security. In this section, we introduce an “FHE” scheme that
• can evaluate arbitrary polynomial circuits;
• needs no circular security.

The “FHE” is in fact a leveled FHE, for which we have to promise in the setup phase a depth $L$ that we never exceed during evaluation.

Leveled FHE

A Leveled FHE can be described by the following algorithms:
• Setup($1^n$, $1^L$) → pp: Given the security parameter $n$ and depth $L$, output the public parameter pp shared by the other algorithms.
• KeyGen(pp) → (pk, sk, evk): Output the public key pk, private key sk and evaluation key evk.
• Enc(pp, pk, $\mu$) → $c$: Encrypt the message $\mu$ to its ciphertext $c$ with public key pk.
• Eval(evk, $f$, $\{c_i\}_{i \in [\ell]}$) → $c_f$: For a function $f$ of depth less than $L$ that takes $\ell$ inputs, homomorphically evaluate the $\ell$ ciphertexts $\{c_i\}_{i \in [\ell]}$ to a homomorphic ciphertext $c_f$ with the evaluation key evk.
• Dec(sk, $c$) → $\mu$: Decrypt the ciphertext $c$ to plaintext $\mu$ with secret key sk.

Section 5

Predicate Encryption — GVW15

ABE and PE

We’ve defined ABE with the following algorithms:
• Setup($1^n$) → (mpk, msk): Generate the master key pair.
• KeyGen(msk, $f$) → $sk_f$: Output a secret key $sk_f$ according to function $f$.
• Enc(mpk, $x$, $\mu$) → $c_x$: Encrypt the message $\mu$ with attribute $x$ to ciphertext $c_x$.
• Dec($sk_f$, $c_x$): Decrypt $c_x$ to the plaintext $\mu$ if $f(x) = 0$.

This is also the description of Predicate Encryption (PE)! However,
• In ABE, we protect the encrypted message $\mu$, but do not care about the secrecy of the attribute $x$.
• In PE, we care about the secrecy of both $\mu$ and $x$.

Partially Hiding PE

Constructing PE directly is hard. Thus we loosen its definition to partially hiding PE (PHPE).
• Setup($1^n$, $\mathcal{X}$, $\mathcal{Y}$, $\mathcal{F}$, $\mathcal{M}$) → (mpk, msk): Generate the master key pair.
• KeyGen(msk, $f \in \mathcal{F}$) → $sk_f$: Output a secret key $sk_f$ according to function $f$.
• Enc(mpk, $(x, y) \in \mathcal{X} \times \mathcal{Y}$, $\mu \in \mathcal{M}$) → $c_y$: Encrypt the message $\mu$ with attribute $(x, y)$ to ciphertext $c_y$.
• Dec($sk_f$, $(c_x, y)$): Decrypt to the plaintext $\mu$ if $f(x, y) = 0$.

In PHPE, every ciphertext has 2 attributes $x$ and $y$; we only protect the secrecy of $x$.

Security

We define the sim-based attribute hiding (SIM-AH) property.

Real Exp
1. $(x, y) \leftarrow \mathcal{A}(1^n, \mathcal{X}, \mathcal{Y}, \mathcal{C}, \mathcal{M})$
2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^n, \mathcal{X}, \mathcal{Y}, \mathcal{C}, \mathcal{M})$
3. $\mu \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(\mathrm{mpk})$
4. $c_y \leftarrow \mathrm{Enc}(\mathrm{mpk}, (x, y), \mu)$
5. $\alpha \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(c_y)$
6. Output $\mathrm{EXP}_{\mathrm{real}}(x, y, \mu, \alpha)$

Ideal Exp
1. $(x, y) \leftarrow \mathcal{A}(1^n, \mathcal{X}, \mathcal{Y}, \mathcal{C}, \mathcal{M})$
2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^n, \mathcal{X}, \mathcal{Y}, \mathcal{C}, \mathcal{M})$
3. $\mu \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(\mathrm{mpk})$
4. $c_y \leftarrow \mathcal{S}(\mathrm{mpk}, y, 1^{|x|}, 1^{|\mu|})$
5. $\alpha \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(c_y)$
6. Output $\mathrm{EXP}_{\mathrm{ideal}}(x, y, \mu, \alpha)$

Admissible $\mathcal{A}$: those $\mathcal{A}$ that never query $C \in \mathcal{C}$ s.t. $C(x, y) = 0$.

PHPE is SIM-AH secure if for any admissible PPT $\mathcal{A}$, there is a PPT $\mathcal{S}$ s.t. $\mathrm{EXP}_{\mathrm{real}} \approx_c \mathrm{EXP}_{\mathrm{ideal}}$.

Security

Notice that in the security definition:
• A non-admissible $\mathcal{A}$ can query for $C$ s.t. $C(x, y) = 1$ to decrypt $c_y$ in $\mathrm{EXP}_{\mathrm{real}}$, but gains nothing about $\mu$ in $\mathrm{EXP}_{\mathrm{ideal}}$.
• Sim-based security is stronger than indistinguishability-based security (IND-AH).
• The security is weaker than IND-SAH, where the adversary can be non-admissible.

Recall the KHE-based ABE

Multiplication. We make up $s^T[xyG + B_{12}] + e_{xy}^T = c_{xy}^T$ from
• $s^T(xG + B_1) + e_x^T = c_x^T$
• $s^T(yG + B_2) + e_y^T = c_y^T$

We have

$s^T(xyG \underbrace{- B_2 R_1}_{B_{12}}) + \underbrace{(y e_x^T - e_y^T R_1)}_{e_{xy}} = \underbrace{y c_x^T - c_y^T R_1}_{c_{xy}}$

The computation of $c_{xy}$ needs no information about $x$. Thus we can construct PHPE for circuits of the form $C \circ \mathrm{IP}$ s.t.

$C \circ \mathrm{IP}(\mathbf{x}, \mathbf{y}) = \langle \mathbf{x}, C(\mathbf{y}) \rangle$

where $C$ is an arbitrary polynomial-size circuit with output length $|\mathbf{x}|$.

Bibliography

[ABB10] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In Henri Gilbert, editor, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings, volume 6110 of Lecture Notes in Computer Science, pages 553–572. Springer, 2010.

[BGG+14] Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, and Dhinakaran Vinayagamurthy. Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, pages 533–556. Springer, 2014.

[Boy10] Xavier Boyen. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings, volume 6056 of Lecture Notes in Computer Science, pages 499–517. Springer, 2010.

[CHKP10] David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. In Henri Gilbert, editor, Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings, volume 6110 of Lecture Notes in Computer Science, pages 523–552. Springer, 2010.

[MG02] Daniele Micciancio and Shafi Goldwasser. Complexity of lattice problems - a cryptographic perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Springer, 2002.

[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, volume 7237 of Lecture Notes in Computer Science, pages 700–718. Springer, 2012.


The End

Thank You!