FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ...

More documents

Recommendations

Info

SWHE over Cyclotomic Rings [Brakerski-Vaikuntanathan ‘11] Main Idea Encryptions of 0 have a small and even (smeven) dot product with the secret key. � KeyGen: Secret = some point s 2 R q = Zq[x]/Ф q N(x). N gcd(q,2)=1. d m is an R-element with coefficients in {0,1}. m is φ(N) bits, big!!! Public key: Linear polys ai(y) = ai0+ai1y 2 R[y] s.t. ai(s)=2ei mod q, where ei is an element of R with small coefficients: |ei| ¿ q. � Encrypt: From {a i}, generate a random linear polynomial b(y) such that b(s) = smeven mod q (via subset sum). For m in R 2, ciphertext is: c(y) = m + b(y) mod q (a linear polynomial). � Decrypt: Evaluate ciphertext at secret key: c(y) = c 0+c 1s = m+smeven mod q. Reduce mod 2. � ADD and MULT: Output sum or product of ciphertexts. Relinearize.
Security of SWHE over Cyclotomic Rings � The Ring Learning-with-Errors (RLWE) Problem � Let B ¿ q. Choose s randomly from Rq. Given many (linear) polynomials ai(y) = ai0+ai1·y 2 R[y] such that ai(s) = ei (an Rq-element whose coefficients are smaller than B) output s. � How hard is the RLWE Problem? � [LPR10]: As hard as solving the (q/B)-approximate shortest vector problem (SVP) on ideal lattices in R. � As q/B increases, RLWE becomes easier (unless n grows). � For B ~ poly(k), best known attacks for require 2 k time when n (the ring dimension) ~ k log(q/B).
Page 1 and 2: FULLY HOMOMORPHIC ENCRYPTION: CURRE
Page 3 and 4: Homomorphic Encryption “Somewhat
Page 5 and 6: Fully Homomorphic Encryption: Curre
Page 7 and 8: Somewhat Homomorphic Encryption wit
Page 9 and 10: How To Construct a SWHE Scheme? Mos
Page 11 and 12: Polly Cracker Cryptanalysis [see AF
Page 13 and 14: Noisy Polly Cracker: A Framework fo
Page 15 and 16: SWHE with Integers [vDGHV10] Main I
Page 17 and 18: Encrypting More than Bits � So fa
Page 19 and 20: SWHE with Integers (Mod-15) Divisib
Page 21: Cyclotomic Ring R = Z[x]/Ф N(x)
Page 25 and 26: Managing Ciphertext Noise
Page 27 and 28: Better Noise Management? � Crazy
Page 29 and 30: How Does Modulus Switching Help? [B
Page 31 and 32: Where Are We? (The Good News) � W
Page 33 and 34: Packing Plaintexts into Ciphertexts
Page 35 and 36: Our Weird Cyclotomic Plaintext Spac
Page 37 and 38: SIMD (Single Instruction Multiple D
Page 39 and 40: SIMD (Single Instruction Multiple D
Page 41 and 42: A Taste of Cyclotomic Rings � Cho
Page 43 and 44: What Is Our Overhead Now? � A cip
Page 45 and 46: AES (Advanced Encryption Standard)
Page 47 and 48: The Inversion Step of AES � For m
Page 49 and 50: Parameter Sizes L (levels) N n = φ
Page 51 and 52: Bootstrapping
Page 53 and 54: Bootstrapping: What Is It? � So f
Page 55 and 56: Bootstrapping in [BGV12] � Set L
Page 57 and 58: Summary
Page 59 and 60: Next Steps
Page 61 and 62: Open Problem: A Fast Refresh Proced
Page 63 and 64: Homomorphic Encryption “Fully”
Page 65 and 66: SWHE with Integers [vDGHV10] Divisi
Page 67 and 68: Relinearizing and “Key Switching
Page 69 and 70: Basic PERMUTEs (Rotations) Array of
Page 71 and 72: n-PERMUTE(π) from n-ADD, n-MULT, a
Page 73 and 74:
n-PERMUTE(π) from n-ADD, n-MULT, a
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
show all

FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?