A Simple BGN-Type Cryptosystem from LWE

Craig Gentry
Shai Halevi
Vinod Vaikuntanathan
IBM Research
Perspective
Homomorphic Encryption in three easy steps [G’09]
• Step 1: Encryption from linear codes
  • SK/PK are a good/bad representation of the code
  • Bad representation: can’t tell words close to the code from random words
  • Good representation: can be used to correct many errors
  • Additive homomorphism “for free”
• Step 2: The ECC lives inside a ring
  • We have both additive and multiplicative structure
  • If the code is an ideal, we also get a multiplicative homomorphism
  • for low-degree polynomials
• Step 3: Bootstrapping, squashing, etc.
Instances of this Paradigm
• Ring of polynomials [G’09]
• Ring of integers [vDGHV’10]
• This work: how about the ring of matrices?
  • Doesn’t quite work like the others
  • We only get additive HE + one multiplication
  • Quadratic formulas, as in [BGN’05]
  • But more efficient and more flexible
  • Can be made leakage-resilient, identity-based
Background
Learning with Errors (LWE)
• n – security parameter
• q = poly(n)
• m > n log q
• Instance: c = A·s + x mod q, where A ∈ Z_q^{m×n} is random mod q, s ∈ Z_q^n, and x ∈ Z^m is small
Search-LWE: Given A, c, find s, x
• [R’05, P’09] As hard as the worst case of some lattice problems
Decision-LWE: Distinguish c from random
• c is close to the linear code spanned by (the columns of) A
• [R’05] As hard as finding s, x
• For certain parameters
Matrix form: C = A·S + X mod q, with A ∈ Z_q^{m×n} random mod q, S ∈ Z_q^{n×m}, X ∈ Z^{m×m} small
• Many LWE instances with the same A
• Same hardness (easy hybrid argument)
Ajtai’s Trapdoors
• [A’96] Given A, hard to find a small t such that t·A = 0 mod q
  • As hard as the worst case of some lattice problems
• [A’99] But it is possible to generate a random A together with a small, full-rank T such that T·A = 0 mod q
• [Alwen-Peikert’08] Even smaller T
Trapdoor Functions [GPV’08]
• (A, s, x) ↦ A·s + x is a trapdoor function
• Can use T to correct errors:
  • c = A·s + x
  • T·c = T(A·s + x) = T·x mod q
  • But T, x are small, so ‖T·x‖ ≪ q
  ⇒ (T·c mod q) = T·x, with equality over the integers
  ⇒ T^{-1}·(T·c mod q) = x
Our Cryptosystem
Step 1: Encryption from linear ECCs
• Code is the column space of A mod q
  • { A·s : s ∈ Z_q^n }
• Bad representation (PK) is A itself
  • Given A, hard to distinguish words close to the code from random words (LWE)
• Good representation (SK) is T
  • Can use T to correct errors
Step 1: Encryption from linear ECCs
• PK: A, SK: T
• Encode the plaintext in the LSBs of the error matrix
  • Plaintext is a binary matrix B ∈ {0,1}^{m×m}
• Enc(A, B): Choose random S ∈ Z_q^{n×m}, small E ∈ Z^{m×m}
  • C = A·S + X mod q, where X = 2E + B
• Dec(T, C): Set X ← T^{-1}·(T·C mod q)
  • Output B = X mod 2
Step 1: Encryption from linear ECCs
• Security follows from LWE (for odd q)
Thm: LWE ⇒ For any B, Enc_A(B) ≈ random
Proof: Given an LWE input (A, C′)
• Either C′ = A·S + E or C′ is random:
  • Set C = 2C′ + B mod q
  • If C′ = A·S + E then C = A·(2S) + (2E + B) mod q
    • A random encryption of B (2S is uniform mod q because q is odd)
  • If C′ is random then so is C
Step 1: Encryption from linear ECCs
Additive homomorphism “for free”
• C = C1 + C2
    = (A·S1 + (2E1 + B1)) + (A·S2 + (2E2 + B2))
    = A·(S1 + S2) + 2(E1 + E2) + (B1 + B2) mod q
  with S = S1 + S2 and X = 2(E1 + E2) + (B1 + B2)
• T^{-1}·(T·C mod q) = X, and X mod 2 = B1 + B2 mod 2
• As long as ‖X‖ ≪ q
Step 2: ECC lives inside a ring
• Multiply C1 × C2 mod q?
  • (A·S1 + (2E1 + B1)) · (A·S2 + (2E2 + B2))
    = A·(…) + (2E1 + B1)·A·S2 + 2(…) + B1·B2 mod q
  • Not what we wanted
  • Cannot use T to cancel out (2E1 + B1)·A·S2
  • Matrix multiplication is not commutative
Step 2: ECC lives inside a ring
• How about C = C1 × C2^t mod q?
  • (A·S1 + (2E1 + B1)) · (A·S2 + (2E2 + B2))^t
    = A·(…) + (…)·A^t + 2(…) + B1·B2^t mod q, where X = (2E1 + B1)·(2E2 + B2)^t = 2(…) + B1·B2^t
• That’s better:
  • T·C·T^t = T·X·T^t mod q
  • X = (2E1 + B1)·(2E2 + B2)^t is still small
  ⇒ T·C·T^t mod q = T·X·T^t over the integers
  ⇒ T^{-1}·(T·C·T^t mod q)·(T^t)^{-1} = X, and X mod 2 = B1·B2^t mod 2
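The expansion that the slide abbreviates as A·(…) + (…)·A^t, carried through with the slide’s own symbols as an added derivation (not part of the original deck), together with the size condition that makes the mod-q reduction exact:

```latex
C_1 C_2^t = (A S_1 + X_1)(A S_2 + X_2)^t
          = A S_1 S_2^t A^t \;+\; A S_1 X_2^t \;+\; X_1 S_2^t A^t \;+\; X_1 X_2^t \pmod q,
\qquad X_i = 2E_i + B_i .

TA = 0 \pmod q \;\Rightarrow\; A^t T^t = (TA)^t = 0 \pmod q,
\quad\text{so the three terms containing } A \text{ vanish:}\quad
T C T^t = T X_1 X_2^t T^t \pmod q .

X_1 X_2^t = 4E_1E_2^t + 2E_1B_2^t + 2B_1E_2^t + B_1B_2^t \;\equiv\; B_1 B_2^t \pmod 2 .

\text{Size: if } \|T\|_\infty \le \tau \text{ and } \|X_i\|_\infty \le \beta \text{ (entrywise), then}
\quad \|T X_1 X_2^t T^t\|_\infty \le m^3 \tau^2 \beta^2 .

m^3 \tau^2 \beta^2 < q/2 \;\Rightarrow\; (T C T^t \bmod q) = T X_1 X_2^t T^t \text{ over the integers}
\;\Rightarrow\; T^{-1}\,(T C T^t \bmod q)\,(T^t)^{-1} = X_1 X_2^t \text{ exactly.}
```

A quadratic formula with k product terms multiplies the bound by k, which is the “appropriate parameters” condition: q must exceed 2k·m³τ²β².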
What Did We Get?
• KeyGen: Generate (T, A)
• Enc(A, B): C ← A·S + 2E + B mod q
• Add(C1, C2): C ← C1 + C2 mod q
• Mult(C1, C2): C ← C1·C2^t mod q
• Dec(T, C): B ← T^{-1}·(T·C·T^t mod q)·(T^t)^{-1} mod 2
• Can decrypt any quadratic formula with polynomially many terms
  • With appropriate parameters
• Can replace 2 by any p ≪ q:
  • Enc(A, B): C ← A·S + pE + B mod q
  • Dec(T, C): B ← T^{-1}·(T·C·T^t mod q)·(T^t)^{-1} mod p
Extensions, Applications
• Can apply the [AMGH’10] transformation
  • Get homomorphism for low-degree polynomials
• “Dual Regev encryption” [GPV’08] is a special case of our scheme*
  • Leakage resilience
  • IBE
• Efficient quadratic-formula homomorphism for polynomials, big integers
* After changing the encoding of the plaintext
Thank You
2-of-2 Decryption ([·]_q denotes reduction mod q)
• Alice has key pair (A1, T1), Bob has (A2, T2)
• Charlie encrypts B1 to Alice: C1 = [A1·S1 + X1]_q
• Dora encrypts B2 to Bob: C2 = [A2·S2 + X2]_q
• Zachariah sets C* = [C1·C2^t]_q
  • C* looks random to either Alice or Bob alone
  • Pooling their keys, they can recover B1·B2^t
  • B1·B2^t = T1^{-1}·[T1·C*·T2^t]_q·(T2^t)^{-1} mod 2
  • Can also “blind” C* to hide its relation to C1, C2
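The scheme of the “What Did We Get?” slide (including the “replace 2 by any p” variant) and the 2-of-2 decryption above, as an added toy implementation in plain Python; this is not code from the paper or its authors. Assumptions not on the slides: the trapdoor is produced by the simple construction A = [A1; R·A1], T = [-R | I_K], which gives T·A = 0 mod q with T small but T only K×m rather than square, so (like the non-invertible T of the dual-Regev slide) decryption recovers the bottom K rows of B instead of all of B; error entries are drawn from {-1, 0, 1}; the dimensions and modulus are tiny and give no security, they only make correctness checkable.

```python
import random

# Toy parameters, NOT secure: chosen only so the arithmetic is easy to follow.
N, W, K = 6, 16, 4      # LWE dimension, rows of the uniform block A1, rows of the trapdoor block
M = W + K               # ciphertexts are M x M matrices
Q = 1_000_003           # odd modulus, large enough that T*X*T^t never wraps around mod q

def matmul(X, Y, q=None):
    """Integer matrix product, optionally reduced mod q."""
    cols = list(zip(*Y))
    out = [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in X]
    return [[v % q for v in row] for row in out] if q else out

def madd(X, Y, q=None):
    """Entrywise sum, optionally reduced mod q."""
    out = [[a + b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]
    return [[v % q for v in row] for row in out] if q else out

def transpose(X):
    return [list(col) for col in zip(*X)]

def centered(X):
    """Lift entries from Z_q to the integer representatives in (-q/2, q/2]."""
    return [[v - Q if v > Q // 2 else v for v in row] for row in X]

def rand_mat(rng, rows, cols, lo, hi):
    return [[rng.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]

def keygen(rng):
    """Assumed simple trapdoor (not Ajtai's): A = [A1; R*A1] and T = [-R | I_K], so T*A = 0 mod q
    with T small. T is K x M rather than square, so decryption recovers a K-row block of X."""
    A1 = rand_mat(rng, W, N, 0, Q - 1)          # uniform block
    R = rand_mat(rng, K, W, -1, 1)              # small secret
    A = A1 + matmul(R, A1, Q)                   # public matrix, M x N
    T = [[-r for r in row] + [int(i == j) for j in range(K)] for i, row in enumerate(R)]
    assert all(v == 0 for row in matmul(T, A, Q) for v in row)   # T*A = 0 mod q
    return A, T

def encrypt(rng, A, B_bot, p=2):
    """B_bot is a K x M matrix over Z_p; it becomes the low-order part of the bottom K rows of X = p*E + B."""
    S = rand_mat(rng, N, M, 0, Q - 1)
    E = rand_mat(rng, M, M, -1, 1)
    B = [[0] * M for _ in range(W)] + B_bot
    X = madd([[p * e for e in row] for row in E], B)
    return madd(matmul(A, S), X, Q)             # C = A*S + X mod q

def add_ct(C1, C2):
    return madd(C1, C2, Q)

def mult_ct(C1, C2):
    return matmul(C1, transpose(C2), Q)         # C1 * C2^t mod q

def decrypt_linear(T, C, p=2):
    """T*C mod q equals T*X over the integers; reducing mod p leaves B_bot (K x M)."""
    return [[v % p for v in row] for row in centered(matmul(T, C, Q))]

def decrypt_quadratic(T1, C, T2=None, p=2):
    """T1*C*T2^t mod q equals T1*X*T2^t over the integers; mod p this is B1*B2^t (K x K).
    T2 defaults to T1; passing Bob's T2 gives the 2-of-2 decryption of C* = C1*C2^t."""
    T2 = T1 if T2 is None else T2
    return [[v % p for v in row] for row in centered(matmul(matmul(T1, C, Q), transpose(T2), Q))]

def demo(seed=1, p=2):
    """Runs every operation on constructed random plaintexts and returns which checks passed."""
    rng = random.Random(seed)
    A, T = keygen(rng)
    B1, B2, B3, B4 = (rand_mat(rng, K, M, 0, p - 1) for _ in range(4))
    C1, C2, C3, C4 = (encrypt(rng, A, B, p) for B in (B1, B2, B3, B4))
    quad = add_ct(mult_ct(C1, C2), mult_ct(C3, C4))          # encrypts B1*B2^t + B3*B4^t
    # 2-of-2: Alice's key encrypts B1, Bob's key encrypts B2; C1*C2_bob^t needs both trapdoors
    A_bob, T_bob = keygen(rng)
    C2_bob = encrypt(rng, A_bob, B2, p)
    return {
        "decrypt": decrypt_linear(T, C1, p) == B1,
        "add": decrypt_linear(T, add_ct(C1, C2), p) == madd(B1, B2, p),
        "mult": decrypt_quadratic(T, mult_ct(C1, C2), p=p) == matmul(B1, transpose(B2), p),
        "quadratic": decrypt_quadratic(T, quad, p=p)
                     == madd(matmul(B1, transpose(B2)), matmul(B3, transpose(B4)), p),
        "2-of-2": decrypt_quadratic(T, mult_ct(C1, C2_bob), T_bob, p) == matmul(B1, transpose(B2), p),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The size condition is visible in the constants: an entry of T·X is at most (W+1)(2p−1), an entry of T·X1·X2^t·T^t at most M(W+1)²(2p−1)², and a two-term quadratic formula doubles that, so with these dimensions p = 2 or 3 stays below q/2 while p = 5 already wraps around. In the real scheme the Ajtai / Alwen-Peikert trapdoor gives a square, invertible T, which is why the slides recover the whole of B with T^{-1}(·)(T^t)^{-1} rather than a K-row block.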
Multiplying Polynomials
• p(x) = p0 + p1·x + p2·x^2, q(x) = q0 + q1·x + q2·x^2
• Arrange the coefficients as upper-triangular Toeplitz matrices:
  P = [ p2 p1 p0 ; 0 p2 p1 ; 0 0 p2 ]
  Q = [ q0 q1 q2 ; 0 q0 q1 ; 0 0 q0 ]
• P·Q^t + R carries the product coefficients in its first row and first column:
  first row: (p0q2 + p1q1 + p2q0, p0q1 + p1q0, p0q0)
  first column: (p0q2 + p1q1 + p2q0, p1q2 + p2q1, p2q2)
  R and the remaining entries of the result are marked $ (don’t care) on the slide
Dual Regev Encryption [GPV’08]
• The dual-Regev cryptosystem is an instance of our scheme with T of the form shown on the slide (a row built from -u, the remaining rows 0)
• A different input encoding than [GPV’08]
• T is no longer invertible
  • But can still recover the top-left entry of B
• It is known to be IBE, leakage-resilient
  • Still true with the new input encoding
  • And now it supports quadratic formulas