
Showing papers by "Craig Gentry published in 2011"


Book ChapterDOI
Craig Gentry, Shai Halevi
15 May 2011
TL;DR: In this article, the authors describe a working implementation of a variant of Gentry's fully homomorphic encryption scheme (STOC 2009), similar to the variant used in an earlier implementation effort by Smart and Vercauteren (PKC 2010).
Abstract: We describe a working implementation of a variant of Gentry's fully homomorphic encryption scheme (STOC 2009), similar to the variant used in an earlier implementation effort by Smart and Vercauteren (PKC 2010). Smart and Vercauteren implemented the underlying "somewhat homomorphic" scheme, but were not able to implement the bootstrapping functionality that is needed to get the complete scheme to work. We show a number of optimizations that allow us to implement all aspects of the scheme, including the bootstrapping functionality. Our main optimization is a key-generation method for the underlying somewhat homomorphic encryption that does not require full polynomial inversion. This reduces the asymptotic complexity from O(n^2.5) to O(n^1.5) when working with dimension-n lattices (and practically reduces the time from many hours/days to a few seconds/minutes). Other optimizations include a batching technique for encryption, a careful analysis of the degree of the decryption polynomial, and some space/time trade-offs for the fully-homomorphic scheme. We tested our implementation with lattices of several dimensions, corresponding to several security levels, from a "toy" setting in dimension 512 to "small," "medium," and "large" settings in dimensions 2048, 8192, and 32768, respectively. The public-key size ranges from 70 Megabytes for the "small" setting to 2.3 Gigabytes for the "large" setting. The time to run one bootstrapping operation (on a 1-CPU 64-bit machine with large memory) ranges from 30 seconds for the "small" setting to 30 minutes for the "large" setting.

774 citations


Proceedings ArticleDOI
Craig Gentry, Daniel Wichs
06 Jun 2011
TL;DR: In this article, it was shown that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption, including one-way functions, trapdoor permutations, DDH, RSA, LWE etc.
Abstract: An argument system for NP is succinct if its communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian '92 and Micali '94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. However, we currently do not have any construction of succinct non-interactive arguments (SNARGs) in the standard model with a proof of security under any simple cryptographic assumption. In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor '03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.

467 citations


Posted Content
TL;DR: This work presents a construction of fully homomorphic encryption schemes that for security parameter λ can evaluate any width-Ω(λ) circuit with t gates in time t· polylog(λ), and introduces permuting/routing techniques to move plaintext elements across these vectors efficiently.
Abstract: We show that homomorphic evaluation of (wide enough) arithmetic circuits can be accomplished with only polylogarithmic overhead. Namely, we present a construction of fully homomorphic encryption (FHE) schemes that for security parameter λ can evaluate any width-Ω(λ) circuit with t gates in time t · polylog(λ). To get low overhead, we use the recent batch homomorphic evaluation techniques of Smart-Vercauteren and Brakerski-Gentry-Vaikuntanathan, who showed that homomorphic operations can be applied to “packed” ciphertexts that encrypt vectors of plaintext elements. In this work, we introduce permuting/routing techniques to move plaintext elements across these vectors efficiently. Hence, we are able to implement general arithmetic circuits in a batched fashion without ever needing to “unpack” the plaintext vectors. We also introduce some other optimizations that can speed up homomorphic evaluation in certain cases. For example, we show how to use the Frobenius map to raise plaintext elements to powers of p at the “cost” of a linear operation.

334 citations


Journal Article
TL;DR: In this paper, Brakerski and Vaikuntanathan proposed a leveled fully homomorphic encryption (FHE) scheme, which is based on the learning with error (LWE) or ring-LWE (RLWE) problems.
Abstract: We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2^λ security against known attacks. For RLWE, we have:
• A leveled FHE scheme that can evaluate L-level arithmetic circuits with O(λ · L) per-gate computation, i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure.
• A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is O(λ), independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).
We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width (e.g., where a constant fraction of levels have width at least λ) we can reduce the per-gate computation of the bootstrapped version to O(λ), independent of L, by batching the bootstrapping operation. Previous FHE schemes all required Ω(λ) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).
Electronic Colloquium on Computational Complexity, Report No. 111 (2011), ISSN 1433-8092.

295 citations


Proceedings ArticleDOI
Craig Gentry, Shai Halevi
22 Oct 2011
TL;DR: A new blueprint for FHE is described, showing how to eliminate the squashing step, and thereby eliminate the need to assume that the sparse subset sum problem (SSSP) is hard, as all previous leveled FHE schemes have done.
Abstract: All previously known fully homomorphic encryption (FHE) schemes use Gentry's blueprint:
* SWHE: Construct a somewhat homomorphic encryption (SWHE) scheme, roughly, an encryption scheme that can homomorphically evaluate polynomials up to some degree.
* Squash: "Squash" the decryption function of the SWHE scheme, so that the scheme can evaluate functions twice as complex (in terms of polynomial degree) as its own decryption function. Do this by adding a "hint" to the SWHE public key, namely a large set of vectors that has a secret sparse subset that sums to the original secret key.
* Bootstrap: Given a SWHE scheme that can evaluate functions twice as complex as its decryption function, apply Gentry's transformation to get a "leveled" FHE scheme. To get "pure" (non-leveled) FHE, one assumes circular security.
Here, we describe a new blueprint for FHE. We show how to eliminate the squashing step, and thereby eliminate the need to assume that the sparse subset sum problem (SSSP) is hard, as all previous leveled FHE schemes have done. Using our new blueprint, we obtain the following results:
* A "simple" leveled FHE scheme where we replace SSSP with Decision Diffie-Hellman!
* The first leveled FHE scheme based entirely on worst-case hardness. Specifically, we give a leveled FHE scheme with security based on the shortest independent vector problem over ideal lattices (ideal-SIVP).
* Some efficiency improvements for FHE. While the new blueprint does not yet improve computational efficiency, it reduces ciphertext length.
As in the previous blueprint, we obtain pure FHE by assuming circular security. Our main technique is to express the decryption function of SWHE schemes as a depth-3 (ΣΠΣ) arithmetic circuit. When we evaluate this decryption function homomorphically, we temporarily switch to a multiplicatively homomorphic encryption (MHE) scheme, such as Elgamal, to handle the Π part, after which we translate the result from the MHE scheme back to the SWHE scheme by evaluating the MHE scheme's decryption function within the SWHE scheme. The SWHE scheme only needs to be able to evaluate the MHE scheme's decryption function (plus minor operations), and does not need to have the self-referential property of being able to evaluate its own decryption function, a property that necessitated squashing in the original blueprint.

209 citations


Patent
Craig Gentry, Shai Halevi
09 Aug 2011
TL;DR: In this article, a homomorphic decryption method for homomorphic encryption is proposed, in which a ciphertext element c is provided, a small set S is a subset of a big set B, and summing up the elements of the small set yields the private key.
Abstract: In one exemplary embodiment of the invention, a method for homomorphic decryption, including: providing a ciphertext with element c; there exists a big set B having N elements z_i, so B = {z_1, z_2, ..., z_N}; there exists a small set S having n elements s_j, so S = {s_1, s_2, ..., s_n}; the small set is a subset of the big set; summing up the elements of the small set yields the private key; there exists a bit vector σ having N bits σ_i, so σ = ⟨σ_1, σ_2, ..., σ_N⟩, with σ_i = 1 if z_i ∈ S, else σ_i = 0; there exists an encrypted vector d having N ciphertexts d_i, so d = ⟨d_1, d_2, ..., d_N⟩, where d_i is an encryption of σ_i; post-processing c by multiplying it by all z_i to obtain an intermediate vector y = ⟨y_1, y_2, ..., y_N⟩ with y_i computed as y_i = c × z_i; homomorphically multiplying y_i by d_i, obtaining a ciphertext vector x having N ciphertexts x_i, so x = ⟨x_1, x_2, ..., x_N⟩, where x_i is an encryption of the product y_i · σ_i; and homomorphically summing all x_i to obtain a resulting ciphertext that is an encryption of the at least one bit, where the big set is partitioned into n parts with each part having a plurality of different elements from the big set, and where the elements of the small set are one element from each part.

51 citations


Patent
Craig Gentry, Shai Halevi
09 Aug 2011
TL;DR: In this paper, a method for evaluating at a point r one or more polynomials p_1(x), ..., p_l(x) of maximum degree up to n−1 is presented.
Abstract: In one exemplary embodiment of the invention, a method for evaluating at a point r one or more polynomials p_1(x), ..., p_l(x) of maximum degree up to n−1, where the polynomial p_i(x) has degree t_i − 1, the method including: partitioning each polynomial p_i(x) into a bottom half p_i^bot(x) with the bottom terms of the lowest s_i coefficients and a top half p_i^top(x) with the top terms of the remaining t_i − s_i coefficients; recursively partitioning the bottom half p_i^bot(x) and the top half p_i^top(x) of each polynomial p_i(x), obtaining further terms having a lower degree than the previous terms, performed until at least one condition is met, yielding a plurality of partitioned terms; evaluating the bottom half p_i^bot(x) and the top half p_i^top(x) at the point r for each polynomial p_i(x) by evaluating the partitioned terms at the point r and iteratively combining the evaluated partitioned terms; and evaluating each polynomial p_i(x) at the point r by setting p_i(r) = r^{s_i} · p_i^top(r) + p_i^bot(r).

22 citations


Posted Content
TL;DR: In this article, Gentry et al. proposed a new approach for constructing fully homomorphic encryption (FHE) schemes, which eliminates the need for the squashing step, and thereby also removes the need to assume the sparse subset sum problem (SSSP) is hard.
Abstract: We describe a new approach for constructing fully homomorphic encryption (FHE) schemes. Previous FHE schemes all use the same blueprint from [Gentry 2009]: First construct a somewhat homomorphic encryption (SWHE) scheme, next "squash" the decryption circuit until it is simple enough to be handled within the homomorphic capacity of the SWHE scheme, and finally "bootstrap" to get a FHE scheme. In all existing schemes, the squashing technique induces an additional assumption: that the sparse subset sum problem (SSSP) is hard. Our new approach constructs FHE as a hybrid of a SWHE and a multiplicatively homomorphic encryption (MHE) scheme, such as Elgamal. Our construction eliminates the need for the squashing step, and thereby also removes the need to assume the SSSP is hard. We describe a few concrete instantiations of the new method, including a "simple" FHE scheme where we replace SSSP with Decision Diffie-Hellman, an optimization of the simple scheme that lets us "compress" the FHE ciphertext into a single Elgamal ciphertext(!), and a scheme whose security can be (quantumly) reduced to the approximate ideal-SIVP. We stress that the new approach still relies on bootstrapping, but it shows how to bootstrap without having to "squash" the decryption circuit. The main technique is to express the decryption function of SWHE schemes as a depth-3 (ΣΠΣ) arithmetic circuit of a particular form. When evaluating this circuit homomorphically (as needed for bootstrapping), we temporarily switch to a MHE scheme, such as Elgamal, to handle the Π part. Due to the special form of the circuit, the switch to the MHE scheme can be done without having to evaluate anything homomorphically. We then translate the result back to the SWHE scheme by homomorphically evaluating the decryption function of the MHE scheme. Using our method, the SWHE scheme only needs to be capable of evaluating the MHE scheme’s decryption function, not its own decryption function. We thereby avoid the circularity that necessitated squashing in the original blueprint.

16 citations


Posted Content
TL;DR: In this paper, Brakerski and Vaikuntanathan proposed a leveled fully homomorphic encryption (FHE) scheme, which is based on the learning with error (LWE) or ring-LWE (RLWE) problems.
Abstract: We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2^λ security against known attacks. For RLWE, we have:
• A leveled FHE scheme that can evaluate L-level arithmetic circuits with O(λ · L) per-gate computation, i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure.
• A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is O(λ), independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).
We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width (e.g., where a constant fraction of levels have width at least λ) we can reduce the per-gate computation of the bootstrapped version to O(λ), independent of L, by batching the bootstrapping operation. Previous FHE schemes all required Ω(λ) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).

11 citations


Patent
Craig Gentry, Shai Halevi
09 Aug 2011
TL;DR: In this article, a method for computing a resultant and a free term of a scaled inverse of a first polynomial v(x) modulo a second polynomial f_n(x), where f_n is of the form f_n(x) = x^n ± 1, n = 2^k and k is an integer greater than 0, is presented.
Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial v(x) modulo a second polynomial f_n(x), including: receiving the first polynomial v(x) modulo the second polynomial f_n(x), where the second polynomial is of the form f_n(x) = x^n ± 1, where n = 2^k and k is an integer greater than 0; computing the lowest two coefficients of a third polynomial g(z) that is a function of the first polynomial and the second polynomial, where g(z) is defined as g(z) = ∏_{i=0}^{n−1} (v(ρ_i) − z), where ρ_0, ρ_1, ..., ρ_{n−1} are the roots of the second polynomial f_n(x) over a field; outputting the lowest coefficient of g(z) as the resultant; and outputting the second lowest coefficient of g(z) divided by n as the free term of the scaled inverse of the first polynomial v(x) modulo the second polynomial f_n(x).

9 citations


Posted Content
TL;DR: A simpler approach that bypasses the homomorphic modular-reduction bottleneck to some extent, by working with a modulus very close to a power of two, and allows to store the encryption of the secret key as a single ciphertext, thus reducing the size of the public key.
Abstract: Gentry’s bootstrapping technique is currently the only known method of obtaining a “pure” fully homomorphic encryption (FHE) scheme, and it may offer performance advantages even in cases that do not require pure FHE (such as when using the new noise-control technique of Brakerski-Gentry-Vaikuntanathan). The main bottleneck in bootstrapping is the need to evaluate homomorphically the reduction of one integer modulo another. This is typically done by emulating a binary modular reduction circuit, using bit operations on the binary representation of integers. We present a simpler approach that bypasses the homomorphic modular-reduction bottleneck to some extent, by working with a modulus very close to a power of two. Our method is easier to describe and implement than the generic binary circuit approach, and is likely to be faster in practice. In some cases it also allows us to store the encryption of the secret key as a single ciphertext, thus reducing the size of the public key. We also show how to combine our new method with the SIMD homomorphic computation techniques of Smart-Vercauteren and Gentry-Halevi-Smart, to get a bootstrapping method that works in time quasilinear in the security parameter. This last part requires extending the techniques from prior work to handle arithmetic not only over fields, but also over some rings. (Specifically, our method uses arithmetic modulo a power of two, rather than over characteristic-two fields.)

Patent
14 Jun 2011
TL;DR: In this paper, the authors propose an encryption system and a signature method that reduce the size of an encrypted message, a signature, and other encryption information by mapping the encoded message H(M) to an intermediate number b of a predetermined set B; the result is encrypted (220) to generate and transmit a short ciphertext.
Abstract: PROBLEM TO BE SOLVED: To provide an encryption system and a signature method that reduce the sizes of an encrypted message, a signature, and other encryption information. SOLUTION: After a plaintext is encoded, a mapping step (610) is executed to map the encoded message H(M) to an intermediate number b of a predetermined set B, and the result is encrypted (220) to generate and transmit a short ciphertext (230). The mapping is reversible at least on condition that the message H(M) (encoded where applicable) is within a limited set, such as a set [0, h"] of short messages. Further, a signature is mapped to a short signature in order to provide the short signature. This mapping is reversible at least on condition that the source message (H(M)) used to generate the signature is short. The output of signcryption, group signatures, and ring signatures is reduced.

Patent
29 Mar 2011
TL;DR: In this paper, an encryption function receives A and B as inputs and outputs C ← AS + pX + B (mod q), where S is a random matrix, X an error matrix, p an integer and q an odd prime.
Abstract: In an exemplary embodiment, a computer-readable storage medium tangibly embodying a program of instructions executable by a machine to perform operations, the operations including: receiving data B to be encrypted as ciphertext C according to an encryption method that includes an encryption function; and encrypting B according to the encryption function to obtain C, where the encryption method uses at least one public key A, where B, C and A are matrices, and the encryption function receives A and B as inputs and outputs C as C ← AS + pX + B (mod q), where S is a random matrix, X an error matrix, p an integer and q an odd prime. In other exemplary embodiments the encryption method includes a decryption function that receives as inputs at least one private key T (a matrix) and C, and outputs B as B = T^(−1) · (T C T^t mod q) · (T^t)^(−1) mod p.

Patent
29 Mar 2011
TL;DR: In this paper, a computer-readable storage medium tangibly embodying a program of instructions executable by a machine to perform operations is described, the operations including: receiving data B to be encrypted as a ciphertext C according to an encryption method that includes an encryption function.
Abstract: In an exemplary embodiment, a computer-readable storage medium tangibly embodying a program of instructions executable by a machine to perform operations, the operations including: receiving data B to be encrypted as ciphertext C according to an encryption method that includes an encryption function; and encrypting B according to the encryption function to obtain C, where the encryption method uses at least one public key A, where B, C and A are matrices, and the encryption function receives A and B as inputs and outputs C as C ← AS + pX + B (mod q), where S is a random matrix, X an error matrix, p an integer and q an odd prime. In other exemplary embodiments the encryption method includes a decryption function that receives as inputs at least one private key T (a matrix) and C, and outputs B as B = T^(−1) · (T C T^t mod q) · (T^t)^(−1) mod p.