FIELD-SWITCHING INHOMOMORPHIC ENCRYPTIONCraig GentryShai HaleviChris PeikertNigel P. Smart

HE Over Cyclotomic Rings Denote the field

Its ring of integers is Mod- denoted

“Native plaintext space” is Ciphertexts , secret-keys are vectors over wrt encrypts if (for representatives in )

we have for small Decryption via Using “appropriate” -bases of

* Not exactly

*

**

HE Over Cyclotomic Rings “Native plaintexts” encode vectors of

values (more on that later)

Homomorphic Operations Addition: encrypts , encoding Multiplication: encrypts , encoding Automorphism: encrypts , encoding some

permutation of Relative to key

HE Over Cyclotomic Rings Also a key-switching operation For any two we can publish a

key-switching gadget used to translate valid wrt into wrt

encrypt the same plaintext for some small

How Large are ? Ciphertexts are “noisy” (for security)

noise grows during homomorphic computation Decryption error if noise grows larger than

Must set “much larger” than initial noiseSecurity relies on LWE-hardness with very large modulus/noise ratioDimension () must be large to get hardness Asymptotically

For realistic settings,

Switching to Smaller ? As we compute, the noise grows

Cipehrtexts have smaller modulus/noise ratio

From a security perspective, it becomes permissible to switch to smaller values of

How to do this? Not even clear what outcome we want

here: Have wrt , encrypting some Want wrt for

Encrypting ??

Ring-Switching: The Goal We cannot get since , We want to be “related” to

encodes encodes

May want to encode a subset of the ’s? E.g., the first of them Not always possible, only if

What relations between the ’s are possible?

Prior Work A limited ring-switching technique was

described in [BGV’12] Only for

Transforms big-ring into small-ring s.t. (encrypted in ) can be recovered from (encrypted in ).

Used only for bootstrapping

Our Transformation: Overview Work for any as long as wrt wrt , encrypt , that encode vectors:

, Necessarily , so a subfield of

Each is a -linear function of some ‘s We can choose the linear functions, but not

the subset of ‘s that correspond to each If , can use projections (so ’s a subset of ’s)

Our Transformation: OverviewDenote 1. Key-switching to map wrt wrt

and over the big field, wrt subfield key

2. Compute a small that depends only on the desired linear functions

3. Apply the trace function, 4. Output

Algebra

Geometry of Use canonical-embedding to associate

with a -vector of complex numbers Thinking of as a polynomial, associate with

the vector , the principal complex ’th root of unity E.g., if then

We can talk about the “size of ” say the or norm of For decryption, the “noise element” must be

Geometry of can be expressed as a vector-space over

Similarly over , over , etc. Every -basis induces a transformation coefficients in element of

With canonical embedding on both sides, we havea -linear transformation

We want a “good basis”, where is “short”and “nearly orthogonal”

Geometry of Lemma 1: There exists -basis of R for

which all the singular values of are nearly the same. Specifically where

primes that divide but not The proof follows techniques from

[LPR13],the basis is essentially a tensor of DFT matrices

The Trace Function For ,

By definition: if is small then so is is

is -linear if , and

The trace is a “universal” -linear function: For every -linear function there exists such

that

The Trace Function The trace Implies also a -linear map ,

and -linear map Every -linear map can be written as

But need not be in More on that later

The Intermediate Trace Function

when is an extension of Satisfies

Lemma 2: if is small then so is Less trivial than for but still true

is a “universal” -linear function: is For every -linear function there exists such

that Similarly implies -linear map and -linear

map

Some Complications Often we get Also for many linear functions we get

where is not in In our setting this will cause problems

when we apply the trace to ciphertext elements That’s (one reason) why ciphertexts are not

really vectors over Hence the *‘s throughout the slides

The Dual of Instead of , ciphertext are vectors over

the dual , for some

We have Also every -linear can be written as for

some In the rest of this talk we ignore this point,

and pretend that everything is over

Prime Splitting The integer 2 splits over as

ranges over is generated by In this talk we assume =1 (i.e., is odd) prime ideals, each

Using CRT, each encodes the vector

Prime Splitting Similarly 2 splits over as

Again we assume Using CRT, each encodes the vector

When then also , , and each split over as a product of some of the ’s

Prime Splitting Example for

2

𝒑1′ 𝒑 3

′

𝒑 22❑𝒑15

❑𝒑1❑ 𝒑 31

❑𝒑17❑𝒑 3

❑

𝑍

𝑅′

𝑅

⊆⊆

Lie over 2

Lie over Lie over

Plaintext-Slot Representation

Recall that for all the ’s But the isomorphisms are not unique

To fix the isomorphisms: Fix a primitive -th root of unity Fix representatives for all defined via

Same for isomorphisms Define by fixing and

Plaintext-Slot Representation Making the ’s and ‘s “consistent”

Fix and set Fix , then that lies over , choose s.t.

Fact: if lies over and , then

In words: for a sub-ring plaintext, the slots mod and all the ’s lie over it, hold the same value

Plaintext-Slot Representation Lemma 3: collection of -linear functions

a unique -linear function s.t. =

holds and , and The ’s range over all the ’s that lie over

Illustration of Lemma 3

s.t. and

Can express for some

𝒑1′ 𝒑 3

′

𝒑 22❑𝒑15

❑𝒑1❑ 𝒑 31

❑𝒑17❑𝒑 3

❑

𝑅′

𝑅

⊆

(𝑑=12 , ℓ=6)

(𝑑′=3 , ℓ ′=2)

𝐿1:𝐺𝐹 (212 )3→𝐺𝐹 (23) 𝐿3:𝐺𝐹 (212 )3→𝐺𝐹 (23)

* Not exactly

*

The Transformation

Step 1, Key Switching Let (chosen at keygen) Publish a key-switching matrix Given ctxt wrt , use W to get wrt

Just plain key-switching in the big ring still over the big ring, but wrt a sub-ring

key encrypts the same -element as

Security of Key-Swicthing Security of usual big-ring key-switching

relies on the secret being drawn from Then constrains only LWE-instance over What can we say when it is drawn from ?

We devise LWE instances over with secret from , with security relying on LWE in Instead of one small error element in ,

choose many small elements in , use an -basis of to combine them into a single error element in

-LWE With Secret in Let be any -basis of Given the LWE secret

Choose uniform and small Set and output

If the basis B is “good” (short, orthogonal) then is not much larger than the ’s This is where we use Lemma 1 ( good basis)

-LWE With Secret in Theorem: If decision-LWE is hard in ,

then is indistinguishable from uniform in Proof:

We can consider for uniform Induces the same uniform distribution on

Then we would get . If the were uniform in , then would be

uniform in .

Steps 2,3: Ring Switching encrypts wrt

encodes a vector We view it as

target functions, Want small-ring ciphertext encrypting that

encodes For each ,

Steps 2,3: Ring Switching By Lemma 2, that induces the ’s

Expressed as for We identify with a short representative in

One must exists since 2 is “short” Thus identify with over

Further identify as a representative of Apply the trace,

Recall that is valid wrt

* Not exactly

*

Correctness Recall over

For some (with small) and over Thus we have the equalities (over ):

encodes the ’s that we want

Correctness• We have

This looks like a valid encryption of It remains to show that is short

is short (from the input), is short (reduced mod 2)

So is short By Lemma 3 also is short

Conclusions We have a general ring-switching

technique Converts over to over for The plaintext slots in can contain any

linear functions of the slots in A -slot is a function of the -slots that lie above it

We may choose projection functions to have contain subset of the slots of

Lets us to speed up computation by switching to a smaller ring

Epilog: The [AP13] WorkAlperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation of DFT-like transformations:1. Decompose it to an FFT-like network of

“local” linear functions2. Use ring-switching for each level3. Then switch back up before the next level

Yields fastest bootstrapping procedure to date