Λολ: Functional Lattice Cryptography

This work describes the design, implementation, and evaluation of Λολ, a general-purpose software framework for lattice-based cryptography. The Λολ framework has several novel properties that distinguish it from prior implementations of lattice cryptosystems, including the following.

Generality, modularity, concision: Λολ defines a collection of general, highly composable interfaces for the mathematical operations used across lattice cryptography, allowing a wide variety of schemes to be expressed very naturally and at a high level of abstraction. For example, we implement an advanced fully homomorphic encryption (FHE) scheme in as few as 2--5 lines of code per feature, via code that very closely matches the scheme's mathematical definition.

Theory affinity: Λολ is designed from the ground up around the specialized ring representations, fast algorithms, and worst-case hardness proofs that have been developed for the Ring-LWE problem and its cryptographic applications. In particular, it implements fast algorithms for sampling from theory-recommended error distributions over arbitrary cyclotomic rings, and provides tools for maintaining tight control of error growth in cryptographic schemes.

Safety: Λολ has several facilities for reducing code complexity and programming errors, thereby aiding the correct implementation of lattice cryptosystems. In particular, it uses strong typing to statically enforce---i.e., at compile time---a wide variety of constraints among the various parameters.

Advanced features: Λολ exposes the rich hierarchy of cyclotomic rings to cryptographic applications. We use this to give the first-ever implementation of a collection of FHE operations known as "ring switching," and also define and analyze a more efficient variant that we call "ring tunneling."
Lastly, this work defines and analyzes a variety of mathematical objects and algorithms for the recommended usage of Ring-LWE in cyclotomic rings, which we believe will serve as a useful knowledge base for future implementations.
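The following is an added illustration of the "Safety" point above, written here in Rust rather than taken from Λολ (which is a Haskell library): elements of the ring Z_q[x]/(x^N + 1), the 2N-th cyclotomic ring for N a power of two, carry N and q as type-level parameters, so an attempt to add or multiply elements with different parameters is rejected by the compiler instead of silently producing a wrong result. The type name `Rq` and the schoolbook negacyclic multiplication are assumptions of this example, not Λολ's representation.

```rust
// Added illustration, not Λολ's own (Haskell) code: elements of the ring
// R_q = Z_q[x]/(x^N + 1), the 2N-th cyclotomic ring for N a power of two,
// with N and q as const generic parameters. Two elements with different N
// or q have different types, so mixing them is rejected at compile time.
use std::ops::{Add, Mul};
#[derive(Clone, Debug, PartialEq)]
pub struct Rq<const N: usize, const Q: u64> {
    coeffs: [u64; N], // coefficient of x^i at index i, reduced mod Q
}

impl<const N: usize, const Q: u64> Rq<N, Q> {
    pub fn new(mut coeffs: [u64; N]) -> Self {
        coeffs.iter_mut().for_each(|x| *x %= Q);
        Rq { coeffs }
    }
    pub fn coeffs(&self) -> &[u64; N] { &self.coeffs }
}

impl<const N: usize, const Q: u64> Add for &Rq<N, Q> {
    type Output = Rq<N, Q>;
    fn add(self, rhs: Self) -> Rq<N, Q> {
        let mut out = [0u64; N];
        for i in 0..N { out[i] = (self.coeffs[i] + rhs.coeffs[i]) % Q; }
        Rq { coeffs: out }
    }
}
impl<const N: usize, const Q: u64> Mul for &Rq<N, Q> {
    type Output = Rq<N, Q>;
    fn mul(self, rhs: Self) -> Rq<N, Q> {
        // Schoolbook negacyclic convolution: x^N = -1 folds degree >= N back.
        let mut out = [0u64; N];
        for i in 0..N {
            for j in 0..N {
                let p = (self.coeffs[i] as u128 * rhs.coeffs[j] as u128 % Q as u128) as u64;
                let k = i + j;
                if k < N { out[k] = (out[k] + p) % Q; }
                else { out[k - N] = (out[k - N] + Q - p) % Q; }
            }
        }
        Rq { coeffs: out }
    }
}
/// (1 + x^3) * x in Z_17[x]/(x^4 + 1): x + x^4 = x - 1 = 16 + x (mod 17).
pub fn demo() -> Rq<4, 17> {
    let a: Rq<4, 17> = Rq::new([1, 0, 0, 1]);
    let b: Rq<4, 17> = Rq::new([0, 1, 0, 0]);
    // let c: Rq<8, 17> = Rq::new([0; 8]); let _ = &a + &c; // mismatched types: rejected
    &a * &b
}
```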
