Gentry’s ideal-lattice based encryption scheme
Gentry’s STOC’09 paper - Part III
1
From Micciancio's paper
( ) Enc Dec
We described an ideal-based encryption scheme .
Recall Samp , and mod .
The scheme is correct for circuit
Why ideal lattices --- as opposed to just ideals or lattices?
skI JX P X R
C
Σ•
•
•
B B
( ) 1 Enc 1 Dec
Enc Dec
if , , , ( ) , , .
For to be correct as an ordinary encryption scheme, we require: .
For to be additively and multiplicatively homomorphic,
t tx x X g C x x X
X X
∀ … ∈ … ∈
Σ⊆
Σ
•
•
Enc Enc Dec Enc Enc Decwe require: and .X X X X X X+ ⊆ × ⊆3
( )
( ) ( )( )Enc Enc Enc Enc
Enc
Enc E
De
n
c
c
Our goal is to have for deep enough circuits , including the decryption circuit .
So, we want to analyze, for example, how
expand
)
,
(g C XC D
X X X X X
X
X
Σ
•
+ × + × ×
•
⊆
( ) ( )( )Enc Enc Enc Enc Enc Enc
Enc Dec
Dec
and how to ensure
.
Connecting ideals with lattices makes such analysis possible, because, with [ ] ( ( )) , and become
subsets of
n
X X X X X X
R x f x X X
X+ × + × ×
≅
•
⊆
=
and we can analyze them geometrically.
n
4
To instantiate the (abstract) ideal-based encryption scheme using ideal lattices, we will do the following.
Choose a polynomial ( ) with integer coefficien
Instantiate the ideal-based scheme
f x
•
•
( )
( )
Samp
ts and let ring [ ] ( ) .
Choose an element , ideal , the rotation basis.
Plaintext space : a subset of ( ), centered parallelepiped. Samp: choose a range for Samp.
Cho
I
I
R x f x
R I
M C
•
••
•
=
∈ = =s s B
B
ose an ideal and a good basis .
Let HNF( ).
skJ
pk skJ J
J=
BB B
5
Ideal Lattices
6
( )
the ring of all polynomials with integer coefficients.
a monic polynomial of degree in [ ] Monic means the leading coefficien
(
t is 1 Often c
) :
ho
[ ]:
( ) :
a polynomial ring[ ] f x
x
n xf x
x
•
•
( )
( )
ose ( ) to be irreducible.
the ideal generated by ( ).
( ) ( ) [ ] ( ) ( ) :
( ) :
( ) ( ) mod
( ) [ ] .
iff ( ) ( ) is divisible by ( ).
[ ] is divided into classes (cosets
( )
f x
f x
f x f x x f x g x g x x
g
f x
g x h x h x fx f x x
x
= ⋅ = ⋅ ∈
•
• −≡
•
) such that ( ) and ( ) are in the same class (coset) iff ( ) ( ) mod ( ).
g x h xg x h x f x≡
7
( )
[ ] ( ( )) denotes the set of those classes (cosets). Each class has exactly one polynomial of degree 1. Thus, [ ] ( ) may also be
[ ] ( ( )
defined as the set of all
) :
x f xn
x f x
x f x
≤ −
•
( ) 11 1 0
polynomials of degree 1, i.e.,
.
Addition and multiplication in [ ] ( ( )) are like regular polynomi
[ ] ( ) :
al addition and multiplication exce
nn ix f x a x
f
a
n
a a
x x
x−−= + + +
≤ −
∈
( )
pt that the result is reduced modulo ( ). [ ] ( ) is a commutative ring with identity.
f xx f x
8
11 1 0
11 1 0
11 1 1 1 0 0
If ( ) and
( ) , then
( ) ( ) ( ) ( ) ( ).
The group [ ] ( ( ))
[x] ( ( )) as an additive grois
up.
nn
nn
nn n
n
a x a x a x ab x b x b x b
a x b x a b x a b x a b
xx
f xf
−−
−−
−− −
= + + +
= + + +
+ = + + + + +
≅•
+
•
10 1 1 0 1 1
isomorphic to the lattice . ( , , , ).
Define multiplication in by way of multiplication in [ ] ( ( )), and then we have multiplication in .
E
n
nn n
n
n
a a x a x a a a
x f x
−− −+ +
•
+ ↔
ach ideal in [x] ( ( )) defines a sublattice in .
Lattices corresponding to ideals are ideal lat i .s t ce
nf x
•
9
( )
Since [ ] ( ( )) , we do not distinguish between ring elements in and lattice points/vectors in .
Any ideal in corresponds to a lattice in .
Rotation basis for principal ideal n
n
n
R x f xR
R
= ≅•
•
•
v
( )[ ]0 1
In particular, the ideal generated by defines a
lattice with basis , , , where
mod ( ). This basis is called the rotation basis for the ideal l
n
ii
R
x f x−
≠ ∈
=
=
•
×
v 0 v
B v v
v v
( ).
Not every ideal has a rotation
attice
basis. •
v
10
( ) [ ]
( ) [ ]
1 1 2
1 2
Ideal 1 . 1 . Rotation basis , , , .
Ideal lattice .
Ideal 2 2 all polynomials in with coefficients .
Rotation basis: 2 , 2 , , 2 .
even
Corresponding la
Examples
n
n
n
R
R R
•
•
= = =
=
= × =
e e e v
e e v
( ) ( )1 2
all lattice points in ttice, 2 .
with coordinates
Q: Find the rotation basis of
e
2 or 2 .
ven
nn
x
=
+ +• e e
11
11 1 0
1
1
[ ] : the ring of polynomials with rational coefficients.
[ ] ( ( )) : .
If is an ideal in [ ] ( ( )), define as
( ( )) and fractio
nal d l
i ea s[ ]
nn i
x
x f
f x
x a x a x a a
I R x f x II
x
−−
−
−
= + + + ∈
=
∈
•
•
•
v
1
1 1
[ ] ( ( )) : .
is a . It behaves like an ideal of except that it is not necessarily contained in .
. is said to be invertible if .
fractional i
d
A
a
l
l
l
e
x f x I R
I RR
I I R I I R
R
I
−
− −
× ⊆
⊆•
⊇
=
v
invertible (fractional) ideals form a group with as the identity.
R
12
( ) ( )
( )
1 1 1
1
1
If , then is generated by [ ] ( ( )).
exists if ( ) is irreducible.
defines a lattice in , not necessarily in .
We h
( ( )) and fractional idea
ave de
l
t d
s
[x]
n n
I I x f x
f x
I
I
f x
− − −
−
−
•
•
•
= = ∈
⋅
v v v
v
( )( ) ( )
[ ]
1et 1.
Recall: det det det ( ) vol ( ) , the volumn of the fundamental parallelepiped of the lattice defined by .
det the index : the number of elements in .
I I I
I
I L PI
I R I R I
− =
•
•
= = =
=
B B B
13
[ ]
[ )
1
1
Hermite nornal form (HNF): a basis which is skiny, skew, and will be used as a .
fundamental parallelepiped: // , , //
( ) : 1 2, 1 2
R
.
eview
Cent
m
e
red
n
n
i i ii
pk
P x x=
=
∈ −
•
•
•
∑
B b b
B b
t
1
od the unique ( ) with ( ).
mod can be efficiently computed as
rounded to the nearest integer.
max : .i i
P L
x x
−
′ ′∈ − ∈
−•
•
⋅ ⋅ .
∈•
B t B t t B
t B t B B t
B b b B
14
Instantiating the ideal-based scheme using ideal lattices
15
From Micciancio's paper
( )
To instantiate the (abstract) ideal-based encryption scheme using (ideal) lattices, we will do the following.
Choose a polynomial ( ) and let ring [ ] ( ) .
Choose a vector , l
Recall:
f x R x f x
•
• =
• s
( )
Samp
et ideal , let the rotation basis.
Plaintext space : a subset of ( ). Samp: choose a range for Samp.
Choose an ideal and a good basis .
Let HNF( ). Our goal is
I
I
skJ
pk skJ J
I
M P
J
= =
=
••
•
•
s B
B
BB B
( )Enc Decto have for deep enough circuits , including the decryption circui .
( )t
g CC
XD
X
Σ
⊆17
( ) ( )
( )
Enc
Dec
Enc E
En
nc Enc
Dec Dec D
c
c
c D
e
e
Samp , .
mod ( ).
Define: the smallest radius s.t. ( ),
the largest r
T
adius s.t.
heore
( )
m
an
.
(
dBalls:
I
sk skJ J
X M
X R P
r X r
r r X
r r
•
=
• ⊆
⊆
• B
B B
B
B
B B
1 Enc
):
A mod -circuit (including the identity circuit) with 1 inputs is a permitted circuit for the schec
a sufficient condition for perm
me if:
itted cir
, , ( ), (
i
)
cu ts
I
t
C t
x x r g C
≥
∀ … ∈
B
B ( ) 1 Dec, , ( ). tx x r… ∈B18
Enc Dec X X
Enc
Dec
( )
( )
r
r
B
B
19
20
Enc
Mult
Starting from : ( ), how does expand with addition and multiplication?
for all , (triangle inequality).
for all , , wh
Expansion of vectors with operationsr
R
Rγ
=
≤ + ∈
× ≤ ⋅ ∈
•
•
•
u + v u v u v
u v u v u v
B B B
Mult
Mult
2
ere is a factor . Let .
If input vectors are in ( ), then after a -fan-in addition or a 2-fan-in multiplication, the output ve
dep
cto
endent on
r is in ( ).
R m
r mmr
γγ
•
=
BB
21
( )
Enc
2 1 2 2Enc Enc
2Enc
By induction, if input vectors are in ( ), then after levels of -fan-in addition and/or 2-fan-in multiplication,
the result is in ( ) ( ) .
We will have ( )
k k k
k
r km
m r mr
mr r
− ⊆
≤
•
•
B
B B
( )Dec Mult Enc
Dec Dec Enc if loglog loglog .
The proposed scheme correctly evaluates circuits of depth up to .
To maximize the depth
Tloglog loglo
of
h
p
eorem
ermitted circuits, we wil
:g
l
r
mr
r
k r
γ•
−
Σ
•
≤
⋅
−
Enc Mult Decminimize and and maxisubject
attempto secur
t to ity con
mize strai nts.
r rγ
22
Dec Enc Roughly: the ratio must be subexponential.
Recall: the security of the abstract scheme relies on the hardness of ICP. In the setting of ideal lattices (where
Security constraintsr r•
•
•
≤
Enc
Enc
is chosen to be shorter than and : mod ), ICP becomes: Decide whether is within a small distance ( ) of lattice , or is uniformly random modulo . This is a decision ver
pkJr
r JJ
′
=
•
πt B
t
sion of BDDP, which is not surprising since the abstract scheme is a variant of GGH and the security of GGH relies on the hardness of BDDP.
23
Dec Enc
Enc Enc 1
Roughly: the ratio must be sub-exponential.
If is too small, say ( ) 2 , BDDP can be solved using, for example, the LLL algorithm.
No algorithm is known to solve BDDP if
n
r r
r r Jλ
•
•
•
≤
≤
1
De
Enc 1
De
c
c 1
Dec E
t
nc
Mul
( ) 2 , 1. On the other hand, by definition, we have ( ). Thus, for BDDP to be hard, we require
2 , 1 //sub-exponential//
If we choose 2 , c
c
cn
n
n
r
r Jc
r J
r r c
γ
λ
λ
≥<
≤
≤ <
••
• = 2
Enc
1 2
, then the scheme can handle circuits of depth up to ( o
2.) l g
cn
c cr
n−⋅ =
24
Mult
Mult
Goal: Set ( ) so that [ ] ( ( )) has a small ( ).
To this end, we only have to choose ( ) such that ( ) and ( ) have small norms, due to the following theorem.
Minimizing ( )
f x R x f x R
f x f xg x
R
γ
γ
•
•
•
=
( )Mult
1 1 1
Theorem: If ( ) is a monic polynomial of degree then
( ) 2 1 2 ,
where ( ) ( ) mod //inverse in [ ] ( ) // ( ) (1 ) //reversing the coefficie
n n
n
f x n
R n n f g
g x F x x x xF x x f x
γ− − −
≤ ⋅ + ⋅ ⋅
=
=
20
nts of ( )//
for ( ) //polynomial norm//ni n
f x
p a p x a x a= = + +∑
25
( )( ) Mult
Theorem: If ( ) ( ) where ( ) has degree at most ( 1) , 2, then, for [ ] ( ( )),
( ) 2 1 2 ( 1) .
Theorem: Let and [ ] ( ( )). ( ) 1 Then,
n
n
k
f x x h x h xn n k k R x f x
R n n k n f
R xx xf x f
γ
= −− − ≥ =
•
•
≤ ⋅ + −
== ±
Mult
There are non-fatal attacks on h
ard problems
( ) .
over this rin
g .
R nγ ≤
•
26
( )
( )
Mult
0 1
Enc
Let [ ] ( ) with ( ) 1 and so ( ) . Let , and ( ) the ideal generated by ,
, , the rotation basis of , max ,
( ) the lattice generated b
Minimizingn
I n I i
I
R x f x f x x R nR I
L
rγ
−
= = − ≤
∈ =
= =
•
• s s s
B s s s B s
B
( ) ( )( )
1
1
Enc Enc
Samp
y , ( ) the centered fundamental parallelepiped, ( ) the message space, a message, Samp : Samp .
We want Samp ( ).
Let be an upper bound on ,
I
I
I
I
I
PM P M
R
M X r
⊆ ∈
= +
⊆•
•
×
BB
B xB , x x s
B ,
r r
B
( )1Samp .R←27
( ) 1
1
Enc Samp
Enc 1
1
0
Samp
1
Proof :
Theorem: .
max : , Samp .
Since ( ) 2
.
May choose to make small.
2 Q
I I
n
I i Ii
I I
I
r n n
r M R
M P n
n n
−
=
≤ ⋅ + ⋅ ⋅
= + × ∈ ←
∈ ⊆ ⇒ ≤ ≤ ⋅
⇒ + × ≤ +
•
•
× ≤ ⋅ + ⋅ ⋅
=
∑
B B
x r s x r
x B x s B
x r s x
s e
r s B B
B
1
1
Samp
1
Samp 1
1
The size of is a security. It needs to be large enough to
make Samp ( ) mod in ICP sufficiently ran
: why n
Samp sample uniformly
dom.
May set and let in
ot ?
).(n
pkJR
n n=
=
• ∩
←
•
t
s
B
e
B1.5
Enc With this setting, 2 2 .r n n≤ +•28
( )sk
Dec Dec
D
c
ec
De
Recall: the decryption equation: mod mod .
We want ( ) ( ).
To have a large , the shape of ( ) is important. We want it to be "fat" (i.e. con
Maximizing
J I
skJ
skJ
r X PPr
rπ ψ←
• ⊆
•
•
B B
BB
B
( )1
taining a large ball). The "fattest" parallelepiped is that associated with basis
, , , containing a ball of radius .
So, we will choose our to be "close" to .
Q: w
n
skJ
t t t t
t
⋅ = ⋅
⋅
•
⋅
•
E e e
B E
( )1hy not simply letting , , ?skJ nt t= ⋅ ⋅B e e
skJB
29
Mult 1 1
1 1
Let 4 ( ). Suppose ( ),
i.e., within distance of . Let be the rotation basis of .
Then, ( ) circumscribes a ball of radi
Theore
us at least 4.
m:
P
skJ
skJ
t n s R t ss t
P t
γ≥ ⋅ ⋅ ∈ ⋅• +
⋅
v ee B v
B
B
( )
( )
11 1
11 1 Mult
We have = , , , with . The difference has length
( ).
For every point on the surface of ( ), we have 1 2
roof: sk iJ n i
j j j
jj j j
skJ
i
xt
t t x s R
P
a
γ
−
−
= ×
= − ⋅
= − ⋅ = − ⋅ × ≤ ⋅
= ± ⋅ +
B v v v vz v e
z v e v e
a B
a v
for some and 1 2.
We will show 4, from which the theorem will follow.
j j jj i
i a
t≠
≤
≥
∑ v
a30
Mult
1 , 1 2.2
1 , , ,2
1 1 , , 2 2
2 , 2 2 ( )
2 4 4, where we have used, , ,
,
i j j jj i
i i i j j ij i
i i j j ij i
j i j
i i i i i i i
j i j
a a
a
t a
t n t n t n s R
t t tt t
t
γ
≠
≠
≠
= ± ⋅ + ≤
⋅ +
⋅ + ⋅ +
− − − ⋅ ⋅
−
= + ⋅ =
≥ ≥
=
≥ ≥ ≥
≥ ≥
+
= + ⋅
∑
∑
∑
a v v
a a e v e v e
z e z e
z e z
v e z e e z e
v e z e , , j i j i=e z e31
1
pksk
By the theorem, we may generate and as follows: Randomly generate a vector within distance of .
Let be the rotation basis of .
Let
Generating and sk pkJ J
skJ
J J
s t ⋅• B B
v eB v
B B
Samp Dec Enc
be the HNF of .
We have to choose , , to ensure that is
sub-exponential.
pk skJ J
s t r r•
B B
32
( )( ) ( )
Mult
3 21 Enc
1
Ring: [ ] ( ) , ( ) 1, .
Ideal: 2 2 . 2 , , 2 . 2 2 .
Plaintext space: (a subset of) ( , , ) : 0, 1 .
An example instantiation of the abstract schemen
nI n
n i
R x f x f x x n
I r n n
x x x
γ= = − ≤
= = = ≤ +
… ∈
•
−
•
•
•
B e e
1
1
Samp : samples uniformly in ( ). Samp( , ): 2 with Samp . Ideal:
n
I
n
J
∩+ ←•
•B π π r r
B
33
An improvement over previous work.
Boneh-Goh-Nissim (2005): quadratic formulas with any number of monomials. plaintext space: log bits for security prameter .
Ge
How good is it?
λ λ
•
•
•
ntry (2009): polynomials of degree log . plaintext space: larger.
Not bootstrappable t e ! y
n
•
34
( )
[ )
sk sk 1 Decryption mod involves adding
vectors. Adding -bit numbers in 0,1 requires a constant fan-in
boolean circuit of depth (log
)
log ) :
Why not bootstrappable?
J J I
nn k
n k
ψ ψ−− ⋅
Ω +
• ( ⋅
•
B BB
3 2
3-for-2: convert 3 numbers to 2 numbers with the same sum; this can be done with a circuit of constant depth, say depth . It takes a circuit of depth log to convert numbers
t
cc n n≈
o 2 numbers with the same sum. It needs depth (log ) to add the final two numbers. The proposed scheme permits circuits of depth (log ).
kO n•
Ω
35
Dec Dec Tweak: Narrow the permitted circuits from ( ) to ( 2).
Purpose: To ensure that the ciphertexts vectors are closer to the lattice than they stri
Tweak 1 to simplify the decryption circuitr r
J
•
•
B B
sk 1
ctly need to be, so that is needed to ensure the correctness of decryption.
Allowing the coefficients of ) to be very close to half-integrs (i.e., v
l
ery close to the sp
ess precision
heJ ψ
ψ
−( ⋅• B
Decre of ( )) would require high precision (large ) to ensure correct rounding.
rk
B
36
sk 1Dec
If is a valid ciphertext after tweak 1, i.e., 2, then each coefficient of ) is within 1 4 of an integer.
With Tweak 1, we can reduce the precision to
L
(log ) bits,
emm
a
:
a
Jr
O n
ψ
ψ ψ−
•
•
< ( ⋅B
( ) ( )Dec Mult Enc
nd cut the the circuit depth of adding numbers to (log loglog ) (log ).
The new maximum deloglog 2 log
pth of permitted circuits is almost the same as the original
lo ,de
g
nn n n
r rγ
Ω
⋅
+ = Ω
−
•
pth, which can be as large as (log ).
Unfortunately, the constant hidden in (log ) is 1, while that in (lo So, still not g ) 1. bootstrappab l e.
O n
nO n
Ω ><
•
37
( )( ) ( )
sk sk 1 sk
sk 1
Tweak: Modify from
) mod mod
for some vector .
Purpose: To reduce the secret key
Decrypt
size
,
(
Tweak 2, optional, more technical, less essential
J J I J I
J
sk
J
ψ ψ ψ
ψ
ψ−
−
− ⋅ ( ⋅ − ×
∈
•
•
⇒B B B v B
v
Dec
as well as public key size in bootstrapping) and per-gate computation in decryption (from matrix-vector mult to ring mult).
To use this tweak, we will need to replace
( ) r ⇒
•
B ( )1.5 2Dec Mult 2 ( )Ir n γ⋅ BB
38
( ) ( )
( )
sk1 sk2
1sk1 sk sk2
sk
sk
Decrypt , :
If Tweak 2 is used, and is some rotation matrix,
otherwise, and .
Split
mod
Decryption complexity of the tweaked scheme
J I
J J
J J J J
sk ψ π ψ ψ
−
← − ×
=
•
=
•
=
v B
B I B
B B B B
sk2
1 1
the computation of decryption into three steps: Step 1: Generate vectors with sum . Step 2: From the vectors , generate vectors
, , , with
integer
su
i J
i
n n
nn
ψ
+
⋅x Bx
y y y
( )sk1
m
Step 3: Compute mod .i
J i Iπ ψ← − ⋅
.∑∑
x
B y B
39
As a somewhat homomorphic scheme, Gentry's scheme provides a large plaintext space,
However, in order to make the scheme bootstrappable, Gentry
mod ( ).
has to limit th
Plaintext space
I IR P=•
•
B B
e plaintext space to 0,1 mod .
mod -circuits. For bootstrapping, the decryption circuit must be composed of mo
evaluates
Ordinary boolean operations
d -gates.
can be esaily emulated
I
I
I
•
•
B
BB
Evaluate
mod operations.with
IB
40
( ) ( )
( )
sk1 sk2
1sk1 sk sk2 s
sk1 sk
k
2 Decrypt , :
If Tweak 2 is used, and is some rotation matrix,
otherwise, and
o
.
m d
Decryption complexity of the tweaked scheme
J J
J J J
J J I
J
sk π ψψ ψ
−
=
=
← − •
=
⋅ ⋅ B B
B I B
B B B
B
B
sk2
1 1
Split the computation of decryption into three steps: Step 1: Generate vectors with . Step 2: From the vectors , generate i vectors
, , ,
ntegeri i J
i
n n
nn
ψ
+
= ⋅
•
∑x x Bx
y y y
( )sk1
with
Step 3: Compute mod .i i
J i Iπ ψ
=
← − ⋅
.∑ ∑∑
y x
B y B
41
Squashing the Decryption Circuit
42
A technique to lower the complexity of the decryption circuit, so as to make the encryption scheme bootstrapable.
Basic idea is to split the decryption algorithm into two phases:
Squashing•
• computationally intensive, secret-key independent,
by the encrypter. computationally lightweight, secret-key dependent, by the decrypter :
Properties: Does not reduce the evalua•
tion capacity (i.e., the set of permitted circuits remains the same), but may potentially weakens security.
43
: the original encryption scheme. : to be constructed from usin
SplitKg two algorithms,
and .
KeyGen( ): ( , ) Ke
ey Expand
y
C
Gen ( )
T
Squashing: generic version
pk skλ λ
εε ε
∗
∗
∗ ∗ ∗
•
•
←•
( , ) SplitKey( , ) where is the (new) secret key and : ( , ).
Encrypt( , ) : Encrypt ( , ) ExpandCT( , ) //heavy use of
pk sk pk sksk pk pk
pk pkx pk
π ψ
ψ
τ
π
τ
∗ ∗
∗
∗ ∗ ∗
∗
=
•
←
←
←
// ( , )xψ ψ ∗←
44
1 2 1 2 1 2
Decrypt( , ) : decrypts making use of and .
It is desired that Decrypt( , ) works whenever Decrypt ( , ) does.
Add( , , ) : ( , ) extracted from ( , )
sk sk x
sksk
pk
ψ ψ
ψ
ψ
ψ ψ ψ ψ ψ ψ
∗ ∗
∗ ∗ ∗
∗ ∗ ←
•
•
1 2
1 2
Add ( , , )
ExpandCT( , ) ( , )
Mult( , , ) : similar.
pkx pk
x
pk
ψ ψ ψ
ψ
ψ ψ
ψ ψ
∗ ∗ ∗ ∗ ∗
∗
∗
←
←
←
•
45
1
Let be the encryption scheme with Tweak 2. Let be
the secret key, which is an element of the fractional ideal . Recall the decryption equation:
Squash: concrete schemeskJ
Jε ∗∗
−
• v
1
Let mod , . //uniformly generate a set of //
Let be a sparse subset s.t. mod
SplitKey( , ) :
: mod
: . : ( ,
i S
i U
i u I
skJ I
skJ
i
i I
i
J i U
S U
pk sk
pk pk
π ψ ψ
τ
∗
∗
∈
∗ ∗
−
∗ ∗
∗∈
= − ×
∈ ∈•
•
•
⊂ =
= =
∑
t B t
t
t
v B
v B
). : (encoding of ).sk S Sτ = 46
( )
ExpandCT( , ) : //recall ( , )// Compute : mod for .
The expanded ciphertext is : , .
Decrypt( , ) :
Recall
: mod
i i
i i I
IskJ
U
pk pk pki U
pk
ψ τ
ψ
ψ ψ
ψ
π ψ ψ∗
∗ ∗
∗
∗
∗
∈
∗
=
= × ∈
=
× = −
•
•
c B
B
c
v
t
Recall mod .
Thus, mod .
Thus, : mod .
i Ii S
i i
ii S
Ii S i S
I
skJ
skJ ψψ
π ψ
∗
∗
∈
∗
∈ ∈
∈
∗
≡
≡ × ≡
= −
×
∑
∑
∑ ∑
t B
t B
v
v c
Bc
47
Top Related