Columbia University, Computer Science
Spring 2013, COMS E6261

Homomorphic Encryption and Lattices

Tuesdays 2:10-4:00pm, Mudd 1024
Instructor: Shai Halevi, co-instructor: Tal Malkin, TA: Fernando Krell
Office hours: Tal on Thursdays 2-4pm, Shai & Fernando by request

This class will cover results in cryptography, mostly from the last few years, related to homomorphic encryption schemes and other lattice-based cryptosystems. The format will mostly be regular lectures, but some lectures may also be given by students (if there is interest).

Schedule

January 22	Introduction to Lattices. Lecture notes from Oded Regev's course in Tel-Aviv.
Januray 29	The Hermite normal form. Material contained in notes of lecture 4 and lecture 5 from Gennady Shmonin's course in EPFL.
February 5	The LLL algorithm, lecture notes from Oded Regev's course.
February 12	Ajtai's worst-case/average-case connection. The Small Integer Solution problem (SIS), Relation to worst-case SVP, SIVP, SIS-based collision-resistant hashing. Lecture notes from Oded Regev's course.
February 19	• Discrete Gaussians, Smoothing Parameter, Lecture notes from Oded Regev's course • Leftover Hash Lemma, Lecture notes from Ronitt Rubinfeld's course in MIT.
February 26 Class notes	The Learning with Errors problem (LWE), random-self reducability, search-to-decision reduction, the Regev'05 cryptosystem.
March 12 Class notes	The Gentry-Peikert-Vaikuntanathan SIS-based signatures [GPV08]
March 26 Class notes	The lattice trapdoor construction of Micciancio-Peikert [MP12]
April 2	Yao garbled circuits. See the Lindel-Pinkas exposition and proof [LP09].
April 9 Class notes	The Gorbunov-Vaikuntanathan-Wee LWE-based Delegation & Attribute-Based Ecnryption Scheme [GVW13]
April 12 Class notes	• Continue with [GVW13] Attribute-Based Ecnryption • LWE-based homomorphic encryption
April 16 Class notes	Continue LWE-based homomorphic encryption [BV11, BGV12, B12]
April 23 Class notes	Ideal Lattices, The NTRU cryptosystem, [SS11]
April 30	• Continue with the NTRU cryptosystem, [LTV12] • Multilinear maps from ideal lattices [GGH13] (slides)

Homework

Problem-set #1, due Feb 5.
Problem-set #2, due Feb 19.
Problem-set #3, due Mar 12.
Problem-set #4, due Mar 26.
Problem-set #5, due Apr 23.
Problem-set #6, due May 7.

Handouts

March 12: Sketch of the LWE average-case to worst-case reducion
March 12: The "easy lattce" from the Micciancio-Peikert trapdoor construction

PRE-REQUISITES:

The main pre-requisite is general familiarity with modern theory of cryptography, such as obtained by taking the class 4261 introduction to cryptography.

For example, students are assumed to be familiar with the notion of semantic-security of encryption schemes (CPA-security), know about standard hardness assumptions (e.g., factoring), and be comfortable with reduction-based proofs of security. We also assume good command of linear algebra (e.g., matrices and their rank, the determinant, Gaussian elimination, Gram-Schmidt orthogonalization, etc.) To the extent that we need more advanced algebra, we will cover it in class.

GRADING:

Grade will be based on a combination of class participation, homework, scribe notes, and maybe also a project or presentation of a paper.

Scribe notes: We will need scribes for each lecture, the scribe notes should be a cleaned-up summary of the lecture (possibly with some additional details that were omitted in class).

Project: In the second half of the class we may assign small projects instead of regular problem-sets, for example reading a recent paper and summarizing it in a report.

Paper Presentation: We may have a few of the lectures given by students, on recent papers related to the general topic of the class. (No more than 3-4 of the classes.) Students who want to present a paper in class should contact the lecturer.

SYLLABUS:

Below is a very tentative course plan. There are likely to be changes to this plan as the semester goes on, especially toward the end.

Weeks 1-2. Introduction and course plan. Lattice basics: definitions, bases, duality, etc. Hard problems in lattices (Gap-)SVP, SIVP, BDD, etc. Basic lattice algorithms: Hermite-normal-form, the LLL algorithm and approximation of SVP/SIVP/BDD.
Weeks 3-4. Lattice-based crypto, part 1: The Short-Integer-Solution problem (SIS), using it to get collision-resistant hashing, Ajtai/Micciancio-Regev reduction of SIVP-approximation to SIS. The Micciancio-Peikert trapdoor construction (EUROCRYPT 2012).
Weeks 5-7. Lattice-based crypto, part 2: The Learning-With-Errors problem (LWE, Regev 2005), Regev's LWE-based encryption scheme. Peikert's reduction of Gap-SVP to LWE (STOC 2009). Maybe GPV signatures and the dual Regev cryptosystem (Gentry-Peikert-Vaikuntanathan STOC 2008).
Week 8. A short detour: Secure computation and Yao garbled circuits.
Week 9. More LWE-based crypto: Attribute-based encryption, functional encryption, reusable garbled circuits (the new works of Gorbunov et al. and Goldwasser et al.)
Week 10. LWE-based homomorphic encryption: Based on (Gentry STOC 2009), (Brakerski-Vaikuntanathan FOCS 2011), (Brakerski-Gentry-Vaikuntanathan ITCS 2012), (Brakerski CRYPTO 2012).
Weeks 11-12. Ideal lattices: Introduction, definitions, properties. Micciancio's reduction of Ideal-SIVP to Ideal-SIS (FOCS 2002), maybe hashing from ideal-SIS (Peikert-Rosen TCC 2006, Lyubashevsky-Micciancio ICALP 2006), maybe Ideal-LWE (Lyubashevsky-Peikert-Regev EUROCRYPT 2010). Maybe some ideal-lattice cryptanalysis
Week 13. Homomorphic encryption from ideal lattices: efficiency with packed ciphertexts (Smart-Vercauteren 2011), (Gentry-Halevi-Smart EUROCRYPT/CRYPTO 2012), NTRU-based (multi-key) homomorphic encryption (López-Alt, Tromer, Vaikuntanathan STOC 2012).
Week 14. Multi-linear maps from ideal lattices (Garg-Gentry-Halevi 2012), and applications for attribute-based encryption and similar (Garg-Gentry-Halevi 2012, Sahai-Waters 2012).

Columbia University, Computer ScienceSpring 2013, COMS E6261