An intro to lattices and learning with errors

Transcription

1 A way to keep your secrets secret in a post-quantum world

2 Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys on his personal website regev/ (as of Sept 29, 2012)

3 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n $ p, a i Z n p, b i Z p, and error χ : Z p R + on Z p.

4 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n p, a i $ Z n p, b i Z p, and error χ : Z p R + on Z p. Goal: Recover s.

5 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n p, a i $ Z n p, b i Z p, and error χ : Z p R + on Z p. Goal: Recover s. 2. Why we care: Believed hard for quantum algorithms Average-case = worst-case Many crypto applications!

6 Talk Overview. Up next: Intro to lattices 1. Intro to lattices 1.1 What s a lattice? 1.2 Hard lattice problems 2. Gaussians and lattices 3. From lattices to learning 4. From learning to crypto

7 What s a lattice? A lattice is a discrete additive subgroup of R n

8 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure

9 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure Given n linearly independent vectors v 1,..., v n R n, the lattice they generate is the set of vectors { n } L(v 1,..., v n ) def = α i v i αi Z. i=1

10 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure Given n linearly independent vectors v 1,..., v n R n, the lattice they generate is the set of vectors { n } L(v 1,..., v n ) def = α i v i αi Z. The basis B = ( v 1 v 2 i=1 ) v n generates the lattice L(B).

11 More on lattice bases

12 More on lattice bases The gray-shaded region is the fundamental parallelepiped, given by P(B) = {Bx x [0, 1) n }.

13 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 ))

14 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b)

15 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U

16 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U A matrix U is unimodular if it is integral and det(u) = ±1.

17 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U A matrix U is unimodular if it is integral and det(u) = ±1. Moral of the story: All lattices have countably infinitely many bases, and given some fixed lattice, all of its possible bases are related by volume-preserving transformations.

18 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I.

19 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I. Equivalently, the dual of a lattice L R n is given by } L = {y R n x, y Z, for all x L.

20 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I. Equivalently, the dual of a lattice L R n is given by } L = {y R n x, y Z, for all x L. Fact. For any L = L(B), L = L(B ), vol(p(b)) = 1 vol(p(b )).

21 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L

22 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d

23 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d 2. CVP L,d Input: n-dimensional (dual) lattice L and a point x R n within distance d of L Output: the closest vector in L to x

24 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d 2. CVP L,d Input: n-dimensional (dual) lattice L and a point x R n within distance d of L Output: the closest vector in L to x 3. Other common lattice problems: Shortest Independent Vectors Problem (SIVP), Covering Radius Problem (CRP), Bounded Distance Decoding (BDD), Discrete Gaussian Sampling Problem (DGS), Generalized Independent Vectors Problem (GIVP)

25 Complexity of (Gap)SVP and (Gap)CVP (and SIVP) Moral of the story: We can get Õ(2 n )-approximate solutions in polynomial time. Constant-factor approximations are NP-hard. The best algorithms for anything in between require Ω(2 n ) time.

26 Talk Overview. Up next: Gaussians and lattices 1. Intro to lattices 2. Gaussians and lattices 2.1 Uniformly sampling space 2.2 D L,r : The discrete Gaussian of width r on a lattice L 3. From lattices to learning 4. From learning to crypto

27 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z?

28 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z? Answer: You can t!

29 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z? Answer: You can t! The lattice answer : Sample uniformly from Z p ; view Z as being partitioned by copies of Z p

30 Uniformly sampling space Question: How do you uniformly sample from R n?

31 Uniformly sampling space Question: How do you uniformly sample from R n? Answer: You can t!

32 Uniformly sampling space Question: How do you uniformly sample from R n? Answer: You can t! The lattice answer : Sample uniformly from the fundamental parallelepiped of a lattice.

33 Lattices with Gaussian noise A related question: What does a lattice look like when you smudge the lattice points with Gaussian-distributed noise?

34 Lattices with Gaussian noise A related question: What does a lattice look like when you smudge the lattice points with Gaussian-distributed noise? Answer: R n Left-to-right: PDFs of Gaussians centered at lattice points with increasing standard deviation

35 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r

36 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r Define the smoothing parameter, η ɛ (L), as the least width s.t. D L,r is at most ɛ-far from the continuous Gaussian (over L).

37 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r Define the smoothing parameter, η ɛ (L), as the least width s.t. D L,r is at most ɛ-far from the continuous Gaussian (over L). Important fact. η negl(n) (L) = ω( log n) Θ( n)

38 Talk Overview. Up next: From lattices to learning 1. Intro to lattices 2. Gaussians and lattices 3. From lattices to learning 3.1 Reduction sketch: GapSVP to LWE 4. From learning to crypto

39 Reduction from GapSVP to LWE Overview Reduction sketch 1. Our goal: Prove LWE is hard 2. Reduction outline 2.1 Why quantum? 3. Classical step: D L,r + LWE oracle CVP L,αp/r oracle 4. Quantum step: CVP L,αp/r oracle D L,r n/(αp) 4.1 Note: (η ɛ (L) ) αp > 2 n D L,r n/(αp) D L,<r/2 5. Conclude: Either LWE is hard, or the complexity landscape turns into a war zone 5.1 War zone: At least 4 or 5 good complexity classes had to give their lives to ensure stability that sort of thing.

40 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist.

41 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist. Let r i denote r (αp/ n) i for i = 3n, 3n 1,..., 1 and r O(n/α). (Imagine α 1/n 1.5, so r n 1.5 n.) Using LLL, generate B, and using B, draw n c samples from D L,r3n.

42 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist. Let r i denote r (αp/ n) i for i = 3n, 3n 1,..., 1 and r O(n/α). (Imagine α 1/n 1.5, so r n 1.5 n.) Using LLL, generate B, and using B, draw n c samples from D L,r3n. For i = 3n,...1, Call IterativeStep n c times, using the n c samples from D L,ri to produce 1 sample from D L,ri 1 each time. Output a sample from D L,r0 = D L,r.

43 The iterative step Two steps: (1) classical, (2) quantum

44 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O?

45 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O.

46 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O. But then O(x) = y!

47 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O. But then O(x) = y! But quantumly, knowing how to compute y given only y + z is useful it allows us to uncompute a register containing y.

48 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Let D be a probability distribution on a lattice L. Consider the Fourier transform f : R n C, given by f (x) def = y L D(y)exp(2πi x, y ) = E y D [exp(2πi x, y )]

49 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Let D be a probability distribution on a lattice L. Consider the Fourier transform f : R n C, given by f (x) def = y L D(y)exp(2πi x, y ) = E y D [exp(2πi x, y )] Using Hoeffding s inequality, if y 1,..., y N are N = poly(n) independent samples from D, then w.h.p. f (x) 1 N N exp(2πi x, y j ) j=1

50 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Applying this idea to D L,r, we get a good approximation of its Fourier transform, denoted f 1/r. Note f 1/r is L -periodic.

51 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Applying this idea to D L,r, we get a good approximation of its Fourier transform, denoted f 1/r. Note f 1/r is L -periodic. It can be shown that 1/r λ 1 (L ), so we have f 1/r (x) exp( π(r dist(l, x)) 2 )

52 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point).

53 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point). The problem: This procedure only gives a method to solve CVP L,1/r. (Beyond that distance, the value of f 1/r becomes negligible.) Plugging this into our iterative step means we go from D L,r to D L,r n, which is the wrong direction!

54 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point). The problem: This procedure only gives a method to solve CVP L,1/r. (Beyond that distance, the value of f 1/r becomes negligible.) Plugging this into our iterative step means we go from D L,r to D L,r n, which is the wrong direction! Goal: We need a FATTER Fourier transform!

55 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p.

56 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p. That is, the lattice L/p consists of p n translates of L. Label these p n translates by vectors from Z n p.

57 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p. That is, the lattice L/p consists of p n translates of L. Label these p n translates by vectors from Z n p. It can be shown that r/p > η ɛ (L), which implies D L/p,r/p is uniform over the set of L + La/p, for a Z n p For any choice of a Z n p, L + La/p (modulo the parallelepiped) corresponds to a choice of translate

58 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?)

59 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r.

60 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r. Also, we know that D is equivalently obtained by: 1. First, a $ Z n p ( Ahh! Much nicer. :)) 2. Then, y D L+La/p,r/p

61 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r. Also, we know that D is equivalently obtained by: 1. First, a $ Z n p ( Ahh! Much nicer. :)) 2. Then, y D L+La/p,r/p The width of the discrete Gaussian samples y is tighter now!..

62 Classical step: D L,r + LWE oracle CVP L,αp/r oracle How about the Fourier transform of D? It s wider now! But...

63 Classical step: D L,r + LWE oracle CVP L,αp/r oracle How about the Fourier transform of D? It s wider now! But... The problem: Each hill of f p/r now has its own phase. Do we climb up or down? Two examples of the Fourier transform of D L+La/p,r/p with a=(0,0) (left) and a=(1,1) (right).

64 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #1: For x L, each sample (a, y) D gives a linear equation a, τ(x) = p x, y mod p for a $ Z n p. After about n equations, we can use Gaussian elimination to recover τ(x) Z n p. What if x L?

65 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #2: For x close to L, each sample (a, y) D gives a linear equation with error a, τ(x) p x, y mod p for a $ Z n p. After poly(n) equations, we use the LWE oracle to recover τ(x) Z n p. (NOTE: error = τ(x) 2 )

66 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #2: For x close to L, each sample (a, y) D gives a linear equation with error a, τ(x) p x, y mod p for a $ Z n p. After poly(n) equations, we use the LWE oracle to recover τ(x) Z n p. (NOTE: error = τ(x) 2 ) This lets us compute the phase exp(2πi a, τ(x) /p), and hence recover the closest dual lattice vector to x. Classical step DONE.

67 Quantum step: CVP L,αp/r oracle D L,r n/(αp) Observe: CVP L,αp/r D L,r n/(αp) = CVP L, n/r D L,r

68 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r.

69 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so.

70 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x.

71 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x. 2. On a separate register, create a Gaussian state of width 1/r: z R n exp( π rz 2 ) z.

72 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x. 2. On a separate register, create a Gaussian state of width 1/r: z R n exp( π rz 2 ) z. 3. The combined system state is written: x L,z R n exp( π rz 2 ) x, z.

73 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible.

74 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z.

75 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z. 2. Since we have a CVP L, n/r oracle we can compute x from x + z. Therefore, we can uncompute the first register: exp( π rz 2 ) x + z f 1/r (z) z. x L,z R n z R n

76 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z. 2. Since we have a CVP L, n/r oracle we can compute x from x + z. Therefore, we can uncompute the first register: exp( π rz 2 ) x + z f 1/r (z) z. x L,z R n z R n 3. Finally, apply the quantum Fourier transform to obtain D L,r (y) y, y L and measure it to obtain a sample from D L,r.

77 Talk Overview. Up next: From learning to crypto 1. Intro to lattices 2. Gaussians and lattices 3. From lattices to learning 4. From learning to crypto 4.1 Regev s PKE scheme from LWE

78 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q.

79 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q. (DLWE n,q,χ ). An adversary gets oracle access to either A s,χ or U(Z n q Z q ) and aims to distinguish (with non-negligible advantage) which is the case.

80 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q. (DLWE n,q,χ ). An adversary gets oracle access to either A s,χ or U(Z n q Z q ) and aims to distinguish (with non-negligible advantage) which is the case. Theorem. Let B ω(log n) n. There exists an efficiently sampleable distribution χ with χ < B (meaning, χ is supported only on [ B, B]) s.t. if an efficient algorithm solves the average-case DLWE n,q,χ problem, then there is an efficient quantum algorithm that solves GapSVPÕ(n q/b) on any n-dimensional lattice.

81 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s.

82 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define Output pk = P. P def = [b A] Z N (n+1) q.

83 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define P def = [b A] Z N (n+1) q. Output pk = P. 3. Enc pk (m): To encrypt a message m {0, 1} using pk = P, sample r {0, 1} N and output the ciphertext q c = P T r + m mod q Z n+1 q, 2 where m def = (m, 0,..., 0) {0, 1} n+1.

84 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define P def = [b A] Z N (n+1) q. Output pk = P. 3. Enc pk (m): To encrypt a message m {0, 1} using pk = P, sample r {0, 1} N and output the ciphertext q c = P T r + m mod q Z n+1 q, 2 where m def = (m, 0,..., 0) {0, 1} n Dec sk (c): To decrypt c Z n+1 q using secret key sk = s, compute 2 m = ( c, (1, s) mod q) mod 2. q

85 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q).

86 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q). q Proof. c, (1, s) = P T r + m, (1, s) (mod q) 2 q = m + r T P (1, s) (mod q) 2 q = m + r T b r T As (mod q) 2 q = m + r, e (mod q), 2 and r, e r 1 e = N B.

87 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q). q Proof. c, (1, s) = P T r + m, (1, s) (mod q) 2 q = m + r T P (1, s) (mod q) 2 q = m + r T b r T As (mod q) 2 q = m + r, e (mod q), 2 and r, e r 1 e = N B. Decryption noise. We re good to go as long as noise q/2 /2!

88 Regev s PKE scheme: Security Let n, q, χ be chosen so that DLWE n,q,χ holds. Then for any m {0, 1}, the joint distribution ( (P, c) is computationally Z N (n+1) q Z n+1 q indistinguishable from U from Regev s PKE scheme. ), where P and c come

89 That s all. :)