Background: Lattices and the Learning-with-Errors problem

Similar documents
Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Classical hardness of the Learning with Errors problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Classical hardness of Learning with Errors

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

An intro to lattices and learning with errors

Ideal Lattices and NTRU

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Notes for Lecture 15

Lattice Cryptography

9 Knapsack Cryptography

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Lattice Cryptography

Cryptology. Scribe: Fabrice Mouhartem M2IF

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

On error distributions in ring-based LWE

Notes for Lecture 16

Proving Hardness of LWE

Dwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP

Classical hardness of Learning with Errors

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Gentry s SWHE Scheme

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Weaknesses in Ring-LWE

Fully Homomorphic Encryption and Bootstrapping

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Lattice-Based Cryptography

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

Dimension-Preserving Reductions Between Lattice Problems

6.892 Computing on Encrypted Data September 16, Lecture 2

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018

Hard Instances of Lattice Problems

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Hardness and advantages of Module-SIS and Module-LWE

Post-Quantum Cryptography

Shai Halevi IBM August 2013

Diophantine equations via weighted LLL algorithm

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

CS Topics in Cryptography January 28, Lecture 5

Solving All Lattice Problems in Deterministic Single Exponential Time

Lecture Notes. Advanced Discrete Structures COT S

Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields

Solving LWE problem with bounded errors in polynomial time

On the Ring-LWE and Polynomial-LWE problems

Advanced Topics in Cryptography

COS 598D - Lattices. scribe: Srdjan Krstic

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

A New Trapdoor in Modular Knapsack Public-Key Cryptosystem

Oded Regev Courant Institute, NYU

Open problems in lattice-based cryptography

Computational complexity of lattice problems and cyclic lattices

Lattice Basis Reduction and the LLL Algorithm

Solving LWE with BKW

On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Noise Distributions in Homomorphic Ring-LWE

Parameter selection in Ring-LWE-based cryptography

Key Recovery for LWE in Polynomial Time

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

Notes on Alekhnovich s cryptosystems

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Lattice Basis Reduction Part 1: Concepts

On Homomorphic Encryption and Secure Computation

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Efficient Lattice (H)IBE in the Standard Model

Part 2 LWE-based cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

A Digital Signature Scheme based on CVP

1 Shortest Vector Problem

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

A Framework to Select Parameters for Lattice-Based Cryptography

On the power of non-adaptive quantum chosen-ciphertext attacks

A new security notion for asymmetric encryption Draft #8

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

CPSC 467b: Cryptography and Computer Security

1 Public-key encryption

Cryptanalysis via Lattice Techniques

Increased efficiency and functionality through lattice-based cryptography

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Computational and Statistical Learning Theory

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Introduction to Cryptography. Lecture 8

Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR

How to Encrypt with the LPN Problem

COMP4109 : Applied Cryptography

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

The Dual Lattice, Integer Linear Systems and Hermite Normal Form

A new security notion for asymmetric encryption Draft #10

A new security notion for asymmetric encryption Draft #12

An Efficient Lattice-based Secret Sharing Construction

FULLY HOMOMORPHIC ENCRYPTION

Looking back at lattice-based cryptanalysis

Transcription:

Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014

Starting Point: Linear Equations Easy to solve a linear system of equations A s = b (mod q) Given A, b, find s Solved using Gaussian elimination, Cramer rule, etc. [Regev 2005] Hard if we add a little noise A s + e = b (mod q) e is a noise vector, e q Given A, b, find s and/or e

Learning with Errors (LWE) [R 05] Parameters: q (modulus), n (dimension), m>n (# of samples) Secret: uniformly random vector s Z q n Input: random matrix A Z q m n, vector b Z q m Computed as e chosen from some distribution s.t. e q whp b is close to the columns space of A Goal: discover s b = A s + e (mod q)

Learning with Errors (LWE) [R 05] 1. Is it really hard to solve LWE? How hard? For what range of parameters? 2. Is it useful? Can we design cryptosystems with security based on the hardness of LWE We ll do #2 first, then #1

Using LWE in Cryptography

The Decision-LWE Problem A more useful variant of LWE: Same parameters q, n, m A Input: same and A is still a uniform random matrix in Zm n q Either b = A s + e (mod q), or b is uniform in Z q m n Goal: distinguish A s + e from uniform I.e., given A,b, decide if b is unusually close to the column space of A b

Search vs. Decision LWE Clearly, if we can solve the search problem then we can also solve the decision problem Try to solve the search problem on A,b If successful then b is close to the column space of A, otherwise b is random More interesting: If we can solve decision, then we can also solve the search problem But the complexity grows by a factor of q n So this reduction only works for small (polynomial) q

Reducing Search to Decision LWE Assume that we have a distinguisher D that can tell if b = As + e (mod q) or b is random Say for now that D succeeds with probability close to 1 We construct a solver S that finds s For every index i {1.. n} and every value v Z q, S will use D to determine if s i = v

Reducing Search to Decision LWE Given A and b = As + e, test if s i = v: Choose r = (r 1, r 2,, r m ) Z q m uniformly at random Add r to the i th column of A, this gives a matrix A A is uniformly random because A is A = A + 0.. r 1.. 0 0.. r 2.. 0 0.. r m.. 0 Note that A s = As + s i r

Reducing Search to Decision LWE Given A and b = As + e, test if s i = v: Choose r = (r 1, r 2,, r m ) Z q m uniformly at random Add r to the i th column of A, this gives a matrix A A is uniformly random because A is Add v r to b, this gives the vector b b = b + v r 1 r 2 r m

Reducing Search to Decision LWE Given A and b = As + e, test if s i = v: Choose r = (r 1, r 2,, r m ) Z q m uniformly at random Add r to the i th column of A, this gives a matrix A A is uniformly random because A is Add v r to b, this gives the vector b b = b + v r = As + e + v r = A s s i r + e + v r = A s + e + v s i r

Reducing Search to Decision LWE Given A and b = As + e, test if s i = v: Choose random r, compute A, b Such that b = A s + e + v s i If s i = v then we get b = A s + e Otherwise b is uniform (because r is uniform) Use the distinguisher D(A, b ) to tell which case it is This will tell us if s i = v r

Reducing Search to Decision LWE The reduction assumes that D is always right Can be extended to distinguisher D with polynomially small advantage The reduction works in time linear in n q Can be refined to work in time n p i The p i s are the prime factors of q So the reduction can be efficient even for large q, as long as it is smooth

A Useful Variant of LWE Instead of choosing the secret s uniformly, choose it from the same distribution as e So s is small Theorem [ACPS 09]: Uniform-secret LWE is equivalent to small-secret LWE Solving one solving the other

Uniform- vs. Small-secret LWE Easy direction: If we can solve uniform-secret LWE then we can solve small-secret LWE We are given A and b = As + e s is a small secret Choose a uniform random r Set b = Ar + b = A r + s + e (mod q) s = r + s is uniform (because r is uniform) A, b = As + e is instance of uniform-secret LWE Solving it, we get s and can compute s = s r

Uniform- vs. Small-secret LWE Hard direction: If we can solve small-secret LWE then we can solve uniform-secret LWE But the parameter m changes For solving m n uniform-secret LWE, we would need to solve m n small-secret LWE with m = m n We are given A and b = As + e s is a uniform secret Find n linearly-independent rows of A Such rows exist with high probability Assume that these are the first n rows

Uniform- vs. Small-secret LWE m n A = n A 1 A 2 n m Set A = A 2 A 1 1 and b = b 2 + A b 1 b = A 2 s + e 2 + A A 1 s + e 1 = A 2 s + A A 1 s + A e 1 + e 2 = A e 1 + e 2 Because A A 1 = A 2 A 1 1 A 1 = A 2 So (A, b = A e 1 + e 2 ) is instance of short-secret LWE The secret is e 1, drawn from the error distribution Solving it we get e 1 Then compute s = A 1 1 (b 1 e 1 ) b = b 1 b 2 = A 1 s + e 1 = A 2 s + e 2

Regev s Cryptosystem [R 05] Secret key: vector s Public key: Matrix A, vector b = A s + e Denote A = (b A ) If decision-lwe is hard then A is pseudorandom Denote s = 1, s, then As = b A s = e Encrypt A σ {0,1} Choose a random small vector r 0,1 m Output the ciphertext c = ra + q σ, 0,, 0 2 Decrypt s (c) Compute the inner product y = c, s (mod q) Output 0 if y < q/4, else output 1 σ Z q n

Regev s Cryptosystem [R 05] Correctness: y = c, s = ra + q σ, s = 2 ras + q σ0 0, 1, s = r, e + q σ 2 2 r, e < q (since r is 0-1 vector and e 4 < q ) 4 If σ = 0 then y < q 4, if σ = 1 then y > q 4 Security: Recall that A is pseudo-random We show that if A was random then c was statistically close to uniform, regardless of σ

Regev s Cryptosystem [R 05] The Leftover Hash Lemma [HILL 99] implies the following corollary: If m > 3n log q then the two distributions < A, ra : A U Z q m n, r U 0,1 m > < A, u A U Z q m n, u U Z q n > are statistically close (upto q Ω(m) ) For a random A, ra is close to uniform Even conditioned on A And therefore so is ra + q 2 σ If A is pseudorandom, so is ra + q 2 σ

A Useful Variant of the Cryptosystem Encrypt: c = 2rA + σ instead of c = ra + q σ from before 2 Plaintext encoded in the LSB rather than MSB Decrypt: y = c, s (mod q), then σ = y mod 2 y = 2 r, e + σ (mod q) 2 r, e < q/2, so no mod-q reduction y mod 2 = σ

The Hardness of LWE

Lattices and Hard Problems 0 A lattice is just an additive subgroup of R n.

Lattices v 2 v 2 v 1 0 v 1 Lattice of rank n = set of all integer linear combinations of n linearly independent basis vectors.

Lattices A Lattice has infinitely many bases They are related by unimodular matrices, B = BU U is an integer matrix with det U = ±1 All bases have the same determinant (upto sign) This quantity is the determinant of the lattice Given any set of vectors that span the lattice, can compute a canonical basis Hermite normal form (HNF)

Lattices A good basis has all small vectors close to orthogonal to each other Typically the HNF is a bad basis Minkowsky s theorems: A rank-n lattice with determinant d has A non-zero vector of length v n d 1/n n n linearly independent v i s s.t. v i n n/2 d i=1 Also a basis of vectors of similar sizes Lattice reduction: Given a bad basis, find a good one for the same lattice

Lattices and Hard Problems v 2 v 2 v 1 0 v 1 Given some basis of L, may be hard to find good basis of L. Hard to solve the (approx) shortest/closest vector problems.

Hard Problems Given a basis B for a lattice L(B): Shortest-Vector Problem (SVP) Find the shortest nonzero vector in L(B) Or maybe just compute the size of such vector (λ 1 L ) Shortest Independent-Set Problem (SIVP) Find n linearly independent v 1,, v n minimize max Or maybe just the quantity λ n L Also approximation versions n = max i=1 v i Find v such that v γ shortest Find v i s such that max v i γ smallest-possible i i v i

Hard Problems: What s Known? The [LLL 82] algorithm and its variants can approximate SVP upto γ = 2 O(n) NP-hard to approx. SVP upto γ = 2 log1 ε n γ = ω(1) but γ < n ε for any ε Roughly: approximate upto 2 n/k takes time 2 O(k) Practically we can perhaps approximate SVP upto γ = 2 n/100 but not upto γ = 2 n/200 At least for moderate n s (say n < 500) Similar for SIVP

LWE and Lattices Consider the matrix A = a 1 a n The column space mod-q is a rank-m lattice, spanned by the columns of B = q 0 0 A discrete additive subgroup of R m a 0 q 0 1 a n Can compute its HNF basis b = As + e (mod q) is close to this lattice v = b e is in the lattice, at distance e from b We have a bound β q on e whp (say β = If we find v, we can solve for s 0 0 q) q

Bounded Distance Decoding (BDD) Input: a basis B, another point x, a bound β Goal: find v L(B) such that x v β Solving BDD Solving LWE Thm [Babai 86,GPV 08]: Solving SIVP Solving BDD Given a basis for L with max v i = α, i can solve BDD upto distance β α poly(n)

LWE and Lattices Thm [Reg 05, Pei 09]: Solving LWE Solving SIVP, SVP LWE-solver with error-bound β < q/o( n) implies quantum approximation of SIVP upto a factor poly(n) Or a classical algorithm for approximating λ 1 L upto a factor poly(n)

Summary Learning with Errors: b = As + e This is a hard problem For some parameters, can be shown to be as hard as some well-known lattice problems Even for other settings, we don t know how to solve it Only known attacks use lattice reduction These only work when q/ e = exp (n) LWE is useful for cryptography For example for public-key encryption Decryption formula s, c mod q mod 2

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback