CS Topics in Cryptography January 28, Lecture 5

Similar documents
Solving LWE with BKW

Cryptology. Scribe: Fabrice Mouhartem M2IF

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Dimension-Preserving Reductions Between Lattice Problems

Classical hardness of Learning with Errors

Ideal Lattices and NTRU

16 Fully homomorphic encryption : Construction

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Background: Lattices and the Learning-with-Errors problem

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

6.892 Computing on Encrypted Data October 28, Lecture 7

An Efficient Lattice-based Secret Sharing Construction

Leakage of Signal function with reused keys in RLWE key exchange

Density of Ideal Lattices

Practical Fully Homomorphic Encryption without Noise Reduction

Some security bounds for the DGHV scheme

Quantum-resistant cryptography

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

Lecture 6: Lattice Trapdoor Constructions

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Classical hardness of the Learning with Errors problem

Weaknesses in Ring-LWE

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Classical hardness of Learning with Errors

Multi-key fully homomorphic encryption report

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Weak Instances of PLWE

Solving the Shortest Lattice Vector Problem in Time n

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Lossy Trapdoor Functions and Their Applications

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Notes for Lecture 16

Open problems in lattice-based cryptography

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Parameter selection in Ring-LWE-based cryptography

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Proving Hardness of LWE

Fully Homomorphic Encryption - Part II

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

SIS-based Signatures

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Fuzzy Identity Based Encryption from Lattices

Classical Homomorphic Encryption for Quantum Circuits

Lattice-based Cryptography

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Notes 10: Public-key cryptography

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Better Bootstrapping in Fully Homomorphic Encryption

How many rounds can Random Selection handle?

Lattice Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lattice-Based Non-Interactive Arugment Systems

Error Detection and Correction: Hamming Code; Reed-Muller Code

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol

Implementing Ring-LWE cryptosystems

Improved Generalized Birthday Attack

Post-quantum verifiable random functions from ring signatures

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Solving LWE problem with bounded errors in polynomial time

ADVERTISING AGGREGATIONARCHITECTURE

On error distributions in ring-based LWE

Lecture 3: Error Correcting Codes

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lattice-based Multi-signature with Linear Homomorphism

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

Shai Halevi IBM August 2013

Oded Regev Courant Institute, NYU

Fully Homomorphic Encryption from LWE

Chosen ciphertext attacks on lattice-based public key encryption and modern (non-quantum) cryptography in a quantum environment

Cryptanalysis of a Homomorphic Encryption Scheme

1 Shortest Vector Problem

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Locally Dense Codes. Daniele Micciancio. August 26, 2013

Hardness and advantages of Module-SIS and Module-LWE

How to Encrypt with the LPN Problem

conp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.

Field Switching in BGV-Style Homomorphic Encryption

Lattice Based Crypto: Answering Questions You Don't Understand

Cryptanalysis of GGH15 Multilinear Maps

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Lattice-Based Cryptography

Increased efficiency and functionality through lattice-based cryptography

Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers

Hardness of the Covering Radius Problem on Lattices

A simple lattice based PKE scheme

A Generic Attack on Lattice-based Schemes using Decryption Errors

Solving LPN Using Covering Codes

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture 11: Key Agreement

Transcription:

CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems that are conjectured to be computationally hard to solve as well as structurally well-suited for cryptographic constructions to be based on. Examples of such problems include number-theoretic assumptions (e.g. integer factorization is hard). Here we will discuss another such problem called the learning with errors (LWE) problem that was introduced by Regev in [Reg05] where it was shown that the hardness of LWE can be reduced to the hardness of the approximate shortest vector problem (SVP), a well-studied lattice problem that is believed to be computationally hard. Interestingly, unlike classical number-theoretical assumptions, LWE s hardness extends to quantum algorithms as well, making it a suitable candidate for use in post-quantum cryptography. Besides its proven hardness, LWE is also a versatile problem that was used as the basis for several diverse constructions including public-key encryption schemes [Reg05, PW08], oblivious transfer protocols [PVW08] and, more pertinently, fully homomorphic encryption schemes [BV11, BGV12, GSW13]. To get a better understanding of the LWE problem, we will first look at some related concepts in coding theory before transitioning to their lattice-based variants. 2 Coding Theory One of the more widely studied topics in coding theory is error correcting codes where we are interested in finding a (usually linear) message-encoding function f that transforms a message x {0, 1} n into a codeword f( x) {0, 1} m where m n such that, even after flipping a large fraction of the bits in f( x), we are still able to (efficiently) decode it and get back x. 2.1 Linear Codes Background Throughout this section, we focus on working in GF(2). We first recall some general definitions from coding theory: Definition 1 (Hamming distance). For any two vectors x, y {0, 1} m, their Hamming distance hd( x, y) is the number of positions i where x i y i Definition 2 (Hamming weight). For any vector x {0, 1} m, its Hamming weight hw( x) is the number of positions i where x i = 1 5-1

Define A F m n 2 to be some binary matrix. We represent the linear encoding operation as a function f A : F n 2 F m 2 that accepts a message x {0, 1} n and outputs the corresponding codeword f A ( x) = A x = y {0, 1} m. A linear code C is simply the set of codewords generated by matrix A which form an n-dimensional subspace in F m 2. If the codeword y is error-free (no bits were flipped) and the matrix A is full column rank (or, if n = m, it is invertible/non-singular) then we can uniquely and efficiently recover x using Gaussian elimination. However, this is not always the case when we add noise to y. Consider, for example, the effect of flipping half the bits in y. This would result in a string z that we cannot decode because if we have another codeword y such that hd( y, y ) = m, then we cannot determine whether z is actually y or y without the noise. Thus, it is important to determine the error tolerance of a code, which is given by the maximum number of bits that we can flip in y while preserving the ability to decode it and get back the correct x. In addition, we should also take into consideration the length of the codewords m, as we generally prefer to have m to be on the same order of n (no excessive redundancy) while still providing comparative error tolerance. Fortunately, the following theorem whose proof we omit shows that this is possible. Theorem 3. There exists a linear coding function f A : F n F m with m = O(n) and error tolerance Ω(m) For now, we can set m = 10n and the error tolerance to be m/10. We say that a linear coding function f A is decodable if for every pair of messages x x, their Hamming distance is hd(a x, A x ) m/5. This guarantees that any codeword A x can be decoded into some unique x. Note that while the encoding procedure is efficient (simple matrix multiplication), the decoding procedure might not necessarily be so, even though, information-theoretically, there exists a way to correctly decode a codeword. We can efficiently generate a decodable coding function using the following theorem. Theorem 4. A randomly chosen A F m n 2 can be used to get a decodable linear coding function f A with high probability. Lastly, we define the code distance d of a linear code f A which is the minimum Hamming distance between any two codewords. It can be easily shown that d is also equal to the codeword with the minimum Hamming weight. That is: Proof. A good simple exercise! 2.2 Problem Definitions d = min hd(a x, x x A x ) = min hw(a x) (1) x 0 Here we discuss the problem definitions related to coding theory that are conjectured to be computationally hard. While it is easy to find a decodable linear code (see Theorem 4), we do not yet know of any efficient procedure to test that it is decodable. That is, finding the code distance d is computationally hard. By Equation (1), finding the minimum weight among all (non-zero) codewords is also equivalently hard. 5-2

Definition 5 (Shortest vector problem). Given matrix A for some linear code f A with code distance d, find y = A x such that hw( y) = d. That is, find the shortest non-zero vector in {A x x {0, 1} n } {0, 1} m In contrast to the above problem of testing whether a linear code is decodable or not, the following problem is based on the hardness of decoding a noisy codeword from a random linear code. Definition 6 (Decoding random linear codes). Given some random matrix A F m n 2 for some linear code f A and a perturbed codeword y A x + e where x {0, 1} n is chosen uniformly at random and e {0, 1} m is a random error vector with weight at most m/10, find x. 3 Lattice-based Cryptography 3.1 Lattices Background Figure 1: An example of a lattice in R 2 An m-dimensional lattice L is a discrete additive subgroup of R m and is represented as the set of all possible integer linear combinations of n linearly independent m-dimensional (column) vectors a 1,..., a n. We call the matrix A = [ a 1,..., a n ] the basis of lattice L and we can define it more formally as follows: { n } L(A) = L( a 1,..., a n ) = x i a i : x i Z = {A x : x Z n } i=1 5-3

An example of 2-dimensional lattice is shown in Figure 1 where the explicitly drawn arrows represent a basis for the lattice from which we can generate all other points. For any vector y L, we usually refer to the length of a vector y using the Euclidean norm however other norms are also applicable. 3.2 Problem Definitions We list here the definitions of the relevant lattice-based problem that are conjectured to be computationally hard. These problems are the lattice analogue of the ones described in Section 2.2. Definition 7 (Shortest vector problem in lattices). Given a basis A for lattice L, find the shortest non-zero vector in L(A). The shortest vector problem (SVP) was one of the first lattice problems to have been used as the basis for a public-key cryptosystem [AD97]. The exact version of SVP was proven to be NP-hard [Ajt98] and the approximate version was shown to be computationally hard even for constant approximation factors [Kho05]. Definition 8 (Learning with Errors). For uniformly random x F n define O x to be an LWE oracle that upon request returns a tuple ( a, a, x + e) where a F n is a vector chosen uniformly at random and e F is an error term chosen from some suitable distribution. Given m samples from O x, where m can be arbitrary, the LWE problem is to find x. Unlike the two problems in Section 2.2, the two problems showcased here are known to be related. Specifically, Regev [Reg05] shows a reduction from approximate-svp to LWE. Usually, the field we use on which to perform these computations is Z p and the error vector is drawn from some suitable Gaussian distribution. References [AD97] Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worstcase/average-case equivalence. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC), pages 284 293. ACM Press, 1997. See also ECCC TR96-065. [Ajt98] Miklós Ajtai. The shortest vector problem in l 2 is np-hard for randomized reductions (extended abstract). In Proceedings of the thirtieth annual ACM symposium on Theory of computing, STOC 98, pages 10 19, New York, NY, USA, 1998. ACM. [BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic encryption without bootstrapping. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS 12, pages 309 325, New York, NY, USA, 2012. ACM. 5-4

[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) lwe. In Rafail Ostrovsky, editor, FOCS, pages 97 106. IEEE, 2011. [GSW13] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In CRYPTO, pages 75 92. Springer, 2013. [Kho05] Subhash Khot. Hardness of approximating the shortest vector problem in lattices. J. ACM, 52(5):789 808, 2005. [PVW08] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In David Wagner, editor, Advances in Cryptology CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 554 571. Springer Berlin Heidelberg, 2008. [PW08] [Reg05] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. In Richard E. Ladner and Cynthia Dwork, editors, Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 187 196. ACM, 2008. Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC: ACM Symposium on Theory of Computing (STOC), 2005. 5-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback