classical hardness of the learning with errors problem
play

Classical hardness of the Learning with Errors problem Adeline - PowerPoint PPT Presentation

Sep 21, 2023 •280 likes •608 views

Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehl August 12, 2013 Adeline Langlois Hardness of LWE August 12, 2013 1/ 18 Our

  1. Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness of LWE August 12, 2013 1/ 18

  2. Our main result GapSVP in dimension √ n Not quantum A classical reduction from a worst-case lattice problem to the Learning with Errors problem with small modulus. Dimension n Polynomial in n Adeline Langlois Hardness of LWE August 12, 2013 2/ 18

  3. Outline 1. Lattices: definitions and problems 2. Lattice-based cryptography: LWE and a public-key encryption 3. Our main result: classical hardness of LWE for polynomial modulus 4. Other results on LWE. Adeline Langlois Hardness of LWE August 12, 2013 3/ 18

  4. Lattices and problems • • • • • • b 2 • • • • • b 1 • • • • • • Lattice L ( B ) = { � n 1= i a i b i , a i ∈ Z } , where the ( b i ) 1 ≤ i ≤ n ’s, linearly independent vectors, are a basis of L ( B ) . Adeline Langlois Hardness of LWE August 12, 2013 4/ 18

  5. Lattices and problems Definitions : ◮ 1 st minimum; ◮ 2 nd minimum. • • • • • • λ 2 • • • • • λ 1 • • • • • • Lattice L ( B ) = { � n 1= i a i b i , a i ∈ Z } , where the ( b i ) 1 ≤ i ≤ n ’s, linearly independent vectors, are a basis of L ( B ) . Adeline Langlois Hardness of LWE August 12, 2013 4/ 18

  6. Lattices and problems Definitions : ◮ 1 st minimum; ◮ 2 nd minimum. • • • • • • Problems : ◮ Shortest Vector Pbm. • • • • • b 1 (computational or decisional version) • • • • • • Lattice L ( B ) = { � n 1= i a i b i , a i ∈ Z } , where the ( b i ) 1 ≤ i ≤ n ’s, linearly independent vectors, are a basis of L ( B ) . Adeline Langlois Hardness of LWE August 12, 2013 4/ 18

  7. Lattices and problems Definitions : ◮ 1 st minimum; ◮ 2 nd minimum. • • • • • • Problems : b 2 ◮ Shortest Vector Pbm. • • • • • b 1 (computational or decisional version) • • • • • • ◮ Shortest Independent Vectors Pbm. Lattice L ( B ) = { � n 1= i a i b i , a i ∈ Z } , where the ( b i ) 1 ≤ i ≤ n ’s, linearly independent vectors, are a basis of L ( B ) . Adeline Langlois Hardness of LWE August 12, 2013 4/ 18

  8. Lattices and problems Definitions : ◮ 1 st minimum; ◮ 2 nd minimum. • • • • • • Problems : b 2 ◮ Shortest Vector Pbm. • • • • • b 1 (computational or decisional version) ◮ Shortest Independent • • • • • • Vectors Pbm. ◮ Approximation factor: γ . Conjecture There is no polynomial time algorithm that approximates these lattice problems to within polynomial factors. Adeline Langlois Hardness of LWE August 12, 2013 4/ 18

  9. GapSVP Gap Shortest Vector Problem (GapSVP γ ) Input : a basis B of a lattice Λ and a number d , Output : • yes : there is z ∈ Λ non-zero such that � z � < d , • no : for all non-zero vectors z ∈ Λ : � z � ≥ d . • • • • • • d • • • • • • • • • • • Best known algorithm: complexity 2 Ω( n log log n ) . log n Adeline Langlois Hardness of LWE August 12, 2013 5/ 18

  10. GapSVP Gap Shortest Vector Problem (GapSVP γ ) Input : a basis B of a lattice Λ and a number d , Output : • yes : there is z ∈ Λ non-zero such that � z � < d , • no : for all non-zero vectors z ∈ Λ : � z � ≥ d . • • • • • • d • • • • • • • • • • • Best known algorithm: complexity 2 Ω( n log log n ) . log n Adeline Langlois Hardness of LWE August 12, 2013 5/ 18

  11. GapSVP Gap Shortest Vector Problem (GapSVP γ ) Input : a basis B of a lattice Λ and a number d , Output : • yes : there is z ∈ Λ non-zero such that � z � < d , • no : for all non-zero vectors z ∈ Λ : � z � ≥ γd . • • • • • • γd • • • • • • • • • • • Approximation factor: γ . Best known algorithm: complexity 2 Ω( n log log n ) . log n Adeline Langlois Hardness of LWE August 12, 2013 5/ 18

  12. Hardness of GapSVP γ Conjecture There is no polynomial time algorithm that approximates this lattice problems to within polynomial factors. Adeline Langlois Hardness of LWE August 12, 2013 6/ 18

  13. LWE-based cryptography From basic to very advanced primitives ◮ Public key encryption [Regev 2005, ...] ; ◮ Identity-based encryption [Gentry, Peikert and Vaikuntanathan 2008, ...] ; ◮ Fully homomorphic encryption [Brakerski and Vaikuntanathan 2011, ...] . Advantages of LWE-based primitives ◮ Efficient, especially when the modulus is polynomial ; ◮ Security proofs from the hardness of LWE ; ◮ Likely to resist attacks from quantum computers. Adeline Langlois Hardness of LWE August 12, 2013 7/ 18

  14. The Learning With Errors problem [Regev05] LWE n q m s s find Given A A + , e n ◮ A ← U ( Z m × n ) , q ◮ s ← U ( Z n q ) , αq ◮ e ∼ D Z m ,αq with α = o (1) . Discrete Gaussian error Decision version: Distinguish from ( A , b ) with b uniform. Adeline Langlois Hardness of LWE August 12, 2013 8/ 18

  15. Public key Encryption ◮ An user A has two keys: ◮ one public pk A ◮ one secret sk A ◮ To encrypt a message M, anyone can use pk A . ◮ To decrypt a ciphertext C, only A can do it using sk A . Adeline Langlois Hardness of LWE August 12, 2013 9/ 18

  16. An example of Public-Key Encryption [Regev 2005] ◮ Parameters : n, m, q ∈ Z , α ∈ R , ◮ Keys : sk = s and pk = ( A , b ) , with b = A s + e mod q ֓ U ( Z n ֓ U ( Z m × n where s ← q ) , A ← ) , e ← ֓ D Z m ,αq . q ◮ Encryption ( M ∈ { 0 , 1 } ) : Let r ← ֓ U ( { 0 , 1 } m ) , r r u T = A , v = + ⌊ q/ 2 ⌉ . M b Adeline Langlois Hardness of LWE August 12, 2013 10/ 18

  17. An example of Public-Key Encryption [Regev 2005] ◮ Parameters : n, m, q ∈ Z , α ∈ R , ◮ Keys : sk = s and pk = ( A , b ) , with b = A s + e mod q ֓ U ( Z n ֓ U ( Z m × n where s ← q ) , A ← ) , e ← ֓ D Z m ,αq . q ◮ Encryption ( M ∈ { 0 , 1 } ) : Let r ← ֓ U ( { 0 , 1 } m ) , r r u T = A , v = + ⌊ q/ 2 ⌉ . M b ◮ Decryption of ( u , v ) : compute v − u T s , r r s s A A e + ⌊ q/ 2 ⌉ . M − = + small + ⌊ q/ 2 ⌉ . M � �� � � �� � v u T s If close from 0 : return 0 , if close from ⌊ q/ 2 ⌋ : return 1 . Adeline Langlois Hardness of LWE August 12, 2013 10/ 18

  18. An example of Public-Key Encryption [Regev 2005] ◮ Parameters : n, m, q ∈ Z , α ∈ R , ◮ Keys : sk = s and pk = ( A , b ) , with b = A s + e mod q ֓ U ( Z n ֓ U ( Z m × n where s ← q ) , A ← ) , e ← ֓ D Z m ,αq . q ◮ Encryption ( M ∈ { 0 , 1 } ) : Let r ← ֓ U ( { 0 , 1 } m ) , r r u T = A , v = + ⌊ q/ 2 ⌉ . M b ◮ Decryption of ( u , v ) : compute v − u T s , r r s s A A e + ⌊ q/ 2 ⌉ . M − = + small + ⌊ q/ 2 ⌉ . M � �� � � �� � v u T s LWE hard ⇒ Regev’s scheme is "secure" . Adeline Langlois Hardness of LWE August 12, 2013 10/ 18

  19. Reminders ◮ Hard problem on lattices: GapSVP. ◮ Lattice-based cryptography: Security proof based on reduction from GapSVP to a problem ( = a protocol attacker). ◮ Learning With Errors problem: Distinguish between ( A , b ) uniform and ( A , As + e mod q ) , where A ← U ( Z m × n ) , s ← U ( Z n q ) is secret, and e Gaussian. q ◮ Public-key encryption: security based on hardness of LWE. Adeline Langlois Hardness of LWE August 12, 2013 11/ 18

  20. Prior reductions from worst-case lattice problems to LWE ◮ [Regev05] ◮ A quantum reduction; Quantum computer? ◮ with q polynomial. ◮ [Peikert09] ◮ A classical reduction; ◮ with q exponential, Inefficient primitives ◮ [Peikert09] ◮ A classical reduction; ◮ based on a non-standard lattice problem; Hardness? ◮ with q polynomial. Adeline Langlois Hardness of LWE August 12, 2013 12/ 18

  21. Prior reductions from worst-case lattice problems to LWE ◮ [Regev05] ◮ A quantum reduction; ◮ with q polynomial. Our main result ◮ [Peikert09] ◮ A classical reduction, ◮ A classical reduction; ◮ from a standard worst-case ◮ with q exponential, lattice problem, ◮ with q polynomial. ◮ [Peikert09] ◮ A classical reduction; ◮ based on a non-standard lattice problem; ◮ with q polynomial. Adeline Langlois Hardness of LWE August 12, 2013 12/ 18

  22. Main component in the proof: a self reduction ◮ Recall that [Peikert09] already showed hardness of LWE with q exponential. How do we obtain a hardness proof for q polynomial? Adeline Langlois Hardness of LWE August 12, 2013 13/ 18

  23. Main component in the proof: a self reduction ◮ Recall that [Peikert09] already showed hardness of LWE with q exponential. How do we obtain a hardness proof for q polynomial? ◮ All we have to do is show the following reduction: in dimension n From LWE with modulus q k , in dimension nk to LWE with modulus q . Adeline Langlois Hardness of LWE August 12, 2013 13/ 18

  24. Modulus Switching A reduction from LWE with modulus q to LWE with modulus p . How to map ( A , As + e ) mod q to ( A ′ , A ′ s + e ′ ) mod p ? ) to A ′ ← ◮ Transform A ← ֓ U ( Z m × n ֓ U ( Z m × n ) ; q p First idea: A ′ = ⌊ p q A ⌉ ? Adeline Langlois Hardness of LWE August 12, 2013 14/ 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University

Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University

Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University ron.steinfeld@monash.edu CIS 2019 Winter School based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi

740 views • 47 slides
Hardness of correcting errors on a Stabilizer code (arXiv:1310.3235) Pavithran Iyer, Ma

Hardness of correcting errors on a Stabilizer code (arXiv:1310.3235) Pavithran Iyer, Ma

Computational Complexity Classical error correction Quantum error correction Main result Conclusions Hardness of correcting errors on a Stabilizer code (arXiv:1310.3235) Pavithran Iyer, Ma trise En Physique, Superviseur: David Poulin,

1.64k views • 57 slides
Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical

Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical

Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical Comments Optimization Problems More Complexity Classes 1 Tautology Problem &amp; NP-Hardness &amp; co-NP 2 NP-Hardness Another

559 views • 23 slides
Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP Next best thing: define hardest problem in NP A problem P is NP -hard if Every problem Q in NP can be solved in this way: 1. given an instance

609 views • 14 slides
Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness

Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness

Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness ASTM D2583 Fiberglass Aluminum Aluminum Alloys Soft Metals Plastics Scratch Hardness- (IS 101 - Part 5/Sec 2) BS 3900 Hardness can

1.89k views • 30 slides
Viterbi Training for PCFGs: Hardness Results and Competitiveness of Uniform Initialization Shay

Viterbi Training for PCFGs: Hardness Results and Competitiveness of Uniform Initialization Shay

Viterbi Training for PCFGs: Hardness Results and Competitiveness of Uniform Initialization Shay Cohen Noah Smith Carnegie Mellon University July 14, 2010 Outline Hardness results for unsupervised learning of PCFGs Background and problem

602 views • 46 slides
2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem

2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem

2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem LWE-based Encryptions; Previous Works Our Scheme LWR Result and Conclusion Motivation Mot otiv ivation Contemporary Cryptography 1 2

541 views • 25 slides
On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides
Connections between Learning with Errors and the Dihedral Coset Problem Elena Kirshanova joint

Connections between Learning with Errors and the Dihedral Coset Problem Elena Kirshanova joint

Connections between Learning with Errors and the Dihedral Coset Problem Elena Kirshanova joint work with Zvika Brakerski, Damien Stehl, and Weiqiang Wen LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ( a 1 , a 1 , s + e

492 views • 19 slides
On the Quantitative Hardness of CVP Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz

On the Quantitative Hardness of CVP Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz

On the Quantitative Hardness of CVP Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz NYCAC 2017 Outline Closest Vector Problem Applications Hardness Isolating Parallelepipeds The Closest Vector Problem n is the rank

1.05k views • 83 slides
with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem

with classical methods Visualisations Introduction The first problem Problem The second problem Given Problems Analysis Simplification Classification Discussion Complex Handling Lagrangian

689 views • 20 slides
On Hardness of Approximating the Parameterized Clique Problem Igor Shinkar (NYU) Joint work with

On Hardness of Approximating the Parameterized Clique Problem Igor Shinkar (NYU) Joint work with

On Hardness of Approximating the Parameterized Clique Problem Igor Shinkar (NYU) Joint work with Subhash Khot (NYU) The clique problem The Clique problem : Input : A graph G=(V,E) on n vertices, and a parameter k. Goal : Find a k-clique in G (or

586 views • 35 slides
Classical Conditioning Learning &amp; Memory Arlo Clark-Foos What is classical conditioning?

Classical Conditioning Learning &amp; Memory Arlo Clark-Foos What is classical conditioning?

Classical Conditioning Learning &amp; Memory Arlo Clark-Foos What is classical conditioning? Learning to associate previously neutral stimuli with the subsequent events. Howard Eichenbaums Thanksgiving Pavlovs psychic secretion

776 views • 40 slides
Computational and Statistical Learning Theory TTIC 31120 Prof. Nati Srebro Lecture 7:

Computational and Statistical Learning Theory TTIC 31120 Prof. Nati Srebro Lecture 7:

Computational and Statistical Learning Theory TTIC 31120 Prof. Nati Srebro Lecture 7: Computational Complexity of Learning Hardness of Improper Learning (continued) Agnostic Learning Hardness of Learning via Crypto Easy to generate

433 views • 24 slides
NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs . . . Usual Proofs of NP- . . . Proofs of NP- . . . Pedagogical Problem . . . NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers Instead What Is NP-Hard: . . . Proof that . . . of

296 views • 12 slides
Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors CS-121 Logic errors Syntax Errors Syntax Errors An error in which a C++ grammar rule has been violated. Are flagged at compile time Missing ;

338 views • 5 slides
Whats on the Horizon? Accountability, Compliance &amp; Monitoring will have some changes based

Whats on the Horizon? Accountability, Compliance &amp; Monitoring will have some changes based

Whats on the Horizon? Accountability, Compliance &amp; Monitoring will have some changes based on mandates under Senate Bill 1, Rider 70 Texas 83 rd Legislative Session, 2013 Impl plem emen entation tion of of St Stan and Al Alone Specia

286 views • 5 slides
Policy-Based Management Overview by: Vladimir Tosic Outline Introduction to service-level

Policy-Based Management Overview by: Vladimir Tosic Outline Introduction to service-level

Policy-Based Management Overview by: Vladimir Tosic Outline Introduction to service-level management Definitions and examples Policies, policy rules, types of policy rules Policy conflicts, meta-policies Roles and related

517 views • 26 slides
production grant DUNE UK DAQ workshop, Oxford, 2019.10.17 1 Oct 2019 SJM Peeters | UK

production grant DUNE UK DAQ workshop, Oxford, 2019.10.17 1 Oct 2019 SJM Peeters | UK

Overview of the DUNE UK DAQ production grant DUNE UK DAQ workshop, Oxford, 2019.10.17 1 Oct 2019 SJM Peeters | UK Production Grant: Overview DAQ consortium view D. Newbold DUNE/LBNF Resources management R. Sipos G. Lehmann A. Thea

621 views • 17 slides
Software Methodologies for distributed systems Policy-based Management (PBM) Software

Software Methodologies for distributed systems Policy-based Management (PBM) Software

A Fuzzy, Utility-based Approach for Proactive Policy-based Management Christoph Frenzel, Henning Sanneck, and Bernhard Bauer RuleML 2013, July 11 13, Seattle, WA, USA Software Methodologies for distributed systems Policy-based Management

195 views • 16 slides
production of loosely bound states at the QCD phase boundary 'snowballs in hell'

production of loosely bound states at the QCD phase boundary 'snowballs in hell'

production of loosely bound states at the QCD phase boundary 'snowballs in hell' introduction and perspective the hadron resonance gas (u,d,s) hadron production, Lattice QCD and the QCD phase structure loosely bound states

761 views • 37 slides
Welcome to the webcast on the ADAP Services Report otherwise known as the ADR. This webcast will

Welcome to the webcast on the ADAP Services Report otherwise known as the ADR. This webcast will

Welcome to the webcast on the ADAP Services Report otherwise known as the ADR. This webcast will help you choose the best software for creating the ADR client level data file given your organizations current data management system and

453 views • 20 slides
Web Capabilities (Employer) Employer Login Employer Site Member Search Member Record

Web Capabilities (Employer) Employer Login Employer Site Member Search Member Record

Web Capabilities (Employer) Employer Login Employer Site Member Search Member Record Eligibility Functions Enroll a Member Update Employee Information Add a New Dependent Terminate Coverage Add or Change

585 views • 20 slides
SPQR Method: a new linear-time exact sampler of combinatorial structures Andrea Sportiello CNRS |

SPQR Method: a new linear-time exact sampler of combinatorial structures Andrea Sportiello CNRS |

SPQR Method: a new linear-time exact sampler of combinatorial structures Andrea Sportiello CNRS | LIPN, Universit e Paris Nord, Villetaneuse work in collaboration with Fr ed erique Bassino Al ea 2014 CIRM, Luminy, 21st March 2014 1

1.36k views • 79 slides

More recommend