SLIDE 1
Connections between Learning with Errors and the Dihedral Coset Problem
Elena Kirshanova
joint work with Zvika Brakerski, Damien Stehlé, and Weiqiang Wen
SLIDE 2
SLIDE 6
LWE and DCP
Dimension: $n$, modulus: $q = \mathrm{poly}(n)$
LWE: Given $(a_1, \langle a_1, s\rangle + e_1 \bmod q), \ldots, (a_m, \langle a_m, s\rangle + e_m \bmod q)$ with $e \ll q$, find $s$.
≤ [Regev’02]
DCP: Given $|0, x_1\rangle + |1, x_1 + s \bmod N\rangle, \ldots, |0, x_\ell\rangle + |1, x_\ell + s \bmod N\rangle$, find $s$.
Does not improve upon classical algorithms
BKW / lattices: $2^{O\left(n \cdot \frac{\log q}{(\log q - \log e_i)^2}\right)}$
Kuperberg: $2^{O(\log \ell + \log N / \log \ell)}$
The reduction produces $\ell = \mathrm{poly}(n)$, $N = 2^{n^2}$
SLIDE 8
Inverse direction
Is DCP ≤ LWE?
◮ might give strong evidence for quantum hardness of LWE
◮ DCP might be too ‘hard’ for LWE:
DCP ≤ $\mathrm{SubsetSum}_{1\cdot c}$ [Reg’02], but $\mathrm{SubsetSum}_{\frac{1}{\log n}}$ ≤ LWE ≤ Vec. $\mathrm{SubsetSum}_{>\log n}$
No, but we show that EDCP ≤ LWE
SLIDE 11
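Extended DCP
EDCP, for a distr. $D$: $\sum_{j \in \mathrm{sup}(D)} D(j)\,|j\rangle\,|x + j \cdot s\rangle$
DCP: $|0\rangle\,|x\rangle + |1\rangle\,|x + s\rangle$
G-EDCP: $\sum_{j \in \mathbb{Z}} \rho_r(j)\,|j\rangle\,|x + j \cdot s\rangle$
U-EDCP: $\sum_{j=0}^{M-1} |j\rangle\,|x + j \cdot s\rangle$
Main result:
LWE ⟺ G-EDCP ⟺ U-EDCP < DCP
⟺ hides polynomial losses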
SLIDE 13
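Extended DCP
EDCP, for a distr. $D$: $\sum_{j \in \mathrm{sup}(D)} D(j)\,|j\rangle\,|x + j \cdot s\rangle$
DCP: $|0\rangle\,|x\rangle + |1\rangle\,|x + s\rangle$
G-EDCP$_{n,q,r}$: $\sum_{j \in \mathbb{Z}} \rho_r(j)\,|j\rangle\,|x + j \cdot s\rangle$
U-EDCP$_{n,q,M}$: $\sum_{j=0}^{M-1} |j\rangle\,|x + j \cdot s\rangle$
[Reduction diagram over the problems LWE$_{n,q,\frac{q}{r \cdot \mathrm{poly}(n)}}$, G-EDCP$_{n,q,r}$, U-EDCP$_{n,q,c \cdot r}$, DCP$_{2^{n \log q}}$, LWE$_{n,q,q/r}$ and G-EDCP$_{n,q,r/\sqrt{n}}$]
Subscript legend: dimension, modulus, st. dev.
Quantum rejection sampling, Ozols et al.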
SLIDE 15
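Results
[Reduction diagram over the problems LWE$_{n,q,\frac{q}{r \cdot \mathrm{poly}(n)}}$, G-EDCP$_{n,q,r}$, U-EDCP$_{n,q,c \cdot r}$ and DCP$_{2^{n \log q}}$ $[2^{n^2}]$]
via average case lattice problems [Reg02]+[LM09]
1-dim UDCP was already considered in [Childs-van Dam’07]:
$\sum_{j=0}^{M-1} |j\rangle\,|x + j \cdot s \bmod 2^n\rangle$
[Plot: Runtime against $M$, with labels [CvD’07], [Brakerski et al.], LWE$_{\sqrt{n},\,2^{\sqrt{n}},\,2^{\sqrt{n}}/M}$, LWE$_{1,\,2^n,\,2^n/M}$, G-EDCP$_{1,2^n,M}$ and U-EDCP$_{1,2^n,M}$]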
SLIDE 18
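G-EDCP ≤ LWE
[Diagram: the state $\sum_{j \in \mathbb{Z}} \rho_r(j)\,|j\rangle\,|x + j \cdot s \bmod q\rangle$ goes through two QFT steps, labelled (1) and (2), giving $a$ and $\sum_{e \in \mathbb{Z}_q} \rho_{1/r}\!\left(\frac{e}{q}\right) |\langle a, s\rangle + e\rangle$]
(1): $\sum_{a \in \mathbb{Z}_q^n} \sum_{j \in \mathbb{Z}} \omega_q^{\langle (x + j \cdot s),\, a\rangle} \cdot \rho_r(j)\,|j\rangle\,|a\rangle$
(2): $\sum_{b \in \mathbb{Z}_q} \sum_{j \in \mathbb{Z}} \omega_q^{j \cdot (\langle a, s\rangle + b)} \cdot \rho_r(j)\,|b\rangle \;\xrightarrow{\text{PSF}}\; \sum_{b \in \mathbb{Z}_q} \sum_{j \in \mathbb{Z}} \rho_{1/r}\!\left(j + \frac{\langle a, s\rangle + b}{q}\right) |b\rangle$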
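Step (2) and its PSF arrow can be checked numerically. The Python below is an added example, not code from the talk: it compares both sides of the arrow and shows that measuring b yields an LWE-style sample whose error width scales as q/r. It assumes the normalisation ρ_w(x) = exp(−πx²/w²), which the slides do not state, and uses constructed toy values q = 257, r = 8 and a constructed pair a, s.

```python
import cmath
import math

def rho(x, width):
    # Gaussian weight rho_width(x) = exp(-pi x^2 / width^2) (assumed normalisation)
    return math.exp(-math.pi * (x / width) ** 2)

def inner(a, s, q):
    return sum(ai * si for ai, si in zip(a, s)) % q

def qft_side(b, c, q, r, tail=12):
    # Amplitude of |b> in step (2): sum_j rho_r(j) * omega_q^(j (c + b)), c = <a, s>
    limit = int(tail * r)  # rho_r(j) is negligible beyond this
    return sum(rho(k, r) * cmath.exp(2 * math.pi * 1j * k * (c + b) / q)
               for k in range(-limit, limit + 1))

def psf_side(b, c, q, r, tail=12):
    # Same amplitude after Poisson summation: r * sum_j rho_{1/r}(j + (c + b)/q)
    y = ((c + b) % q) / q
    return r * sum(rho(k + y, 1 / r) for k in range(-tail, tail + 1))

def error_distribution(a, s, q, r):
    # Probability of measuring b, indexed by the centred error e = b + <a, s> mod q
    c = inner(a, s, q)
    weights = {}
    for b in range(q):
        e = (b + c) % q
        if e > q // 2:
            e -= q
        weights[e] = psf_side(b, c, q, r) ** 2
    total = sum(weights.values())
    return {e: w / total for e, w in weights.items()}

def demo():
    q, r = 257, 8.0                      # constructed toy parameters
    a, s = [17, 200, 45], [3, 250, 91]   # constructed sample vector and secret
    dist = error_distribution(a, s, q, r)
    std = math.sqrt(sum(p * e * e for e, p in dist.items()))
    return dist, std, q / r

if __name__ == "__main__":
    dist, std, q_over_r = demo()
    print("most likely error:", max(dist, key=dist.get))
    print("error std: %.3f  (q/r = %.3f)" % (std, q_over_r))
```

Under the assumed normalisation the error standard deviation comes out as (q/r)/(2√π), the same q/r scaling as the LWE parameter on the Extended DCP slide.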
SLIDE 19