module lwe vs ring lwe
play

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of - PowerPoint PPT Presentation

Feb 02, 2024 •208 likes •990 views

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56 Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state

  1. Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

  2. Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state parameter expansions in the reductions 2/56

  3. Outline 1. Definitions 2. Motivation for Ring/Module-LWE 3. Normal Form Secrets 4. “BLPRS13” Style Reductions 5. “Structure-Building” Reduction 3/56

  4. Section 1 Definitions 4/56

  5. Notation Vectors x ∈ Z n q : ◮ Entries integers modulo q , i.e. Z q ◮ Dimension n , i.e. x = ( x 0 , . . . , x n − 1 ) Ring elements r ∈ R q = Z q [ X ] / ( X n + 1): ◮ Coefficients integers modulo q ◮ Degree at most n − 1 i.e. r = r 0 + r 1 · X + · · · + r n − 1 · X n − 1 ∈ Z q [ X ] / ( X n + 1) ◮ Coefficient Embedding r = ( r 0 , . . . , r n − 1 ) ∈ Z n q 5/56

  6. Notation Module elements m ∈ R d q : ◮ A d -tuple of ring elements m = ( m 0 , . . . , m d − 1 ) ◮ Multiplication: m · n := m 0 n 0 + · · · + m d − 1 · n d − 1 Terminology : ◮ q is a “modulus” ◮ n is a “(ring) dimension” ◮ d is a “module rank” ◮ m is the number of samples 6/56

  7. Notation: Distributions ◮ U ( X ) - uniform distribution over set X 7/56

  8. Notation: Distributions ◮ U ( X ) - uniform distribution over set X ◮ χ σ - discrete gaussian over the integers, s.d. σ ◮ D Λ ,σ - discrete gaussian over lattice Λ, s.d. σ ◮ D Λ , r - discrete ellipsoidal gaussian with s.d.’s r i ∈ R 7/56

  9. Notation: Distributions ◮ U ( X ) - uniform distribution over set X ◮ χ σ - discrete gaussian over the integers, s.d. σ ◮ D Λ ,σ - discrete gaussian over lattice Λ, s.d. σ ◮ D Λ , r - discrete ellipsoidal gaussian with s.d.’s r i ∈ R ◮ D σ - continuous gaussian over R ◮ D r - continuous ellipsoidal gaussian over R n with s.d.’s r i 7/56

  10. Generic LWE Problem Framework Given some uniform random a , b = a · s + e : ◮ (search LWE) decode the noisy product b i.e. recover s from b for “small” e ◮ (decision LWE) distinguish b from uniform random 8/56

  11. Generic LWE Problem Framework Given some uniform random a , b = a · s + e : ◮ (search LWE) decode the noisy product b i.e. recover s from b for “small” e ◮ (decision LWE) distinguish b from uniform random Plain LWE sample: a ← Z n q ; s ← U or χ n σ , e ← χ σ ; b ∈ Z q a 1 e 1 b 1 a 2 e 2 b 2 . + a m = s a 1 a 2 … , … … … a m e m b m 8/56

  12. Distributions and Parameters ◮ Uniform a ◮ Error distribution: discrete gaussian e ← χ σ ◮ Secret distribution: uniform s or s ← χ n σ Plain LWE sample: a ← Z n q ; s ← χ n σ , e ← χ σ ; b ∈ Z q 9/56

  13. Distributions and Parameters ◮ Uniform a ◮ Error distribution: discrete gaussian e ← χ σ ◮ Secret distribution: uniform s or s ← χ n σ Plain LWE sample: a ← Z n q ; s ← χ n σ , e ← χ σ ; b ∈ Z q ◮ Absolute error σ ◮ Error rate α := σ/ q 9/56

  14. Practical Ring-LWE Let R q = Z q [ X ] / ( X n + 1). Given some uniform random a ∈ R q , ◮ (search) recover s ∈ R q from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random 10/56

  15. Practical Ring-LWE Let R q = Z q [ X ] / ( X n + 1). Given some uniform random a ∈ R q , ◮ (search) recover s ∈ R q from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random Error distribution: s , e ← χ n σ n a . s + e a = b , n 10/56

  16. Almost Proper Ring-LWE Given some uniform random a ∈ R q , ◮ (search) recover s ∈ ( R q ) d from b = 1 q a · s + e mod 1 for “small” e ∈ R q ◮ (decision) decide whether b = 1 q a · s + e mod 1 or b is random Notes: ◮ The error distribution is now continuous ◮ The discrete Gaussian distribution χ σ becomes continuous Gaussian D α where α := σ/ q ◮ Ignoring canonical embedding and dual ring 11/56

  17. Practical Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random 12/56

  18. Practical Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random Error distribution: s ← χ nd σ , e ← χ n σ nd a . a + = s b e , n 12/56

  19. Almost Proper Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = 1 q a · s + e mod 1 for “small” e ∈ R q ◮ (decision) decide whether b = 1 q a · s + e mod 1 or b is random Notes: ◮ The error distribution is now continuous ◮ The discrete Gaussian distribution χ σ becomes continuous Gaussian D α where α := σ/ q ◮ Once again, we ignore canonical embedding and dual ring 13/56

  20. Other Variants ◮ Learning with Rounding (LWR) ◮ Compact-LWE ◮ Binary-LWE ◮ And many more 14/56

  21. Section 2 Motivation for Ring-LWE/Module-LWE 15/56

  22. Efficiency vs. Security ◮ Representing n LWE samples: ◮ O ( n ) integers (Ring-LWE) ◮ O ( nd ) integers (Module-LWE) ◮ O ( n 2 ) integers (LWE) 16/56

  23. Efficiency vs. Security ◮ Representing n LWE samples: ◮ O ( n ) integers (Ring-LWE) ◮ O ( nd ) integers (Module-LWE) ◮ O ( n 2 ) integers (LWE) ◮ Lattice hardness: ◮ Ideal lattices SIVP (Ring-LWE) ◮ Module lattices SIVP (Module-LWE) ◮ General lattices SIVP (LWE) 16/56

  24. Flexibility of Module-LWE ◮ R = Z q [ X ] / ( X n + 1) for power-of-two n ◮ Effective Ring-LWE dimensions: 256 , 512 , 1024 , 2048 , . . . ◮ Effective Module-LWE dimensions: 256 · d , d = 1 , 2 , . . . Note: The cost of multiplying using Module-LWE is larger than the cost of multiplying for Ring-LWE of the same effective dimension. 17/56

  25. Section 3 Transforming Secret Distributions 18/56

  26. Normal Form LWE Lemma Let q be prime. Given m > n uniform secret LWE samples ( A , b ) ∈ Z n × m × Z m q , we can produce m − n normal form LWE q samples ( A ′ , b ′ ) ∈ Z n × ( m − n ) × Z ( m − n ) (with significant probability q q 1 − O (1 / q ) ). 19/56

  27. Normal Form LWE Lemma Let q be prime. Given m > n uniform secret LWE samples ( A , b ) ∈ Z n × m × Z m q , we can produce m − n normal form LWE q samples ( A ′ , b ′ ) ∈ Z n × ( m − n ) × Z ( m − n ) (with significant probability q q 1 − O (1 / q ) ). Proof. 1. Write A = [ A 1 | A 2 ] where A 1 ∈ Z n × n is invertible. q 2. b = [ b 1 | b 2 ] T := [ A 1 | A 2 ] T s + [ e 1 | e 2 ] T 3. Set A ′ := − A − 1 1 A 2 , b ′ := A ′ T b 1 + b 2 = A ′ e 1 + e 2 . 19/56

  28. Non-Uniform Secret − → Uniform Secret Lemma Given a LWE sample ( a , b ) with non-uniform secret s, we can obtain a LWE sample ( a , ˜ b ) with a uniform secret ˜ s. Proof. 1. Sample s ′ ← U . 2. Output LWE sample � � b := b + a · s ′ = a · ( s ′ + s ) + e = ( a , a · ( s ′ + s ) + e ). a , ˜ 20/56

  29. Section 4 BLPRS13 Style Reductions 21/56

  30. Modulus-Dimension Switching LWE Reduction 1 Lemma There exists a reduction from → LWE m , n ′ = n / k , q ′ = q k , D β where β = O ( α √ n ) . LWE m , n , q , D α − “We can reduce the dimension at the cost of increasing the modulus while changing the error rate by a √ n factor without decreasing hardness.” 1 Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. St´ ehle. Classical hardness of learning with errors. STOC13 22/56

  31. Reduction Intuition Goal Find a reduction (i.e. transformation F ) such that the original LWE distribution almost maps to the target LWE distribution where the effect that F has on the secret is reversible. F (LWE) ∼ indist. LWE ′ a ′ ∈ Z n / k F a ∈ Z n − → q q k s ′ ∈ Z n / k F s ∈ Z n − → q q k � 1 � 1 � � b ′ = q k a ′ · s ′ + e ′ F b = q a · s + e mod 1 − → mod 1 23/56

  32. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 24/56

  33. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 q 3 a ′ · s ′ ≡ 0 + 1 1 q a · s + 1 = ⇒ q 2 ( a 0 · s 1 + a 1 · s 2 ) + . . . mod 1 ≅ 1 q a · s mod 1 24/56

  34. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 q 3 a ′ · s ′ ≡ 0 + 1 1 q a · s + 1 = ⇒ q 2 ( a 0 · s 1 + a 1 · s 2 ) + . . . mod 1 ≅ 1 q a · s mod 1 Therefore take b ′ = b 24/56

  35. A Closer Look at the Error Distribution Want to analyse the distribution of: b ′ − 1 q n a ′ · s ′ = e − � q j − i − 1 a j s i i > j Problem: ◮ q j − i − 1 a j s i are not continuous gaussians ✗ 25/56

  36. INTERLUDE: Fixing a “Bad” Error Distribution - Discrete Version Aim Given bad non-Gaussian distribution ˆ e , make it look like a discrete Gaussian. How? Drown by adding a wide discrete Gaussian i.e. consider ˆ e + χ σ 26/56

  37. Fixing a “Bad” Error Distribution - Discrete Version 0.35 0.3 0.25 0.2 0.15 0.1 0.05 -4 -2 2 4 27/56

  38. Drowning ( σ = 3) 0.14 0.12 0.1 0.08 0.06 0.04 0.02 -15 -10 -5 5 10 15 28/56

  39. Drowning ( σ = 10) 0.04 0.03 0.02 0.01 -30 -20 -10 10 20 30 29/56

  40. Drowning ( σ = 10) 0.04 0.03 0.02 0.01 -4 -2 2 4 30/56

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G.

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G.

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G. Paterson Royal Holloway, University of London September 12, 2018 1 / 30 Cold boot attack scenario Originally investigated by [HSHCPCFAF09]

1.16k views • 48 slides
On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

( ) On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory Symposium Okayama University of Science Masahisa Sato Aichi University & University of Yamanashi 13:10-13:40

514 views • 25 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3 Status Boards Position Log Request for Assistance Mission/Task Significant Events Module 4 Forms Module 5 Links Module 6

847 views • 72 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio informatics .ca Module 7 Data Visualization Anamaria Crisan Learning Objectives of Module Understand the process of encoding and decoding

1.31k views • 79 slides
Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 2 was an overview about leadership. But, how do we or did we gain an opportunity to lead? Module 3 gives us insight into transitioning from an employee into a supervisor and/or manager. 0 Module 3 Supervisory Transition Module 3:

1.03k views • 18 slides
Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

As you learned to take your leadership vision and create a progressive strategy in Module 11, it should be apparent that our stakeholders are a priority. Module 12 identifies how to effectively communicate with our stakeholders. 0 Module 12

473 views • 15 slides
Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 - Identifying the Building Blocks Module 4 - Reviewing a portfolio This Module Active vs Passive investing Off the shelf solutions Trackers and ETFs and

648 views • 32 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

Welcome to our e-module series on How to Work with USAID. This e- module is the first part on Registering for Federal Award Systems and focuses on DUNS registration. This e-module is geared towards non- governmental organizations

498 views • 22 slides
6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ Level (only if an NFQ level can be 7 demonstrated) Module number/Reference BAAMT206 Parent Programme BA (Hons) in Audio and Music Technology Stage

340 views • 6 slides
Mohrs Circle Lecture 2 ME EN 372 Andrew Ning aning@byu.edu Outline Material Properties

Mohrs Circle Lecture 2 ME EN 372 Andrew Ning aning@byu.edu Outline Material Properties

Mohrs Circle Lecture 2 ME EN 372 Andrew Ning aning@byu.edu Outline Material Properties Plane Stress Transformation Material Properties Isotropic materials: 2 constants to define. E : modulus of elasticity, or Youngs modulus :

586 views • 11 slides
We only consider geometric nonlinearity, with linear strain-stress relationship = : In

We only consider geometric nonlinearity, with linear strain-stress relationship = : In

We only consider geometric nonlinearity, with linear strain-stress relationship = : In Introd oduction ion Space-time editing Powerful tool for animation editing Seeking minimal control forces Matching the constraints in

885 views • 70 slides
ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and

ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and

ENERGY EFFICIENT SENSOR PLACEMENT FOR MONITORING STRUCTURAL HEALTH Mohammed Najeeb A 1, * and Vrinda Gupta 2 1 M.Tech Student, Department of Electronics and Communication Engineering, National Institute of Technology Kurukshetra, Haryana, India;

194 views • 15 slides
Mul$-Modal Bayesian Embeddings for Learning Social Knowledge

Mul$-Modal Bayesian Embeddings for Learning Social Knowledge

Mul$-Modal Bayesian Embeddings for Learning Social Knowledge Graphs Zhilin Yang 12 , Jie Tang 1 , William W. Cohen 2 1 Tsinghua University 2 Carnegie Mellon

520 views • 40 slides
Non-uniform Self-Moduli Peter Gerdes Group in Logic University of California, Berkeley 2007-08

Non-uniform Self-Moduli Peter Gerdes Group in Logic University of California, Berkeley 2007-08

Background Uniform Moduli Nonuniform Moduli Non-uniform Self-Moduli Peter Gerdes Group in Logic University of California, Berkeley 2007-08 ASL Winter Meeting Peter Gerdes Non-uniform Self-Moduli Background Uniform Moduli Nonuniform

924 views • 61 slides
DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible

DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible

DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible Questions? Today: Congruences Chinese Remainder Theorem Modular Exponents Hill Cipher implementation Encryption Easy to do in MATLAB.

466 views • 14 slides
Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10

Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10

Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10 mod 9 = 1 0 2 mod 9 = 2 11 mod 9 = 2 8 1 3 mod 9 = 3 12 mod 9 = 3 7 2 4 mod 9 = 4 13 mod 9 = 4 5 mod 9 = 5 14 mod 9 = 5 6 3 6 mod 9 =

212 views • 8 slides
Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B.

Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B.

Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B. Collins - H. Felice J. Krishnan D. Dietderich Parameters affecting the gap sizes Winding tension relaxation winding tension Young

171 views • 6 slides

More recommend