Session #5: Learning With Errors. Chris Peikert, Georgia Institute of Technology (PowerPoint PPT presentation)


Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012

Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/15

Last Time. . .

◮ SIS: find “small” nontrivial $z_1, \dots, z_m \in \mathbb{Z}$ such that

$z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = 0 \in \mathbb{Z}_q^n$,

i.e. find “short” nonzero $z \in \mathbb{Z}^m$ such that $A z = 0 \in \mathbb{Z}_q^n$, where $A = [a_1 \mid \cdots \mid a_m] \in \mathbb{Z}_q^{n \times m}$.

◮ This talk: a complementary problem, Learning With Errors


Overview of LWE Hardness

◮ GapSVP, SIVP ≤ search-LWE (quantum reduction [R’05])

◮ GapSVP ≤ search-LWE (classical reduction, large q [P’09])

◮ search-LWE ≤ decision-LWE [BFKL’94, R’05, P’09, . . . ]

◮ decision-LWE ≤ crypto [R’05, PW’08, GPV’08, . . . ]


History of LWE

Crypto papers with “something new” regarding LWE:


Learning With Errors

[Regev’05]

◮ Dimension n (security param), modulus q ≥ 2, ‘error rate’ α ≪ 1

◮ Search: find $s \in \mathbb{Z}_q^n$ given ‘noisy random inner products’

$a_1 \leftarrow \mathbb{Z}_q^n,\; b_1 = \langle s, a_1 \rangle + e_1$

$a_2 \leftarrow \mathbb{Z}_q^n,\; b_2 = \langle s, a_2 \rangle + e_2$

. . .

In matrix form: $A = [a_1 \mid \cdots \mid a_m]$, $b^t = s^t A + e^t$.

Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$ with parameter $\alpha q$, where $\alpha \cdot q > \sqrt{n}$

◮ Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$ pairs

Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]

◮ Why error $\alpha q > \sqrt{n}$?

⋆ Required by worst-case hardness proofs [R’05,P’09]

⋆ There’s an $\exp((\alpha q)^2)$-time attack! [AG’11]


SIS versus LWE

SIS: $Az = 0$, ‘short’ $z \neq 0$

◮ ‘Computational’ (search) problem a la factoring, CDH

◮ Many valid solutions z

◮ LWE ≤ SIS: if $Az = 0$, then $b^t z = e^t z$ is small, whereas for uniform $b^t$ the value $b^t z$ is ‘well-spread’

◮ Applications: OWF / CRHF, signatures, ID schemes (‘minicrypt’)

LWE: $(A, b^t = s^t A + e^t)$ vs. uniform $(A, b^t)$

◮ ‘Decisional’ problem a la QR, DCR, DDH

◮ Unique solution s (w/ short e)

◮ SIS $\stackrel{??}{\leq}$ LWE (stay till Wed...)

◮ Applications: PKE, OT, ID-based encryption, FHE (‘CRYPTOMANIA’)


SIS versus LWE

SIS: $Az = 0$, ‘short’ $z \neq 0$. Average-case SVP on the lattice $\mathcal{L}^\perp(A) = \{ z \in \mathbb{Z}^m : Az = 0 \}$ (the slide draws this lattice with the points $O$, $(0, q)$, $(q, 0)$ marked)

LWE: $(A, b^t = s^t A + e^t)$ vs. $(A, b^t)$. Average-case BDD on the lattice $\mathcal{L}(A) = \{ z^t \equiv s^t A \bmod q \}$


Warm-Up: Simple Properties of LWE

1 Check a candidate solution $s' \in \mathbb{Z}_q^n$: test if all $b - \langle s', a \rangle$ are ‘small.’ If $s' \neq s$, then $b - \langle s', a \rangle = \langle s - s', a \rangle + e$ is ‘well-spread’ in $\mathbb{Z}_q$.

2 ‘Shift’ the secret by any $t \in \mathbb{Z}_q^n$: given $(a, b = \langle s, a \rangle + e)$, output $(a,\; b' = b + \langle t, a \rangle = \langle s + t, a \rangle + e)$. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negligible on uniform $s \leftarrow \mathbb{Z}_q^n$ ⇒ ≈ 1 on any $s \in \mathbb{Z}_q^n$.

3 Multiple secrets: $(a,\; b_1 \approx \langle s_1, a \rangle, \dots, b_t \approx \langle s_t, a \rangle)$ vs. $(a, b_1, \dots, b_t)$. Simple hybrid argument, since a’s are public.


Search/Decision Equivalence [BFKL’94,R’05]

◮ Suppose D solves decision-LWE: it ‘perfectly’ distinguishes between pairs $(a, b = \langle s, a \rangle + e)$ and uniform $(a, b)$. We want to solve search-LWE: given pairs $(a, b)$, find s.

◮ If q = poly(n), to find $s_1 \in \mathbb{Z}_q$ it suffices to test whether $s_1 \stackrel{?}{=} 0$, because we can shift $s_1$ by $0, 1, \dots, q - 1$. Same for $s_2, s_3, \dots, s_n$.

The test: for each (a, b), choose fresh $r \leftarrow \mathbb{Z}_q$. Invoke D on pairs $(a' = a - (r, 0, \dots, 0),\; b)$.

◮ Notice: $b = \langle s, a' \rangle + s_1 \cdot r + e$.

⋆ If $s_1 = 0$, then $b = \langle s, a' \rangle + e$ ⇒ D accepts.

⋆ If $s_1 \neq 0$ and q prime, then b is uniform ⇒ D rejects.

◮ Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
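The reduction above, together with the two warm-up properties it relies on (candidate checking and secret shifting), as an added Python example; this is my illustration, not code from the slides. It assumes toy parameters (prime q = 11, n = 3, m = 30), a rounded Gaussian error truncated to |e| ≤ 2, and stands in for the ‘perfect’ distinguisher D with an exponential-time brute-force consistency test that a real reduction would not have.

```python
import random
from itertools import product

# Toy parameters, chosen only so the brute-force stand-in for D runs quickly.
# They are far from secure; q must be prime for the reduction's "uniform" step.
Q, N, M = 11, 3, 30
SIGMA, BOUND = 1.0, 2          # rounded Gaussian error, truncated so |e| <= BOUND


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner(u, v, q=Q):
    """Inner product <u, v> mod q."""
    return sum(ui * vi for ui, vi in zip(u, v)) % q


def sample_error(rng, sigma=SIGMA, bound=BOUND):
    """chi: discrete (rounded) Gaussian over Z, rejection-truncated to [-bound, bound]
    so that the consistency test below has an exact bound to check against."""
    while True:
        e = round(rng.gauss(0, sigma))
        if abs(e) <= bound:
            return e


def lwe_samples(rng, s, m=M, q=Q):
    """m samples (a_i, b_i = <s, a_i> + e_i mod q) with a_i uniform in Z_q^n."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        out.append((a, (inner(s, a, q) + sample_error(rng)) % q))
    return out


def is_consistent(samples, cand, q=Q, bound=BOUND):
    """Warm-up property 1: cand == s iff every b - <cand, a> is 'small';
    for a wrong candidate the residual <s - cand, a> + e is well-spread in Z_q."""
    return all(abs(centered(b - inner(cand, a, q), q)) <= bound for a, b in samples)


def shift_secret(samples, t, q=Q):
    """Warm-up property 2: (a, b + <t, a>) are LWE samples for the secret s + t."""
    return [(a, (b + inner(t, a, q)) % q) for a, b in samples]


def brute_force_distinguisher(samples, q=Q, n=N):
    """Stand-in for the decision-LWE solver D (exponential time; toy sizes only).
    Accepts iff SOME secret in Z_q^n is consistent with every sample; a set of
    uniform (a, b) pairs passes this with negligible probability at m = 30."""
    return any(is_consistent(samples, list(c), q) for c in product(range(q), repeat=n))


def search_from_decision(samples, D, rng, q=Q, n=N):
    """[BFKL'94,R'05]: recover s from a decision oracle D, one coordinate at a time.
    To test s_i == g: shift the secret by -g in coordinate i (the secret becomes
    s' with s'_i = s_i - g), then replace a_i by a_i - r for fresh uniform r.
    The payload is now <s', a'> + (s_i - g) * r + e, which is an LWE sample iff
    s_i == g and uniform otherwise (q prime), so D decides the question."""
    s = []
    for i in range(n):
        for g in range(q):
            t = [0] * n
            t[i] = (-g) % q
            randomised = []
            for a, b in shift_secret(samples, t, q):
                a2 = list(a)
                a2[i] = (a2[i] - rng.randrange(q)) % q
                randomised.append((a2, b))
            if D(randomised):
                s.append(g)
                break
        else:
            raise ValueError("D accepted no value for coordinate %d" % i)
    return s


def demo(seed=1):
    """Build a random instance and run the reduction; returns (true s, recovered s)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    samples = lwe_samples(rng, s)
    return s, search_from_decision(samples, brute_force_distinguisher, rng)
```

Note that `search_from_decision` never reads the secret; only the brute-force stand-in for D does any search, and it is the part a real reduction would replace with the assumed decision solver.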


Decision-LWE with ‘Short’ Secrets

Theorem ([M’01,ACPS’09])

LWE is no easier if the secret is drawn from the error distribution $\chi^n$. (This is the ‘Hermite normal form’ of LWE.)

◮ Intuition: finding e ⇔ finding s: take $b^t - e^t = s^t A$, solve for s.

Transformation from secret $s \in \mathbb{Z}_q^n$ to secret $\bar{e} \leftarrow \chi^n$:

1 Draw samples to get $(\bar{A},\; \bar{b}^t = s^t \bar{A} + \bar{e}^t)$ for square, invertible $\bar{A}$.

2 Transform each additional sample $(a, b = \langle s, a \rangle + e)$ to

$a' = -\bar{A}^{-1} a,\quad b' = b + \langle \bar{b}, a' \rangle = \langle \bar{e}, a' \rangle + e.$

◮ This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
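The two-step transformation above as an added, runnable Python example (my code, not the slides’). It assumes prime q = 97, n = 4 and a rounded Gaussian for χ, and checks on a fresh sample that $b' - \langle \bar{e}, a' \rangle$ is exactly the original error e, i.e. that the new secret is $\bar{e}$.

```python
import random

Q, N = 97, 4            # toy parameters, not a secure instantiation; q prime
SIGMA = 2.0             # rounded-Gaussian error parameter (alpha*q in the slides)


def sample_error(rng, sigma=SIGMA):
    """chi: discrete Gaussian over Z, approximated by rounding."""
    return round(rng.gauss(0, sigma))


def inner(u, v, q=Q):
    return sum(x * y for x, y in zip(u, v)) % q


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inverse_mod(M, q=Q):
    """Gauss-Jordan inverse of a square matrix over Z_q (q prime); None if singular."""
    n = len(M)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [x * inv % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def matvec(M, v, q=Q):
    """M v for M given as a list of rows."""
    return [inner(row, v, q) for row in M]


class HNFTransform:
    """Step 1: consume LWE samples until their a's form a square invertible A_bar
    (column j of A_bar is a_j); remember b_bar^t = s^t A_bar + e_bar^t."""

    def __init__(self, sample_source, q=Q, n=N):
        self.q = q
        while True:
            cols = [sample_source() for _ in range(n)]
            A_bar = [[cols[j][0][i] for j in range(n)] for i in range(n)]
            inv = inverse_mod(A_bar, q)
            if inv is not None:          # singular with probability ~1/q: redraw
                break
        self.A_bar_inv = inv
        self.b_bar = [b for _, b in cols]

    def apply(self, a, b):
        """Step 2: (a, b = <s,a> + e) -> (a' = -A_bar^{-1} a, b' = b + <b_bar, a'>).
        Algebra: <b_bar, a'> = -s^t A_bar A_bar^{-1} a + <e_bar, a'>, so
        b' = <e_bar, a'> + e: same error e, new secret e_bar."""
        a2 = [(-x) % self.q for x in matvec(self.A_bar_inv, a, self.q)]
        return a2, (b + inner(self.b_bar, a2, self.q)) % self.q


def demo(seed=1):
    """Random instance; True iff b' - <e_bar, a'> equals the fresh sample's error e."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    errors = []                          # record of every error drawn, for checking only

    def source():
        a = [rng.randrange(Q) for _ in range(N)]
        e = sample_error(rng)
        errors.append(e)
        return a, (inner(s, a) + e) % Q

    t = HNFTransform(source)
    e_bar = errors[-N:]                  # errors of the n samples that built A_bar
    a, b = source()                      # one additional sample, error errors[-1]
    a2, b2 = t.apply(a, b)
    return centered(b2 - inner(e_bar, a2)) == errors[-1]
```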


Public-Key Cryptosystem [R’05]

(Images courtesy xkcd.org)

Key generation: $s \leftarrow \mathbb{Z}_q^n$, $A \leftarrow \mathbb{Z}_q^{n \times m}$, $b^t = s^t A + e^t$ (public key)

Encryption of a bit: $x \leftarrow \{0, 1\}^m$; $u = Ax$ (ciphertext ‘preamble’); $u' = b^t x + \mathrm{bit} \cdot \frac{q}{2}$ (‘payload’)

Decryption: $u' - s^t u \approx \mathrm{bit} \cdot \frac{q}{2}$

Security: $(A, b^t), (u, u')$ is pseudorandom: $(A, b^t)$ by LWE, and then $(u, u')$ by the LHL when $m \geq n \log q$


‘Dual’ Cryptosystem [GPV’08]

Key generation: $x \leftarrow \{0, 1\}^m$, $A \leftarrow \mathbb{Z}_q^{n \times m}$, $u = Ax$ (public key, uniform when $m \geq n \log q$)

Encryption of a bit: $s \leftarrow \mathbb{Z}_q^n$; $b^t = s^t A + e^t$ (ciphertext ‘preamble’); $b' = s^t u + e' + \mathrm{bit} \cdot \frac{q}{2}$ (‘payload’)

Decryption: $b' - b^t x \approx \mathrm{bit} \cdot \frac{q}{2}$

Security: $(A, u), (b, b')$ is pseudorandom by LWE


Primal vs. Dual Systems

Primal

◮ pk = $(A, b^t = s^t A + e^t)$ is pseudorandom with unique sk = s

◮ c’text $(u = Ax, u' \approx s^t u)$ is a fresh LWE sample, with many possible Enc coins x

◮ security: encrypting to ‘malformed’ pk = $(A, b^t)$ induces uniform ciphertext

Dual

◮ pk = $(A, u = Ax)$ is statistically random with many possible sk = x

◮ c’text $(b, b') \approx s^t (A, u)$ is many LWE RHS’s, with unique Enc coins s, e

◮ security: switch ciphertext to uniform using LWE

(shared) A size: $n \times (n \log q)$ elements of $\mathbb{Z}_q$

(user) pk & ct size: $n \log q$ & n elements, or vice-versa


Most Efficient Cryptosystem [A’03,LPS’10,LP’11]

Key generation: $s \leftarrow \chi^n$, $A \leftarrow \mathbb{Z}_q^{n \times n}$, $u^t = s^t A + e^t$ (public key)

Encryption of a bit: $r \leftarrow \chi^n$; $b = Ar + x$ (ciphertext ‘preamble’); $b' = u^t r + x' + \mathrm{bit} \cdot \frac{q}{2}$ (‘payload’)

Decryption: $b' - s^t b \approx \mathrm{bit} \cdot \frac{q}{2}$

Security: $(A, u, b, b')$ is pseudorandom by LWE (HNF) for the public key, and again by LWE (HNF) for the ciphertext
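Both bit-encryption schemes, the primal system [R’05] from the earlier slide and the short-secret system above, as one added Python example (mine, not the slides’ or the papers’ code). It assumes toy parameters q = 257, n = 8, m = 64, a rounded Gaussian for χ with $x, x' \leftarrow \chi$ in the second scheme, and uses $\lfloor q/2 \rfloor$ as the payload offset.

```python
import random

# Toy parameters (illustrative only; real instantiations need n in the hundreds).
Q, N = 257, 8
M = 64                    # m >= n log q so that u = Ax is uniform (leftover hash lemma)
SIGMA = 1.0               # error parameter alpha*q of chi (rounded Gaussian over Z)


def chi(rng, sigma=SIGMA):
    return round(rng.gauss(0, sigma))


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner(u, v, q=Q):
    return sum(a * b for a, b in zip(u, v)) % q


def matvec(A, v, q=Q):
    """A v for A given as a list of rows."""
    return [inner(row, v, q) for row in A]


def vecmat(v, A, q=Q):
    """v^t A for A given as a list of rows."""
    return [sum(v[i] * A[i][j] for i in range(len(v))) % q for j in range(len(A[0]))]


def decode(value, q=Q):
    """Recover a bit from a value that is bit * q/2 plus a small error."""
    return 1 if abs(centered(value, q)) > q // 4 else 0


# --- Primal cryptosystem [R'05]: pk = (A, b^t = s^t A + e^t), sk = s -------------
def primal_keygen(rng, n=N, m=M, q=Q):
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e = [chi(rng) for _ in range(m)]
    b = [(bi + ei) % q for bi, ei in zip(vecmat(s, A, q), e)]
    return (A, b), s


def primal_encrypt(rng, pk, bit, q=Q):
    A, b = pk
    x = [rng.randrange(2) for _ in range(len(b))]        # x <- {0,1}^m
    u = matvec(A, x, q)                                  # preamble u = A x
    u2 = (inner(b, x, q) + bit * (q // 2)) % q           # payload u' = b^t x + bit*q/2
    return u, u2


def primal_decrypt(sk, ct, q=Q):
    u, u2 = ct
    return decode(u2 - inner(sk, u, q), q)               # u' - s^t u = e^t x + bit*q/2


# --- Most efficient cryptosystem [A'03,LPS'10,LP'11]: short secret, square A ----
def lp_keygen(rng, n=N, q=Q):
    s = [chi(rng) for _ in range(n)]                     # s <- chi^n (HNF form)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    e = [chi(rng) for _ in range(n)]
    u = [(ui + ei) % q for ui, ei in zip(vecmat(s, A, q), e)]   # u^t = s^t A + e^t
    return (A, u), s


def lp_encrypt(rng, pk, bit, q=Q):
    A, u = pk
    n = len(u)
    r = [chi(rng) for _ in range(n)]                     # r <- chi^n
    x = [chi(rng) for _ in range(n)]                     # x <- chi^n (assumption)
    b = [(bi + xi) % q for bi, xi in zip(matvec(A, r, q), x)]   # b = A r + x
    b2 = (inner(u, r, q) + chi(rng) + bit * (q // 2)) % q       # b' = u^t r + x' + bit*q/2
    return b, b2


def lp_decrypt(sk, ct, q=Q):
    b, b2 = ct
    return decode(b2 - inner(sk, b, q), q)    # b' - s^t b = e^t r + x' - s^t x + bit*q/2


def roundtrip(seed, bits):
    """Encrypt and decrypt each bit under both schemes; returns the two decrypted lists."""
    rng = random.Random(seed)
    pk1, sk1 = primal_keygen(rng)
    pk2, sk2 = lp_keygen(rng)
    out1 = [primal_decrypt(sk1, primal_encrypt(rng, pk1, bit)) for bit in bits]
    out2 = [lp_decrypt(sk2, lp_encrypt(rng, pk2, bit)) for bit in bits]
    return out1, out2
```

With these parameters the decryption error terms ($e^t x$, and $e^t r + x' - s^t x$) stay far below $q/4 = 64$, so every bit decodes correctly.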


When We Come Back. . .

◮ A different kind of LWE application: Efficient pseudorandom functions

Selected bibliography for this talk:

R’05 O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” STOC’05 / JACM’09.

GPV’08 C. Gentry, C. Peikert, V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” STOC’08.

ACPS’09 B. Applebaum, D. Cash, C. Peikert, A. Sahai, “Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems,” CRYPTO’09.

LPS’10 V. Lyubashevsky, A. Palacio, G. Segev, “Public-Key Cryptographic Primitives Provably as Secure as Subset Sum,” TCC’10.

LP’11 R. Lindner, C. Peikert, “Better Key Sizes (and Attacks) for LWE-Based Encryption,” CT-RSA’11.
