Slide1
Background: Lattices and the Learning-with-Errors problem
China Summer School on Lattices and Cryptography, June 2014
Slide2
Starting Point: Linear Equations
It is easy to solve a linear system of equations: given A and b, find s. Solved using Gaussian elimination, Cramer's rule, etc.
[Regev 2005] Hard if we add a little noise: e is a noise vector; given A and b, find s and/or e.
Figure: the noiseless system A, s, b and the noisy system A, s, b, e.
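The contrast on this slide, as an added example (not code from the original deck): a square system over Z_q is solved exactly by Gauss-Jordan elimination, but running the same elimination on b + e returns s + A^{-1}e, which is a uniformly wrong answer. The modulus 97, dimension 4 and the noise range {-1, 0, 1} are constructed toy parameters.

```python
import random

Q = 97  # constructed toy modulus (prime, so every nonzero element is invertible)
N = 4   # number of unknowns = number of equations in this square toy system

def solve_mod_q(A, b, q=Q):
    """Solve A s = b (mod q) for a square matrix A by Gauss-Jordan elimination.
    Returns the solution vector, or None if A is singular mod q."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]          # augmented matrix [A | b]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % q), None)
        if pivot is None:
            return None                                        # no pivot: A is singular
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col] % q, -1, q)
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def matvec(A, s, q=Q):
    """A times s, reduced mod q."""
    return [sum(a * x for a, x in zip(row, s)) % q for row in A]

def make_instance(rng, n=N, q=Q):
    """Constructed sample: uniform invertible A, uniform secret s, noise e in {-1,0,1}^n, e != 0."""
    while True:
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        if solve_mod_q(A, [0] * n, q) is not None:             # keep only invertible A
            break
    s = [rng.randrange(q) for _ in range(n)]
    while True:
        e = [rng.choice([-1, 0, 1]) for _ in range(n)]
        if any(e):                                             # e = 0 would be noiseless
            break
    return A, s, e

def demo(seed=2014):
    """Returns (noiseless elimination recovers s, noisy elimination recovers s)."""
    rng = random.Random(seed)
    A, s, e = make_instance(rng)
    b = matvec(A, s)
    b_noisy = [(x + y) % Q for x, y in zip(b, e)]
    return solve_mod_q(A, b) == s, solve_mod_q(A, b_noisy) == s

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because A is invertible and e is nonzero, A^{-1}e is nonzero mod q, so the noisy solve can never coincide with s; the point is that elimination has no way to separate e from As.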
Slide3
Learning with Errors (LWE) [R’05]
Parameters: q (modulus), n (dimension), m > n (# of samples)
Secret: a uniformly random vector s
Input: a random matrix A and a vector b, computed from A, s and a noise vector e chosen from some distribution s.t. whp b is close to the column space of A
Goal: discover s
Figure: A, s, e, b.
Slide4
Learning with Errors (LWE) [R’05]
1. Is it really hard to solve LWE? How hard? For what range of parameters?
2. Is it useful? Can we design cryptosystems with security based on the hardness of LWE?
We'll do #2 first, then #1
Slide5
Using LWE in Cryptography
Slide6
The Decision-LWE Problem
A more useful variant of LWE:
Same parameters q, n, m
Input: same A and b. A is still a uniform random matrix; either b is computed as before, or b is uniform
Goal: distinguish b from uniform
I.e., given A, b, decide if b is "unusually close" to the column space of A
Figure: b, A.
Slide7
Search vs. Decision LWE
Clearly, if we can solve the search problem then we can also solve the decision problem:
Try to solve the search problem on A, b. If successful then b is close to the column space of A, otherwise b is random.
More interesting: if we can solve decision, then we can also solve the search problem. But the complexity grows by a factor of q, so this reduction only works for small (polynomial) q.
Slide8
Reducing Search to Decision LWE
Assume that we have a distinguisher D that can tell whether b is an LWE vector or is random
Say for now that D succeeds with probability close to 1
We construct a solver S that finds s
For every coordinate index of s and every candidate value, S will use D to determine whether that coordinate of s equals that value
Slide9
Reducing Search to Decision LWE
Given A and b, test whether a given coordinate of s equals a given candidate value:
Choose a vector uniformly at random
Add it to the corresponding column of A; this gives a matrix that is uniformly random because A is
Add the candidate value times the random vector to b; this gives a new vector
Slide12
Reducing Search to Decision LWE
Given A and b, test whether a given coordinate of s equals a given candidate value:
Choose a random vector and compute the modified A and b as above, such that:
If the guess is right then we get an LWE instance with the same secret s
Otherwise the modified b is uniform (because the random vector is uniform)
Use the distinguisher D to tell which case it is
This will tell us whether the guess was right
Slide13
Reducing Search to Decision LWE
The reduction assumes that D is always right
Can be extended to a distinguisher D with polynomially small advantage
The reduction works in time linear in q
Can be refined to work in time depending on the prime factors of q rather than on q itself
So the reduction can be efficient even for large q, as long as q is smooth
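The search-to-decision reduction of Slides 8-13, as an added example that is not from the original deck: for each coordinate i of s and each candidate k in Z_q it adds a uniform vector r to column i of A and k*r to b, then asks D. If s_i = k the new pair is an LWE instance for the same s (the e is unchanged); otherwise the new b is uniform. The distinguisher here is a stand-in that is "always right" (the slide's simplifying assumption); it is given s only so it can be emulated, and the reduction itself never reads s. Parameters q = 17, n = 3, m = 10 and noise in {-1, 0, 1} are constructed.

```python
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def matvec(A, s, q):
    return [sum(a * x for a, x in zip(row, s)) % q for row in A]

def lwe_instance(rng, n, m, q):
    """Constructed LWE sample: uniform A (m x n), uniform s, e in {-1,0,1}^m, b = A s + e mod q."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice([-1, 0, 1]) for _ in range(m)]
    b = [(x + y) % q for x, y in zip(matvec(A, s, q), e)]
    return A, s, e, b

def perfect_distinguisher(s, q, bound=1):
    """Stand-in for the decision oracle D (assumed always right). It is handed s
    purely to emulate such an oracle; search_from_decision treats D as a black box."""
    def D(A, b):
        return all(abs(centered(v - w, q)) <= bound for v, w in zip(b, matvec(A, s, q)))
    return D

def search_from_decision(A, b, q, D, rng):
    """Recover s coordinate by coordinate, with q calls to D per coordinate."""
    m, n = len(A), len(A[0])
    s_found = []
    for i in range(n):
        hits = []
        for k in range(q):
            r = [rng.randrange(q) for _ in range(m)]        # uniform vector
            A2 = [row[:] for row in A]
            for j in range(m):
                A2[j][i] = (A2[j][i] + r[j]) % q             # column i of A += r
            b2 = [(bj + k * rj) % q for bj, rj in zip(b, r)]  # b += k * r
            # b2 - A2 s = e + (k - s_i) r: equals e iff the guess k == s_i
            if D(A2, b2):
                hits.append(k)
        if len(hits) != 1:
            raise ValueError(f"coordinate {i}: ambiguous answers {hits}")
        s_found.append(hits[0])
    return s_found

def demo(seed=2014, n=3, m=10, q=17):
    rng = random.Random(seed)
    A, s, e, b = lwe_instance(rng, n, m, q)
    D = perfect_distinguisher(s, q)
    return search_from_decision(A, b, q, D, rng) == s

if __name__ == "__main__":
    print(demo())  # True
```

The loop over k is what makes the cost grow by a factor of q; the refinement on Slide 13 replaces it by work per prime factor of q.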
Slide14
A Useful Variant of LWE
Instead of choosing the secret s uniformly, choose it from the same distribution as the noise e
So s is small
Theorem [ACPS'09]: Uniform-secret LWE is equivalent to small-secret LWE
Solving one implies solving the other
Slide15
Uniform- vs. Small-secret LWE
Easy direction: If we can solve uniform-secret LWE then we can solve small-secret LWE
We are given A and b, where s is a small secret
Choose a uniformly random vector and shift the secret by it, adjusting b accordingly
The shifted secret is uniform (because the random vector is uniform)
So the adjusted pair is an instance of uniform-secret LWE
Solving it, we get the shifted secret and can compute s
Slide16
Uniform- vs. Small-secret LWE
Hard direction: If we can solve small-secret LWE then we can solve uniform-secret LWE
But the parameter m changes: for solving uniform-secret LWE, we would need to solve small-secret LWE with a different number of samples
We are given A and b, where s is a uniform secret
Find n linearly-independent rows of A; such rows exist with high probability
Assume that these are the first n rows
Slide17
Uniform- vs. Small-secret LWE
Use the first n rows of A (an invertible block) to eliminate s from the remaining rows of A and b
Because the first n rows are invertible, what remains is an instance of short-secret LWE
The secret of this instance is the noise on the first n rows, drawn from the error distribution
Solving it we get that noise, then compute s from the first n rows of A and b
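The hard direction of Slides 16-17, as an added example (not the deck's own code). The slide's formulas did not survive extraction, so the concrete mapping below is my reconstruction of the ACPS transformation: with A1, b1 the first n rows and A2, b2 the rest, set T = A2 * A1^{-1} and b' = b2 - T*b1; then b' = T*(-e1) + e2, a small-secret instance with secret -e1 and m - n samples. A small-secret solver is not implemented (that would be the hard problem); instead the demo feeds the known -e1 in as "the solver's output" and checks both that b' has exactly that shape and that s is recovered as A1^{-1}(b1 - e1). Parameters are constructed.

```python
import random

def centered(x, q):
    x %= q
    return x - q if x > q // 2 else x

def matvec(A, v, q):
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]

def matmul(X, Y, q):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_inv_mod(A, q):
    """Inverse of a square matrix mod prime q by Gauss-Jordan on [A | I]; None if singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col] % q, -1, q)
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]

def lwe_instance(rng, n, m, q):
    """Constructed uniform-secret instance: b = A s + e mod q with e in {-1,0,1}^m."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice([-1, 0, 1]) for _ in range(m)]
    b = [(x + y) % q for x, y in zip(matvec(A, s, q), e)]
    return A, s, e, b

def to_small_secret(A, b, n, q):
    """Assumes the first n rows of A are invertible mod q (the slide's assumption).
    Returns the derived small-secret instance (T, b') plus A1^{-1} and b1 for the final step."""
    A1, A2 = A[:n], A[n:]
    b1, b2 = b[:n], b[n:]
    A1_inv = mat_inv_mod(A1, q)
    T = matmul(A2, A1_inv, q)                                   # T = A2 * A1^{-1}
    b_prime = [(x - y) % q for x, y in zip(b2, matvec(T, b1, q))]  # b2 - T b1 = T(-e1) + e2
    return T, b_prime, A1_inv, b1

def recover_uniform_secret(A1_inv, b1, small_secret, q):
    """small_secret is -e1 (what a small-secret solver would return); s = A1^{-1}(b1 - e1)."""
    e1 = [(-x) % q for x in small_secret]
    return matvec(A1_inv, [(x - y) % q for x, y in zip(b1, e1)], q)

def demo(seed=2014, n=3, m=7, q=31):
    rng = random.Random(seed)
    while True:                                   # resample until the first n rows are invertible
        A, s, e, b = lwe_instance(rng, n, m, q)
        if mat_inv_mod(A[:n], q) is not None:
            break
    T, b_prime, A1_inv, b1 = to_small_secret(A, b, n, q)
    e1, e2 = e[:n], e[n:]
    small_secret = [(-x) % q for x in e1]         # stands in for the small-secret solver's answer
    residual = [centered(x - y, q) for x, y in zip(b_prime, matvec(T, small_secret, q))]
    return residual == e2, recover_uniform_secret(A1_inv, b1, small_secret, q) == s

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The derived instance has m - n rows, which is the parameter change the slide mentions: n samples are consumed to turn the uniform secret into the small one.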
Slide18
Regev’s
Cryptosystem [R’05]
Secret key: a vector s
Public key: a matrix and a vector; denote by A the matrix with the vector appended as an extra column
If decision-LWE is hard then A is pseudorandom
Denote by the extended secret the vector s extended by one coordinate, so that A times the extended secret is the (small) noise vector
Encrypt (a bit): choose a random small (0-1) vector and output as the ciphertext its product with A, with the plaintext bit encoded into the last coordinate
Decrypt: compute the inner product of the ciphertext with the extended secret (mod q); output 0 if the result is small, else output 1
Slide19
Regev’s Cryptosystem [R’05]
Correctness: the inner product equals the encoded plaintext plus a small term (since the random vector is a 0-1 vector and the noise is small)
If the plaintext bit is 0 then the result is small; if it is 1 then it is large
Security: recall that A is pseudo-random
We show that if A was random then the ciphertext would be statistically close to uniform, regardless of the plaintext
Slide20
Regev’s Cryptosystem [R’05]
The Leftover Hash Lemma [HILL'99] implies the following corollary: if m is large enough then the two distributions (A together with a random 0-1 vector times A) and (A together with a uniform vector) are statistically close (up to a small statistical distance)
For a random A, the product of a random 0-1 vector with A is close to uniform, even conditioned on A
And therefore so is the ciphertext
If A is pseudorandom, so is the ciphertext
Slide21
A Useful Variant of the Cryptosystem
Encrypt: the plaintext bit itself is placed in the last coordinate, instead of the encoding from before; the plaintext is encoded in the LSB rather than the MSB
Decrypt: compute the inner product with the extended secret, then reduce it mod 2; the result is small, so no mod-q reduction is needed
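Regev's cryptosystem from Slides 18-19 and the LSB variant of Slide 21, as one added example (not the deck's code). The public key is P = [A | b] with b = A s + e, the extended secret is (-s, 1) so that P times it is e, a ciphertext is r*P for a random 0-1 vector r with the bit added into the last coordinate (as bit*floor(q/2) for the MSB scheme, as bit for the LSB scheme), and decryption takes the inner product with the extended secret. For the LSB variant I assume the key is generated with noise 2e, so the inner product is 2(r*e) + bit and its parity is the bit; that choice is mine, the slide only says "mod 2". Parameters q = 257, n = 8, m = 20 and noise in {-1, 0, 1} are constructed so that |r*e| <= 20 stays below q/4 (MSB) and 2*20 + 1 stays below q/2 (LSB).

```python
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def matvec(A, s, q):
    return [sum(a * x for a, x in zip(row, s)) % q for row in A]

def vecmat(r, P, q):
    """Row vector r times matrix P (mod q)."""
    return [sum(ri * P[i][j] for i, ri in enumerate(r)) % q for j in range(len(P[0]))]

def keygen(rng, n, m, q, lsb=False):
    """Public key P = [A | b], secret (-s, 1). With lsb=True the noise is 2e (my assumption)."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice([-1, 0, 1]) for _ in range(m)]
    scale = 2 if lsb else 1
    b = [(x + scale * y) % q for x, y in zip(matvec(A, s, q), e)]
    P = [row + [bi] for row, bi in zip(A, b)]     # the matrix with b appended as a column
    s_ext = [(-x) % q for x in s] + [1]           # P * s_ext = scale * e  (mod q)
    return P, s_ext

def encrypt(rng, P, bit, q, lsb=False):
    r = [rng.randrange(2) for _ in range(len(P))]  # random 0-1 vector
    c = vecmat(r, P, q)                            # r * P: close to uniform by the LHL
    c[-1] = (c[-1] + (bit if lsb else bit * (q // 2))) % q   # LSB vs MSB encoding
    return c

def decrypt(c, s_ext, q, lsb=False):
    v = centered(sum(x * y for x, y in zip(c, s_ext)), q)   # = r*e + bit*q//2  or  2(r*e) + bit
    if lsb:
        return v % 2                               # parity, no mod-q wraparound occurred
    return 0 if abs(v) < q // 4 else 1             # closer to 0 or to q/2?

def demo(seed=2014, n=8, m=20, q=257, trials=50):
    """Returns (all MSB-scheme decryptions correct, all LSB-scheme decryptions correct)."""
    rng = random.Random(seed)
    results = []
    for lsb in (False, True):
        P, s_ext = keygen(rng, n, m, q, lsb)
        bits = [rng.randrange(2) for _ in range(trials)]
        results.append(all(decrypt(encrypt(rng, P, bit, q, lsb), s_ext, q, lsb) == bit
                           for bit in bits))
    return tuple(results)

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The security argument on Slides 19-20 is visible in `encrypt`: everything about the ciphertext except the last-coordinate offset is r*P, which the Leftover Hash Lemma makes close to uniform when P is random and m is large enough, and P is pseudorandom under decision-LWE.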
Slide22
The Hardness of LWE
Slide23
Lattices and Hard Problems
A lattice is just a discrete additive subgroup of R^n.
Slide24
Lattices
Figure: one lattice with two bases, v1, v2 and v1', v2'.
Lattice of rank n = set of all integer linear combinations of n linearly independent basis vectors.
Slide25
Lattices
A lattice has infinitely many bases
They are related by unimodular matrices (integer matrices with determinant ±1)
All bases have the same determinant (up to sign); this quantity is the determinant of the lattice
Given any set of vectors that span the lattice, one can compute a canonical basis: the Hermite normal form (HNF)
Slide26
Lattices
A "good basis" has all small vectors, "close to orthogonal" to each other
Typically the HNF is a "bad" basis
Minkowski's theorems: a rank-n lattice with a given determinant has a non-zero vector whose length is bounded in terms of the determinant, and n linearly independent vectors satisfying a similar bound
Also a basis of vectors of similar sizes
Lattice reduction: given a "bad" basis, find a "good" one for the same lattice
Slide27
Lattices and Hard Problems
Figure: one lattice with a good basis v1, v2 and a bad basis v1', v2'.
Given some basis of L, it may be hard to find a good basis of L.
Hard to solve the (approximate) shortest/closest vector problems.
Slide28
Hard Problems
Given a basis B for a lattice L = L(B):
Shortest-Vector Problem (SVP): find the shortest nonzero vector in L(B), or maybe just compute the length of such a vector
Shortest Independent-Set Problem (SIVP): find n linearly independent vectors in L(B) that minimize the length of the longest one, or maybe just compute that quantity
Also approximation versions: find a nonzero lattice vector whose length is within the approximation factor of the shortest, and find n linearly independent lattice vectors whose lengths are within the approximation factor of the smallest possible
Slide29
Hard Problems: What’s Known?
The [LLL'82] algorithm and its variants can approximate SVP up to exponential factors
NP-hard to approximate SVP up to small factors, but not for larger ones
Roughly: approximating up to a better factor takes more time (a trade-off between the approximation factor and the running time)
Practically we can perhaps approximate SVP up to moderate factors but not much better, at least for moderate n's
Similar for SIVP
Slide30
LWE and Lattices
Consider the matrix A. Its column space mod q is a rank-m lattice, spanned (mod q) by the columns of A: a discrete additive subgroup of Z^m
Can compute its HNF basis
b is close to this lattice: As is in the lattice, at distance |e| from b
We have a bound on |e| whp
If we find e, we can solve for s
Slide31
Bounded Distance Decoding (BDD)
Input: a basis B, another point, and a distance bound
Goal: find a lattice point within that distance of the given point
Solving BDD implies solving LWE
Thm [Babai'86, GPV'08]: Solving SIVP implies solving BDD
Given a basis for L consisting of short vectors, one can solve BDD up to a distance that depends on how short the basis vectors are
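Slide 25 (bases related by unimodular matrices share a determinant) and Slide 31 (a short basis solves BDD, the HNF-style basis does not), as one added example that is not from the deck. It uses Babai's round-off algorithm: write the target in the basis coordinates, round each coordinate to the nearest integer, and map back. The 2-D lattice, the good basis (6,1), (1,7), the unimodular U and the perturbation are constructed; the "bad" basis is GOOD * U, so it generates the same lattice.

```python
from fractions import Fraction

def det2(B):
    """Determinant of a 2x2 integer matrix."""
    return B[0][0] * B[1][1] - B[0][1] * B[1][0]

def matmul2(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def apply(B, x):
    """B times the coefficient vector x (the columns of B are the basis vectors)."""
    return [B[0][0] * x[0] + B[0][1] * x[1], B[1][0] * x[0] + B[1][1] * x[1]]

def coords(B, t):
    """Exact rational coefficients x with B x = t (2x2 inverse via the adjugate)."""
    d = det2(B)
    return [Fraction(B[1][1] * t[0] - B[0][1] * t[1], d),
            Fraction(-B[1][0] * t[0] + B[0][0] * t[1], d)]

def babai_round(B, t):
    """Babai round-off: round the coordinates of t in basis B and map back to the lattice."""
    return apply(B, [round(c) for c in coords(B, t)])

GOOD = [[6, 1], [1, 7]]     # good basis: v1 = (6,1), v2 = (1,7), short and nearly orthogonal
U = [[16, 5], [3, 1]]       # constructed unimodular matrix, det = 1
BAD = matmul2(GOOD, U)      # bad basis of the same lattice: (99,37), (31,12)

def demo():
    """Returns (determinants agree, good basis decodes, bad basis decodes)."""
    lattice_point = apply(GOOD, [2, 3])                       # (15, 23)
    noise = [Fraction(2, 5), Fraction(-3, 10)]                # constructed small perturbation
    t = [p + n for p, n in zip(lattice_point, noise)]         # BDD target near the lattice
    same_det = abs(det2(GOOD)) == abs(det2(BAD)) == 41 and abs(det2(U)) == 1
    return (same_det,
            babai_round(GOOD, t) == lattice_point,
            babai_round(BAD, t) == lattice_point)

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

With the bad basis the target's true coordinates are (-13, 42) and rounding lands on (-13, 41), which is off by a whole basis vector (31, 12): the long, skewed basis vectors make the rounding region far wider than the perturbation, which is exactly why the decodable distance in the theorem depends on the basis length.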
Slide32
LWE and Lattices
Thm [Reg'05, Pei'09]: Solving LWE implies solving SIVP, SVP
An LWE-solver with a given error bound implies a quantum algorithm for approximating SIVP up to a poly factor (depending on the error bound), or a classical algorithm for approximating SVP up to a poly factor
Slide33
Summary
Learning with Errors is a hard problem
For some parameters, it can be shown to be as hard as some well-known lattice problems
Even for other settings, we don't know how to solve it
The only known attacks use lattice reduction, and these only work for some parameter ranges
LWE is useful for cryptography, for example for public-key encryption with a simple decryption formula