The Learning With Errors Problem Oded Regev Tel Aviv University (for more details, see the survey paper in the proceedings) Cambridge, 2010/6/11
Overview
Learning With Errors (LWE) Problem A secret vector s in 174 We are given an arbitrary number of equations, each correct up to 1 Can you find s?
LWE’s Claim to Fame Known to be as hard as worst-case lattice problems, which are believed to be exponentially hard (even against quantum computers) Extremely versatile Basis for provably secure and efficient cryptographic constructions
LWE’s Origins The problem was first defined in [R05] Already (very) implicit in the first work on lattice-based public key cryptography [AjtaiDwork97] (and slightly more explicit in [R03])
LWE – More Precisely There is a secret vector s in qn An oracle (who knows s) generates a uniform vector a in qn and noise e distributed normally with standard deviation q. The oracle outputs (a, b=a,s+e mod q) This procedure is repeated with the same s and fresh a and e Our task is to find s 2 13 7 3 • 8 1 13 + = 3 4 7 9 1 -1 12 12 6 14 5 11 2 3 5
LWE – Parameters: n, q, The main parameter is n, the dimension The modulus q is typically poly(n) Choosing exponential q increases size of input and makes applications much less efficient (but hardness is somewhat better understood) (The case q=2 is known as Learning Parity with Noise (LPN)) The noise element e is chosen from a normal distribution with standard deviation q (rounded to the nearest integer): The security proof requires q>n The noise parameter is typically 1/poly(n) The number of equations does not really matter q=113 =0.05
Algorithms solving LWE
Algorithm 1: More Luck Than Sense Ask for equations until seeing several “s1…”. E.g., This allows us to deduce s1 and we can do the same for the other coordinates Running time and number of equations is 2O(nlogn)
Algorithm 2: Maximum Likelihood Easy to show: After about O(n) equations, the secret s is the only assignment that approximately satisfies the equations (hence LWE is well defined) We can therefore find s by trying all possible qn assignments We obtain an algorithm with running time qn=2O(nlogn) using only O(n) equations
Algorithm 3: [BlumKalaiWasserman’03] Running time and number of equations is 2O(n) Best known algorithm for LWE (with usual setting of parameters)
Algorithm 4: [AroraGe’10] Running time and number of equations is 2O((q)2) So for q<n, this gives a sub-exponential algorithm Interestingly, the LWE hardness proof [R05] requires q>n; only now we ‘know’ why! Idea: apply a polynomial that zeroes the noise, and solve by linearization
Simple Cryptosystem
Public Key Encryption Based on LWE Secret Key: s in qn Public Key: A in qmn , b=As+e (where m=2n·logq) A s e b + = To encrypt a single bit z{0,1}: Pick r in {0,1}m and send (rA, r·b+z·q/2) r A r b + q/2 ,
Proof of Semantic Security b r A r b + z + = A b r A b 2. If A,b is truly random, then the distribution of (rA, r·b) (over r chosen from {0,1}m) is statistically extremely close to uniform so decryption is impossible 1. The public key is pseudo-random: based on LWE
Lattices For vectors v1,…,vn in Rn we define the lattice generated by them as ={a1v1+…+anvn | ai integers} We call v1,…,vn a basis of v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1
Computational Problems on Lattices ‘Algebraic’ lattice problems are easy; ‘geometric’ problems are hard Shortest Vector Problem (GapSVP): given a lattice , approximate length of shortest (nonzero) vector1() to within Another lattice problem: SIVP. Asks to find n short linearly independent lattice vectors. v2 v1 3v2-4v1
Lattice Problems Are Hard Conjecture: for any =poly(n), GapSVP is hard Best known algorithms run in time 2n [AjtaiKumarSivakumar01, MicciancioVoulgaris10] Quantum computation doesn’t seem to help
LWE over Rings
Some Inefficiencies of LWE-Based Schemes + A s e b r A r b z + = public key is O(n2) encryption of 1 bit requires O(n2) (or O(n)) operations
Polynomial ring Polynomials Example: x3+2x2+1, we don’t care about x, but the coefficients Operations Addition: (x3+2x2+1) + (x+1) = x3+2x2+x + 2 Multiplication (x3+2x2+1)*(x+1) = x4+2x3+x + x3+2x2+1 = x4+3x3+2x3 +x + 1 Polynomial ring over finite field q[x]/xn+1 xn+1 is the quotient (like the modulus in mod operation), so that no polynomial has rank higher than n in the field q : also apply mod operation on the coefficients
Polynomial ring Example: 2[x]/xn+1 equivalent to n bit binary representation Addition of polynomials result in the same result as binary addition Multiplication also applies Important to homomorphic addition/multiplication
The Ring-LWE Problem Let R be the ring q[x]/xn+1 The secret s is now an element in R The elements a are chosen uniformly from R The coefficients of the noise polynomial e are chosen as small independent normal vars a s e b 2 8 1 8 13 3 -1 1 * + = 7 12 2 16 3 5 -1 6 (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk = aks+ek) Ring-LWE Solver s
Ring-LWE – Known Results [LyubashevskyPeikertR10] show that Ring-LWE is as hard as (quantumly) solving the standard lattice problem SIVP (on ideal lattices) The proof is by adapting [R05]‘s proof to rings; only the classical part needs to be changed A qualitatively weaker result was independently shown by [Stehlé SteinfeldTanakaXagawa09] using different techniques of independent interest. [LPR10] also show that decision Ring-LWE is as hard as (search) Ring-LWE Proof is quite non-trivial! Finally [LPR10] show how this can be used to construct very efficient cryptographic applications Many more details in the survey paper!
Ring-LWE public-key Let R be the ring q[x]/xn+1 n = 2^m, related to security level, q is poly(n) Random sample a1, s 2 R e 2 R, coefficients are randomly from discrete normal distribution Secret key: s Public key (a0 = -(a*s + te), a1), t is prime to q, e.g., t=2, representing the message space t[x]/xn+1 Encryption: sample u, g, h from discrete normal distribution polynomials ciphertext: (c0, c1) = (a0*u + t*g + m, a1*u+t*h), m in t[x]/xn+1 Decryption: m’ = c0+c1*s = a0*u + t*g + m + (a1*u+t*h)*s = m + t(g+h*s-e*u) m = m’ mod t
Decryption:
Homomorphic operation c = (c0, c1), c’ = (c0’, c1’) Addition: (c0+c0’, c1 + c1’) = (a0*(u+u’) + t*(g+g’) + m+m’, a1*(u+u’) + t*(h+h’))
Homomorphic operation c = (c0, c1), c’ = (c0’, c1’) multiplication: (c0+c1*X)*(c0’ + c1’*X) = c0*c0’ + (c1*c0’+c0*c1’)X + c1*c1’ *X2 Represented as (c0*c0’, c1*c0’+c0*c1’, c1*c1’)
Decrypting multiplication result (c0, c1, c2): c2. s2 + c1. s + c0 = t Decrypting multiplication result (c0, c1, c2): c2*s2 + c1*s + c0 = t*emul + m*m’
relinearization Converting the 3-tuple (c0, c1, c2) back to the 2-tuple (c0, c1) representation, with relinearization Error increases dramatically with each multiplication