Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai

2 Need Good Randomness Crucially need ideal randomness in many areas, eg. cryptography However, often deal with imperfect randomness physical sources, biometric data, partial knowledge about secrets… Can we “extract” good randomness from ill-behaved random variables? EXTRACTORS (NZ96) Yes!

Classic Leftover Hash Lemma  Universal Hash Family H = { h: X  Y } For all x ≠ y Pr h [ h(x) = h(y) ] = 1/| Y |  Leftover Hash Lemma (HILL) : Universal hash functions yield good extractors ( h(x), h) ≈ (U, h)

Classic use of LHL Universal Hash Function : Inner Product over finite field  H = { h a : Z q m  Z q }  Pick a 1 …..a m uniformly over Z q  Define h a (x) = Σ a i x i mod q h a (x) uniform over Z q Simple, useful randomness extractor !

Discrete Gaussian LHL ? What if target distribution we need is discrete Gaussian instead of uniform? What if domain is infinite ring instead of finite field? When do generalized subset sums of lattice points yield nice discrete Gaussians ?

You ask … What are discrete Gaussians ? Why do we care ?

Because they help us build “Multilinear Maps” from lattices (GGH12)!

WHAT ARE DISCRETE GAUSSIANS?

Lattices… A set of points with periodic arrangement Discrete subgroup in R n v1v1 v2v2 v’ 2 v’ 1

What are discrete Gaussians ? D Λ, r : Gaussian distribution with std deviation r but support restricted to points over lattice Λ More formally ….. D Λ, r (x) α exp(- Π ||x|| 2 / r 2 ) if x in Λ 0 otherwise

Why study discrete Gaussians ? Ubiquitous in lattice based crypto At the technical core of most proofs in the area, notably in the famous “Learning with Errors” assumption Not as well understood as their continuous counterparts

Our Results: Discrete Gaussian LHL over infinite domains Fix once and for all, vectors x 1 …..x m Λ We choose x i from discrete Gaussian D Λ, s Let X = [x 1 |…..|x m ] Z n x m Choose vector z from discrete Gaussian D Z m, s’ Then the distribution Σ z i x i is statistically close to D Λ, s’X D Λ, s’X is a “roughly spherical” discrete Gaussian of “moderate width” (under certain conditions)

Oblivious Gaussian Sampler Our result yields an oblivious Gaussian sampler: Given enc(x 1 )…..enc(x m ) If enc is additively homomorphic, can compute enc(g) where g is discrete Gaussian. Just sample z and compute Σ z i enc(x i ) Previous Gaussian samplers [GPV08, Pei10] too complicated to use within additively homomorphic scheme.

Why is the Gaussian LHL true ?

Analyzing Σ z i x i : Proof Idea Recall our setup: Fix once and for all, vectors x 1 …..x m Λ We sample x i from discrete Gaussian D Λ, s Let X = [x 1 |…..|x m ] Z n x m Sample vector z from discrete Gaussian D Z m, s’ Define A = {v Z m : X v = 0} Note, A is a lattice.

Analyzing Σ z i x i : Broad Outline of Proof Thm 1: Σ z i x i ≈ D Λ, s’X if lattice A is “smooth” relative to s’ Thm 2: A is “smooth” if matrix X is “regularly shaped” Thm 3: X is “regularly shaped” if x i ~ D Λ, s Σ z i x i ≈ D Λ, s’X “near spherical” discrete Gaussian of moderate width A = {v : X v = 0}

Analyzing Σ z i x i : Broad Outline of Proof Thm 1: Σ z i x i ≈ D Λ, s’X if lattice A is “smooth” relative to s’ Thm 2: A is “smooth” if matrix X is “regularly shaped” Thm 3: X is “regularly shaped” if x i ~ D Λ, s Σ z i x i ≈ D Λ, s’X “near spherical” discrete Gaussian of moderate width A = {v : X v = 0}

Analyzing Σ z i x i : Broad Outline of Proof Thm 1: Σ z i x i ≈ D Λ, s’X if lattice A is “smooth” relative to s’ Thm 2: A is “smooth” if matrix X is “regularly shaped” Thm 3: X is “regularly shaped” if x i ~ D Λ, s Σ z i x i ≈ D Λ, s’X “near spherical” discrete Gaussian of moderate width A = {v : X v = 0}

Smoothness of a Lattice Want to wipe out the structure of the lattice Add noise to lattice points till we get the uniform distribution * Smoothness animation from Regev’s slides

Smoothness of a Lattice Want to wipe out the structure of the lattice Add noise to lattice points till we get the uniform distribution * Smoothness animation from Regev’s slides

Smoothness of a Lattice Want to wipe out the structure of the lattice Add noise to lattice points till we get the uniform distribution * Smoothness animation from Regev’s slides

Smoothness of a Lattice Want to wipe out the structure of the lattice Add noise to lattice points till we get the uniform distribution * Smoothness animation from Regev’s slides

Smoothness of a Lattice  How much noise is needed to blur the lattice depends on its structure  Informally, if the noise magnitude needed is “small”, we may say that a lattice is “smooth”  Measured by smoothing parameter smooth(L) [MR04]  Smooth(L) is the smallest “s” s.t. adding Gaussian noise of radius s to L yields an essentially uniform distribution

X is regularly shaped if its singular values lie within small interval. Thm 3: If x i ~ D Λ, s then X is regularly shaped  Start with random matrix theory. Know that if matrix M has continuous Gaussian entries and m >2n, then all the singular values of M are within constant sized interval  Can extend this to discrete Gaussians, “ Regularly shaped”

Broad Outline of Proof Thm 1: Σ z i x i ≈ D Λ, s’X if s’ > smooth(A) Thm 2: If matrix X is “regularly shaped” then smooth(A) is small. Thm 3: If x i ~ D Λ, s then X is “regularly shaped” Σ z i x i ≈ D Λ, s’X “near spherical” discrete Gaussian of moderate width

Thm 2: smooth(A) is small if X is regularly shaped.  Argue that λ n+1 ( M q ), the (n+ 1 ) st minima of M q is large if X regularly shaped  Embed A into a full rank lattice A q  Consider dual lattice M q : dual of A q  Convert to upper bound λ m-n (A q ) using thm by Banasczcyk  Argue these m-n short vectors belong to A  Relate λ m-n (A) to smooth(A) using bound by MR04

 Typical application would use our LHL to drown out some value it wishes to hide, a la GGH12. Applicability  Need the minimum width of the Gaussian to be wide enough to drown out the value it is hiding  Our LHL can be seen as showing that this can be done in a frugal way, without wasting too many samples.  Can be used within additively homomorphic scheme.  Care needs to be taken if basis X has to be kept secret. Better use other samplers (GPV08, Pei10)

 Discrete Gaussians are important and not as well understood. Our work makes progress towards understanding their behavior. Conclusions  Provided a discrete Gaussian LHL over infinite rings.  May be used as an oblivious Gaussian sampler within an additively homomorphic scheme.

Thank you! Questions?