Lattice-based cryptography and quantum Oded Regev Tel-Aviv University.


Outline
- Introduction to lattices
- Main result: a stronger and more efficient public key encryption scheme
- Main theorem: a hard learning problem
- Proof of the main theorem: overview; Part I: quantum; Part II: classical

Lattice
A lattice is a set of points in n-dimensional space. For any vectors v_1, …, v_n in R^n, the lattice spanned by v_1, …, v_n is
L = {a_1 v_1 + … + a_n v_n | a_i integers}.
These vectors form a basis of L.
[Figure: a two-dimensional lattice with basis v_1, v_2; labelled points 0, 2v_1, v_1+v_2, 2v_2, 2v_2-v_1, 2v_2-2v_1]

Shortest Vector Problem (SVP)
SVP: Given a lattice, find a short vector. Like most other lattice problems it is believed to be extremely hard classically. Perhaps also quantumly.
[Figure: lattice with basis v_1, v_2]

Closest Vector Problem (CVP)
CVP: Given a lattice and a target vector, find the closest lattice point.
CVP_d: Given a lattice and a target vector within distance d, find the closest lattice point.
[Figure: lattice with basis v_1, v_2 and target vector v]

Dual Lattice
Every lattice has a dual lattice (also known as the reciprocal). The dual lattice of L is
L* = {x | ∀ y ∈ L, ⟨x,y⟩ ∈ Z}.
(L*)* = L. In fact, the dual lattice is the Fourier transform of the lattice.
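The definition above can be checked exactly in code. The following Python example is added here and is not part of the talk: for a constructed two-dimensional basis it computes the dual basis (B^{-1})^T with exact rational arithmetic, confirms the integrality condition on small integer combinations, tests membership in L*, and verifies (L*)* = L.

```python
from fractions import Fraction
from itertools import product

def inverse(M):
    """Exact Gauss-Jordan inverse of a square matrix (basis rows are independent, so a pivot exists)."""
    n = len(M)
    A = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(i for i in range(col, n) if A[i][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for i in range(n):
            if i != col and A[i][col] != 0:
                f = A[i][col]
                A[i] = [a - f * b for a, b in zip(A[i], A[col])]
    return [row[n:] for row in A]

def dual_basis(B):
    """Rows v_1..v_n of B span L. The rows d_i of (B^-1)^T span L*, because
    <d_i, v_j> = 1 if i == j else 0, so every x in span_Z(d) pairs integrally with L."""
    return [list(col) for col in zip(*inverse(B))]   # transpose of the inverse

def dot(x, y):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(x, y))

def in_dual(x, B):
    """x is in L* iff <x, v_j> is an integer for every basis vector v_j;
    by linearity that already covers all y in L (the slide's definition)."""
    return all(dot(x, v).denominator == 1 for v in B)

def lattice_points(B, coeffs):
    """Integer combinations a_1 v_1 + ... + a_n v_n for each coefficient vector a."""
    n = len(B)
    return [[sum(a[i] * Fraction(B[i][k]) for i in range(n)) for k in range(n)] for a in coeffs]

def check_dual_pair(B, D, rng=range(-2, 3)):
    """Brute-force the defining property on small coefficient vectors of both lattices."""
    n = len(B)
    pts_L = lattice_points(B, product(rng, repeat=n))
    pts_dual = lattice_points(D, product(rng, repeat=n))
    return all(dot(x, y).denominator == 1 for x in pts_dual for y in pts_L)

# Constructed example basis: v_1 = (2, 1), v_2 = (0, 3); det = 6, so L has index 6 in Z^2.
B = [[2, 1], [0, 3]]
D = dual_basis(B)          # [[1/2, 0], [-1/6, 1/3]]
```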

Main Result: New Public Key Encryption Scheme

Public Key Encryption Scheme (PKES)
Allows parties to communicate securely without having to agree on a secret key beforehand. Used extensively on the Internet (RSA, PGP, …). However, most PKES are based on the hardness of factoring, which is no longer secure in a world with quantum computers! Main alternative: lattice-based PKES.

Previous lattice-based PKES [AjtaiDwork96, GoldreichGoldwasserHalevi97, R'03]
Main advantages: based on a lattice problem; worst-case hardness.
Main disadvantages: based only on unique-SVP; impractical (think of n as ≈ 1000): public key size O(n^4), encryption expands by O(n^2).

New lattice-based PKES [This work]
Main advantages: worst-case hardness; based on the main lattice problems (SVP, SIVP); (more) practical (think of n as ≈ 1000): public key size O(n^2), encryption expands by O(n).
However, breaking the cryptosystem implies an efficient quantum algorithm for lattices.

Why Quantum?
As part of the proof, we need to perform a certain algorithmic task on lattices. We do not know how to do it classically, only quantumly!

Does it really matter?
Assume quantum computers can be built (as we all believe). Two cases:
1. An efficient quantum algorithm for lattices exists: then both the previous and the new lattice-based PKES are weak.
2. No efficient quantum algorithm for lattices exists: then both the previous and the new lattice-based PKES are secure.

Main Theorem: A Hard Learning Problem

Learning from parity with error
Let s ∈ Z_2^n be a secret. We have independent random equations modulo 2 with error:
s_2 + s_3 + s_4 + s_6 + … + s_n ≈ 0
s_1 + s_2 + s_4 + s_6 + … + s_n ≈ 1
s_1 + s_3 + s_4 + s_5 + … + s_n ≈ 1
s_2 + s_3 + s_4 + s_6 + … + s_n ≈ 0
…
Without error, it's easy!

Learning from parity with error
More formally, we need to learn s from samples of the form (t, ⟨s,t⟩ + e), where t is chosen uniformly from Z_2^n and e is a bit that is 1 with probability 10%.
The trivial algorithm needs 2^{O(n)} equations/time. The best known algorithm needs 2^{O(n/log n)} equations/time [BlumKalaiWasserman'00]. Open question: why is this problem so hard?

Learning modulo p
Fix some p < poly(n). Let s ∈ Z_p^n be a secret. We have random equations modulo p with error:
2s_1 + 0s_2 + 2s_3 + 1s_4 + 2s_5 + 4s_6 + … + 4s_n ≈ 2
0s_1 + 1s_2 + 5s_3 + 0s_4 + 6s_5 + 6s_6 + … + 2s_n ≈ 4
6s_1 + 5s_2 + 2s_3 + 0s_4 + 5s_5 + 2s_6 + … + 0s_n ≈ 2
6s_1 + 4s_2 + 4s_3 + 4s_4 + 3s_5 + 3s_6 + … + 1s_n ≈ 5
…

Learning modulo p
More formally, we need to learn s from samples of the form (t, ⟨s,t⟩ + e), where t is chosen uniformly from Z_p^n and e is chosen from Z_p. The best known algorithm needs 2^{O(n)} equations/time [BlumKalaiWasserman'00].
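To make the "without error, it's easy" remark concrete, the following Python example (added here, not from the talk) recovers s from n noiseless equations (t, ⟨s,t⟩ mod p) by Gaussian elimination over Z_p, and then corrupts a single right-hand side: elimination now returns a wrong s that nevertheless satisfies every equation it was given, so the system alone cannot reveal which equation carries the error. The secret, the samples and the seed are constructed; p is assumed prime.

```python
import random

def lwe_sample(s, p, rng):
    """One equation of the slides' form: t uniform in Z_p^n, b = <s,t> mod p (no error)."""
    t = [rng.randrange(p) for _ in s]
    return t, sum(si * ti for si, ti in zip(s, t)) % p

def solve_mod_p(rows, n, p):
    """Gaussian elimination over Z_p (p prime) on equations (t, b).
    Returns the unique s, or None if the t's do not span Z_p^n."""
    aug = [t + [b] for t, b in rows]
    for col in range(n):
        piv = next((i for i in range(col, len(aug)) if aug[i][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)                 # modular inverse (Python 3.8+)
        aug[col] = [(v * inv) % p for v in aug[col]]
        for i in range(len(aug)):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[col])]
    return [aug[i][n] for i in range(n)]

def violations(rows, s, p):
    """Number of equations (t, b) that the candidate s fails to satisfy."""
    return sum((sum(si * ti for si, ti in zip(s, t)) - b) % p != 0 for t, b in rows)

def demo(n=8, p=2, seed=2024):
    """Noiseless: n independent equations pin down s exactly. Then add an error
    term e = 1 to ONE right-hand side and eliminate again: the full-rank system
    still has a unique solution, so it is necessarily a wrong s, yet it violates
    none of the equations, while the true s violates exactly the corrupted one."""
    rng = random.Random(seed)
    s = [rng.randrange(p) for _ in range(n)]
    while True:                                  # redraw until the n t's are independent
        rows = [lwe_sample(s, p, rng) for _ in range(n)]
        clean = solve_mod_p(rows, n, p)
        if clean is not None:
            break
    t0, b0 = rows[0]
    noisy = [(t0, (b0 + 1) % p)] + rows[1:]      # for p = 2 this is a flipped bit
    wrong = solve_mod_p(noisy, n, p)
    return {"secret": s, "clean": clean, "wrong": wrong,
            "secret_violates": violations(noisy, s, p),
            "wrong_violates": violations(noisy, wrong, p)}
```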

Main Theorem
Learning modulo p is as hard as worst-case lattice problems, using a quantum reduction. In other words: solving the problem implies an efficient quantum algorithm for lattices. This theorem implies our new PKES.

Proof of the Main Theorem: Overview

Gaussian Distribution
Define a Gaussian distribution D_r on a lattice (normalization omitted). We can efficiently sample from D_r for large r = 2^n.

The Reduction
Assume the existence of an algorithm for the modulo p learning problem for p = 2√n. Our lattice algorithm:
- Set r = 2^n and take poly(n) samples from D_r.
- Repeat: given poly(n) samples from D_r, compute poly(n) samples from D_{r/2}; set r ← r/2.
- When r is small, output a short vector.

[Figures: samples from D_r and, after one step, from D_{r/2}]

Obtaining D_{r/2} from D_r
Let p = 2√n.
- Given poly(n) samples from D_r, we show how to solve CVP_{p/r} in L*. Classical; uses the learning oracle mod p.
- Given a solution to CVP_{p/r} in L*, we show how to obtain samples from D_{√n·r/p} = D_{r/2}. Quantum; based on the quantum Fourier transform.

[Diagram of the iteration]
Samples from D_r in L → (classical, uses learning oracle) → solution to CVP_{p/r} in L* → (quantum) → samples from D_{r/2} in L → solution to CVP_{2p/r} in L* → samples from D_{r/4} in L → solution to CVP_{4p/r} in L* → …

Fourier Transform
[Figure: primal world (L) and dual world (L*)]

Fourier Transform
The Fourier transform of D_r is given by [formula]. Its value is 1 for x in L*, e^{-1} at points of distance 1/r from L*, and ≈ 0 at points far away from L*.

Proof of the Main Theorem, Part I: Obtaining D_{r/2} from CVP_{p/r}

From CVP_{p/r} to D_{r/2}
Assume we can solve CVP_{p/r}; we'll show how to obtain samples from D_{r/2}. Idea: create the quantum state [state] by adding a Gaussian to each lattice point and uncomputing the lattice point by using the CVP algorithm. Then compute the (quantum) Fourier transform.

From CVP to D_{r/2}
More precisely, create the state [state] and the state [state]. Tensor them together and add the first to the second. Uncompute the first register by solving CVP_{p/r}.

From CVP to D_{r/2}
Compute the quantum Fourier transform of [state]. It is exactly D_{r/2}! Measure and obtain a sample from D_{r/2}. By repeating this quantum process, we can obtain poly(n) samples.

Proof of the Main Theorem, Part II: Solving CVP_{p/r} given samples from D_r

It's enough to approximate f_{p/r}
Lemma: being able to approximate f_{p/r} implies a solution to CVP_{p/r}.
Proof idea (walk uphill): f_{p/r}(x) > 1/4 for points x of distance < p/r. Keep making small modifications to x as long as f_{p/r}(x) increases. Stop when f_{p/r}(x) = 1 (then we are on a lattice point).

What's ahead in this part
For warm-up, we show how to approximate f_{1/r} given samples from D_r. No need for learning; this is the main idea in [AharonovR'04]. Then we show how to approximate f_{2/r} given samples from D_r and an oracle for the learning problem. Approximating f_{p/r} is similar.

Warm-up: approximating f_{1/r}
Let's write f_{1/r} in its Fourier representation: [formula]. Using samples from D_r, we can compute a good approximation to f_{1/r} (this is the main idea in [AharonovR'04]).

Fourier Transform
Consider the Fourier representation again: [formula]. For x ∈ L*, ⟨w,x⟩ is an integer for all w in L and therefore we get f_{1/r}(x) = 1. For x that is close to L*, ⟨w,x⟩ is distributed around an integer. Its standard deviation can be (say) 1.

Approximating f_{2/r}
Consider the distribution D_r/2 given by: sample a vector w from D_r and output w/2. We obtain 2^n translates of the distribution D_{r/2}. For t ∈ Z_2^n, denote the translate t by D^t_{r/2}.

[Figure: D_r]

Approximating f_{2/r}
We can equivalently think of our samples as taken from the following distribution: choose t ∈ Z_2^n uniformly at random, and output a sample from D^t_{r/2}. Consider the Fourier transform of D^t_{r/2}: [formula].

Approximating f_{2/r}
The functions f^t_{2/r} look almost like f_{2/r}; the only difference is that some Gaussians have their sign flipped. Approximating f^t_{2/r} is enough: we can easily take the absolute value and obtain f_{2/r}. For this, we need to obtain several samples from D^t_{r/2}. The problem is that each sample is from D^t_{r/2} for a different t!

Approximating f_{2/r}
The sign of each Gaussian is ±1 depending on ⟨s,t⟩ mod 2, where s is the coefficient vector of its centre. The distribution of 2⟨x,w_i⟩ mod 2 for a point x close to L* is centred around ⟨s,t_i⟩ mod 2. Hence, we obtained equations modulo 2 with error:
⟨s,t_1⟩ ≈ ⌊2⟨x,w_1⟩⌉ mod 2
⟨s,t_2⟩ ≈ ⌊2⟨x,w_2⟩⌉ mod 2
⟨s,t_3⟩ ≈ ⌊2⟨x,w_3⟩⌉ mod 2
…
(⌊·⌉ denotes rounding to the nearest integer)

Approximating f_{2/r}
Using the learning algorithm, we solve these equations and obtain s. Knowing s, we can cancel the sign. Averaging over enough samples gives us an approximation to f_{2/r}.
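A one-dimensional toy version of the translate argument on the preceding slides, added here as an illustration and not taken from the talk: with L = Z we have L* = Z, the translates of D_{r/2} are indexed by t = w mod 2, and samples near a dual point x = s + δ yield noisy parity equations whose error rate grows with the distance δ. In one dimension the learning oracle degenerates to a majority vote; in the talk's n-dimensional setting it is the learning-from-parity algorithm. The rejection sampler, the parameters s, r, m and the seed are all constructed.

```python
import math
import random

def sample_dz(r, rng, tail=6):
    """Rejection-sample the discrete Gaussian D_r on the lattice L = Z:
    Pr[w] proportional to exp(-pi (w/r)^2), truncated at |w| <= tail*r."""
    bound = int(tail * r)
    while True:
        w = rng.randint(-bound, bound)
        if rng.random() < math.exp(-math.pi * (w / r) ** 2):
            return w

def parity_equations(s, delta, r, m, rng):
    """For L = Z we have L* = Z, and the dual point whose 'coefficient vector'
    is s is the integer s itself. A sample w/2 of D_{r/2} lies in the translate
    t = w mod 2. For x = s + delta close to L*, the slide's equation
        <s,t> ~= round(2 <x, w/2>) mod 2 = round(x*w) mod 2
    holds whenever |delta*w| < 1/2; larger |w| can flip the bit (the 'error')."""
    x = s + delta
    eqs = []
    for _ in range(m):
        w = sample_dz(r, rng)
        eqs.append((w % 2, round(x * w) % 2))        # (t, noisy right-hand side)
    return eqs

def learn_parity_1d(eqs):
    """In one dimension the learning oracle is a majority vote over the
    equations with t = 1, each of which reads s mod 2 ~= rhs."""
    ones = [rhs for t, rhs in eqs if t == 1]
    return int(2 * sum(ones) > len(ones))

def error_rate(eqs, s):
    """Fraction of equations whose right-hand side disagrees with <s,t> mod 2."""
    return sum(rhs != (s * t) % 2 for t, rhs in eqs) / len(eqs)

def demo(s=5, r=50.0, m=2000, seed=3):
    """Error rate grows with the distance delta of x from L*: exactly zero on the
    dual lattice, about 0.01 at delta = 1/(2r), about 0.2 at delta = 1/r;
    the majority vote still recovers s mod 2 in every case."""
    rng = random.Random(seed)
    results = {}
    for name, delta in (("on_dual", 0.0), ("dist_half", 0.5 / r), ("dist_one", 1.0 / r)):
        eqs = parity_equations(s, delta, r, m, rng)
        results[name] = (error_rate(eqs, s), learn_parity_1d(eqs))
    return results
```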

Open questions
- Dequantize the reduction: what can one do classically with a solution to CVP_d?
- Extend to learning from parity (i.e., p = 2) or even some constant p. Is there something inherently different about the case of constant p?
- Any other applications for this 'new quantum algorithm'?