1. The Learning With Errors Problem
Oded Regev
Tel Aviv University
(for more details, see the survey paper in the proceedings)
Cambridge, 2010/6/11

2. Overview

3. Learning With Errors (LWE) Problem
A secret vector s in 174
We are given an arbitrary number of equations, each correct up to 1
Can you find s?

4. LWE’s Claim to Fame
Known to be as hard as worst-case lattice problems, which are believed to be exponentially hard (even against quantum computers)
Extremely versatile
Basis for provably secure
and efficient cryptographic
constructions

5. LWE’s Origins The problem was first defined in [R05]
Already (very) implicit in the first work on lattice-based public key cryptography [AjtaiDwork97] (and slightly more explicit in [R03])

6. LWE – More Precisely There is a secret vector s in qn
An oracle (who knows s) generates a uniform vector a in qn and noise e distributed normally with standard deviation q.
The oracle outputs (a, b=a,s+e mod q)
This procedure is repeated with the same s and fresh a and e
Our task is to find s 2 13 7 3 • 8 1 13 + = 3 4 7 9 1 -1 12 12 6 14 5 11 2 3 5

7. LWE – Parameters: n, q,  The main parameter is n, the dimension
The modulus q is typically poly(n)
Choosing exponential q increases size of input and makes applications much less efficient (but hardness is somewhat better understood)
(The case q=2 is known as Learning Parity with Noise (LPN))
The noise element e is chosen from a normal distribution with standard deviation q (rounded to
the nearest integer):
The security proof requires q>n
The noise parameter  is typically 1/poly(n)
The number of equations does not really matter
q=113
=0.05

8. Algorithms solving LWE

9. Algorithm 1: More Luck Than Sense
Ask for equations until seeing several “s1…”. E.g.,
This allows us to deduce s1 and we can do the same for the other coordinates
Running time and number of equations is 2O(nlogn)

10. Algorithm 2: Maximum Likelihood
Easy to show: After about O(n) equations, the secret s is the only assignment that approximately satisfies the equations (hence LWE is well defined)
We can therefore find s by trying all possible qn assignments
We obtain an algorithm with running time qn=2O(nlogn) using only O(n) equations

11. Algorithm 3: [BlumKalaiWasserman’03]
Running time and number of equations is 2O(n)
Best known algorithm for LWE (with usual setting of parameters)

12. Algorithm 4: [AroraGe’10]
Running time and number of equations is 2O((q)2)
So for q<n, this gives a sub-exponential algorithm
Interestingly, the LWE hardness proof [R05] requires q>n; only now we ‘know’ why!
Idea: apply a polynomial that zeroes the noise, and solve by linearization

13. Simple Cryptosystem

14. Public Key Encryption Based on LWE
Secret Key: s in qn
Public Key: A in qmn , b=As+e
(where m=2n·logq) A s e b + =
To encrypt a single bit z{0,1}: Pick r in {0,1}m and send (rA, r·b+z·q/2) r A r b +
q/2 ,

15. Proof of Semantic Securityb r A r b + z + = A b r A b
2. If A,b is truly random, then the distribution of (rA, r·b) (over r chosen from {0,1}m) is statistically extremely close to uniform so decryption is impossible
1. The public key is pseudo-random: based on LWE

16. Lattices
For vectors v1,…,vn in Rn we define the lattice generated by them as
={a1v1+…+anvn | ai integers}
We call v1,…,vn a basis of 
v1+v2
2v2
2v1
2v2-v1 v1 v2
2v2-2v1

17. Computational Problems on Lattices
‘Algebraic’ lattice problems are easy; ‘geometric’ problems are hard
Shortest Vector Problem (GapSVP): given a lattice , approximate length of shortest (nonzero) vector1() to within 
Another lattice problem: SIVP. Asks to find n short linearly independent lattice vectors. v2 v1
3v2-4v1

18. Lattice Problems Are Hard
Conjecture: for any =poly(n), GapSVP is hard
Best known algorithms run in time 2n [AjtaiKumarSivakumar01, MicciancioVoulgaris10]
Quantum computation doesn’t seem to help

19. LWE over Rings

20. Some Inefficiencies of LWE-Based Schemes+ A s e b r A r b z + =
public key is O(n2)
encryption of 1 bit requires O(n2) (or O(n)) operations

21. Polynomial ring Polynomials
Example: x3+2x2+1, we don’t care about x, but the coefficients
Operations
Addition: (x3+2x2+1) + (x+1) = x3+2x2+x + 2
Multiplication (x3+2x2+1)*(x+1) = x4+2x3+x + x3+2x2+1
= x4+3x3+2x3 +x + 1
Polynomial ring over finite field q[x]/xn+1
xn+1 is the quotient (like the modulus in mod operation), so that no polynomial has rank higher than n in the field
q : also apply mod operation on the coefficients

22. Polynomial ring
Example: 2[x]/xn+1 equivalent to n bit binary representation
Addition of polynomials result in the same result as binary addition
Multiplication also applies
Important to homomorphic addition/multiplication

23. The Ring-LWE Problem Let R be the ring q[x]/xn+1
The secret s is now an element in R
The elements a are chosen uniformly
from R
The coefficients of the noise
polynomial e are chosen as small independent normal vars a s e b 2 8 1 8 13 3 -1 1 * + = 7 12 2 16 3 5 -1 6
(a1, b1 = a1s+e1)
(a2, b2= a2s+e2) …
(ak, bk = aks+ek)
Ring-LWE
Solver s

24. Ring-LWE – Known Results
[LyubashevskyPeikertR10] show that Ring-LWE is as hard as (quantumly) solving the standard lattice problem SIVP (on ideal lattices)
The proof is by adapting [R05]‘s proof to rings; only the classical part needs to be changed
A qualitatively weaker result was independently shown by [Stehlé SteinfeldTanakaXagawa09] using different techniques of independent interest.
[LPR10] also show that decision Ring-LWE is as hard as (search) Ring-LWE
Proof is quite non-trivial!
Finally [LPR10] show how this can be used to construct very efficient cryptographic applications
Many more details in the survey paper!

25. Ring-LWE public-key Let R be the ring q[x]/xn+1
n = 2^m, related to security level, q is poly(n)
Random sample a1, s 2 R
e 2 R, coefficients are randomly from discrete normal distribution
Secret key: s
Public key (a0 = -(a*s + te), a1), t is prime to q, e.g., t=2, representing the message space t[x]/xn+1
Encryption: sample u, g, h from discrete normal distribution polynomials
ciphertext: (c0, c1) = (a0*u + t*g + m, a1*u+t*h), m in t[x]/xn+1
Decryption:
m’ = c0+c1*s
= a0*u + t*g + m + (a1*u+t*h)*s
= m + t(g+h*s-e*u)
m = m’ mod t

28. Decryption:

29. Homomorphic operation
c = (c0, c1), c’ = (c0’, c1’) Addition: (c0+c0’, c1 + c1’) = (a0*(u+u’) + t*(g+g’) + m+m’, a1*(u+u’) + t*(h+h’))

30. Homomorphic operation
c = (c0, c1), c’ = (c0’, c1’) multiplication: (c0+c1*X)*(c0’ + c1’*X) = c0*c0’ + (c1*c0’+c0*c1’)X + c1*c1’ *X2 Represented as (c0*c0’, c1*c0’+c0*c1’, c1*c1’)

31. Decrypting multiplication result (c0, c1, c2): c2. s2 + c1. s + c0 = t
Decrypting multiplication result (c0, c1, c2): c2*s2 + c1*s + c0 = t*emul + m*m’

32. relinearization
Converting the 3-tuple (c0, c1, c2) back to the 2-tuple (c0, c1) representation, with relinearization
Error increases dramatically with each multiplication