1 / 31

On Ideal Lattices and Learning With Errors Over Rings

Vadim Lyubashevsky Chris Peikert Oded Regev P artly based on slides by Vadim To appear in Eurocrypt 2010; see also survey prepared for CCC’2010. On Ideal Lattices and Learning With Errors Over Rings. Overview of the Learning With Errors Problem. Learning With Errors (LWE) Problem.

job
Download Presentation

On Ideal Lattices and Learning With Errors Over Rings

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Vadim Lyubashevsky Chris Peikert Oded Regev Partly based on slides by Vadim To appear in Eurocrypt 2010; see also survey prepared for CCC’2010 On Ideal LatticesandLearning With Errors Over Rings

  2. Overview of the Learning With Errors Problem

  3. Learning With Errors (LWE) Problem • There is a secret vector s in qn(we'll use 174 as a running example) • An oracle (who knows s) generates a random vector a in qnand “small” noise element e in  • The oracle outputs (a, b=<a,s>+e mod 17) • This procedure is repeated with the same s and fresh a and e • Our task is to find s 2 13 7 3 8 1 13 • + = 3 4 7 9 1 -1 12 12 6 14 5 11 2 3 5

  4. Learning With Errors (LWE) Problem • Once there are enough ai , the s is uniquely determined • Thm[Regev'05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst case to solving LWE a1 . . . s e b a2 + = am

  5. Decision LWE Problem World 1 a1 a1 . . . b a2 . . . s e b a2 + = am am World 2 a1 Decision LWE Oracle . . . b a2 am uniformly random in Zqm I am in World 1 (or 2)

  6. Search LWE < Decision LWE • Idea: Use the Decision oracle to figure out the coefficients of s one at a time • Let g be our guess for the first coordinate • of s • Repeat the following: • Receive LWE pair (a,b) • Pick random r in Z17 • Send sample below to the Decision Oracle • If g is right, then we are sending a distribution from World 1 • If g is wrong, then we are sending a distribution from World 2 • We will find the right g in O(q)time • Use the same idea to recover all coefficients of s one at a time · 2 13 7 3 8 1 13 + = 3 a b 12 5 2+r 13 7 3 13+rg

  7. What is LWE useful for? • Public Key Encryption [Reg '05, Pei '09] • CCA-Secure PKE [PW ’08, Pei ’09] • Identity-Based Encryption [GPV '08] • Oblivious Transfer [PVW '08] • Circular-Secure Encryption [ACPS '09] • Hierarchical Identity-Based Encryption [CHKP '09, ABB '09] • And more…

  8. Public Key Encryption Based on LWE Secret Key: s in Zqn Public Key: A in Zqm x n , b=As+e A s e b + = represents 1 To encrypt a single bit z in {0,(q-1)/2}: Pick r in {0,1}m . Send (rA,<r,b>+z) + r A r b z

  9. Proof of Semantic Security r A r b + z A s e b + = A b r A b 2. If A,b is truly random, then the distribution of r(A||b) (over r chosen from {0,1}m) is statistically extremely close to uniform 1. The public key is pseudo-random based on LWE

  10. Some Inefficiencies of LWE-Based Schemes + z r A r b A s e b + = encryption of 1 bit requires O(n2) (or O(n)) operations public key is O(n2)

  11. Source of Inefficiency · • Getting just one extra random-looking number requires n random numbers! + 2 13 7 3 8 1 13 = 3 12 5 • Wishful thinking: get n random numbers and produce O(n) pseudo-random numbers in “one shot” 2 8 1 13 3 -1 + = * 7 12 2 3 5 -1

  12. Cryptosystem Possibility LWE-Based Cryptosystem + r A r b A s e b z + = Wishful Thinking-Based Cryptosystem r A r b A s e b z + + =

  13. Main Question 2 8 1 13 3 -1 + = * 7 12 2 3 5 -1 • How do we define multiplication so that the resulting distribution is pseudorandom? (Coordinate-wise multiplication is not secure) • Answer: Define it as multiplication of polynomials over some carefully-chosen ring • Similar ideas used in the heuristic design of NTRU [HPS98], and in compact one-way functions [Mic02,PR06,LM06,…].

  14. Our Results • 0. We define a compact version of LWE called Ring-LWE • We show that Ring-LWE is as hard as (quantumly) solving certain lattice problems in the worst case • A quantitatively weaker result was independently shown by Stehle, Steinfeld, Tanaka, and Xagawa [SSTX’09] using different techniques of independent interest. • We show that decision Ring-LWE is as hard as (search) Ring-LWE • Works with any cyclotomic ring • We demonstrate some basic cryptographic applications

  15. Learning With Errors over Rings

  16. The Search Ring-LWE Problem • Let R be the ring q[x]/xn+1 for n a power of 2 and q a prime satisfying q=1 (mod 2n). • E.g., q=17, n=4, 17[x]/x4+1 • The secret s is now an element in R • The elements a are chosen uniformly • from R • The coefficients of the noise • polynomial e are chosen as small independent normal vars s e b a 2 8 1 8 13 3 -1 1 + = * 7 12 2 16 3 5 -1 6 Search Ring-LWE Solver (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk= aks+ek) s

  17. Our First Result: Hardness of Search Ring-LWE • We show that the search ring-LWE problem is as hard as quantumly solving worst-case lattice problems on ideal lattices • In our running example, these are lattices satisfying that if (x1,…,xn)L then also (x2,…,xn,-x1)L • The result applies to rather general rings • The proof is by adapting the proof of [R05] to rings • The quantum part remains the same; only the classical part needs to be adapted

  18. Our First Result: Hardness of Search Ring-LWE • One technical issue is that the distribution of the coefficients of the error polynomial e is Gaussian, but unfortunately not a spherical one • Luckily this does not cause any serious problems, and we ignore it here • It is possible to get hardness for the spherical noise case if we restrict the number of ring-LWE samples (as in [SSTX’09] or as a corollary to our main result)

  19. Our Second Result: Reducing Search Ring-LWE to Decision Ring-LWE

  20. Decision Ring-LWE Problem World 1: s in R aiuniform in R ei random and “small” (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk= aks+ek) Decision Ring-LWE Oracle I am in World 1 (or 2) World 2: ai,biuniform in R (a1,b1) (a2,b2) … (ak,bk)

  21. What We Want to Construct s in R aiuniform in R ei random and “small” (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk= aks+ek) Search Ring-LWE Solver s I am in World 1 (or 2) Decision Ring-LWE Oracle

  22. Why Does the Search-to-Decision Reduction for LWE not Work? • Recall the reduction for LWE: • Let g be our guess for the first coordinate of s (only 17 possibilities). • Repeat the following: • Receive LWE pair (a,b): • Pick random r in Z17 • Send sample below to the Decision Oracle: • Then: • If g is correct, we have legal LWE samples; • If g is incorrect, we have uniform samples · 2 13 7 3 8 1 13 + = 3 a b 12 5 2+r 13 7 3 13+rg

  23. Why Does the Search-to-Decision Reduction for LWE not Work? • Now consider what happens in ring-LWE: • Repeat the following: • Receive LWE pair (a,b): • Pick random r in Z17 • Send sample to the Decision Oracle: • How do we satisfy (1), namely, output legal ring-LWE samples? It seems we have to guess n numbers! s e b a 2 8 -1 8 13 3 -1 16 + = * 7 12 2 8 3 5 1 1 2+r ? 13 ? 7 ? 3 ?

  24. The Ring q[x]/xn+1 • Let tq be such that tn=-1 (i.e., a root of xn+1). • Then, for any p1,p2q[x]/xn+1, p1(t)·p2(t)=(p1·p2)(t), and obviously p1(t)+p2(t)=(p1+p2)(t), hence the function mapping p to p(t) is a ring homomorphism • By our assumption that q=1 (mod 2n), the polynomial xn+1 has n roots in the field q, • t1=g(q-1)/2n, t3=g3(q-1)/2n, …, t2n-1=g(2n-1)(q-1)/2n • Hence the mapping :Rqn that maps each pR to (p(t1),…,p(t2n-1))qn is a ring isomorphism, with both addition and multiplication in qnbeing coordinate-wise

  25. The Search Ring-LWE Problem • So we can equivalently think of ring-LWE as follows: • The secret is an element ŝ in qn • The elements â are chosen uniformly • from qn • Multiplication is coordinate-wise • The coordinates of the noise • vector ê are chosen from some • ‘strange’ distribution ŝ ê b̂ â 2 8 9 8 13 3 11 16 + =  7 12 9 8 3 5 3 1 Search Ring-LWE Solver (â1, b̂1 = â1ŝ+e1) (â2, b̂2= â2ŝ+e2) … (âk, b̂k= âkŝ+ek) ŝ

  26. Search-to-Decision Reduction for Ring-LWE (better attempt) • Let g be our guess for the first coordinate of ŝ (only 17 possibilities). • Repeat the following: • Receive LWE pair (â,b̂): • Pick random r in Z17 • Send sample to the Decision Oracle: • Then: • If g is correct, we have legal ring-LWE samples!  • BUT if g is incorrect, we don’t have uniform samples  ŝ ê b̂ â 2 8 9 8 13 3 11 16 + =  7 12 9 8 3 5 3 1 2+r 8+rg 13 16 7 8 3 1

  27. A Hybrid Argument ( ( ( ( ( ) ) ) ) ) Decision Ring-LWE Oracle Decision Ring-LWE Oracle Decision Ring-LWE Oracle Decision Ring-LWE Oracle Decision Ring-LWE Oracle , , , , , Correct g “I am in World 2” “I am in World 2” “I am in World 1” “I am in World 1” “I am in World 1” â1 â1 â1 â1 â1 â2 â2 â2 â2 â2 â3 â3 â3 â3 â3 â4 â4 â4 â4 â4  b̂1      b̂2 b̂2  b̂3 b̂3   b̂3 b̂4  b̂4 b̂4 b̂4 Wrong g • To summarize, using the decision oracle, we are able to find ŝi for one fixedi • But how can we recover all of ŝ?

  28. Recovering All of s • Idea: permute the coordinates of (the unknown) ŝ by permuting â and b • Repeat the following: • Receive ring-LWE pair (â,b̂): • Output the pair ((â),(b̂)=(â)(ŝ)+(ê)): • If the output pairs were legal ring-LWE samples with secret (ŝ), we would be done • But why would (ê) be distributed correctly?? ŝ ê b̂ â 2 8 9 8 13 3 11 16 + =  7 12 9 8 3 5 3 1 13 16 2 8 3 1 7 8

  29. Recovering All of s • It turns out that there are n special permutations 1,…,nthat have the remarkable property that they preserve the error distribution! • For instance, assume q=17 and n=4. • In this case, the mapping  maps each polynomial p(x)17[x]/x4+1 to p̂=(p(2),p(23),p(25),p(27))174 • Now assume we permute this to (p(23),p(2),p(27),p(25)) • This is equal to p̂’ where p’(x)=p(x3) • Hence, if p(x)=c0+c1x+c2x2+c3x3 then p’(x)=c0+c1x-c2x2+c3x3 • We see that all the permutation does is permute the coefficients of the polynomial and possibly negate their sign. • In particular, it preserves the error distribution!

  30. Summary of Reduction • By using a hybrid argument on the decision oracle, we are able to recover one fixed coordinate of ŝ • Repeating this procedure with all n permutations allows us to recover all of ŝ, and hence also s, as required • Actually, one also need several delicate amplification steps and random self reductions… details in the paper! • The reduction might seem mysterious and ad-hoc… • In fact, we are relying here on the properties of the cyclotomic number field (2n), its n Galois automorphisms, its canonical embedding, and the factorization of the ideal q • Viewed this way, the reduction is easy to extend to all cyclotomic polynomials (and not just xn+1)

  31. Final Summary • Search Ring-LWE is as hard as (quantumly) solving certain lattice problems in the worst case • Decision Ring-LWE (in cyclotomicrings) is as hard as Search Ring-LWE • Ring-LWE allows for much more efficient cryptographic constructions than regular LWE • Open questions: • Develop more advanced cryptographic constructions based on Ring-LWE, as was done for LWE • Theoretically sound fully-homomorphic encryption scheme based on ring-LWE?

More Related