Middle-Product Learning With Errors - Inria · PDF fileMiddle-Product Learning With Errors...

Introduction Reminders MP-LWE Encryption from MP-LWE Conclusion

Middle-Product Learning With Errors

Miruna Rosca, Amin Sakzad,Damien Stehle and Ron Steinfeld

ENS de Lyon, Bitdefender and Monash University

Paris, June 2017

Damien Stehle The MP-LWE problem 09/06/2017 1/29

LWE, P-LWE and MP-LWE

Learning With Errors [LWE]

Hardness related to worst-case problems over latticesInduces large keys and slow cryptographic operations

Polynomial LWE [P-LWE]

Leads to more efficient schemesHardness related to lattices over a single polynomial ring

Middle-product LWE [MP-LWE]

Still somewhat efficient encryptionAt least as hard as P-LWE for many polynomial rings

Road-map

Reminders and context

Middle-Product LWE

Encryption from Middle-Product LWE

Road-map

Reminders and context: LWE, P-LWE

Middle-Product LWE

The LWE distribution

Let n ≥ 1, q ≥ 2 and α ∈ (0, 1). Let Rq = (R/(qZ),+).

Let Dαq denote the Gaussian distribution of standarddeviation αq, folded modulo q.

For all s ∈ Znq, we define the distribution DLWE

n,q,α(s):

(ai , 〈ai , s〉+ ei) ∈ Znq × Rq,

with ai ←↩ U(Znq) and ei ←↩ Dαq.

The LWE distribution

Let n ≥ 1, q ≥ 2 and α ∈ (0, 1). Let Rq = (R/(qZ),+).

Let Dαq denote the Gaussian distribution of standarddeviation αq, folded modulo q.

For all s ∈ Znq, we define the distribution DLWE

n,q,α(s):

(ai , 〈ai , s〉+ ei) ∈ Znq × Rq,

with ai ←↩ U(Znq) and ei ←↩ Dαq.

The LWE problem [Re05]

For all s ∈ Znq , we define the distribution DLWE

n,q,α(s):

(a, 〈a, s〉+ e) ∈ Znq × Rq , with a←↩ U(Zn

q) and e ←↩ Dαq .

Search LWE

For all s: Given arbitrarily many samples from DLWEn,q,α(s), find s.

Decision LWE

With non-negligible probability over s←↩ U(Znq):

distinguish between DLWEn,q,α(s) and U(Zn

q × Rq).

(Given arbitrarily many samples from either.)

n,q,α(s):

Search LWE

Decision LWE

q × Rq).

n,q,α(s):

Search LWE

Decision LWE

q × Rq).

Matrix version of LWE

A ←↩ U(Zm×nq ),

s ←↩ U(Znq),

e ←↩ Dmαq.

Gaussian error

Decision LWE:

Determine whether (A,b) is of the form above, or uniform.

Hardness results on LWE (for αq ≥ 2√n)

The Approximate Shortest Vector Problem

ApproxSVPγ: Given B ∈ Zn×n, find x ∈ Zn \ 0 s.t.

‖B · x‖ ≤ γ ·min (‖B · y‖ : y ∈ Zn,B · y 6= 0) .

[Re05]

For q prime and ≤ nO(1), there is a quantum poly-timereduction from ApproxSVPγ in dimension n to LWEn,q,α,with γ ≈ n/α.

[BLPRS13]

For q ≤ nO(1), there is a classical poly-time reduction fromBDDγ in dimension

√n to LWEn,q,α, with γ ≈ n/α.

(The two results are incomparable.)Damien Stehle The MP-LWE problem 09/06/2017 7/29

‖B · x‖ ≤ γ ·min (‖B · y‖ : y ∈ Zn,B · y 6= 0) .

[Re05]

[BLPRS13]

‖B · x‖ ≤ γ ·min (‖B · y‖ : y ∈ Zn,B · y 6= 0) .

[Re05]

[BLPRS13]

LWE, pros and cons

3 ApproxSVP has been studied for almost four decades.

3 All known LWE/approxSVP algorithms are exponential inthe dimension.

7 Cryptographic applications of LWE involve matrices andmatrix-vector products.

Polynomial-LWE [SSTX09]

Let q ≥ 2, α ∈ (0, 1), f ∈ Z[x ] monic irreducible of degree n.

For all s ∈ Zq[x ]/f , we define the distribution P fq,α(s):

(ai , ai · s + ei), with ai ←↩ U(Zq[x ]/f ) and ei ←↩ Dnαq.

Search P-LWEf

For all s: Given arbitrarily many samples from P fq,α(s), find s.

Decision P-LWEf

With non-negligible probability over s ←↩ U(Zq[x ]/f ):distinguish between P f

q,α(s) and uniform.

Search P-LWEf

Decision P-LWEf

Search P-LWEf

Decision P-LWEf

Why P-LWE?

For all s ∈ Zq [x]/f , we define the distribution P fq,α(s):

(ai , ai · s + ei ), with ai ←↩ U(Zq [x]/f ) and ei ←↩ Dnαq .

One P-LWE sample encodes n correlated LWE samples:

Each coefficient of a · s is an inner product between thecoefficient vector s and a vector a derived from a and f .

One P-LWE sample is cheap to encode and to create:

Producing 1 sample costs O(n log q).

Why P-LWE?

For all s ∈ Zq [x]/f , we define the distribution P fq,α(s):

(ai , ai · s + ei ), with ai ←↩ U(Zq [x]/f ) and ei ←↩ Dnαq .

One P-LWE sample encodes n correlated LWE samples:

Each coefficient of a · s is an inner product between thecoefficient vector s and a vector a derived from a and f .

One P-LWE sample is cheap to encode and to create:

Producing 1 sample costs O(n log q).

Hardness results on P-LWE

[SSTX09] - oversimplified

For any f monic irreducible, there is a quantum reductionfrom ApproxSVP for ideals of Z[x ]/f to search P-LWEf .P-LWE’s noise rate α is proportional to

EF (f ) = maxi<2n ‖x i mod f ‖.

[LPR10] - oversimplified

If f is cyclotomic, search P-LWEf reduces to decision P-LWEf .

Hardness results on P-LWE

[SSTX09] - oversimplified

For any f monic irreducible, there is a quantum reductionfrom ApproxSVP for ideals of Z[x ]/f to search P-LWEf .P-LWE’s noise rate α is proportional to

EF (f ) = maxi<2n ‖x i mod f ‖.

[LPR10] - oversimplified

If f is cyclotomic, search P-LWEf reduces to decision P-LWEf .

P-LWE, pros and cons

3 Faster cryptographic primitives, even practical [ADPS16].

7 Hardness of P-LWEf related only to lattices over Z[x ]/f ,but:

ApproxSVP for ideals of Z[x ]/f is esoteric.It is easier than expected for some f ’s and γ’s [CDW17].

7 For f 6= g , P-LWEf and P-LWEg seem unrelated.

Road-map

Middle-Product LWE: MP, MP-LWE, Hardness

Our result

We propose an LWE variant, MP-LWE, such that P-LWEf

reduces to MP-LWE for all degree n monic irreducible f withbounded expansion factor EF (f ) = maxi<2n ‖x i mod f ‖.

MP-LWE is defined independently of any f .

The reduction works for the search and decision variants.

This adapts to the LWE setting a similar result byLyubashevsky for the SIS setting [Lyu16].

Our result

We propose an LWE variant, MP-LWE, such that P-LWEf

reduces to MP-LWE for all degree n monic irreducible f withbounded expansion factor EF (f ) = maxi<2n ‖x i mod f ‖.

MP-LWE is defined independently of any f .

The reduction works for the search and decision variants.

This adapts to the LWE setting a similar result byLyubashevsky for the SIS setting [Lyu16].

Middle product

Let a ∈ Z[x ] of degree < n and s ∈ Z[x ] of degree < 2n − 1.

Their product has 3n − 2 non-trivial coefficients.

We define a ◦n s as the middle n coefficients.

a �n s :=

⌊(a · b) mod x2n−1

xn−1

MP was studied in computer algebra for acceleratingcomputations on polynomials and power series [Sho99,HQZ04].

MP-LWE

Let q ≥ 2, α ∈ (0, 1), n ≥ 2.

For all s ∈ Z<2n−1q [x ], we define the distribution MPq,α,n(s):

(ai , ai ◦n s + ei), with ai ←↩ U(Z<nq [x ]) and ei ←↩ Dn

Search MP-LWE

For all s: Given arbitrarily many samples from MPq,α,n(s),find s.

Decision MP-LWE

With non-negligible probability over s ←↩ U(Z<2n−1q [x ]):

distinguish between MPq,α,n(s) and uniform.

MP-LWE

Let q ≥ 2, α ∈ (0, 1), n ≥ 2.

Search MP-LWE

Decision MP-LWE

MP-LWE

Let q ≥ 2, α ∈ (0, 1), n ≥ 2.

Search MP-LWE

Decision MP-LWE

P-LWEf and MP-LWE with matrices

Rewriting b = a · s + e ∈ Z[x ]/f with matrices:

Rotf (b) = Rotf (a) · Rotf (s) + Rotf (e),

where the i -th row of Rotf (a) ∈ Zn×n is x i−1 · a mod f .

Rewriting b = a �n s + e ∈ Z[x ] with matrices:

b = Toep(a) · s + e,

where the i -th row of Toep(a) ∈ Zn×2n−1 is x i−1 · a.

P-LWEf and MP-LWE with matrices

Rewriting b = a · s + e ∈ Z[x ]/f with matrices:

Rotf (b) = Rotf (a) · Rotf (s) + Rotf (e),

where the i -th row of Rotf (a) ∈ Zn×n is x i−1 · a mod f .

Rewriting b = a �n s + e ∈ Z[x ] with matrices:

b = Toep(a) · s + e,

where the i -th row of Toep(a) ∈ Zn×2n−1 is x i−1 · a.

Two transformation matrices

Modf : its i -th row is x i−1 mod f .

Mf : its (i , j)-entry is the constant coeff of x i+j−2 mod f .

Both are small if EF(f ) is small.

Two useful properties

Rotf (a) = Toep(a) ·Modf .Rotf (a) · (1, 0, . . . , 0)T = Mf · a.

Reducing P-LWEf to MPLWE

Rotf (b) = Rotf (a) · Rotf (s) + Rotf (e)

⇓Mf · b = Rotf (a) ·Mf · s + Mf · e

The reduction

a 7→ a′ = a, b 7→ b′ = Mf · b.

⇓Mf · b = Rotf (a) ·Mf · s + Mf · e

= Toep(a) ·Modf ·Mf · s + Mf · e

The reduction

a 7→ a′ = a, b 7→ b′ = Mf · b.

⇓Mf · b = Rotf (a) ·Mf · s + Mf · e︸︷︷︸

= Toep(a) ·Modf ·Mf · s︸︷︷︸s′

+Mf · e︸︷︷︸e′

The reduction

a 7→ a′ = a, b 7→ b′ = Mf · b.

⇓Mf · b = Rotf (a) ·Mf · s + Mf · e︸︷︷︸

= Toep(a) ·Modf ·Mf · s︸︷︷︸s′

+Mf · e︸︷︷︸e′

The reduction

a 7→ a′ = a, b 7→ b′ = Mf · b.

Two minor difficulties

a′, b′ = a′ �n s′ + e ′

s ′ is not uniform

Sample t uniform and add a′ �n t to b′.

e ′ is skewed

Add a Gaussian with covariance t · Id−MTf Mf to b′.

(t = poly(EF(f )) large enough so that this is definite positive )

a′, b′ = a′ �n s′ + e ′

e ′ is skewed

a′, b′ = a′ �n s′ + e ′

e ′ is skewed

Road-map

Middle-Product LWE

Key generation

Decision MP-LWE

distinguish between Pq,α,n(s) and uniform.

For i ≤ m = O(log q):

ai ←↩ U(Z<nq [x ])

ei ←↩ bDαqen

bi = ai �n s + 2 · ei

sk = s, pk = (ai , bi)i .

Encryption

sk = s, pk = (ai , bi = ai �n s + 2ei)i

To encrypt µ ∈ Z<n/2[x ] binary:

For i ≤ n, sample ri ∈ Z<n/2+1[x ] binary

c1 =∑

i ri · aic2 =

∑i ri �n/2 bi + µ

Return (c1, c2)

This is an adaptation of (primal) Regev encryption

Encryption

sk = s, pk = (ai , bi = ai �n s + 2ei)i

To encrypt µ ∈ Z<n/2[x ] binary:

For i ≤ n, sample ri ∈ Z<n/2+1[x ] binary

c1 =∑

i ri · aic2 =

∑i ri �n/2 bi + µ

Return (c1, c2)

This is an adaptation of (primal) Regev encryption

Decryption

sk = s, pk = (ai , bi = ai �n s + 2ei)ic1 =

∑ri · ai , c2 =

∑ri �n/2 bi + µ

Compute (c2 − c1 �n/2 s mod q) mod 2.

Correctness

r �n/2 (a �n s) = (r · a)�n/2 s

Decryption

∑ri · ai , c2 =

Compute (c2 − c1 �n/2 s mod q) mod 2.

Correctness

r �n/2 (a �n s) = (r · a)�n/2 s

Security

∑ri · ai , c2 =

Game 1: use MP-LWE hardness

Replace pk by a uniform (ai , bi).

Game 2: use Leftover Hash Lemma

Given (ai , bi)i and∑

ri · ai , the quantity∑

ri �n/2 bi isessentially uniform.

Security

∑ri · ai , c2 =

Security

∑ri · ai , c2 =

Efficiency

It’s all quasi-optimal.

all algorithms are quasi-linear time

ciphertext expansion is quasi-constant

Road-map

Middle-Product LWE

MP-LWE, pros

3 Asymptotically fast IND-CPA encryption.

3 No easier than P-LWEf for an exponential family of f ’s ofdegree n.

Open problems

On the utilitarian front:

Practical efficiency.

More advanced cryptographic functionalities.

On the foundations front:

Get a search to decision reduction.

Is there a ’natural’ underlying worst-case problem?

Make sense out of these matrix equations.

What is the link between P-LWE and Ring-LWE?

Open problems

On the utilitarian front:

Practical efficiency.

More advanced cryptographic functionalities.

On the foundations front:

Get a search to decision reduction.

Is there a ’natural’ underlying worst-case problem?

Make sense out of these matrix equations.

What is the link between P-LWE and Ring-LWE?

Middle-Product Learning With Errors - Inria · PDF fileMiddle-Product Learning With Errors...

Documents

Transcript of Middle-Product Learning With Errors - Inria · PDF fileMiddle-Product Learning With Errors...