Oded Regev, Tel-Aviv University: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

49 pages
Posted 21-Dec-2015

Transcript of the slides

Page 1: Title

Oded Regev, Tel-Aviv University
On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

Page 2: Outline

• Introduction to lattices
• Main theorem: a hard learning problem
• Application: a stronger and more efficient public key cryptosystem
• Proof of main theorem
  • Overview
  • Part I: Quantum
  • Part II: Classical

Page 3: Lattices

Basis: v1, …, vn vectors in R^n

The lattice L is
  L = { a1 v1 + … + an vn | ai integers }

The dual lattice of L is
  L* = { x | ∀ y ∈ L, ⟨x, y⟩ ∈ Z }

[Figure: a two-dimensional lattice with basis v1, v2; labelled points 0, v1, v2, 2v1, v1+v2, 2v2, 2v2-v1, 2v2-2v1]

Page 4: Shortest Vector Problem (SVP)

• SVP: Given a lattice, find an approximately shortest vector

[Figure: a lattice with basis v1, v2 and the origin 0]

Page 5: Closest Vector Problem (CVP_d)

• CVP_d: Given a lattice and a target vector within distance d, find the closest lattice point

[Figure: a lattice, the origin 0 and a target vector v]
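The definitions on pages 3 to 5 (lattice, dual lattice, SVP, CVP_d), worked through in code. This is an added example, not code from the slides or from Regev; the basis vectors, the coefficient window and the target vector are constructed for illustration. The dual basis is computed as B^{-T} with exact rational arithmetic, and membership in L* is checked against the basis vectors only, which suffices by linearity. The SVP and CVP solvers here are brute-force enumeration over a finite window, exponential in the dimension, which is fine for a two-dimensional picture but is not an algorithm for the problems the talk is about.

```python
from fractions import Fraction as F
from itertools import product

# Constructed basis for a 2-dimensional lattice (not the basis drawn on the slide).
V1 = (2, 0)
V2 = (1, 2)
BASIS = (V1, V2)


def lin_comb(basis, coeffs):
    """a1*v1 + ... + an*vn, the lattice point with integer coefficients `coeffs`."""
    dim = len(basis[0])
    return tuple(sum(c * v[i] for c, v in zip(coeffs, basis)) for i in range(dim))


def inner(x, y):
    """Standard inner product <x, y>."""
    return sum(a * b for a, b in zip(x, y))


def lattice_window(basis, bound):
    """Every lattice point whose coefficients all satisfy |ai| <= bound: a finite window of L."""
    ranges = product(range(-bound, bound + 1), repeat=len(basis))
    return {lin_comb(basis, coeffs) for coeffs in ranges}


def dual_basis_2d(v1, v2):
    """Dual basis of a 2-D lattice: the columns of B^{-T}, where B has v1, v2 as columns.
    Exact rational arithmetic so that integrality checks are meaningful."""
    det = F(v1[0]) * v2[1] - F(v1[1]) * v2[0]
    u1 = (F(v2[1]) / det, F(-v2[0]) / det)
    u2 = (F(-v1[1]) / det, F(v1[0]) / det)
    return u1, u2


def in_dual(x, basis):
    """x lies in L* iff <x, v_i> is an integer for every basis vector v_i
    (by linearity that already covers every y in L)."""
    return all(F(inner(x, v)).denominator == 1 for v in basis)


def shortest_vector(basis, bound):
    """Brute-force SVP over the window: exponential in the dimension, fine for a 2-D picture."""
    nonzero = [p for p in lattice_window(basis, bound) if any(p)]
    return min(nonzero, key=lambda p: inner(p, p))


def closest_vector(basis, target, bound):
    """Brute-force CVP over the window: the lattice point nearest to `target`."""
    def dist2(p):
        return sum((a - b) ** 2 for a, b in zip(p, target))
    return min(lattice_window(basis, bound), key=dist2)


if __name__ == "__main__":
    u1, u2 = dual_basis_2d(V1, V2)
    print("dual basis:", u1, u2)
    print("2v1+v2 =", lin_comb(BASIS, (2, 1)), " 2v2-2v1 =", lin_comb(BASIS, (-2, 2)))
    print("shortest vector:", shortest_vector(BASIS, 3))
    print("closest to (1, 1):", closest_vector(BASIS, (1, 1), 3))
```

For the constructed basis the dual basis comes out as (1/2, -1/4) and (0, 1/2); the point (1/2, 1/4) has integer inner products with both basis vectors and so lies in L*, while (1/2, 0) does not, since its inner product with v2 is 1/2.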

Page 6: Main Theorem

Hardness of Learning

Page 7: Learning from parity with error

• Let s ∈ Z_2^n be a secret
• We have random equations modulo 2 with error (everything independent):
    s2 + s3 + s4 + s6 + … + sn ≈ 0
    s1 + s2 + s4 + s6 + … + sn ≈ 1
    s1 + s3 + s4 + s5 + … + sn ≈ 1
    s2 + s3 + s4 + s6 + … + sn ≈ 0
    …
• Without error, it's easy!

Page 8: Learning from parity with error

• More formally, we need to learn s from samples of the form (t, ⟨s,t⟩ + e) where t is chosen uniformly from Z_2^n and e is a bit that is 1 with probability 10%.
• Easy algorithms need 2^{O(n)} equations/time
• Best algorithm needs 2^{O(n/log n)} equations/time [BlumKalaiWasserman'00]
• Open question: why is this problem so hard?

Page 9: Learning modulo p

• Fix some p < poly(n)
• Let s ∈ Z_p^n be a secret
• We have random equations modulo p with error:
    2s1 + 0s2 + 2s3 + 1s4 + 2s5 + 4s6 + … + 4sn ≈ 2
    0s1 + 1s2 + 5s3 + 0s4 + 6s5 + 6s6 + … + 2sn ≈ 4
    6s1 + 5s2 + 2s3 + 0s4 + 5s5 + 2s6 + … + 0sn ≈ 2
    6s1 + 4s2 + 4s3 + 4s4 + 3s5 + 3s6 + … + 1sn ≈ 5
    …

Page 10: Learning modulo p

• More formally, we need to learn s from samples of the form (t, ⟨s,t⟩ + e) where t is chosen uniformly from Z_p^n and the error e is chosen from Z_p
• Easy algorithms need 2^{O(n log n)} equations/time
• Best algorithm needs 2^{O(n)} equations/time [BlumKalaiWasserman'00]
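The sample form on pages 8 and 10, and the remark on page 7 that the problem is easy without error, as an added example that is not code from the slides or from Regev. The sample generator produces (t, ⟨s,t⟩ + e) mod p; the error model is a constructed simplification (with probability `noise_rate` a uniformly random nonzero error, otherwise none), which for p = 2 is exactly the bit that is 1 with the given probability. `solve_noiseless` is plain Gauss-Jordan elimination over Z_p, so it assumes p is prime; it recovers s from n linearly independent noiseless equations, and the test shows how a single flipped equation already makes it return a wrong secret, which is the whole point of adding the error.

```python
import random


def lwe_samples(secret, p, m, noise_rate, rng):
    """m samples (t, <s,t> + e mod p) with t uniform in Z_p^n.
    Constructed error model: with probability noise_rate, e is a uniform nonzero element of Z_p
    (for p = 2 this is exactly the bit that is 1 with probability noise_rate), otherwise e = 0."""
    n = len(secret)
    samples = []
    for _ in range(m):
        t = [rng.randrange(p) for _ in range(n)]
        value = sum(ti * si for ti, si in zip(t, secret)) % p
        if rng.random() < noise_rate:
            value = (value + rng.randrange(1, p)) % p
        samples.append((t, value))
    return samples


def solve_noiseless(samples, p):
    """Gauss-Jordan elimination over Z_p (p prime). Returns the s determined by the first n
    pivot rows, or None if the t's do not span Z_p^n. Correct only when every e is 0."""
    n = len(samples[0][0])
    rows = [list(t) + [b] for t, b in samples]
    pivot_row = 0
    for col in range(n):
        piv = next((r for r in range(pivot_row, len(rows)) if rows[r][col] % p), None)
        if piv is None:
            return None
        rows[pivot_row], rows[piv] = rows[piv], rows[pivot_row]
        inv = pow(rows[pivot_row][col], -1, p)        # modular inverse (Python 3.8+)
        rows[pivot_row] = [(x * inv) % p for x in rows[pivot_row]]
        for r in range(len(rows)):
            if r != pivot_row and rows[r][col] % p:
                factor = rows[r][col]
                rows[r] = [(x - factor * y) % p for x, y in zip(rows[r], rows[pivot_row])]
        pivot_row += 1
    return [rows[i][n] for i in range(n)]


def satisfied_fraction(samples, candidate, p):
    """Fraction of the equations that a candidate secret satisfies exactly."""
    hits = sum(1 for t, b in samples
               if sum(ti * ci for ti, ci in zip(t, candidate)) % p == b)
    return hits / len(samples)


def demo(p, n, m, seed, noise_rate):
    """Solve a noiseless instance, then run the same elimination on a noisy one."""
    rng = random.Random(seed)
    secret = [rng.randrange(p) for _ in range(n)]
    clean = lwe_samples(secret, p, m, 0.0, rng)
    noisy = lwe_samples(secret, p, m, noise_rate, rng)
    return {
        "secret": secret,
        "from_clean": solve_noiseless(clean, p),
        "from_noisy": solve_noiseless(noisy, p),
        "noisy_samples": noisy,
    }


if __name__ == "__main__":
    out = demo(7, 6, 30, 1, 0.1)
    print("secret      :", out["secret"])
    print("noiseless   :", out["from_clean"])
    print("with errors :", out["from_noisy"], "satisfies",
          satisfied_fraction(out["noisy_samples"], out["from_noisy"], 7), "of the equations")
```

With errors present, elimination still returns some vector (it is determined by whichever n equations became pivots), but that vector is generally not s; the slide's 2^{O(n)} and 2^{O(n/log n)} algorithms are what it takes once the errors cannot be eliminated away.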

Page 11: Main Theorem

Learning modulo p is as hard as worst-case lattice problems using a quantum reduction

• In other words: solving the problem implies an efficient quantum algorithm for lattices

Page 12: Equivalent formulation

• For m = poly(n), let C be a random m×n matrix with elements in Z_p. Given Cs + e for some s ∈ Z_p^n and some noise vector e ∈ Z_p^m, recover s.
• This is the problem of decoding from a random linear code

Page 13: Why Quantum?

• As part of the reduction, we need to perform a certain algorithmic task on lattices
• We do not know how to do it classically, only quantumly!

Page 14: Why Quantum?

• We are given an oracle that solves CVP_d for some small d
• As far as I can see, the only way to generate inputs to this oracle is:
  • Somehow choose x ∈ L
  • Let y be some random vector within distance d of x
  • Call the oracle with y
• The answer is x. But we already know the answer!!
• Quantumly, being able to compute x from y is very useful: it allows us to transform the state |y,x⟩ to the state |y,0⟩ reversibly (and then we can apply the quantum Fourier transform)

[Figure: a lattice point x and a nearby vector y]

Page 15: Application: New Public Key Encryption Scheme

Page 16: Previous lattice-based PKES [AjtaiDwork96, GoldreichGoldwasserHalevi97, R'03]

• Main advantages:
  • Based on a lattice problem
  • Worst-case hardness
• Main disadvantages:
  • Based only on unique-SVP
  • Impractical (think of n as ≈100):
    • Public key size O(n^4)
    • Encryption expands by O(n^2)

Page 17: Ajtai's recent PKES [Ajtai05]

• Main advantages:
  • Practical (think of n as ≈100):
    • Public key size O(n)
    • Encryption expands by O(n)
• Main disadvantages:
  • Not based on a lattice problem
  • No worst-case hardness

Page 18: New lattice-based PKES [This work]

• Main advantages:
  • Worst-case hardness
  • Based on the main lattice problems (SVP, SIVP)
  • Practical (think of n as ≈100):
    • Public key size O(n)
    • Encryption expands by O(n)
  • Breaking the cryptosystem implies an efficient quantum algorithm for lattices
  • In fact, security is based on the learning problem (no quantum needed here)

Page 19: The Cryptosystem

• Everything modulo 4
• Private key: 4 random numbers: 1 2 0 3
• Public key: a 6×4 matrix and approximate inner products with the private key (the exact value of each inner product, known only to the holder of the private key, is given in parentheses):
    2·1 + 0·2 + 1·0 + 2·3 ≈ 1   (exact value 0)
    1·1 + 2·2 + 2·0 + 3·3 ≈ 2   (exact value 2)
    0·1 + 2·2 + 0·0 + 3·3 ≈ 1   (exact value 1)
    1·1 + 2·2 + 0·0 + 2·3 ≈ 0   (exact value 3)
    0·1 + 3·2 + 1·0 + 3·3 ≈ 3   (exact value 3)
    3·1 + 3·2 + 0·0 + 2·3 ≈ 2   (exact value 3)
  Seen from the public key alone, the private key is unknown:
    2·? + 0·? + 1·? + 2·? ≈ 1
    1·? + 2·? + 2·? + 3·? ≈ 2
    0·? + 2·? + 0·? + 3·? ≈ 1
    1·? + 2·? + 0·? + 2·? ≈ 0
    0·? + 3·? + 1·? + 3·? ≈ 3
    3·? + 3·? + 0·? + 2·? ≈ 2
• Encrypt the bit 0:
    3·? + 2·? + 1·? + 0·? ≈ 3
• Encrypt the bit 1:
    3·? + 2·? + 1·? + 0·? ≈ 1
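The cryptosystem of page 19 in running code, as an added example that is not code from the slides or from Regev. Key generation publishes a random matrix A together with b = A·s + e mod q (the "approximate inner products"); encryption of a bit sums a random subset of the rows and of their approximate inner products and adds q/2 for the bit 1, matching the slide where the ciphertexts of 0 and 1 share the same left-hand side and differ by 2 on the right; decryption subtracts ⟨u, s⟩ and checks whether what remains is nearer to 0 or to q/2. The error model (each e_i uniform in [-err, err]) is a constructed simplification, and the parameters n = 8, m = 40, q = 257 used for the round-trip check are also constructed: with q = 4 as on the slide the accumulated error can exceed q/4, so the slide's instance is a picture of the structure rather than a working parameter set. The slide's matrix, private key and approximate values are typed in to check that the key-generation formula reproduces them with the constructed errors shown.

```python
import random


def public_key_from(A, s, e, q):
    """b_i = <a_i, s> + e_i mod q: the 'approximate inner products' published next to the matrix."""
    return [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]


def keygen(n, m, q, rng, err=1):
    """Private key: s in Z_q^n. Public key: a random m x n matrix A over Z_q together with
    b = A*s + e, where each error e_i is drawn from [-err, err] (constructed error model)."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-err, err) for _ in range(m)]
    return s, (A, public_key_from(A, s, e, q))


def encrypt(pk, bit, q, rng):
    """Choose a random subset of the rows, sum those rows and their approximate inner products,
    and add q/2 when the bit is 1 (on the slide the ciphertexts of 0 and 1 differ by exactly that shift)."""
    A, b = pk
    m, n = len(A), len(A[0])
    subset = [i for i in range(m) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % q for j in range(n)]
    v = (sum(b[i] for i in subset) + bit * (q // 2)) % q
    return u, v


def decrypt(s, ct, q):
    """v - <u, s> mod q equals the sum of the chosen errors (bit 0) or that plus q/2 (bit 1);
    decide by whether the result is nearer to 0 or to q/2."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % q
    return 0 if min(d, q - d) < q // 4 else 1


def roundtrip_ok(n, m, q, seed, trials=50, err=1):
    """True when every encryption of 0 and of 1 decrypts correctly. Guaranteed once the
    accumulated error m*err stays below q/4, which is why q = 4 on the slide is only a picture."""
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng, err)
    return all(decrypt(s, encrypt(pk, bit, q, rng), q) == bit
               for _ in range(trials) for bit in (0, 1))


# The slide's toy instance, typed in by hand: everything mod 4, private key 1 2 0 3, a 6 x 4 matrix.
SLIDE_Q = 4
SLIDE_S = [1, 2, 0, 3]
SLIDE_A = [[2, 0, 1, 2], [1, 2, 2, 3], [0, 2, 0, 3],
           [1, 2, 0, 2], [0, 3, 1, 3], [3, 3, 0, 2]]
SLIDE_E = [1, 0, 0, 1, 0, -1]   # constructed errors that turn the exact products into the slide's approximate ones


if __name__ == "__main__":
    print("slide public key b =", public_key_from(SLIDE_A, SLIDE_S, SLIDE_E, SLIDE_Q))
    print("n=8, m=40, q=257 round trip ok:", roundtrip_ok(8, 40, 257, 7))
```

The public key is m·n elements plus m approximate products, the O(n) public key size and O(n) expansion claimed on page 18 once m is taken proportional to n; the security argument is that the published (A, b) is an instance of the learning problem of pages 9 to 12.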

Page 20: Proof of the Main Theorem: Overview

Page 21: Gaussian Distribution

• Define a Gaussian distribution on a lattice (normalization omitted)
• We can efficiently sample from D_r for large r = 2^n

Page 22: The Reduction

• Assume the existence of an algorithm for the learning modulo p problem for p = 2^√n
• Our lattice algorithm:
  • r = 2^n
  • Take poly(n) samples from D_r
  • Repeat:
    • Given poly(n) samples from D_r, compute poly(n) samples from D_{r/2}
    • Set r ← r/2
  • When r is small, output a short vector

Page 23: [Figure: the distribution D_r]

Page 24: [Figure: the distribution D_{r/2}]

Page 25: Obtaining D_{r/2} from D_r

• Lemma 1: Given poly(n) samples from D_r, and an oracle for 'learning modulo p', we can solve CVP_{p/r} in L*
  • No quantum here
• Lemma 2: Given a solution to CVP_d in L*, we can obtain samples from D_{√n/d}
  • Quantum
  • Based on the quantum Fourier transform

Here p = 2^√n. Since a solver for CVP_{p/r} also solves CVP_d for any smaller d, taking d = 2√n/r (which is below p/r for large n) makes Lemma 2 produce samples from D_{√n/d} = D_{r/2}.

Page 26: The reduction as an alternating chain

  Samples from D_r in L
    ↓ classical, uses the learning oracle
  Solution to CVP_{p/r} in L*
    ↓ quantum
  Samples from D_{r/2} in L
    ↓ classical, uses the learning oracle
  Solution to CVP_{2p/r} in L*
    ↓ quantum
  Samples from D_{r/4} in L
    ↓ classical, uses the learning oracle
  Solution to CVP_{4p/r} in L*
    ↓ quantum
  …

Page 27: Fourier Transform

[Figure: the primal world (L) on the left and the dual world (L*) on the right, related by the Fourier transform]

Page 28: Fourier Transform

• The Fourier transform of D_r is given by:
• Its value is
  • 1 for x in L*,
  • e^{-1} at points of distance 1/r from L*,
  • ≈ 0 at points far away from L*.

Page 29: Proof of the Main Theorem

Lemma 2: Obtaining D_{√n/d} from CVP_d

Page 30: From CVP_d to D_{√n/d}

• Assume we can solve CVP_d; we'll show how to obtain samples from D_{√n/d}
• Step 1: Create the quantum state by adding a Gaussian to each lattice point and uncomputing the lattice point by using the CVP algorithm

Page 31: From CVP_d to D_{√n/d}

• Step 2: Compute the quantum Fourier transform of the state. It is exactly D_{√n/d}!!
• Step 3: Measure and obtain one sample from D_{√n/d}
• By repeating this process, we can obtain poly(n) samples

Page 32: From CVP_d to D_{√n/d}

• More precisely, create the state
• And the state
• Tensor them together and add the first to the second
• Uncompute the first register by solving CVP_{p/r}

Page 33: Proof of the Main Theorem

Lemma 1: Solving CVP_{p/r} given samples from D_r and an oracle for learning mod p

Page 34: It's enough to approximate f_{p/r}

• Lemma: being able to approximate f_{p/r} implies a solution to CVP_{p/r}
• Proof idea – walk uphill:
  • f_{p/r}(x) is bounded away from 0 for points x at distance < p/r
  • Keep making small modifications to x as long as f_{p/r}(x) increases
  • Stop when f_{p/r}(x) = 1 (then we are on a lattice point)

Page 35: What's ahead in this part

• For warm-up, we show how to approximate f_{1/r} given samples from D_r
  • No need for learning
  • This is the main idea in [AharonovR'04]
• Then we show how to approximate f_{2/r} given samples from D_r and an oracle for the learning problem
• Approximating f_{p/r} is similar

Page 36: Warm-up: approximating f_{1/r}

• Let's write f_{1/r} in its Fourier representation:
• Using samples from D_r, we can compute a good approximation to f_{1/r} (this is the main idea in [AharonovR'04])

Page 37: [Figure]

Page 38: Fourier Transform

• Consider the Fourier representation again:
• For x ∈ L*, ⟨w,x⟩ is an integer for all w in L and therefore we get f_{1/r}(x) = 1
• For x that is close to L*, ⟨w,x⟩ is distributed around an integer. Its standard deviation can be (say) 1.
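The warm-up of pages 36 and 38 (approximating f_{1/r} from samples of D_r, and the behaviour of ⟨w,x⟩ on and near L*), as an added example that is not code from the slides or from Regev. The slides' formula for the Fourier representation is not reproduced in this transcript, so the example assumes the standard one: f_{1/r}(x) = Σ_w D_r(w) cos(2π⟨w,x⟩), with D_r(w) proportional to exp(-π(w/r)^2); that normalisation and the one-dimensional lattice L = C·Z (so L* = (1/C)·Z), with C = 1 and r = 20, are constructed choices. `f_exact` evaluates the sum from the enumerated distribution, `f_estimate` is the sample average that page 36 says suffices, and `mean_distance_to_integer` measures how far ⟨w,x⟩ strays from the integers, which is zero exactly on L* as page 38 states.

```python
import math
import random

# Assumptions (not from the slides): a one-dimensional lattice L = C*Z, so L* = (1/C)*Z,
# and D_r gives lattice point w probability proportional to exp(-pi * (w/r)^2).
C = 1.0
R = 20.0


def discrete_gaussian(c=C, r=R, window=10):
    """Lattice points within window*r of the origin and their D_r probabilities
    (the weight left outside the window is below exp(-pi*window^2), negligible)."""
    k_max = int(window * r / c) + 1
    points = [c * k for k in range(-k_max, k_max + 1)]
    weights = [math.exp(-math.pi * (w / r) ** 2) for w in points]
    total = sum(weights)
    return points, [wt / total for wt in weights]


def sample_dr(count, seed, c=C, r=R):
    """count samples from D_r (exact sampling from the enumerated distribution)."""
    points, probs = discrete_gaussian(c, r)
    return random.Random(seed).choices(points, weights=probs, k=count)


def f_exact(x, c=C, r=R):
    """f_{1/r}(x) = sum_w D_r(w) * cos(2*pi*<w,x>): the Fourier transform of D_r,
    real-valued because D_r is symmetric. Computed from the enumerated distribution."""
    points, probs = discrete_gaussian(c, r)
    return sum(p * math.cos(2 * math.pi * w * x) for w, p in zip(points, probs))


def f_estimate(x, samples):
    """The same quantity estimated from samples only: the empirical mean of cos(2*pi*<w,x>)."""
    return sum(math.cos(2 * math.pi * w * x) for w in samples) / len(samples)


def mean_distance_to_integer(x, samples):
    """Average distance of <w,x> from the nearest integer over the samples:
    exactly 0 when x is in L*, growing as x moves away from L*."""
    return sum(abs(w * x - round(w * x)) for w in samples) / len(samples)


if __name__ == "__main__":
    samples = sample_dr(20000, seed=3)
    for x in (0.0, 1.0, 1 / (4 * R), 1 / R, 0.5):
        print(f"x={x:<8.4f} exact={f_exact(x):.4f} estimate={f_estimate(x, samples):.4f} "
              f"<w,x> off-integer by {mean_distance_to_integer(x, samples):.4f}")
```

By Poisson summation, f_{1/r}(x) with this normalisation equals Σ_{y ∈ L*} exp(-π r^2 (x - y)^2) up to a negligible correction, so it is 1 on L*, e^{-π} at distance exactly 1/r under this convention, and essentially 0 half-way between dual lattice points; the sample average tracks the exact value to within the usual 1/√(number of samples).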

Page 39: Approximating f_{2/r}

• Main idea: partition D_r into 2^n distributions
• For t ∈ (Z_2)^n, denote the translate t by D_r^t
• Given a lattice point we can compute its t
• The probability on (Z_2)^n obtained by sampling from D_r and outputting t is close to uniform

[Figure: the four translates of a two-dimensional lattice, labelled 0,0  0,1  1,0  1,1]

Page 40: Approximating f_{2/r}

• Hence, by using samples from D_r we can produce samples from the following distribution on pairs (t,w):
  • Sample t ∈ (Z_2)^n uniformly at random
  • Sample w from D_r^t
• Consider the Fourier transform of D_r^t

Page 41: [Figure]

Page 42: [Figure]

Page 43: Approximating f_{2/r}

• The functions f^t_{2/r} look almost like f_{2/r}
• The only difference is that some Gaussians have their sign flipped
• Approximating f^t_{2/r} is enough: we can easily take the absolute value and obtain f_{2/r}
• For this, however, we need to obtain several pairs (t,w) for the same t
• The problem is that each sample (t,w) has a different t!

Page 44: Approximating f_{2/r}

• Fix x close to L*
• The sign of its Gaussian is ±1 depending on ⟨s,t⟩ mod 2 for some s ∈ (Z_2)^n that depends only on x
• The distribution of ⟨x,w⟩ mod 2 when w is sampled from D_r^t is centred around ⟨s,t⟩ mod 2
• Hence, we obtain equations modulo 2 with error:
    ⟨s,t1⟩ ≈ ⌊⟨x,w1⟩⌉ mod 2
    ⟨s,t2⟩ ≈ ⌊⟨x,w2⟩⌉ mod 2
    ⟨s,t3⟩ ≈ ⌊⟨x,w3⟩⌉ mod 2
    …
  (⌊·⌉ denotes rounding to the nearest integer)

Page 45: Approximating f_{2/r}

• Using the learning algorithm, we solve these equations and obtain s
• Knowing s, we can cancel the sign
• Averaging over enough samples gives us an approximation to f_{2/r}

Page 46: Open Problems 1/4

• Dequantize the reduction:
  • This would lead to the 'ultimate' lattice-based cryptosystem (based on SVP, efficient)
  • Main obstacle: what can one do classically with a solution to CVP_d?
• Construct even more efficient schemes based on special classes of lattices such as cyclic lattices
  • For hash functions this was done by Micciancio

Page 47: Open Problems 2/4

• Extend to learning from parity (i.e., p = 2) or even some constant p
  • Is there something inherently different about the case of constant p?
• Use the 'learning mod p' problem to derive other lattice-based hardness results
  • Recently, used by Klivans and Sherstov to derive hardness of learning problems

Page 48: Open Problems 3/4

• Cryptanalysis
  • Current attacks limited to low dimension [NguyenStern98]
  • New systems [Ajtai05, R05] are efficient and can be easily used with dimension 100+
• Security against chosen-ciphertext attacks
  • Known lattice-based cryptosystems are not secure against CCA

Page 49: Open Problems 4/4

• Comparison with number theoretic cryptography
  • E.g., can one factor integers using an oracle for n-approximate SVP?
• Signature schemes
  • Can one construct provably secure lattice-based signature schemes?