Connections between Learning with Errors and the Dihedral Coset Problem
Elena Kirshanova, joint work with Zvika Brakerski, Damien Stehlé, and Weiqiang Wen
LWE and DCP

Dimension: $n$, modulus: $q = \mathrm{poly}(n)$.

LWE: Given $(a_1, \langle a_1, s\rangle + e_1 \bmod q), \ldots, (a_m, \langle a_m, s\rangle + e_m \bmod q)$ with $\|e\| \ll q$, find $s$.

DCP: Given $|0, x_1\rangle + |1, x_1 + s \bmod N\rangle, \ldots, |0, x_\ell\rangle + |1, x_\ell + s \bmod N\rangle$, find $s$.

LWE $\le$ DCP [Regev'02]. Does not improve upon classical algorithms:
BKW / lattices: $2^{O\left(n \cdot \left(\frac{\log q}{\log q - \log e_i}\right)^2\right)}$; Kuperberg: $2^{O(\log \ell + \log N / \log \ell)}$.
The reduction produces $\ell = \mathrm{poly}(n)$, $N = 2^{n^2}$.
Inverse direction

Is DCP $\le$ LWE?
◮ might give strong evidence for quantum hardness of LWE
◮ DCP might be too 'hard' for LWE: DCP $\le$ SubsetSum$_{1}$ [Reg'02], but SubsetSum$_{c/\log n}$ $\le$ LWE $\le$ Vec.SubsetSum$_{>1/\log n}$

No, but we show that EDCP $\le$ LWE.
Extended DCP

EDCP is DCP for a distribution $D$: the state $\sum_{j \in \mathrm{sup}(D)} D(j)\, |j\rangle |x + j \cdot s\rangle$ replaces $|0\rangle|x\rangle + |1\rangle|x + s\rangle$.

G-EDCP$_{n,q,r}$: $\sum_{j \in \mathbb{Z}} \rho_r(j)\, |j\rangle |x + j \cdot s\rangle$.
U-EDCP$_{n,q,M}$: $\sum_{j=0}^{M-1} |j\rangle |x + j \cdot s\rangle$.

Main result: LWE $\iff$ G-EDCP $\iff$ U-EDCP $<$ DCP (each $\iff$ hides polynomial losses).

Parameters (subscripts: dimension, modulus, st. dev.):
LWE$_{n,q,\,q/(r \cdot \mathrm{poly}(n))}$ $\le$ G-EDCP$_{n,q,r}$ $\le$ U-EDCP$_{n,q,c \cdot r}$ $\le$ DCP$_{2^{n \log q}}$, where G-EDCP $\le$ U-EDCP uses quantum rejection sampling (Ozols et al.);
in the other direction, G-EDCP$_{n,q,\,r/\sqrt{n}}$ $\le$ LWE$_{n,q,\,q/r}$.
Results via average-case lattice problems [Reg02]+[LM09]

LWE$_{n,q,\,q/(r \cdot \mathrm{poly}(n))}$ $\le$ G-EDCP$_{n,q,r}$ $\le$ U-EDCP$_{n,q,c \cdot r}$ $\le$ DCP$_{2^{n \log q}}$ (compared with $N = 2^{n^2}$ in [Reg'02]).

1-dim UDCP was already considered in [Childs–van Dam'07]: $\sum_{j=0}^{M-1} |j\rangle |x + j \cdot s \bmod 2^n\rangle$.
$M$: $2^{n/c}$ in [CvD'07], $2^{\sqrt{n}}$ in [Brakerski et al.]; runtime: $\mathrm{poly}(n)$ in both.
Chain: U-EDCP$_{1,2^n,M}$ $\le$ G-EDCP$_{1,2^n,M}$ $\le$ LWE$_{1,2^n,\,2^n/M}$ $\le$ LWE$_{\sqrt{n},\,2^{\sqrt{n}},\,2^{\sqrt{n}}/M}$.
G-EDCP $\le$ LWE

From the G-EDCP state $\sum_{j \in \mathbb{Z}} \rho_r(j)\, |j\rangle |x + j \cdot s \bmod q\rangle$ we want an LWE sample $\sum_{e \in \mathbb{Z}_q} \rho_{1/r}(e/q)\, |\langle a, s\rangle + e\rangle$, in two steps: (1) QFT$_q$ on the second register, which is then measured to obtain $a$; (2) QFT on the first register.

(1): $\sum_{a \in \mathbb{Z}_q^n} \sum_{j \in \mathbb{Z}} \omega_q^{\langle x + j \cdot s,\, a\rangle} \cdot \rho_r(j)\, |j\rangle |a\rangle$

(2): $\sum_{b \in \mathbb{Z}_q} \sum_{j \in \mathbb{Z}} \omega_q^{j \cdot (\langle a, s\rangle + b)} \cdot \rho_r(j)\, |b\rangle \xrightarrow{\mathrm{PSF}} \sum_{b \in \mathbb{Z}_q} \sum_{j \in \mathbb{Z}} \rho_{1/r}\!\left(j + \frac{\langle a, s\rangle + b}{q}\right) |b\rangle$
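As an added, runnable illustration of steps (1) and (2) (example code written for this page, not from the talk or the paper), the following pure-Python simulation carries the G-EDCP-to-LWE reduction through on a small constructed instance: the dimension $n = 2$, modulus $q = 17$, Gaussian parameter $r = 4$, secret $s$, shift $x$ and measured outcome $a$ are all values chosen here, and the infinite sum over $j$ is truncated at $\pm 5r$ where $\rho_r$ is negligible. It builds the state, applies the QFT to the second register, conditions on the outcome $a$, applies the QFT to the first register, and compares the resulting distribution over $b$ with the Poisson-summation closed form: the measured $b$ is $-\langle a, s\rangle$ plus a Gaussian error of width $q/r$, i.e. an LWE sample.

```python
import cmath
import math
from collections import defaultdict


def rho(x, width):
    """Gaussian weight rho_width(x) = exp(-pi * x^2 / width^2)."""
    return math.exp(-math.pi * x * x / (width * width))


def omega(q, exponent):
    """Primitive q-th root of unity raised to an integer exponent."""
    return cmath.exp(2j * math.pi * (exponent % q) / q)


def inner(u, v, q):
    return sum(ui * vi for ui, vi in zip(u, v)) % q


def all_vectors(q, n):
    """Enumerate Z_q^n as tuples."""
    if n == 0:
        yield ()
        return
    for head in range(q):
        for tail in all_vectors(q, n - 1):
            yield (head,) + tail


def gedcp_state(x, s, q, r, trunc):
    """Normalized G-EDCP state sum_j rho_r(j) |j>|x + j*s mod q>, j in [-trunc, trunc]."""
    norm = math.sqrt(sum(rho(j, r) ** 2 for j in range(-trunc, trunc + 1)))
    state = {}
    for j in range(-trunc, trunc + 1):
        y = tuple((xi + j * si) % q for xi, si in zip(x, s))
        state[(j, y)] = rho(j, r) / norm
    return state


def qft_second_register(state, q, n):
    """Step (1): |y> -> q^{-n/2} sum_a w^{<y,a>} |a> on the second register."""
    out = defaultdict(complex)
    scale = q ** (-n / 2)
    for (j, y), amp in state.items():
        for a in all_vectors(q, n):
            out[(j, a)] += scale * omega(q, inner(y, a, q)) * amp
    return out


def measure_second_register(state, a):
    """Condition on outcome a: returns (Pr[a], normalized amplitudes over j)."""
    phi = {j: amp for (j, aa), amp in state.items() if aa == a}
    prob = sum(abs(v) ** 2 for v in phi.values())
    return prob, {j: v / math.sqrt(prob) for j, v in phi.items()}


def qft_first_register(phi, q):
    """Step (2): |j> -> q^{-1/2} sum_b w^{j b} |b>; well defined for any integer j."""
    return [sum(amp * omega(q, j * b) for j, amp in phi.items()) / math.sqrt(q)
            for b in range(q)]


def psf_distribution(a, s, q, r, k_max=8):
    """Closed form of step (2) via Poisson summation:
    amplitude(b) ~ sum_k rho_{1/r}(k + (<a,s> + b)/q), returned as a probability vector."""
    t0 = inner(a, s, q)
    amps = [sum(rho(k + (t0 + b) / q, 1 / r) for k in range(-k_max, k_max + 1))
            for b in range(q)]
    total = sum(v * v for v in amps)
    return [v * v / total for v in amps]


def centered(e, q):
    e %= q
    return e - q if e > q // 2 else e


def run_reduction(x, s, q, r, a, trunc=None):
    """Simulate the reduction; with this QFT sign convention b ~ -<a,s> + e,
    so (-a mod q, b) is an LWE sample with error e of width q/r."""
    n = len(s)
    trunc = trunc or int(5 * r)
    psi1 = qft_second_register(gedcp_state(x, s, q, r, trunc), q, n)
    prob_a, phi = measure_second_register(psi1, tuple(a))
    probs_b = [abs(v) ** 2 for v in qft_first_register(phi, q)]
    b_star = max(range(q), key=lambda b: probs_b[b])
    return {"prob_a": prob_a, "probs_b": probs_b, "b": b_star,
            "error": centered(b_star + inner(a, s, q), q)}


def error_mass(probs_b, a, s, q, bound):
    """Probability that the LWE error |b + <a,s> mod q| is at most `bound`."""
    t0 = inner(a, s, q)
    return sum(p for b, p in enumerate(probs_b) if abs(centered(b + t0, q)) <= bound)


if __name__ == "__main__":
    # Constructed instance: s, x and the measured a are arbitrary choices.
    res = run_reduction(x=(7, 11), s=(3, 5), q=17, r=4.0, a=(4, 9))
    print("Pr[a] =", res["prob_a"], "(uniform over Z_q^n)")
    print("most likely b =", res["b"], "error =", res["error"])
    print("mass within |e| <= 3:", error_mass(res["probs_b"], (4, 9), (3, 5), 17, 3))
```

The measured $a$ is uniform (its probability is exactly $q^{-n}$), and the distribution over $b$ computed by the two QFTs agrees with the PSF expression to floating-point precision, which is the content of the arrow in step (2).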
Open questions

◮ how to make use of several shifts (exact complexity of Kuperberg's algorithm with multiple shifts).
◮ trade samples vs. shifts: a UDCP self-reduction allowing to trade $\ell$ for $M$?
◮ extend quantum rejection sampling to Ring-LWE states