module lwe vs ring lwe
play

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of - PowerPoint PPT Presentation

Feb 02, 2024 •208 likes •990 views

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56 Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state

  1. Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

  2. Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state parameter expansions in the reductions 2/56

  3. Outline 1. Definitions 2. Motivation for Ring/Module-LWE 3. Normal Form Secrets 4. “BLPRS13” Style Reductions 5. “Structure-Building” Reduction 3/56

  4. Section 1 Definitions 4/56

  5. Notation Vectors x ∈ Z n q : ◮ Entries integers modulo q , i.e. Z q ◮ Dimension n , i.e. x = ( x 0 , . . . , x n − 1 ) Ring elements r ∈ R q = Z q [ X ] / ( X n + 1): ◮ Coefficients integers modulo q ◮ Degree at most n − 1 i.e. r = r 0 + r 1 · X + · · · + r n − 1 · X n − 1 ∈ Z q [ X ] / ( X n + 1) ◮ Coefficient Embedding r = ( r 0 , . . . , r n − 1 ) ∈ Z n q 5/56

  6. Notation Module elements m ∈ R d q : ◮ A d -tuple of ring elements m = ( m 0 , . . . , m d − 1 ) ◮ Multiplication: m · n := m 0 n 0 + · · · + m d − 1 · n d − 1 Terminology : ◮ q is a “modulus” ◮ n is a “(ring) dimension” ◮ d is a “module rank” ◮ m is the number of samples 6/56

  7. Notation: Distributions ◮ U ( X ) - uniform distribution over set X 7/56

  8. Notation: Distributions ◮ U ( X ) - uniform distribution over set X ◮ χ σ - discrete gaussian over the integers, s.d. σ ◮ D Λ ,σ - discrete gaussian over lattice Λ, s.d. σ ◮ D Λ , r - discrete ellipsoidal gaussian with s.d.’s r i ∈ R 7/56

  9. Notation: Distributions ◮ U ( X ) - uniform distribution over set X ◮ χ σ - discrete gaussian over the integers, s.d. σ ◮ D Λ ,σ - discrete gaussian over lattice Λ, s.d. σ ◮ D Λ , r - discrete ellipsoidal gaussian with s.d.’s r i ∈ R ◮ D σ - continuous gaussian over R ◮ D r - continuous ellipsoidal gaussian over R n with s.d.’s r i 7/56

  10. Generic LWE Problem Framework Given some uniform random a , b = a · s + e : ◮ (search LWE) decode the noisy product b i.e. recover s from b for “small” e ◮ (decision LWE) distinguish b from uniform random 8/56

  11. Generic LWE Problem Framework Given some uniform random a , b = a · s + e : ◮ (search LWE) decode the noisy product b i.e. recover s from b for “small” e ◮ (decision LWE) distinguish b from uniform random Plain LWE sample: a ← Z n q ; s ← U or χ n σ , e ← χ σ ; b ∈ Z q a 1 e 1 b 1 a 2 e 2 b 2 . + a m = s a 1 a 2 … , … … … a m e m b m 8/56

  12. Distributions and Parameters ◮ Uniform a ◮ Error distribution: discrete gaussian e ← χ σ ◮ Secret distribution: uniform s or s ← χ n σ Plain LWE sample: a ← Z n q ; s ← χ n σ , e ← χ σ ; b ∈ Z q 9/56

  13. Distributions and Parameters ◮ Uniform a ◮ Error distribution: discrete gaussian e ← χ σ ◮ Secret distribution: uniform s or s ← χ n σ Plain LWE sample: a ← Z n q ; s ← χ n σ , e ← χ σ ; b ∈ Z q ◮ Absolute error σ ◮ Error rate α := σ/ q 9/56

  14. Practical Ring-LWE Let R q = Z q [ X ] / ( X n + 1). Given some uniform random a ∈ R q , ◮ (search) recover s ∈ R q from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random 10/56

  15. Practical Ring-LWE Let R q = Z q [ X ] / ( X n + 1). Given some uniform random a ∈ R q , ◮ (search) recover s ∈ R q from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random Error distribution: s , e ← χ n σ n a . s + e a = b , n 10/56

  16. Almost Proper Ring-LWE Given some uniform random a ∈ R q , ◮ (search) recover s ∈ ( R q ) d from b = 1 q a · s + e mod 1 for “small” e ∈ R q ◮ (decision) decide whether b = 1 q a · s + e mod 1 or b is random Notes: ◮ The error distribution is now continuous ◮ The discrete Gaussian distribution χ σ becomes continuous Gaussian D α where α := σ/ q ◮ Ignoring canonical embedding and dual ring 11/56

  17. Practical Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random 12/56

  18. Practical Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = a · s + e for “small” e ∈ R q ◮ (decision) decide whether b = a · s + e or b is random Error distribution: s ← χ nd σ , e ← χ n σ nd a . a + = s b e , n 12/56

  19. Almost Proper Module-LWE Given some uniform random a ∈ ( R q ) d , ◮ (search) recover s ∈ ( R q ) d from b = 1 q a · s + e mod 1 for “small” e ∈ R q ◮ (decision) decide whether b = 1 q a · s + e mod 1 or b is random Notes: ◮ The error distribution is now continuous ◮ The discrete Gaussian distribution χ σ becomes continuous Gaussian D α where α := σ/ q ◮ Once again, we ignore canonical embedding and dual ring 13/56

  20. Other Variants ◮ Learning with Rounding (LWR) ◮ Compact-LWE ◮ Binary-LWE ◮ And many more 14/56

  21. Section 2 Motivation for Ring-LWE/Module-LWE 15/56

  22. Efficiency vs. Security ◮ Representing n LWE samples: ◮ O ( n ) integers (Ring-LWE) ◮ O ( nd ) integers (Module-LWE) ◮ O ( n 2 ) integers (LWE) 16/56

  23. Efficiency vs. Security ◮ Representing n LWE samples: ◮ O ( n ) integers (Ring-LWE) ◮ O ( nd ) integers (Module-LWE) ◮ O ( n 2 ) integers (LWE) ◮ Lattice hardness: ◮ Ideal lattices SIVP (Ring-LWE) ◮ Module lattices SIVP (Module-LWE) ◮ General lattices SIVP (LWE) 16/56

  24. Flexibility of Module-LWE ◮ R = Z q [ X ] / ( X n + 1) for power-of-two n ◮ Effective Ring-LWE dimensions: 256 , 512 , 1024 , 2048 , . . . ◮ Effective Module-LWE dimensions: 256 · d , d = 1 , 2 , . . . Note: The cost of multiplying using Module-LWE is larger than the cost of multiplying for Ring-LWE of the same effective dimension. 17/56

  25. Section 3 Transforming Secret Distributions 18/56

  26. Normal Form LWE Lemma Let q be prime. Given m > n uniform secret LWE samples ( A , b ) ∈ Z n × m × Z m q , we can produce m − n normal form LWE q samples ( A ′ , b ′ ) ∈ Z n × ( m − n ) × Z ( m − n ) (with significant probability q q 1 − O (1 / q ) ). 19/56

  27. Normal Form LWE Lemma Let q be prime. Given m > n uniform secret LWE samples ( A , b ) ∈ Z n × m × Z m q , we can produce m − n normal form LWE q samples ( A ′ , b ′ ) ∈ Z n × ( m − n ) × Z ( m − n ) (with significant probability q q 1 − O (1 / q ) ). Proof. 1. Write A = [ A 1 | A 2 ] where A 1 ∈ Z n × n is invertible. q 2. b = [ b 1 | b 2 ] T := [ A 1 | A 2 ] T s + [ e 1 | e 2 ] T 3. Set A ′ := − A − 1 1 A 2 , b ′ := A ′ T b 1 + b 2 = A ′ e 1 + e 2 . 19/56

  28. Non-Uniform Secret − → Uniform Secret Lemma Given a LWE sample ( a , b ) with non-uniform secret s, we can obtain a LWE sample ( a , ˜ b ) with a uniform secret ˜ s. Proof. 1. Sample s ′ ← U . 2. Output LWE sample � � b := b + a · s ′ = a · ( s ′ + s ) + e = ( a , a · ( s ′ + s ) + e ). a , ˜ 20/56

  29. Section 4 BLPRS13 Style Reductions 21/56

  30. Modulus-Dimension Switching LWE Reduction 1 Lemma There exists a reduction from → LWE m , n ′ = n / k , q ′ = q k , D β where β = O ( α √ n ) . LWE m , n , q , D α − “We can reduce the dimension at the cost of increasing the modulus while changing the error rate by a √ n factor without decreasing hardness.” 1 Z. Brakerski, A. Langlois, C. Peikert, O. Regev, D. St´ ehle. Classical hardness of learning with errors. STOC13 22/56

  31. Reduction Intuition Goal Find a reduction (i.e. transformation F ) such that the original LWE distribution almost maps to the target LWE distribution where the effect that F has on the secret is reversible. F (LWE) ∼ indist. LWE ′ a ′ ∈ Z n / k F a ∈ Z n − → q q k s ′ ∈ Z n / k F s ∈ Z n − → q q k � 1 � 1 � � b ′ = q k a ′ · s ′ + e ′ F b = q a · s + e mod 1 − → mod 1 23/56

  32. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 24/56

  33. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 q 3 a ′ · s ′ ≡ 0 + 1 1 q a · s + 1 = ⇒ q 2 ( a 0 · s 1 + a 1 · s 2 ) + . . . mod 1 ≅ 1 q a · s mod 1 24/56

  34. Reduction Intuition n = 3 , n / k = 1 a ′ = a 0 + qa 1 + q 2 a 2 s ′ = s 2 + qs 1 + q 2 s 0 q 3 a ′ · s ′ ≡ 0 + 1 1 q a · s + 1 = ⇒ q 2 ( a 0 · s 1 + a 1 · s 2 ) + . . . mod 1 ≅ 1 q a · s mod 1 Therefore take b ′ = b 24/56

  35. A Closer Look at the Error Distribution Want to analyse the distribution of: b ′ − 1 q n a ′ · s ′ = e − � q j − i − 1 a j s i i > j Problem: ◮ q j − i − 1 a j s i are not continuous gaussians ✗ 25/56

  36. INTERLUDE: Fixing a “Bad” Error Distribution - Discrete Version Aim Given bad non-Gaussian distribution ˆ e , make it look like a discrete Gaussian. How? Drown by adding a wide discrete Gaussian i.e. consider ˆ e + χ σ 26/56

  37. Fixing a “Bad” Error Distribution - Discrete Version 0.35 0.3 0.25 0.2 0.15 0.1 0.05 -4 -2 2 4 27/56

  38. Drowning ( σ = 3) 0.14 0.12 0.1 0.08 0.06 0.04 0.02 -15 -10 -5 5 10 15 28/56

  39. Drowning ( σ = 10) 0.04 0.03 0.02 0.01 -30 -20 -10 10 20 30 29/56

  40. Drowning ( σ = 10) 0.04 0.03 0.02 0.01 -4 -2 2 4 30/56

Recommend

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G.

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G.

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G. Paterson Royal Holloway, University of London September 12, 2018 1 / 30 Cold boot attack scenario Originally investigated by [HSHCPCFAF09]

1.16k views • 48 slides
On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

( ) On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory Symposium Okayama University of Science Masahisa Sato Aichi University & University of Yamanashi 13:10-13:40

514 views • 25 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3

WebEOC Training 1 Topics Module 1 WebEOC Overview Module 2 Getting Started Module 3 Status Boards Position Log Request for Assistance Mission/Task Significant Events Module 4 Forms Module 5 Links Module 6

847 views • 72 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio

Canadian Bioinformatics Workshops www.bioinformatics.ca Module #: Title of Module 2 Module bio informatics .ca Module 7 Data Visualization Anamaria Crisan Learning Objectives of Module Understand the process of encoding and decoding

1.31k views • 79 slides
Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 3 Supervisory Transition Module 3: Superivsory Transition 1 Objectives Learn about

Module 2 was an overview about leadership. But, how do we or did we gain an opportunity to lead? Module 3 gives us insight into transitioning from an employee into a supervisor and/or manager. 0 Module 3 Supervisory Transition Module 3:

1.03k views • 18 slides
Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

Module 12 Effective Communication, The Who Stakeholder Identification & Engagement 1 Module

As you learned to take your leadership vision and create a progressive strategy in Module 11, it should be apparent that our stakeholders are a priority. Module 12 identifies how to effectively communicate with our stakeholders. 0 Module 12

473 views • 15 slides
Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 -

Agenda Module 1 - Risk, Volatility & Timescale Module 2 - Asset Allocation Module 3 - Identifying the Building Blocks Module 4 - Reviewing a portfolio This Module Active vs Passive investing Off the shelf solutions Trackers and ETFs and

648 views • 32 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

1 The objectives of this e-module are to learn how to register for a Data Universal Numbering

Welcome to our e-module series on How to Work with USAID. This e- module is the first part on Registering for Federal Award Systems and focuses on DUNS registration. This e-module is geared towards non- governmental organizations

498 views • 22 slides
6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ

6.15 Module 15: Research and Presentation Module Title Research and Presentation Module NFQ Level (only if an NFQ level can be 7 demonstrated) Module number/Reference BAAMT206 Parent Programme BA (Hons) in Audio and Music Technology Stage

340 views • 6 slides
Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE

Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE

Emergency Management Roles and Responsibilities Joe Myers Agenda MODULE 1 WHAT IS MODULE 2 MODULE 3 LAWS MODULE 4 UTILIZING MODULE 5 BLUE MODULE 6 FUNDING EMERGENCY COURTHOUSE AND AUTHORITIES THE UNIFIED

654 views • 40 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms II. Universal localisations III. Recollements Throughout, A will denote a ring (with unit) and K a field. I. Ring epimorphisms Ring epimorphisms

418 views • 5 slides
os Module Today File I/O from last time Behind the scenes, this module loads a module

os Module Today File I/O from last time Behind the scenes, this module loads a module

os Module Today File I/O from last time Behind the scenes, this module loads a module for your particular operating system Slides 38-48 The os and sys modules Regardless of your actual OS, Python imports os The exec()

346 views • 11 slides
Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res esona onator tors s Initial patterning and update by Agn iuiulkait Uppsala University Motivation Fabricate magneto-plasmonic

321 views • 28 slides
Evil Module 1 Module 3 OS OS Module 2 Module 4 Safe? Safe? Yes! Yes! 5 6 1 5/23/10

Evil Module 1 Module 3 OS OS Module 2 Module 4 Safe? Safe? Yes! Yes! 5 6 1 5/23/10

5/23/10 A Travel Story Bryan Parno, Jonathan McCune, Adrian Perrig Carnegie Mellon University 1 2 Does program P compute F? Trust is CriAcal Is F what the programmer intended? Will I regret having done this? X Other Y Other F X Alice Y

429 views • 5 slides
Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed

Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed

Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed to do a noise audit. This module covers the following topics: Conducting basic noise measurements Assessing hearing protection use

506 views • 21 slides
Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB Ring-HF 1 Elektrische Anlagen im AEB Ring HF BG1016 Sicherheitsbelehrung AEB Ring-HF 2 Elektr. Anlagen im BG1016 Netzgerte fr

290 views • 17 slides

More recommend