On error distributions in ring-based LWE Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik Vercauteren 1 , 3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 0 / 21
Motivation for LWE 1981 A basic concept of a quantum computer by Feynman 1994 Shor’s algorithm ◮ Factorization and DLP are easy ◮ Broken: RSA, Diffie-Hellman, ECDLP etc. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 1 / 21
Motivation for LWE 1981 A basic concept of a quantum computer by Feynman 1994 Shor’s algorithm ◮ Factorization and DLP are easy ◮ Broken: RSA, Diffie-Hellman, ECDLP etc. 1995 First quantum logic gate by Monroe, Meekhof, King, Itano and Wineland 14 12 10 Qubits 8 6 4 2 1995 2000 2006 2011 Year ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 1 / 21
Motivation for LWE 2016 CNSA Suite and Quantum Computing FAQ by NSA “Many experts predict a quantum computer capable of effectively breaking public key cryptography within a few decades, and therefore NSA believes it is important to address that concern.” NIST report on post-quantum crypto “We must begin now to prepare our information secu- rity systems to be able to resist quantum computing.” ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 2 / 21
Learning With Errors (LWE) The LWE problem (Regev, ‘05): solve a linear system with noise b 1 a 11 a 12 . . . a 1 , n s 1 e 1 b 2 a 21 a 22 . . . a 2 , n s 2 e 2 = · + . . . . . . ... . . . . . . . . . . . . b m a m 1 a m 2 . . . a m , n s n e m over a finite field F q for a secret ( s 1 , s 2 , . . . , s n ) ∈ F n q where ◮ a modulus q = poly ( n ) ◮ the a ij ∈ F q are chosen uniformly randomly, ◮ an adversary can ask for new equations ( m > n ). ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 3 / 21
Learning With Errors (LWE) The LWE problem is easy when ∀ e i = 0. b 1 a 11 a 12 . . . a 1 , n s 1 . . . b 2 a 21 a 22 a 2 , n s 2 = · . . . . . ... . . . . . . . . . . b m a m 1 a m 2 . . . a m , n s n Gaussian elimination solves the problem. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 4 / 21
Learning With Errors (LWE) The LWE problem is easy when ∀ e i = 0. b 1 a 11 a 12 . . . a 1 , n s 1 . . . b 2 a 21 a 22 a 2 , n s 2 = · . . . . . ... . . . . . . . . . . b m a m 1 a m 2 . . . a m , n s n Gaussian elimination solves the problem. Otherwise, LWE might be hard. b 1 a 11 a 12 . . . a 1 , n s 1 e 1 b 2 a 21 a 22 . . . a 2 , n s 2 e 2 = · + . . . . . . ... . . . . . . . . . . . . b m a m 1 a m 2 . . . a m , n s n e m Gaussian elimination amplifies errors. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 4 / 21
Learning With Errors (LWE) The errors e i are sampled independently from a Gaussian with standard deviation σ > 2 √ n : F p −√ n √ n 0 When viewed jointly, the error vector e 1 . . . e m is sampled from a spherical Gaussian. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 5 / 21
Learning With Errors (LWE) LWE is tightly related to classical lattice problems. ◮ Bounded Distance Decoding (BDD) R m b ≡ A · s + e Given b , find the closest point of the q -ary lattice { w ∈ Z m | ∃ s ∈ Z n : w ≡ A · s mod q } ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 6 / 21
Learning With Errors (LWE) LWE is tightly related to classical lattice problems. ◮ Shortest Vector Problem (SVP) R m Given a basis, find a shortest non-zero vector of the lattice. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 7 / 21
Learning With Errors (LWE) LWE is tightly related to classical lattice problems. ◮ Shortest Vector Problem (SVP) R m Given a basis, find a shortest non-zero vector of the lattice. ◮ LWE is at least as hard as worst-case SVP-type problems (Regev‘05, Peikert‘09). ◮ Not known to be broken by quantum computers. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 7 / 21
Learning With Errors (LWE) Known attacks for q = poly ( n ) : Time Samples 2 O ( n log n ) Trial and error O ( n ) 2 O ( n ) 2 O ( n ) Blum, Kalai, Wasserman ‘03 2 O ( σ 2 log n ) 2 O ( σ 2 log n ) Arora, Ge ‘11 ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 8 / 21
Learning With Errors (LWE) Known attacks for q = poly ( n ) : Time Samples 2 O ( n log n ) Trial and error O ( n ) 2 O ( n ) 2 O ( n ) Blum, Kalai, Wasserman ‘03 2 O ( σ 2 log n ) 2 O ( σ 2 log n ) Arora, Ge ‘11 Idea: if all errors (almost) certainly lie in {− T , . . . , T } , then T � ( a 1 s 1 + a 2 s 2 + · · · + a n s n − b + i ) = 0 . i = − T View as linear system of equations in ≈ n 2 T monomials. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 8 / 21
Learning With Errors (LWE) Known attacks for q = poly ( n ) : Time Samples 2 O ( n log n ) Trial and error O ( n ) 2 O ( n ) 2 O ( n ) Blum, Kalai, Wasserman ‘03 2 O ( σ 2 log n ) 2 O ( σ 2 log n ) Arora, Ge ‘11 Idea: if all errors (almost) certainly lie in {− T , . . . , T } , then T � ( a 1 s 1 + a 2 s 2 + · · · + a n s n − b + i ) = 0 . i = − T View as linear system of equations in ≈ n 2 T monomials. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 8 / 21
Learning With Errors (LWE) Application: public-key encryption of a bit (Regev’05). ◮ Private key: s ∈ F n q . ◮ Public key pair: ( A , b = A · s + e ) . ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 9 / 21
Learning With Errors (LWE) Application: public-key encryption of a bit (Regev’05). ◮ Private key: s ∈ F n q . ◮ Public key pair: ( A , b = A · s + e ) . ◮ Encrypt: pick random row vector r T ∈ { 0 , 1 } m ⊂ F m q . Output the pair � r T · b if the bit is 0, c T := r T · A and d := r T · b + ⌊ q / 2 ⌋ if the bit is 1. ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 9 / 21
Learning With Errors (LWE) Application: public-key encryption of a bit (Regev’05). ◮ Private key: s ∈ F n q . ◮ Public key pair: ( A , b = A · s + e ) . ◮ Encrypt: pick random row vector r T ∈ { 0 , 1 } m ⊂ F m q . Output the pair � r T · b if the bit is 0, c T := r T · A and d := r T · b + ⌊ q / 2 ⌋ if the bit is 1. ◮ Decryption of pair c T , d : compute � 0 if bit was 0, d − c T · s = d − r T · A · s = d − r T b − r T e ≈ ⌊ q / 2 ⌋ if bit was 1. ↑ small enough ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 9 / 21
Learning With Errors (LWE) ◮ Features: ◮ Hardness reduction from classical lattice problems ◮ Linear operations ◮ simple and efficient implementation ◮ highly parallelizable ◮ Source of exciting applications ◮ FHE, attribute-based encryption for arbitrary access policies, general-purpose code obfuscation ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 10 / 21
Learning With Errors (LWE) ◮ Features: ◮ Hardness reduction from classical lattice problems ◮ Linear operations ◮ simple and efficient implementation ◮ highly parallelizable ◮ Source of exciting applications ◮ FHE, attribute-based encryption for arbitrary access policies, general-purpose code obfuscation ◮ Drawback: key size. ◮ To hide the secret one needs an entire linear system: b 1 a 11 a 12 . . . a 1 , n s 1 e 1 b 2 a 21 a 22 . . . a 2 , n s 2 e 2 · = + . . . . . . ... . . . . . . . . . . . . b m a m 1 a m 2 . . . a m , n s n e m ↑ ↑ ↑ m log p mn log p n log p ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 10 / 21
Ring-based LWE ◮ Identify vector space F n with R q = Z [ x ] / ( q , f ( x )) q for some irreducible monic f ( x ) ∈ Z [ x ] s.t. deg f = n , by viewing s 1 + s 2 x + · · · + s n x n − 1 . ( s 1 , s 2 , . . . , s n ) as ANTS-XII, Kaiserslautern, August 29, 2016 On error distributions in ring-based LWE 11 / 21
Recommend
More recommend