Session #5: Learning With Errors
Chris Peikert, Georgia Institute of Technology
Winter School on Lattice-Based Cryptography and Applications, Bar-Ilan University, Israel, 19 Feb 2012 – 22 Feb 2012
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012
Last Time...
◮ SIS: find a "short" nonzero $z \in \mathbb{Z}^m$ such that $A z = 0 \in \mathbb{Z}_q^n$, where $A = [a_1 \mid a_2 \mid \cdots \mid a_m] \in \mathbb{Z}_q^{n \times m}$. Equivalently: find "small" nontrivial $z_1, \ldots, z_m \in \mathbb{Z}$ such that $z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = 0 \in \mathbb{Z}_q^n$.
◮ This talk: a complementary problem, Learning With Errors
Overview of LWE Hardness
◮ Worst-case GapSVP, SIVP ≤ search-LWE, via a quantum reduction [R'05]; a classical reduction from GapSVP is known for large q [P'09]
◮ search-LWE ≤ decision-LWE [BFKL'94, R'05, P'09, ...]
◮ decision-LWE ≤ crypto [R'05, PW'08, GPV'08, ...]
History of LWE
Crypto papers with "something new" regarding LWE:
Learning With Errors [Regev'05]
◮ Dimension n (security param), modulus q ≥ 2, 'error rate' α ≪ 1
◮ Search: find $s \in \mathbb{Z}_q^n$ given 'noisy random inner products' (all arithmetic mod q)
  $a_1 \leftarrow \mathbb{Z}_q^n,\; b_1 = \langle s, a_1 \rangle + e_1$
  $a_2 \leftarrow \mathbb{Z}_q^n,\; b_2 = \langle s, a_2 \rangle + e_2$
  ...
  In matrix form: $A = [a_1 \mid \cdots \mid a_m]$, $b^t = s^t A + e^t$
  Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$ with parameter $\alpha q$, where $\alpha \cdot q > \sqrt{n}$
◮ Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$ pairs
  Generalizes LPN (q = 2, Bernoulli noise) [AL'88, BFKL'94, ...]
◮ Why error $\alpha q > \sqrt{n}$?
  ⋆ Required by worst-case hardness proofs [R'05, P'09]
  ⋆ There's an $\exp((\alpha q)^2)$-time attack for smaller error! [AG'11]
SIS versus LWE
SIS: given A, find 'short' $z \neq 0$ with $A z = 0$
◮ 'Computational' (search) problem a la factoring, CDH
◮ Many valid solutions z
◮ Applications: OWF / CRHF, signatures, ID schemes ('minicrypt')

LWE: distinguish $(A, b^t = s^t A + e^t)$ vs. $(A, b^t)$ with $b^t$ uniform
◮ 'Decisional' problem a la QR, DCR, DDH
◮ Unique solution s (w/ short e)
◮ LWE ≤ SIS: if $A z = 0$, then $b^t z = e^t z$ is small for LWE samples, but for uniform $b^t$ the value $b^t z$ is 'well-spread'
◮ SIS ≤ LWE ?? (stay till Wed...)
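The following is an added example, not code from the slides: it implements the LWE sampler from the definition above (search instance $b^t = s^t A + e^t$) and the LWE ≤ SIS argument from this slide. Everything about it is an assumption for illustration: the toy parameters (n = 8, q = 8191, m = 32, αq = 4, far too small to be secure), the error distribution (a rounded continuous Gaussian standing in for the discrete Gaussian χ), and the fact that the short kernel vector z is planted into A rather than found, since finding it for a uniform A is exactly the SIS problem the reduction assumes an oracle for.

```python
"""Toy Learning With Errors (LWE) sampler plus the LWE <= SIS distinguisher.

Added example for the LWE definition and the "SIS versus LWE" slide; it is not
code from the original slides. Parameters are tiny and insecure (n = 8), chosen
only to make the arithmetic visible; real instances use n in the hundreds with
q and alpha set by the worst-case hardness theorems.
"""
import math
import random

# Toy parameters (assumed for the demo; far too small to be secure).
N = 8          # dimension n (security parameter)
Q = 8191       # modulus q
M = 32         # number of samples m
ALPHA_Q = 4.0  # Gaussian parameter alpha*q; must exceed sqrt(n) ~ 2.83


def sample_error(rng, alpha_q=ALPHA_Q):
    """e <- chi: Gaussian of parameter alpha*q over Z.

    The slides use the discrete Gaussian; rounding a continuous Gaussian with
    standard deviation alpha*q / sqrt(2*pi) is a close, commonly used stand-in.
    """
    return int(round(rng.gauss(0.0, alpha_q / math.sqrt(2.0 * math.pi))))


def uniform_matrix(rng, n=N, m=M, q=Q):
    """A in Z_q^{n x m}, stored as a list of m columns a_i in Z_q^n."""
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


def lwe_b(rng, s, A, q=Q):
    """Noisy inner products: b_i = <s, a_i> + e_i mod q, i.e. b^t = s^t A + e^t."""
    e = [sample_error(rng) for _ in A]
    b = [(sum(si * ai for si, ai in zip(s, a)) + ei) % q for a, ei in zip(A, e)]
    return b, e


def plant_short_kernel(rng, A, q=Q):
    """Overwrite the last column of A so that A z = 0 mod q for a known short z.

    For a uniform A, finding such a z is exactly SIS (the hard part); the demo
    plants one to stand in for an SIS solver's output. z has entries in
    {-1, 0, 1} with z_m = 1, so A z = sum_i z_i a_i = 0 forces
    a_m = -(z_1 a_1 + ... + z_{m-1} a_{m-1}) mod q.
    """
    m, n = len(A), len(A[0])
    z = [rng.choice((-1, 0, 1)) for _ in range(m - 1)] + [1]
    a_last = [(-sum(z[i] * A[i][j] for i in range(m - 1))) % q for j in range(n)]
    return A[:-1] + [a_last], z


def times_vector(A, z, q=Q):
    """A z mod q, a vector in Z_q^n (A given as columns)."""
    n = len(A[0])
    return [sum(zi * a[j] for zi, a in zip(z, A)) % q for j in range(n)]


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def looks_like_lwe(b, z, q=Q):
    """The slide's test: if A z = 0 then b^t z = e^t z is small for LWE
    samples, while for uniform b^t the value b^t z is spread over all of Z_q."""
    return abs(centered(sum(bi * zi for bi, zi in zip(b, z)), q)) < q // 8


def demo(seed=1, trials=200):
    """Run the distinguisher once on LWE samples and `trials` times on uniform b.

    Returns (kernel_ok, lwe_accepted, e_dot_z_recovered, uniform_accept_rate).
    """
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]           # secret s in Z_q^n
    A, z = plant_short_kernel(rng, uniform_matrix(rng))
    kernel_ok = times_vector(A, z) == [0] * N

    b, e = lwe_b(rng, s, A)
    lwe_accepted = looks_like_lwe(b, z)
    # With A z = 0 the secret cancels, so b^t z mod q is literally e^t z.
    e_dot_z_recovered = centered(sum(bi * zi for bi, zi in zip(b, z))) == sum(
        ei * zi for ei, zi in zip(e, z))

    uniform_hits = sum(
        looks_like_lwe([rng.randrange(Q) for _ in range(M)], z) for _ in range(trials))
    return kernel_ok, lwe_accepted, e_dot_z_recovered, uniform_hits / trials


if __name__ == "__main__":
    print(demo())
```

The threshold q/8 is arbitrary: for LWE samples $|e^t z| \le \sum_i |e_i|$ when $z \in \{-1,0,1\}^m$, which is tens, not thousands, so the LWE side always passes, while a uniform $b^t z$ lands in the window only about a quarter of the time. The distinguishing advantage is large precisely because $z$ is short; a long kernel vector would let $e^t z$ wrap around mod q and the test would tell nothing.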