
Session #5: Learning With Errors Chris Peikert Georgia Institute - PowerPoint PPT Presentation

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications,


  1. Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/15

  2. Last Time...
     ◮ SIS: find “small” nontrivial $z_1, \ldots, z_m \in \mathbb{Z}$ such that:
       $\mathbf{a}_1 \;\; \mathbf{a}_2 \;\; \cdots \;\; \mathbf{a}_m \in \mathbb{Z}_q^n$

  3. Last Time...
     ◮ SIS: find “small” nontrivial $z_1, \ldots, z_m \in \mathbb{Z}$ such that:
       $z_1 \cdot \mathbf{a}_1 + z_2 \cdot \mathbf{a}_2 + \cdots + z_m \cdot \mathbf{a}_m = \mathbf{0} \in \mathbb{Z}_q^n$

  4. Last Time...
     ◮ SIS: find “short” nonzero $\mathbf{z} \in \mathbb{Z}^m$ such that:
       $\underbrace{\mathbf{A}}_{m} \, \mathbf{z} = \mathbf{0} \in \mathbb{Z}_q^n$

  5. Last Time...
     ◮ SIS: find “short” nonzero $\mathbf{z} \in \mathbb{Z}^m$ such that:
       $\underbrace{\mathbf{A}}_{m} \, \mathbf{z} = \mathbf{0} \in \mathbb{Z}_q^n$
     ◮ This talk: a complementary problem, Learning With Errors

  6. Overview of LWE Hardness
     GapSVP, SIVP ≤ search-LWE (quantum) [R’05]
     GapSVP ≤ search-LWE (classical, large $q$) [P’09]
     search-LWE ≤ decision-LWE [BFKL’94, R’05, P’09, ...]
     decision-LWE ≤ crypto [R’05, PW’08, GPV’08, ...]

  7. History of LWE Crypto papers with “something new” regarding LWE:

  8. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$

  9. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{a}_1 \leftarrow \mathbb{Z}_q^n, \quad b_1 = \langle \mathbf{s}, \mathbf{a}_1 \rangle + e_1$
       $\mathbf{a}_2 \leftarrow \mathbb{Z}_q^n, \quad b_2 = \langle \mathbf{s}, \mathbf{a}_2 \rangle + e_2$
       $\vdots$

  10. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{a}_1 \leftarrow \mathbb{Z}_q^n, \quad b_1 = \langle \mathbf{s}, \mathbf{a}_1 \rangle + e_1$
       $\mathbf{a}_2 \leftarrow \mathbb{Z}_q^n, \quad b_2 = \langle \mathbf{s}, \mathbf{a}_2 \rangle + e_2$
       $\vdots$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$

  11. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{a}_1 \leftarrow \mathbb{Z}_q^n, \quad b_1 = \langle \mathbf{s}, \mathbf{a}_1 \rangle + e_1$
       $\mathbf{a}_2 \leftarrow \mathbb{Z}_q^n, \quad b_2 = \langle \mathbf{s}, \mathbf{a}_2 \rangle + e_2$
       $\vdots$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$
     ◮ Decision: distinguish $(\mathbf{a}_i, b_i)$ from uniform $(\mathbf{a}_i, b_i)$ pairs

  12. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{A} = \begin{pmatrix} | & & | \\ \mathbf{a}_1 & \cdots & \mathbf{a}_m \\ | & & | \end{pmatrix}, \quad \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$
     ◮ Decision: distinguish $(\mathbf{a}_i, b_i)$ from uniform $(\mathbf{a}_i, b_i)$ pairs

  13. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{A} = \begin{pmatrix} | & & | \\ \mathbf{a}_1 & \cdots & \mathbf{a}_m \\ | & & | \end{pmatrix}, \quad \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$
     ◮ Decision: distinguish $(\mathbf{a}_i, b_i)$ from uniform $(\mathbf{a}_i, b_i)$ pairs
       Generalizes LPN ($q = 2$, Bernoulli noise) [AL’88, BFKL’94, ...]

  14. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{A} = \begin{pmatrix} | & & | \\ \mathbf{a}_1 & \cdots & \mathbf{a}_m \\ | & & | \end{pmatrix}, \quad \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$
     ◮ Decision: distinguish $(\mathbf{a}_i, b_i)$ from uniform $(\mathbf{a}_i, b_i)$ pairs
       Generalizes LPN ($q = 2$, Bernoulli noise) [AL’88, BFKL’94, ...]
     ◮ Why error $\alpha q > \sqrt{n}$?
       ⋆ Required by worst-case hardness proofs [R’05, P’09]

  15. Learning With Errors [Regev’05]
     ◮ Dimension $n$ (security param), modulus $q \geq 2$, ‘error rate’ $\alpha \ll 1$
     ◮ Search: find $\mathbf{s} \in \mathbb{Z}_q^n$ given ‘noisy random inner products’
       $\mathbf{A} = \begin{pmatrix} | & & | \\ \mathbf{a}_1 & \cdots & \mathbf{a}_m \\ | & & | \end{pmatrix}, \quad \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t$
       Errors $e_i \leftarrow \chi$ = Gaussian over $\mathbb{Z}$, param $\alpha q$; $\alpha \cdot q > \sqrt{n}$
     ◮ Decision: distinguish $(\mathbf{a}_i, b_i)$ from uniform $(\mathbf{a}_i, b_i)$ pairs
       Generalizes LPN ($q = 2$, Bernoulli noise) [AL’88, BFKL’94, ...]
     ◮ Why error $\alpha q > \sqrt{n}$?
       ⋆ Required by worst-case hardness proofs [R’05, P’09]
       ⋆ There’s an $\exp((\alpha q)^2)$-time attack! [AG’11]

  16. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$

  17. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$

  18. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH

  19. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH

  20. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH
       ◮ Unique solution $\mathbf{s}$ (w/short $\mathbf{e}$)

  21. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
       ◮ LWE ≤ SIS: if $\mathbf{A}\mathbf{z} = \mathbf{0}$, then $\mathbf{b}^t \mathbf{z} = \mathbf{e}^t \mathbf{z}$ is small, but $\mathbf{b}^t \mathbf{z}$ is ‘well-spread’
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH
       ◮ Unique solution $\mathbf{s}$ (w/short $\mathbf{e}$)

  22. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
       ◮ LWE ≤ SIS: if $\mathbf{A}\mathbf{z} = \mathbf{0}$, then $\mathbf{b}^t \mathbf{z} = \mathbf{e}^t \mathbf{z}$ is small, but $\mathbf{b}^t \mathbf{z}$ is ‘well-spread’
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH
       ◮ Unique solution $\mathbf{s}$ (w/short $\mathbf{e}$)
       ◮ SIS $\overset{??}{\leq}$ LWE (stay till Wed...)

  23. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
       ◮ LWE ≤ SIS: if $\mathbf{A}\mathbf{z} = \mathbf{0}$, then $\mathbf{b}^t \mathbf{z} = \mathbf{e}^t \mathbf{z}$ is small, but $\mathbf{b}^t \mathbf{z}$ is ‘well-spread’
       ◮ Applications: OWF / CRHF, signatures, ID schemes
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH
       ◮ Unique solution $\mathbf{s}$ (w/short $\mathbf{e}$)
       ◮ SIS $\overset{??}{\leq}$ LWE (stay till Wed...)

  24. SIS versus LWE
     SIS: $\mathbf{A}\mathbf{z} = \mathbf{0}$, ‘short’ $\mathbf{z} \neq \mathbf{0}$
       ◮ ‘Computational’ (search) problem a la factoring, CDH
       ◮ Many valid solutions $\mathbf{z}$
       ◮ LWE ≤ SIS: if $\mathbf{A}\mathbf{z} = \mathbf{0}$, then $\mathbf{b}^t \mathbf{z} = \mathbf{e}^t \mathbf{z}$ is small, but $\mathbf{b}^t \mathbf{z}$ is ‘well-spread’
       ◮ Applications: OWF / CRHF, signatures, ID schemes (‘minicrypt’)
     LWE: $(\mathbf{A}, \mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t)$ vs. $(\mathbf{A}, \mathbf{b}^t)$
       ◮ ‘Decisional’ problem a la QR, DCR, DDH
       ◮ Unique solution $\mathbf{s}$ (w/short $\mathbf{e}$)
       ◮ SIS $\overset{??}{\leq}$ LWE (stay till Wed...)
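
The "LWE ≤ SIS" bullet can be checked numerically. The sketch below is an added example, not code from the slides: it builds LWE samples $\mathbf{b}^t = \mathbf{s}^t \mathbf{A} + \mathbf{e}^t$ and compares $|\mathbf{b}^t \mathbf{z} \bmod q|$ against the same statistic for uniform $\mathbf{b}$. Assumptions: the short $\mathbf{z}$ is planted by construction (a real distinguisher would need an SIS solver to find it), a rounded Gaussian stands in for $\chi$, and the parameters are toy values chosen so that $\alpha q > \sqrt{n}$.

```python
import math
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def planted_sis_instance(n, m, q, rng):
    """A in Z_q^{n x m} with a planted short z (entries in {-1,0,1}, last
    entry 1) such that A z = 0 mod q. Constructed demo input: a real SIS
    solver would have to find z; here the last column of A is chosen to fit."""
    z = [rng.choice((-1, 0, 1)) for _ in range(m - 1)] + [1]
    A = [[rng.randrange(q) for _ in range(m - 1)] for _ in range(n)]
    for row in A:
        row.append(-sum(a * zi for a, zi in zip(row, z)) % q)
    return A, z

def lwe_sample(A, q, alpha, rng):
    """Return (b, e) with b^t = s^t A + e^t mod q for a fresh uniform s.
    Errors: rounded continuous Gaussian of parameter alpha*q (std dev
    alpha*q/sqrt(2*pi)), standing in for the discrete Gaussian chi."""
    n, m = len(A), len(A[0])
    s = [rng.randrange(q) for _ in range(n)]
    sigma = alpha * q / math.sqrt(2 * math.pi)
    e = [round(rng.gauss(0, sigma)) for _ in range(m)]
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return b, e

def statistic(b, z, q):
    """|b^t z mod q|, centered: equals |e^t z| for LWE since s^t A z = 0."""
    return abs(centered(sum(bj * zj for bj, zj in zip(b, z)), q))

def compare(n=16, m=64, q=3329, alpha_q=8.0, trials=200, seed=1):
    """Mean statistic over LWE samples vs. uniform b; alpha_q > sqrt(n) = 4."""
    rng = random.Random(seed)
    A, z = planted_sis_instance(n, m, q, rng)
    lwe = [statistic(lwe_sample(A, q, alpha_q / q, rng)[0], z, q)
           for _ in range(trials)]
    uni = [statistic([rng.randrange(q) for _ in range(m)], z, q)
           for _ in range(trials)]
    return sum(lwe) / trials, sum(uni) / trials

if __name__ == "__main__":
    print("mean |b^t z|: LWE %.1f, uniform %.1f" % compare())
```

For LWE samples the statistic stays near the size of $\mathbf{e}^t \mathbf{z}$, while for uniform $\mathbf{b}$ it averages about $q/4$, which is the gap a distinguisher thresholds on.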
