Transcript ppt

On Ideal Lattices
and
Learning With Errors Over Rings
Vadim Lyubashevsky
Chris Peikert
Oded Regev
Partly based on slides by Vadim
To appear in Eurocrypt 2010; see also survey prepared for CCC’2010
Overview of the
Learning With Errors Problem
Learning With Errors (LWE) Problem
• There is a secret vector s in qn (we'll use 174 as a running example)
• An oracle (who knows s) generates a random vector a in qn and
“small” noise element e in 
• The oracle outputs (a, b=<a,s>+e mod 17)
• This procedure is repeated with the same s and fresh a and e
• Our task is to find s
2
13
7
3
4
7
9
1
6
14
5
11
•
8
3
12
5
+
1
=
13
-1
12
2
3
Learning With Errors (LWE) Problem
• Once there are enough ai , the s is uniquely determined
• Thm [Regev'05] : There is a polynomial-time quantum reduction
from solving certain lattice problems in the worst case to solving LWE
a1
a2
...
am
s
+
e
=
b
Decision LWE Problem
a1
a2
...
World 1
a1
a2
s
+ e
= b
...
am
b
am
am
a1
a2
...
World 2
Decision
LWE
Oracle
b
uniformly
random in Zqm
I am in World 1 (or 2)
Search LWE < Decision LWE
• Idea: Use the Decision oracle to figure out the coefficients of s one at
a time
• Let g be our guess for the first coordinate
of s
• Repeat the following:
• Receive LWE pair (a,b)
2
13
7
3
·
8
+
1
=
13
3
a
12
b
5
• Pick random r in Z17
• Send sample below to the Decision Oracle
2+r 13
7
3
13+rg
• If g is right, then we are
sending a distribution from
World 1
• If g is wrong, then we are
sending a distribution from
World 2
• We will find the right g in
O(q) time
• Use the same idea to recover
all coefficients of s one at a
time
What is LWE useful for?

Public Key Encryption [Reg '05, Pei '09]

CCA-Secure PKE [PW ’08, Pei ’09]

Identity-Based Encryption [GPV '08]

Oblivious Transfer [PVW '08]

Circular-Secure Encryption [ACPS '09]


Hierarchical Identity-Based Encryption [CHKP
'09, ABB '09]
And more…
Public Key Encryption Based on LWE
Secret Key: s in Zqn
Public Key: A in Zqm x n , b=As+e
s
+ e
A
= b
represents 1
To encrypt a single bit z in {0,(q-1)/2}: Pick r in {0,1}m . Send (rA,<r,b>+z)
r
r
A
+
b
z
Proof of Semantic Security
r
s
A
+ e = b
r
+ z
A
b
r
A
b
1. The public key is
pseudo-random
based on LWE
A
b
2. If A,b is truly random, then the distribution
of r(A||b) (over r chosen from {0,1}m) is
statistically extremely close to uniform
Some Inefficiencies of
LWE-Based Schemes
r
s
A
+ e = b
public key is O(n2)
r
A
+ z
b
encryption of 1 bit requires O(n2) (or
O(n)) operations
Source of Inefficiency
2
13
7
3
·
8
+
1
=
3
12
13
• Getting just one extra randomlooking number requires n
random numbers!
5
• Wishful thinking: get n random numbers and produce
O(n) pseudo-random numbers in “one shot”
2
8
1
13
3
-1
7
3
*
12
5
+
2
-1
=
Cryptosystem Possibility
LWE-Based Cryptosystem
r
r
s
A
A
+ e = b
+ z
b
Wishful Thinking-Based Cryptosystem
r
s
A
+ e = b
r
A
b
+ z
Main Question
2
8
1
13
3
-1
7
3
*
12
5
+
2
=
-1
• How do we define multiplication so that the resulting distribution is pseudorandom?
(Coordinate-wise multiplication is not secure)
• Answer: Define it as multiplication of polynomials over some
carefully-chosen ring
• Similar ideas used in the heuristic design of NTRU [HPS98], and
in compact one-way functions [Mic02,PR06,LM06,…].
Our Results
0. We define a compact version of LWE called Ring-LWE
1. We show that Ring-LWE is as hard as (quantumly) solving
certain lattice problems in the worst case
•
A quantitatively weaker result was independently shown by Stehle,
Steinfeld, Tanaka, and Xagawa [SSTX’09] using different
techniques of independent interest.
2. We show that decision Ring-LWE is as hard as (search) RingLWE
•
Works with any cyclotomic ring
3. We demonstrate some basic cryptographic applications
Learning With Errors over Rings
The Search Ring-LWE Problem
• Let R be the ring q[x]/xn+1 for n a power of 2 and q a
prime satisfying q=1 (mod 2n).
s
e
b
a
• E.g., q=17, n=4, 17[x]/x4+1
2
8
1
8
• The secret s is now an element in R
• The elements a are chosen uniformly 13 * 3 + -1 = 1
7
12
2
16
from R
3
5
-1
6
• The coefficients of the noise
polynomial e are chosen as small independent normal vars
(a1, b1 = a1s+e1)
(a2, b2= a2s+e2)
…
(ak, bk = aks+ek)
Search
Ring-LWE
Solver
s
Our First Result:
Hardness of Search Ring-LWE
• We show that the search ring-LWE problem is as hard as
quantumly solving worst-case lattice problems on ideal
lattices
• In our running example, these are lattices satisfying that if
(x1,…,xn)L then also (x2,…,xn,-x1)L
• The result applies to rather general rings
• The proof is by adapting the proof of [R05] to rings
• The quantum part remains the same; only the classical part needs
to be adapted
Our First Result:
Hardness of Search Ring-LWE
• One technical issue is that the distribution of the
coefficients of the error polynomial e is Gaussian,
but unfortunately not a spherical one
• Luckily this does not cause any serious problems, and we
ignore it here
• It is possible to get hardness for the spherical noise case if
we restrict the number of ring-LWE samples (as in
[SSTX’09] or as a corollary to our main result)
Our Second Result:
Reducing
Search Ring-LWE
to
Decision Ring-LWE
Decision Ring-LWE Problem
World 1:
s in R
ai uniform in R
ei random and “small”
(a1, b1 = a1s+e1)
(a2, b2= a2s+e2)
…
(ak, bk = aks+ek)
World 2:
ai,bi uniform in R
(a1,b1)
(a2,b2)
…
(ak,bk)
Decision Ring-LWE
Oracle
I am in World 1 (or 2)
What We Want to Construct
s in R
ai uniform in R
ei random and “small”
(a1, b1 = a1s+e1)
(a2, b2= a2s+e2)
…
(ak, bk = aks+ek)
Search
Ring-LWE
Solver
I am in World 1 (or 2)
Decision
Ring-LWE
Oracle
s
Why Does the Search-to-Decision
Reduction for LWE not Work?
• Recall the reduction for LWE:
• Let g be our guess for the first coordinate of s (only 17 possibilities).
• Repeat the following:
2 13 7 3 · 8
1
• Receive LWE pair (a,b):
+
=
13
3
a
12
• Pick random r in Z17
• Send sample below to the Decision Oracle:
2+r 13
7
3
• Then:
1. If g is correct, we have legal LWE samples;
2. If g is incorrect, we have uniform samples
b
5
13+rg
Why Does the Search-to-Decision
Reduction for LWE not Work?
• Now consider what happens in ring-LWE:
• Repeat the following:
• Receive LWE pair (a,b):
a
s
e
b
2
8
-1
8
13
3
-1
16
7
• Pick random r in Z17
*
12
3
• Send sample to the Decision Oracle:
5
+
2
=
8
1
1
2+r
?
13
?
7
?
3
?
• How do we satisfy (1), namely, output legal ring-LWE samples? It
seems we have to guess n numbers!
The Ring q[x]/xn+1
• Let tq be such that tn=-1 (i.e., a root of xn+1).
• Then, for any p1,p2q[x]/xn+1, p1(t)·p2(t)=(p1·p2)(t), and
obviously p1(t)+p2(t)=(p1+p2)(t), hence the function mapping
p to p(t) is a ring homomorphism
• By our assumption that q=1 (mod 2n), the polynomial xn+1
has n roots in the field q,
t1=g(q-1)/2n, t3=g3(q-1)/2n, …, t2n-1=g(2n-1)(q-1)/2n
• Hence the mapping :Rnq that maps each pR to
n
(p(t1),…,p(t2n-1))q is a ring isomorphism, with both
addition and multiplication in 
n
q being
coordinate-wise
The Search Ring-LWE Problem
• So we can equivalently think of ring-LWE as follows:
n
• The secret is an element ŝ in q
• The elements â are chosen uniformly
n
from q
• Multiplication is coordinate-wise
• The coordinates of the noise
vector ê are chosen from some
‘strange’ distribution
(â1, b̂1 = â1ŝ+e1)
(â2, b̂2= â2ŝ+e2)
…
(âk, b̂k = âkŝ+ek)
â
ŝ
ê
b̂
2
8
9
8
13
3
7
3
Search
Ring-LWE
Solver

12
5
+
11
9
3
ŝ
=
16
8
1
Search-to-Decision Reduction for
Ring-LWE (better attempt)
• Let g be our guess for the first coordinate of ŝ (only 17 possibilities).
• Repeat the following:
• Receive LWE pair (â,b̂):
â
ŝ
ê
b̂
2
8
9
8
13
3
11
16
7
3
• Pick random r in Z17
• Send sample to the Decision Oracle:

12
5
+
9
=
8
3
1
2+r
8+rg
13
16
7
8
3
1
• Then:
1. If g is correct, we have legal ring-LWE samples! 
2. BUT if g is incorrect, we don’t have uniform samples 
A Hybrid Argument
Correct g
Wrong g
(
(
(
(
(
â1 â2 â3 â4
â1 â2 â3 â4
â1 â2 â3 â4
â1 â2 â3 â4
â1 â2 â3 â4
,
,
,
,
,
b̂1 b̂2 b̂3 b̂4

b̂2 b̂3 b̂4

b̂3 b̂4

b̂4

)
)
)
)
)
Decision
Ring-LWE
Oracle
“I am in World 1”
Decision
Ring-LWE
Oracle
“I am in World 1”
Decision
Ring-LWE
Oracle
“I am in World 1”
Decision
Ring-LWE
Oracle
“I am in World 2”
Decision
Ring-LWE
Oracle
“I am in World 2”
• To summarize, using the decision oracle, we are able to find ŝi for
one fixed i
• But how can we recover all of ŝ?
Recovering All of s
• Idea: permute the coordinates of (the unknown) ŝ by permuting â
and b
ŝ
ê
b̂
â
• Repeat the following:
• Receive ring-LWE pair (â,b̂):
2
8
9
8
13
3
11
16
7
3

12
+
5
• Output the pair ((â), (b̂)= (â)(ŝ)+(ê)):
9
=
8
3
1
13
16
2
8
3
1
7
8
• If the output pairs were legal ring-LWE samples with secret (ŝ),
we would be done
• But why would (ê) be distributed correctly??
Recovering All of s
• It turns out that there are n special permutations 1,…,n that
have the remarkable property that they preserve the error
distribution!
• For instance, assume q=17 and n=4.
• In this case, the mapping  maps each polynomial
•
•
•
•
•
p(x)17[x]/x4+1 to p̂=(p(2),p(23),p(25),p(27)) 174
Now assume we permute this to (p(23),p(2),p(27),p(25))
This is equal to p̂’ where p’(x)=p(x3)
Hence, if p(x)=c0+c1x+c2x2+c3x3 then p’(x)= c0+c1x-c2x2+c3x3
We see that all the permutation does is permute the
coefficients of the polynomial and possibly negate their sign.
In particular, it preserves the error distribution!
Summary of Reduction
• By using a hybrid argument on the decision oracle, we are able to
recover one fixed coordinate of ŝ
• Repeating this procedure with all n permutations allows us to recover
all of ŝ, and hence also s, as required
• Actually, one also need several delicate amplification steps and
random self reductions… details in the paper!
• The reduction might seem mysterious and ad-hoc…
• In fact, we are relying here on the properties of the cyclotomic
number field (2n), its n Galois automorphisms, its canonical
embedding, and the factorization of the ideal q
• Viewed this way, the reduction is easy to extend to all cyclotomic
polynomials (and not just xn+1)
Final Summary




Search Ring-LWE is as hard as (quantumly) solving
certain lattice problems in the worst case
Decision Ring-LWE (in cyclotomic rings) is as hard as
Search Ring-LWE
Ring-LWE allows for much more efficient cryptographic
constructions than regular LWE
Open questions:


Develop more advanced cryptographic constructions based on
Ring-LWE, as was done for LWE
Theoretically sound fully-homomorphic encryption scheme
based on ring-LWE?