#### Transcript ppt

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky Chris Peikert Oded Regev Partly based on slides by Vadim To appear in Eurocrypt 2010; see also survey prepared for CCC’2010 Overview of the Learning With Errors Problem Learning With Errors (LWE) Problem • There is a secret vector s in qn (we'll use 174 as a running example) • An oracle (who knows s) generates a random vector a in qn and “small” noise element e in • The oracle outputs (a, b=<a,s>+e mod 17) • This procedure is repeated with the same s and fresh a and e • Our task is to find s 2 13 7 3 4 7 9 1 6 14 5 11 • 8 3 12 5 + 1 = 13 -1 12 2 3 Learning With Errors (LWE) Problem • Once there are enough ai , the s is uniquely determined • Thm [Regev'05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst case to solving LWE a1 a2 ... am s + e = b Decision LWE Problem a1 a2 ... World 1 a1 a2 s + e = b ... am b am am a1 a2 ... World 2 Decision LWE Oracle b uniformly random in Zqm I am in World 1 (or 2) Search LWE < Decision LWE • Idea: Use the Decision oracle to figure out the coefficients of s one at a time • Let g be our guess for the first coordinate of s • Repeat the following: • Receive LWE pair (a,b) 2 13 7 3 · 8 + 1 = 13 3 a 12 b 5 • Pick random r in Z17 • Send sample below to the Decision Oracle 2+r 13 7 3 13+rg • If g is right, then we are sending a distribution from World 1 • If g is wrong, then we are sending a distribution from World 2 • We will find the right g in O(q) time • Use the same idea to recover all coefficients of s one at a time What is LWE useful for? Public Key Encryption [Reg '05, Pei '09] CCA-Secure PKE [PW ’08, Pei ’09] Identity-Based Encryption [GPV '08] Oblivious Transfer [PVW '08] Circular-Secure Encryption [ACPS '09] Hierarchical Identity-Based Encryption [CHKP '09, ABB '09] And more… Public Key Encryption Based on LWE Secret Key: s in Zqn Public Key: A in Zqm x n , b=As+e s + e A = b represents 1 To encrypt a single bit z in {0,(q-1)/2}: Pick r in {0,1}m . Send (rA,<r,b>+z) r r A + b z Proof of Semantic Security r s A + e = b r + z A b r A b 1. The public key is pseudo-random based on LWE A b 2. If A,b is truly random, then the distribution of r(A||b) (over r chosen from {0,1}m) is statistically extremely close to uniform Some Inefficiencies of LWE-Based Schemes r s A + e = b public key is O(n2) r A + z b encryption of 1 bit requires O(n2) (or O(n)) operations Source of Inefficiency 2 13 7 3 · 8 + 1 = 3 12 13 • Getting just one extra randomlooking number requires n random numbers! 5 • Wishful thinking: get n random numbers and produce O(n) pseudo-random numbers in “one shot” 2 8 1 13 3 -1 7 3 * 12 5 + 2 -1 = Cryptosystem Possibility LWE-Based Cryptosystem r r s A A + e = b + z b Wishful Thinking-Based Cryptosystem r s A + e = b r A b + z Main Question 2 8 1 13 3 -1 7 3 * 12 5 + 2 = -1 • How do we define multiplication so that the resulting distribution is pseudorandom? (Coordinate-wise multiplication is not secure) • Answer: Define it as multiplication of polynomials over some carefully-chosen ring • Similar ideas used in the heuristic design of NTRU [HPS98], and in compact one-way functions [Mic02,PR06,LM06,…]. Our Results 0. We define a compact version of LWE called Ring-LWE 1. We show that Ring-LWE is as hard as (quantumly) solving certain lattice problems in the worst case • A quantitatively weaker result was independently shown by Stehle, Steinfeld, Tanaka, and Xagawa [SSTX’09] using different techniques of independent interest. 2. We show that decision Ring-LWE is as hard as (search) RingLWE • Works with any cyclotomic ring 3. We demonstrate some basic cryptographic applications Learning With Errors over Rings The Search Ring-LWE Problem • Let R be the ring q[x]/xn+1 for n a power of 2 and q a prime satisfying q=1 (mod 2n). s e b a • E.g., q=17, n=4, 17[x]/x4+1 2 8 1 8 • The secret s is now an element in R • The elements a are chosen uniformly 13 * 3 + -1 = 1 7 12 2 16 from R 3 5 -1 6 • The coefficients of the noise polynomial e are chosen as small independent normal vars (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk = aks+ek) Search Ring-LWE Solver s Our First Result: Hardness of Search Ring-LWE • We show that the search ring-LWE problem is as hard as quantumly solving worst-case lattice problems on ideal lattices • In our running example, these are lattices satisfying that if (x1,…,xn)L then also (x2,…,xn,-x1)L • The result applies to rather general rings • The proof is by adapting the proof of [R05] to rings • The quantum part remains the same; only the classical part needs to be adapted Our First Result: Hardness of Search Ring-LWE • One technical issue is that the distribution of the coefficients of the error polynomial e is Gaussian, but unfortunately not a spherical one • Luckily this does not cause any serious problems, and we ignore it here • It is possible to get hardness for the spherical noise case if we restrict the number of ring-LWE samples (as in [SSTX’09] or as a corollary to our main result) Our Second Result: Reducing Search Ring-LWE to Decision Ring-LWE Decision Ring-LWE Problem World 1: s in R ai uniform in R ei random and “small” (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk = aks+ek) World 2: ai,bi uniform in R (a1,b1) (a2,b2) … (ak,bk) Decision Ring-LWE Oracle I am in World 1 (or 2) What We Want to Construct s in R ai uniform in R ei random and “small” (a1, b1 = a1s+e1) (a2, b2= a2s+e2) … (ak, bk = aks+ek) Search Ring-LWE Solver I am in World 1 (or 2) Decision Ring-LWE Oracle s Why Does the Search-to-Decision Reduction for LWE not Work? • Recall the reduction for LWE: • Let g be our guess for the first coordinate of s (only 17 possibilities). • Repeat the following: 2 13 7 3 · 8 1 • Receive LWE pair (a,b): + = 13 3 a 12 • Pick random r in Z17 • Send sample below to the Decision Oracle: 2+r 13 7 3 • Then: 1. If g is correct, we have legal LWE samples; 2. If g is incorrect, we have uniform samples b 5 13+rg Why Does the Search-to-Decision Reduction for LWE not Work? • Now consider what happens in ring-LWE: • Repeat the following: • Receive LWE pair (a,b): a s e b 2 8 -1 8 13 3 -1 16 7 • Pick random r in Z17 * 12 3 • Send sample to the Decision Oracle: 5 + 2 = 8 1 1 2+r ? 13 ? 7 ? 3 ? • How do we satisfy (1), namely, output legal ring-LWE samples? It seems we have to guess n numbers! The Ring q[x]/xn+1 • Let tq be such that tn=-1 (i.e., a root of xn+1). • Then, for any p1,p2q[x]/xn+1, p1(t)·p2(t)=(p1·p2)(t), and obviously p1(t)+p2(t)=(p1+p2)(t), hence the function mapping p to p(t) is a ring homomorphism • By our assumption that q=1 (mod 2n), the polynomial xn+1 has n roots in the field q, t1=g(q-1)/2n, t3=g3(q-1)/2n, …, t2n-1=g(2n-1)(q-1)/2n • Hence the mapping :Rnq that maps each pR to n (p(t1),…,p(t2n-1))q is a ring isomorphism, with both addition and multiplication in n q being coordinate-wise The Search Ring-LWE Problem • So we can equivalently think of ring-LWE as follows: n • The secret is an element ŝ in q • The elements â are chosen uniformly n from q • Multiplication is coordinate-wise • The coordinates of the noise vector ê are chosen from some ‘strange’ distribution (â1, b̂1 = â1ŝ+e1) (â2, b̂2= â2ŝ+e2) … (âk, b̂k = âkŝ+ek) â ŝ ê b̂ 2 8 9 8 13 3 7 3 Search Ring-LWE Solver 12 5 + 11 9 3 ŝ = 16 8 1 Search-to-Decision Reduction for Ring-LWE (better attempt) • Let g be our guess for the first coordinate of ŝ (only 17 possibilities). • Repeat the following: • Receive LWE pair (â,b̂): â ŝ ê b̂ 2 8 9 8 13 3 11 16 7 3 • Pick random r in Z17 • Send sample to the Decision Oracle: 12 5 + 9 = 8 3 1 2+r 8+rg 13 16 7 8 3 1 • Then: 1. If g is correct, we have legal ring-LWE samples! 2. BUT if g is incorrect, we don’t have uniform samples A Hybrid Argument Correct g Wrong g ( ( ( ( ( â1 â2 â3 â4 â1 â2 â3 â4 â1 â2 â3 â4 â1 â2 â3 â4 â1 â2 â3 â4 , , , , , b̂1 b̂2 b̂3 b̂4 b̂2 b̂3 b̂4 b̂3 b̂4 b̂4 ) ) ) ) ) Decision Ring-LWE Oracle “I am in World 1” Decision Ring-LWE Oracle “I am in World 1” Decision Ring-LWE Oracle “I am in World 1” Decision Ring-LWE Oracle “I am in World 2” Decision Ring-LWE Oracle “I am in World 2” • To summarize, using the decision oracle, we are able to find ŝi for one fixed i • But how can we recover all of ŝ? Recovering All of s • Idea: permute the coordinates of (the unknown) ŝ by permuting â and b ŝ ê b̂ â • Repeat the following: • Receive ring-LWE pair (â,b̂): 2 8 9 8 13 3 11 16 7 3 12 + 5 • Output the pair ((â), (b̂)= (â)(ŝ)+(ê)): 9 = 8 3 1 13 16 2 8 3 1 7 8 • If the output pairs were legal ring-LWE samples with secret (ŝ), we would be done • But why would (ê) be distributed correctly?? Recovering All of s • It turns out that there are n special permutations 1,…,n that have the remarkable property that they preserve the error distribution! • For instance, assume q=17 and n=4. • In this case, the mapping maps each polynomial • • • • • p(x)17[x]/x4+1 to p̂=(p(2),p(23),p(25),p(27)) 174 Now assume we permute this to (p(23),p(2),p(27),p(25)) This is equal to p̂’ where p’(x)=p(x3) Hence, if p(x)=c0+c1x+c2x2+c3x3 then p’(x)= c0+c1x-c2x2+c3x3 We see that all the permutation does is permute the coefficients of the polynomial and possibly negate their sign. In particular, it preserves the error distribution! Summary of Reduction • By using a hybrid argument on the decision oracle, we are able to recover one fixed coordinate of ŝ • Repeating this procedure with all n permutations allows us to recover all of ŝ, and hence also s, as required • Actually, one also need several delicate amplification steps and random self reductions… details in the paper! • The reduction might seem mysterious and ad-hoc… • In fact, we are relying here on the properties of the cyclotomic number field (2n), its n Galois automorphisms, its canonical embedding, and the factorization of the ideal q • Viewed this way, the reduction is easy to extend to all cyclotomic polynomials (and not just xn+1) Final Summary Search Ring-LWE is as hard as (quantumly) solving certain lattice problems in the worst case Decision Ring-LWE (in cyclotomic rings) is as hard as Search Ring-LWE Ring-LWE allows for much more efficient cryptographic constructions than regular LWE Open questions: Develop more advanced cryptographic constructions based on Ring-LWE, as was done for LWE Theoretically sound fully-homomorphic encryption scheme based on ring-LWE?