Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices I Full-rank additive subgroup in Zm . O 2 / 17 Recall: Lattices I Full-rank additive subgroup in Zm . I Basis B = (b1 , . . . , bm ) : m L(B) = B · Z = m X b2 (Z · bi ) i=1 b1 O 2 / 17 Recall: Lattices I Full-rank additive subgroup in Zm . I Basis B = (b1 , . . . , bm ) : m L(B) = B · Z = m X b1 (Z · bi ) i=1 O b2 2 / 17 Recall: Lattices I Full-rank additive subgroup in Zm . I Basis B = (b1 , . . . , bm ) : m L(B) = B · Z = m X b1 (Z · bi ) i=1 O b2 (Other representations too . . . ) 2 / 17 Recall: Lattices I Full-rank additive subgroup in Zm . I Basis B = (b1 , . . . , bm ) : m L(B) = B · Z = m X b1 (Z · bi ) i=1 O b2 (Other representations too . . . ) Hard Problems I Find/detect short nonzero lattice vector(s): SVP, GapSVP, SIVP I Decode under small amount of error: BDD 2 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q | a1 | | a2 | (e.g., q ≈ n3 ) ··· | am | ∈ Znq 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) I Goal: find nontrivial small z1 , . . . , zm ∈ Z such that: | | | | z1 · a1 + z2 · a2 + · · · + zm · am = 0 ∈ Znq | | | | 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) I Goal: find nontrivial short z ∈ Zm such that: · · · · A · · · · z = 0 ∈ Znq | {z } m 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) I Goal: find nontrivial short z ∈ Zm such that: · · · · A · · · · z = 0 ∈ Znq | {z } m One-Way & Collision-Resistant Hash Function I Set m > n lg q. Define fA : {0, 1}m → Znq as fA (x) = Ax. 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) I Goal: find nontrivial short z ∈ Zm such that: · · · · A · · · · z = 0 ∈ Znq | {z } m One-Way & Collision-Resistant Hash Function I Set m > n lg q. Define fA : {0, 1}m → Znq as fA (x) = Ax. I Collision x, x0 ∈ {0, 1}m where Ax = Ax0 . . . 3 / 17 A Hard Problem: Short Integer Solution I Znq = n-dimensional vectors modulo q (e.g., q ≈ n3 ) I Goal: find nontrivial short z ∈ Zm such that: · · · · A · · · · z = 0 ∈ Znq | {z } m One-Way & Collision-Resistant Hash Function I Set m > n lg q. Define fA : {0, 1}m → Znq as fA (x) = Ax. I Collision x, x0 ∈ {0, 1}m where Ax = Ax0 . . . . . . yields solution z = x − x0 ∈ {0, ±1}m , of norm kzk ≤ √ m. 3 / 17 Cool! (but what does this have to do with lattices?) 4 / 17 Cool! (but what does this have to do with lattices?) I Parity-check matrix A = (a1 , . . . , am ) ∈ Zn×m q defines the ‘q-ary’ integer lattice L⊥ (A) = {z ∈ Zm : Az = 0}. O 4 / 17 Cool! (but what does this have to do with lattices?) I Parity-check matrix (0, q) A = (a1 , . . . , am ) ∈ Zn×m q defines the ‘q-ary’ integer lattice L⊥ (A) = {z ∈ Zm : Az = 0}. (q, 0) O 4 / 17 Cool! (but what does this have to do with lattices?) I Parity-check matrix (0, q) A = (a1 , . . . , am ) ∈ Zn×m q defines the ‘q-ary’ integer lattice L⊥ (A) = {z ∈ Zm : Az = 0}. I SIS is SVP on random lattices L⊥ (A)! (q, 0) O 4 / 17 Cool! (but what does this have to do with lattices?) I Parity-check matrix (0, q) A = (a1 , . . . , am ) ∈ Zn×m q defines the ‘q-ary’ integer lattice L⊥ (A) = {z ∈ Zm : Az = 0}. I SIS is SVP on random lattices L⊥ (A)! I Syndrome u ∈ Znq defines coset x (q, 0) O L⊥ u (A) = {x : Ax = u}, x 7→ Ax reduces x modulo L⊥ (A). 4 / 17 Cool! (but what does this have to do with lattices?) I Parity-check matrix (0, q) A = (a1 , . . . , am ) ∈ Zn×m q defines the ‘q-ary’ integer lattice L⊥ (A) = {z ∈ Zm : Az = 0}. I SIS is SVP on random lattices L⊥ (A)! (q, 0) I Syndrome u ∈ Znq defines coset O L⊥ u (A) = {x : Ax = u}, x 7→ Ax reduces x modulo L⊥ (A). Worst-Case/Average-Case Connection [Ajtai’96,. . . ] Finding short (kzk ≤ β q) nonzero z ∈ L⊥ (A) for uniformly random A ∈ Zn×m q ⇓ solving GapSVPβ √n and SIVPβ √n on any n-dim lattice. 4 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} m̄ for (say) m̄ ≥ 2n lg q. 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 2 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} Let A = [Ā | −Āx̄] and x = [ x̄1 ]. m̄ for (say) m̄ ≥ 2n lg q. (We just reduced −x̄ modulo L⊥ (Ā).) 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 2 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} Let A = [Ā | −Āx̄] and x = [ x̄1 ]. m̄ for (say) m̄ ≥ 2n lg q. (We just reduced −x̄ modulo L⊥ (Ā).) I For many short solutions, let A = [Ā | −ĀX̄] and X = X̄ I . 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 2 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} Let A = [Ā | −Āx̄] and x = [ x̄1 ]. m̄ for (say) m̄ ≥ 2n lg q. (We just reduced −x̄ modulo L⊥ (Ā).) I For many short solutions, let A = [Ā | −ĀX̄] and X = X̄ I . m̄ I Nothing special about {0, 1} : enough entropy suffices (essentially). 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 2 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} Let A = [Ā | −Āx̄] and x = [ x̄1 ]. m̄ for (say) m̄ ≥ 2n lg q. (We just reduced −x̄ modulo L⊥ (Ā).) I For many short solutions, let A = [Ā | −ĀX̄] and X = X̄ I . m̄ I Nothing special about {0, 1} : enough entropy suffices (essentially). ‘Leftover Hash’ Lemma s I Over choice of Ā and x̄, matrix A = [Ā | −Āx̄] ≈ uniform. I Proof: family fĀ : {0, 1}m̄ → Znq is pairwise independent; x̄ has sufficient (min-)entropy. 5 / 17 A “Key” Trick I Generate uniform A with a short solution x (s.t. Ax = 0): 1 2 Choose Ā ← Zqn×m̄ and x̄ ← {0, 1} Let A = [Ā | −Āx̄] and x = [ x̄1 ]. m̄ for (say) m̄ ≥ 2n lg q. (We just reduced −x̄ modulo L⊥ (Ā).) I For many short solutions, let A = [Ā | −ĀX̄] and X = X̄ I . m̄ I Nothing special about {0, 1} : enough entropy suffices (essentially). ‘Leftover Hash’ Lemma s I Over choice of Ā and x̄, matrix A = [Ā | −Āx̄] ≈ uniform. I Proof: family fĀ : {0, 1}m̄ → Znq is pairwise independent; x̄ has sufficient (min-)entropy. Dirty Little Secret I This trick — reducing a short vector modulo a lattice — is the only one-way function used in all of lattice crypto! 5 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2 6 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2 I Search: find s ∈ Znq given ‘noisy random inner products’ a1 ← Znq , b1 = hs , a1 i + e1 a2 ← Znq , b2 = hs , a2 i + e2 .. . 6 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2, error rate α 1 I Search: find s ∈ Znq given ‘noisy random inner products’ a1 ← Znq , b1 = hs , a1 i + e1 a2 ← Znq , b2 = hs , a2 i + e2 .. . Errors ei ← χ = Gaussian over Z, width αq. αq > √ n 6 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2, error rate α 1 I Search: find s ∈ Znq given ‘noisy random inner products’ | | A = a1 · · · am , bt = st A + et | | Errors ei ← χ = Gaussian over Z, width αq. αq > √ n 6 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2, error rate α 1 I Search: find s ∈ Znq given ‘noisy random inner products’ | | A = a1 · · · am , bt = st A + et | | Errors ei ← χ = Gaussian over Z, width αq. αq > √ n I Decision: distinguish (A, bt = st A + et ) from uniform (A, bt ). 6 / 17 Another Hard Problem: Learning With Errors [Regev’05] I As before, dimension n and modulus q ≥ 2, error rate α 1 I Search: find s ∈ Znq given ‘noisy random inner products’ | | A = a1 · · · am , bt = st A + et | | Errors ei ← χ = Gaussian over Z, width αq. αq > √ n I Decision: distinguish (A, bt = st A + et ) from uniform (A, bt ). I Foundation for a huge amount of crypto [R’05,PW’08,GPV’08,PVW’08,CDMW’08,AGV’09,ACPS’09,CHKP’10,ABB’10a,ABB’10b,GKV’10,BV’11,BGV’12,. . . ] 6 / 17 LWE as a Lattice Problem · · · · A · · · · ∈ Zn×m q | {z m , bt = st A + et vs. b ← Zm q } I Lattice interpretation: L(A) = {zt ≡ st A mod q} b b Finding s, e: BDD on L(A)! Distinguishing b vs. b: decision-BDD. 7 / 17 LWE as a Lattice Problem · · · · A · · · · ∈ Zn×m q | {z m , bt = st A + et vs. b ← Zm q } I Lattice interpretation: L(A) = {zt ≡ st A mod q} b b Finding s, e: BDD on L(A)! Distinguishing b vs. b: decision-BDD. I Also enjoys worst-case hardness [R’05,P’09] . . . but results are more subtle. 7 / 17 Overview of LWE Hardness GapSVP, SIVP ≤ quantum [R’05] search-LWE ≤ decision-LWE ≤ crypto ≤ GapSVP [BFKL’94,R’05, P’09,. . . ] classical n (q ≥ 2 ) [P’09] I Dim-modulus tradeoff [BLPRS’13]: e.g., n, q = 2n for n2 , q = poly(n). √ I Why error αq > n? F Required by worst-case hardness proofs F There’s an exp((αq)2 )-time attack! [AG’11] 8 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ I SIS ≤ LWE quantumly [R’05] 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ I SIS ≤ LWE quantumly [R’05] I Applications: OWF / CRHF, signatures, ID schemes 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ I SIS ≤ LWE quantumly [R’05] I Applications: OWF / CRHF, signatures, ID schemes ‘minicrypt’ 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ I SIS ≤ LWE quantumly [R’05] I Applications: OWF / CRHF, signatures, ID schemes I Applications: PKE, OT, ID-based encryption, FHE, . . . ‘minicrypt’ 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) I ‘Computational’ (search) problem a la factoring, CDH I ‘Decisional’ problem a la QR, DCR, DDH I Many valid solutions z I Unique solution s, e I LWE ≤ SIS: if Az = 0, then bt z = et z is small, but bt z is ‘well-spread’ I SIS ≤ LWE quantumly [R’05] I Applications: OWF / CRHF, signatures, ID schemes I Applications: PKE, OT, ID-based encryption, FHE, . . . ‘minicrypt’ ‘CRYPTOMANIA’ 9 / 17 SIS versus LWE SIS LWE Az = 0, ‘short’ z 6= 0 (A, bt = st A + et ) vs. (A, bt ) Average-case SVP: Average-case BDD: L⊥ (A) = {z ∈ Zm : Az = 0} L(A) = {zt ≡ st A mod q} (0, q) (q, 0) O 10 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Warm-Up: Simple Properties of LWE 1 Check a candidate solution s0 ∈ Znq : test if all b − hs0 , ai small. If s0 6= s, then b − hs0 , ai = hs − s0 , ai + e is ‘well-spread’ in Zq . 2 Shift the secret by any t ∈ Znq : given (a, b = hs, ai + e), output a , b0 = b + ht, ai = hs + t, ai + e. Random t’s (with fresh samples) ⇒ random self-reduction. Lets us amplify success probabilities (both search & decision): non-negl on uniform s ← Znq 3 =⇒ ≈ 1 on any s ∈ Znq Multiple secrets: (a, b1 ≈ hs1 , ai, . . . , bt ≈ hst , ai) vs. (a, b1 , . . . , bt ). Simple hybrid argument, since a’s are public. 11 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . The test: for each (a, b), choose fresh r ← Zq . Invoke D on pairs (a0 = a − (r, 0, . . . , 0) , b). 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . The test: for each (a, b), choose fresh r ← Zq . Invoke D on pairs (a0 = a − (r, 0, . . . , 0) , b). I Notice: b = hs, a0 i + s1 · r + e. 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . The test: for each (a, b), choose fresh r ← Zq . Invoke D on pairs (a0 = a − (r, 0, . . . , 0) , b). I Notice: b = hs, a0 i + s1 · r + e. F If s1 = 0, then b = hs, a0 i + e ⇒ D accepts. 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . The test: for each (a, b), choose fresh r ← Zq . Invoke D on pairs (a0 = a − (r, 0, . . . , 0) , b). I Notice: b = hs, a0 i + s1 · r + e. F If s1 = 0, then b = hs, a0 i + e ⇒ D accepts. F If s1 6= 0 and q prime then b = uniform ⇒ D rejects. 12 / 17 Search/Decision Equivalence [BFKL’94,R’05] I Suppose D solves decision-LWE: it perfectly∗ distinguishes between pairs (a, b = hs, ai + e) and (a, b). We want to solve search-LWE: given pairs (a, b), find s. ? I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1 = 0, because we can shift s1 by 0, 1, . . . , q − 1. Same for s2 , s3 , . . . , sn . The test: for each (a, b), choose fresh r ← Zq . Invoke D on pairs (a0 = a − (r, 0, . . . , 0) , b). I Notice: b = hs, a0 i + s1 · r + e. F If s1 = 0, then b = hs, a0 i + e ⇒ D accepts. F If s1 6= 0 and q prime then b = uniform ⇒ D rejects. I (Don’t actually need prime q = poly(n) .) [P’09,ACPS’09,MM’11,MP’12,BGV’12] 12 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. Transformation from secret s ∈ Znq to secret ē ← χn : 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. Transformation from secret s ∈ Znq to secret ē ← χn : 1 t Draw samples to get (Ā, b̄ = st Ā + ēt ) for square, invertible Ā. 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. Transformation from secret s ∈ Znq to secret ē ← χn : t 1 Draw samples to get (Ā, b̄ = st Ā + ēt ) for square, invertible Ā. 2 Transform each additional sample (a, b = hs, ai + e) to a0 = −Ā −1 a , b0 = b + hb̄, a0 i 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. Transformation from secret s ∈ Znq to secret ē ← χn : t 1 Draw samples to get (Ā, b̄ = st Ā + ēt ) for square, invertible Ā. 2 Transform each additional sample (a, b = hs, ai + e) to a0 = −Ā −1 a , b0 = b + hb̄, a0 i = hē, a0 i + e. 13 / 17 Decision-LWE with ‘Short’ Secret Theorem [M’01,ACPS’09] I LWE is no easier if the secret is drawn from the error distribution χn . (This is called the “Hermite normal form” of LWE.) I Intuition: finding e ⇔ finding s: take bt − et = st A, solve for s. Transformation from secret s ∈ Znq to secret ē ← χn : t 1 Draw samples to get (Ā, b̄ = st Ā + ēt ) for square, invertible Ā. 2 Transform each additional sample (a, b = hs, ai + e) to a0 = −Ā −1 a , b0 = b + hb̄, a0 i = hē, a0 i + e. I This maps (a, b) to (a0 , b0 ), so it applies to decision-LWE too. 13 / 17 Public-Key Cryptosystem using LWE s ← Znq (Images courtesy xkcd.org) [Regev’05] A ← Zn×m q 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] A ← Zn×m q bt = st A + et (public key) (Images courtesy xkcd.org) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq A ← Zn×m q [Regev’05] x ← {0, 1}m bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) (Images courtesy xkcd.org) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] x ← {0, 1}m A ← Zn×m q bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) u0 = bt x + bit · q 2 (‘payload’) (Images courtesy xkcd.org) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] x ← {0, 1}m A ← Zn×m q bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) u0 − st u ≈ bit · 2q (Images courtesy xkcd.org) u0 = bt x + bit · q 2 (‘payload’) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] x ← {0, 1}m A ← Zn×m q bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) u0 − st u ≈ bit · 2q u0 = bt x + bit · q 2 (‘payload’) (A, bt ), (u, u0 ) (Images courtesy xkcd.org) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] x ← {0, 1}m A ← Zn×m q bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) u0 − st u ≈ bit · 2q u0 = bt x + bit · q 2 (‘payload’) (A, bt ), (u, u0 ) by LWE (Images courtesy xkcd.org) 14 / 17 Public-Key Cryptosystem using LWE s ← Znq [Regev’05] x ← {0, 1}m A ← Zn×m q bt = st A + et (public key) u = Ax (ciphertext ‘preamble’) u0 − st u ≈ bit · 2q u0 = bt x + bit · q 2 (‘payload’) (A, bt ), (u, u0 ) by LWE and by LHL when m ≥ n log q (Images courtesy xkcd.org) 14 / 17 “Dual” Cryptosystem x ← {0, 1}m [GPV’08] A ← Zn×m q 15 / 17 “Dual” Cryptosystem x ← {0, 1}m [GPV’08] A ← Zn×m q u = Ax (public key, uniform when m ≥ n log q) 15 / 17 “Dual” Cryptosystem x ← {0, 1}m [GPV’08] A ← Zn×m q s ← Znq u = Ax (public key, uniform when m ≥ n log q) bt = st A + et (ciphertext ‘preamble’) 15 / 17 “Dual” Cryptosystem [GPV’08] x ← {0, 1}m s ← Znq A ← Zn×m q u = Ax (public key, uniform when m ≥ n log q) bt = st A + et (ciphertext ‘preamble’) b0 = st u + e0 + bit · q 2 (‘payload’) 15 / 17 “Dual” Cryptosystem [GPV’08] x ← {0, 1}m s ← Znq A ← Zn×m q u = Ax (public key, uniform when m ≥ n log q) bt = st A + et (ciphertext ‘preamble’) b0 − bt x ≈ bit · 2q b0 = st u + e0 + bit · q 2 (‘payload’) 15 / 17 “Dual” Cryptosystem [GPV’08] x ← {0, 1}m s ← Znq A ← Zn×m q u = Ax (public key, uniform when m ≥ n log q) bt = st A + et (ciphertext ‘preamble’) b0 − bt x ≈ bit · 2q b0 = st u + e0 + bit · q 2 (‘payload’) (A, u), (b, b0 ) 15 / 17 “Dual” Cryptosystem [GPV’08] x ← {0, 1}m s ← Znq A ← Zn×m q u = Ax (public key, uniform when m ≥ n log q) bt = st A + et (ciphertext ‘preamble’) b0 − bt x ≈ bit · 2q b0 = st u + e0 + bit · q 2 (‘payload’) (A, u), (b, b0 ) by LWE 15 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] A ← Zn×n q 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] A ← Zn×n q ut = st A + et (public key) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] A ← Zn×n q r ← χn ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] r ← χn A ← Zn×n q ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) b0 = ut r + x0 + bit · q 2 (‘payload’) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] r ← χn A ← Zn×n q ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) b0 −st b ≈ bit· 2q b0 = ut r + x0 + bit · q 2 (‘payload’) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] r ← χn A ← Zn×n q ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) b0 −st b ≈ bit· 2q b0 = ut r + x0 + bit · q 2 (‘payload’) (A, u, b, b0 ) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] r ← χn A ← Zn×n q ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) b0 −st b ≈ bit· 2q b0 = ut r + x0 + bit · q 2 (‘payload’) (A, u, b, b0 ) by LWE (HNF) 16 / 17 Most Efficient Cryptosystem s ← χn [A’03,LPS’10,LP’11] r ← χn A ← Zn×n q ut = st A + et (public key) b = Ar + x (ciphertext ‘preamble’) b0 −st b ≈ bit· 2q b0 = ut r + x0 + bit · q 2 (‘payload’) (A, u, b, b0 ) by LWE (HNF) by LWE (HNF) 16 / 17 Wrapping Up I Now you know all the basic techniques for working with SIS and LWE. I We’ve covered a lot: do the exercises to reinforce your understanding! I Tomorrow: more advanced applications, using “strong trapdoors.” 17 / 17