EDIC RESEARCH PROPOSAL

The Learning With Error Problem

Alexandre Duc
LASEC, I&C, EPFL

Abstract—Every public-key cryptosystem relies on problems that are believed computationally hard. Most of the systems used in practice rely on the [...] problem or the [...] problem. However, these two problems can be solved in polynomial time on a quantum computer. It is, thus, important to develop secure alternatives in the case quantum computers become practical. In this proposal, we study the Learning With Error (LWE) problem which is a fundamental problem in lattice-based cryptography and was introduced by Regev in 2005. In particular it possesses an elegant quantum reduction to well-studied problems on lattices like the Shortest Vector Problem (SVP). In 2010, Lyubashevsky et al. introduced the Ring-Learning With Error problem (Ring-LWE), an algebraic variant of the problem. Applications based on this problem have the advantage of being much more practical. On the other hand, its hardness relies on less general problems, namely on problems on ideal lattices. We propose to analyze further the hardness of the (Ring-)LWE problem as well as the algorithms used to solve it. Another goal is to design a new cryptosystem based on the LWE problem.

Index Terms—Cryptography, Learning With Error, Learning from Parity with Noise, lattices, Shortest Vector Problem, post-quantum cryptography.

Proposal submitted to committee: June 06th, 2012; Candidacy exam date: June 13th, 2012; Candidacy exam committee: Emre Telatar, Serge Vaudenay, Arjen Lenstra.

This research plan has been approved:
Date: ————————————
Doctoral candidate: ———————————— (name and signature)
Thesis director: ———————————— (name and signature)
Thesis co-director: ———————————— (if applicable) (name and signature)
Doct. prog. director: ———————————— (R. Urbanke) (signature)
EDIC-ru/05.05.2009

I. INTRODUCTION

BEFORE defining the LWE problem and its reductions precisely, we introduce first some necessary notations, definitions and results about lattices and more generally in [...].

A. Preliminaries

Given $x \in \mathbb{R}$, we write $\lfloor x \rceil \in \mathbb{Z}$ for the integer closest to $x$. In case of equality, we select the smallest one. Next, a function $\epsilon: \mathbb{N} \to \mathbb{R}$ is called negligible if for every constant $c \in \mathbb{R}_{>0}$, there exists $k_0 \in \mathbb{N}$ such that $\epsilon(k) < k^{-c}$ for all $k > k_0$. The open unit ball over $\mathbb{R}^n$ is denoted by $\mathcal{B}_n$ and is defined as $\mathcal{B}_n := \{x \in \mathbb{R}^n : \|x\| < 1\}$. The statistical distance between two distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ over a countable domain $S$ is defined as $\Delta(\mathcal{D}_1, \mathcal{D}_2) := \max_{A \subseteq S} \left|\sum_{x \in A} (\mathcal{D}_1(x) - \mathcal{D}_2(x))\right|$. Given a probability distribution $\mathcal{D}$, we define its min-entropy over a countable domain $S$ as $H_\infty(\mathcal{D}) := \min_{i \in S} \{-\log \mathcal{D}(i)\}$. We say that two distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ over a domain $S$ are statistically $\epsilon$-indistinguishable if for every $A \subseteq S$, $\left|\sum_{x \in A} (\mathcal{D}_1(x) - \mathcal{D}_2(x))\right| < \epsilon$. We will use the following lemma.

Lemma 1 (Leftover Hash Lemma [1]). Let $\mathcal{D}$ be a distribution, let $\epsilon > 0$ and let $\ell \le H_\infty(\mathcal{D}) - 2\log(1/\epsilon)$. Let $\mathcal{H}$ be a universal family of hash functions with a range of $\ell$ bits, i.e., for all $x \ne x'$, $\Pr_{h \in \mathcal{H}}[h(x) = h(x')] = 1/2^\ell$. Then, $(h(\mathcal{D}), h)$ and $(U, h)$, where $U$ is the uniform distribution, are statistically $\epsilon$-indistinguishable.

We will use Lemma 1 in the following and we will take as a family of universal functions random matrices in $\mathbb{Z}_q^{\ell \times n}$.

1) Gaussian Distribution: Given an $s > 0$, we denote the Gaussian function over $\mathbb{R}^n$ by
$$\rho_s(x) := \exp\left(-\pi \|x/s\|^2\right).$$
We denote by $\nu_s$ the Gaussian probability density function with parameter $s > 0$, which is defined by

$$\nu_s(x) := \rho_s(x)/s^n.$$
Given a countable set $A \subset \mathbb{R}^n$ and a parameter $s > 0$, we define the discrete Gaussian distribution $D_{A,s}$ as
$$D_{A,s}(x) := \frac{\rho_s(x)}{\sum_{y \in A} \rho_s(y)},$$
for $x \in A$. We will typically take this distribution over a lattice. Finally, for $\beta \in \mathbb{R}^+$, we denote by $\Psi_\beta$ the probability distribution over $\mathbb{R}/(q\mathbb{Z})$ which is defined as a sampling from a normal variable with zero mean and standard deviation $\beta q/\sqrt{2\pi}$ and reducing the result modulo $q$, i.e.,
$$\Psi_\beta(r) := \sum_{k=-\infty}^{\infty} \frac{1}{\beta q} \exp\left(-\pi \left(\frac{r - kq}{\beta q}\right)^2\right)$$
for $r \in [0, q)$. We define also the discretization $\bar{\Psi}_\beta$ of $\Psi_\beta$ [...].

[...] for all $1 \le j \le n$ [...] generate the same lattice.¹ Given a basis $v_1, \dots, v_n$ for a lattice $L$, the set of points in $\mathbb{R}^n$ belonging to the lattice is
$$L(v_1, \dots, v_n) := \left\{\sum_{i=1}^n k_i v_i : k_1, \dots, k_n \in \mathbb{Z}\right\}.$$
We denote the Gram-Schmidt orthogonalization of a basis $B := \{v_1, \dots, v_n\}$ by $\tilde{B} := \{\tilde{v}_1, \dots, \tilde{v}_n\}$. The vectors $\tilde{v}_i$ are defined iteratively as follows: $\tilde{v}_1 = v_1$ and $\tilde{v}_i = v_i - \sum_{j=1}^{i-1} \frac{\langle v_i, \tilde{v}_j \rangle}{\langle \tilde{v}_j, \tilde{v}_j \rangle} \tilde{v}_j$ for $i \in [2, n]$. Note that the Gram-Schmidt basis is usually not a basis of the lattice.

The dual of a lattice $L$ is denoted by $L^*$. It is defined as
$$L^* := \{x \in \mathbb{R}^n : \langle x, y \rangle \in \mathbb{Z},\ \forall y \in L\},$$
i.e., it is the set of all vectors whose inner product with any lattice vector is an integer. For instance, the dual of $L = \mathbb{Z}$ is $L^* = \mathbb{Z}$ and the dual of $L = 2\mathbb{Z}$ is $L^* = (1/2)\mathbb{Z}$. The following relation holds:
$$\tilde{b}^*_i = \tilde{b}_{n-i+1} / \|\tilde{b}_{n-i+1}\|^2.$$
This implies that the norm of a Gram-Schmidt basis vector is inversely proportional to the norm of a Gram-Schmidt basis vector of the dual lattice if we take the vectors in reverse order.

Given a basis $B = \{v_1, \dots, v_n\}$ of a lattice $L$, we define the fundamental parallelepiped $\mathcal{P}(B)$ as the half-open parallelepiped
$$\mathcal{P}(B) := \left\{\sum_{i=1}^n \alpha_i v_i : \alpha_1, \dots, \alpha_n \in [0, 1)\right\}.$$
The volume of any fundamental parallelepiped of a lattice $L$ is invariant of the choice of the basis. We call it the determinant of the lattice ($\det(L)$). We denote the $\ell_2$-length of one of the shortest non-zero vectors in a lattice $L$ by $\lambda_1(L)$. Similarly, we denote by $\lambda_k(L)$ the $\ell_2$-length of the smallest radius of a ball containing $k$ linearly independent vectors.

We can now state a useful lemma:

Lemma 2. For a lattice $L$ we have $\lambda_1(L) \ge \min_i \|\tilde{b}_i\|$ for any Gram-Schmidt basis $\tilde{B}$ of $L$.

An LLL-reduced basis [2] can be seen as a basis for which the Gram-Schmidt vectors are not decreasing too quickly. More formally, a basis $B$ is LLL-reduced if
$$\frac{\langle b_i, \tilde{b}_j \rangle}{\|\tilde{b}_j\|^2} \le \frac{1}{2}.$$

¹ In this proposal, we will consider only full rank lattices.

Given $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(L)$ is defined as $\arg\min_r \{\rho_{1/r}(L^* \setminus \{0\}) \le \epsilon\}$. Many technical results were proven for the smoothing parameter in [3], [4] and we provide in this proposal an informal description of some of these. The first result from Micciancio and Regev [4] shows that if we choose a random lattice point and if we add some continuous Gaussian noise $\nu_s$ for $s > \eta_\epsilon(L)$, then the resulting distribution is within statistical distance $\epsilon$ from the uniform distribution on $\mathbb{R}^n$. Finally, they show the following lemmas.

Lemma 3 ([4, Lemma 3.2 and 3.3]).
$$\eta_{2^{-n}}(L) \le \sqrt{n}/\lambda_1(L^*)$$
and
$$\eta_\epsilon(L) \le \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \times \lambda_n(L).$$

We will need to sample from discrete Gaussian distributions over a lattice $L$ in an efficient way. The following proposition was shown by Gentry et al.

Proposition 1 ([5, Theorem 4.1]). There exists a probabilistic polynomial time (ppt) algorithm that, given any basis $B$ of a lattice $L$ and $r \ge \max_i \|\tilde{b}_i\| \times \omega(\sqrt{\log n})$, outputs a sample that is within negligible statistical distance of $D_{L,r}$.

B. Hard Problems on Lattices

In this section, we introduce several hard problems on lattices on which lattice-based cryptosystems rely.

1) Shortest Vector Problem: The first problem we introduce is the Shortest Vector Problem (SVP), which consists in finding one of the shortest vectors in a lattice.

Definition 1 (Shortest Vector Problem). The Shortest Vector Problem ($\mathrm{SVP}_L$) for a lattice $L$ consists, given a basis $B$ of $L$, in returning a vector $x \in L$ such that $\|x\| = \lambda_1(L)$.

For a function $\gamma(n) \ge 1$, the corresponding approximation problem is

Definition 2 ($\mathrm{SVP}_{L,\gamma}$). Given a basis $B$ of $L$, find a non-zero vector $x \in L$ such that $\|x\| \le \gamma(n)\lambda_1(L)$.

The decisional version of the problem is the one more commonly used in cryptography:

Definition 3 ($\mathrm{GapSVP}_{L,\gamma}$). Given a basis $B$ of $L$ and a number $d > 0$, the $\mathrm{GapSVP}_{L,\gamma}$ problem consists in answering

• YES, if $\lambda_1(L) < 1$,
• NO, if $\lambda_1(L) > \gamma(n) d$.
The answer in the other possible cases is undefined.

Finally, we define the Shortest Independent Vectors Problem ($\mathrm{SIVP}_{L,\gamma}$).

Definition 4 (Shortest Independent Vectors Problem). Given a basis $B$ of an $n$-dimensional lattice $L$, the Shortest Independent Vectors Problem ($\mathrm{SIVP}_{L,\gamma}$) consists in finding $n$ linearly independent vectors of length at most $\gamma(n)\lambda_n(L)$.

Many results are known about the hardness of these problems. For a lattice of dimension $n$, the NP-hardness of $\mathrm{GapSVP}_{L,\gamma}$ has been shown when $\gamma(n) < n^{c/\log\log n}$ [6], [7], [8]. The best exact algorithms known for SVP have complexity $O(2^n)$ (e.g. [9], [10]). However, for approximation factors $\gamma(n) > 2^{n \log\log n/\log n}$, some polynomial time algorithms are known. For instance, one can use the LLL algorithm and its improvements [2], [11], [9]. Interestingly, no better quantum algorithm is known. This makes lattice-based cryptosystems good candidates for post-quantum cryptosystems.

Peikert defined in [12] the $\zeta$-to-$\gamma$-GapSVP problem, a generalization of the $\mathrm{GapSVP}_{L,\gamma}$ problem. This new problem is denoted by $\mathrm{GapSVP}_{L,\zeta,\gamma}$.

Definition 5 ($\zeta$-to-$\gamma$-GapSVP problem). Let $\zeta(n) \ge \gamma(n) \ge 1$ be functions. The input of the $\mathrm{GapSVP}_{L,\zeta,\gamma}$ problem is a pair $(B, d)$ with
• $B$ a basis of an $n$-dimensional lattice $L$ for which $\lambda_1(L) \le \zeta(n)$,
• $\min_i \|\tilde{b}_i\| \ge 1$, where the $\tilde{b}_i$'s are vectors of the Gram-Schmidt basis $\tilde{B}$, and
• $1 \le d \le \zeta(n)/\gamma(n)$.
The output should be
• YES, if $\lambda_1(L) < 1$,
• NO, if $\lambda_1(L) > \gamma(n) d$.

If $d > \zeta(n)/\gamma(n)$, this implies that $\gamma(n) d \ge \zeta(n) \ge \lambda_1(L)$ and, hence, the answer is trivially YES. Thus, the important condition is the first. When $\zeta(n) \ge 2^{n/2}$, $\mathrm{GapSVP}_{L,\zeta,\gamma}$ is equivalent to $\mathrm{GapSVP}_{L,\gamma}$. Indeed, one can easily find, in polynomial time, using the LLL algorithm, a basis $B$ such that $\lambda_1(L) \le \|b_1\| \le 2^{n/2} \min_i \|\tilde{b}_i\|$. For smaller $\zeta$, the problem is obviously not harder than $\mathrm{GapSVP}_{L,\gamma}$, but no known algorithm exists that can exploit efficiently the bound $\zeta$. Hence, the problem still appears exponentially hard in $n$ for $\zeta(n) \in \mathrm{poly}(n)$.

2) Closest Vector Problem: Given a vector $x$ in $\mathbb{R}^n$, the Closest Vector Problem (CVP) consists in finding the vector in $L$ that is the closest to $x$. We define directly the approximation version:

Definition 6 (Closest Vector Problem). Given a lattice $L$, a basis $B$ of $L$, and a vector $x \in \mathbb{R}^n$, the Closest Vector Problem ($\mathrm{CVP}_{L,\gamma}$) consists in finding $y \in L$ such that
$$\|y - x\| \le \gamma(n) \times \min_{z \in L} \{\|z - x\|\}.$$

We will also use the Bounded Distance Decoding Problem (BDD), which is a variant of SVP and consists in finding the closest vector to a point given the promise that this point is within a bounded distance from the lattice.

Definition 7 ($\mathrm{BDD}_{L,d}$). Given a basis $B$ of $L$, and a vector $x \in \mathbb{R}^n$ such that its distance to $L$ is less or equal to $d$, the Bounded Distance Decoding Problem ($\mathrm{BDD}_{L,d}$) consists in finding $y \in L$ such that
$$\|y - x\| = \min_{z \in L} \{\|z - x\|\}.$$

Note that when $d < \lambda_1(L)/2$, the solution is always unique. Hardness results and algorithms for CVP are similar to those for SVP (e.g. [2], [9], [13]).

In the following, we will drop the index $L$ in front of the problems (e.g. $\mathrm{SVP}_\gamma$) whenever it can be guessed obviously from the context.

II. THE LEARNING WITH ERROR PROBLEM

Now that the basic hard problems on lattices are introduced, we can define the hard problem on which most lattice-based cryptosystems rely: the Learning With Error Problem (LWE). We introduce first a subproblem: the Learning from Parity with Noise Problem (LPN).

A. The LPN Problem

The goal of this problem is to find out an unknown vector $s \in \{0, 1\}^n$, given some noisy versions of its scalar product with some known random vectors. More formally:

Definition 8 (LPN Oracle). An LPN oracle $\Pi_{s,p}$ for a hidden vector $s \in \{0, 1\}^n$ and $0 < p < 1/2$ [...].

The LPN problem $\mathrm{LPN}_{n,p}$ consists, given an LPN Oracle $\Pi_{s,p}$, in recovering the hidden vector $s$.

The LPN problem is NP-hard [14] and no good algorithm is known for the average case. The LPN problem has also a decisional form. The problem is the following: let $U_{n+1}$ be an oracle returning random $(n+1)$-bit vectors. Then, an algorithm solves the decisional LPN problem ($\mathrm{DLPN}_{n,p}$) if it can distinguish the output of $\Pi_{s,p}$ from the output of $U_{n+1}$. It is shown that the decisional and the search LPN are equivalent [15], [16]. Thus, the hardness of the LPN problem implies that the output of the LPN vector oracle is indistinguishable from a random source.

The first subexponential algorithm to solve the LPN problem was given by Blum, Kalai, and Wasserman in [17]. They estimated its complexity to $2^{O(n/\log n)}$. We denote this algorithm by BKW algorithm.
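The following is an added example, not code from the proposal, that makes the LPN definitions above concrete for toy parameters: an oracle $\Pi_{s,p}$, the uniform oracle $U_{n+1}$, and the core BKW idea of pairing samples whose $a$-parts xor to a basis vector $e_j$ and taking a majority vote on the noisy copies of $s_j$ (the full BKW block-reduction is not implemented, only this last step). It also shows the easy direction of the search/decision equivalence: a candidate secret explaining far more than half of the samples reveals that they came from the LPN oracle rather than from $U_{n+1}$. The parameters $n = 10$, $p = 1/8$, the sample count and the $0.7$ threshold are my own choices; the sample sets are constructed from a seeded generator.

```python
import random


def lpn_oracle(s, p, rng):
    """One query to the LPN oracle Pi_{s,p}: a uniform a in {0,1}^n and
    b = <a, s> + e mod 2, where e is 1 with probability p."""
    a = tuple(rng.randint(0, 1) for _ in s)
    e = 1 if rng.random() < p else 0
    b = (sum(ai & si for ai, si in zip(a, s)) + e) & 1
    return a, b


def uniform_oracle(n, rng):
    """The oracle U_{n+1}: a uniformly random (n+1)-bit vector, split as (a, b)."""
    a = tuple(rng.randint(0, 1) for _ in range(n))
    return a, rng.randint(0, 1)


def recover_secret(samples, n):
    """Final step of BKW: for each basis vector e_j, pair samples whose a-parts
    xor to e_j.  For such a pair (a1, b1), (a2, b2) we have
    b1 ^ b2 = s_j ^ e1 ^ e2, a copy of s_j that is wrong with probability
    2p(1-p) < 1/2, so a majority vote over many pairs recovers s_j."""
    first = {}                      # a -> first b observed for that a
    for a, b in samples:
        first.setdefault(a, b)
    s = []
    for j in range(n):
        e_j = tuple(1 if i == j else 0 for i in range(n))
        votes = 0
        for a, b in samples:
            partner = tuple(x ^ y for x, y in zip(a, e_j))
            if partner in first:            # a xor partner == e_j
                votes += 1 if (b ^ first[partner]) else -1
        s.append(1 if votes > 0 else 0)
    return s


def distinguish(samples, n, threshold=0.7):
    """Search-to-decision (the easy direction): recover a candidate secret and
    count the samples it explains.  Outputs of Pi_{s,p} agree with s on a
    (1-p) fraction; outputs of U_{n+1} agree with any vector on about 1/2."""
    cand = recover_secret(samples, n)
    agree = sum(1 for a, b in samples
                if (sum(ai & si for ai, si in zip(a, cand)) & 1) == b)
    return agree / len(samples) > threshold


def demo(seed=1, n=10, p=0.125, m=6000):
    """Constructed experiment: m queries to each oracle for a random secret."""
    rng = random.Random(seed)
    s = [rng.randint(0, 1) for _ in range(n)]
    lpn = [lpn_oracle(s, p, rng) for _ in range(m)]
    unif = [uniform_oracle(n, rng) for _ in range(m)]
    return {"secret": s,
            "recovered": recover_secret(lpn, n),
            "lpn_detected": distinguish(lpn, n),
            "uniform_detected": distinguish(unif, n)}


if __name__ == "__main__":
    print(demo())
```

With $n = 10$ almost every sample finds a partner in a pool of 6000, so each bit of $s$ receives thousands of votes, each correct with probability $1 - 2p(1-p) \approx 0.78$; the real BKW algorithm spends its $2^{O(n/\log n)}$ effort on producing such low-weight xor combinations when $n$ is large.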

The idea behind the BKW algorithm is to first query the LPN oracle to obtain a large amount of LPN vectors. It searches then for basis vectors $e_j$ by finding a small number of vectors that xor to $e_j$. If the number of vectors that xor to $e_j$ is small, the noise for this vector will be small as well. Using different independent instances that xor to the same $e_j$, one can recover the $j$th bit of the secret vector $s$ with good probability. All this procedure can be done using a large amount of queries. The BKW algorithm was analyzed in detail and improved in [18], [19].

B. The LWE Problem

The LWE problem can be seen as a generalisation of LPN over a finite field $\mathbb{Z}_q$. There, instead of using a Bernoulli noise, another noise distribution is used, typically a Gaussian noise. Let $\chi$ be a probability distribution over $\mathbb{Z}_q$ and let $s \in \mathbb{Z}_q^n$. We define the following LWE oracle.

Definition 10 (LWE Oracle). An LWE oracle $A^q_{s,\chi}$ for a hidden vector $s \in \mathbb{Z}_q^n$ and a probability distribution $\chi$ over $\mathbb{Z}_q$ is an oracle returning an LWE vector, i.e., vectors of the form
$$\left(a \xleftarrow{U} \mathbb{Z}_q^n,\ \langle a, s \rangle + e\right) \in \mathbb{Z}_q^n \times \mathbb{Z}_q,$$
where $e \leftarrow \chi$.

As for LPN, the $\mathrm{LWE}_{q,\chi}$ problem consists in recovering $s$ using an LWE oracle $A^q_{s,\chi}$. The decisional-LWE problem $\mathrm{DLWE}_{q,\chi}$ consists in distinguishing the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ from an LWE oracle $A^q_{s,\chi}$ using a uniformly random secret $s \in \mathbb{Z}_q^n$. We discuss the distribution of $s$ in more detail in Section VI. If we limit to $m$ the number of queries to the oracle, we write $\mathrm{LWE}_{m,q,\alpha}$. A set of $m$ LWE samples can be written in the following matrix format: $(A, As + e)$, with $A$ an $m \times n$ matrix and $e$ a vector of size $m$.

1) Equivalence Between Search-LWE and Decisional-LWE: It is shown in [16], [20] that for $q \in \mathrm{poly}(n)$ and prime, there is a reduction from LWE to DLWE. The reduction consists in guessing every component of $s$ one by one. We show in this proposal how to recover $s_1$. For this, given an LWE pair $(a, b)$, we submit to the DLWE oracle the vector $(a - (r, 0, \dots, 0), b)$ for $r$ drawn uniformly at random in $\mathbb{Z}_q$. The oracle will recognize an LWE sample only if $s_1 = 0$; else $b$ looks uniform. If $s_1 \ne 0$, one can change the LWE pair to $(a, b + \langle a, t \rangle)$ for $t$ in $\mathbb{Z}_q^n$. This sample follows exactly the same distribution as a sample from an oracle with secret $s + t$. Thus, we can test again if $(s + t)_1 = 0$ for $t$'s in $\mathbb{Z}_q^n$. Note that $q$ is required to be prime so that the distribution of the sample is uniform when $s_1 \ne 0$. In at most $q$ trials, we recover $s_1$ and, hence, we recover $s$ in at most $qn \in \mathrm{poly}(n)$ queries.

This result is extended in [12] to all $q = q_1 \times \dots \times q_t$, $t \in \mathbb{N}$ with each $q_i \in \mathrm{poly}(n)$, prime, $q_i \in \omega(\sqrt{\log n})$, and under the restriction that the LWE noise is Gaussian. The proof is similar to the one for $q \in \mathrm{poly}(n)$ but is performed modulo each $q_i$ and recovers $s$ using the Chinese remainder theorem. An even more general result is presented in [21] where the condition $q_i \in \omega(\sqrt{\log n})$ is removed at the expense of an increase of the parameter of the Gaussian distribution used in the decisional LWE oracle. In conclusion, for a large set of $q$'s, the search and decisional problems are equivalent.

The algorithms solving the LWE problem are the same as the algorithms solving the LPN problem, i.e., BKW and its improvements. In particular, the problem is believed to be hard when the noise is drawn according to a discrete Gaussian distribution $\bar{\Psi}_\alpha$² as we will see in the next sections.

² In some papers, the LWE problem is defined with $b \in \mathbb{R}/\mathbb{Z}$, i.e., a continuous value. Both results are equivalent as shown in [3] and we will use the discrete version for simplicity.

III. REGEV'S QUANTUM REDUCTION

In this section, we give an overview of Regev's quantum reduction from worst-case GapSVP and SIVP to LWE. It is important to emphasize that this reduction is quantum. This means that LWE can be considered as hard as long as there is no quantum algorithm solving GapSVP or SIVP. Hence, this result is weaker than a classical result.

The proof shows how one can, using an $\mathrm{LWE}_{q,\Psi_\alpha}$ oracle, quantumly generate vectors from the distribution $D_{L,r}$, for $r \ge \sqrt{2n}\,\eta_\epsilon(L)/\alpha$, for $\alpha \in (0, 1)$ such that $\alpha q > 2\sqrt{n}$. The reduction to GapSVP follows then from Peikert's result (see Section IV) using these samples. For SIVP, one simply gathers slightly more than $n$ samples from the distribution (so that they are linearly independent and have the correct size). Since $\eta_\epsilon(L) \le \omega(\log n) \times \lambda_n(L)$ when $\epsilon$ is negligible, we can solve $\mathrm{SIVP}_{\tilde{O}(n/\alpha)}$ by Lemma 3.

Thus, the main part of Regev's work consists in generating samples of the distribution $D_{L,r}$. This is done using an iterative algorithm which starts with samples of a very broad Gaussian distribution with parameter $r = 2^{2n}\lambda_n(L)$. Samples from this wide Gaussian distribution can easily be gathered using the LLL algorithm (see Lemma 4). These samples along with the $\mathrm{LWE}_{q,\Psi_\alpha}$ oracle are used to solve the $\mathrm{BDD}_{L^*,\alpha q/\sqrt{2}r}$ problem on the dual lattice. This part of the proof is classical (Lemma 5). Using the newly created BDD oracle, one can generate with a quantum algorithm new samples from a narrower Gaussian distribution $D_{L,r\sqrt{n}/(\alpha q)}$ (Lemma 6). By iterating these two lemmas, we obtain at each step a narrower Gaussian distribution. We stop once we reach $D_{L,\sqrt{2n}\eta_\epsilon(L)/\alpha}$.

We describe now in more detail the three steps of the proof.

Lemma 4 (Regev's bootstrapping lemma [3, Lemma 3.2]). One can efficiently generate samples from a distribution that is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$ for $r > 2^{2n}\lambda_n(L)$.

Proof (idea): These samples can easily be generated using the LLL algorithm. First, generate an LLL-reduced basis $B$ of $L$. Then take a random sample $y$ from $\nu_r$, the continuous Gaussian distribution over $\mathbb{R}^n$, and output $y - (y \bmod B)$.

Lemma 5 (Regev's reduction: classical part [3, Lemma 3.4]). Let $\epsilon(n)$ be a negligible function, $q(n) \ge 2$ be an integer and $\alpha(n) \in (0, 1)$ be a real number. Assume that we have access to an oracle $W$ that solves $\mathrm{LWE}_{q,\Psi_\alpha}$ given a polynomial number of samples. Then, there exists a constant $c > 0$ and an efficient algorithm $R$ that, given as an input a basis $B$ of a lattice

$L$, a number $r \ge \sqrt{2}q \times \eta_\epsilon(L^*)$ and $n^c$ samples from $D_{L^*,r}$, solves $\mathrm{BDD}_{L,\alpha q/(\sqrt{2}r)}$.

Proof (idea): Let $v$ be the solution of the BDD problem and let $x$ be its input. The idea is to generate LWE samples with secret $s = B^{-1}v \bmod q$. Once $s$ is recovered using the LWE oracle, we have the least significant digit of $B^{-1}v$ in base $q$. The second digit is recovered by running the same procedure on $(x - s)/q$ instead. The LWE samples are generated as follows. We take first a sample $y$ from $D_{L^*,r}$. Let $a := (B^*)^{-1} y \bmod q = B^t y \bmod q$. The vector $a$ looks uniformly distributed since $r \ge q \times \eta_\epsilon(L^*)$ [3]. Let also $b := \lfloor \langle y, x \rangle + e \rfloor \bmod q$, where $e$ is some additional continuous Gaussian error term. We have $\langle y, x \rangle = \langle y, v + e \rangle = \langle B^t y, B^{-1} v \rangle + \langle y, e \rangle = \langle a, s \rangle + \langle y, e \rangle \bmod q$, for an $\|e\| \le \alpha q/(\sqrt{2}r)$. The term $\langle y, e \rangle$ is essentially normally distributed with standard deviation $\le \alpha q$. The extra noise $e$ is added so that this noise looks non-discrete. Also, since the amount of noise obtained from $\langle y, e \rangle$ depends on the distance between $x$ and the lattice, it might be too low for our LWE oracle and, hence, we need to add some more noise. We refer the reader to [3] for more details.

Lemma 6 (Regev's reduction: quantum part [3, Lemma 3.14]). Given any $n$-dimensional lattice $L$, a number $d < \lambda_1(L^*)/2$, and an oracle that solves $\mathrm{BDD}_{L^*,d}$, there exists a quantum algorithm that outputs efficiently a sample from $D_{L,\sqrt{n}/(\sqrt{2}d)}$.

Proof (idea): The main quantum tool required here is the quantum Fourier transform. The Fourier transform of $D_{L,r}$ is given by $f_{1/r}(x) \approx \exp\left(-\pi (r \times \mathrm{dist}(x, L^*))^2\right)$. The idea is to build a quantum state $\sum_{z \in \mathbb{R}^n} f_{1/r}(z) |z\rangle$.³ Then, taking the quantum Fourier transform, one can measure the state and obtain a sample from the required distribution. Up to this point, it seems that the BDD oracle is never used. In fact, the oracle is required to construct the quantum state $\sum_{z \in \mathbb{R}^n} f_{1/r}(z) |z\rangle$. This state is obtained by adding the quantum Gaussian state of width $1/r$, $\sum_{z \in \mathbb{R}^n} \exp(-\pi \|rz\|^2) |z\rangle$, to $\sum_{x \in L^*} |x\rangle$ and obtaining $\sum_{x \in L^*, z \in \mathbb{R}^n} \exp(-\pi \|rz\|^2) |x, x + z\rangle$. We want to measure the quantum Fourier transform of the second register. Hence, we need to erase the first one. However, this operation is usually not reversible. By carefully analyzing $\exp(-\pi \|rz\|^2)$, we notice that most of the mass occurs when $\|z\| \le \sqrt{n}/r$. Hence, we can use the BDD oracle to recover $x$ from $x + z$. Thus, the erasure can be made reversible.

³ We take the sum over $\mathbb{R}^n$ to avoid some technicalities. In the actual proof, the sum is taken over a finite set.

IV. PEIKERT'S CLASSICAL REDUCTION

In [12], Peikert showed how one can reduce classically LWE to $\mathrm{GapSVP}_{\zeta,\gamma}$. Compared to Regev's reduction presented in Section III, this reduction has the advantage of being non-quantum, which is a stronger result. On the other hand, it reduces LWE to $\mathrm{GapSVP}_{\zeta,\gamma}$, which is equivalent to $\mathrm{GapSVP}_\gamma$ only for large values of $\zeta$. We will see in this section that this occurs when $q$ is exponential in $n$. Also, Regev's reduction solves also the search problem SIVP and not only the decisional problem GapSVP.

The main theorem is the following.

Theorem 1 ([12, Theorem 3.1]). Let $\alpha(n) \in (0, 1)$ be a real number and $\gamma(n) \ge n/(\alpha \sqrt{\log n})$. Let $\zeta(n) \ge \gamma(n)$ and $q(n) \ge (\zeta/\sqrt{n}) \times \omega(\sqrt{\log n})$. There is a ppt reduction from worst-case $\mathrm{GapSVP}_{\zeta,\gamma}$ to $\mathrm{LWE}_{q,\Psi_\alpha}$ using a polynomial number of samples.

The proof is given in detail in [12]. In this proposal, we provide a high-level description of the proof.

Proof (idea): The proof makes use of Lemma 5, the classical component of Regev's proof given in Section III. Recall that this lemma solves BDD using an LWE oracle and samples from a discrete Gaussian distribution. However, it is not known how to perform classically the step that allows us to get samples from a Gaussian distribution with a smaller parameter as done quantumly in Regev's proof. Peikert's reduction is the following. Let $(B, d)$ be a $\mathrm{GapSVP}_{\zeta,\gamma}$ input. Iterate the following procedure $N \in \mathrm{poly}(n)$ times.
1) Choose a random point $v$ on $L$ and a point $w$ uniformly at random from the ball $d' \times \mathcal{B}_n$ with $d' := d \times \sqrt{n/(4 \log n)}$ and let $x := v + w$.
2) Use Regev's $R$ algorithm from Lemma 5 on $x$ with parameter $r := q \times \sqrt{2n}/(\gamma d)$. Note that this algorithm needs also samples from $D_{L^*,r}$. This can be done using Proposition 1 since $r \ge \sqrt{2} \times \omega(\sqrt{\log n}) \ge 1/\min_i \|\tilde{b}_i\| \times \omega(\sqrt{\log n}) = \max_i \|\tilde{b}^*_i\| \times \omega(\sqrt{\log n})$. Let the result of $R$ be $v'$.
3) If $v' \ne v$ return YES.
If the procedure never returned YES, return NO.

We analyze briefly the correctness of this procedure. First, note that $r$ and $\gamma$ are selected such that $d' \le \alpha q/(\sqrt{2}r)$. Hence, the point $v$ is always within the radius of the BDD algorithm. Now, if $(B, d)$ is a NO instance, this means that $\lambda_1(L) \ge \gamma d$, i.e., the minimum distance in the lattice is large compared to $d$. For a NO instance, the condition on $r$ in Regev's algorithm is verified, since $r = \sqrt{2n}q/(\gamma d) > \sqrt{2n}q/\lambda_1(L) \ge \sqrt{2}q\,\eta_{2^{-n}}(L^*)$ using Lemma 3. Note also that in this case $d' < \lambda_1(L)/2$. This means that the closest point is unique. Hence, Regev's algorithm returns at each iteration the vector $v$.

In the case of a YES instance, we have $\lambda_1(L) \le d$. Note that in this case, Regev's algorithm condition on $r$ is not verified. Since $\lambda_1(L)$ is small, one can compare the distribution of $x$ when $v$ is chosen as a lattice point and the distribution of $x'$ when $v + z$ is chosen as a lattice point, with $z$ a vector of length $\lambda_1(L)$. Since both spheres in which we pick $x$ and $x'$ are really close, it is shown that $\Pr[R(x) = v] \le 1 - 1/\mathrm{poly}(n)$. Hence, if we perform $N \in \mathrm{poly}(n)$ iterations of the procedure, Regev's algorithm will output a vector different from $v$ with good probability.

V. THE Ring-LWE PROBLEM

One drawback of cryptosystems based on LWE is usually the size of their public keys. Indeed, most of these systems require as a public key about $n$ vectors in $\mathbb{Z}_q^n$, i.e., a size of order $O(n^2)$. The Ring-LWE problem reduces this size to roughly linear, which makes the cryptosystems more practical. This can

be done by working over the ring $R_q := \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$ instead of $\mathbb{Z}_q^n$ and, hence, using only $O(n)$ memory. In the following, we will fix $q \equiv 1 \bmod 2n$ and $R_q := \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$ but all results are shown in [22] for a much larger class of rings.⁴ We formalize now the Ring-LWE problem.

Definition 11 (Ring-LWE). Let $q$ and $R_q$ be as above. The Ring-LWE search problem for $s \in R_q$ and $\psi$ a probability distribution over $R_q$ consists in recovering the element $s$ using Ring-LWE samples, i.e., samples of the form
$$\left(a \xleftarrow{U} R_q,\ a \cdot s + e\right) \in R_q \times R_q,$$
for $e \leftarrow \psi$.

The decisional version Ring-DLWE is defined the same way as for standard LWE.

Lyubashevsky et al. showed that Ring-LWE can be reduced to SIVP using a reduction similar to Regev's reduction (Section III) but on ideal lattices, i.e., lattices that are an ideal in a group. In the following, we will consider only ideals in $R_q$. On these lattices, it is important to note that $\mathrm{GapSVP}_{\sqrt{n}}$ is easy [23]. It is, thus, necessary that the result is based on the hardness of a problem which is believed hard even on these particular lattices. This is the case for instance for SIVP. The proof differs slightly from Regev's proof in the part corresponding to Lemma 5. Recall that in this proof, the amount of noise in the generated LWE samples was dependent on $\langle e, y \rangle$ and that the solution was to add some more noise to hit the correct amount of noise. In Ring-LWE, this inner product is replaced by a ring product, which implies a Gaussian distribution whose variance depends on the entire vector $e$ and not only its norm. It is not possible to solve this issue by adding some more noise. Hence, it is necessary to assume that the Ring-LWE oracle works for a large range of noise distributions and not only a single one.

With Ring-LWE, truly effective cryptosystems [22] and homomorphic encryption schemes (e.g. [24]) were designed.

⁴ The result is shown for any cyclotomic ring.

VI. THE CHOICE OF THE SECRET $s$

In the definition of DLWE, we are in the presence of a worst-case problem and not of an average-case problem like it is usually the case in cryptography. This fact will be one of the strengths of cryptosystems based on DLWE, since we do not have to be scared of weak instances of the problem. Indeed, there is the following worst-case to average-case reduction.

Lemma 7 ([23, Lemma 3.2]). Let $n, q \ge 1$ be some integers, and $\chi$ be some distribution on $\mathbb{Z}_q$. Assume that we have access to a distinguisher $W$ that distinguishes $A^q_{s,\chi}$ from the uniform distribution for a non-negligible fraction of the $s$'s in $\mathbb{Z}_q^n$. Then, there exists an efficient algorithm that for all $s$ accepts (resp. rejects) with probability exponentially close to 1 on inputs from $A^q_{s,\chi}$ (resp. from the uniform distribution).

The proof is based on the idea that for any $t \in \mathbb{Z}_q^n$, given a DLWE input $(a, b)$, the pair $(a, b + \langle a, t \rangle)$ is either a sample of $A_{s+t,\chi}$ or a sample from the uniform distribution. Thus, if we can distinguish for a non-negligible fraction of the $s$'s, we can solve DLWE for any $s$ by repeating the experiment with various $t$'s. Note that we need to be able to distinguish for a non-negligible fraction of the $s$'s for this reduction to work.

We present in this proposal two other results concerning the distribution of the secret $s$. First, it was shown by Applebaum et al. that DLWE is not easier when $s$ is drawn from the same distribution $\chi$ as the noise [25]. We give here a high-level description of this clever reduction. First we collect $n$ samples $(a_i, b_i)$ from the oracle $A^q_{s,\chi}$ whose secret is drawn uniformly. We choose these samples such that the $a_i$'s are linearly independent. We can write these samples as $(\bar{A}, \bar{b} := \bar{A}^T s + \bar{e})$, where $\bar{A}$ is a matrix whose columns consist in the vectors $a_i$, where $\bar{b}$ is a vector of $b_i$'s, and where $\bar{e}$ is a vector of errors drawn according to the distribution $\chi$. Since the $a_i$'s are linearly independent, $\bar{A}$ is invertible. If we replace every sample $(a, b)$ by $(-\bar{A}^{-1}a,\ b - \langle \bar{A}^{-1}a, \bar{b} \rangle)$, we get samples from $A^q_{\bar{e},\chi}$, which is exactly the LWE problem with the secret drawn according to the error distribution.

A. Choosing $s$ from "Any" Distribution

A more general result is shown in [26]. In their work, they generalize the result to a larger class of probability distributions. We present their theorem in this section.

Theorem 2 ([26, Theorem 4]). Let $n, q \ge 1$ be integers, let $\mathcal{D}$ be any distribution over $\mathbb{Z}_q^n$ with $H_\infty(\mathcal{D}) \ge k$. Let $\gamma, \beta > 0$ such that $\gamma/\beta$ is negligible in $n$. Then for any $\ell \in O(k - \omega(\log n))$, there is a ppt reduction from $\mathrm{DLWE}_{\ell,q,\bar{\Psi}_\gamma}$ with uniform secret distribution to $\mathrm{DLWE}_{n,q,\bar{\Psi}_\beta}$ with secret distribution drawn according to $\mathcal{D}$ using $m \in \mathrm{poly}(n)$ samples.⁵

We discuss now the result. First note that with this reduction we have a loss in the dimension of the secret, i.e., we go from $n$ to $\ell \in O(k - \omega(\log n))$. This change in the dimension makes sense, since we work with secrets of much lower entropy. Note also that we have now a condition on the parameter of the Gaussian distribution used in LWE: $\gamma$ should be negligible compared to $\beta$. Since we need $q \ge \omega(\sqrt{n}/\gamma)$ for the reduction from LWE to standard lattice problems to hold, this implies that $q$ should be super-polynomial in $n$. The result remains nonetheless interesting since it holds for extremely general distributions.

The theorem can also be interpreted (with a slight change in the proof) as a reduction from the standard $\mathrm{DLWE}_{\ell,q,\bar{\Psi}_\gamma}$ problem with $\ell \in O(k - \omega(\log n))$ to the standard $\mathrm{DLWE}_{n,q,\bar{\Psi}_\beta}$ with some auxiliary input $h(s)$ using the same (polynomial) number of queries, for a secret $s$, for a function $h: \mathbb{Z}_q^n \to \{0, 1\}^*$ that is $2^{-k}$-hard to invert, and with $\gamma/\beta$ negligible.

We give now an overview of the proof of Theorem 2.

Proof (idea): The idea is to use the DLWE assumption and Lemma 1. We will use the leftover hash lemma with, as a family of universal hash functions, matrix multiplication by a random matrix in $\mathbb{Z}_q^{\ell \times n}$. Using such a matrix, we can "hide" the secret $s$, such that its distribution looks uniform.

⁵ In [26], they prove the result for $\mathcal{D}$ a distribution over $\{0, 1\}^n$ but the more general result is given as a remark.

For this, we first use the DLWE assumption to show that the $m \times n$ matrix $A' := BC + Z$, with $B \leftarrow \mathbb{Z}_q^{m \times \ell}$, $C \leftarrow \mathbb{Z}_q^{\ell \times n}$ drawn uniformly at random and with $Z \leftarrow \bar{\Psi}_\gamma^{m \times n}$, is computationally indistinguishable from a uniformly drawn matrix. Hence, we can replace $A$ by $A'$ in the following. We need now to show that $(A', A's + e)$, $e \in \bar{\Psi}_\beta$, is indistinguishable from uniform. The proof shows that $(B, C, Z, BCs + Zs + e)$ is computationally indistinguishable from $(B, C, Z, u)$, with $u$ uniform. By carefully looking at the Gaussian coefficients and since $\gamma/\beta$ is negligible, this distribution is statistically close to $(B, C, Z, BCs + e')$, where $e'$ is drawn from $\bar{\Psi}_\beta^m$. Since $Z$ is efficiently sampleable and by the leftover hash lemma, we get that $(C, Cs)$ is statistically indistinguishable from $(C, u)$.

Using this new result, Goldwasser et al. designed a symmetric encryption scheme secure against chosen plaintext attacks and this, even if the key is selected according to a weak probability distribution with a low min-entropy or in the presence of an auxiliary input which is hard to invert. This scheme is a straightforward application of the LWE problem. The secret key is a vector $s \in \{0, 1\}^n$. The ciphertext corresponding to a message $w \in \{0, 1\}^m$ is $\mathrm{Enc}_s(w) = (A, As + x + \lfloor q/2 \rfloor \times w)$.

Another application presented in [26] is the design of an obfuscator for the class of point functions with multi-bit output $\{I_{(k,m)} \mid k, m \in \{0, 1\}^*\}$, where $I_{k,m}(x) := m$ if $x = k$ and $\bot$ else. An obfuscator for a class of functions takes as an input one of these functions and outputs a circuit that has essentially the same behavior as the input function, but such that it does not give any information about the function that cannot be found out given an oracle access to it. We refer the reader to [27], [26] for more details.

VII. APPLICATIONS TO PUBLIC-KEY CRYPTOGRAPHY

The LWE problem has many applications in cryptography. A large number of public key cryptosystems were designed based on the hardness of LWE. We describe here Regev's original scheme, which is an interesting application of LWE [16], [23]. The parameters are three integers $n$, $m$ and $q$ and a real number $\alpha > 0$. The scheme is secure and correct if we take $q$ prime between $n^2$ and $2n^2$, $m = 1.1 \times n \log q$ and $\alpha = 1/(\sqrt{n} \log^2 n)$, for a security parameter $n$.

The private key is a random vector $s \in \mathbb{Z}_q^n$. To generate the public key, take $m$ vectors $a_1, \dots, a_m \in \mathbb{Z}_q^n$ uniformly at random and $m$ elements $e_1, \dots, e_m \in \mathbb{Z}_q$ according to the Gaussian distribution $\bar{\Psi}_\alpha$. The public key is $(a_i, b_i := \langle a_i, s \rangle + e_i)_{i=1}^m$, i.e., LWE samples. To encrypt a bit $b \in \{0, 1\}$, select a random set $S \subseteq \{0, \dots, m\}$ and return $\left(\sum_{i \in S} a_i,\ b \times \lfloor q/2 \rfloor + \sum_{i \in S} b_i\right)$. To decrypt a pair $(a, b)$, return 0 if $b - \langle a, s \rangle$ is closer to 0 than to $\lfloor q/2 \rfloor$ modulo $q$. Else, return 1.

Correctness is easy to show. We sum at most $m$ error terms, each of them having standard deviation $\alpha q$. Hence, the standard deviation of the sum of these terms is smaller than $\sqrt{m}\alpha q < q/\log n$. [...] indistinguishable from uniform by the LWE assumption and the leftover hash lemma. This holds since $2^m \gg q^{n+1}$.

A dual version of this scheme (aka. dual Regev scheme) was introduced later [5]. In this scheme, the generation and encryption algorithms are essentially swapped. A matrix $A \in \mathbb{Z}_q^{n \times m}$ is common to all users and is chosen uniformly at random. The secret key is an error vector $e \in \mathbb{Z}_q^m$ drawn according to a Gaussian distribution. The public key is $u := Ae \bmod q$. To encrypt a bit $b \in \{0, 1\}$, pick $s \in \mathbb{Z}_q^n$ uniformly at random and $x \leftarrow \bar{\Psi}_\alpha^m$, for an $\alpha > 0$. Then output $(A^T s + x,\ u^T s + x' + b \times \lfloor q/2 \rfloor)$, for $x' \leftarrow \bar{\Psi}_\alpha$. To decrypt a ciphertext $(p, c)$, compute $b' := c - e^T p$ and output 0 if $b'$ is closer to 0 than to $\lfloor q/2 \rfloor$ and 1 else. Interestingly, this scheme can easily be converted into an identity-based encryption scheme by replacing the public key $u$ by a hash of the identity. The corresponding secret key is then $A^{-1}u$. Note that in this case, $A$ has to remain secret (it is a master key).

More efficient (and elaborate) schemes are presented in [28], [29]. These schemes can be made truly practical if we use the Ring-LWE problem.

VIII. RESEARCH PROPOSAL

The TCHo trapdoor cipher was first introduced in [30] by Finiasz and Vaudenay and improved in [31] by Aumasson et al. Roughly, a message is encrypted by adding some random biased noise and some contribution from a linear code. In TCHo, this noise is introduced using a linear feedback shift register (LFSR). The security of TCHo is based on the hardness of the Low-Weight Polynomial Multiple problem, which consists in finding a multiple of a polynomial so that its Hamming weight is smaller than a fixed bound. TCHo relies also on heuristic assumptions.

We replaced this linear code generated by the LFSR with a linear code indistinguishable from a random linear code. This allowed us to reduce the hardness of distinguishing two ciphertexts to the LPN problem and to remove the heuristic assumptions. Our reduction also relies on the hardness of the Low Weight Codeword (LWC) problem. This problem is well-studied in coding theory and consists in finding a codeword in a linear code with a Hamming weight which is smaller than a given bound. Both problems are believed to be hard and some lower bound on the complexity of the LWC problem is given by Finiasz and Sendrier [32]. Later, this bound was shown to be incorrect for some parameters [33] in ASIACRYPT 2011 and more recently in [34].

We now plan to study the Ring-LPN problem introduced in [35] and see if it applies to our new encryption scheme, since this new problem seems to allow more efficient designs. Our plan is also to see how this new system can be improved using the LWE and the Ring-LWE problem. We believe that this generalization will lead to more practical parameters. We will then compare this new cryptosystem with existing lattice-based systems.
Then, Pr[ (0,q2/ log2 n) q/4] = As a second step, we plan to convert our scheme into Pr[ (0, 1) log n/4] which is negligibleN in n. The≥ security a homomorphic cryptosystem. A cryptosystem is said to be of theN scheme≥ follows from the fact that the sum of pairs is homomorphic if one can evaluate a function on the ciphertexts EDIC RESEARCH PROPOSAL 8 without knowing the secret key such that a specific operation [14] E. R. Berlekamp, R. J. McEliece, and H. C. A. Van Tilborg, “On the is performed on the corresponding plaintexts. One has to dis- inherent intractability of certain coding problems,” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 384–386, 1978. tinguish between partially homomorphic schemes which allow [15] J. Katz and J. S. Shin, “Parallel and Concurrent Security of the HB and only one type of homomorphic operation (typically addition or HB+ Protocols,” in EUROCRYPT, 2006, pp. 73–87. multiplication) and fully homomorphic schemes which allow [16] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in STOC, H. N. Gabow and R. Fagin, Eds. ACM, 2005, any type of operation. To design such a system, we first need pp. 84–93. to find some good way of performing homomorphic operations [17] A. Blum, A. Kalai, and H. Wasserman, “Noise-Tolerant Learning, the without increasing the noise in the ciphertext too much. Parity Problem, and the Statistical Query Model,” J. ACM, vol. 50, no. 4, pp. 506–519, 2003. Another research direction is to study the algorithms used [18] E.´ Levieil and P.-A. Fouque, “An Improved LPN Algorithm,” in SCN, to solve the (Ring-)LPN and (Ring-)LWE problem. Very few ser. Lecture Notes in Computer Science, R. D. Prisco and M. Yung, algorithm for solving these problems are known. The first was Eds., vol. 4116. Springer, 2006, pp. 348–359. [19] M. P. C. Fossorier, M. J. Mihaljevic, H. Imai, Y. Cui, and K. 
Matsuura, the BKW algorithm introduced by Blum Kalai and Wasser- “An Algorithm for Solving the LPN Problem and Its Application to man [17] for the LPN problem and requires a subexponential Security Evaluation of the HB Protocols for RFID Authentication,” in number of queries. The BKW algorithm was analyzed in de- INDOCRYPT, 2006, pp. 48–62. [20] A. Blum, M. L. Furst, M. J. Kearns, and R. J. Lipton, “Cryptographic tails and improved in [18], [19], but these new algorithms have Primitives Based on Hard Learning Problems,” in CRYPTO, ser. Lecture still the same asymptotic complexity. No better algorithm is Notes in Computer Science, D. R. Stinson, Ed., vol. 773. Springer, currently known. By studying more carefully these algorithms, 1993, pp. 278–291. [21] D. Micciancio and C. Peikert, “Trapdoors for Lattices: Simpler, Tighter, we can understand better the underlying problems and can use Faster, Smaller,” in EUROCRYPT, ser. Lecture Notes in Computer them safely to prove the security of our design. In particular, Science, D. Pointcheval and T. Johansson, Eds., vol. 7237. Springer, as discussed in Section V, a lot of work has still to be done 2012, pp. 700–718. [22] V. Lyubashevsky, C. Peikert, and O. Regev, “On Ideal Lattices and regarding the hardness of Ring-LWE, which is a brand new Learning with Errors over Rings,” in EUROCRYPT, ser. Lecture Notes problem. in Computer Science, H. Gilbert, Ed., vol. 6110. Springer, 2010, pp. We can then use these new algorithms to attack recent 1–23. [23] O. Regev, “The Learning with Errors Problem (Invited Survey),” in IEEE lattice-based cryptosystems. There is a large number of such Conference on Computational Complexity. IEEE Computer Society, systems and the security of some of them is not well un- 2010, pp. 191–204. derstood. In particular, systems based on Ring-LWE or the [24] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homo- morphic encryption without bootstrapping,” in ITCS, S. Goldwasser, Ed. 
NTRU cryptosystem [36], which are currently among the most ACM, 2012, pp. 309–325. efficient lattice-based cryptosystems, might be vulnerable to [25] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, “Fast Cryptographic new attacks. Primitives and Circular-Secure Encryption Based on Hard Learning Problems,” in CRYPTO, ser. Lecture Notes in Computer Science, REFERENCES S. Halevi, Ed., vol. 5677. Springer, 2009, pp. 595–618. [26] S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan, “Robust- [1] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random Generation ness of the Learning with Errors Assumption,” in ICS, A. C.-C. Yao, from one-way functions (Extended Abstracts),” in STOC, D. S. Johnson, Ed. Tsinghua University Press, 2010, pp. 230–240. Ed. ACM, 1989, pp. 12–24. [27] R. Canetti, Y. T. Kalai, M. Varia, and D. Wichs, “On Symmetric [2] A. Lenstra, H. Lenstra, and L. Lovasz,´ “Factoring polynomials with Encryption and Point Obfuscation,” in TCC, ser. Lecture Notes in rational coefficients,” Mathematische Annalen, vol. 261, no. 4, pp. 515– Computer Science, D. Micciancio, Ed., vol. 5978. Springer, 2010, 534, 1982. pp. 52–71. [3] O. Regev, “On lattices, learning with errors, random linear codes, and [28] R. Lindner and C. Peikert, “Better Key Sizes (and Attacks) for LWE- cryptography,” J. ACM, vol. 56, no. 6, 2009. Based Encryption,” in CT-RSA, ser. Lecture Notes in Computer Science, [4] D. Micciancio and O. Regev, “Worst-Case to Average-Case Reductions A. Kiayias, Ed., vol. 6558. Springer, 2011, pp. 319–339. Based on Gaussian Measures,” SIAM J. Comput., vol. 37, no. 1, pp. [29] D. Micciancio and O. Regev, “Lattice-based Cryptography,” in Post- 267–302, 2007. Quantum Cryptography, D. J. Bernstein, J. Buchmann, and E. Dahmen, [5] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard Eds. Springer, 2009, pp. 147–191. lattices and new cryptographic constructions,” in STOC, C. Dwork, Ed. [30] M. Finiasz and S. 
Vaudenay, “When Stream Cipher Analysis Meets ACM, 2008, pp. 197–206. Public-Key Cryptography,” in Selected Areas in Cryptography, ser. [6] M. Ajtai, “The Shortest Vector Problem in L2 is NP-hard for Random- Lecture Notes in Computer Science, E. Biham and A. M. Youssef, Eds., ized Reductions,” Electronic Colloquium on Computational Complexity vol. 4356. Springer, 2006, pp. 266–284. (ECCC), vol. 4, no. 47, 1997. [31] J.-P. Aumasson, M. Finiasz, W. Meier, and S. Vaudenay, “TCHo: A [7] S. Khot, “Hardness of Approximating the Shortest Vector Problem in Hardware-Oriented Trapdoor Cipher,” in ACISP, ser. Lecture Notes in Lattices,” in FOCS. IEEE Computer Society, 2004, pp. 126–135. Computer Science, J. Pieprzyk, H. Ghodosi, and E. Dawson, Eds., vol. [8] I. Haviv and O. Regev, “Tensor-based hardness of the shortest vector 4586. Springer, 2007, pp. 184–199. problem to within almost polynomial factors,” in STOC, D. S. Johnson [32] M. Finiasz and N. Sendrier, “Security bounds for the design of code- and U. Feige, Eds. ACM, 2007, pp. 469–477. based cryptosystems,” in ASIACRYPT, ser. Lecture Notes in Computer [9] M. Ajtai, R. Kumar, and D. Sivakumar, “Sampling Short Lattice Vectors Science, M. Matsui, Ed., vol. 5912. Springer, 2009, pp. 88–105. and the Closest Lattice Vector Problem,” in IEEE Conference on [33] A. May, A. Meurer, and E. Thomae, “Decoding Random Linear Codes in Computational Complexity, 2002, pp. 53–57. O˜(20.054n),” in ASIACRYPT, ser. Lecture Notes in Computer Science, [10] D. Micciancio and P. Voulgaris, “Faster Exponential Time Algorithms D. H. Lee and X. Wang, Eds., vol. 7073. Springer, 2011, pp. 107–124. for the Shortest Vector Problem,” in SODA, M. Charikar, Ed. SIAM, [34] A. Becker, A. Joux, A. May, and A. Meurer, “Decoding Random Binary 2010, pp. 1468–1480. Linear Codes in 2n/20: How 1+1 = 0 Improves Information Set [11] C.-P. Schnorr, “A Hierarchy of Polynomial Time Lattice Basis Reduction Decoding,” in EUROCRYPT, 2012, pp. 520–536. 
Algorithms,” Theoretical Computer Science, vol. 53, pp. 201–224, 1987. [35] S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, and K. Pietrzak, “LAPIN: [12] C. Peikert, “Public-key cryptosystems from the worst-case shortest An Efficient Authentication Protocol Based on Ring-LPN,” in FSE, vector problem: extended abstract,” in STOC, M. Mitzenmacher, Ed. 2012, to appear. ACM, 2009, pp. 333–342. [36] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A Ring-Based [13] I. Dinur, G. Kindler, R. Raz, and S. Safra, “Approximating CVP to Public Key Cryptosystem,” in ANTS, ser. Lecture Notes in Computer Within Almost-Polynomial Factors is NP-Hard,” Combinatorica, vol. 23, Science, J. Buhler, Ed., vol. 1423. Springer, 1998, pp. 267–288. no. 2, pp. 205–243, 2003.