arXiv:1310.1861v3 [cs.IT] 10 Jan 2017 et onain hswr a upre npr yteNFC NSF the by Fanni CCF-0939370. part the Grant in by under supported Information supported was of is work Science Dean This T. Foundation. Spain. Hertz Seville, in Workshop om fapiainlyrecyto htaecretyk currently are that low- encryption for application-layer sophisti provides of most system propertie forms the with MIMO layer commensurate massive encryption physical the complexity the channel, radio exploiting the by secur to computa Thus, little used and overhead. be secret could pre-shared common a scheme most without Diffie-Hellman this communicate the and that RSA of show as that we such Additionally, than today h security used scheme of methods encryption encryption notion proposed robust the more solve, a to standard hard that comp are conjecture quantum problems b widely-held the and to under classical conjectured Hence, ers. both decoder are to for eavesdropper’s equivalent that complexity is problems the exponential modulation lattice that M-PAM standard with show solving system We MIMO lattice. the MIMO for massive a the complexity. to mapping prohibitive by system of analyzed decodin is terms complexity in whereas not decoding hard pair, decod is need and transmitter-receiver eavesdropper a encoding which an desired low-complexity as receiver, for the channel desired is by goal MIMO and The massive sender secret. be the a between using key on based cryptography nvriy 5 er al tnod A935(-al trd (e-mail: 94305 CA [email protected]). Stanford, Mall, Serra 350 University, hsdcmoiinde o i nteaiiyt eoethe decode to ability the in channel, different aid a of not has both does who to decomposition Eve, known this eavesdropper, assumed an with channel, To receive communicate MIMO them. and their to precoding of linear Bob, decomposition performing shaping and only channel Alice of parallel overhead users, an a two Here, for 1. allows Figure in exploits shown encryption channel. MIMO the massive for Rather, the key allows of scheme. shared properties This physical a agreement decode. without key exchanged to or be order exponential to an in messages confidential perform operations has must who of model eavesdropper channel number efficient an different a to but physically present able messages, a We is decode eavesdropper. pair and transmitter-receiver encode an given of a the where presence chann allow wireless the to a over in is messages cryptography confidential cryptography this of physical-layer physical-layer transmission exploit of of we notion premise paper, a The form this to In complexity problem. computational plex puting hswr a rsne npr tte21 EEIfrainT Information IEEE 2013 the at part in presented was work This h uhr r ihteDprmn fEetia Engineeri Electrical of Department the with are authors The Abstract u IOwrtpcanlmdlfrcmuiainis communication for model channel wiretap MIMO Our com- a forms systems MIMO massive of decoding The ne Terms Index W rps h e ehiu fphysical-layer of technique new the propose —We Cytgah,Ltie,MM,QatmCom- Quantum MIMO, Lattices, —Cryptography, .I I. hmsR Dean, R. Thomas NTRODUCTION hsclLyrCryptography Physical-Layer hog asv MIMO Massive Through ebr IEEE, Member, [email protected]; g Stanford ng, n John and e ne for enter lattice nown. tional cated by g heory of s of e The ing ely ut- as ly el n nraJ Goldsmith J. Andrea and r . . a erltdt ovn tnadltiepolm.Tecon The problems. lattice standard eavesdropper solving an to by related systems be MIMO is can decoding (or of cannot complexity oracle of an length such the exist. that are not) of follows to which factor it conjectured runtime exponential problems then whose an input), to ones within the (i.e., input) to hard the bounded be is to of polynomial conjectured) a length (or within known the to bounded of is solutio factor runtime efficient whose imply operation would ones oracle single (i.e., an a such vector in of received oracle, existence vector a an the and transmitted channel to proper a access the given have returns which, method box we the black this that In a [1]. of suppose i.e., in overview we found reductions, detailed be of more can cryptography a to wi while method approach computational below, this the of provided description in be brief found A reductions cryptography. of of study method the use we the tran where of number size, the constellation to large antennas. related our is a hard, size use constellation be and Bob required to maintains and Eve Eve that Alice by SNR the that decoding on maximum For a secret. requires model no kept does have be knowledge to this to receiver but need channel, and the transmitter of the knowledge perfect both requires model The atc rbesi h os ae hc r ojcue to conjectured are which case, worst hard. the in problems lattice fcetydcd lc’ esg.I v sntphysically not is Eve of If knowledge message. Alice’s decode efficiently hne ihlna opeiy npriua,w rv tha prove we hard particular, exponentially In is complexity. linear with channel sub-expo in problems such solve to shown tran t includi of been algorithms, Hence, have number existing problems. computer, no the particular, lattice in In hard standard uses. exponentially as Alice be Alice hard to decoding Through as conjectured Eve complexity. least is of low at complexity is with the Bob message that show the we decoding reductions in her aid iue1 IOwrtpcanlmdl endb hne ga channel a by defined model, channel wiretap MIMO A A 1. Figure hne ewe lc n o.W ee otechannel the to refer We the a knows Bob. as it and key if encryption even Alice model between system channel our in vector transmitted 1 = eso nti okta ne rprcniin,the conditions, proper under that work this in show We systems, MIMO decoding of hardness the characterize To oepeiey epoeta ti tlata ada solving as hard as least at is it that prove we precisely, More UΣV H A where , hc ecl h hne tt nomto e,de not does key, information state channel the call we which , A skont ohAieadBb hsalw o to Bob allows This Bob. and Alice both to known is 1 hne tt Information- State Channel o h aedoprt eoeAlice’s decode to eavesdropper the for elw IEEE Fellow, , gtoeo quantum a of those ng eexponentially be mte antennas smitter olctd then co-located, i complexity his or smsaeto message ’s eta time nential h s of use the CSI-key nmatrix in standard smit If . it t ns ll 1 - t , . 2

nection between MIMO and lattices is not new: for example, k/√2π. This distribution is henceforth written Ψk. The vector m see Damen et al. [2], where the maximum-likelihood decoder e R is the channel noise with each entry i.i.d. Ψα. is related to solving the Closest Vector Problem. Problems on It is∈ assumed that A is known to both the transmitter and lattices have been widely studied in cryptography and other receiver. If we constrain the vector x to use a discrete, fields and many standard lattice problems are conjectured to periodic constellation, then the set of received points becomes be hard ([3]–[13]). Lattice problems are also conjectured to be analogous to points on a lattice, perturbed by a Gaussian hard even when solved using quantum computers when they random variable. exist ([3], [13]). Creating efficient cryptosystems that achieve We assume that there are an arbitrary number of receive security given the presence of quantum computers is currently antennas, restricted to an amount within a polynomial factor an active area of research, since most cryptosystems today, of the number of transmit antennas, n. By making this such as RSA (a public-key algorithm named after its inventors, assumption, we are considering the advantage an eavesdropper Rivest, Shimir, and Adleman, [14]) or the Diffie-Hellman would gain by having an arbitrarily large number of receive key exchange (see [15]), could efficiently be broken by a antennas, but we are assuming that building a receiver with quantum computer ([16]–[18]). Our physical-layer cryptosys- an exponential number of antennas relative to those at the tem provides quantum-resistant cryptography by exploiting the legitimate user’s transmitter would be prohibitively expensive. hardness associated with the eavesdropper’s decoding in a Assuming that certain requirements on SNR and constellation massive MIMO system. size are met, as described below, the security of the system The idea of exploiting properties of the physical layer to can be quantified solely by the number of transmit antennas. achieve secrecy is not new and dates back to Shannon’s notion This number plays the role of the security parameter com- of information theoretic secrecy [19] and Wyner’s wiretap monly used by cryptographers in designing cryptosystems. channel [20] (for a survey on the subject see [21]). In informa- Essentially, we are saying that decoding the system requires tion theoretic secrecy, the goal is to communicate in a manner a number of operations that is exponential in n and we such that legitimate users may communicate at a positive rate, parameterize the remaining variables in our system based on while the mutual information between the eavesdropper and n. the sender is negligibly small. Note that since in our model We consider real systems with the transmitted signal con- Bob and Eve have statistically-identical channels, information stellation, , defined as the set of integers [0,M). Lattices theoretic secrecy is not possible without a key rate, coding, or can easilyX be scaled and shifted, so we use this constellation using properties of Alice’s and/or Bob’s channel in the trans- without loss of generality over all possible M-PAM constella- mission strategy. Along these lines, Shimizu et al. [22], have tions. Our analysis assumes channels with a zero-mean gain, suggested using properties of the radio propagation channel to but this is for simplicity of exposition as the proof given in achieve information theoretic secrecy. These notions all differ Appendix A can easily be generalized to systems with non- from ours as we consider encryption based on computational zero mean. We consider uncoded systems, but our results can complexity at the eavesdropper’s decoder rather than through be extended to coded systems as we discuss in Section V. equivocation at the eavesdropper related to entropy and mutual Let the vector a Rn denote the gains between the i ∈ information. We believe this work makes significant progress transmitter and the ith receive antenna, let ei denote the noise in addressing some of the challenges that have been identified sample at this antenna, and let x represent the transmitted in applying physical layer security to existing and future vector which is drawn from n. The ith receive antenna gets systems [23]. a noisy, random inner-productX of the form The remainder of this paper is organized as follows. Section II outlines our system model and the underlying assumptions yi = ai, x + ei. (2) upon which the security of our system is based. In Section h i III we discuss lattices, lattice problems, and lattice-based Our work can easily be extended to complex channels, cryptography in order to provide the background for our main where the real and imaginary portions of the channel gain result, which is stated in Section IV and proved in Appendix matrix and noise are drawn independently, and M-QAM A. In Section V we discuss additional notions of security for symbols are sent, using an equivalent constellation as in the our model, including how to achieve security under adversarial real case. models commonly considered by cryptographers. Our model considers static channels. However, our model can easily be extended to time-varying channels: consider a II. PROBLEM FORMULATION single message is transmitted t times, no more than once per channel coherence period. Each transmission is equivalent to A. The Wiretap Model Eve receiving the original message with t times as many re- Consider an n m real-valued MIMO system consisting of ceive antennas which does nothing to aid in the computational × n transmit antennas and m receive antennas: complexity of her decoding. Let user have transmit antennas which are used to send y = Ax + e, (1) n a message toA user who has a number of receive antennas that n n m B where x R , and A R × is the channel gain matrix. is within a polynomial factor of n. Let the channel between Each entry∈ of the channel∈ gain matrix is drawn i.i.d. from the and be represented by A, where each entry is i.i.d. GaussianA B Gaussian distribution with zero mean and standard deviation Ψk. The noise at each receive antenna is drawn from ΨMα. 3

The results in this paper show that MIMO decoding can be related to solving standard lattice problems when a certain minimum noise level and constellation size are met. If the noise power is below the required level, efficient decoding methods such as the zero-forcing decoder could be applied to our system. In other words, if these conditions are not met, then our results provide no insight on the complexity 0.4 0.3 of decoding, and hence on the security of the MIMO wiretap 10 channel. Specifically, for some arbitrary m > 0, we require 0.2 the following constraints on the transmission from user to 0.1 5 user : A B 0.0 - 10 0 2 Minimum Noise: mα/k > √n (3) - 5

- 0 5 n log log n/ log n Constellation Size: M >m 2 (4) 5 - 10 where the parameter m may be chosen by a user or system 10 designer in order to trade off the SNR requirement for the size Figure 2. A Gaussian distribution on a two-dimensional lattice of the constellation. Now consider an eavesdropper, , which has poly(n) EVE Ω(n) receive antennas, and receives message x with channel rep- 1 2− . A probability is overwhelming if it holds with − c resented by B, where each entry is again i.i.d. Ψk. Let the probability 1 n− for some c> 0. An algorithm is efficient or − channel have noise be drawn from ΨMβ, where β α. In efficiently computable if its run time is within some polynomial ≥ other words, the eavesdropper must meet at least the minimum factor of the parameter n. An algorithm is hard if its run time noise requirement stated above. Discussion on how to ensure is at least 2n. We assume that, as input, algorithms accept nc this requirement is met is also provided in Section V. real numbers approximated to within 2− for some c > 0. In order to send message x to user , user performs a Z represents the set of all integers and Z represents the set B A q linear precoding as described in [25]. Let the singular value of integers modulo q. Given two probability density functions H n decomposition of A be given as A = UΣV . now sends φ1, φ2 on R , we define the total variational distance as x˜ = Vx. Upon receiving a transmission from userA , user H A B 1 computes y˜ = U y. It is easy to show that this expands to ∆(φ1, φ2)= φ1(x) φ2(x) dx. (6) ˜y = Σx + ˜e. Since Σ, representing the singular values of A, 2 ˆRn | − | is a diagonal matrix, can efficiently estimate x with linear complexity in n. NoticeB that U is unitary so e = ˜e . C. MIMO Signal Distributions Now consider the message received by k: k k k EVE In this subsection, we define various distributions that are ˜y = BVx + ˜e. (5) used in our problem. Specifically, we discuss distributions of lattice points and distributions which can be empirically Note that V consists of the right singular vectors of A, related to received MIMO signals. which is independent of B and unitary. Gaussian random First, in the proof of our work, we will need to generate matrices are orthogonally invariant [26], so since V is unitary, lattice points according to a Gaussian distribution. Since a multiplying by V returns the matrix to an identical, indepen- lattice is a discrete set of points, we define a discrete Gaussian dent distribution. In other words, the entries of BV are i.i.d., distribution, DA,α, for any countable set A and parameter α following the same distribution as B. as As the main result of this work, we will prove that the Ψα(x) x A, DA,α(x)= . (7) computational complexity for to efficiently recover x can ∀ ∈ Ψα(A) be mapped to the problem of solvingEVE standard lattice problems We now define the distribution, A on Rn R. The which are conjectured to be computationally hard. M,α,k × distribution AM,α,k is the distribution of channel gains and the received signal from a single antenna in a MIMO system B. Definitions for a transmitted vector. This distribution is defined for a The following definitions will be used in the proofs of our single antenna so a MIMO system with m receive antennas results. We define a negligible amount in n, denoted negl. (n) would get m samples from this distribution. This distribution c as any amount being asymptotically smaller than n− for any is the input to the MIMO decoding problem which we will c > 0. Similarly a non-negligible amount is one that is at define in this section. For some arbitrary x n, we c ∈ X n least n− for some c > 0. We define a polynomial amount, define the distribution AM,α,k as the distribution on R R denoted as poly(n), as an amount that is at most nc for some given by drawing a as defined above, choosing e Ψ× i ∼ Mα c > 0. An expression is exponentially small in n when it and outputting (ai,yi = ai, x + ei). We could alternatively Ω(n) h i is at most 2− , and exponentially close to 1 when it is express our system as drawing e Ψ and outputting i ∼ α 4

(ai,yi = ai, x /M + ei), which would result in the same Problem Definition 2. MIMO DecisionM,α,k. Let M 2, received SNR.h i α (0, 1), k R,n> 0.− Given a polynomial number≥ of ∈ ∈ samples, distinguish between samples of AM,α,k and samples of Ψ D. The MIMO Decoding Problem M(α+k)

Given these distributions, we now precisely define MIMO E. Assumptions decoding for the eavesdropper in the MIMO wiretap channel, In this work we offer a proof of security by showing that which we denote as the MIMO-Search problem. The search breaking our cryptosystem is at least as hard as solving well- problem asks us to recover the transmitted vector x without known lattice problems in the worst case. These problems error. In Section V, we discuss how to use the hardness are conjectured to require exponential running time. This of the problem to achieve cryptographically secure systems, conjecture and the large body of research behind it is discussed and provide a comparison between cryptographer’s notions of in the following section. For a more through treatment of the security with information theoretic ones. In Appendix A, we hardness of these problems, see [3]–[12]. Our proof is also prove that the search problem is as hard as solving certain based upon the following assumptions: lattice problems. We also use the term “MIMO decoding We assume that the Gaussian channel noise has suf- problem” to refer to the search problem. • 2 We wish to show that the MIMO decoding problem, defined ficiently large power so that mα/k > √n. If the below, is hard to solve, i.e., that this decoding is of exponential noise is too small, it is possible that a subexponential complexity in the number of transmit antennas. We say that an algorithm exists to recover the message (for motivation algorithm solves this problem if it returns the correct answer of this belief consider the subexponential attack on the c LWE problem with low noise described by [27]). One with a probability greater than 1 n− , for some c> 0. − possible way to ensure this requirement is met is to add Problem Definition 1. MIMO SearchM,α,k. Let M 2, noise at the transmitter. This intentionally degrades the − ≥ α (0, 1), k R, n > 0. Given a polynomial number of communication SNR for a trade-off of security. A further ∈ ∈ samples of AM,α,k, output x. discussion and characterization of our system in terms of The MIMO search problem above will be related to solving received SNR is found in Section V. We assume that the constellation size of the system standard lattice problems (discussed in Section III) through • standard reductions. In Section III and Appendix B we will is large relative to the number of transmit antennas. also discuss the complexity of solving these lattice problems. Specifically, in order for the proof of Theorem 1 to hold, n log log n/ log n The result of our reduction implies that the complexity of we require that M >m 2 . Unlike the noise decoding a MIMO system grows exponentially in the number requirement, it is unclear that sub-exponential decoding of transmit antennas, i.e., MIMO decoding is at least as immediately follows if this bound is not strictly met; it hard as the lattice problems to which we relate them. More is an open problem as to whether or not this requirement precisely, we state this in a contrapositive manner below. This is needed. We assume that each entry in the channel gain ma- contrapositive statement allows us to conjecture a lower bound • on the complexity of solving the MIMO decoding problems, trix is independent and Gaussian. More importantly, we based on the conjectured hardness of solving lattice problems. assume that the two receivers of Bob and Eve, have independent channels. The fact that channels between Main Result. Let M >m 2n log log n/ log n for some m > 0, different antennas are independent is well justified in α R, and k R be such that mα/k2 > √n. Given access most scattering environments. For example, in a uniform ∈ ∈ to an efficient algorithm that can solve MIMO SearchM,α,k, scattering environment, it has been shown that channels − there exist efficient classical and quantum solutions to standard are independent over a distance of 0.4λ, see e.g. [28] or lattice problems, which are conjectured to be hard. [29]. This independence analysis is extended to MIMO We breifly introduce a second problem, the channels in [30] and [31]. MIMO-Decision problem. This problem asks whether or not received samples are transmitted from a MIMO system III. LATTICES (with known channel gain matrix) or are generated from a We now provide an overview of lattices and lattice-based Gaussian distribution. Similar decision problems are common cryptography. This section contains all of the concepts used in cryptography, for example, in [13], Regev shows that in the cryptography literature that are required in the proof of the decision variant of the LWE problem is hard, and uses our main result. We first define several problems on lattices this fact to achieve semantic security – effectively hiding that are all conjectured to be hard to solve and are all used information in a random variable that is uniformly random. in the proof of our main result to show that MIMO decoding Due to the exponential requirement on the constellation size is at least as hard as solving standard lattice problems. We in our main result, a reduction from the MIMO-Decision next provide a discussion on the complexity of solving these problem to the MIMO-Search problem is not apparent. It lattice problems, followed by a discussion on the Learning is an open problem to show whether or not this problem is With Errors (LWE) problem. The Learning With Errors problem hard, and if so, how the result could be used to construct a has a striking similarity to the problem of MIMO decoding. secure cryptosystem. We follow a very similar approach to show the hardness of 5

MIMO decoding as is used to show the hardness of LWE is discussed in detail in Appendix B. For a survey on the decoding. hardness of these problems, see [3] or [4]. Lattice-based cryptography has generated much research The first problem we describe is the shortest vector problem. interest in recent years. Cryptographers’ interest in lattices In general, these problems can be efficiently solved if γ is at largely began with the surprising result of Ajtai [5] which least O (2n), but are conjectured to require exponential run created a connection between the average-case and worst- time for exact solutions or even for polynomial approximation case complexity of lattice problems. Cryptographers have factors. A close variant of this problem, the decision Shortest used these results to create a wide variety of cryptographic Vector Problem (GapSVP), asks whether or not the shortest constructions which enjoy strong proofs of security. Important vector generated by the lattice is shorter than some distance to this paper is the work of Micciancio and Regev [34] which d. In general, for an arbitrary basis, short vectors are hard to explores Gaussian measures on lattices. The Learning With find. Errors problem, first introduced by Regev [13], shows that Definition 1. GapSVP is defined as follows: given an n- recovering a point that is perturbed by a small Gaussian γ dimensional lattice (A) and a number d> 0, output YES if amount from a random integer lattice can be related to approx- λ (A) d or NO ifL λ (A) >γ(n) d. imating solutions to standard lattice problems. This problem is 1 ≤ 1 · discussed more thoroughly below. The hardness reduction in The following problem, the shortest independent vectors this work very closely follows the work in [13]. For a survey problem (SIVP), is often referred to as a lattice basis reduction. on lattice-based cryptography, see [3]. Definition 2. SIVP is defined as follows: given an n- A lattice is a discrete periodic subgroup of Rn that is closed γ dimensional lattice (A), output a set of n linearly indepen- under addition. Alternatively, a lattice can be defined as the set dent vectors of lengthL at most γ(n) λ (A). of all integer combinations of n linearly independent vectors, · n known as a basis, One well-known algorithm for finding approximate solu- n tions to the SIVP problem is the Lentra-Lentra-Lovász (LLL) (A)= Ax = x A : x Zn . (8) lattice basis reduction algorithm, which creates an “LLL- L i i ∈ ( i=1 ) reduced” basis in polynomial time. For large values of n, X A lattice is not defined by a unique set of basis vectors. Any the LLL algorithm returns a basis that is exponentially larger basis A multiplied by a unimodal matrix results in an alter- than the shortest possible basis of the lattice. It is generally native basis representation of the same lattice. We can define conjectured that no polynomial time algorithm could approx- imate SIVP to within a polynomial factor of n. For a more a set of lengths, in the l2-sense, λi(A), for i 1,...,n , as the radius of the smallest ball around the origin∈{ that contai}ns i in-depth discussion of lattice basis reduction algorithms and linearly independent vectors. These lengths are known as the their complexity, see [3]. successive minima. It is easy to show that there exists vector The following two lattice problems are important in the ˜ reduction given in this paper. They are also used by Regev vi = λi(A) for all 1 i n and that λ1(A) mini Ai , wherek k A˜ is the Gram-Schmidt≤ ≤ orthonormalization≥ of thek basisk in [13] in his proof of the security of LWE. The first problem, the Bounded Distance Decoding (BDD) problem, is equivalent A, where the norm is taken as the l2 norm. n to decoding a linear code, where the received vector is at most The dual of a lattice (A) R , ∗(A), is the lattice given by all y Rn such thatL for every∈ x L (A), x, y Z. Since some distance d from the nearest codeword. Exact solutions to ∈ T 1 ∈ L h i ∈ this problem are conjectured to require exponential run time. A is full rank, ((A )− ) is the dual of the lattice (A). L L By requiring d < λ1/2, we ensure that the closest vector is unique. The Closest Vector Problem (CVP) is identical to A. Lattice Problems. this problem but without a bounding distance. The closest This section considers a set of standard problems on lattices vector problem arrises in many other contexts, for example it that are conjectured to be computationally hard. These prob- is equivalent to decoding a linear code, and also the maximum- lems will be used in the characterization of the computational likelihood decoding problem in MIMO systems. complexity of MIMO decoding. These problems are defined Definition 3. The BDD (A),d problem is defined as follows: with an approximation factor, γ(n) 1, and input given L given an n-dimensional lattice (A), a distance 0 λn( (A)) ω √log n , outputs a sampleL from a distribution thatL is within· negligible distance algorithm to solve BDD, it is possible to generate a distribution
of lattice points which has a smaller second moment than input of D (A),r. L in the previous step. The above process can now be iterated with this new distribution of lattice points to solve BDD with a B. Learning With Errors larger bounding distance than before. Repeating this step will We now give an overview of the Learning With Errors eventually result in a distribution of lattice points with a very problem. The reader may note the similarities between this small second moment, which will reveal information about problem and the problem of MIMO decoding. In particular, the the shortest vectors of the lattice, allowing us to approximate Learning with Errors problem is very similar to the problem solutions to GapSVP and SIVP. presented in this paper except that Learning with Errors is set This step, using an LWE algorithm to solve any instance entirely over integer fields, whereas MIMO decoding is set of the BDD problem, turns out to be extremely useful to in the reals. We take advantage of the results related to the characterize the hardness of MIMO decoding. In particular, Learning with Errors problem to show the hardness of MIMO we will show that if we have an efficient algorithm for MIMO decoding. decoding, then this algorithm can be used to efficiently to solve The Learning with Errors (LWE) problem was first presented instances of the BDD problem. Then, with an efficient BDD by Regev in [13]. The problem allows one to have an arbitrary algorithm, Regev’s quantum reductions to worst-case lattice number of samples of “noisy random inner products” of the problems follow. Additionally for large M, Peikert’s classical form reduction follows. (a,y = a, x + e) , (9) h i Zn Zn Z C. Lattice-Based Cryptography where a q , x q , and e q. Each a is random from ∈ ∈ Z∈n the uniform distribution over q , and each e is drawn from In recent years, lattice-based cryptography has become a discrete Gaussian distribution with a small second moment a very attractive field for cryptographers for a number of (relative to q). This problem is an extension of the classic reasons. The security guarantees provided by many lattice- learning-parity with noise problem of machine learning. As based schemes far exceeds that of many modern schemes such with many hard problems, the LWE problem has two variants: as RSA and Diffie-Hellman, since lattice problems enjoy an the search and decision variants. These two problems are average-to-worst case connection, as discussed in Appendix related in complexity. In the search variant of the problem, the B. Lattice problems also appear to be resistant to quantum 7

problem. The relation between the reductions used to show the hardness of MIMO decoding and the reductions used to show the hardness of LWE is shown in Figure 3. Examples of parameters which meet the requirements stated in Theorem 1 are shown in Table I. The proof of this theorem is found in Appendix A.

Theorem 1. MIMO SearchM,α,k to GapSVPn/α and − R R n log log n/ log n SIVPn/α. Let m> 0, α , k , M >m 2 , be such that mα/k2 > √∈ n. Assume∈ we have an efficient al- gorithm that solves MIMO Search , given a polynomial − M,α,k number of samples from Ax,α,k. Then there exists an efficient quantum algorithm that, given an n-dimensional lattice (A), L Figure 3. A map of reductions relating MIMO decoding (the MIMO-search solves the problems GapSVPn/α and SIVPn/α. Hence, since problem) to solving standard lattice problems and the LWE problem. If there GapSVPn/α and SIVPn/α are conjectured to be hard, it is exists an efficient algorithm to solve the MIMO-Search problem, then this also conjectured that MIMO-Search is hard. implies solutions to standard lattice problems. Since lattice problems are conjectured to be hard, this conjecture follows for the hardness of the MIMO- An outline of the reductions is shown in Figure 3. Figure 3 search problem. In this figure, M refers to the constellation size used in the also relates the work of Regev and Peikert to our work. The MIMO system. steps used to prove the theorem are outlined as follows: We first show that, given the MIMO oracle as described in • computers. The creation of such computers poses a significant Section II, we can solve problems where the coefficients challenge to the state of modern cryptography, since a quantum of the channel gain matrix are instead drawn from a computer could break most modern number-theoretic schemes. discrete Gaussian distribution as described in Lemma 1 In addition, many proposed lattice schemes are competitive in Appendix A. We begin by reducing a lattice basis A by using the with, or better than, many modern number-theoretic schemes • in terms of both key size and the computational efficiency of Lensta-Lensta-Lovász (LLL) lattice-basis reduction algo- encryption and decryption [37]. For these reasons, a number rithm. We then, using the procedure described in [33], of lattice-based cryptography standards are being developed create a discrete Gaussian distribution on this lattice, with or have been developed recently by both the IEEE and the a second moment around the length of the largest vector financial industry ([38], [39]). given in the reduced basis. We use this as the starting Lattice-based cryptography provides cryptographers with a point for the iterative portion of the algorithm. The main step in the proof is given in Lemma 7, where we wide variety of tools to create many different cryptographic • constructions. We here reference some of these constructions use this MIMO decoding oracle to solve the BDD problem as it is possible that some of them could be applied to the given access to a DGS oracle. This allows us to directly MIMO decoding problem or even that the MIMO decoding use the results from Regev [13] and Peikert [24]. In Lemma 8, from [13], the BDD oracle is used to construction could inspire entirely new cryptographic con- • (quantumly) solve ∗ , that is return samples structions. Importantly, the LWE problem can be extended to DGSL ,√n/(√2d) cyclotomic rings ([40]), which can improve the efficiency of DL∗,r. Note that we can efficiently sample from DL,r (in terms of key size and complexity of the encryption and for r > ηǫ(L). If in Lemma 7 we set parameters so decryption operations) of cryptosystems based on LWE. In [13], that √2d > √n, then we can reduce the value of r to a system that is secure against Chosen-Plaintext Attack (CPA- below the value for which we could previously efficiently secure) is presented and in [24] a Chosen-Ciphertext Attack sample, that is we can construct a distribution that is more secure (CCA-secure) system is presented. In addition, the LWE narrow than previously possible. The BDD and DGS oracles can now be applied iteratively, problem has been used to create a wide range of useful cryp- • tographic primitives such as identity-based encryption ([41]), shrinking the second moment of the discrete Gaussian oblivious transfer ([42]), zero-knowledge systems ([43]), and distribution with each iteration. Eventually, the distribu- pseudorandom functions ([44]). The LWE problem was also tion becomes narrow enough to reveal information about used to construct a fully homomorphic cryptosystem [45], the shortest vectors of the lattice, thereby solving the solving a long-standing open problem in cryptography. GapSVPn/α and SIVPn/α problems.

IV. MAIN THEOREM V. SECURITYANDTHE MIMO WIRETAP CHANNEL In this section we state our main theorem regarding the computational hardness of MIMO SearchM,α,k. We show In the previous sections we have shown that the MIMO wiretap that given an efficient algorithm which− can solve this problem, model is secure in the sense that the decoding complexity of there exist efficient solutions to the problems of GapSVPn/α any eavesdropper is exponential in the number of transmit and SIVPn/α. The reduction is based off the work of [13] and antennas. In this section, we relate this notion of security for involves a step using a quantum computer. In [24] this step our system to other notions of security used by information is removed, but the hardness is only related to the GapSVP theorists and cryptographers. 8

Table I MAXIMUM SNRS that, information-theoretically, Eve receives no information about the message. Consider that Eve applies some suboptimal n log2 M SNR (dB) decoder that runs in polynomial time (for example, successive 80 33.7 87.1 128 51.3 139.2 interference cancellation or zero-forcing decoding). Eve would 196 75.4 210.7 then get some estimate for Alice’s message with some bit error 256 96 272.2 rate that is potentially less than half. In some sense, this is Example sets of parameters for various numbers of transmit antennas. In order insecure as it implies that Eve in fact receives information for the security proofs contained in this paper, the system must meet these about Alice’s message. In this section, we provide a means minimum constellation size and maximum SNR values. Here we set m = 1. to use our system in a manner that is in fact secure under cryptographic notions of security rather than information- Until this section, we have referred to the third user on theoretic ones. Alice and Bob’s public channel to be an eavesdropper. This Under the widely accepted conjecture that lattice problems implies that the eavesdropper is passive and has no ability cannot efficiently be approximated to even subexponential but to receive and decode information. In practice, this model factors, Eve can at best recover a constellation point that is limited and, in order to provide more practical and robust is exponentially far away from Alice’s transmitted vector. notions of security, a more powerful adversarial model should Effectively, this means that for a single channel use, Eve can be considered. The need for using more robust security models reduce the number of possible transmitted vectors from M n in the study of physical-layer security was recently discussed to 2O(n). in [23]. In this work the author suggests bridging the gap We could use this result in an information-theoretic sense between notions of security in information theory and cryp- along with our hardness result to say that there is now a tography in order to make physical-layer schemes more widely positive secrecy rate in the wiretap channel, which could accepted by the security community. Considering an adversary be accomplished through either a key rate, coding, or using which, for example, has the ability to manipulate, inject, a transmission strategy that takes into account the channel alter or duplicate information is considered essential when characteristics of Bob and/or Eve (e.g. puts a null in the a cryptographer develops and designs a cryptosystem, but is direction of Eve). While this approach would extend existing rarely, if ever, considered in information-theoretic settings. In results on information-theoretic secrecy, it is different from this section, we discuss stronger adversarial models which our approach in two main aspects, as we now describe. are commonly considered in cryptography and show how to First, assume that the average received SNR at Bob’s use the hardness result derived in Section IV in order to location is identical to the average received SNR at Eve’s construct secure schemes under these models. We note that location and, at both locations, the sufficient conditions of our there are many other adversarial models studied in the field of hardness result holds. Since the channel gain matrices between cryptography which we do not discuss here. A more complete Alice and Bob and Alice and Eve have the same distribution, discussion of these models is provided in [1]. on average they have the same number of spatial streams that In this section, we present two ways in which Alice and Bob can be supported and at the same SNR. In other words, the can securely use our result. In the first scheme, we show how mutual information between the channel input and the output Alice may securely transmit a message to Bob. This scheme at Bob and at Eve is the same, unless the input is encoded achieves both the notion of Chosen Plaintext Security (also in a manner that allows Bob to decode whereas Eve cannot. known as Semantic Security) as well as Chosen Ciphertext This will reduce the mutual information between Alice and Security. However, the downside of this scheme is that it Eve, possibly to zero. On the other hand, our approach shows relies on additional cryptographic primitives and assumptions: that there is (likely) no efficient algorithm that allows Eve to this scheme is secure in what cryptographers call the Random decode, and thus, practically, if Eve is subject to complexity Oracle Model, which we describe in Section V.B. In Section constraints she will receive less information than Bob. To our V.C, we present a simple scheme which allows Alice and knowledge, this notion of information exchange, based on the Bob to agree on a secret key which, in order to be practical, conjectured complexity of decoding, is novel. must take on additional assumptions about Eve’s ability to Second, relying on the information theoretic secrecy argu- approximately decode. Constructing a cryptosystem which is ment does not provide a constructive result. By this we mean provably secure using only the assumptions listed in Section II that it merely shows the existence of a scheme that allows for is not readily apparent. We believe that the schemes proposed Alice and Bob to reliably and securely communicate, rather are practical and that applying these notions of security in than actually providing such a scheme, as is the case for most the context of physical-layer security is not only novel, but information-theoretic results. In contrast, the cryptographic makes substantial progress in bridging ideas from information- notion of security that we use in fact gives a practical scheme theoretic security and cryptography, as discussed in [23]. for secure communication.

A. Information-Theoretic Security B. Secure Message Transmission in the Random Oracle Model We have shown that it is hard for Eve to decode Alice’s We have shown that it is computationally infeasible for Eve message. However, we defined decoding as exactly recovering to exactly recover Alice’s transmitted message, but Bob can the message without error. This is not the same as stating decode in polynomial time. This implies that (assuming lattice 9 problems are hard) the MIMO channel naturally forms what which candidate received Alice’s vote. If instead Alice trans- cryptographers call a secure one-way trapdoor function2. In mits her vote using a scheme that is CPA secure, receiving this subsection, we construct a secure cryptosystem by usinga the vector y will convey no information about Alice’s vote to standard cryptographic construction, known as OAEP+ (Opti- Eve. mal Asymmetric Encryption Padding). OAEP+ was introduced Security under Chosen Ciphertext Attack (CCA) is a in [46] as an improvement to the original OAEP scheme given stronger notion than CPA security (and in fact CCA security, in [47]. The results of [46] allow for the construction of a as described here, implies CPA security, see [48]). Under the secure cryptographic system given any one-way permutation. CCA adversarial model, an adversary first gets access to a The results imply that, in the random oracle model, the re- decryption oracle (but not the secret key) and is allowed to sulting system has the properties of Chosen Ciphertext (CCA) present his choice of ciphertext to the oracle and learn the Security and Chosen Plaintext (CPA) Security. Precisely, the corresponding plaintext. Then after loosing access to this ora- security of our system follows from the following theorem, cle, the adversary is then challenged to match pairs of plaintext which is proven in [46] for any one way permutation. The and ciphertext. This is also referred to as a “lunchtime”, non- fact that the MIMO-Search problem is one way, under the adaptive CCA security, or IND-CCA1. In a stronger notion of assumption that lattice problems are hard, is given by Theorem CCA security (known as adaptive CCA or IND-CCA2), the 23. Theorem 2 gives strong evidence that at least one bit (and adversary can continue to submit queries to the oracle after likely more) will remain computationally hidden from Eve, being presented with the challenge plaintext and ciphertext and thus Eve will learn no information about the transmitted pairs, under the condition that he does not submit the challenge message. ciphertext to the oracle. The necessity for CCA security in the context of our system Theorem 2. [51, Thm. 3] If the underlying trapdoor permuta- is not as readily apparent as it is in a traditional keyed tion is one way, then OAEP+ is secure against adaptive chosen cryptosystem. Suppose, for example, a device exists which ciphertext attack in the random oracle model. decrypts ciphertext, but from which a party cannot recover the We now give an informal treatment of CPA and CCA secret key. If an adversary is given access to such a device, Security, as well as the random oracle model. For a formal then a CCA secure cryptosystem is still secure given that this treatment, see [1] or [48]. A reader familiar with these notions access is temporary. In our system model however, such a may wish to skip ahead to Algorithm 1. device cannot exist: the ability for Bob to decode Alice’s Succinctly, the condition necessary to achieve security under messages depends on both Alice and Bob to be at certain Chosen Plaintext Attack (CPA security – here we describe spatial locations and not on the possession of a key. In fact, the notion referred to as IND-CPA) is that an adversary when Eve receives a message through the wiretap channel, she must be unable (without violating our computational hardness receives the vector BVx + e, which was precoded for Bob’s assumptions) to match up pairs of plaintext (unencrypted data) channel. There is no way for anyone to efficiently decode and ciphertext (encrypted data). This notion of CPA security this vector. Nonetheless, our system is still secure if such an was formally introduced in [49]. There are many reasons why oracle were to exist, as adaptive CCA security (and hence CPA such a notion of security is needed. For example, consider security) follows from using the OAEP+ construction. that an adversary knows that a user communicates with only a The Random Oracle model was introduced by [50]. The known small subset of possible messages. If the adversary model assumes that parties have access to an oracle which can match plaintext and ciphertext, then the adversary can choses uniformly at random a function which maps each pos- exhaustively search over the possible transmitted messages and sible input query into its output domain. When implemented learn the message. in a practical scheme, such an oracle can be replaced by We illustrate the value of this notion of security with an a cryptographic hash function, such as the SHA family of example from our model in Figure 1. Sending non-random hashes. For many cryptographic hash functions, proving cer- messages, or messages from a source with a small entropy, tain security properties is a difficult task. The Random Oracle could be problematic from a security perspective. Consider, model provides cryptographers an idealized model of a hash for example, that Alice is casting a vote in an election function to make possible rigorous analysis of cryptographic which she sends to the election official, Bob. In the election, constructions that include such hash functions. Constructions there are a small number, v, of candidates. Alice votes by which are provably secure under the Random Oracle model sending some message xi, for i [0, v), which is predefined, have been standardized and their use is extremely common. and publicly known, for each candidate.∈ Eve could receive The proposed scheme is given in Algorithm 1, which simply y = Bxi + e, and compute the l2 norm between y and encodes a message using the OAEP+ construction given in each possible Bx0,..., Bxv 1 and tell with some certainty [46] before transmitting the message over the MIMO channel. { − } As a result of this encoding, the decoder must receive the 2 A one-way function is a function which can be evaluated in polynomial message x without error in order to decode. If the decoder time, but requires exponential complexity to invert. Such functions are conjectured to exist, but proving their existence is an open problem and would has even a single error, then the resulting output will be prove P = NP. computationally indistinguishable from uniform random by 6 3The MIMO channel maps messages from bits to real values and thus is Theorem 2 and the one-wayness of the MIMO channel. a function and not a permutation. However, the MIMO search problem asks Eve to decode a MIMO signal back to bits, and thus we can view the process We note that this algorithm requires Bob to receive a perfect of transmitting, detecting and decoding as a permutation of the message bits. copy of the message x through the MIMO channel. However, 10

Algorithm 1 MIMO-OAEP+ uniformly, across her channel. Eve receives this message Let K = n log M be the number of bits transmitted per MIMO through her channel and can apply her favorite lattice-basis channel use. Alice wishes to send Bob a message, m, that is reduction algorithm to decoding the message, but is unable η = K 2n bits. Assume Alice and Bob both have access to to obtain a lattice basis that is within a polynomial factor − n η three random oracle functions: G : 0, 1 0, 1 , H′ : of the shortest basis. She can use this shorter basis along n+η n {n+η } → { }n 0, 1 0, 1 , H : 0, 1 0, 1 . Alice with Babai’s nearest plane algorithm [52] to recover a vector, { } → { n}+η { }n → { K } computes s 0, 1 , t 0, 1 , x 0, 1 as shown x′, that is a super-polynomial distance away from xˆ, that is ∈{ } ∈{ } ∈{ } ω(log n) under Encrypt below. Alice then multiplies x by the right x′ xˆ > 2 . The fact that Eve can recover this vector k − k singular vectors of Bob’s channel and transmits the message x′ implies that Eve can in fact learn a non-negligible amount to Bob. Bob recovers x through his channel and then recovers of information about Alice’s message. m using the proceedure shown under Decrypt. Bob verifies In order to more precisely determine the length of the that c = H′(r m). If these quantities are not equal then Bob basis which Eve can practically find, one can consider the k has not properly received Alice’s message and he rejects. current state-of-the-art for lattice basis reduction algorithms, For a study on limits of lattice basis reduction algorithms, see [53], for a more general overview see [3]. In [53], the Encrypt Decrypt authors suggest that the closest Eve can decode relative to the s = (G(r) m) H′(r m) s = x[0,...,η + n 1] ⊕ k k − original message (given a realistic amount of computational 2√n log M log 1.005 t = H(s) r t = x[η + n,...,k] resources) is bounded by x′ xˆ > 2 . ⊕ k − k x = s t r = H(s) t According to [53], this is an extremely conservative estimate, k ⊕ and we claim that it would require either an infeasible amount m = G(r) s[0,...,η 1] ⊕ − of computational resources or a substantial advancement in c = s[η...,η + n 1] − lattice-basis reduction algorithms for Eve to learn more about ? c = H′(r m) the original message than this bound indicates. k In order to prevent Eve from being able to recover a coded version of the message x, we apply a code which 2√n log M log 1.005 has a minimum distance dmin 2 . With Bob receives this message through a channel with Gaussian high probability, Eve will be unable≤ to recover an error-free noise and thus has some probability of error that he does not estimate of x, and will be unable learn any information about receive this message perfectly. In fact, given the large noise the message m sent using Algorithm 1. requirement in Theorem 2, it can be shown that the symbol 2) Correctness: We now show that, if Alice encodes the error rate at Bob’s location will be close to one, even when output of Algorithm 1 with an error-correcting code of dmin = Bob has a large number of antennas. 22√n log M log 1.005, then given a sufficient number of recieve In order to allow Alice and Bob to communicate, we must antennas, Bob will be able to receive and decode the vector reduce the rate of communication between them; however, in x without error, thus allowing him to recover the message m order to allow for Theorem 2 to hold, we must still maintain from Algorithm 1. We proceed by choosing the parameters the large constellation size and noise requirement. Both of M = 2n log log n/ log n,m = 1, α = 1, and k = 1, but this these objectives can be accomplished through the use of error analysis is easily generalized to other parameters which meet correcting codes. Note, however, that if we encode the message our security condition. x with a code that can correct up to e errors, then this also Assume that Bob has nr = t n receiever antennas for some · n/2 aids Eve in recovering the plaintext. Because Eve cannot apply t> 2. With probability at most 2e− , the smallest singular ML decoding, she will experience an increased error rate over value in the channel between Alice and Bob will be at least Bob. We can use this fact to construct a code which Bob can (t 2)n (see for example \cite{rudelson}, Eq. 2.3). This decode but Eve cannot. implies− that the noise variance in each of the decomposed p 1) Eavesdropper Decoding: We now consider the limits channels between Alice and Bob will decrease by at least of a to which Eve can estimate the message x which is not factor of (t 2)n compared to the ambient channel noise. precoded for her channel. The analysis in this section describes For Bob to be− able to decode, we now require the following p how much Eve’s estimate of x differs from its maximum- condition to hold with some reasonable probability: likelihood, which we denote as xˆ. We obtain a lower bound on Mα this distortion by considering state-of-the-art algorithms which < 22√n log M log 1.005, (10) are used to attack lattice-based cryptography schemes. We (t 2)n begin by stating a conjecture about the limits of approximating − where the left-hand side is an upper bound of the noise lattice algorithms. This conjecture is widely accepted to be p variance in each of Alice and Bob’s parallel channels, and true (see [3], for example) and discussed in more detail in the right-hand side is the minimum distance of the error Appendix B: correcting code employed by Alice. Substituting the values Conjecture 1. There is no polynomial time algorithm which of our constants, this gives us: can approximate SIVP to within polynomial factors. 2.86 Alice transmits a message x [0,M)n, which is distributed t> (11) ∈ n 11 and thus, for any t > 2, the probabily of having a symbol Algorithm 2 Key-Agreement Scheme error when Bob decodes is bounded below by: Alice wishes to send Bob η secret bits. Alice generates some number c = c(n), such that 2c √n log M log 1.005 > η, n n erfc r = negl(n), (12) of random messages m [0,M) and sends them to Bob 2.86 over the MIMO channel∈ with channel parameters meeting   where erfc( ) represents the complimentary error function. We the constraints in Theorem 1. Alice and Bob ensure that note that the· condition that t > 2 is only neccessary so that, the message is exchanged without error for example through with overhelming probability, there will be no ill conditioned channel coding. Alice and Bob then hash the message (after channels in the parallel decomposition between Alice and Bob. decoding if channel coding is used), using a universal hash For large n, the probability of error will remain small for which outputs η bits and use the result as their secret. values of t close to 1. Table II COMPUTATIONAL SECRECY CAPACITY C. Secret Key Agreement and Computational Secrecy Capac- n log2 M SNR (dB) Computational Secrecy Capacity ity 80 33.7 87.1 8.80 We now proceed to describe a secret key transmission pro- 128 51.3 139.2 13.75 196 75.4 210.7 20.62 tocol. In the context of our model in Figure 1, such a protocol 256 96 272.2 26.60 allows Alice to transmit a “secret” to Bob in the form of bits For unit channel gain variance, the minimum constellation size, and the undecodable by Eve. Information-theoretic protocols which minimum SNR that meets the noise requirements for the hardness condition achieve this secret key transmission based on equivocation to hold. Computational Secrecy Capacity gives the number of bits Alice can at the eavesdropper are known, for example [51]. Here we securely transmit to Bob per channel use using Algorithm 1. present a protocol in which the key is kept secret under computational rather than information-theoretic assumptions. We note that if Alice and Bob use channel coding to We call the number of bits Alice can securely transmit to ensure for reliable communications, then the rate of the coding Bob per channel use under computational assumptions the scheme employed would also effect the number of bits Alice Computational Secrecy Capacity. and Bob could securely exchange per channel use. That is, Alice transmits a message n chosen uniformly at m [0,M) if Alice and Bob used a scheme that could correct up to random through her channel. This∈ message has n log M bits e bit errors, then the bound on η must be reduced by e of entropy. By similar reasoning to the previous subsection, bits. Similarly, this quantity, 2√n log M log 1.005, also serves Eve receives this message through her channel and recovers maximum number of bit errors that can be allowed to be a vector, , such that 2√n log M log 1.005. The m′ m m′ > 2 corrected in any code chosen between Alice and Bob in the fact that Eve can recoverk this− vectork implies that Eve can m′ scheme given in Section V.B. in fact learn a non-negligible amount of information about Alice’s message. Here we argue that, in the context of our proposed schemes, this information is in fact useless unless D. Computational Attacks Eve can violate our computational assumptions. We wish to briefly note the importance of maintaining Achieving this bound in terms of Eve’s ability to decode the security parameters as stated in Theorem 1. When the the transmitted message implies that the entropy associated minimum noise requirement is not met, it is possible that with Eve’s estimate of m is at least 2√n log M log 1.005. By attacks follow on our system. By attack, we mean that an applying the leftover hash lemma [55], it follows that Alice adversary could, by applying a sub-exponential algorithm in can transmit to Bob 2√n log M log 1.005 bits of information order to decode. As an example, in [56], the authors show an per message without Eve learning any (non-negligible) amount attack on a version of our system with security parameters not of information about the message. Thus, the security of the meeting those defined in Theorem 1. Finally, we note that it bits transmitted via the scheme described in Algorithm 2 is not apparent that an attack follows immediately for smaller immediately holds. The quantity 2√n log M log 1.005 is the values of M than required in Theorem 1, but we leave it as an Computational Secrecy Capacity of our model in Figure 1. open question as to whether or not it can be shown that Eve Table II gives examples of the computational secrecy capacity can successfully decode with non-exponential complexity for for various parameters. smaller values of M, or if a smaller bound on the requirement Algorithm 2 requires the use of a universal hash function, for M can be found that still entails decoding to be hard for which we briefly define as a function which takes an arbitrary- Eve. sized input and returns a fixed-size output (the hash value). A universal hash is constructed so that there is a low expectation that two distinct inputs chosen adversarially hash to the same VI. CONCLUSION value (collide). The leftover hash lemma [55] essentially states We have demonstrated that the complexity of an eaves- that using a universal hash function allows us to extract dropper decoding a large-scale MIMO systems with M-PAM randomness from a source from which an adversary has modulation can be related to solving certain lattice problems partial information, such that the adversary is left almost no which are widely conjectured to be hard. This suggests that information about the output of the hash function. the complexity of solving these problems grows exponentially 12 with the number of transmitter antennas. Unlike the computa- 2) We begin with an arbitrary lattice basis A and apply tionally hard problems underlying many of the most common the LLL algorithm. We then create a discrete Gaussian encryption methods used today, such as RSA and Diffie- distribution on this lattice, with a second moment around Hellman, it is believed that the underlying lattice problems are the length of the largest vector given in the reduced hard to solve using a quantum computer, and thus this scheme basis. We use this as the starting point for the iterative presents a practical solution to post-quantum cryptography. portion of the algorithm. It is not new to exploit properties of a communication 3) In Lemma 7, we use this MIMO decoding oracle to channel to achieve security; however, to our knowledge, this solve the BDD problem. The input to this problem is is the first scheme which uses physical properties of the an (arbitrary) n-dimensional lattice (A), a number L channel to achieve security based on computational complexity r > √2ηǫ ( (A)), and a target point y within distance arguments. Indeed, the notion of the channel is not typically d < Mσα/kL 2r√2 (the bounding distance) of (A). considered by cryptographers. We thus describe our system as We take this instance of a BDD problem and, usingL a a way of achieving physical-layer cryptography. number of samples from the distribution DL∗,r, we are Further novel to our scheme is the role that the channel gain able to construct a number of samples in the form of matrix plays in decoding. A transmitted message can only be (A,y = a, x + e), in the exact form of distribution decoded by a user with the corresponding channel gain matrix. expectedh by MIMOi decoding oracle using Lemma 1. The channel gain matrix, or more specifically the precoding Here, returning the correct vector x solves the BDD of the message using the right-singular vectors of the channel problem. We now have an oracle which solves the BDD gain matrix, essentially plays the role of a secret key in that problem for arbitrary lattices. it allows for efficient decoding at the receiver. However, this 4) In Lemma 8, from [13], the BDD oracle is used to (quan- value does not need to be kept secret, nor does it play the tumly) solve ∗ , that is return samples DGSL ,√n/(√2d) traditional role of a public key. We term this type of key as of DL∗,r. Note we can efficiently sample from DL,r the Channel State Information- or CSI-key. In cryptography for r > ηǫ(L). If, in Lemma 7 we set parameters so terminology, this system is a trapdoor function, for which the that √2d > √n, then we can reduce the value of trapdoor varies both spatially and temporally. The fact that r to below the value for which we could previously this is a new type of cryptographic primitive suggests the efficiently sample, that is we can construct a distribution possibility of entirely new cryptographic constructions. that is more narrow than previously possible. We have used the hardness result, in conjunction with a 5) In [13], the steps of Lemma 7 and 8 are iteratively new notion of computational secrecy capacity, to construct applied, resulting in a more narrow distribution of lat- a method in which two users can perform a key-agreement tice points. Eventually, this distribution becomes narrow scheme, without a pre-shared secret. In addition, we give a enough to reveal information about the shortest vectors scheme that allows Alice and Bob to securely communicate of the lattice, solving the GapSVPn/α and SIVPn/α. We in the presence of an eavesdropper. We relate the parame- refer the reader to [13] for the rigorous treatment of this ters required to maintain security to SNR requirements and process. constellation size and show that they are practical to achieve 6) We refer the reader to [24] for the classical reduction, assuming a system with enough transmitter antennas and which requires an oracle to solve the BDD problem. Re- the corresponding number of receivers, and relatively large placing Regev’s LWE-based BDD oracle with our MIMO- constellation sizes. based BDD oracle, the classical reduction follows.

APPENDIX A A. Smoothing Parameter. PROOF OF MAIN THEOREM Before we prove the main theorem, we review the smoothing Theorem 1. MIMO Search to GapSVP and − M,α,k n/α parameter and state some of its properties that we will require SIVPn/α. Let α > 0, m > 0 , k > 0 be such that in our proof. The smoothing parameter was introduced in [34] mα/k2 > √n, and M >m 2n log log n/ log n. Assume we have and is an important property of the behavior of a discrete access to an oracle that solves MIMO SearchM,α,k, given a Gaussian distribution on lattices. It is precisely defined as − polynomial number of samples from AM,α,k. Then there exists follows. an efficient quantum algorithm that given an n-dimensional Definition 5. For an n-dimensional lattice (A) and a real lattice (A), solves the problems GapSVPn/α and SIVPn/α. L L ǫ> 0, the smoothing parameter, ηǫ( (A)), is the smallest α Additionally, there exists a classical solution to GapSVPn/α. L such that Ψ1/α ( ∗(A) 0 ) ǫ. Proof: The lemmas required to prove this theorem are The smoothingL parameter\{ } ≤ defines the smallest standard given below. We summarize the proof of the main theorem as deviation such that, when the inverse is sampled over the follows. dual ∗(A), all but a negligible amount of weight is on the 1) We first show that, given the MIMO oracle as described origin.L More intuitively, it is the width at which a discrete in Section II, we can solve problems where the coeffi- Gaussian measure begins to behave as a continuous one. The cients of the channel gain matrix are instead drawn from motivation for the name ‘smoothing parameter’ is given in a discrete Gaussian distribution as described in Lemma [34]. For α> √2η ( ), if we sample lattice points from D ǫ L L,α 1. then add Gaussian noise Ψα, then the resulting distribution is 13 at most distance 4ǫ from Gaussian. We borrow the following Take two samples from the discrete distribution, call them two technical claims from [34]. (a , y ) and (a , y ). Now generate two numbers c ,c i i j j i j ∈ Z nc , uniformly, and output Claim 2. [34, Lemma 3.2]. For any n-dimensional lattice 2 n (A), ηǫ ( ) √n/λ1 ( ∗(A)) where ǫ =2− . c a + c a c y + c y L L ≤ L i i j j , i i j j = More generally, we can characterize the smoothing param- ci + cj ci + cj   eter for any ǫ. c a + c a c a + c a c e + c e Claim 3. [34, Lemma 3.3]. For any n-dimensional lattice i i j j , i i j j , x + i i j j c + c c + c c + c (A) and ǫ> 0,  i j  i j  i j  L since each e is generated i.i.d., it is not hard to see that the ln(2n(1+1/ǫ)) noise has the correct distribution. Similarly, since each a is ηǫ( ) λn(A). (13) a a L ≤ π · i.i.d., moments of the quantity ci i+cj j will be unchanged, r ci+cj Equivalently, for any superlogarithmic function ω (log n), and this quantity will be proportional to the desired Gaussian ηǫ( ) ω (log n) λn(A). distribution. We have now increased the support of the distri- L ≤ · cj bution. Indeed, the support of the quantities ci and We willp also note the following property of the smoothing ci+cj ci+cj parameter, which follows from the linearity of lattices. If we covers every point in the interval [0, 1) to within a factor of nc scale the basis of a lattice, then all of the successive minima 2− , and this new distribution will be indistinguishable from will scale by the same amount: the distribution expected by the MIMO oracle. We next state the following claim which is proven in [13] Claim 4. For any n-dimensional lattice (A),ǫ> 0, and c> L and shows that a small change in α results in a small change 0,ηǫ( (c A)) = c ηǫ( (A)). L · · L in the distribution of Ψα. This claim is required in the proofs of Lemmas 2 and 3. B. Preliminary Lemmas Claim 5. [13, Claim 2.2]. For any 0 <β<α 2β, Before we can proceed with the main part of the proof show- ≤ α ing the reduction from standard lattice problems to the MIMO ∆(Ψ , Ψ ) 9 1 . (15) α β ≤ β − decoding problem, we require several preliminary lemmas. We   will first show, in Lemma 1, that it is sufficient to solve the We next show that given a vector x, it is easy to verify MIMO decoding from a discrete Gaussian distribution rather whether or not it is the correct solution to the MIMO-Search than a continuous one. This distribution is used as input to the problem: MIMO oracle in Lemma 7. We define the distribution DM,α,k, which is the discrete analog of the distribution A . Given Lemma 2. Verifying solutions of MIMO SearchM,α,k . There M,α,k − an arbitrary lattice (A), and a number r> √2η ( (A)), we exists an efficient algorithm that, given x′ and a polynomial L ǫ L first sample a vector a from the distribution D (A),r, and a number of samples from Ax,α,k, for an unknown x, outputs L point e from the distribution ψα. We now output: whether x = x′ with overwhelming probability.

ka ka Proof: Let ξ be the distribution on y a, x′ . The , y = , x /M + e (14) − h i r r same distribution can be obtained by sampling e Ψα and     ∼ outputting e + a, x x′ . In the case x = x′, this reduces to Lemma 1. Continuous-to-Discrete Samples. Given an oracle h − i e, and the distribution on ξ is exactly Ψα. In the case where which can solve MIMO DecisionM,α,k, there exists an effi- − x = x′, x x′ > 1 by the restriction on our choices of x. cient algorithm to recover x given samples from DM,α,k. 6 k − k The inner product of a, x x′ is Gaussian with zero mean h − i Proof: We first claim that every point in the distribution and a standard deviation of at least k/√2π, and the standard 2 2 D (A),r is proportional to ψr, to within a negligible amount. deviation on e + a, x x′ must be at least √α + k /√2π. L h − i This effectively follows from the fact that we choose r to We now must distinguish between the random variables of Ψα be larger than the square root of two times the smoothing and Ψ√α2+k2 . parameter of the lattice (formally, see equation 11 of [13, Assuming that k2 is non-negligible in n, then given an Claim 3.9]). arbitrary number of samples within a polynomial factor of We now create a unitary transformation that can be applied n, we can distinguish between the two distributions with to both a and y, creating a and y, so that the support of a is overwhelming probability by estimating the sample standard effectively Rn. W do not have to actually cover all of Rn, nor deviation. do we in fact have to comee closee to doing so. Our algorithms,e The following lemma is used from [13, Lem. 3.7]. In [13], by assumption, can only approximate points in Rn to within the lemma applies to the case of LWE over an integer field, nc a factor of 2− , for some c> 0. Thus, we only need to have this proof is repeated in this appendix in order to demonstrate nc a support in which no point is more than a distance of 2− that it follows for the case of MIMO channels, given Lemma away from any point in Rn. Then, by the fact that we choose 7. Specifically, this lemma shows that if we can solve the a unitary transformation, all norms and inner products will be MIMO problems with noise parameter α, then we can solve preserved, and we will achieve our desired result. We describe the problems given samples with noise drawn according to an appropriate transformation as follows. Ψ for any β α. β ≤ 14

Lemma 3. [13, Lem 3.7]. Error Handling for β We now state the following claim about a polynomial-time α. Assume we have access to an oracle which solves≤ lattice basis reduction algorithm, the LLL algorithm, given in MIMO Search by using a polynomial number of sam- [32] and improved by Schnorr in [36]. − M,α,k ples. Then there exists an efficient algorithm that given sam- Claim 6. [32], [36]. For some (A), we apply Schnorr’s ples from A for some (unknown) β α, outputs x with L x,β,k ≤ variant of the LLL algorithm, and obtain a new, shorter basis overwhelming probability. for this lattice A. The norms of the new basis vectors in this Proof: Assume we have at most nc samples for some lattice, given by σ1, ..., σn, are bounded by: c > 0. Let Z be the set of all integer multiples of n 2cα2 e n log log n/ log n − σn < 2 λn (16) between 0 and α2. For each γ Z, do the following n times. For each sample, add a small amount∈ of noise sampled from and σ < 2n log log n/ log nλ (17) Ψ , which creates samples in the form A 2 . Apply 1 1 √γ x,√β +γ,k the oracle and recover a candidate x′. Use Lemma 2 and check The rest of this proof proceeds with the following assump- whether x′ = x. If yes, output x′, otherwise continue. tion: We now show the correctness of this algorithm. By Lemma λ 2, a result can be verified to be a correct solution of 1 n < 2n log log n/ log n (18) MIMO SearchM,α,k with probability exponentially close to ≤ λ1 1. Thus− we must only show that in one iteration of the The lower bound is evident from Minkowski’s bound, and algorithm, we output samples that are close to Ax,α,k. Con- the upper bound comes from the fact that we have reduced the sider the smallest γ Z such that γ α2 β2. Then basis by applying the LLL algorithm. While no such upper 2 2 2c 2∈ ≥ − γ α β + n− α . And bound would exist on an arbitrary lattice, were this ratio to be ≤ − bigger than this bound, then the LLL algorithm would have 2 2 2c 2 2c α β + γ α + n α 1+ n− α. ≤ ≤ − ≤ returned exactly the shortest basis and we would have already p p 2c exactly solved the GapSVP and SIVP problems. And by Claim 5, ∆ Ψ , Ψ 2 9n− ,
which is α √β +γ ≤ negligible in n.   Standard lattice problems are formulated with coefficient C. Reducing MIMO Decoding to Standard Lattice Problems vectors that span all integers. In our definition, we have limited We now begin the main procedure of the reduction. We our constellation size. Regev in [13] introduces a variant on begin by taking the basis and applying the LLL algorithm. (M) BDD A , which we designate as BDD . This problem is ( ),d (A),d Lemma 6. We start with an arbitrary lattice A , and apply L L ( ) identical to the BDD (A),d problem, with the exception that L L the LLL algorithm to the basis A. We now the use procedure the coefficient vectors of the solution are reduced modulo given in [33] and Schnorr’s variant of LLL to get a distribution M, for arbitrary M. Regev shows that if we can solve this n log log n/ log n DL,r, for some r> 2 λn variant of the problem in polynomial time, there in fact exists a polynomial time algorithm which solves BDD (A),d in the The following lemma is the main mathematical contribution general case. Thus for further lemmas, we can ignoreL the effect of this work, and allows the MIMO oracle to be used in place of the limited constellation size. of the LWE oracle in the framework of Regev’s reduction for LWE. From Figure 3, this replacement implies that an Lemma 4. [13, Lem. 3.5]. Finding coefficients modulo M is efficient solution of the MIMO decoding problem would also sufficient. Given a lattice (A), a number d < λ1( (A)/2, provide an efficient solution for standard lattice problems. and an integer M 2,L access to an oracle whichL solves (M) ≥ We briefly restate notation defined in Section II.C: AM,α,k BDD (A),d, there exists an efficient algorithm that solves is the distribution of channel gains and the received signal L BDD (A),d. L from a single antenna in a MIMO system, and DA,α is The following lemma shows that when sufficient noise the discrete Gaussian distribution drawn over lattice A with is added to a discrete Gaussian variable, it behaves like variance proportional to α. a continuous one. This establishes a formal notion of the Lemma 7. MIMO SearchM,α,k to BDDL,r. Let α> 0, k> 0, structure of the lattice being ‘statistically hidden’ by the noise. m> 0, and M>m− 2n log log n/ log n. Assume we have access This lemma is used to show that the distribution constructed to an oracle that, for all β α, finds x given a polynomial in the proof of the main theorem is negligibly close to the ≤ number of samples from AM,β,k (without knowing β). Then distribution required by the MIMO Search oracle. − there exists an efficient algorithm that given an n-dimensional Lemma 5. [13, Cor. 3.10]. For a lattice (A), vectors lattice (A), a number r> √2η( (A)), and a target point y L L z, u Rn , and two reals r,α > 0.L Assume that within distance d < Mσα/ k2r√2 of (A), where σ is the ∈ T L 2 2 1 smallest eigenvalue of A A, returns the unique x (A) 1/ 1/r + (P/α) ηǫ(A) for some ǫ < . Then the
∈ L ≥ 2 closest to y with overwhelming probability. distributionq of z, v + e, where v is distributed according to h i DL+u,r, the norm of z is constrained to P , and e is a normal Proof: We describe a procedure that, given y, outputs a variable with zero mean and standard deviation α/√2π, is polynomial number of samples from the distribution of Dx,β,k. within total variational distance 2ǫ of a normal variable with Then, using the MIMO-Search oracle returns the closest point zero mean and standard deviation (rP )2 + α2/√2π. x = As. p 15

First, using Claim 1, sample a vector v ∗ (A) from can iterate between the BDD and the DGS oracles, shrinking ∈ L DL∗,r. We now output the Gaussian distribution with each step, to a limit, and the 1 stated standard lattice problems. kv/r, k v, A− y /rM + ke/r (19) Lemma 9. DGS to standard lattice problems. For We note that the right-hand side is equal to
L,√n/(√2d) n-dimensional lattice (A), α> 0, m> 0, k R such that 1 2 L n log log n/ log n ∈ k v, A− y /rM + ke/r = mα/k > √n, and M >m 2 . Given an oracle which solves BDD ∗ and DGS , then there exists an 1 L ,d L,√n/(√2d) kv/r, s /M + k v, A− δ /rM + ke/r h i efficient algorithm that given an n-dimensional lattice (A), L We are guaranteed that δ < r. We first note that the solves the problems GapSVPn/α and SIVPn/α. 1 k k quantity k v, A− δ /r is distributed according to DkL∗/r,ξ, where ξ < kd/σ. We note that σ relates to the maximum APPENDIX B 1 ‘skew’ that results from inverting the matrix A. Since A− δ COMPLEXITY OF LATTICE PROBLEMS is fixed for all samples, this ‘skew’ is also fixed, meaning the The security of any lattice-based cryptosystem is based on inner product v A 1 is symmetric since the distribution , − δ the presumed hardness of lattice problems. In this subsection on v is symmetric. we limit our discussion to the GapSVP and SIVP problems. We now add some noise from the distribution so that γ γ e ψα One well-known algorithm for solving lattice problems is the discrete nature of D ∗ is effectively washed out and kL /r,ξ the LLL algorithm [32]. The algorithm solves SIVP and can we are left with a distribution that is essentially Gaussian as γ be adapted to solving many other lattice problems as well. expected by the MIMO oracle. That is the distribution of the The algorithm runs in polynomial time but only achieves an noise is within negligible total variational distance of ψ for β approximation factor of O (2n). There have been a number of 2 2 . This condition will be true precisely β = ξ + α /2 < α improvements to this algorithm, such as Schnorr’s algorithm when the condition given in Lemma 5 is met. We can see that p [36] but none that achieve small approximation factors (to this holds: within even a polynomial factor of n) that run in polynomial 2 2 time. All known algorithms that return exact solutions to lattice 1/ (1/k + (√2ξ/Mα) ) k/√2 > ηǫ( ∗(kA/r)) (20) ≥ L problems in fact require a running time on the order of 2n, q Therefore, the distribution in equation 16 is the distribution see for example [11] or [12]. The hardness of these problems expected by the MIMO oracle and we can recover the vector leads to the following conjecture, stated in [3, Conj. 1.1]: x. Conjecture 1. There is no polynomial time algorithm that In order to relate the MIMO problem to standard lattice approximates lattice problems to within an approximation problems, we need the following lemma, given in [13], which factor that is within a polynomial factor of . uses a quantum computer. n Within certain approximation factors, the complexity class Lemma 8. [13, Lem. 3.14]. BDD to D ∗ . There L,α,k L ,√n/(√2d) of solving lattice problems is known. It is NP-Hard to approx- exists an efficient quantum algorithm that, given any n- imate GapSVP to within constant factors [5], [8]–[10]. For a dimensional lattice L, a number d < λ (A)/2, and an oracle 1 factor of √n, it belongs to the class NP CoNP [6], [7]. It that solves BDD , outputs a sample from D ∗ . L,d L ,√n/(√2d) should be noted that our results are based on∩ an approximation In order for the reduction to hold, we must have d > factor of n/c. While such a strong hardness result is not √n/√2, or the Gaussian distribution will actually grow in known for this regime, constructing algorithms to achieve such each iteration of the procedure. We show this in the following approximation factors within polynomial time seems to be out claim. of reach. These results are summarized in Table III. 2 Claim 7. The inequality Mσα/ k r√2 > √n/√2 is true Table III given the constraints stated in Theorem 1. HARDNESS RESULTS FOR STANDARD LATTICE PROBLEMS
2 Proof: We first set the constraint that mα/k > √n, and γ Hardness Reference thus we only require that Mσ/mr > 1. We can see this is O (1) NP-Hard [5],[8],[9],[10] true: √n<γ > 1 > 1 (21) 2 P [32],[36] mr r λn Here, the first step simply applies the bound given on M/m Another interesting result related to the hardness of lattice in Theorem 1, and the second step follows from applying the problems considers quantum computation. If a quantum com- bounds on r and σ from Lemma 7 and Claim 6. The final puter were to be realized, this could have profound implica- step follows from applying the bound in equation 13 on the tions for the field of cryptography. A quantum computer could quantity λn/λ1. efficiently factor numbers and solve the discrete-logarithm Finally, we require the following lemma from [13, Sec. 3.3], problem, which would allow for virtually all key-exchange which uses both the BDD and DGS oracles iteratively to solve protocols to be broken in polynomial time [18]. In addition, standard lattice problems. By setting d = Mσα/ k2r√2 , we algorithms such as Grover’s search algorithm could improve
16 exhaustive searches by a factor of a square root, weakening the This means that there may certain structured inputs which security of systems like AES (the Advanced Encryption Stan- may make MIMO decoding easy – for example consider dard, based on the Rijndael cipher) [17]. There are currently the case that x is sparse. Finding a solution for decoding no known quantum algorithms that perform significantly better MIMO for sparse signals, would certainly not lead to a than the best known classical algorithms. However, it should solution to approximating all lattice problems to within linear be noted that quantum algorithms are far less understood factors. A general polynomial-time algorithm that decodes all and studied than classical algorithms, and thus we have less MIMO signals under the conditions given in this paper, would, assurance that such an algorithm does not exist. We will still however lead to a solution to approximating lattice problem, state the following conjecture, given in [3, Conj. 1.2], but note and this is unlikely. that this is a weaker conjecture than Conjecture 1: Conjecture 2. There is no polynomial time quantum algo- ACKNOWLEDGEMENT rithm that approximates lattice problems to within polynomial The authors would like to thank Dan Boneh for his dis- factors. cussions on lattice-based cryptography, Martin Hellman for his comments on a preliminary version of this work, Shlomo Since we show in our main result that the hardness of Shamai for discussions regarding information-theoretic se- decoding MIMO is based on lattice problems, this implies that crecy in the context of our model, Mainak Chowdhury for MIMO decoding cannot be performed any faster on a quantum discussions on algorithms for MIMO decoding and linear computer. In more general terms, this means that lattice- codes, and Yonathan Morin for his useful discussions and based cryptography currently provides promise for efficient comments on a preliminary version of this work. constructions of classical cryptosystems that are secure against quantum computers. REFERENCES Besides being conjectured to be hard, many lattice problems have an additional property that makes them attractive to [1] J.Katz, and Y. Lindell, Introduction to Modern Cryptography. New York: Chapman & Hall/CRC, 2007. cryptographers: for certain problems, there are connections [2] M. O. Damen, H. El Gamal, and G. Caire, "On maximum likelihood between the average-case and worst-case complexities. This detection and the search for the closest lattice point", IEEE Trans. Inf. allows for the construction of systems which are based on Theory, vol. 49, no. 10, pp.2389–2402, 2003. [3] D. Micciancio and O. Regev, “Lattice-based Cryptography,” in Post- robust proofs of security. This property and its significance is Quantum Cryptography, Berlin, German: Springer Berlin/Heidelberg, described next. pp. 147–191, 2009. The worst-case complexity refers to the complexity of [4] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Boston, MA: Kluwer Academic Publishers, solving the problem for the worst possible input of a fixed Mar. 2002. size; whereas average-case complexity of a problem refers [5] M. Ajtai, “Generating hard instances of lattice problems”, Complexity to the average complexity of solving a problem given some of computations and proofs, vol. 13 of Quad. Mat., pp. 1–32, 2004. Preliminary version in STOC 1996. underlying distribution of inputs of a fixed size (typically [6] O. Goldreich and S. Goldwasser. On the limits of nonapproximability of uniformly random over all possible inputs). A worst-to-average lattice problems. Journal of Computer and System Sciences, 60(3):540- case reduction gives a distribution of inputs for which the 563, 2000. Preliminary version in STOC 1998. [7] D. Aharonov and O. Regev. Lattice problems in NP intersect coNP. J. average complexity of solving a problem is as hard as the of the ACM, 52(5):749–765, 2005. Preliminary version in FOCS 2004. worst case complexity (potentially of a different problem). The [8] S. Khot. Hardness of approximating the shortest vector problem in connections between worst- and average-case complexity of lattices. In Proc. 45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages 126–135, 2004. certain lattice problems was first found by Ajtai [5]. Ajtai con- [9] I. Haviv and O. Regev. Tensor-based hardness of the shortest vector structed a function that is one-way (that is, it can be computed problem to within almost polynomial factors. In Proc. 39th ACM Symp. in polynomial time, but is hard to invert) on average based on Theory of Computing (STOC), pp. 469–477, 2007. [10] D. Micciancio. The shortest vector in a lattice is hard to approximate to on the worst-case hardness of lattice problems. This result within some constant. SIAM J. on Computing, 30(6): 2008–2035, 2001. was used by Ajtai and Dwork to construct a cryptosystem [11] D. Micciancio, and P. Voulgaris, Faster exponential time algorithms for [35]. These worst-to-average case reductions were extended the shortest vector problem. Proc. of the Twenty-First Annual ACM- SIAM Symp. on Discrete Algorithms, pages 1468–1480, 2010. by many, but most important to this paper is the reduction [12] M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest found in [34]. lattice vector problem. In Proc. of the ACM Symp. on the Theory of Basing cryptographic systems on problems where a worst- Computing, number 33, pages 601-610, 2001. [13] O. Regev, “On lattices, learning with errors, random linear codes, and to-average case reduction exists is an extremely strong guar- cryptography”, Proc. 37th ACM Symp. on Theory of Computing (STOC), antee of security. It means that it is at least as hard to break pp. 84–93, 2005. the cryptosystem as it is to solve any instance of the related [14] R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of problems. Such a strong guarantee is not provided by most the ACM 21 (2): 120–126, 1978. cryptosystems today. For example, breaking a cryptosystem [15] W. Diffie, and M. Hellman, "New directions in cryptography". IEEE that is based on factoring (e.g. RSA) only implies a solution Transactions on Information Theory 22 (6): 644–654, 1976. [16] M. A. Nielson and I. L. Chuang. Quantum Computation and Quantum to factoring numbers of a specific form; namely, the specific Information. Cambridge, MA: Cambridge Univ. Press, 2000. form used to generate RSA keys and not a solution to worst- [17] L. K. Grover. Quantum mechanics helps in searching for a needle in a case factoring problems. haystack. Phys. Rev. Lett., 79(2):325, 1997. [18] P. W. Shor. Polynomial-time algorithsm for prime factorization Our scheme does not have an average-to-worst case reduc- and discrete logarithms on a quantum computer. SIAM J. Comp., tion, and it is not clear that such a reduction is possible. 26(5):1484–1509, 1997. 17

[19] C. E. Shannon, "Communication theory of secrecy systems", Bell Syst. [49] S. Goldwater and S. Micali. Probabilistic encryption. J. of Comp. and Tech. J., vol. 28, pp.656–715, 1949. Syst. Sciences, no. 2, pages 270–299, 1984. [20] A. D. Wyner, "The wire-tap channel", Bell Syst. Tech. J., vol. 54, [50] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm pp.1355–1387, 1975. for designing efficient protocols. In First ACM Conference on Computer [21] A. Mukherjee, S. A. A. Fakoorian, J. Huang and A. L. Swindlehurst, and Communications Security, pages 62–73, 1993. “Principles of physical-layer security in multiuser wireless networks: [51] R. Ahlswede and I. Csiszàr. “Common Randomness in Information survey”, Commun. Surveys Tuts, 16 (3): 1550–1573, 2010. Theory and Cryptography–Part I: Secret Sharing”. IEEE Trans. Inf. [22] T. Shimizu , H. Iwai , H. Sasaoka and A. Paulraj, "Secret key agreement Theory vol. 39, no. 4, pp.1121–1132, 1993. based on radio propagation characteristics in two-way relaying systems", [52] L. Babai. On Lovasz’ lattice reducition and the nearest lattice point Proc. 2010 IEEE Global Commun. Conf., pp.1–6, 2010. problem. Combinatorica, 6(1):1–13, 1986. [23] W. Trappe, “The Challenges Facing Physical Layer Security,” IEEE [53] D. Micciancio and M. Walter. Practical, predictable lattice basis reduc- Commun. Mag., pp. 16–20, June, 2015. tion. In Proc. of EUROCRYPT, volume 9665 of LNCS, page 1123. [24] C. Peikert, “Public-Key Cryptosystems from the Worst-Case Shortest Springer, 2016. Vector Problem”, Proceedings of the 41st annual ACM symposium on [54] M. Rudelson and R. Vershynin. “Non-asymptotic theory of random ma- Theory of computing, pp. 333–342, 2009. trices: extreme singular values.” \emph{arXiv preprint} arXiv:1003.2990 [25] A. Goldsmith, Wireless Communications. Cambridge, MA: Cambridge (2010). Univ. Press, 2004. [55] R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random generation from [26] A. Edelman and N. Rao, "Random matrix theory", Acta Numerica, vol. one-way functions (extended abstract). In STOC, pages 12–24, 1989. 14, pp.233–297, 2005. [56] R. Steinfeld and A. Sakzad. On Massive MIMO Physical Layer Cryp- [27] S. Arora, and R. Ge, "New algorithms for learning in presence of errors." tosystem. Preprint, arXiv:1507.08015, 2015. In Automata, Languages and Programming, pages 403–415, 2011. [57] Y. Ishai, Amit Sahai, and D. Wagner. Private circuits: Securing hardware [28] R. H. Clarke, “A statistical theory of mobile radio reception,” Bell against probing attacks. In CRYPTO, pages 463–481, 2003. Systems Tech. J., pp. 957–1000, July/August 1968. [58] S. Micali and L. Reyzin. Physically observable cryptography (extended [29] W. C. Jakes, Jr., Microwave Mobile Communications, Wiley, New York, abstract). In TTC, pages 278–297, 2004. 1974. [30] Y. Mohasseb and M. P. Fitz, “A 3-D spatio-temporal simulation model for wireless channels,” IEEE J. Sel. Areas Commun., pages 1193–1203, August 2002. [31] R. Ertel, P. Cardieri, K. W. Sowerby, T. Rappaport, and J. H. Reed, “Overview of spatial channel models for antenna array communication systems,” IEEE Per. Commun. Mag., pp. 10–22, February, 1998. [32] A. Lenstra, H. Lenstra, Jr., and L. Lovasz, “Factoring polynomials with rational coefficients”, Math. Ann., vol. 261, no. 4, pp. 515–534, 1982. [33] C. Gentry, C. Peikert, and V. Vaikuntanathan. “Trapdoors for hard lattices and new cryptographic constructions”, Proc. 38th Annual ACM Symp. on Theory of Computing (STOC), pages 197–206, 2008. [34] D. Micciancio and O. Regev, “Worst-case to average-case reductions based on Gaussian measures”, SIAM J. of Computing, vol. 37,no. 1, pp. 267–302, 2007. [35] M. Ajtai and C. Dwork. “A public-key cryptosystem with worst- case/average-case equivalence”, Proc. 29th Annual ACM Symp. on Theory of Computing (STOC), pp. 284–293, 1997. [36] C. P. Schnorr. “Factoring integers and computing discrete logarithms via Diophantime approximation”, Advances in comptutational complexity, pages 171–182, 1987. [37] R. El Bansarkhan, and J. Buchmann. "Improvement and efficient im- plementation of a lattice-based signature scheme," Selected Areas in Cryptography–SAC 2013. Springer Berlin Heidelberg, 2014. 48–67. [38] IEEE Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices, 1363.1-2008 - 2009. [39] Lattice-Based Polynomial Public Key Establishment Algorithm for the Financial Services Industry, ANSI X9.98-2010, 2010. [40] V. Lyubashevsky, C. Peikert, and O. Regev. "On ideal lattices and learning with errors over rings", Advances in Cryptology–EUROCRYPT 2010. Springer, Heidelberg, pp. 1–23, 2010. [41] D. Boneh, E. Goh, and X. Boyen, “Hierarchical Identity Based En- cryption with Constant Size Ciphertext”, Proc. of Eurocrypt ’05, LNCS 3493, pages 440–456, 2005. [42] C. Peikert, V. Vaikuntanathan, and B. Waters, “A framework for efficient and composable oblivious transfer”, in Proc. of CRYPTO ’08, 2008, pp. 554–571. [43] D. Micciancio, and S. P. Vadhan. “Statistical zero-knowledge proofs with efficient provers: Lattice problems and more”. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). [44] A. Banerjee, C. Peikert, and A. Rosen. “Pseudorandom functions and lattices”, Proc. of CRYPTO ’12: 719-737. [45] C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. disserta- tion, Dept. of Comp. Sci., Stanford Univ., Stanford, CA, 2009. [46] V. Shoup. “OAEP Reconsidered.” Annual International Cryptology Conf. Springer Berlin Heidelberg, 2001. [47] M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Ad- vances in Cryptology—Eurocrypt ’94, pages 92–111, 1994. [48] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In Advances in Cryptology–Crypto ’98, pages 26–45, 1998.