Robustness of the Learning with Errors Assumption

Shaﬁ Goldwasser1 Yael Kalai2 Chris Peikert3 Vinod Vaikuntanathan4 1MIT and the Weizmann Institute 2Microsoft Research 3Georgia Institute of Technology 4IBM Research shaﬁ@csail.mit.edu [email protected] [email protected] [email protected]

Abstract: Starting with the work of Ishai-Sahai-Wagner and Micali-Reyzin, a new goal has been set within the theory of cryptography community, to design cryptographic primitives that are secure against large classes of side-channel attacks. Recently, many works have focused on designing various cryptographic primitives that are robust (retain security) even when the secret key is “leaky”, under various intractability assumptions. In this work we propose to take a step back and ask a more basic question: which of our cryptographic assumptions (rather than cryptographic schemes) are robust in presence of leakage of their underlying secrets? Our main result is that the hardness of the learning with error (LWE) problem implies its hardness with leaky secrets. More generally, we show that the standard LWE assumption implies that LWE is secure even if the secret is taken from an arbitrary distribution with sufficient entropy, and even in the presence of hard-to-invert auxiliary inputs. We exhibit various applications of this result. 1. Under the standard LWE assumption, we construct a symmetric-key encryption scheme that is robust to secret key leakage, and more generally maintains security even if the secret key is taken from an arbitrary distribution with sufficient entropy (and even in the presence of hard-to-invert auxiliary inputs). 2. Under the standard LWE assumption, we construct a (weak) obfuscator for the class of point functions with multi-bit output. We note that in most schemes that are known to be robust to leakage, the parameters of the scheme depend on the maximum leakage the system can tolerate, and hence the efficiency degrades with the maximum anticipated leakage, even if no leakage occurs at all! In contrast, the fact that we rely on a robust assumption allows us to construct a single symmetric-key encryption scheme, with parameters that are independent of the anticipated leakage, that is robust to any leakage (as long as the secret key has sufficient entropy left over). Namely, for any k < n (where n is the size of the secret key), if the secret key has only entropy k, then the security relies on the LWE assumption with secret size roughly k. Keywords: Leakage-resilient Cryptography, Learning with Errors, Symmetric-key Encryption, Pro- gram Obfuscation.

1 Introduction modeled as a Turing machine (whose description is known to all) initialized with a secret key. Ad- The development of the theory of cryptogra- versarial entities, modeled as arbitrary (probabilis- phy, starting from the foundational work in the tic) polynomial-time machines have input/output early 80’s has led to rigorous definitions of se- access to the algorithm. The requirement is that it curity, mathematical modeling of cryptographic is infeasible for any such adversary to “break” the goals, and what it means for a cryptographic al- system at hand. The (often implicit) assumption in gorithm to achieve the stated security goals. such a definition is that the secret keys used by the A typical security definition builds on the fol- algorithm are perfectly secret and chosen afresh for lowing framework: a cryptographic algorithm is

1 the algorithm. In practice, however, information problem is 2k-hard (for some k > 0) directly im- about keys does get compromised for a variety of plies its security in the presence of roughly k bits reasons, including: various side-channel attacks, of leakage.1 However, in practice, what is inter- the use of the same secret key across several ap- esting is a cryptographic assumption that is secure plications, or the use of correlated and imperfect against leakage of a constant fraction of its secret. sources of randomness to generate the keys. In The problem with the above approach is that it short, adversaries in the real world can typically fails this goal, since none of the cryptographic as- obtain information about the secret keys other than sumptions in common use are 2O(N)-hard to break through the prescribed input/output interface. (where N is the length of the secret key). In recent years, starting with the work of Thus, most of the recent work on leakage- Ishai, Sahai and Wagner [19] and Micali and resilient cryptography focuses on constructing Reyzin [21], a new goal has been set within the cryptographic schemes whose leakage-resilience theory of cryptography community to build gen- can be reduced to standard cryptographic assump- eral theories of security in the presence of infor- tions such as the polynomial hardness of problems mation leakage. A large body of work has accu- based on factoring, discrete-log or various lattice mulated by now (see [1, 3, 6, 8, 12–14, 14, 16, 19, problems, or in some cases, general assumptions 21, 22, 25, 26, 28] and the references therein) in such as the existence of one-way functions. which security against different classes of informa- However, a question that still remains is: Which tion leakage has been deﬁned, and different crypto- of the (standard) cryptographic assumptions are graphic primitives have been designed to provably themselves naturally “robust to leakage”. Speciﬁ- withstand these attacks. A set of works particularly cally: relevant to our work are those that design crypto- • Is it hard to factor an RSA composite N = graphic primitives which are “robust” in the fol- pq (where p and q are random n-bit primes) lowing sense: they remain secure even in the pres- given arbitrary, but bounded, information ence of attacks which obtain arbitrary polynomial- about p and q? time computable information about the secret keys, • Is it hard to compute x given gx (mod p), as long as “the secret key is not fully revealed” where p is a large prime and x is uniformly (either information theoretically or computation- random given arbitrary, but bounded, infor- ally) [1, 11, 12, 20, 22]. mation about x? In this paper, we turn our attention to the notion As for factoring with leakage, there are known of robust cryptographic assumptions rather than negative results: a long line of results starting from robust cryptographic constructions. the early work of Rivest and Shamir [29] show how to factor N = pq given a small fraction of the Robustness of Cryptographic Assumptions bits of one of the factors [10, 17]. Similar nega- Suppose one could make a non-standard as- tive results are known for the RSA problem, and sumption of the form “cryptographic assumption the square-root extraction problem. A holds even in the presence of arbitrary leakage As for the discrete-logarithm problem with leak- of its secrets”. An example would be that the fac- age, it could very well be hard. In fact, an assump- toring problem is hard even given partial information of this nature has been put forward by Canetti tion about the prime factors. Once we are at liberty and used to construct an obfuscator for point func- to make such an assumption, the task of coming tions [7], and later to construct a symmetric en- up with leakage-resilient cryptographic algorithms cryption scheme that is robust to leakage [9]. How- becomes substantially easier. However, such as- ever, we do not have any evidence for the validity sumptions are rather unappealing, unsubstantiated of such an assumption, and in particular, we are and sometimes (as in the case of factoring) even far from showing that a standard cryptographic as- false! (See below.) sumption implies the discrete-log assumption with In addition, it is often possible to show that a leakage. quantitatively stronger hardness assumption translates to some form of leakage-resilience. For ex- 1It is worth noting that such an implication is not entirely ample, the assumption that the discrete logarithm obvious for decisional assumptions.

2 Recently, Dodis, Kalai and Lovett [12] consider Our second contribution is a symmetric-key en- this question in the context of the learning parity cryption scheme with a graceful degradation of se- with noise (LPN) problem. They showed that the curity. The construction is based on the LWE as- LPN assumption with leakage follows from a re- sumption, and uses the fact that the LWE assump- lated, but non-standard assumption they introduce, tion is robust to leakage. (See Section 1.1 and The- called the learning subspaces with noise (LSN) as- orem 2 below for details.) sumption. Our final contribution is a (weak) obfuscator for In light of this situation, we ask: the class of point functions with multi-bit output with a graceful degradation of security. (See Sec- Is there a standard cryptographic tion 1.1 and Theorem 3 below for details.) assumption that is robust with leakage? Our first contribution is to show that the learn- 1.1 Our Results and Techniques ing with errors (LWE) assumption [27] that The learning with error (LWE) problem, intro- has recently gained much popularity (and whose duced by Regev [27] is a generalization of the average-case complexity is related to the worst- well-known “learning parity with noise” problem. case complexity of various lattice problems) is in For a security parameter n, and a prime number q, n fact robust in the presence of leakage (see Sec- the LWE problem with secret s ∈ Zq is defined as tion 1.1 and Theorem 1 below for details). follows: given polynomially many random, noisy Leakage versus Efficiency linear equations in s, find s. More precisely, given n Typically, the way leakage-resilient crypto- (ai, hai, si + xi), where ai ← Zq is uniformly graphic primitives are designed is as follows: first, random, and xi is drawn from a “narrow error dis- the designer determines the maximum amount of tribution”, the problem is to find s. The decisional leakage he is willing to tolerate. Then, the scheme version of LWE is to distinguish between polyno- is designed, and the parameters of the scheme mially many LWE samples {(ai, hai, si+xi)} and (and hence its efficiency) depend on the maxi- uniformly random samples. Typically, the LWE mum amount of leakage the scheme can tolerate. problem is considered with a Gaussian-like error The more this quantity is, the less efficient the distribution (see Section 2 for details). For nota- scheme becomes. In other words, the efficiency tional convenience, we use a compact matrix no- of the scheme depends on the maximum antici- tation for LWE: we will denote m samples from pated amount of leakage. In cases where there is the LWE distribution compactly as (A, As + x), no leakage at all in a typical operation of the sys- where A is an m-by-n matrix over Zq. tem, this is grossly inefficient. To our knowledge, Our confidence in the LWE assumption stems all known leakage-resilient cryptographic schemes from a worst-case to average-case reduction of that rely on standard assumptions follow this de- Regev [27], who showed that the (average-case, sign paradigm. search) LWE problem is (quantumly) as hard as the In contrast, what we would like is a scheme approximation versions of various standard lattice whose security, and not efficiency, degrades with problems in the worst-case. Furthermore, the de- the actual amount of leakage. In other words, we cisional and search LWE problems are equivalent would like to design a single scheme whose se- (up to polynomial in q factors). curity with different amounts of leakage can be 1.1.1 LWE with Weak Secrets proven under a (standard) cryptographic assump- We prove that the LWE assumption is robust to tion, with degraded parameters. The larger the leakage. More generally, we prove that it is robust leakage, the stronger the security assumption. In to weak keys and to auxiliary input functions that other words, the amount of leakage never shows are (computationally) hard to invert. Namely, we up in the design phase, and comes up only in the show that (for some setting of parameters) the stan- proof of security. We call this a “graceful degrada- dard LWE assumption implies that LWE is hard tion of security”. This leads us to ask: even if the secret s is chosen from an arbitrary Are there cryptosystems that exhibit a distribution with sufficient min-entropy, and even graceful degradation of security? given arbitrary hard-to-invert auxiliary input f(s).

3 For the sake of clarity, in the introduction we fo- matrix with rank at most ` (and exactly ` if both B cus on the case that the secret s is distributed ac- and C are full rank). The LWE distribution then cording to an arbitrary distribution with sufficient becomes min-entropy, and defer the issue of auxiliary input to the body of the paper (though all our theorems As + x = B · (Cs) + x hold also w.r.t. auxiliary inputs). 3 We show that if the modulus q is any super- At this point, we use the leftover hash lemma, polynomial function of n, then the LWE assump- which states that matrix multiplication over Zq tion with weak binary secrets (i.e., when the se- (and in fact, any universal hash function) acts as cret s is distributed according to an arbitrary dis- a (strong) randomness extractor. In other words, tribution over {0, 1}n with sufficient min-entropy) Cs is statistically close to a uniformly random vec- follows from the standard LWE assumption. More tor t (even given C). Now, Bt + x is exactly the specifically, we show that the LWE assumption LWE distribution with a uniformly random secret where the secret s is drawn from an arbitrary weak t which, by the LWE assumption with security pa- source with min-entropy k over {0, 1}n is true, rameter `, is pseudorandom. It seems that we are assuming the LWE assumption is true with uni- done, but that is not quite the case. ` The problem is that B · C does not look any- form (but smaller) secrets from Zq, where ` = thing like a uniformly random m-by-n matrix; it is k−ω(log n) . Namely, we reduce the LWE assump- log q in fact easily distinguishable from the uniform dis- tion with weak keys to the standard LWE assump- tribution. At first, one may be tempted to simply tion with “security parameter” `. A caveat is that change the LWE assumption, by choosing A = we need to assume that the (standard) LWE as- B · C as above, rather than a random m-by-n ma- sumption is true with a super-polynomial mod- trix. The problem with this approach is that if C ulus q, and a super-polynomially small “error- is fixed then the min-entropy of the secret s may rate”. Translated into the worst-case regime us- depend on C, in which case we cannot use the left- ing Regev’s worst-case to average-case reduction, over hash lemma and claim that C · s is uniformly the assumption is that standard lattice problems distributed. On the other hand, if C is chosen at are (quantumly) hard to approximate with quasi- random each time, then we essentially reduced the polynomial time and within quasi-polynomial fac- problem of LWE with weak keys, to the problem tors.2 to LWE with related secrets C1s,... Cts, where Theorem 1 (Informal). For any super-polynomial C1,..., Ct are known. modulus q = q(n), any k ≥ log q, and any dis- We take a different approach: we use the LWE n assumption to “hide” the fact that B · C is not a tribution D = {Dn}n∈N over {0, 1} with min- entropy k, the (non-standard) LWE assumption, full-rank matrix. More precisely, we claim that where the secret is drawn from the distribution D, the matrix B · C + Z, where Z is chosen from follows from the (standard) LWE assumption with the LWE error distribution, is computationally indistinguishable from a uniformly random matrix secret size ` k−ω(log n) (where the “error-rate” , log q A ∈ m×n. This is simply because each col- is super-polynomially small and the adversaries Zq umn B · ci + zi can be thought of as a bunch of run in time poly(n)). ` LWE samples with “secret” ci ∈ Zq. By the LWE We sketch the main ideas behind the proof of assumption with security parameter `, this looks this theorem. Let us first perform a mental ex- random to a polynomial-time observer. This tech- periment where the matrix A in the definition of nique was used in the work of Alekhnovitch [2] in the LWE problem is a non-full-rank matrix. i.e, the context of learning parity with noise, and was m×` `×n later used in a number of works in the context of A = B · C where B ← Zq and C ← Zq are uniformly random; this is a uniformly random the LWE assumption [24, 27]. An astute reader might have noticed that intro- 2By taking q to be smooth, and following an argument ducing this trick in fact undid the “extraction” ar- from [23], our assumption translates to the assumption that standard lattice problems are (quantumly) hard to approximate 3In the regime of auxiliary inputs, we use the Goldreich- in polynomial time and within super-polynomial factors. Levin theorem over Zq from the recent work of [11].

4 gument. In particular, now one has to consider The secret-key is a uniformly random vector s ← {0, 1}n. To encrypt a message w ∈ {0, 1}m, the (B · C + Z)s + x = (B · Cs) + Zs + x encryption algorithm computes Indeed, B · Cs + x = Bt + x by itself is pseu- E (w) = (A, As + x + q/2 · w) dorandom (as before), but is not necessarily pseu- s dorandom after the addition of the correlated Zs m×n where A ∈R Zq and each component of x is component. We mitigate this problem by using the drawn from the error distribution. To decrypt a ci- following elementary property of a Gaussian dis- phertext (A, y) using the secret-key s, the decryp- tribution: shifting a Gaussian distributed random tion algorithm computes y − As and it deciphers variable by any number that is super-polynomially each coordinate i ∈ [m] separately, as follows: If smaller than its standard deviation results in dis- the i’th coordinate of y − As is close to q/2 (i.e., tribution that is statistically close to the original 3q 5q between 8 and 8 ) then it deciphers the i’th coor- Gaussian distribution. Thus, if we set each entry of dinate of the message to be 1. If the i’th coordinate Z to be super-polynomially smaller than the stan- q of y−As is close to 0 or q (i.e., is smaller than 8 or dard deviation of x and choose s ∈ {0, 1}n, we 7q larger than 8 ) then it deciphers the i’th coordinate see that Zs + x is distributed statistically close to of the message to be 0. Otherwise, it outputs ⊥. a Gaussian. Namely, the noise x “eats up” the cor- The ciphertext corresponding to a message related and troublesome term Zs. This is where w consists of polynomially many samples from the restrictions of the LWE secret s being binary, the LWE distribution with secret s, added to the as well as q being super-polynomial and the noise- message vector. Robustness of LWE means that rate being negligibly smaller than q come into play. the ciphertext is pseudorandom even if the secret 1.1.2 Applications key is chosen from an arbitrary distribution with min-entropy k (assuming that the standard LWE Our main result has several applications. ` We construct an efficient symmetric encryption assumption holds with secrets drawn from Zq scheme secure against chosen plaintext attacks, where ` = (k − ω(log n))/ log q). The same even if the secret key is chosen from an arbitrary argument also shows that the scheme is secure distribution with sufficient min-entropy (and even in the presence of computationally uninvertible in the presence of arbitrary hard-to-invert auxil- auxiliary input functions of s. iary input). We also construct an obfuscator for the class of point functions with multi-bit output Finally, we use a very recent work Canetti et. al. [9], that shows a tight connection between se- I = {I(K,M)}, that is secure w.r.t. any distribution with sufficient min-entropy. A point function cure encryption w.r.t. weak keys and obfuscation of point functions with multi-bit output. The se- with multi-bit output is a function I(K,M) that al- ways outputs ⊥, except on input K in which it out- curity definition that they (and we) consider is a puts M. Both of these results rely on the standard distributional one: Rather than requiring the ob- LWE assumption. fuscation to be secure w.r.t. every function in the class, as defined in the seminal work of [5], se- Theorem 2 (Informal). For any super-polynomial curity is required only when the functions are dis- q = q(n) there is a symmetric-key encryption tributed according to a distribution with sufficient scheme with the following property: For any k ≥ min-entropy. Using this connection, together with log q, the encryption scheme is CPA-secure when our encryption scheme described above, we get the the secret-key is drawn from an arbitrary distribu- following theorem. tion with min-entropy k. The assumption we rely on is the (standard) LWE assumption with a secret Theorem 3 (Informal). There exists an obfusca- k−ω(log n) tor for the class of point functions with multi-bit of size ` , log q (where the “error-rate” is super-polynomially small and the adversaries run output under the (standard) LWE assumption. in time poly(n)). 1.2 Related Work The encryption scheme is simple, and similar There is a long line of work that considers vari- versions of it were used in previous works [4, 12]. ous models of leakage [1, 3, 8, 9, 11, 11, 12, 14, 14,

5 16, 19–22, 25, 26]. Still, most of the schemes that their scheme entails increasing the modulus q cor- are known to be resilient to leakage suffer from respondingly. Roughly speaking, to obtain robust- the fact that the parameters of the scheme depend ness against a leakage of (1 − ) fraction of the se- on the maximum anticipated leakage, and thus cret key, the modulus has to be at least n1/ (where they are inefficient even in the absence of leakage! n is the security parameter). In short, the scheme There are a few exceptions. For example, the work does not degrade gracefully with leakage (much of [7, 9] exhibit a symmetric encryption scheme like the later works of [11, 22]). In fact, construct- that is based on a leakage-resilient DDH assump- ing a public-key encryption scheme with a graceful tion, which says that DDH holds even if one of degradation of security remains a very interesting its secrets is taken from an arbitrary distribution open question. with sufficient min-entropy. We also mention several results in the continual-leakage model which 2 Preliminaries rely on exponential hardness assumptions [14, 26]. We emphasize that all these examples rely on non- We will let n denote the main security parameter standard assumptions. throughout the paper. The notation X ≈c Y (resp. The work of Katz and Vaikuntanathan [20] con- X ≈s Y ) means that the random variables X and structs signature schemes that are resilient to leak- Y are computationally indistinguishable (resp. sta- age. They, similarly to us, “push” the leak- tistically indistinguishable). age to the assumption level. To construct their 2.1 Learning with Errors (LWE) signature schemes, they use the observation that any collision-resistant hash function (and even a The LWE problem was introduced by universally one-way hash function) is a leakage- Regev [27] as a generalization of the “learn- resilient one-way function. In other words, they ing noisy parities” problem. Let T = R/Z be use the fact that if h is collision-resistant, then the reals modulo 1, represented by the interval h(x) is hard to invert even given some partial in- [0, 1). For positive integers n and q ≥ 2, a n formation about the pre-image x. This can be in- vector s ∈ Zq , and a probability distribution φ n terpreted as saying that the collision-resistant hash on R, let As,φ be the distribution over Zq × T n function assumption is a robust assumption. obtained by choosing a ∈ Zq uniformly at random and an error term x ← φ, and outputting This differs from our work in several ways. The (a, b = ha, si/q + x) ∈ n × . most significant difference is that we show that Zq T We also consider a discretized version of the pseudorandomness (and not only one-wayness) of LWE distribution. For a distribution φ over and the LWE distribution is preserved in the pres- R an (implicit) modulus q, let χ = φ¯ denote the ence of leakage. This enables us to construct distribution over obtained by drawing x ← φ various cryptographic objects which we do not Z and outputting bq · xe. The distribution A over know how to construct with the [20] assump- s,χ n × is obtained by choosing a ∈ n uni- tion. We mention that, whereas the [20] obser- Zq Zq Zq formly at random, an error term x ← χ, and out- vation follows by a straightforward counting ar- putting (a, b = ha, si+x), where all operations are gument, our proof requires non-trivial computa- performed over . (Equivalently, draw a sample tional arguments: roughly speaking, this is be- Zq (a, b) ← A and output (a, bb · qe) ∈ n × .) cause the secret s is uniquely determined (and s,φ Zq Zq thus has no information-theoretic entropy) given Definition 1. For an integer q = q(n) and an er- the LWE samples (A, As + x). Thus, we have to ror distribution φ = φ(n) over T, the (worst-case, employ non-trivial computational claims to prove search) learning with errors problem LWEn,q,φ in our statements. n dimensions is: given access to arbitrarily many Finally, we would like to contrast our results independent samples from As,φ, output s with non- with those of Akavia et al. [1], who show that negligible probability. The problem for discretized the public-key encryption scheme of Regev [27] χ = φ¯ is defined similarly. based on LWE is in fact leakage-resilient. Un- The (average-case) decision variant of the LWE fortunately, achieving larger and larger leakage in problem, denoted DLWEn,q,φ, is to distinguish,

6 n with non-negligible advantage given arbitrarily Lemma 1. Let D be a distribution over Zq with many independent samples, the uniform distribu- min-entropy k. For any > 0 and ` ≤ (k − n tion over Zq ×T from As,φ for a uniformly random 2 log(1/) − O(1))/ log q, the joint distribution of n `×n (and secret) s ∈ Zq . The problem for discretized (C, C · s) where C ← Zq is uniformly random ¯ n χ = φ is defined similarly. and s ∈ Zq is drawn from the distribution D is - `×n ` close to the uniform distribution over Zq × Zq. In this work, we are also concerned with the average-case decision LWE problem where the secret s is drawn from a distribution D 2.3 Goldreich-Levin Theorem over Zq n over Zq (which may not necessarily be the uni- We also need a “computational version” of form distribution). We denote this problem by the leftover hash lemma, which is essentially a DLWEn,q,φ(D). Goldreich-Levin type theorem over Zq. The origi- Observe that simply by rounding, the nal Goldreich-Levin theorem proves that for every DLWEn,q,χ(D) problem is no easier than the uninvertible function h, hc, si (mod 2) is pseudo- ¯ DLWEn,q,φ(D) problem, where χ = φ. random, given h(s) and c for a uniformly random n We are primarily interested in the LWE prob- c ∈ Z2 . Dodis et al. [11] (following the work lems where the error distribution φ is a Gaussian. of Goldreich, Rubinfeld and Sudan [15]) show the For any α > 0, the density function of a one- following variant of the Goldreich-Levin theorem dimensional Gaussian probability distribution over over a large field Zq. 2 R is given by Dα(x) = exp(−π(x/α) )/α. We write LWEn,q,α as an abbreviation for LWEn,q,D . Lemma 2. Let q be prime, and let H be any poly- α n ∗ It is known [4, 23, 27] that for moduli q of a cer- nomial size subset of Zq. Let f : H → {0, 1} tain form, the (average-case decision) DLWEn,q,φ be any (possibly randomized) function. Let C ← `×n problem is equivalent to the (worst-case search) Zq be uniformly random and s be drawn from n LWEn,q,φ problem, up to a poly(n) factor in the the distribution D over H . number of samples used. In particular, this equiv- If there is a PPT algorithm A that distinguishes alence holds for any q that is a product of suffi- between (C, Cs) and the uniform distribution over ciently large poly(n)-bounded primes. the range given h(s), then there is a PPT algorithm ` Evidence for the hardness of LWEn,q,α fol- B that inverts h(s) with probability roughly 1/(q · lows from results of Regev [27] and Peikert [23], poly(n, 1/)). who (informally speaking) showed that solving h 1/q2` LWEn,q,α (for appropriate parameters) is no eas- In other words, if is (roughly) -hard ier than solving approximation problems on n- to invert (by polynomial-time algorithms), then (C, C · s) is pseudorandom given h(s). dimensional lattices in the worst case. More√ precisely, under the hypothesis that q ≥ ω( n)/α, ˜ these reductions obtain O(n/α)-factor approxima- 3 LWE with Weak Secrets tions for various worst-case lattice problems. (We refer the reader to [23, 27] for the details.) Note In this section, we show that if the modulus q that if q 1/α, then the LWEn,q,α problem is is some super-polynomial function of n, then the trivially solvable because the exact value of each LWE assumption with weak binary secrets (i.e., ha, si can be recovered (with high probability) when the secret s is distributed according to an from its noisy version simply by rounding. arbitrary distribution over {0, 1}n with sufficient min-entropy) follows from the standard LWE as- 2.2 Leftover Hash Lemma sumption. More specifically, let s ∈ {0, 1}n be Informally, the leftover hash lemma [18] states any random variable with min-entropy k, and let that any universal hash function acts as a random- q = q(n) ∈ 2ω(log n) be any super-polynomial ness extractor. We will use a variant of this state- function in n. Then, we show that for every m = ment applied to a particular universal hash func- poly(n), tion, i.e, matrix multiplication over Zq. In particular: (A, As + x) ≈c (A, u),

7 m×n m m where A ∈R Zq , x ← Ψβ and u ← Zq . We duction of Peikert [23] that uses a modulus q of a show this statement under the (standard) LWE as- special form. sumption with the following parameters: The se- k−ω(log n) 3.1 Proof of Theorem 4 cret size is ` , log q , the number of examples remains m, and the standard deviation of the In the proof of Theorem 4 we rely on the follow- noise is any γ such that γ/β = negl(n). An exam- ing lemma, which was proven in [11]. ple of a parameter setting that achieves the latter is Lemma 3. Let β > 0 and q ∈ . β = q/poly(n) and γ = poly(n). Z 1. Let y ← Ψβ. Then√ with overwhelming prob- Theorem 4. Let n, q ≥ 1 be integers, let D be ability, |y| ≤ βq · n. any distribution over {0, 1}n having min-entropy 2. Let y ∈ Z be arbitrary. The statistical dis- at least k, and let α, β > 0 be such that α/β = tance between the distributions Ψβ and Ψβ + k−ω(log n) y is at most |y|/(βq). negl(n). Then for any ` ≤ log q , there is a PPT reduction from DLWE`,q,α to DLWEn,q,β(D). Proof. Fix any q, m, k, `, β, γ as in the statement theorem. We define the distribution Dγ , as fol- m×` `×n Remark 1. When converting the non-standard ver- lows: Let B ← Zq and C ← Zq be uni- sion of the LWE assumption to the standard LWE m×n formly random and Z ← Ψγ . Output the ma- assumption we lose in two dimensions. The first trix A0 = BC + Z. The following claim about the k−ω(log n) is that the secret size becomes ` , log q distribution Dγ is then immediate: rather than n. This loss seems to be inevitable Claim 1. Under the LWE Assumption, A0 since in the non-standard assumption, although the `,m,q,γ is computationally indistinguishable from uniform secret s was in {0, 1}n, it had only k bits of en- in m×n. tropy, so when converting this assumption to the Zq standard LWE assumption is seems like we can- Claim 1 implies that it suffices to prove that not hope to get a secret key with more than k bits 0 0 0 of entropy, which results with the key size being (A , A s + x) ≈c (A , u). at most k/ log q. We remark that the dimension ` can be increased to O(k − ω(log n)) (thus making Note that the underlying LWE assumption weaker) by con- 0 n A s + x = (BC + Z)s + x = BCs + Zs + x. sider secrets s over Zq (rather than binary secrets). This modification makes the proof of the theorem Thus, it suffices to prove that a bit more cumbersome, and hence we choose not to present it. (BC + Z, BCs + Zs + x) ≈c (BC + Z, u). Another dimension in which we lose is in the error distribution. The standard deviation of the We prove the stronger statement that error distribution becomes γ which is negligibly small compared to the original standard deviation (B, C, Z, BCs + Zs + x) ≈c (B, C, Z, u). (1) β. This loss which does not seem to be inherent, The first item of Lemma 3 implies that with and seems to be a byproduct of our proof, induces overwhelming probability each entry of Z is of the restriction on q to be super-polynomial in n. √ size at most γq · n. This implies that, with Remark 2. The analogous statement for the search overwhelming probability (over Z), for every s ∈ version of LWE follows immediately from The- {0, 1}n each coordinate of Zs is of size at most γq· orem 4 and the search to decision reduction for n. Let x0 be a random variable distributed accord- m LWE. However, doing so naively involves relying ing to (Ψβ) . Then, the second item of Lemma 3 on the assumption that LWE`,m,q,γ is hard (for the implies that for every i ∈ [m] the statistical dis- 0 parameters `, m, q and γ as above) for algorithms tance between (Z, s, xi) and (Z, s, (Zs)i + xi) is γq·n that run in superpolynomial time. The superpoly- at most βq . Using the fact that γ/β = negl(n), 0 nomial factor in the running time can be removed we conclude that (Z, s, xi) and (Z, s, (Zs)i + xi) by using the more involved search to decision re- are statistically close, and thus that (Z, s, x0) and

8 (Z, s, Zs + x) are statistically close. Therefore, it 4 Symmetric-Key Encryption Scheme suffices to prove that In this section we present a symmetric-key encryption scheme that is secure even if the secret (B, C, Z, BCs + x0) ≈ (B, C, Z, u). c key is distributed according to an arbitrary distri- 0 m bution with sufficient min-entropy, assuming the where x is drawn from Ψβ . The fact that Z is efficiently sampleable implies standard LWE assumption holds (for some setting that it suffices to prove that of parameters). More precisely, if the secret key s ∈ {0, 1}n is distributed according to some dis- 0 (B, C, BCs + x ) ≈c (B, C, u). tribution D min-entropy k then the assumption we rely on is that there exists a super-polynomial func- A standard application of leftover hash lemma [18] tion q = q(n) and a parameter β = q/poly(n) for using the fact that the min-entropy of s is at least which DLWEk,q,β(D) holds. According to Theo- ` log q + ω(log n) implies that rem 4, this assumption follows from the (standard) k−ω(log n) assumption LWE`,q,γ , where ` , log q and γ (C, Cs) ≈s (C, u) is any function that satisfies γ/q = negl(n).

Thus, the LWE`,m,q,β Assumption (which fol- 4.1 The Scheme lows from the LWE Assumption), immedi- `,m,q,γ We next describe our encryption scheme E = ately implies that (G, E, D), which is very similar to schemes that appeared in previous work [4, 12]. (B, C, BCs + x) ≈ (B, C, u), • Parameters. Let q = q(n) be any super- as desired. polynomial function, let β = q/poly(n), and let m = poly(n). The same technique used to prove Theorem 4, • Key generation algorithm G. On input 1n, with the exception of using the Goldreich Levin G(1n) outputs a uniformly random secret key n theorem over Zq (i.e, Lemma 2) instead of the left- s ← {0, 1} . over hash lemma shows that the LWE assumption • Encryption algorithm E. On input a secret holds even given auxiliary input h(s), where h is key s and a message w ∈ {0, 1}m, any uninvertible function (See below). In essence, q E (w) = (A, As + x + w) the proof of the auxiliary input theorem below pro- s 2 ceeds by using Lemma 2 to extract from the “com- m×n m putational entropy” in the secret (as opposed to us- where A ∈R Zq and x ← (Ψβ) . ing the leftover hash lemma to extract from the • Decryption algorithm D. on input a secret “information-theoretic entropy”). key s and a ciphertext (A, y), the decryption algorithm computes y − As and it deciphers Theorem 5. Let k ≥ log q, and let H be the class each coordinate i ∈ [m] separately, as fol- of all functions h : {0, 1}n → {0, 1}∗ that are 2−k lows: If the i’th coordinate of y − As is close hard to invert, i.e, given h(s), no PPT algorithm 3q 5q to q/2, i.e., is between 8 and 8 , then it can ﬁnd s with probability better than 2−k. deciphers the i’th coordinate of the message For any super-polynomial q = q(n), any m = to 1. If the i’th coordinate of y − As is far poly(n), any β, γ ∈ (0, q) such that γ/β = q from q/2, i.e., is smaller than 8 or larger than negl(n) 7q 8 , then it deciphers the i’th coordinate of the message to 0. Otherwise, it outputs ⊥. (A, As + x, h(s)) ≈c (A, u, h(s)) Remark. We note that, as opposed to most known m×n n m where A ← Zq , s ← Zq and u ← Zq are leakage resilient schemes, the parameters of this m scheme do not depend on any amount of leakage uniformly random and x ← Ψβ . assuming the (or min-entropy) that the scheme can tolerate. (standard) DLWE assumption, where ` `,m,q,γ , Nevertheless, using Theorem 4, we are able to k−ω(log n) . log q prove that this scheme is secure w.r.t. weak keys,

9 and in particular is leakage resilient. We empha- we denote by GD the key generation algorithm that size the change in the order of quantifiers: Rather samples the secret key s according to the distribu- n than proving that for every leakage parameter tion D. Namely, GD(1 ) outputs s ← Dn. there exists a scheme that is secure w.r.t. such Theorem 4 implies that in order to prove The- leakage, we show that there exists a scheme that orem 6 it suffices to prove the following lemma, is secure w.r.t. any leakage parameter, under a which states that if the secret key is samples ac- standard assumption, whose parameters depend cording to some distribution D, rather than sam- on the leakage parameter. We note that the only pled uniformly, then the scheme is secure under other encryption scheme that is known to have the (non-standard) DLWEn,q,β(D) assumption. this property is based on a non-standard version of the DDH assumption, which says that the Lemma 4. Let D = {Dn}n∈N be an arbitrary dis- DDH assumption holds even if one of its secrets tribution with min-entropy k = k(n). Then, the is chosen from an arbitrary distribution with encryption scheme ED = (GD,E,D) is CPA se- sufficient min-entropy [7, 9]. cure under the DLWEn,q,β(D) assumption. We first prove the correctness of our scheme. 4.2 Proof of Lemma 4 Claim 2. There exists a negligible function µ such that for every n and every w ∈ {0, 1}m, Let D = {Dn}n∈N be an arbitrary distribution with min-entropy k = k(n). We will prove that Pr[Ds(Es(w)) = w] = 1 − µ(n) no PPT adversary can distinguish between the case Proof. Fix any n and any message w ∈ {0, 1}m. that it is given access to a valid encryption oracle and the case that it is given access to an oracle that

Pr[(Ds(Es(w))) = w] = simply outputs random strings. Suppose for the sake of contradiction that there exists a PPT ad- Pr[∀i ∈ [m], (Ds(Es(w)))i = wi] = q versary A that succeeds in distinguishing between Pr[∀i ∈ [m], (D (A, As + x + w)) = w ] = the two oracles with probability , where is not a s 2 i i h q q i negligible function. We will show that this implies Pr ∀i ∈ [m], x ∈ − , ≥ i 8 8 that there exists a polynomial t = poly(n) and a q 7q PPT algorithm B such that 1 − m Pr x ∈ , = i 8 8 |Pr[B(A, As + x) = 1] − Pr[B(A, u) = 1]| ≥ (n) 1 − negl(n). (2) t×n t where A ∈R Zq , s ← Dn and x ← (Ψβ) . This will contradict the DLWEn,q,β(D) assump- We next argue the security of this scheme. tion. Algorithm B simply emulates A’s oracle. Every time that A asks for an encryption of some Deﬁnition 2. We say that a symmetric encryption message w, the algorithm B takes m fresh rows of scheme is CPA secure w.r.t. k(n)-weak keys, if for his input, denoted by (A, y) and feeds A the ci- any distribution {D } with min-entropy k(n), n n∈N phertext (A, y + q w). We choose t so that t/m the scheme is CPA secure even if the secret key is 2 is larger than the number of oracle queries that A chosen according to the distribution D . n makes. Note that if the input of B is an LWE in- Theorem 6. For any k = k(n), the encryption stance then B perfectly simulates the encryption scheme E = (G, E, D) is CPA secure with k(n)- oracle. On the other hand, if the input of B is ran- weak keys, under the (standard) DLWE`,q,γ as- dom, then B perfectly simulates the random oracle. k−ω(log n) Thus, Equation (2) indeed holds. sumption, where ` = log q and where γ sat- isﬁes γ/q = negl(n). Using Theorem 5 and a proof along similar lines as In order to prove Theorem 6, we use the follow- above, this scheme can also be shown to be secure ing notation: For any distribution D = {Dn}n∈N against uninvertible auxiliary inputs.

10 n 5 Point Function Obfuscation with {0, 1} and H∞(Xn) ≥ α(n), and for every mes- Multibit Output sage m ∈ {0, 1}`(n), In this section we consider the task of obfuscat- Pr A(O(I(k,m))) = 1 ing the class of point functions with multibit output h i I(k,m)(·) n (or multi-bit point functions (MBPF) for short), − Pr S (1 ) = 1 ≤ negl(n)

∗ I = {I(k,m) | k, m ∈ {0, 1} }, where the probability is taken over the randomness of k ← Xn, the randomness of the obfuscator O ∗ ∗ where each I(k,m) : {0, 1} ∪{⊥} → {0, 1} ∪⊥ and the randomness of A, S. is defined by Applying the work of [9] to our encryption m if x = k scheme, gives us the stronger notion of self- I (x) = (k,m) ⊥ otherwise composable obfuscation, defined below. Definition 4 (Composability [9]). A multi-bit Namely, I(k,m) outputs the message m given a cor- rect key k, and ⊥ otherwise. point function obfuscator O with α(n)-entropic security is said to be self-composable if for any PPT We show that our encryption scheme implies a adversary A with 1 bit output and any polynomial (weak) obfuscator for the class of multi-bit point `(·), there exists a PPT simulator S such that for functions. To this end, we use a recent result of every distribution {X } with X taking values Canetti et. al. [9] that shows a tight connection be- n n∈N n in {0, 1}n and H (X ) ≥ α(n), and for every tween encryption schemes with weak keys and a ∞ n m , . . . , m ∈ {0, 1}`(n), weak form of obfuscation of multi-bit point func- 1 t tions. The obfuscation definition they consider is | Pr[A(O(I ),..., O(I )) = 1] − a distributional one: Rather than requiring the ob- (k,m1) (k,mt) I (·),...,I (·) n fuscation to be secure w.r.t. every function in the Pr[S (k,m1) (k,mt) (1 ) = 1]| ≤ negl(n) class, as defined in the seminal work of [5], security is required only when the functions are dis- where the probabilities are over k ← Xn and over tributed according to a distribution with sufficient the randomness of A, S, O. min-entropy. Keeping Definitions 3 and 4 in mind, we can finally state our result. Definition 3 (Obfuscation of Point Functions with Multi-bit Output [9]). A multi-bit point function Theorem 7. There exists an obfuscator for the (MBPF) obfuscator is a PPT algorithm O which class of point functions with multibit output which takes as input values (k, m) describing a function is self-composable α(n)-entropic secure under the I(k,m) ∈ I and outputs a circuit C. DLWE`,q,γ assumption, where q = q(n) is super- Correctness: For all I(k,m) ∈ I with |k| = polynomial, ` = α(n)−ω(log n) and γ/q is negligi- n log q n, |m| = poly(n), all x ∈ {0, 1} , ble in n.

Pr[C(x) 6= I(k,m)(x) | C ← O(I(k,m))] ≤ negl(n) As was mentioned above, the proof of this theorem follows from the tight connection between en- where the probability is taken over the randomness cryptions scheme that are secure w.r.t. weak keys, of the obfuscator algorithm. and multibit point function obfuscation. To state Polynomial Slowdown: For any k, m, the size this connection formally, we need the following of the circuit C = O(I(k,m)) is polynomial in definition. |k| + |m|. Entropic Security: We say that the obfuscator Definition 5 (Wrong-Key Detection [9, 12]). We has α(n)-entropic security if for any PPT adver- say that an encryption scheme E = (G, E, D) sary A with 1 bit output and any polynomial `(·), satisfies the wrong-key detection property if for 0 n there exists a PPT simulator S such that for every all k 6= k ∈ {0, 1} , and every message m ∈ poly(n) {0, 1} , Pr[Dk0 (Ek(m)) 6= ⊥] ≤ negl(n). distribution {Xn}n∈N, where Xn takes values in

11 Lemma 5. [9] Let E = (G, E, D) be an en- [4] Benny Applebaum, David Cash, Chris Peikert, and cryption scheme with CPA security for α(n)-weak Amit Sahai. Fast cryptographic primitives and keys and having the wrong-key detection prop- circular secure encryption based on hard learning erty. We define the obfuscator O which, on in- problems. In CRYPTO, pages ??–??, 2009. [5] Boaz Barak, Oded Goldreich, Russell Impagli- put I(k,m), computes a ciphertext c = Ek(m) and outputs the circuit C (·) (with hard-coded cipher- azzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, c and Ke Yang. On the (im)possibility of obfuscat- text c) defined by C (x) = D (c). Then, O is a c x ing programs. In CRYPTO, pages 1–18, 2001. self-composable multi-bit point function obfusca- [6] Victor Boyko. On the security properties of oaep tor with α(n)-entropic security. as an all-or-nothing transform. In CRYPTO, pages 503–518, 1999. The proof of Theorem 7 follows immediately [7] Ran Canetti. Towards realizing random oracles: from Lemma 5, Theorem 6, and the following Hash functions that hide all partial information. In claim. CRYPTO, pages 455–469, 1997. [8] Ran Canetti, Yevgeniy Dodis, Shai Halevi, Eyal Claim 3. The encryption scheme E = (G, E, D), Kushilevitz, and Amit Sahai. Exposure-resilient defined in Section 4, has the wrong-key detection functions and all-or-nothing transforms. In EU- property. ROCRYPT, pages 453–469, 2000. [9] Ran Canetti, Yael Kalai, Mayank Varia, and Daniel 5.1 Proof of Claim 3 Wichs. On symmetric encryption and point func- Let s, s0 ∈ {0, 1}n be any two distinct secret tion obfuscation, 2009. Manuscript in Submission. [10] Don Coppersmith. Finding a small root of a bi- keys, and let w ∈ {0, 1}m be any message. variate integer equation; factoring with high bits known. In EUROCRYPT, pages 178–189, 1996. Pr[D 0 (E (w)) 6= ⊥] = s s [11] Yevgeniy Dodis, Shafi Goldwasser, Yael Kalai, m −q q Chris Peikert, and Vinod Vaikuntanathan. Public- Pr A(s − s0) + x ∈ , ≤ 8 8 key encryption schemes with auxiliary inputs, 2009. Manuscript in Submission. m×n m [12] Yevgeniy Dodis, Yael Tauman Kalai, and Shachar where A ∈R Zq and x ← (Ψβ) . The fact that s 6= s0 implies that the vector A(s − s0) is Lovett. On cryptography with auxiliary input. In uniformly distributed in m, and thus the vector STOC, pages 621–630, 2009. Zq [13] Yevgeniy Dodis, Shien Jin Ong, Manoj Prab- A(s − s0) + x is uniformly distributed in m. This Zq hakaran, and Amit Sahai. On the (im)possibility implies that of cryptography with imperfect randomness. In FOCS, pages 196–205, 2004. h q q mi 1m Pr A(s − s0) + x ∈ − , ≤ [14] Stefan Dziembowski and Krzysztof Pietrzak. 8 8 4 Leakage-resilient cryptography. In FOCS, pages = negl(n) 293–302, 2008. [15] Oded Goldreich, Ronitt Rubinfeld, and Madhu Su- as desired. dan. Learning polynomials with queries: The highly noisy case. SIAM J. Discrete Math., 13(4):535–570, 2000. References [16] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. One-time programs. In CRYPTO, pages [1] Adi Akavia, Shafi Goldwasser, and Vinod Vaikun- 39–56, 2008. tanathan. Simultaneous hardcore bits and cryptog- [17] Nadia Heninger and Hovav Shacham. Recon- raphy against memory attacks. In TCC, pages 474– structing rsa private keys from random key bits. In 495, 2009. CRYPTO, pages 1–17, 2009. [2] Michael Alekhnovich. More on average case vs [18] Russell Impagliazzo, Leonid A. Levin, and approximation complexity. In FOCS, pages 298– Michael Luby. Pseudo-random generation from 307, 2003. one-way functions (extended abstracts). In STOC, [3] Joel Alwen, Yevgeniy Dodis, and Daniel Wichs. pages 12–24, 1989. Leakage-resilient public-key cryptography in the [19] Yuval Ishai, Amit Sahai, and David Wagner. Pri- bounded-retrieval model. In CRYPTO, pages ??– vate circuits: Securing hardware against probing ??, 2009.

12 attacks. In CRYPTO, pages 463–481, 2003. [20] Jonathan Katz and Vinod Vaikuntanathan. Sig- nature schemes with bounded leakage. In ASI- ACRYPT, pages ??–??, 2009. [21] Silvio Micali and Leonid Reyzin. Physically ob- servable cryptography (extended abstract). In TCC, pages 278–296, 2004. [22] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. In CRYPTO, pages ??–??, 2009. [23] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In STOC, pages 333–342, 2009. [24] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efﬁcient and composable oblivious transfer. In CRYPTO, pages 554–571, 2008. [25] Christophe Petit, Franc¸ois-Xavier Standaert, Olivier Pereira, Tal Malkin, and Moti Yung. A block cipher based pseudo random number gener- ator secure against side-channel key recovery. In ASIACCS, pages 56–65, 2008. [26] Krzysztof Pietrzak. A leakage-resilient mode of operation. In EUROCRYPT, pages 462–482, 2009. [27] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages 84–93, 2005. [28] Ronald L. Rivest. All-or-nothing encryption and the package transform. In FSE, pages 210–218, 1997. [29] Alon Rosen and Gil Segev. Chosen-ciphertext security via correlated products. Cryptology ePrint Archive, Report 2008/116, 2008.