Indian Institute of Technology Kanpur

CS682A Course Project Report

Lattice Based Cryptography

Advisor: Prof. Rajat Mittal
Author: Nikhil Vanjani (14429), IIT Kanpur

November 15, 2017

Contents

1 Abstract 2
2 Background 2
2.1 Cryptography 2
2.2 Post Quantum Cryptography 3
3 Lattices in Computer Science 3
3.1 Introduction 3
3.2 LLL Algorithm 7
3.3 Dual Lattices 8
3.4 Fourier Transform 10
4 On Lattices, Learning With Errors, Random Linear Codes, and Cryptography 10
4.1 Preliminaries 10
4.2 Some Results that will be useful in proving Main Theorem 12
4.3 Main Theorem 13
4.4 Public Key Cryptosystem 17


1 Abstract

There are three main contributions of Regev's paper[1] studied in this project. The first is the reduction from worst-case lattice problems to the Learning With Errors (LWE) problem introduced by Regev. The second is an explanation of why this reduction is quantum, and of its implication in relating two worst-case lattice problems, Bounded Distance Decoding (a variant of CVP) and the Discrete Gaussian Sampling (DGS) problem. The third is the proposal of a first of its kind classical cryptosystem whose hardness is based on quantum hardness assumptions.

2 Background

2.1 Cryptography

Cryptography is the study of techniques used for secure communication in the presence of third party adversaries. The central problems that cryptography tries to solve are:

• Confidentiality: If Alice wants to communicate something confidential to Bob, any third party adversary Eve who can tap the communication should not be able to understand what is being communicated.
• Integrity: If Bob is receiving some message from Alice, he needs to be sure that the message hasn't been tampered with while being transmitted to him.
• Authentication: If Alice is communicating something to Bob, Bob needs to be sure that it is indeed Alice who is sending the message and not someone else.
• Non-repudiation: If Alice communicates something to Bob, at a later point she should not be able to deny authorship of what she communicated.

Modern day cryptographic protocols are based on mathematical theory. When we say that some standard protocol is secure, we mean that the protocol is based on computational hardness assumptions, meaning that breaching the security of the protocol would be equivalent to solving the computationally hard problem it is based on. This is considered infeasible because, by definition, hard problems are the ones which can't be solved efficiently in polynomial time.

Today's most popular public key algorithms are based on the Integer Factorization Problem[2], the Discrete Logarithm Problem[3] and the Elliptic Curve Discrete Logarithm Problem[4].

Peter Shor, in 1994, formulated Shor's algorithm[5], which can solve all three of these problems in polynomial time on a quantum computer. In 2001, IBM demonstrated an implementation of Shor's algorithm to factor 15. An intuitive question which follows from Shor's algorithm is: could quantum computers solve NP-complete problems? Lance Fortnow[6] explains that this is unlikely to happen, and the majority of researchers believe likewise for now.


Unlike public key cryptography, secret key cryptography is considered to be secure against quantum computers. Though Grover's algorithm[7] reduces the run time quadratically, this can be tackled by doubling the key size[8].

2.2 Post Quantum Cryptography

After Shor’s breakthrough algorithm, people have started exploring and building algorithms which would be resistant to attacks by quantum computers. Such algorithms come under the purview of Post Quantum Cryptography (PQC).

Note: Often post quantum cryptography and quantum cryptography are confused to be the same, but they are not. Quantum cryptography explores using quantum mechanical properties to achieve confidentiality, integrity, authentication and non-repudiation.

More recently, advances in PQC have been made mainly by the following three approaches:

• Lattice Based Cryptography: This approach is based on lattice constructions. Ajtai[9], in 1996, introduced the first lattice based cryptographic protocol, based on the Short Integer Solutions lattice problem. More recent works revolve around Regev's[1] lattice based public key encryption scheme based on the Learning With Errors problem.
• Code Based Cryptography: This approach is based on error correcting codes. The most popular algorithm based on this approach is McEliece's algorithm, which is based on random Goppa codes.
• Hash Based Cryptography: Hash based digital signatures were introduced by Merkle in the 1970s through the Merkle Signature Scheme[10]. Research in this approach revived when people realized that it was resistant to attacks by quantum computers.

Note: Proofs of Lemmas/Theorems/Claims marked with # in subsequent sections are provided in the appendix.

3 Lattices in Computer Science

3.1 Introduction

In this subsection, we define lattices, their span, the fundamental parallelepiped and its properties, and the determinant of a lattice. Then we proceed to define the successive minima and find some upper bounds on them, namely Blichfeld's theorem and Minkowski's theorems. Lastly, the popular computational problems on lattices, the Shortest Vector Problem and the Closest Vector Problem, are defined along with their approximation variants.

Definition 3.1.1 (Lattice) Given n linearly independent vectors $b_1, b_2, \ldots, b_n \in \mathbb{R}^m$, the lattice generated by them is defined as

$L(B) = L(b_1, b_2, \ldots, b_n) = \{\sum_i x_i b_i \mid x_i \in \mathbb{Z}\} = \{Bx \mid x \in \mathbb{Z}^n\}$

We refer to $b_1, b_2, \ldots, b_n$ as a basis of the lattice.

Figure 1: A lattice in R2[11]

Definition 3.1.2 (Span) The span of a lattice L(B) is the linear space spanned by its vectors, $\mathrm{span}(L(B)) = \mathrm{span}(B) = \{By \mid y \in \mathbb{R}^n\}$

Definition 3.1.3 (Fundamental Parallelepiped) For any lattice basis B we define

$P(B) = \{Bx \mid x \in \mathbb{R}^n, \forall i : 0 \le x_i < 1\}$

Figure 2: A lattice in R2[11]

# Lemma 3.1.4 Let Λ be a lattice of rank n and let $b_1, b_2, \ldots, b_n \in \Lambda$ be n independent lattice vectors. Then $b_1, b_2, \ldots, b_n$ form a basis of Λ if and only if $P(b_1, b_2, \ldots, b_n) \cap \Lambda = \{0\}$.

Lemma 3.1.5 Two bases $B_1, B_2 \in \mathbb{R}^{m \times n}$ are equivalent iff $B_2 = B_1 U$ for some unimodular matrix U.

Definition 3.1.6 (Determinant) For a rank n lattice Λ, its determinant, denoted by det(Λ), is defined as the n-dimensional volume of P(B). Mathematically, $\det(\Lambda) := \sqrt{\det(B^T B)}$. When Λ is full rank, $\det(\Lambda) = |\det(B)|$.

Definition 3.1.7 (Successive Minima) Let Λ be a lattice of rank n. For $i \in \{1, 2, \ldots, n\}$ we define the i-th successive minimum as

$\lambda_i(\Lambda) = \inf\{r \mid \dim(\mathrm{span}(\Lambda \cap B(0, r))) \ge i\}$

where $B(0, r) = \{x \in \mathbb{R}^m \mid \|x\| \le r\}$ is the closed ball of radius r around 0.


Figure 3: Some lattice bases[11]

Figure 4: Successive minima: $\lambda_1(\Lambda) = 1$, $\lambda_2(\Lambda) = 2.3$[11]

Blichfeld's Theorem: For any full rank lattice $\Lambda \subseteq \mathbb{R}^n$ and set $S \subseteq \mathbb{R}^n$ with $\mathrm{vol}(S) > \det(\Lambda)$, there exist two distinct points $z_1, z_2 \in S$ such that $z_1 - z_2 \in \Lambda$.

Figure 5: Blichfeld’s Theorem[11]


Minkowski's Convex Body Theorem: Let Λ be a full rank lattice of rank n. Then for any centrally symmetric convex set S, if $\mathrm{vol}(S) > 2^n \det(\Lambda)$ then S contains a non-zero lattice point.

Figure 6: Intuitive proof of Minkowski's Convex Body Theorem: $\hat S = \frac{1}{2} S$; $\hat S$ satisfies Blichfeld's Theorem; lastly, $z_1 - z_2 \in S$ because S is centrally symmetric[11]

Minkowski's First Theorem: For any full-rank lattice Λ of rank n,

$\lambda_1(\Lambda) \le \sqrt{n}\,(\det(\Lambda))^{1/n}$

Proof

• Claim: The volume of an n-dimensional ball of radius r is $\mathrm{vol}(B(0, r)) \ge \left(\frac{2r}{\sqrt{n}}\right)^n$.
• By definition, the open ball $B(0, \lambda_1(\Lambda))$ contains no nonzero lattice points. By Minkowski's Convex Body Theorem and the Claim,

$\left(\frac{2\lambda_1(\Lambda)}{\sqrt{n}}\right)^n \le \mathrm{vol}(B(0, \lambda_1(\Lambda))) \le 2^n \det(\Lambda)$

and we obtain the bound on $\lambda_1(\Lambda)$ by rearranging. □

Minkowski's Second Theorem: For any full-rank lattice Λ of rank n,

$\left(\prod_{i=1}^{n} \lambda_i(\Lambda)\right)^{1/n} \le \sqrt{n}\,(\det(\Lambda))^{1/n}$

Computational Problems: Minkowski's first theorem implies that any lattice Λ of rank n contains a nonzero vector of length at most $\sqrt{n}\,(\det(\Lambda))^{1/n}$. Its proof, however, is non-constructive: it does not give us an algorithm to find such a lattice vector. In fact there is no known efficient algorithm that finds such short vectors. The computational problems presented below are conjectured to be hard.

Shortest Vector Problem (SVP): We are given a lattice and we are supposed to find the shortest nonzero lattice point.

• Search SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $v \in L(B)$ such that $\|v\| = \lambda_1(L(B))$.
• Optimization SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $\lambda_1(L(B))$.
• Decisional SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a rational $r \in \mathbb{Q}$, determine whether $\lambda_1(L(B)) \le r$ or not.


Approximation variants of SVP: Here, instead of finding the shortest vector, we are interested in an approximation of it. The approximation factor is given by some parameter γ ≥ 1.

• Search SVP_γ: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $v \in L(B)$ such that $v \ne 0$ and $\|v\| \le \gamma \lambda_1(L(B))$.
• Optimization SVP_γ: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find d such that $d \le \lambda_1(L(B)) \le \gamma d$.
• Promise SVP_γ: An instance of the problem is given by a pair (B, r) where $B \in \mathbb{Z}^{m \times n}$ is a lattice basis and $r \in \mathbb{Q}$. In YES instances, $\lambda_1(L(B)) \le r$. In NO instances, $\lambda_1(L(B)) \ge \gamma r$.

The latter variant is usually denoted by GapSVP_γ.

Approximation variants of CVP: Another fundamental lattice problem is the Closest Vector Problem (CVP). Here, the goal is to find the lattice point closest to a given point t in space. As before, for an approximation factor γ ≥ 1, we can define three variants:

• Search CVP_γ: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a vector $t \in \mathbb{Z}^m$, find $v \in L(B)$ such that $\|v - t\| \le \gamma\,\mathrm{dist}(t, L(B))$.

• Optimization CVP_γ: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a vector $t \in \mathbb{Z}^m$, find d such that $d \le \mathrm{dist}(t, L(B)) \le \gamma d$.

• Promise CVP_γ: An instance of the problem is given by a triple (B, t, r) where $B \in \mathbb{Z}^{m \times n}$ is a lattice basis, $t \in \mathbb{Z}^m$ and $r \in \mathbb{Q}$. In YES instances, $\mathrm{dist}(t, L(B)) \le r$. In NO instances, $\mathrm{dist}(t, L(B)) \ge \gamma r$.

3.2 LLL Algorithm

Definition 3.2.1 Given n linearly independent vectors $b_1, \ldots, b_n \in \mathbb{R}^n$, the Gram-Schmidt orthogonalization of $b_1, \ldots, b_n$ is defined as

$\tilde b_i = b_i - \sum_{j=1}^{i-1} \mu_{i,j} \tilde b_j$, where $\mu_{i,j} = \frac{\langle b_i, \tilde b_j \rangle}{\langle \tilde b_j, \tilde b_j \rangle}$.

Definition 3.2.2 A basis $B = \{b_1, \ldots, b_n\} \in \mathbb{R}^n$ is a δ-LLL Reduced Basis if the following holds:

• $\forall\, 1 \le i \le n$ and $j < i$: $|\mu_{i,j}| \le \frac{1}{2}$
• $\forall\, 1 \le i < n$: $\delta \|\tilde b_i\|^2 \le \|\mu_{i+1,i} \tilde b_i + \tilde b_{i+1}\|^2$

Claim 3.2.3 Let $b_1, \ldots, b_n \in \mathbb{R}^n$ be a δ-LLL reduced basis. Then,

$\|b_1\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^{n-1} \lambda_1(L)$

Claim 3.2.3 provides us with an approximation to the SVP problem. For δ = 3/4, we obtain a $2^{(n-1)/2}$ approximation. The best approximation obtainable from it is $\left(\frac{2}{\sqrt{3}}\right)^{n-1}$, by setting $\delta = \frac{1}{4} + \left(\frac{3}{4}\right)^{n/(n-1)}$.

The LLL Algorithm

The running time is polynomial in $M = \max\{n, \log(\max_i \|b_i\|)\}$.


Algorithm 1 The LLL Algorithm
1: Input: Lattice basis $b_1, \ldots, b_n \in \mathbb{Z}^n$
2: Output: δ-LLL reduced basis for L(B)
3: Start: compute $\tilde b_1, \ldots, \tilde b_n$
4: Reduction Step:
5: for i = 2 to n do
6:   for j = i − 1 to 1 do
7:     $b_i \leftarrow b_i - c_{i,j} b_j$ where $c_{i,j} = \lceil \langle b_i, \tilde b_j \rangle / \langle \tilde b_j, \tilde b_j \rangle \rfloor$ (rounded to the nearest integer)
8: Swap Step:
9: if ∃i s.t. $\delta \|\tilde b_i\|^2 > \|\mu_{i+1,i} \tilde b_i + \tilde b_{i+1}\|^2$ then
10:   $b_i \leftrightarrow b_{i+1}$
11:   goto Start
12: Return $b_1, \ldots, b_n$
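As an added example (not part of the original report), the following Python implementation follows Algorithm 1 step by step with exact rational arithmetic, and checks the two conditions of Definition 3.2.2 on its output; the 3-dimensional input basis is a constructed sample.

```python
import math
from fractions import Fraction
from typing import List, Tuple

Vector = List[Fraction]


def dot(u: Vector, v: Vector) -> Fraction:
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis: List[Vector]) -> Tuple[List[Vector], List[List[Fraction]]]:
    """Definition 3.2.1: bt[i] is b~_i and mu[i][j] = <b_i, b~_j> / <b~_j, b~_j>."""
    n = len(basis)
    bt: List[Vector] = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(basis[i])
        for j in range(i):
            mu[i][j] = dot(basis[i], bt[j]) / dot(bt[j], bt[j])
            v = [a - mu[i][j] * b for a, b in zip(v, bt[j])]
        bt.append(v)
    return bt, mu


def is_lll_reduced(basis, delta=Fraction(3, 4)) -> bool:
    """Definition 3.2.2: |mu_ij| <= 1/2 for j < i, and the Lovasz condition for each i < n."""
    b = [[Fraction(x) for x in v] for v in basis]
    bt, mu = gram_schmidt(b)
    n = len(b)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(n) for j in range(i)):
        return False
    for i in range(n - 1):
        w = [mu[i + 1][i] * x + y for x, y in zip(bt[i], bt[i + 1])]
        if delta * dot(bt[i], bt[i]) > dot(w, w):
            return False
    return True


def lll_reduce(basis, delta=Fraction(3, 4)) -> List[List[int]]:
    """Algorithm 1: Start (Gram-Schmidt), Reduction Step, Swap Step, goto Start until no swap."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    while True:
        bt, _ = gram_schmidt(b)                      # Start: compute b~_1, ..., b~_n
        for i in range(1, n):                        # Reduction Step, i = 2..n
            for j in range(i - 1, -1, -1):           #   j = i-1 down to 1
                # c_ij = <b_i, b~_j> / <b~_j, b~_j> rounded to the nearest integer
                c = math.floor(dot(b[i], bt[j]) / dot(bt[j], bt[j]) + Fraction(1, 2))
                b[i] = [x - c * y for x, y in zip(b[i], b[j])]
        bt, mu = gram_schmidt(b)                     # b~ is unchanged by size reduction, mu is not
        swapped = False
        for i in range(n - 1):                       # Swap Step
            w = [mu[i + 1][i] * x + y for x, y in zip(bt[i], bt[i + 1])]
            if delta * dot(bt[i], bt[i]) > dot(w, w):
                b[i], b[i + 1] = b[i + 1], b[i]
                swapped = True
                break                                # goto Start
        if not swapped:
            return [[int(x) for x in v] for v in b]  # Return b_1, ..., b_n


def det(matrix) -> Fraction:
    """Signed determinant by Laplace expansion along the first row (rows are the basis vectors).
    Equivalent bases have the same |det| (Lemma 3.1.5), so this checks the lattice was preserved."""
    if len(matrix) == 1:
        return Fraction(matrix[0][0])
    return sum((-1) ** j * Fraction(matrix[0][j]) * det([row[:j] + row[j + 1:] for row in matrix[1:]])
               for j in range(len(matrix)))


# Constructed sample basis (not taken from the report); rows are b_1, b_2, b_3.
SAMPLE_BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]

if __name__ == "__main__":
    reduced = lll_reduce(SAMPLE_BASIS)
    print(reduced, is_lll_reduced(SAMPLE_BASIS), is_lll_reduced(reduced))
```

The reduced basis starts with (0, 1, 0), a vector of norm 1, which is within the $2^{(n-1)/2}$ factor of Claim 3.2.3 for δ = 3/4.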

3.3 Dual Lattices

Definition 3.3.1 (Dual Lattice) For a full rank lattice Λ we define its dual lattice as

$\Lambda^* = \{y \in \mathbb{R}^n \mid \forall x \in \Lambda,\ \langle x, y \rangle \in \mathbb{Z}\}$

In general, we define

$\Lambda^* = \{y \in \mathrm{span}(\Lambda) \mid \forall x \in \Lambda,\ \langle x, y \rangle \in \mathbb{Z}\}$

Figure 7: A lattice and its dual[11]

Definition 3.3.2 (Dual Basis) For a basis $B = (b_1, \ldots, b_n) \in \mathbb{R}^{m \times n}$, define the dual basis $D = (d_1, \ldots, d_n) \in \mathbb{R}^{m \times n}$ as the unique basis which satisfies

• span(D) = span(B)
• $B^T D = I$

Property 3.3.3 If D is the dual basis of B then $(L(B))^* = L(D)$.


Property 3.3.4 For any lattice Λ, $(\Lambda^*)^* = \Lambda$.

Property 3.3.5 For any lattice Λ, $\det(\Lambda^*) = \frac{1}{\det(\Lambda)}$.

Property 3.3.6 For any rank n lattice Λ, $\lambda_1(\Lambda)\,\lambda_1(\Lambda^*) \le n$.

Property 3.3.7 For any rank n lattice Λ, $\lambda_1(\Lambda)\,\lambda_n(\Lambda^*) \ge 1$.

Note: Properties 3.3.6 and 3.3.7 give some relations between properties of a lattice and those of its dual. Such properties are known as Transference Theorems. Transference theorems allow one to infer information about a lattice by studying the properties of its dual. Using transference theorems, one can give simple reductions between corresponding lattice problems.

Definition 3.3.8 (π_i Notation): For a basis $b_1, \ldots, b_n$, let $\pi_i$ denote the projection on the space $\mathrm{span}(b_1, \ldots, b_{i-1})^\perp$. In particular, $\pi_1(b_1), \ldots, \pi_n(b_n)$ is the Gram-Schmidt orthogonalization of $b_1, \ldots, b_n$.

Property 3.3.9 Let B, D be dual bases. Then, for all i, $B' = (\pi_i(b_i), \ldots, \pi_i(b_n))$ and $D' = (d_i, \ldots, d_n)$ are also dual bases.

Property 3.3.10 Let $b_1, \ldots, b_n$ be some basis and let $\tilde b_1, \ldots, \tilde b_n$ be its Gram-Schmidt orthogonalization. Let $d_n, \ldots, d_1$ be the dual basis of $b_1, \ldots, b_n$ in reverse order and let $\tilde d_n, \ldots, \tilde d_1$ be its Gram-Schmidt orthogonalization. Then, for all i,

$\tilde d_i = \frac{\tilde b_i}{\|\tilde b_i\|^2}$

Definition 3.3.11 (Korkine Zolotarev (KZ) Bases) For a rank n lattice Λ, we define its KZ basis $b_1, \ldots, b_n$ recursively as follows. We let $b_1$ be the shortest vector in Λ. We then let Λ' be the lattice given by the projection of Λ on the subspace of span(Λ) orthogonal to $b_1$. Let $c_2, \ldots, c_n$ be the KZ basis of Λ'. Define $b_i = c_i + \alpha_i b_1$ where $\alpha_i \in (-\frac{1}{2}, \frac{1}{2}]$ is the unique number such that $b_i \in \Lambda$.

• A KZ basis gives one way to formalize the idea of a shortest possible basis.
• An application of KZ bases is that we can prove that $\mathrm{GapSVP}_n \in \mathrm{coNP}$.

Figure 8: A lattice and its KZ basis[11]


3.4 Fourier Transform

Fourier Series of a Λ-periodic function: Let B be a basis of some full-rank lattice Λ and let f be a Λ-periodic function, i.e., a function $f : \mathbb{R}^n \to \mathbb{C}$ such that $f(x + y) = f(x)$ for all $x \in \mathbb{R}^n$ and $y \in \Lambda$. The Fourier series of f is the function $\hat f : \Lambda^* \to \mathbb{C}$ given by

$\hat f(y) = \frac{1}{\det(\Lambda)} \int_{P(B)} f(x)\, e^{-2\pi i \langle x, y \rangle}\, dx$

Lemma 3.4.1 For any $f : \mathbb{R}^n \to \mathbb{C}$ and any full-rank lattice Λ, $f(\Lambda) = \det(\Lambda^*)\,\hat f(\Lambda^*)$.

4 On Lattices, Learning With Errors, Random Linear Codes, and Cryptography

In this section, we present Oded Regev's paper with the above title. We begin with some preliminaries, namely defining the discrete Gaussian distribution, a variant of CVP, the DGS problem, the Learning Parity with Noise (LPN) problem and its extension to higher moduli, i.e., the Learning With Errors (LWE) problem. In subsections 4.2 and 4.3 we collect the required results and describe the Main Theorem of the paper along with its proof. Lastly, we describe the cryptosystem presented by Regev.

4.1 Preliminaries

Gaussian Distributions:

• $\rho_s(x) := e^{-\pi \|x/s\|^2}$, a Gaussian function scaled by a factor of s, for a vector $x \in \mathbb{R}^n$
• $\nu_s := \rho_s / s^n$, an n-dimensional probability density function
• $\rho_s(A) = \sum_{x \in A} \rho_s(x)$, extension of the function to any countable set A
• Periodic Normal Distribution ($\Psi_\beta$) is obtained by sampling from a Gaussian variable with mean 0 and standard deviation $\frac{\beta}{\sqrt{2\pi}}$ and reducing the result modulo 1 (taking modulo 1 periodizes the Gaussian distribution):

$\forall r \in [0, 1),\quad \Psi_\beta(r) := \sum_{k=-\infty}^{\infty} \frac{1}{\beta} \cdot e^{-\pi\left(\frac{r-k}{\beta}\right)^2}$

• Discrete Gaussian probability distribution $D_{A,s}$: $\forall x \in A,\ D_{A,s}(x) := \frac{\rho_s(x)}{\rho_s(A)}$
• For a lattice L and $x \in L$, $D_{L,r}(x) = \rho_r(x)/\rho_r(L) \propto e^{-\pi \|x/r\|^2}$


Figure 9: DL,2 for a two dimensional lattice L. z-axis represents probability[1]

Bounded Distance Decoding Problem ($\mathrm{BDD}_r$) or ($\mathrm{CVP}_{L,r}$): Given a lattice L and any point $x \in \mathbb{R}^n$ within distance r of L, find the closest lattice point.

Figure 10: An example of BDD problem. The red vector point is given, we need to find the closest lattice point

Discrete Gaussian Sampling Problem (DGS): Given an n-dimensional lattice L and a number $r \ge \sqrt{2n} \cdot \eta_\varepsilon(L)/\alpha$ (α ∈ (0, 1)), output a sample from $D_{L,r}$.

• Smoothing parameter $\eta_\varepsilon(L)$: it gives the smallest r starting from which $D_{L,r}$ 'behaves like' a continuous Gaussian distribution.

Learning Parity with Noise (LPN): The goal is to find $s \in \mathbb{Z}_2^n$, given a list of equations with error:

$\langle s, a_1 \rangle \approx b_1 \pmod 2$
$\langle s, a_2 \rangle \approx b_2 \pmod 2$
...

where the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_2^n$ and the $b_i$'s are chosen independently to be equal to $\langle s, a_i \rangle$ with probability $1 - \varepsilon$. When ε = 0, the problem can be solved efficiently using Gaussian elimination with O(n) equations and poly(n) time. But for any ε > 0, the problem becomes significantly harder to solve. Using Gaussian elimination, suppose we find a set S of equations such that $\sum_{i \in S} a_i = (1, 0, 0, \ldots, 0)$. A simple calculation shows that this yields the first bit of s with probability $\frac{1}{2} + 2^{-\Theta(n)}$. Hence, to confidently tell the first bit of s, we need to repeat the process $2^{\Theta(n)}$ times. We can then use this whole process to find each bit of s.

• LPN is conjectured to be a hard problem.
• An important open question is to explain the apparent difficulty of finding an efficient solution to it.
• This paper explains the difficulty for the extension of this problem to higher moduli.

Learning With Errors ($\mathrm{LWE}_{p,\chi}$): The goal is to find $s \in \mathbb{Z}_p^n$, given a list of equations with error:

$\langle s, a_1 \rangle \approx_\chi b_1 \pmod p$
$\langle s, a_2 \rangle \approx_\chi b_2 \pmod p$
...

where p = poly(n), $s \in \mathbb{Z}_p^n$, the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_p^n$, $b_i \in \mathbb{Z}_p$, and the errors are sampled from a probability distribution $\chi : \mathbb{Z}_p \to \mathbb{R}^+$. Equivalently, the i-th equation is given by $b_i = \langle s, a_i \rangle + e_i$, where $e_i \in \mathbb{Z}_p$ is chosen according to χ. We say that an algorithm solves $\mathrm{LWE}_{p,\chi}$ if it outputs s with probability exponentially close to 1.

Figure 11: $\Psi_\alpha$ for p = 127 with α = 0.05. The elements are arranged in a circle.[1]

• Easy algorithms need $2^{O(n \log n)}$ equations/time
• The best known algorithm needs $2^{O(n)}$ equations/time
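As an added example (not from the report), the Python code below generates LWE samples whose error is a Gaussian of standard deviation αp/√(2π) rounded to an integer (the discretisation of Ψ_α assumed here) and runs Gaussian elimination over Z_p on them: with α = 0 the exact equations give back s, just as the text describes for LPN with ε = 0, while with noise the same equations become inconsistent and yield nothing. The parameters n = 8, p = 257, α = 0.02 and the seeded RNG are assumptions made for this example.

```python
import math
import random
from typing import List, Optional, Tuple

Sample = Tuple[List[int], int]

# Toy parameters assumed for this example (real instances use p = poly(n) and much larger n).
N, P, ALPHA = 8, 257, 0.02


def lwe_samples(s: List[int], m: int, alpha: float, p: int, rng: random.Random) -> List[Sample]:
    """m samples (a_i, b_i) with b_i = <s, a_i> + e_i (mod p); each a_i is uniform over Z_p^n.
    e_i is a Gaussian of standard deviation alpha*p/sqrt(2*pi) rounded to the nearest integer
    (the discretisation of Psi_alpha assumed here); alpha = 0 gives exact, noise-free equations."""
    out: List[Sample] = []
    for _ in range(m):
        a = [rng.randrange(p) for _ in range(len(s))]
        e = round(rng.gauss(0.0, alpha * p / math.sqrt(2 * math.pi)))
        out.append((a, (sum(x * y for x, y in zip(s, a)) + e) % p))
    return out


def solve_exact(samples: List[Sample], n: int, p: int) -> Optional[List[int]]:
    """Gaussian elimination over Z_p (p prime), treating every sample as <s, a_i> = b_i exactly.
    Returns s when the system has full rank and is consistent, else None."""
    if len(samples) < n:
        return None
    rows = [list(a) + [b] for a, b in samples]          # augmented matrix [A | b]
    for col in range(n):
        pivot = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if pivot is None:
            return None                                   # rank deficient
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = pow(rows[col][col], -1, p)                  # modular inverse of the pivot
        rows[col] = [x * inv % p for x in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[col])]
    # Every leftover row now reads 0 = row[n]. A nonzero right-hand side means no s satisfies
    # all equations at once, which is exactly what the errors e_i cause.
    if any(row[n] for row in rows[n:]):
        return None
    return [rows[i][n] for i in range(n)]


def demo(seed: int = 7) -> Tuple[bool, bool]:
    """(noise-free recovery succeeded, noisy system was rejected) for one random secret."""
    rng = random.Random(seed)
    s = [rng.randrange(P) for _ in range(N)]
    clean = solve_exact(lwe_samples(s, 2 * N, 0.0, P, rng), N, P)
    noisy = solve_exact(lwe_samples(s, 2 * N, ALPHA, P, rng), N, P)
    return clean == s, noisy is None


if __name__ == "__main__":
    print(demo())
```

With 2n equations the noisy system is inconsistent unless every rounded error happens to be zero, so elimination alone cannot even produce a candidate s; recovering s from noisy samples is the LWE problem itself.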

4.2 Some Results that will be useful in proving Main Theorem

Claim 4.2.1: For all s, t, l > 0 and $x, y \in \mathbb{R}^n$ with $\|x\| \le t$ and $\|x - y\| \le l$,

$\rho_s(y) \ge \left(1 - \pi(2lt + l^2)/s^2\right)\rho_s(x)$


Claim 4.2.2: For any 0 < α < β ≤ 2α,

$\Delta(\Psi_\alpha, \Psi_\beta) \le 9\left(\frac{\beta}{\alpha} - 1\right)$

Lemma 4.2.3: For any n-dimensional lattice L,

$1 \le \lambda_1(L) \cdot \lambda_n(L^*) \le n$

Lemma 4.2.4: For any lattice L and a ≥ 1,

$\rho_a(L) \le a^n \rho(L)$

Lemma 4.2.5: Let $B_n$ be the Euclidean unit ball. Then, for any lattice L and any r > 0,

$\rho_r(L \setminus \sqrt{n}\, r B_n) < 2^{-2n} \cdot \rho_r(L)$

where $L \setminus \sqrt{n}\, r B_n$ is the set of lattice points of norm greater than $\sqrt{n}\, r$.

Lemma 4.2.6: For an n-dimensional lattice L and $\varepsilon = 2^{-n}$,

$\eta_\varepsilon(L) \le \sqrt{n}/\lambda_1(L^*)$

Lemma 4.2.7: For an n-dimensional lattice L and ε > 0,

$\eta_\varepsilon(L) \le \sqrt{\frac{\ln(2n(1 + 1/\varepsilon))}{\pi}} \cdot \lambda_n(L)$

Claim 4.2.8: For any lattice L and any ε > 0,

$\eta_\varepsilon(L) \ge \sqrt{\frac{\ln(1/\varepsilon)}{\pi}} \cdot \frac{1}{\lambda_1(L^*)} \ge \sqrt{\frac{\ln(1/\varepsilon)}{\pi}} \cdot \frac{\lambda_n(L)}{n}$

4.3 Main Theorem

Theorem 4.3.1 (Main Theorem): Let ε = ε(n) be some negligible function of n. Let p = p(n) be some integer and α = α(n) ∈ (0, 1) be such that $\alpha p > 2\sqrt{n}$. Assume that we have access to an oracle that solves $\mathrm{LWE}_{p,\chi}$ given a polynomial number of samples. Then there exists an efficient quantum algorithm for $\mathrm{DGS}_{\sqrt{2n}\,\eta_\varepsilon(L)/\alpha}$.

Algorithmic Proof:

• Inputs: an n-dimensional lattice L, a number $r > \sqrt{2}\, p\, \eta_\varepsilon(L)$, and an LWE oracle for $\alpha p > 2\sqrt{n}$
• Output: A sample from $D_{L,r}$
• Step 1: Generate $n^c$ samples from $D_{L, r_{3n}}$, where $r_i = r \cdot (\alpha p/\sqrt{n})^i$
• Step 2 (iterative step): for i = 3n, 3n − 1, ..., 1, using $n^c$ samples from $D_{L, r_i}$ generate $n^c$ samples from $D_{L, r_{i-1}}$
• Step 3: We get $n^c$ samples from $D_{L, r_0} = D_{L,r}$. Output the first sample from it.

We show how to generate samples for Step 1 in Lemma 4.3.2 (Bootstrapping) and how to perform Step 2 in Lemma 4.3.3 (The Iterative Step).

Lemma 4.3.2 (Bootstrapping): For an n-dimensional lattice L and $r > 2^{2n} \lambda_n(L)$, there exists an efficient algorithm that outputs a sample from a distribution that is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$.

Algorithmic Proof

• Use the LLL algorithm to reduce the basis and get a basis of length at most $2^n \lambda_n(L)$. Let P(L) be the corresponding fundamental parallelepiped.

• Sample y from $\nu_r$ and output $y - (y \bmod P(L)) \in L$.

We need to show that statistically the resulting distribution is exponentially close to $D_{L,r}$. This is easy to see as follows. By Lemma 4.2.5, we know that almost all the points sampled from $D_{L,r}$ are concentrated within norm $\sqrt{n}\, r$. So, consider $x \in L$ with $\|x\| \le \sqrt{n}\, r$. By definition,

$D_{L,r}(x) = \frac{\rho_r(x)}{\rho_r(L)}$

By Lemma 3.4.1, we know that $\rho_r(L) = \det(L^*) \cdot r^n \rho_{1/r}(L^*) \ge \det(L^*) \cdot r^n$. Hence,

$D_{L,r}(x) \le \rho_r(x)/(\det(L^*) \cdot r^n) = \det(L)\,\nu_r(x)$

Also, by Claim 4.2.1, the probability given to $x \in L$ by our procedure is

$\int_{x + P(L)} \nu_r(y)\, dy \ge \left(1 - 2^{-\Omega(n)}\right)\det(L)\,\nu_r(x)$

Hence, we get that our output distribution is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$. □

Lemma 4.3.3 (The Iterative Step) Let ε = ε(n) be a negligible function, α = α(n) ∈ (0, 1) be a real number, and p = p(n) ≥ 2 be an integer. Assume that we have access to an oracle W that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ given a polynomial number of samples. Then, there exists a constant c > 0 and an efficient quantum algorithm that, given any n-dimensional lattice L, a number $r > \sqrt{2}\, p\, \eta_\varepsilon(L)$ and $n^c$ samples of $D_{L,r}$, produces a sample from $D_{L, r\sqrt{n}/(\alpha p)}$.

Proof: The algorithm consists of two parts. The first part is shown in Lemma 4.3.4 and the second part in Lemma 4.3.8. In the first part, we describe a classical algorithm that, using the LWE oracle and samples from $D_{L,r}$, solves $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$. In the second part, we describe a quantum algorithm that, using an oracle that solves $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$, outputs samples from $D_{L, r\sqrt{n}/(\alpha p)}$. □

Lemma 4.3.4 (First part of the iterative step) Let ε = ε(n) be a negligible function, p = p(n) ≥ 2 be an integer, and α = α(n) ∈ (0, 1) be a real number. Assume that we have access to an oracle W that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ given a polynomial number of samples. Then, there exists a constant c > 0 and an efficient algorithm that, given any n-dimensional lattice L, a number $r > \sqrt{2}\, p\, \eta_\varepsilon(L)$, and $n^c$ samples from $D_{L,r}$, solves $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$.

Figure 12: Two iterations of the algorithm[1]

The above lemma can be proved using the following three lemmas. The first two are easy to show; the third is quite involved and hence we skip it in this report.

Lemma 4.3.5 (Finding coefficients modulo p is sufficient): There exists an efficient algorithm that, given a lattice L, a number $d < \lambda_1(L)/2$ and an integer p ≥ 2, solves $\mathrm{CVP}_{L,d}$ given access to an oracle for $\mathrm{CVP}^{(p)}_{L,d}$.

Lemma 4.3.6 (Handling error $\Psi_\beta$ for β ≤ α): Let p = p(n) ≥ 2 be some integer and α = α(n) ∈ (0, 1). Assume that we have access to an oracle W that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ by using a polynomial number of samples. Then, there exists an efficient algorithm W' that, given samples from $A_{s,\Psi_\beta}$ for some (unknown) β ≤ α, outputs s with probability exponentially close to 1.

Lemma 4.3.7: Let ε = ε(n) be a negligible function, p = p(n) ≥ 2 be an integer, and α = α(n) ∈ (0, 1) be a real number. Assume that we have access to an oracle W that, for all β ≤ α, finds s given a polynomial number of samples from $A_{s,\Psi_\beta}$ (without knowing β). Then, there exists an efficient algorithm that, given an n-dimensional lattice L, a number $r > \sqrt{2}\, p\, \eta_\varepsilon(L)$, and a polynomial number of samples from $D_{L,r}$, solves $\mathrm{CVP}^{(p)}_{L^*, \alpha p/(\sqrt{2} r)}$.

Lemma 4.3.8 (Second part of the iterative step) There exists an efficient quantum algorithm that, given any n-dimensional lattice L, a number $d < \lambda_1(L^*)/2$, and an oracle that solves $\mathrm{CVP}_{L^*,d}$, outputs a sample from $D_{L, \sqrt{n}/(\sqrt{2} d)}$.

Proof: WLOG, let $d = \sqrt{n}$. Let $R \ge 2^{3n} \lambda_n(L^*)$ be a large enough integer.

• Step 1: Create the quantum state

$\sum_{x \in L^*/R \,\cap\, P(L^*)} \ \sum_{y \in L^*} \rho(x - y)\, |x\rangle$


• Step 2: Apply the Quantum Fourier Transform. The resulting state is

$\sum_{x \in L \,\cap\, P(RL)} \ \sum_{y \in RL} \rho(y - x)\, |x\rangle$

This state can be shown to be exponentially close to the state

$\sum_{x \in L,\ \|x\| < \sqrt{n}} \rho(x)\, |x \bmod P(RL)\rangle$

• Step 3: Measure this state and obtain $x \bmod P(RL)$ such that $\|x\| < \sqrt{n}$. Since it is within distance $\sqrt{n}$ of the lattice RL and $\lambda_1(RL) \ge 2^{3n}$, we can recover x using Babai's nearest plane algorithm[12]. The output of the algorithm is x. It is easy to see that the distribution of x is statistically exponentially close to $D_{L, 1/\sqrt{2}}$:
  – The probability of obtaining $x \in L$ with $\|x\| < \sqrt{n}$ is proportional to $\rho(x)^2 = \rho_{1/\sqrt{2}}(x)$.
  – By Lemma 4.2.5, an exponentially high fraction of $D_{L, 1/\sqrt{2}}$ lies within norm less than $\sqrt{n}$.
  – By the above two, the statistical distance between the two distributions is exponentially small. □

The only thing that remains is to show how to create the quantum state in Step 1. We do it as follows:

• Create a Gaussian state of width 1/R. This can be done using known techniques.

$\sum_{x \in L^*} \rho_{1/R}(x)\, |x\rangle = \sum_{x \in L^*/R} \rho(x)\, |x\rangle$

• By Lemma 4.2.5, this state is exponentially close to

$\sum_{x \in L^*/R,\ \|x\| < \sqrt{n}} \rho(x)\, |x\rangle$

• Similarly, create the state $x \bmod P(L^*)$ on a separate register and combine both states:

$\sum_{x \in L^*/R,\ \|x\| < \sqrt{n}} \rho(x)\, |x,\ x \bmod P(L^*)\rangle$

• Next, uncompute the first register to 0. We do this by applying the CVP oracle on the second register to recover x and subtracting it from the first register. This leaves us with

$\sum_{x \in L^*/R,\ \|x\| < \sqrt{n}} \rho(x)\, |x \bmod P(L^*)\rangle$

• It can be shown that the above state is exponentially close to the required state. □


Necessity of the Quantum Steps: We performed two tasks above quantumly. One is of course the well known Quantum Fourier Transform. The second task also shows the relation between two worst-case lattice problems, DGS and CVP. The task was that of uncomputing the first register. Usually, uncomputing is an irreversible step. But because we have access to a CVP oracle, this step can be made reversible and hence a quantum gate corresponding to it can be built. Using this gate, when we go from $|x, x + y\rangle$ to $|0, x + y\rangle$ we are essentially removing the entanglement between the two registers. This helps us get the elegant output after the QFT, i.e., samples from $\mathrm{DGS}_{r'}$. We don't know of any way to use the CVP oracle classically.

4.4 Public Key Cryptosystem

• Private Key (s): $s \in \mathbb{Z}_p^n$ chosen uniformly at random.
• Public Key $(a_i, b_i)_{i=1}^m$: each $a_i \in \mathbb{Z}_p^n$ chosen uniformly at random and independently. Choose $e_i \in \mathbb{Z}_p$ according to χ. Consequently, $b_i = \langle s, a_i \rangle + e_i \pmod p$.
• Encryption: To encrypt a bit, choose a set S uniformly at random from all $2^m$ subsets of [m]. The encryption is $\left(\sum_{i \in S} a_i,\ \sum_{i \in S} b_i\right)$ if the bit is 0 and $\left(\sum_{i \in S} a_i,\ \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} b_i\right)$ if the bit is 1.
• Decryption: The decryption of a pair (a, b) is 0 if $b - \langle s, a \rangle$ is closer to 0 than to $\lfloor \frac{p}{2} \rfloor$ modulo p. Otherwise it is 1.

Note that the public key size is $O(mn \log p) = O(n^2)$ and encryption increases the size of the message by a factor of $O(n \log p) = O(n)$. The public key size can be reduced using a simple idea by Ajtai[13]: if all users share some fixed, trusted, random choice of $a_1, \ldots, a_m$, then the key size reduces. As overhead, each user will only have to store their own choice of $b_1, \ldots, b_m$.
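As an added example that is not part of the report, the following Python code implements the four items above with toy parameters (n = 10, p = 257, m = 2(n+1)⌈log₂ p⌉, α = 0.01, all assumed here); the error distribution χ is taken as a Gaussian of standard deviation αp/√(2π) rounded to an integer, and a seeded RNG stands in for the uniform choices.

```python
import math
import random
from typing import List, Tuple

PublicKey = List[Tuple[List[int], int]]
Ciphertext = Tuple[List[int], int]

# Toy parameters assumed for this example; they give no real security, only a working scheme.
N, P, ALPHA = 10, 257, 0.01
M = 2 * (N + 1) * math.ceil(math.log2(P))   # m of the order (n+1) log p, as in Regev's paper


def inner_mod(u: List[int], v: List[int], p: int) -> int:
    return sum(x * y for x, y in zip(u, v)) % p


def sample_chi(alpha: float, p: int, rng: random.Random) -> int:
    """Error e_i in Z_p: a Gaussian of standard deviation alpha*p/sqrt(2*pi), rounded (assumed chi)."""
    return round(rng.gauss(0.0, alpha * p / math.sqrt(2 * math.pi))) % p


def keygen(rng: random.Random, n: int = N, m: int = M, p: int = P, alpha: float = ALPHA):
    """Private key s uniform in Z_p^n; public key (a_i, b_i) with b_i = <s, a_i> + e_i (mod p)."""
    s = [rng.randrange(p) for _ in range(n)]
    pk: PublicKey = []
    for _ in range(m):
        a = [rng.randrange(p) for _ in range(n)]
        pk.append((a, (inner_mod(s, a, p) + sample_chi(alpha, p, rng)) % p))
    return s, pk


def encrypt(pk: PublicKey, bit: int, rng: random.Random, p: int = P) -> Ciphertext:
    """Choose S uniformly among all 2^m subsets (each index in with probability 1/2), sum the
    chosen (a_i, b_i), and add floor(p/2) to the second component when the bit is 1."""
    n = len(pk[0][0])
    a_sum, b_sum = [0] * n, 0
    for a, b in pk:
        if rng.randrange(2):
            a_sum = [(x + y) % p for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % p
    if bit:
        b_sum = (b_sum + p // 2) % p
    return a_sum, b_sum


def decrypt(s: List[int], ct: Ciphertext, p: int = P) -> int:
    """0 if b - <s, a> is closer to 0 than to floor(p/2) on the circle Z_p, else 1.
    b - <s, a> equals the sum of the errors e_i over S (plus floor(p/2) for a 1-bit), so the
    result is correct as long as that error sum stays below p/4 in absolute value."""
    a, b = ct
    v = (b - inner_mod(s, a, p)) % p
    dist_to_zero = min(v, p - v)
    dist_to_half = min(abs(v - p // 2), p - abs(v - p // 2))
    return 0 if dist_to_zero < dist_to_half else 1


def roundtrip(bits: List[int], seed: int = 1) -> List[int]:
    """Encrypt each bit under one key pair and return the decrypted bits."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in bits]


if __name__ == "__main__":
    print(roundtrip([0, 1, 1, 0, 1, 0, 0, 1]))
```

With these parameters roughly m/2 ≈ 99 errors of standard deviation about 1 are summed per ciphertext, so the error sum has standard deviation near 10 against a decision threshold of p/4 ≈ 64; a larger α or m pushes the sum past the threshold and decryption starts to fail, which is why Regev ties α to 1/(√n log² n).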


References

[1] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.

[2] Integer factorization problem.

[3] Discrete logarithm problem.

[4] Elliptic curve discrete logarithm problem.

[5] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.

[6] Lance Fortnow. The status of the P versus NP problem.

[7] Lov Grover.

[8] Daniel J. Bernstein. Grover vs. McEliece.

[9] Miklos Ajtai. Generating hard instances of lattice problems.

[10] Ralph Merkle. A digital signature based on a conventional encryption function.

[11] Oded Regev. Lattices in computer science.

[12] L. Babai. On Lovász' and the nearest lattice point problem.

[13] Miklos Ajtai. Representing hard lattices with o(n log n) bits.
