The Learning with Error Problem Alexandre Duc LASEC, I&C, EPFL

EDIC RESEARCH PROPOSAL

Abstract—Every public-key cryptosystem relies on problems that are believed computationally hard. Most of the systems used in practice rely on the integer factorization problem or the discrete logarithm problem. However, these two problems can be solved in polynomial time on a quantum computer. It is, thus, important to develop secure alternatives in case quantum computers become practical. In this proposal, we study the Learning With Error (LWE) problem, which is a fundamental problem in lattice-based cryptography and was introduced by Regev in 2005. In particular, it possesses an elegant quantum reduction to well-studied problems on lattices like the Shortest Vector Problem (SVP). In 2010, Lyubashevsky et al. introduced the Ring-Learning With Error problem (Ring-LWE), an algebraic variant of the problem. Applications based on this problem have the advantage of being much more practical. On the other hand, its hardness relies on less general problems, namely on problems on ideal lattices. We propose to analyze further the hardness of the (Ring-)LWE problem as well as the algorithms used to solve it. Another goal is to design a new cryptosystem based on the LWE problem.

Index Terms—Cryptography, Learning With Error, Learning from Parity with Noise, lattices, Shortest Vector Problem, post-quantum cryptography.

Proposal submitted to committee: June 06th, 2012; Candidacy exam date: June 13th, 2012; Candidacy exam committee: Emre Telatar, Serge Vaudenay, Arjen Lenstra.
This research plan has been approved: Date; Doctoral candidate (name and signature); Thesis director (name and signature); Thesis co-director, if applicable (name and signature); Doct. prog. director, R. Urbanke (signature). EDIC-ru/05.05.2009

I. INTRODUCTION

Before defining the LWE problem and its reductions precisely, we first introduce some necessary notations, definitions and results about lattices and, more generally, in cryptography.

A. Preliminaries

Given $x \in \mathbb{R}$, we write $\lfloor x \rceil \in \mathbb{Z}$ for the integer closest to $x$; in case of a tie, we select the smaller one. A function $\epsilon: \mathbb{N} \to \mathbb{R}$ is called negligible if for every constant $c \in \mathbb{R}_{>0}$ there exists $k_0 \in \mathbb{N}$ such that $\epsilon(k) < k^{-c}$ for all $k > k_0$. The open unit ball over $\mathbb{R}^n$ is denoted by $\mathcal{B}_n$ and is defined as $\mathcal{B}_n := \{x \in \mathbb{R}^n : \|x\| < 1\}$. The statistical distance between two distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ over a countable domain $S$ is defined as
\[
\Delta(\mathcal{D}_1, \mathcal{D}_2) := \max_{A \subseteq S} \Big| \sum_{x \in A} \big(\mathcal{D}_1(x) - \mathcal{D}_2(x)\big) \Big| .
\]
Given a probability distribution $\mathcal{D}$ over a countable domain $S$, we define its min-entropy as $H_\infty(\mathcal{D}) := \min_{i \in S} \{-\log \mathcal{D}(i)\}$. We say that two distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ over a domain $S$ are statistically $\epsilon$-indistinguishable if for every $A \subseteq S$, $\big|\sum_{x \in A} (\mathcal{D}_1(x) - \mathcal{D}_2(x))\big| < \epsilon$, i.e., if $\Delta(\mathcal{D}_1, \mathcal{D}_2) < \epsilon$. We will use the following lemma.

Lemma 1 (Leftover Hash Lemma [1]). Let $\mathcal{D}$ be a distribution, let $\epsilon > 0$ and let $\ell \le H_\infty(\mathcal{D}) - 2\log(1/\epsilon)$. Let $\mathcal{H}$ be a universal family of hash functions with a range of $\ell$ bits, i.e., for all $x \ne x'$, $\Pr_{h \in \mathcal{H}}[h(x) = h(x')] = 1/2^\ell$. Then $(h(\mathcal{D}), h)$ and $(U, h)$, where $U$ is the uniform distribution, are statistically $\epsilon$-indistinguishable.

We will use Lemma 1 in the following, and we will take as a universal family of hash functions the random matrices in $\mathbb{Z}_q^{\ell \times n}$.

1) Gaussian Distribution: Given $s > 0$, we denote the Gaussian function over $\mathbb{R}^n$ by
\[
\rho_s(x) := \exp\big(-\pi \|x/s\|^2\big).
\]
We denote by $\nu_s$ the Gaussian probability density function with parameter $s > 0$, defined by $\nu_s(x) := \rho_s(x)/s^n$. Given a countable set $A \subset \mathbb{R}^n$ and a parameter $s > 0$, we define the discrete Gaussian distribution $D_{A,s}$ as
\[
D_{A,s}(x) := \frac{\rho_s(x)}{\sum_{y \in A} \rho_s(y)} \quad \text{for } x \in A.
\]
We will typically take this distribution over a lattice. Finally, for $\beta \in \mathbb{R}^+$, we denote by $\Psi_\beta$ the probability distribution over $\mathbb{R}/(q\mathbb{Z})$ obtained by sampling a normal variable with zero mean and standard deviation $\beta q/\sqrt{2\pi}$ and reducing the result modulo $q$, i.e.,
\[
\Psi_\beta(r) := \sum_{k=-\infty}^{\infty} \frac{1}{\beta q} \exp\left(-\pi \left(\frac{r - kq}{\beta q}\right)^2\right) \quad \text{for } r \in [0, q).
\]
We also define the discretization $\bar{\Psi}_\beta$ of $\Psi_\beta$, which is obtained by sampling a normal variable with mean $0$ and standard deviation $\beta q/\sqrt{2\pi}$, rounding the result to the nearest integer and reducing it modulo $q$.

2) Lattices: We denote the standard inner product over $\mathbb{R}^n$ by $\langle \cdot, \cdot \rangle$. A (full rank) lattice $L$ in $\mathbb{R}^n$ is a discrete additive subgroup of $\mathbb{R}^n$ generated by all integer combinations of $n$ linearly independent vectors. We call this set of vectors $B := \{v_1, \ldots, v_n\}$ a basis of the lattice. Note that this basis is not unique. Two bases $B$ and $B'$ are called equivalent iff $B' = BU$ with $U$ a unimodular $n \times n$ matrix, i.e., an integer matrix whose determinant is equal to $\pm 1$. Two equivalent bases generate the same lattice. Given a basis $\{v_1, \ldots, v_n\}$ of a lattice $L$, the set of points in $\mathbb{R}^n$ belonging to the lattice is
\[
L(v_1, \ldots, v_n) := \Big\{ \sum_{i=1}^n k_i v_i : k_1, \ldots, k_n \in \mathbb{Z} \Big\}.
\]

We denote the Gram-Schmidt orthogonalization of a basis $B := \{v_1, \ldots, v_n\}$ by $\tilde{B} := \{\tilde{v}_1, \ldots, \tilde{v}_n\}$. The vectors $\tilde{v}_i$ are defined iteratively as follows: $\tilde{v}_1 = v_1$ and
\[
\tilde{v}_i = v_i - \sum_{j=1}^{i-1} \frac{\langle v_i, \tilde{v}_j \rangle}{\langle \tilde{v}_j, \tilde{v}_j \rangle}\, \tilde{v}_j \quad \text{for } i \in [2, n].
\]
Note that the Gram-Schmidt basis is usually not a basis of the lattice.

The dual of a lattice $L$ is denoted by $L^*$. It is defined as
\[
L^* := \{ x \in \mathbb{R}^n : \langle x, y \rangle \in \mathbb{Z} \ \ \forall y \in L \},
\]
i.e., it is the set of all vectors whose inner product with any lattice vector is an integer. For instance, the dual of $L = \mathbb{Z}^n$ is $L^* = \mathbb{Z}^n$ and the dual of $L = 2\mathbb{Z}$ is $L^* = (1/2)\mathbb{Z}$. Let $B = \{b_1, \ldots, b_n\}$ be a basis of $L$ and $B^* = \{b_1^*, \ldots, b_n^*\}$ its dual basis (so that $\langle b_i, b_j^* \rangle$ is $1$ if $i = j$ and $0$ otherwise), which is a basis of $L^*$. If $\tilde{b}_i^*$ denotes the $i$-th Gram-Schmidt vector of the dual basis taken in reverse order, $\{b_n^*, \ldots, b_1^*\}$, the following relation holds:
\[
\tilde{b}_i^* = \frac{\tilde{b}_{n-i+1}}{\|\tilde{b}_{n-i+1}\|^2} .
\]
This implies that the norm of a Gram-Schmidt basis vector is inversely proportional to the norm of a Gram-Schmidt basis vector of the dual lattice if we take the vectors in reverse order.

Given a basis $B = \{v_1, \ldots, v_n\}$ of a lattice $L$, we define the fundamental parallelepiped $\mathcal{P}(B)$ as the half-open parallelepiped
\[
\mathcal{P}(B) := \Big\{ \sum_{i=1}^n \alpha_i v_i : \alpha_1, \ldots, \alpha_n \in [0, 1) \Big\}.
\]
The volume of any fundamental parallelepiped of a lattice $L$ is invariant under the choice of the basis. We call it the determinant of the lattice, $\det(L)$. We denote the $\ell_2$-length of one of the shortest non-zero vectors of a lattice $L$ by $\lambda_1(L)$. Similarly, we denote by $\lambda_k(L)$ the smallest radius of an $\ell_2$-ball containing $k$ linearly independent lattice vectors.

We can now state a useful lemma.

Lemma 2. For a lattice $L$ we have $\lambda_1(L) \ge \min_i \|\tilde{b}_i\|$ for the Gram-Schmidt orthogonalization $\tilde{B}$ of any basis $B$ of $L$.

An LLL-reduced basis [2] can be seen as a basis for which the Gram-Schmidt vectors do not decrease too quickly. A basis $B = \{b_1, \ldots, b_n\}$ is LLL-reduced if it is size-reduced, i.e.,
\[
\left| \frac{\langle b_i, \tilde{b}_j \rangle}{\langle \tilde{b}_j, \tilde{b}_j \rangle} \right| \le \frac{1}{2} \quad \text{for all } 1 \le j < i \le n,
\]
and it satisfies the Lovász condition
\[
\frac{3}{4}\, \|\tilde{b}_i\|^2 \le \left\| \frac{\langle b_{i+1}, \tilde{b}_i \rangle}{\langle \tilde{b}_i, \tilde{b}_i \rangle}\, \tilde{b}_i + \tilde{b}_{i+1} \right\|^2 \quad \text{for } 1 \le i < n.
\]
Such a basis verifies $\|\tilde{b}_{i+1}\|^2 \ge \frac{1}{2} \|\tilde{b}_i\|^2$ (the coefficient of $\tilde{b}_i$ in the Lovász condition is at most $1/2$ in absolute value and $\tilde{b}_i \perp \tilde{b}_{i+1}$), hence $\|\tilde{b}_i\|^2 \ge 2^{-(i-1)} \|b_1\|^2$ for every $i$. Note that, by Lemma 2, this enforces $\lambda_1(L) \ge 2^{-(n-1)/2} \|b_1\|$, i.e., $\|b_1\| \le 2^{(n-1)/2} \lambda_1(L)$.

The LLL algorithm introduced by Lenstra, Lenstra and Lovász finds an LLL-reduced basis in polynomial time. It thus permits to find an exponential approximation of the shortest vector in the lattice.

For a lattice $L$ and $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(L)$ is defined as the smallest $r > 0$ such that $\rho_{1/r}(L^* \setminus \{0\}) \le \epsilon$. Many technical results were proven for the smoothing parameter in [3], [4], and we provide in this proposal an informal description of some of them. The first result, from Micciancio and Regev [4], shows that if we choose a random lattice point and add continuous Gaussian noise $\nu_s$ with $s > \eta_\epsilon(L)$, then the resulting distribution, reduced modulo the lattice, is within statistical distance $\epsilon$ of the uniform distribution on $\mathbb{R}^n / L$ (i.e., on a fundamental parallelepiped of $L$). Finally, they show the following lemmas.

Lemma 3 ([4, Lemma 3.2 and 3.3]). For any $n$-dimensional lattice $L$ and $\epsilon > 0$,
\[
\eta_{2^{-n}}(L) \le \frac{\sqrt{n}}{\lambda_1(L^*)}
\quad \text{and} \quad
\eta_\epsilon(L) \le \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \times \lambda_n(L).
\]

We will need to sample from discrete Gaussian distributions over a lattice $L$ in an efficient way. The following proposition was shown by Gentry et al.

Proposition 1 ([5, Theorem 4.1]). There exists a probabilistic polynomial time (ppt) algorithm that, given any basis $B$ of a lattice $L$ and any $r \ge \max_i \|\tilde{b}_i\| \times \omega(\sqrt{\log n})$, outputs a sample that is within negligible statistical distance of $D_{L,r}$.

B. Hard Problems on Lattices

In this section, we introduce several hard problems on lattices on which lattice-based cryptosystems rely.

1) Shortest Vector Problem: The first problem we introduce is the Shortest Vector Problem (SVP), which consists in finding one of the shortest vectors in a lattice.

Definition 1 (Shortest Vector Problem). The Shortest Vector Problem ($\mathrm{SVP}_L$) for a lattice $L$ consists, given a basis $B$ of $L$, in returning a vector $x \in L$ such that $\|x\| = \lambda_1(L)$.

For a function $\gamma(n) \ge 1$, the corresponding approximation problem is
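The following Python program is an added example, not part of the original proposal, illustrating the notions of Section A (statistical distance, min-entropy, statistical $\epsilon$-indistinguishability and Lemma 1) with the universal family used later in the proposal, random matrices over $\mathbb{Z}_q$, for parameters small enough that the whole family can be enumerated and the distance $\Delta((h(\mathcal{D}), h), (U, h))$ computed exactly. The source distribution in demo() is constructed and all function names are ours. Note that the matrix family is universal only for prime $q$; for $q = 4$ the exhaustive check fails, since a difference $x - x'$ that is a zero divisor collides more often than $q^{-\ell}$.

```python
"""Statistical distance, min-entropy and the leftover hash lemma (Lemma 1)
instantiated with random matrices over Z_q as the universal family.
Added example, not from the original proposal; the source distribution
built in demo() is constructed."""
import itertools
import math
from collections import Counter
from fractions import Fraction


def statistical_distance(d1, d2):
    """Delta(D1, D2) = max_{A subset S} |sum_{x in A} (D1(x) - D2(x))|.
    The maximum is attained by A = {x : D1(x) > D2(x)}, so it equals the
    sum of the positive differences (half the L1 distance)."""
    support = set(d1) | set(d2)
    return sum(max(Fraction(0), d1.get(x, Fraction(0)) - d2.get(x, Fraction(0)))
               for x in support)


def min_entropy(d):
    """H_inf(D) = min_i (-log2 D(i)) = -log2 of the largest probability."""
    return -math.log2(max(d.values()))


def mat_vec_mod(a, x, q):
    """h_A(x) = A x mod q for an ell x n matrix A over Z_q."""
    return tuple(sum(ai * xi for ai, xi in zip(row, x)) % q for row in a)


def all_matrices(ell, n, q):
    """Enumerate the whole family Z_q^{ell x n} (only feasible for tiny parameters)."""
    for entries in itertools.product(range(q), repeat=ell * n):
        yield tuple(tuple(entries[i * n:(i + 1) * n]) for i in range(ell))


def is_universal(ell, n, q):
    """Universality: Pr_A[A x = A x'] = q^{-ell} for every pair x != x' in Z_q^n.
    True for prime q; for composite q the check fails (e.g. q = 4, x - x' = (2, 0))."""
    mats = list(all_matrices(ell, n, q))
    target = Fraction(1, q ** ell)
    for x, x2 in itertools.combinations(itertools.product(range(q), repeat=n), 2):
        collisions = sum(1 for a in mats if mat_vec_mod(a, x, q) == mat_vec_mod(a, x2, q))
        if Fraction(collisions, len(mats)) != target:
            return False
    return True


def lhl_distance(src, ell, q):
    """Exact Delta((h(D), h), (U, h)) for D = src and h uniform over all
    ell x n matrices mod q; this is the quantity Lemma 1 bounds by eps."""
    n = len(next(iter(src)))
    mats = list(all_matrices(ell, n, q))
    p_mat = Fraction(1, len(mats))
    joint = Counter()
    for a in mats:
        for x, px in src.items():
            joint[(a, mat_vec_mod(a, x, q))] += p_mat * px
    uniform = {(a, y): p_mat * Fraction(1, q ** ell)
               for a in mats for y in itertools.product(range(q), repeat=ell)}
    return statistical_distance(joint, uniform)


def lhl_epsilon(src, ell):
    """Smallest eps permitted by Lemma 1's condition ell <= H_inf(D) - 2 log2(1/eps)."""
    return 2.0 ** (-(min_entropy(src) - ell) / 2)


def demo():
    """Constructed source: uniform over the 8 vectors of Z_2^4 whose first
    coordinate is 0 (H_inf = 3 bits), hashed by a random 1 x 4 matrix mod 2."""
    q, n, ell = 2, 4, 1
    src = {x: Fraction(1, 8) for x in itertools.product(range(q), repeat=n) if x[0] == 0}
    return is_universal(ell, n, q), lhl_distance(src, ell, q), lhl_epsilon(src, ell)
```

For the constructed source, demo() returns universality, the exact distance $1/16$ (only the two matrices whose last three entries vanish map the whole support to $0$) and the bound $\epsilon = 1/2$ from Lemma 1, so the lemma's guarantee holds with room to spare; a source concentrated on two points (one bit of min-entropy) hashed to one bit already sits at distance $1/4$ from uniform, which is why the min-entropy slack of $2\log(1/\epsilon)$ bits is needed.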
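As an added example (not part of the original proposal) for the error distributions $\Psi_\beta$ and $\bar{\Psi}_\beta$ defined in Section A.1, the following Python code evaluates the wrapped density of $\Psi_\beta$ from the formula above, computes the exact probability mass function of $\bar{\Psi}_\beta$ on $\mathbb{Z}_q$ from the normal cumulative distribution function, and implements the sampler literally as defined (draw a normal variable, round, reduce modulo $q$). The parameters $q = 97$, $\beta = 0.02$ in demo() are constructed for illustration; Python's round() breaks ties to even rather than to the smaller integer as $\lfloor \cdot \rceil$ does, which differs only on a set of measure zero.

```python
"""The LWE error distributions Psi_beta (a Gaussian wrapped modulo q) and its
discretization \bar{Psi}_beta (round, then reduce modulo q).
Added example, not from the original proposal; demo() uses constructed parameters."""
import math
import random


def normal_sigma(beta, q):
    """Standard deviation beta*q/sqrt(2 pi) shared by both distributions."""
    return beta * q / math.sqrt(2 * math.pi)


def psi_density(r, beta, q, terms=20):
    """Psi_beta(r) = sum_k (1/(beta q)) exp(-pi ((r - k q)/(beta q))^2), r in [0, q).
    The sum is truncated to |k| <= terms; the dropped terms are below
    exp(-pi (terms/beta)^2), negligible for the small beta used in LWE."""
    s = beta * q
    return sum(math.exp(-math.pi * ((r - k * q) / s) ** 2)
               for k in range(-terms, terms + 1)) / s


def integrate_density(beta, q, steps=20000):
    """Midpoint-rule integral of Psi_beta over [0, q); a density must give 1."""
    h = q / steps
    return sum(psi_density((i + 0.5) * h, beta, q) for i in range(steps)) * h


def psi_bar_pmf(beta, q, terms=20):
    """Exact pmf of \bar{Psi}_beta on Z_q: residue r collects the normal mass of every
    interval [k q + r - 1/2, k q + r + 1/2), evaluated with the error function."""
    sigma = normal_sigma(beta, q)

    def cdf(t):
        return 0.5 * (1.0 + math.erf(t / (sigma * math.sqrt(2.0))))

    return [sum(cdf(k * q + r + 0.5) - cdf(k * q + r - 0.5)
                for k in range(-terms, terms + 1)) for r in range(q)]


def sample_psi_bar(beta, q, rng):
    """One draw from \bar{Psi}_beta as defined: N(0, sigma^2), round, reduce mod q.
    (round() uses ties-to-even, a measure-zero difference from the text's convention.)"""
    return round(rng.gauss(0.0, normal_sigma(beta, q))) % q


def empirical_pmf(beta, q, draws, seed=2012):
    """Monte-Carlo estimate of the pmf from the sampler (seeded, hence reproducible)."""
    rng = random.Random(seed)
    counts = [0] * q
    for _ in range(draws):
        counts[sample_psi_bar(beta, q, rng)] += 1
    return [c / draws for c in counts]


def demo(beta=0.02, q=97, draws=20000):
    """Constructed parameters: sigma ~ 0.77, so almost all of the error mass sits on
    the residues {q-2, q-1, 0, 1, 2}, i.e. on small signed errors."""
    exact = psi_bar_pmf(beta, q)
    est = empirical_pmf(beta, q, draws)
    return {
        "density_integral": integrate_density(beta, q),
        "pmf_total": sum(exact),
        "mass_on_small_errors": sum(exact[r] for r in (q - 2, q - 1, 0, 1, 2)),
        "max_sampler_deviation": max(abs(a - b) for a, b in zip(exact, est)),
    }
```

The pmf is symmetric, $\bar{\Psi}_\beta(r) = \bar{\Psi}_\beta(q - r)$, and peaks at $0$, which is what an LWE decryption routine relies on when it decides whether a noisy inner product is closer to $0$ or to $q/2$.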
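The following Python program, added here and not part of the original proposal, implements the Gram-Schmidt orthogonalization of Section A.2, the lattice determinant as a product of Gram-Schmidt norms, the two LLL conditions, the LLL algorithm itself and a brute-force search for $\lambda_1$, all in exact rational arithmetic, and checks Lemma 2 and the bound $\|b_1\| \le 2^{(n-1)/2}\lambda_1(L)$ on a constructed 3-dimensional lattice. The skewed basis in demo() is constructed; the brute force for $\lambda_1$ is only meaningful for such tiny lattices and is run on the reduced basis, where the shortest vector has small coefficients.

```python
"""Gram-Schmidt orthogonalization, lattice determinant, Lemma 2 and LLL reduction
(size reduction plus the Lovasz condition with delta = 3/4) in exact rational
arithmetic. Added example, not from the original proposal; the basis in demo()
is constructed and lambda1_squared() is a brute force for tiny lattices only."""
import itertools
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """b~_1 = b_1 and b~_i = b_i - sum_{j<i} mu_ij b~_j, mu_ij = <b_i, b~_j>/<b~_j, b~_j>.
    Returns (b~, mu)."""
    n = len(basis)
    gs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = Fraction(dot(b, gs[j])) / dot(gs[j], gs[j])
            v = [vi - mu[i][j] * gj for vi, gj in zip(v, gs[j])]
        gs.append(v)
    return gs, mu


def det_squared(basis):
    """det(L)^2 = prod_i ||b~_i||^2, the squared volume of the fundamental
    parallelepiped; invariant under unimodular changes of basis."""
    sq = Fraction(1)
    for g in gram_schmidt(basis)[0]:
        sq *= dot(g, g)
    return sq


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Size-reduced (|mu_ij| <= 1/2 for j < i) and, for every i < n, the Lovasz
    condition delta ||b~_i||^2 <= mu_{i+1,i}^2 ||b~_i||^2 + ||b~_{i+1}||^2."""
    gs, mu = gram_schmidt(basis)
    n = len(basis)
    size_reduced = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz = all(dot(gs[i + 1], gs[i + 1]) >= (delta - mu[i + 1][i] ** 2) * dot(gs[i], gs[i])
                 for i in range(n - 1))
    return size_reduced and lovasz


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL: size-reduce b_k against b_{k-1}, ..., b_1 (unimodular operations,
    so the lattice is unchanged), then accept b_k or swap it with b_{k-1} when the
    Lovasz condition fails and step back. Terminates since det^2 is fixed and the
    potential prod ||b~_i||^{2(n-i)} drops by a factor delta at every swap."""
    b = [list(v) for v in basis]
    n = len(b)
    gs, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):
            r = round(mu[k][j])          # nearest integer to mu_kj
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                gs, mu = gram_schmidt(b)
        if dot(gs[k], gs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(gs[k - 1], gs[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            gs, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def lambda1_squared(basis, bound=5):
    """Brute-force lambda_1(L)^2 over coefficient vectors in [-bound, bound]^n."""
    best = None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        if any(coeffs):
            v = [sum(c * row[t] for c, row in zip(coeffs, basis)) for t in range(len(basis[0]))]
            nv = dot(v, v)
            if best is None or nv < best:
                best = nv
    return best


def demo():
    """Constructed skewed basis of a 3-dimensional lattice with det(L) = -3."""
    skewed = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]
    reduced = lll_reduce(skewed)
    gs, _ = gram_schmidt(reduced)
    lam1_sq = lambda1_squared(reduced)
    n = len(reduced)
    return {
        "reduced": reduced,
        "lambda1_squared": lam1_sq,
        "det_preserved": det_squared(skewed) == det_squared(reduced),
        "lll_reduced": is_lll_reduced(reduced),
        "lemma2": min(dot(g, g) for g in gs) <= lam1_sq,                      # min ||b~_i||^2 <= lambda_1^2
        "b1_bound": dot(reduced[0], reduced[0]) <= 2 ** (n - 1) * lam1_sq,   # ||b_1||^2 <= 2^(n-1) lambda_1^2
    }
```

On the constructed basis the input is not LLL-reduced (the third vector has Gram-Schmidt coefficient $14/3$ against the first), LLL returns a basis whose first vector is $(0, \pm 1, 0)$, so here $\|b_1\| = \lambda_1(L) = 1$, well inside the $2^{(n-1)/2}$ factor; the determinant $\det(L)^2 = 9$ is unchanged, as it must be for equivalent bases. Recomputing the full Gram-Schmidt after every operation keeps the code short at the cost of an extra factor $n$ in running time, which is irrelevant at this size.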
