On the Concrete Hardness of Learning with Errors

Martin R. Albrecht (@martinralbrecht), joint work with Rachel Player and Sam Scott. ACE Seminar, UCL, May 7, 2015. Information Security Group, Royal Holloway, University of London.

outline
∙ Learning With Errors
∙ Strategies and Algorithms
∙ Lattice Reduction
∙ Estimator
∙ Conclusion

Section: Learning With Errors

lattice-based cryptography
Lattice. A lattice is a discrete additive subgroup of $\mathbb{R}^m$.
Basis. Let $B = \{b_1, \dots, b_m\}$ be a set of $m$ linearly independent vectors in $\mathbb{R}^m$. Then $L(B) = \{\sum_{i=1}^m x_i b_i \mid x_i \in \mathbb{Z}\}$ is the lattice generated by this basis.
Dual lattice. Given a lattice $L(B) \subset \mathbb{R}^m$, define its dual as $\{x \in \mathbb{R}^m \mid xB \in \mathbb{Z}^m\}$. We'll only use scaled-by-$q$ dual lattices, i.e. $\{x \in \mathbb{Z}^m \mid xB \equiv 0 \pmod q\}$.

learning with errors
The Learning with Errors (LWE) problem was defined by Oded Regev [Reg05].
∙ Suppose a public matrix $A$ and a secret vector $s$.
∙ If we were also given $b = As$ we could compute $s$ by linear algebra.
∙ Now imagine this is noisy: $c = As + e$ with $e$ small.
∙ From $A$ and $c$ can we find $s$? Was $c$ even computed this way?

learning with errors
Given $(A, c)$ with $c \in \mathbb{Z}_q^m$, $A \in \mathbb{Z}_q^{m \times n}$, $s \in \mathbb{Z}_q^n$ and $e \in \mathbb{Z}_q^m$, do we have
$$c = A \times s + e \qquad \text{or} \qquad c \leftarrow_{\$} U(\mathbb{Z}_q^m)\,?$$

parameters
∙ dimension $n$,
∙ modulus $q$ (e.g. $q \approx n^2$),
∙ noise size $\alpha$ (e.g. $\alpha q \approx \sqrt{n}$),
∙ number of samples $m$.
∙ Elements of $A, s, e, c$ are in $\mathbb{Z}_q$.
∙ $e$ is sampled from a discrete Gaussian with width $\sigma = \alpha q / \sqrt{2\pi}$.
(Figure: probability mass of the discrete Gaussian, $\Pr$ against $x \in [-10, 10]$.)

search and decision
Search LWE. From samples $(A, c)$ recover $s$.
Decision LWE. Determine if samples $(A, c)$ are LWE or uniformly random.
These problems are polynomial-time equivalent.

lwe normal form
Given samples $(a, c) = (a, \langle a, s \rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ with $a \leftarrow U(\mathbb{Z}_q^n)$, $e \leftarrow D_{\alpha q, 0}$ and $s \in \mathbb{Z}_q^n$, we can construct samples $(a, c) = (a, \langle a, e \rangle + e') \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ with $a \leftarrow U(\mathbb{Z}_q^n)$, $e' \leftarrow D_{\alpha q, 0}$ and $e$ such that all components $e_i \leftarrow D_{\alpha q, 0}$, in polynomial time. In other words, the secret can be assumed to follow the error distribution.

switching moduli
Let $(a, c) = (a, \langle a, s \rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ be an LWE sample and
$$p \approx \sqrt{\frac{2\pi n}{12}} \cdot \frac{\sigma_s}{\alpha},$$
where $\sigma_s$ is the standard deviation of the components of the secret $s$. If $p < q$ then
$$\left( \left\lfloor \frac{p}{q} \cdot a \right\rceil,\ \left\lfloor \frac{p}{q} \cdot c \right\rceil \right) \in \mathbb{Z}_p^n \times \mathbb{Z}_p$$
follows a distribution close to an LWE distribution with parameters $n, \sqrt{2}\alpha, p$.

why care?
Learning With Errors
∙ is assumed to be a hard problem like discrete logarithms, factoring, etc.
∙ reduces to hard problems on lattices, such as GapSVP.
∙ is assumed to have resistance against quantum computers, unlike discrete logarithms and factoring.
∙ is remarkably versatile for constructing cryptographic schemes.

applications
Identity-based encryption [GPV08]. Ciphertexts are of the form
$$(p, c) = (As + e,\ u \cdot s + e' + b \cdot \lfloor q/2 \rfloor)$$
where $H(\mathrm{id}) = u = x^T A$ is the public key for the private key $x$. Decryption is done by
$$c - \langle x, p \rangle = -\langle x, e \rangle + e' + b \cdot \lfloor q/2 \rfloor.$$

applications
Fully homomorphic encryption [BV11, AFFP11]. Think of LWE encryptions
$$(a_i, c_i) = (a_i,\ \langle a_i, s \rangle + e_i + b_i \lfloor q/2 \rfloor)$$
as noisy linear polynomials $-c_i + \sum_j a_{ij} x_j$. Add, multiply and decrypt as usual.

how hard is lwe?
Given $n$ (and $\alpha$, $q$) how many operations does it take to solve?
∙ Problem 1. Algorithms/attacks are not well understood in terms of concrete running times.
  ∙ Runtimes are given asymptotically.
  ∙ Algorithms are better in practice than the theoretical bounds.
  ∙ Many heuristic assumptions.
∙ Problem 2. Many variables.
  ∙ dimension, modulus, secret size
  ∙ distribution of the secret
  ∙ number of samples available to an attacker
  ∙ variants of the problem (e.g. small secrets, BinaryError-LWE)

what do people do currently?
Often, in the literature, the following assumptions were made when estimating the concrete security of an LWE-based scheme:
∙ the best attack is a lattice-based distinguishing attack;
∙ BKZ runs in roughly the time given in [LP11];
∙ the use of a small secret makes no difference for attacks.
All three of these assumptions turn out not to be correct.

so, what did we do?
∙ Overview the strategies for attacking LWE.
∙ Analyse and present running times.
∙ Produce concrete estimates for attack timings for parameter sets.
The estimation code is available as a Sage module.

Section: Strategies and Algorithms

strategies for solving lwe
(Diagram of strategies; its nodes are: Recover $s$ via BDD in $L(A)$ (Dec, Kannan); Distinguish via SIS in the dual of $L(A)$; BKW; Guess; Arora-GB; Lattice Reduction; SVP Oracle.)

arora-gb
∙ The error is from a small subset of $\mathbb{Z}_q$, say $(-\tau \cdot \sigma, \dots, \tau \cdot \sigma)$.
∙ Each candidate gives rise to one linear equation.
∙ Construct equations of degree $2\tau\sigma + 1$ encoding that one of these linear equations must hold.
∙ Solve the system using Gröbner bases.
(Figure: probability mass of the error against $x \in [-15, 15]$.)

arora-gb
Arora-Ge (linearisation) with $\sigma = \sqrt{n}$:
$$O\!\left(2^{\omega n \log(8 n \log n) - \omega n \log n}\right)$$
Gröbner bases with $\sigma = \sqrt{n}$:
$$O\!\left(2^{2.82\,\omega n}\right)$$
under some regularity assumption.
M.A., Carlos Cid, Jean-Charles Faugère, and Ludovic Perret. Algebraic algorithms for LWE. Cryptology ePrint Archive, Report 2014/1018, 2014. http://eprint.iacr.org/2014/1018.

what is sis?
Short Integer Solutions (SIS). Given $q \in \mathbb{Z}$, a matrix $B$, and $t < q$; find $y$ with $0 < \|y\| \le t$ and $yB \equiv 0 \pmod q$.
∙ Recall the dual lattice: $L^* = \{x \in \mathbb{R}^m \mid xB \in \mathbb{Z}^m\}$.
∙ Then the scaled dual lattice $qL^*$ has the property that $xB \equiv 0 \pmod q$ for all $x \in qL^*$.
∙ Therefore, finding a short vector of $qL^*$ is equivalent to solving SIS on $B$.

strategy
∙ Find a short $y$ solving SIS on $A$.
∙ Given LWE samples $A, c$ where either $c = As + e$ or $c$ is uniformly random.
∙ Compute $\langle y, c \rangle$.
∙ If $c = As + e$, then $\langle y, c \rangle = \langle yA, s \rangle + \langle y, e \rangle \equiv \langle y, e \rangle \pmod q$.
∙ If $c$ is uniformly random, so is $\langle y, c \rangle$.
∙ If $y$ is sufficiently short, since $e$ is also small, then $\langle y, e \rangle$ will also be short, and can be distinguished from uniform values.

distinguish (lattice reduction)
A reduced lattice basis is made of short vectors, in particular the first vector.
1. Construct a basis of the dual from the instance.
2. Feed it to a lattice reduction algorithm to obtain short vectors $v_i$.
3. Check whether the $\langle v_i, c \rangle$ are small.
Daniele Micciancio and Oded Regev. Lattice-based cryptography. In Bernstein et al. [BBD09], pages 147–191.

bkw algorithm
We revisit Gaussian elimination:
$$\begin{pmatrix} a_{11} & a_{12} & a_{13} & \cdots & a_{1n} & c_1 \\ a_{21} & a_{22} & a_{23} & \cdots & a_{2n} & c_2 \\ \vdots & & & \ddots & & \vdots \\ a_{m1} & a_{m2} & a_{m3} & \cdots & a_{mn} & c_m \end{pmatrix} \stackrel{?}{=} \begin{pmatrix} a_{11} & a_{12} & a_{13} & \cdots & a_{1n} & \langle a_1, s \rangle + e_1 \\ a_{21} & a_{22} & a_{23} & \cdots & a_{2n} & \langle a_2, s \rangle + e_2 \\ \vdots & & & \ddots & & \vdots \\ a_{m1} & a_{m2} & a_{m3} & \cdots & a_{mn} & \langle a_m, s \rangle + e_m \end{pmatrix}$$

bkw algorithm
Eliminating the first column with the first row gives
$$\Rightarrow \begin{pmatrix} a_{11} & a_{12} & a_{13} & \cdots & a_{1n} & \langle a_1, s \rangle + e_1 \\ 0 & \tilde a_{22} & \tilde a_{23} & \cdots & \tilde a_{2n} & \langle \tilde a_2, s \rangle + e_2 - \frac{a_{21}}{a_{11}} e_1 \\ \vdots & & & \ddots & & \vdots \\ 0 & \tilde a_{m2} & \tilde a_{m3} & \cdots & \tilde a_{mn} & \langle \tilde a_m, s \rangle + e_m - \frac{a_{m1}}{a_{11}} e_1 \end{pmatrix}$$
∙ $\frac{a_{i1}}{a_{11}}$ is essentially random in $\mathbb{Z}_q$, wiping all "smallness" of the error.
∙ If $\frac{a_{i1}}{a_{11}}$ is $1$, the noise size only doubles because of the addition.

bkw algorithm
We consider $a \approx \log n$ "blocks" of $b$ elements each:
$$\begin{pmatrix} a_{11} & a_{12} & a_{13} & \cdots & a_{1n} & c_1 \\ a_{21} & a_{22} & a_{23} & \cdots & a_{2n} & c_2 \\ \vdots & & & \ddots & & \vdots \\ a_{m1} & a_{m2} & a_{m3} & \cdots & a_{mn} & c_m \end{pmatrix}$$

bkw algorithm
For each block we build a table of all $q^b$ possible values, indexed by $\mathbb{Z}_q^b$ (shown here for $b = 2$):
$$T^0 = \begin{pmatrix} -\lfloor q/2 \rfloor & -\lfloor q/2 \rfloor & t_{13} & \cdots & t_{1n} & c_{t,0} \\ -\lfloor q/2 \rfloor & -\lfloor q/2 \rfloor + 1 & t_{23} & \cdots & t_{2n} & c_{t,1} \\ \vdots & & & \ddots & & \vdots \\ \lfloor q/2 \rfloor & \lfloor q/2 \rfloor & t_{q^2 3} & \cdots & t_{q^2 n} & c_{t,q^2} \end{pmatrix}$$
For each $z \in \mathbb{Z}_q^b$ find a row in $A$ which contains $z$ as a subvector at the target indices.

bkw algorithm
$$\begin{pmatrix} a_{11} & a_{12} & a_{13} & \cdots & a_{1n} & c_1 \\ a_{21} & a_{22} & a_{23} & \cdots & a_{2n} & c_2 \\ \vdots & & & \ddots & & \vdots \\ a_{m1} & a_{m2} & a_{m3} & \cdots & a_{mn} & c_m \end{pmatrix} + \begin{pmatrix} -\lfloor q/2 \rfloor & -\lfloor q/2 \rfloor & t_{13} & \cdots & t_{1n} & c_{t,0} \\ -\lfloor q/2 \rfloor & -\lfloor q/2 \rfloor + 1 & t_{23} & \cdots & t_{2n} & c_{t,1} \\ \vdots & & & \ddots & & \vdots \end{pmatrix}$$
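The following is an added worked example, not code from the talk or from its Sage estimator. It builds a toy LWE instance as defined on the "learning with errors" slides, implements the [GPV08]-style ciphertext $(p, c) = (As + e,\ u \cdot s + e' + b\lfloor q/2 \rfloor)$ and its decryption $c - \langle x, p \rangle$ from the "applications" slide, and applies the modulus-switching map from the "switching moduli" slide to a normal-form sample. Everything numeric is an assumption: the parameters $n = 8$, $m = 24$, $q = 4093$, $\sigma = 2$ and $p = 257$ are toy values far below any secure setting, the error sampler is a rounded continuous Gaussian standing in for $D_{\alpha q, 0}$, and the key pair is generated "backwards" (short $x$ first, then $u = x^T A$) because the real scheme's trapdoor sampling of $x$ from $u = H(\mathrm{id})$ is out of scope here.

```python
import random

# Added example, not code from the talk or its Sage estimator: a toy LWE
# instance, the [GPV08]-style ciphertext from the "applications" slide, and
# the modulus-switching map from the "switching moduli" slide.  All parameter
# values are illustrative assumptions and far below any secure setting.

def discrete_gaussian(rng, sigma):
    """Rounded continuous Gaussian of width sigma: a stand-in (assumption) for
    the discrete Gaussian D_{alpha q, 0} the slides use."""
    return int(round(rng.gauss(0.0, sigma)))

def centre(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def lwe_samples(rng, n, m, q, sigma, s):
    """m samples (a_i, <a_i, s> + e_i) mod q with a_i uniform in Z_q^n; returns
    A, c and the errors e (which an attacker does not see)."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [discrete_gaussian(rng, sigma) for _ in range(m)]
    c = [(sum(a * x for a, x in zip(A[i], s)) + e[i]) % q for i in range(m)]
    return A, c, e

def recover_error(A, c, s, q):
    """Knowing s, the error is c - As mod q, taken centred."""
    return [centre(c[i] - sum(a * x for a, x in zip(A[i], s)), q) for i in range(len(c))]

def ibe_keygen(rng, A, q):
    """Short private key x in {-1,0,1}^m and u = x^T A.  In [GPV08] u = H(id)
    is given and x is sampled from it with a trapdoor; here we go the other way
    round so that no trapdoor is needed (illustration only)."""
    m, n = len(A), len(A[0])
    x = [rng.choice((-1, 0, 1)) for _ in range(m)]
    u = [sum(x[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    return x, u

def ibe_encrypt(rng, A, u, bit, q, sigma):
    """(p, c) = (As + e, <u, s> + e' + bit * floor(q/2)) with fresh s, e, e'."""
    m, n = len(A), len(A[0])
    s = [rng.randrange(q) for _ in range(n)]
    e = [discrete_gaussian(rng, sigma) for _ in range(m)]
    e2 = discrete_gaussian(rng, sigma)
    p = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    c = (sum(u[j] * s[j] for j in range(n)) + e2 + bit * (q // 2)) % q
    return p, c

def ibe_decrypt(x, p, c, q):
    """c - <x, p> = -<x, e> + e' + bit * floor(q/2); the noise stays far below
    q/4, so rounding to the nearer of 0 and q/2 recovers the bit."""
    d = centre(c - sum(xi * pi for xi, pi in zip(x, p)), q)
    return 1 if abs(d) > q // 4 else 0

def switch_modulus(a, c, q, p):
    """(round(p/q * a), round(p/q * c)) in Z_p^n x Z_p, as on the slide."""
    return [round(p * ai / q) % p for ai in a], round(p * c / q) % p

def switching_check(rng, n, q, p, sigma):
    """Switch one normal-form sample (small secret s, as the slide assumes) from
    q down to p and return the new error next to the bound
    p|e|/q + (sum|s_i| + 1)/2 that the rounding errors (each at most 1/2) give."""
    s = [discrete_gaussian(rng, sigma) for _ in range(n)]
    a = [rng.randrange(q) for _ in range(n)]
    e = discrete_gaussian(rng, sigma)
    c = (sum(ai * si for ai, si in zip(a, s)) + e) % q
    a2, c2 = switch_modulus(a, c, q, p)
    e2 = centre(c2 - sum(ai * si for ai, si in zip(a2, s)), p)
    bound = p * abs(e) / q + (sum(abs(si) for si in s) + 1) / 2
    return e2, bound

def demo(seed=1):
    rng = random.Random(seed)
    n, m, q, sigma = 8, 24, 4093, 2.0          # toy parameters (assumption)
    s = [rng.randrange(q) for _ in range(n)]
    A, c, e = lwe_samples(rng, n, m, q, sigma, s)
    x, u = ibe_keygen(rng, A, q)
    bits = [ibe_decrypt(x, *ibe_encrypt(rng, A, u, b, q, sigma), q) for b in (0, 1, 1, 0)]
    e2, bound = switching_check(rng, n, q, 257, sigma)
    return {"error_recovered": recover_error(A, c, s, q) == e,
            "decrypted": bits,
            "switched_error": e2,
            "switch_bound": bound}

if __name__ == "__main__":
    print(demo())
```

The decryption works because $c - \langle x, p \rangle = -\langle x, e \rangle + e' + b\lfloor q/2 \rfloor$ exactly as on the slide, and with $x \in \{-1, 0, 1\}^m$ the leftover noise is a sum of $m + 1$ small errors, well inside $q/4$. The switching check makes the "close to LWE" claim concrete: the new error is $\frac{p}{q} e$ plus rounding terms weighted by the (small, normal-form) secret, which is why the slide's formula for $p$ depends on $\sigma_s$.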

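To make the "bkw algorithm" slides concrete, here is an added example (not code from the talk) that runs the Gaussian-elimination step and one BKW table step on the same toy instance and measures, with the secret in hand, how much noise each leaves in the reduced rows. The parameters $n = 6$, $q = 31$, $b = 2$ and an error bound of $2$ are assumptions chosen so that the $q^b = 961$-entry table is tiny; the errors are drawn uniformly from $[-2, 2]$ instead of a discrete Gaussian so that the "at most twice the original size" bound is exact. The only liberty taken is that the demo moves a row with non-zero error to the pivot position, which an attacker could not do; it just guarantees the multiplier's effect is visible for any seed.

```python
import random

# Added example, not code from the talk: one BKW table step on the first
# block of b coordinates next to the Gaussian-elimination step it replaces,
# with the noise of the resulting rows measured against the known secret.
# The parameters are toy assumptions chosen so that a q^b table fits in memory.

def centre(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def make_samples(rng, n, m, q, s, err_bound):
    """LWE samples with errors uniform in [-err_bound, err_bound] (an assumption
    standing in for the discrete Gaussian, so that the bound is exact)."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-err_bound, err_bound) for _ in range(m)]
    c = [(sum(a * x for a, x in zip(A[i], s)) + e[i]) % q for i in range(m)]
    return A, c, e

def residual_errors(A, c, s, q):
    """c_i - <a_i, s> mod q, centred: the error left in each row."""
    return [centre(c[i] - sum(a * x for a, x in zip(A[i], s)), q) for i in range(len(A))]

def gaussian_elimination_step(A, c, q):
    """Clear column 1 with the first row that has a_i1 != 0 as pivot:
    row_i <- row_i - (a_i1 / a_11) row_1.  The multiplier is an essentially
    random element of Z_q, so the subtracted error (a_i1 / a_11) e_1 is no
    longer small and the row's noise is destroyed."""
    piv = next(i for i, a in enumerate(A) if a[0] % q != 0)
    pivot, cp = A[piv], c[piv]
    inv = pow(pivot[0], -1, q)                  # q is prime here
    out_A, out_c = [], []
    for i, (a, ci) in enumerate(zip(A, c)):
        if i == piv:
            continue
        mult = (a[0] * inv) % q
        out_A.append([(ai - mult * pi) % q for ai, pi in zip(a, pivot)])
        out_c.append((ci - mult * cp) % q)
    return out_A, out_c

def bkw_reduce_block(A, c, q, b):
    """BKW: index a table by the first b coordinates z in Z_q^b.  The first
    row seen with a given z is stored; every later row with the same z is
    reduced by subtracting the stored row, so its first b coordinates become 0
    and its error becomes e_i - e_t, at most twice the original size.
    Returns the reduced rows and the number of table entries used."""
    table = {}
    out_A, out_c = [], []
    for a, ci in zip(A, c):
        z = tuple(a[:b])
        if not any(z):                          # already zero on the block
            out_A.append(list(a))
            out_c.append(ci)
            continue
        hit = table.get(z)
        if hit is None:
            table[z] = (a, ci)
            continue
        ta, tc = hit
        out_A.append([(ai - ti) % q for ai, ti in zip(a, ta)])
        out_c.append((ci - tc) % q)
    return out_A, out_c, len(table)

def demo(seed=7):
    rng = random.Random(seed)
    n, q, b, err_bound = 6, 31, 2, 2            # toy parameters (assumption)
    m = 4 * q ** b                              # enough rows for many table hits
    s = [rng.randrange(q) for _ in range(n)]
    A, c, e = make_samples(rng, n, m, q, s, err_bound)
    # Illustration only: put a row with a_i1 != 0 and non-zero error first so
    # the pivot's error is visible (an attacker cannot choose this; a zero
    # pivot error would merely hide the multiplier's effect).
    k = next(i for i in range(m) if A[i][0] != 0 and e[i] != 0)
    A[0], A[k], c[0], c[k] = A[k], A[0], c[k], c[0]

    gA, gc = gaussian_elimination_step(A, c, q)
    rA, rc, tsize = bkw_reduce_block(A, c, q, b)
    return {
        "gauss_max_error": max(abs(x) for x in residual_errors(gA, gc, s, q)),
        "bkw_max_error": max(abs(x) for x in residual_errors(rA, rc, s, q)),
        "bkw_zero_prefix": all(a[:b] == [0] * b for a in rA),
        "bkw_rows": len(rA),
        "table_size": tsize,
    }

if __name__ == "__main__":
    print(demo())
```

After the BKW step every surviving row has zeros on the first block and an error of absolute value at most $2 \cdot 2 = 4$, whereas the Gaussian-elimination rows carry $e_i - \frac{a_{i1}}{a_{11}} e_1$, which is spread over all of $\mathbb{Z}_q$ once the multiplier is not tiny. The price is visible in the return values too: up to $q^b$ rows are consumed by the table, which is why the number of samples $m$ is a first-class parameter of the estimator.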