
An Introduction to the Learning with Errors Problem in 3 Hours
賴奕甫

Peter W. Shor
• There are polynomial-time quantum algorithms that can solve
  • the factorization problem
  • the discrete logarithm problem (over $\mathbb{Z}_p$)

About ECC
• There is also a quantum algorithm that can solve the discrete logarithm problem over elliptic curves.

• If there were a practical quantum computer, it would be able to break
  • RSA encryption and signature schemes
  • Diffie-Hellman key exchange, ElGamal, DSA
  • Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve DSA (ECDSA)
  • … etc.
• No more forward secrecy: key exchanges recorded today could be broken once such a machine exists.

Post-Quantum Cryptography
• Post-quantum cryptography is a branch of cryptography that considers cryptographic algorithms which are still secure against quantum attack.
• Families:
  • Lattice-based cryptography
  • Multivariate cryptography
  • Hash-based cryptography
  • Code-based cryptography
  • Supersingular elliptic curve isogeny cryptography

LWE Problem
• The learning with errors problem (LWE) belongs to lattice-based cryptography.
• The LWE problem is versatile: it can be used to construct a variety of cryptographic algorithms. For example: [diagram of LWE-based constructions; not recoverable from the extraction]

A Simple Introduction to the Lattice
• This is a lattice in $\mathbb{R}^2$. [figure: the lattice $\mathbb{Z}^2$] It can be written as $\{(x, y)^T \mid x, y \in \mathbb{Z}\}$.
• Also written as
  • $\mathbb{Z}\binom{1}{0} + \mathbb{Z}\binom{0}{1}$
  • $\mathbb{Z}\binom{1}{1} + \mathbb{Z}\binom{0}{1}$
  • $\mathbb{Z}\binom{1}{0} + \mathbb{Z}\binom{1}{1}$
  • ...

A Lattice

A Simple Introduction to the Lattice
• Definition 1. For a linearly independent set $B = \{u_1, \dots, u_k\} \subset \mathbb{R}^n$, the lattice $L$ generated by $B$ in $\mathbb{R}^n$ is defined to be $L = \sum_{i=1}^{k} \mathbb{Z} u_i$. (If $k = n$, the lattice is said to be a full-rank lattice.)
• There is an equivalent definition of a lattice in $\mathbb{R}^n$:

A Simple Introduction to the Lattice
• Definition 2. A set $L \subset \mathbb{R}^n$ is said to be a discrete additive subgroup if it satisfies the following two conditions:
  1. It is closed under addition and subtraction. (additive subgroup)
  2. There is a constant $\epsilon > 0$ such that for any $v \in L$, $L \cap \{w \in \mathbb{R}^n : \|v - w\| < \epsilon\} = \{v\}$. (discrete)
• Theorem. A subset of $\mathbb{R}^n$ is a lattice if and only if it is a discrete additive subgroup.
(See p. 25 in Algebraic Number Theory by Neukirch.)

Mythology in Lattice-Based Cryptography
• Given a linearly independent generating set of a lattice $L$ in $\mathbb{R}^n$:
• Closest vector problem (CVP). Given a vector $w \in \mathbb{R}^n$, find $v \in L$ such that $\|w - v\| = \min_{u \in L} \|w - u\|$.
• Shortest vector problem (SVP). Find a nonzero vector $v \in L$ such that $\|v\| = \min_{u \in L \setminus \{0\}} \|u\|$.

Hardness: CVP ≥ SVP (sketch)
• Given a lattice $L$ generated by an independent set $\{b_1, \dots, b_n\}$.
• Write the shortest nonzero lattice point as $v = \sum_i a_i b_i$. (Note that the $a_i \in \mathbb{Z}$ cannot all be even.)
• For each $i$, feed the CVP oracle with $(L'_i, b_i)$, where the lattice $L'_i$ is generated by $\{b_1, \dots, b_{i-1}, 2b_i, b_{i+1}, \dots, b_n\}$, and call the output $v_i$.
• Then $v_j - b_j$ is the shortest nonzero vector for some $j$. (Why?)

Linear Equations
• There is a secret vector $\mathbf{s} = (s_1, s_2, s_3, s_4)^T \in \mathbb{Z}_{13}^4$.
• Given
  $1 s_1 + 2 s_2 + 5 s_3 + 2 s_4 = 9 \pmod{13}$
  $12 s_1 + 1 s_2 + 1 s_3 + 6 s_4 = 7 \pmod{13}$
  $6 s_1 + 10 s_2 + 3 s_3 + 6 s_4 = 1 \pmod{13}$
  $10 s_1 + 4 s_2 + 12 s_3 + 8 s_4 = 0 \pmod{13}$
• Solve for $\mathbf{s}$.

The Learning with Errors Problem (Search)
• There is a secret vector $\mathbf{s} = (s_1, s_2, s_3, s_4)^T \in \mathbb{Z}_{13}^4$.
• Given
  $5 s_1 + 5 s_2 - 3 s_3 + 7 s_4 \approx 6 \pmod{13}$
  $-1 s_1 + 1 s_2 + 2 s_3 - 5 s_4 \approx -4 \pmod{13}$
  $-3 s_1 + 3 s_2 + 7 s_3 + 4 s_4 \approx 2 \pmod{13}$
  $5 s_1 + 4 s_2 - 1 s_3 + 2 s_4 \approx -5 \pmod{13}$
  $-4 s_1 + 6 s_2 + 3 s_3 - 2 s_4 \approx 5 \pmod{13}$
  $-2 s_1 + 3 s_2 + 1 s_3 + 6 s_4 \approx -3 \pmod{13}$
• For each equation, independently with probability ½, the right-hand side has had 1 added to it (i.e. each equation carries an error of 0 or 1, each with probability ½).
• Solve for $\mathbf{s}$.

LWE distribution
• (Definition 1) For a secret vector $\mathbf{s} \in \mathbb{Z}_q^n$ and a distribution $\chi$ over $\mathbb{Z}_q$, the LWE distribution $\mathcal{A}_{\mathbf{s},n,q,\chi}$ generates a sample $(\mathbf{a}, b) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, or $(A, \mathbf{b}) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, where $\mathbf{a}$ is sampled uniformly from $\mathbb{Z}_q^n$ and $b = \langle \mathbf{a}, \mathbf{s} \rangle + e$ with $e \leftarrow \chi$.
  [figure: $A \cdot \mathbf{s} + \mathbf{e} = \mathbf{b}$, where the rows of $A$ are $\mathbf{a}_1, \mathbf{a}_2, \mathbf{a}_3, \dots$]

LWE Problem (Search)
• (Definition 2) LWE problem (search): secret $\mathbf{s} \in \mathbb{Z}_q^n$. Given $\mathrm{poly}(n)$ LWE samples $(A, \mathbf{b})$ from $\mathcal{A}_{\mathbf{s},n,q,\chi}$, find $\mathbf{s}$.
• Game (parameters: dimension $n$, modulus $q$, error distribution $\chi$):
  • Challenger: holds a secret $\mathbf{s} \in \mathbb{Z}_q^n$; generates $\mathrm{poly}(n)$ LWE samples $(A, \mathbf{b})$ from $\mathcal{A}_{\mathbf{s},n,q,\chi}$ and sends $(A, \mathbf{b})$ to the adversary.
  • Adversary: outputs $\mathbf{s} \in \mathbb{Z}_q^n$.

LWE Problem (Decisional)
• (Definition 3)
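The contrast between the "Linear Equations" and "Search LWE" slides, as an added example that is not part of the slides: a noiseless system over $\mathbb{Z}_q$ is solved by Gaussian elimination (the slide's 4×4 system has the unique solution $\mathbf{s} = (1, 6, 12, 7)$), while the same elimination applied to noisy equations ignores the error term and generally returns garbage, so the only generic approach at toy size is exhaustive search over $\mathbb{Z}_q^n$ checking that the residual $\mathbf{b} - A\mathbf{s}$ is small. The LWE instance in `demo` is constructed for the demo; the error distribution (0 with probability ½, ±1 with probability ¼ each) is the one the slides use in their later example, and $q$ is assumed prime.

```python
"""Added example (not from the slides): exact linear solving over Z_q versus
search LWE with a small error. Assumes q prime; the noisy instance is constructed."""
import itertools
import random

# The noiseless system from the "Linear Equations" slide: A s = b (mod 13).
Q = 13
A_EXACT = [[1, 2, 5, 2],
           [12, 1, 1, 6],
           [6, 10, 3, 6],
           [10, 4, 12, 8]]
B_EXACT = [9, 7, 1, 0]


def solve_mod_q(A, b, q):
    """Gauss-Jordan elimination over the field Z_q (q prime).
    Returns the unique s with A s = b (mod q), or None if A is singular mod q."""
    n = len(A)
    M = [[x % q for x in row] + [b[i] % q] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, q)            # exists because q is prime
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def sample_error(rng):
    """chi from the slides' example: 0 with prob 1/2, +1 or -1 with prob 1/4 each."""
    return rng.choice([-1, 0, 0, 1])


def lwe_samples(s, m, q, rng):
    """m samples: a_i uniform in Z_q^n, b_i = <a_i, s> + e_i (mod q), e_i <- chi."""
    n = len(s)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(row, s)) + sample_error(rng)) % q for row in A]
    return A, b


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def brute_force_search(A, b, q, bound=1):
    """Exhaustive search-LWE solver for toy parameters: every s whose residual
    b - A s (mod q) lies entirely in [-bound, bound] is returned as a candidate."""
    n = len(A[0])
    found = []
    for s in itertools.product(range(q), repeat=n):
        if all(abs(centered(bi - sum(x * y for x, y in zip(row, s)), q)) <= bound
               for row, bi in zip(A, b)):
            found.append(list(s))
    return found


def demo(seed=7):
    """Exact solve of the slide's system, then a constructed noisy instance."""
    rng = random.Random(seed)
    exact = solve_mod_q(A_EXACT, B_EXACT, Q)       # [1, 6, 12, 7]
    secret = [rng.randrange(Q) for _ in range(4)]  # constructed secret
    A, b = lwe_samples(secret, 12, Q, rng)         # 12 noisy equations
    naive = solve_mod_q(A[:4], b[:4], Q)           # elimination ignores e: usually wrong
    candidates = brute_force_search(A, b, Q)       # true secret always survives
    return exact, secret, naive, candidates
```

With 12 equations over $\mathbb{Z}_{13}$ and errors in $\{-1, 0, 1\}$, a wrong candidate passes the residual test with probability $(3/13)^{12}$, so the search returns the secret alone; with only four noisy equations the system would have many consistent candidates, which is the usual reason to insist on $m$ well above $n$.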
Decisional LWE problem: $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$. Given $\mathrm{poly}(n)$ samples $(A, \mathbf{b})$ which are either from $\mathcal{A}_{\mathbf{s},n,q,\chi}$ or generated uniformly over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$ (each case with probability ½), determine which is the case with non-negligible advantage.

LWE Problem (Decisional)
• Game (parameters: dimension $n$, modulus $q$, error distribution $\chi$):
  • Challenger: $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$; generates $\mathrm{poly}(n)$ samples $(A, \mathbf{b})$ either from $\mathcal{A}_{\mathbf{s},n,q,\chi}$ or uniformly at random over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, and sends $(A, \mathbf{b})$ to the adversary.
  • Adversary: outputs one of {"LWE", "uniform at random"}.

For example
• Dimension $n = 4$
• Modulus $q = 13$
• Error distribution $\chi$: $\pm 1 \leftarrow \chi$ with probability ¼ each, $0 \leftarrow \chi$ with probability ½.
• Given $(A, \mathbf{b})$ with six samples. [The matrix layout was lost in extraction; the entries as extracted are: 0 6 0 −2 5 1 −6 6 0 −2 4 7 −5 6 6 3 −3 and 4 4 3 −2 1 1 9 −5 −3 −5 −4 −1 0.]
• Q: LWE distribution or uniform distribution?

Remark.
• The distribution $\chi$ is called the "error distribution". $\chi$ is typically chosen to be a discrete Gaussian (normal) distribution with small standard deviation.
• The hardness varies with the standard deviation of $\chi$.
• Oded Regev showed $\mathrm{LWE} \ge \text{approx-S(I)VP}$ and $\text{approx-GapSVP}$ with a quantum reduction.
• Specifically, with dimension $n$, modulus $q = \mathrm{poly}(n)$, and a discrete Gaussian error distribution $\chi$ of standard deviation $\alpha q$ (Regev's theorem requires $\alpha q > 2\sqrt{n}$), $\mathrm{LWE}_{n,q,\chi} \ge \tilde{O}(n/\alpha)\text{-S(I)VP}$.

Little Knowledge: How to check a candidate $\mathbf{s}$?
• Given $\mathrm{poly}(n)$ LWE samples $(A, \mathbf{b} = A\mathbf{s} + \mathbf{e}) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$ for some fixed secret $\mathbf{s} \in \mathbb{Z}_q^n$.
• Assume you have an algorithm that can generate a small set of candidate answers. How can you check which one may be the correct one?

A Little Question
• For any $c \in \mathbb{Z}_q$ and any distribution $\chi$ over $\mathbb{Z}_q$, with $a$ and $b$ generated independently:
  $\Pr_{a \leftarrow \chi,\ b \xleftarrow{\$} \mathbb{Z}_q}[a + b = c] = ?$

If the modulus $q$ is $\mathrm{poly}(n)$-bounded, then DLWE = SLWE
"≤" (a search oracle decides)
• Given $\mathrm{poly}(n)$ samples either from an LWE distribution $\mathcal{A}_{\mathbf{s},n,q,\chi}$ for some unknown $\mathbf{s} \in \mathbb{Z}_q^n$ or generated uniformly over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$.
• Take some of them to the SLWE oracle to find $\mathbf{s} \in \mathbb{Z}_q^n$.
• Then ?
"≥" (a decision oracle searches)
• Given $\mathrm{poly}(n)$ samples from an LWE distribution $\mathcal{A}_{\mathbf{s},n,q,\chi}$ for some unknown $\mathbf{s} \in \mathbb{Z}_q^n$. Claim: we can solve it with a DLWE oracle.
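The candidate check asked for in "How to check candidate $\mathbf{s}$", and the answer to "A Little Question", as an added example that is not part of the slides. A candidate is accepted only if every coordinate of the residual $\mathbf{b} - A\mathbf{s} \pmod q$ is within the error bound; for the true secret the residual is exactly $\mathbf{e}$. For any other $\mathbf{s}'$ the residual is $\mathbf{e} + A(\mathbf{s} - \mathbf{s}')$, and because $A$ is uniform the second term is uniform, which is precisely the "little question": $\Pr[a + b = c] = \sum_x \chi(x)\cdot\frac{1}{q} = \frac{1}{q}$ whenever $b$ is uniform and independent of $a$, whatever $\chi$ is. The same check is the missing step of the "≤" direction: after the SLWE oracle returns some $\mathbf{s}$, run the check on the remaining samples; uniform samples fail it with probability $1 - ((2\beta+1)/q)^m$. Parameters ($n = 4$, $q = 13$, $\chi = \{\pm 1: \tfrac14,\ 0: \tfrac12\}$) follow the slides' example; the instance in `demo` is constructed here, not the one printed on the slide.

```python
"""Added example (not from the slides): residual check for an LWE candidate and
the exact distribution of chi + uniform. Parameters follow the slides' example."""
from fractions import Fraction
import random

Q = 13
CHI = {-1: Fraction(1, 4), 0: Fraction(1, 2), 1: Fraction(1, 4)}   # error pmf


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def residual(A, b, s, q):
    """e = b - A s (mod q), centered. Equals the true error vector iff s is the secret."""
    return [centered(bi - sum(x * y for x, y in zip(row, s)), q) for row, bi in zip(A, b)]


def check_candidate(A, b, s, q, bound):
    """Accept s iff every residual coordinate lies in [-bound, bound]."""
    return all(abs(e) <= bound for e in residual(A, b, s, q))


def sum_with_uniform(chi, q):
    """Exact pmf of a + b mod q for a <- chi and an independent uniform b:
    Pr[a + b = c] = sum_x chi(x) * Pr[b = c - x] = sum_x chi(x) / q = 1/q."""
    pmf = {c: Fraction(0) for c in range(q)}
    for x, px in chi.items():
        for bval in range(q):
            pmf[(x + bval) % q] += px * Fraction(1, q)
    return pmf


def false_accept_prob(q, bound, m):
    """Probability that m uniform residuals all land in [-bound, bound]: the chance
    that a wrong candidate, or a uniform instance, passes check_candidate."""
    return Fraction(2 * bound + 1, q) ** m


def make_instance(secret, m, q, rng):
    """Constructed LWE instance with errors drawn from CHI (0: 1/2, +-1: 1/4 each)."""
    A = [[rng.randrange(q) for _ in secret] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(row, secret)) + rng.choice([-1, 0, 0, 1])) % q
         for row in A]
    return A, b


def demo(seed=1, m=20):
    rng = random.Random(seed)
    secret = [rng.randrange(Q) for _ in range(4)]
    A, b = make_instance(secret, m, Q, rng)
    wrong = [(x + 1) % Q for x in secret]          # any other candidate behaves alike
    return (check_candidate(A, b, secret, Q, 1),   # True: residual is the error vector
            check_candidate(A, b, wrong, Q, 1),    # False: residual is uniform
            float(false_accept_prob(Q, 1, m)))     # (3/13)^20, about 2e-13
```

`sum_with_uniform` is the whole argument that a wrong candidate looks random: convolving any pmf with the uniform pmf on $\mathbb{Z}_q$ gives the uniform pmf, so nothing about $\chi$ (or about $\mathbf{s}$) leaks through a uniform mask.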
If the modulus $q$ is $\mathrm{poly}(n)$-bounded, then DLWE = SLWE: "≥"
• Given $\mathrm{poly}(n)$ samples $(\mathbf{a}_i, b_i)$ from an LWE distribution $\mathcal{A}_{\mathbf{s},n,q,\chi}$ for some unknown $\mathbf{s} = (s_1, \dots, s_n)^T \in \mathbb{Z}_q^n$. Claim: we can solve for $s_1$ with a DLWE oracle.
  1. Choose a guess $k \in \mathbb{Z}_q$.
  2. Define a transformation $\phi_k : \mathbb{Z}_q^n \times \mathbb{Z}_q \to \mathbb{Z}_q^n \times \mathbb{Z}_q$ by
     $\phi_k(\mathbf{a}, b) = (\mathbf{a} + \mathbf{r}',\ b + k \cdot r)$,
     where $r \in \mathbb{Z}_q$ is generated uniformly at random (fresh for each sample) and $\mathbf{r}' = (r, 0, \dots, 0)^T \in \mathbb{Z}_q^n$.
• <Uniformly random>: ⇒ ?

If the modulus $q$ is $\mathrm{poly}(n)$-bounded, then DLWE = SLWE: "≥"
• Transformation $\phi_k(\mathbf{a}, b) = (\mathbf{a} + \mathbf{r}',\ b + k \cdot r)$ as above.
• <LWE samples>: $(\mathbf{a}_i, b_i) = (\mathbf{a}_i,\ \langle \mathbf{a}_i, \mathbf{s} \rangle + e_i)$, so
  $(\mathbf{a}_i + \mathbf{r}',\ b_i + k \cdot r) = (\mathbf{a}_i + \mathbf{r}',\ \langle \mathbf{a}_i + \mathbf{r}', \mathbf{s} \rangle + e_i + r \cdot (k - s_1))$.
• If $k = s_1$ ⇒ ?
• If $k \ne s_1$ ⇒ ?

Short-Secret DLWE Problem
• Game (parameters: dimension $n$, modulus $q$, error distribution $\chi$):
  • Challenger: $\mathbf{s} \leftarrow \chi^n$; generates $\mathrm{poly}(n)$ samples $(A, \mathbf{b})$ either from $\mathcal{A}_{\mathbf{s},n,q,\chi}$ or uniformly at random over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, and sends $(A, \mathbf{b})$ to the adversary.
  • Adversary: outputs one of {"LWE", "uniform at random"}.

Lemma: Short-secret DLWE ≥ DLWE
• Given access to a short-secret DLWE oracle.
• Given LWE instances $(A \in \mathbb{Z}_q^{n \times n},\ \mathbf{b} = A^T \mathbf{s} + \mathbf{e}_s)$ where $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$, the unknown $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$, and $\mathbf{e}_s$ is generated from $\chi^n$ (the DLWE setting).
• Say $A$ is invertible.
• Consider the transformation $\phi : \mathbb{Z}_q^n \times \mathbb{Z}_q \to \mathbb{Z}_q^n \times \mathbb{Z}_q$,
  $\phi(\mathbf{a}', b') = (-A^{-1}\mathbf{a}',\ b' + \langle -A^{-1}\mathbf{a}', \mathbf{b} \rangle)$.
• Given a further LWE instance $(\mathbf{a}' \in \mathbb{Z}_q^n,\ b' = \langle \mathbf{a}', \mathbf{s} \rangle + e')$, compute
  $\phi(\mathbf{a}', b') = (-A^{-1}\mathbf{a}',\ \langle -A^{-1}\mathbf{a}', \mathbf{e}_s \rangle + e')$ ⇒ ?
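Worked answers to the "⇒ ?" prompts above (added here; this derivation is not on the slides and uses the slides' notation, with $q$ assumed prime):

• Uniform input. If $(\mathbf{a}, b)$ is uniform over $\mathbb{Z}_q^n \times \mathbb{Z}_q$, then $\mathbf{a} + \mathbf{r}'$ is uniform and $b + kr$ is uniform and independent of it, so $\phi_k$ maps uniform samples to uniform samples for every $k$.

• LWE input, $k = s_1$: the term $r(k - s_1)$ vanishes, so
$$\phi_k(\mathbf{a}_i, b_i) = \big(\mathbf{a}_i + \mathbf{r}',\ \langle \mathbf{a}_i + \mathbf{r}', \mathbf{s} \rangle + e_i\big),$$
which is an LWE sample from $\mathcal{A}_{\mathbf{s},n,q,\chi}$ with the same secret ($\mathbf{a}_i + \mathbf{r}'$ is still uniform).

• LWE input, $k \ne s_1$: $k - s_1$ is invertible in $\mathbb{Z}_q$, so $r(k - s_1)$ is uniform over $\mathbb{Z}_q$. Since the pair $(\mathbf{a}_i + \mathbf{r}', r)$ is uniform ($\mathbf{a}_i$ is uniform), $b_i + kr$ is uniform and independent of $\mathbf{a}_i + \mathbf{r}'$: the transformed samples are uniform. Hence the DLWE oracle answers "LWE" exactly when $k = s_1$. Trying every $k$ costs $q$ oracle calls, which is why $q = \mathrm{poly}(n)$ is needed; replacing $\mathbf{r}'$ by $r \cdot \mathbf{e}_j$ recovers $s_j$ in the same way.

• Short secret. With $\mathbf{b} = A^T \mathbf{s} + \mathbf{e}_s$ and $b' = \langle \mathbf{a}', \mathbf{s} \rangle + e'$,
$$\langle -A^{-1}\mathbf{a}', \mathbf{b} \rangle = -(A^{-1}\mathbf{a}')^T A^T \mathbf{s} + \langle -A^{-1}\mathbf{a}', \mathbf{e}_s \rangle = -\langle \mathbf{a}', \mathbf{s} \rangle + \langle -A^{-1}\mathbf{a}', \mathbf{e}_s \rangle,$$
so
$$\phi(\mathbf{a}', b') = \big(-A^{-1}\mathbf{a}',\ \langle -A^{-1}\mathbf{a}', \mathbf{e}_s \rangle + e'\big),$$
an LWE sample whose secret is $\mathbf{e}_s \leftarrow \chi^n$ (short), whose error is $e' \leftarrow \chi$, and whose first component is uniform because $A$ is invertible. A uniform $(\mathbf{a}', b')$ maps to a uniform pair. So a short-secret DLWE distinguisher decides DLWE. (A uniform $A \in \mathbb{Z}_q^{n \times n}$ is invertible with probability $\prod_{i=1}^{n} (1 - q^{-i}) \ge 1 - \frac{1}{q-1}$; redraw the first $n$ samples otherwise.)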
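The "≥" reduction run end to end, as an added example that is not part of the slides: `phi` is the slide's $\phi_k$ (shift one coordinate of $\mathbf{a}$ by a fresh uniform $r$ and $b$ by $k r$), and a decisional oracle is queried once per guess $k \in \mathbb{Z}_q$; the single $k$ for which the transformed samples still look like LWE is the secret coordinate. The slide recovers $s_1$; the code applies the same trick to every coordinate, which is the same argument with $\mathbf{r}' = r\cdot\mathbf{e}_i$. Assumptions: $q$ prime; toy parameters ($n = 3$, $q = 13$, errors in $\{-1, 0, 1\}$); the DLWE oracle is a stand-in implemented by exhaustive search, feasible only at this size, and the instance is constructed for the demo.

```python
"""Added example (not from the slides): recovering s from a DLWE oracle via
phi_k. The oracle is a brute-force stand-in that only works for toy sizes."""
import itertools
import random

Q, N, M = 13, 3, 16   # modulus (prime), dimension, number of samples


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_samples(s, m, q, rng):
    """m pairs (a, b): a uniform in Z_q^n, b = <a, s> + e, e in {-1,0,1}."""
    A = [[rng.randrange(q) for _ in s] for _ in range(m)]
    return [(a, (sum(x * y for x, y in zip(a, s)) + rng.choice([-1, 0, 0, 1])) % q)
            for a in A]


def uniform_samples(n, m, q, rng):
    """m pairs (a, b) uniform over Z_q^n x Z_q (the other DLWE case)."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def phi(samples, i, k, q, rng):
    """phi_k on coordinate i: (a, b) -> (a + r*e_i, b + k*r) with a fresh uniform r.
    If k == s_i the result is again LWE with secret s; otherwise (k - s_i)*r is
    uniform (q prime) and the result is uniform."""
    out = []
    for a, b in samples:
        r = rng.randrange(q)
        a2 = list(a)
        a2[i] = (a2[i] + r) % q
        out.append((a2, (b + k * r) % q))
    return out


def dlwe_oracle(samples, q, bound=1):
    """Stand-in decisional oracle: "LWE" (True) iff some secret explains every sample
    with a residual in [-bound, bound]. On uniform input a spurious secret exists with
    probability about q^n * ((2*bound+1)/q)^m, negligible at these sizes."""
    n = len(samples[0][0])
    for s in itertools.product(range(q), repeat=n):
        if all(abs(centered(b - sum(x * y for x, y in zip(a, s)), q)) <= bound
               for a, b in samples):
            return True
    return False


def recover_secret(samples, q, rng):
    """Search LWE from the decisional oracle: for each coordinate i, the unique k
    for which phi_k keeps the samples LWE-like is s_i (q oracle calls per coordinate)."""
    n = len(samples[0][0])
    s = []
    for i in range(n):
        hits = [k for k in range(q) if dlwe_oracle(phi(samples, i, k, q, rng), q)]
        if len(hits) != 1:
            raise RuntimeError(f"coordinate {i}: ambiguous oracle answers {hits}")
        s.append(hits[0])
    return s


def demo(seed=3):
    """Returns (true secret, recovered secret, oracle answer on uniform samples)."""
    rng = random.Random(seed)
    secret = [rng.randrange(Q) for _ in range(N)]     # constructed secret
    samples = lwe_samples(secret, M, Q, rng)
    recovered = recover_secret(samples, Q, rng)
    return secret, recovered, dlwe_oracle(uniform_samples(N, M, Q, rng), Q)
```

The cost is $n \cdot q$ oracle calls, each on the same $m$ samples; that is polynomial only because $q$ is, which is the hypothesis in the slide's title. Nothing in `recover_secret` depends on how the oracle works, so swapping the brute-force stand-in for a real distinguisher would not change it.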
A Taste of a Passive Security Proof with the DLWE Problem
• Alice: $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$; $\mathbf{s}_A, \mathbf{e}_A \leftarrow \chi^n$; $\mathbf{b} = A\mathbf{s}_A + \mathbf{e}_A \in \mathbb{Z}_q^n$. Sends $(A, \mathbf{b}) \in \mathbb{Z}_q^{n \times n} \times \mathbb{Z}_q^n$.
• Bob: $m \in \{0, 1\}$; $\mathbf{s}_B, \mathbf{e}_B \leftarrow \chi^n$; $e'_B \leftarrow \chi$; $\mathbf{b}' = \mathbf{s}_B^T A + \mathbf{e}_B^T \in \mathbb{Z}_q^n$; $c = \mathbf{s}_B^T \mathbf{b} + e'_B + m \cdot \lfloor q/2 \rfloor$. Sends $(\mathbf{b}', c) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
• Alice decrypts: $c - \mathbf{b}' \mathbf{s}_A = e'_B + \mathbf{s}_B^T \mathbf{e}_A - \mathbf{e}_B^T \mathbf{s}_A + m \cdot \lfloor q/2 \rfloor \approx m \cdot \frac{q}{2} \pmod q$.

Game0 (original protocol)
• $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$; $\mathbf{s}_A, \mathbf{e}_A \leftarrow \chi^n$; $\mathbf{b} = A\mathbf{s}_A + \mathbf{e}_A \in \mathbb{Z}_q^n$.
• $m \in \{0, 1\}$; $\mathbf{s}_B, \mathbf{e}_B \leftarrow \chi^n$; $e'_B \leftarrow \chi$; $\mathbf{b}' = \mathbf{s}_B^T A + \mathbf{e}_B^T \in \mathbb{Z}_q^n$; $c = \mathbf{s}_B^T \mathbf{b} + e'_B + m \cdot \lfloor q/2 \rfloor$.
• The adversary sees $(A, \mathbf{b})$ and $(\mathbf{b}', c)$ and tries to recover $m$.
• Decrypt: $c - \mathbf{b}' \mathbf{s}_A = e'_B + \mathbf{s}_B^T \mathbf{e}_A - \mathbf{e}_B^T \mathbf{s}_A + m \cdot \lfloor q/2 \rfloor \approx m \cdot \frac{q}{2} \pmod q$.

Game1
• $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$; $\mathbf{b} \xleftarrow{\$} \mathbb{Z}_q^n$ (replacing $A\mathbf{s}_A + \mathbf{e}_A$; indistinguishable by short-secret DLWE).
• $m \in \{0, 1\}$; $\mathbf{s}_B, \mathbf{e}_B \leftarrow \chi^n$; $e'_B \leftarrow \chi$; $\mathbf{b}' = \mathbf{s}_B^T A + \mathbf{e}_B^T \in \mathbb{Z}_q^n$; $c = \mathbf{s}_B^T \mathbf{b} + e'_B + m \cdot \lfloor q/2 \rfloor$.
• The adversary sees $(A, \mathbf{b})$ and $(\mathbf{b}', c)$.

Game2
• $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$; $\mathbf{b} \xleftarrow{\$} \mathbb{Z}_q^n$.
• $m \in \{0, 1\}$; $\mathbf{s}_B \leftarrow \chi^n$; $e'_B \leftarrow \chi$; $\mathbf{b}' \xleftarrow{\$} \mathbb{Z}_q^n$ (replacing $\mathbf{s}_B^T A + \mathbf{e}_B^T$); $c = \mathbf{s}_B^T \mathbf{b} + e'_B + m \cdot \lfloor q/2 \rfloor$.
• The adversary sees $(A, \mathbf{b})$ and $(\mathbf{b}', c)$.

Game3
• $A \xleftarrow{\$} \mathbb{Z}_q^{n \times n}$; $\mathbf{b} \xleftarrow{\$} \mathbb{Z}_q^n$.
• $m \xleftarrow{\$} \{0, 1\}$; $\mathbf{b}' \xleftarrow{\$} \mathbb{Z}_q^n$; $c \xleftarrow{\$} \mathbb{Z}_q$.
• The adversary sees $(A, \mathbf{b})$ and $(\mathbf{b}', c)$, which are now independent of $m$.

Public Key Cryptosystems Based on the LWE Problem or Related Problems

Contents
• Review
• Diffie-Hellman-like key exchange
• Peikert's method
• RLWE in brief
• NewHope

Review
[diagram: Shor's algorithm → post-quantum cryptography: lattice-based, multivariate, code-based, etc.]
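The one-bit scheme from the passive security proof above, written out with both parties' messages, as an added example that is not part of the slides. It also makes the decryption condition explicit: Alice recovers $m$ from $c - \mathbf{b}'\mathbf{s}_A = e'_B + \mathbf{s}_B^T\mathbf{e}_A - \mathbf{e}_B^T\mathbf{s}_A + m\lfloor q/2 \rfloor$ by rounding, which is correct whenever the noise term is smaller than $q/4$ in absolute value. Assumptions: the parameters $n = 8$, $q = 97$ and the error distribution $\chi = \{\pm 1: \tfrac14,\ 0: \tfrac12\}$ are chosen for the demo (with $\chi$ supported on $\{-1, 0, 1\}$ the noise is at most $1 + 2n = 17 < q/4$, so decryption never fails here); a real scheme uses a discrete Gaussian and far larger $n$, and this toy offers no security.

```python
"""Added example (not from the slides): the slide's one-bit LWE encryption with
Alice's and Bob's computations and the decryption-noise bound. Toy parameters."""
import random

N, Q = 8, 97


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def chi(rng):
    """Error distribution assumed for the demo: 0 w.p. 1/2, +1 or -1 w.p. 1/4 each."""
    return rng.choice([-1, 0, 0, 1])


def dot(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q


def keygen(rng, n=N, q=Q):
    """Alice: A uniform n x n, s_A, e_A <- chi^n, b = A s_A + e_A (mod q).
    Public key (A, b), secret key s_A."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    sA = [chi(rng) for _ in range(n)]
    eA = [chi(rng) for _ in range(n)]
    b = [(dot(row, sA, q) + eA[i]) % q for i, row in enumerate(A)]
    return (A, b), sA


def encrypt(pk, m, rng, q=Q):
    """Bob: s_B, e_B <- chi^n, e'_B <- chi;
    b' = s_B^T A + e_B^T,  c = s_B^T b + e'_B + m * floor(q/2)."""
    A, b = pk
    n = len(b)
    sB = [chi(rng) for _ in range(n)]
    eB = [chi(rng) for _ in range(n)]
    bprime = [(sum(sB[i] * A[i][j] for i in range(n)) + eB[j]) % q for j in range(n)]
    c = (dot(sB, b, q) + chi(rng) + m * (q // 2)) % q
    return bprime, c


def decrypt(sk, ct, q=Q):
    """Alice: v = c - <b', s_A> = e'_B + s_B^T e_A - e_B^T s_A + m*floor(q/2);
    m = 1 iff v is closer to q/2 than to 0."""
    bprime, c = ct
    v = centered(c - dot(bprime, sk, q), q)
    return 1 if abs(v) > q // 4 else 0


def noise_bound(n, q=Q):
    """Worst-case |e'_B + s_B^T e_A - e_B^T s_A| when chi is supported on {-1,0,1}:
    1 + n + n. Decryption is guaranteed correct when this is below q/4."""
    return 1 + 2 * n


def roundtrip(m, seed):
    """Encrypt and decrypt one bit with fresh keys; returns the decrypted bit."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt(sk, encrypt(pk, m, rng))


def demo(seed=11, trials=200):
    """Counts correct decryptions of alternating bits under one key pair."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ok = sum(decrypt(sk, encrypt(pk, t % 2, rng)) == t % 2 for t in range(trials))
    return ok, trials
```

The game hops map onto this code directly: Game1 replaces the `b` computed in `keygen` by a uniform vector (short-secret DLWE on $(A, \mathbf{s}_A)$), Game2 replaces `bprime` (DLWE on $(A^T, \mathbf{s}_B)$), and once `c` is also uniform nothing the adversary sees depends on `m`.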