On Ideal Lattices and Learning With Errors Over Rings
Vadim Lyubashevsky (1), Chris Peikert (2), Oded Regev (1)
(1) Tel Aviv University, (2) Georgia Institute of Technology
Eurocrypt 2010
(slide 1 / 12)

The 'Learning With Errors' Problem [Regev'05]   (slide 2 / 12)

- Parameters: dimension n, prime modulus q = poly(n).
- Search: find secret $s \in \mathbb{Z}_q^n$ given many 'noisy inner products'
    $a_1 \leftarrow \mathbb{Z}_q^n,\quad b_1 = \langle a_1, s \rangle + e_1 \in \mathbb{Z}_q$
    $a_2 \leftarrow \mathbb{Z}_q^n,\quad b_2 = \langle a_2, s \rangle + e_2 \in \mathbb{Z}_q$
    $\vdots$
  In matrix form, with the $a_i^t$ stacked as the rows of $A^t$:
    $\big(A^t,\; b\big), \qquad b = A^t s + e, \qquad \sqrt{n} \le \text{error} \ll q$
  (After enough uniform $a_i$'s, secret s is uniquely determined w/hp.)
- Decision: distinguish $(A, b)$ from uniform $(A, b)$.
- LWE is Hard (... maybe even for quantum!)
    worst-case lattice problems  ≤  search-LWE  ≤  decision-LWE  ≤  crypto
                          (quantum [R'05])   [BFKL'93,R'05]
  (Also some classical hardness for search-LWE [P'09])

LWE is Versatile   (slide 3 / 12)

What kinds of crypto can we do with LWE?
- Public Key Encryption [R'05,PVW'08]; CCA-Secure PKE (w/o RO) [PW'08,P'09]
- Identity-Based Encryption (in RO model) [GPV'08]; Hierarchical ID-Based Encryption (w/o RO) [CHKP'10,ABB'10]
- UC Oblivious Transfer [PVW'08]
- Leakage Resilience [AGV'09,DGKPV'10,GKPV'10,ADNSWW'10,...]
- Circular/KDM-Secure Encryption [ACPS'09,BHHI'10]
- Quadratic-Formula Homomorphic Encryption [GHV'10]
- Bi-Deniable Encryption [OP'10]
- and more...

LWE is Efficient (... sort of)   (slide 4 / 12)

- Getting one extra pseudorandom scalar requires an n-dim inner product:
    $\langle a, s \rangle + e = b \in \mathbb{Z}_q$
- Can amortize each a over many secrets $s_i$, but still $\tilde{O}(n)$ work per scalar output.
- Public key crypto schemes have rather large keys:
    $pk = \big(A^t,\; b\big)$, where $A^t$ has $\Omega(n)$ rows and n columns.
- Can fix A for all users, but at best, still $\tilde{\Omega}(n^2)$ work to encrypt & decrypt an n-bit message.

(next slide, title not recovered from the extracted text)

- ★ Careful: w/ small error, coordinate-wise multiplication is not secure!
- Similar ring structures appear in heuristic NTRU scheme [HPS'98], in compact one-way / CR hash functions [Mic'02,PR'06,LM'06,...]
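The search and decision problems of slide 2, as an added worked example that is not code from the slides or their authors. It builds toy LWE instances in pure Python and implements the residual check behind the slide's remark that enough uniform $a_i$'s pin down s: the true secret explains every sample within the error bound, while any other candidate (or a uniform (A, b) pair) leaves residuals spread over all of $\mathbb{Z}_q$. Assumptions of mine: errors are uniform in [-bound, bound] rather than Gaussian, the parameters n = 8, q = 97, m = 40 are far too small to be secure, and the function names (`lwe_instance`, `consistent`, `max_residual`, `demo`) are my own.

```python
import random
from typing import List, Tuple

# Added example (not from the slides): toy LWE search/decision instances.
# Parameters are deliberately tiny; real instances use n in the hundreds and
# errors from a discrete Gaussian. Errors here are uniform in [-bound, bound],
# which is enough to show the "small error, much larger modulus" structure.

Vector = List[int]
Matrix = List[List[int]]


def centered(x: int, q: int) -> int:
    """Representative of x mod q in the range (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r


def inner(a: Vector, s: Vector, q: int) -> int:
    """<a, s> mod q."""
    return sum(x * y for x, y in zip(a, s)) % q


def lwe_instance(n: int, q: int, m: int, bound: int,
                 rng: random.Random) -> Tuple[Matrix, Vector, Vector]:
    """m search-LWE samples: rows a_i of A^t and b_i = <a_i, s> + e_i mod q.
    Returns (A_t, b, s); a solver would see only (A_t, b)."""
    s = [rng.randrange(q) for _ in range(n)]
    a_rows = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(inner(a, s, q) + rng.randint(-bound, bound)) % q for a in a_rows]
    return a_rows, b, s


def uniform_instance(n: int, q: int, m: int, rng: random.Random) -> Tuple[Matrix, Vector]:
    """The 'uniform (A, b)' side of the decision problem: b independent of A."""
    a_rows = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [rng.randrange(q) for _ in range(m)]
    return a_rows, b


def max_residual(a_rows: Matrix, b: Vector, s_guess: Vector, q: int) -> int:
    """max_i |b_i - <a_i, s_guess>| in centered form.
    Small for the true s; for any other candidate each residual is
    <a_i, s - s_guess> + e_i, which is uniform over Z_q because a_i is."""
    return max(abs(centered(bi - inner(a, s_guess, q), q)) for a, bi in zip(a_rows, b))


def consistent(a_rows: Matrix, b: Vector, s_guess: Vector, q: int, bound: int) -> bool:
    """True iff s_guess explains every sample within the error bound.
    With m samples a wrong candidate passes with probability
    ((2*bound+1)/q)^m, which is why enough samples determine s w.h.p.;
    the same check lets a holder of s tell LWE pairs from uniform ones."""
    return max_residual(a_rows, b, s_guess, q) <= bound


def demo(seed: int = 2010) -> dict:
    rng = random.Random(seed)
    n, q, m, bound = 8, 97, 40, 3          # constructed toy parameters
    a_rows, b, s = lwe_instance(n, q, m, bound, rng)
    wrong = [(x + 1) % q for x in s]       # a different candidate secret
    au, bu = uniform_instance(n, q, m, rng)
    return {
        "true_secret_consistent": consistent(a_rows, b, s, q, bound),
        "wrong_secret_consistent": consistent(a_rows, b, wrong, q, bound),
        "uniform_pair_consistent": consistent(au, bu, s, q, bound),
    }


if __name__ == "__main__":
    print(demo())
```

The probability that the wrong candidate or the uniform pair passes is (7/97)^40, so the outcome does not depend on the seed. Note that `consistent` is a check, not a solver: finding s without already holding it is exactly the search problem the slide calls hard.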
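The key-size and work-per-bit point of slide 4, as an added example that is not code from the slides or their authors. It is a simplified Regev-style bit encryption built directly from LWE samples: the public key is (A^t, b) with b = A^t s + e, and each encrypted bit costs one m × n matrix-vector product. `cost_summary` counts the scalars behind the slide's Ω(n²) remarks, including the case where A is fixed for all users and only b is per-user. Assumptions of mine: uniform errors in [-bound, bound], toy parameters chosen so that m·bound < q/4 guarantees correct decryption, and the function names (`keygen`, `encrypt_bit`, `decrypt_bit`, `roundtrip`, `cost_summary`).

```python
import random
from typing import Dict, List, Tuple

# Added example (not from the slides): simplified Regev-style bit encryption
# on top of LWE samples, used to count key size and work per encrypted bit.
# Toy parameters only; m * bound < q/4 is what keeps decryption correct.

Vector = List[int]
Matrix = List[List[int]]
PublicKey = Tuple[Matrix, Vector]


def keygen(n: int, q: int, m: int, bound: int, rng: random.Random) -> Tuple[PublicKey, Vector]:
    """pk = (A^t, b) with b = A^t s + e mod q; sk = s.
    A^t is m x n, so the public key holds m*n + m scalars mod q."""
    s = [rng.randrange(q) for _ in range(n)]
    a_rows = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(sum(x * y for x, y in zip(a, s)) + rng.randint(-bound, bound)) % q
         for a in a_rows]
    return (a_rows, b), s


def encrypt_bit(pk: PublicKey, bit: int, q: int, rng: random.Random) -> Tuple[Vector, int]:
    """Choose a random 0/1 combination r of the m samples and output
    (u, v) = (r^t A^t, <r, b> + bit * floor(q/2)) mod q.
    Cost: one m x n matrix-vector product, i.e. Theta(m*n) multiplications per bit."""
    a_rows, b = pk
    m, n = len(a_rows), len(a_rows[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * a_rows[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return u, v


def decrypt_bit(sk: Vector, ct: Tuple[Vector, int], q: int) -> int:
    """v - <u, s> = <r, e> + bit * floor(q/2) mod q.
    Since |<r, e>| <= m * bound < q/4, the centered value is near 0 for bit 0
    and near +-q/2 for bit 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, sk))) % q
    d = d - q if d > q // 2 else d           # centered representative
    return 1 if abs(d) > q // 4 else 0


def roundtrip(bits: List[int], n: int = 8, q: int = 257, m: int = 40,
              bound: int = 1, seed: int = 2010) -> List[int]:
    """Encrypt then decrypt each bit with fresh randomness; constructed parameters."""
    rng = random.Random(seed)
    pk, sk = keygen(n, q, m, bound, rng)
    return [decrypt_bit(sk, encrypt_bit(pk, bit, q, rng), q) for bit in bits]


def cost_summary(n: int, m: int) -> Dict[str, int]:
    """Scalar counts behind the slide's remarks; m = Omega(n) samples are needed."""
    return {
        "pk_scalars": m * n + m,          # (A^t, b): Omega(n^2) when m = Omega(n)
        "pk_scalars_shared_A": m,         # A fixed for all users: only b is per-user
        "mults_per_bit": m * n + m,       # r^t A^t and <r, b>, even with shared A
    }


if __name__ == "__main__":
    print(roundtrip([0, 1, 1, 0, 1, 0, 0, 1]))
    print(cost_summary(8, 40))
```

This version encrypts one bit per matrix-vector product, so an n-bit message costs n times `mults_per_bit`; amortizing the product across many bits (as in the multi-bit schemes cited on slide 3) lowers that, which is why the slide states Ω̃(n²) as the floor that plain LWE cannot get under, and why the rest of the talk moves to ring structure.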