session #5: learning with errors · session #5: learning with errors chris peikert georgia...
TRANSCRIPT
![Page 1: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/1.jpg)
Session #5:Learning With Errors
Chris PeikertGeorgia Institute of Technology
Winter School on Lattice-Based Cryptography and ApplicationsBar-Ilan University, Israel
19 Feb 2012 – 22 Feb 2012
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/15
![Page 2: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/2.jpg)
Last Time. . .
I SIS: find “small” nontrivial z1, . . . , zm ∈ Z such that:
z1 ·
|a1|
+ z2 ·
|a2|
+
· · ·
+ zm ·
|am|
=
|0|
∈ Znq
I This talk: a complementary problem, Learning With Errors
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15
![Page 3: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/3.jpg)
Last Time. . .
I SIS: find “small” nontrivial z1, . . . , zm ∈ Z such that:
z1 ·
|a1|
+ z2 ·
|a2|
+ · · · + zm ·
|am|
=
|0|
∈ Znq
I This talk: a complementary problem, Learning With Errors
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15
![Page 4: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/4.jpg)
Last Time. . .
I SIS: find “short” nonzero z ∈ Zm such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
I This talk: a complementary problem, Learning With Errors
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15
![Page 5: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/5.jpg)
Last Time. . .
I SIS: find “short” nonzero z ∈ Zm such that:
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
I This talk: a complementary problem, Learning With Errors
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15
![Page 6: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/6.jpg)
Overview of LWE Hardness
GapSVP,SIVP ≤
quantum[R’05]
search-LWE ≤
[BFKL’94,R’05,P’09,. . . ]
decision-LWE ≤
[R’05,PW’08,GPV’08,. . . ]
crypto
≤
classical(large q)[P’09]
GapSVP
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/15
![Page 7: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/7.jpg)
History of LWE
Crypto papers with “something new” regarding LWE:
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/15
![Page 8: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/8.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2
, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 9: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/9.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2
, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
a1 ← Znq , b1 = 〈s , a1〉+ e1
a2 ← Znq , b2 = 〈s , a2〉+ e2
...
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 10: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/10.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
a1 ← Znq , b1 = 〈s , a1〉+ e1
a2 ← Znq , b2 = 〈s , a2〉+ e2
...
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 11: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/11.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
a1 ← Znq , b1 = 〈s , a1〉+ e1
a2 ← Znq , b2 = 〈s , a2〉+ e2
...
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 12: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/12.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
A =
| |a1 · · · am| |
, bt = stA + et
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 13: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/13.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
A =
| |a1 · · · am| |
, bt = stA + et
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 14: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/14.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
A =
| |a1 · · · am| |
, bt = stA + et
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 15: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/15.jpg)
Learning With Errors [Regev’05]
I Dimension n (security param), modulus q ≥ 2, ‘error rate’ α� 1
I Search: find s ∈ Znq given ‘noisy random inner products’
A =
| |a1 · · · am| |
, bt = stA + et
Errors ei ← χ = Gaussian over Z, param αq
α · q >√n
I Decision: distinguish (ai, bi) from uniform (ai, bi) pairs
Generalizes LPN (q = 2, Bernoulli noise) [AL’88,BFKL’94,. . . ]
I Why error αq >√n?
F Required by worst-case hardness proofs [R’05,P’09]
F There’s an exp((αq)2)-time attack! [AG’11]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15
![Page 16: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/16.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 17: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/17.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 18: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/18.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 19: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/19.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 20: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/20.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 21: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/21.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 22: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/22.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 23: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/23.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 24: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/24.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 25: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/25.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 26: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/26.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
I ‘Computational’ (search)problem a la factoring, CDH
I Many valid solutions z
I LWE ≤ SIS: if Az = 0, thenbt z = et z is small, butbt z is ‘well-spread’
I Applications: OWF / CRHF,signatures, ID schemes
‘minicrypt’
LWE
(A,bt = stA + et) vs. (A,bt)
I ‘Decisional’ problem a la QR,DCR, DDH
I Unique solution s (w/short e)
I SIS??≤ LWE (stay till Wed...)
I Applications: PKE, OT,ID-based encryption, FHE
‘CRYPTOMANIA’
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15
![Page 27: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/27.jpg)
SIS versus LWE
SIS
Az = 0, ‘short’ z 6= 0
Average-case SVP:
L⊥(A) = {z ∈ Zm : Az = 0}
O
(0, q)
(q, 0)
LWE
(A,bt = stA + et) vs. (A,bt)
Average-case BDD:
L(A) = {zt ≡ stA mod q}
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 7/15
![Page 28: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/28.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 29: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/29.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 30: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/30.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 31: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/31.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 32: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/32.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 33: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/33.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 34: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/34.jpg)
Warm-Up: Simple Properties of LWE
1 Check a candidate solution s′ ∈ Znq : test if all b− 〈s′,a〉 ‘small.’
If s′ 6= s, then b− 〈s′,a〉 = 〈s− s′,a〉+ e is ‘well-spread’ in Zq.
2 ‘Shift’ the secret by any t ∈ Znq : given (a, b = 〈s,a〉+ e), output
a , b′ = b+ 〈t,a〉= 〈s + t,a〉+ e.
Random t’s (with fresh samples) ⇒ random self-reduction.
Lets us amplify success probabilities (both search & decision):
non-negl on uniform s← Znq =⇒ ≈ 1 on any s ∈ Zn
q
3 Multiple secrets: (a, b1 ≈ 〈s1,a〉, . . . , bt ≈ 〈st,a〉) vs. (a, b1, . . . , bt).
Simple hybrid argument, since a’s are public.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 8/15
![Page 35: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/35.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 36: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/36.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 37: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/37.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 38: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/38.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 39: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/39.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 40: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/40.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 41: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/41.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 42: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/42.jpg)
Search/Decision Equivalence [BFKL’94,R’05]
I Suppose D solves decision-LWE: it ‘perfectly’ distinguishes betweenpairs (a, b = 〈s,a〉+ e) and (a, b).
We want to solve search-LWE: given pairs (a, b), find s.
I If q = poly(n) , to find s1 ∈ Zq it suffices to test whether s1?= 0,
because we can shift s1 by 0, 1, . . . , q − 1. Same for s2, s3, . . . , sn.
The test: for each (a, b), choose fresh r ← Zq. Invoke D on pairs
(a′ = a− (r, 0, . . . , 0) , b).
I Notice: b = 〈s,a′〉+ s1 · r + e.
F If s1 = 0, then b = 〈s,a′〉+ e⇒ D accepts.
F If s1 6= 0 and q prime then b = uniform⇒ D rejects.
I Don’t really need prime q = poly(n) [P’09,ACPS’09,MM’11,MP’12]
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 9/15
![Page 43: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/43.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 44: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/44.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 45: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/45.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 46: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/46.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 47: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/47.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 48: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/48.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉
= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 49: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/49.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 50: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/50.jpg)
Decision-LWE with ‘Short’ Secrets
Theorem ([M’01,ACPS’09])
LWE is no easier if the secret is drawn from the error distribution χn.
(This is the ‘Hermite normal form’ of LWE.)
I Intuition: finding e ⇔ finding s: take bt − et = stA, solve for s.
Transformation from secret s ∈ Znq to secret e← χn:
1 Draw samples to get (A, bt
= stA + et) for square, invertible A.
2 Transform each additional sample (a, b = 〈s,a〉+ e) to
a′ = −A−1a , b′ = b+ 〈b,a′〉= 〈e,a′〉+ e.
I This maps (a, b) to (a′, b′), so it applies to decision-LWE too.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 10/15
![Page 51: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/51.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q
x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 52: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/52.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q
x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 53: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/53.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 54: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/54.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 55: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/55.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 56: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/56.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)
by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 57: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/57.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)by LWE
and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 58: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/58.jpg)
Public-Key Cryptosystem [R’05]
s← Znq A← Zn×m
q x← {0, 1}m
bt = stA + et
(public key)
u = Ax(ciphertext ‘preamble’)
u′ − st u ≈bit · q
2
u′ = bt x + bit · q2(‘payload’)
(A,bt), (u, u′)by LWE and
by LHL when
m ≥ n log q
(Images courtesy xkcd.org)Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 11/15
![Page 59: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/59.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq
s← Znq
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 60: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/60.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq
s← Znq
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 61: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/61.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq s← Zn
q
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 62: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/62.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq s← Zn
q
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 63: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/63.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq s← Zn
q
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 64: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/64.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq s← Zn
q
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 65: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/65.jpg)
‘Dual’ Cryptosystem [GPV’08]
x← {0, 1}m A← Zn×mq s← Zn
q
u = Ax(public key, uniform when m ≥ n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q
2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)by LWE
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 12/15
![Page 66: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/66.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 67: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/67.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 68: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/68.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 69: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/69.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 70: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/70.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 71: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/71.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 72: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/72.jpg)
Primal vs. Dual Systems
Primal
I pk = (A,bt = stA + et) ispseudorandom withunique sk = s
I c’text (u = Ax, u′ ≈ st u) isa fresh LWE sample, withmany possible Enc coins x
I security: encrypting to‘malformed’ pk = (A,bt)induces uniform ciphertext
Dual
I pk = (A,u = Ax) isstatistically random withmany possible sk = x
I c’text (b, b′) ≈ st(A,u) ismany LWE RHS’s, withunique Enc coins s, e
I security: switch ciphertext touniform using LWE
(shared) A size: n× (n log q) elements of Zq
(user) pk & ct size: n log q & n elements, or vice-versa
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 13/15
![Page 73: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/73.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq
r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 74: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/74.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq
r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 75: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/75.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 76: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/76.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2
b′ = ut r + x′ + bit · q2(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 77: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/77.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 78: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/78.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)
by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 79: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/79.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 80: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/80.jpg)
Most Efficient Cryptosystem [A’03,LPS’10,LP’11]
s← χn A← Zn×nq r← χn
ut = stA + et
(public key)
b = Ar + x(ciphertext ‘preamble’)
b′−st b ≈ bit· q2b′ = ut r + x′ + bit · q2
(‘payload’)
(A,u,b, b′)by LWE (HNF)
by LWE (HNF)
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 14/15
![Page 81: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/81.jpg)
When We Come Back. . .
I A different kind of LWE application: Efficient pseudorandom functions
Selected bibliography for this talk:
R’05 O. Regev, “On lattices, learning with errors, random linear codes, andcryptography,” STOC’05 / JACM’09.
GPV’08 C. Gentry, C. Peikert, V. Vaikuntanathan, “Trapdoors for hard latticesand new cryptographic constructions,” STOC’08.
ACPS’09 B. Applebaum, D. Cash, C. Peikert, A. Sahai, “Fast CryptographicPrimitives and Circular-Secure Encryption Based on Hard LearningProblems,” CRYPTO’09.
LPS’10 V. Lyubashevsky, A. Palacio, G. Segev, “Public-Key CryptographicPrimitives Provably as Secure as Subset Sum,” TCC’10.
LP’11 R. Lindner, C. Peikert, “Better Key Sizes (and Attacks) for LWE-BasedEncryption,” CT-RSA’11.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 15/15
![Page 82: Session #5: Learning With Errors · Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan](https://reader034.vdocuments.us/reader034/viewer/2022050117/5f4e2c8d22f1ed050a122dd9/html5/thumbnails/82.jpg)
When We Come Back. . .
I A different kind of LWE application: Efficient pseudorandom functions
Selected bibliography for this talk:
R’05 O. Regev, “On lattices, learning with errors, random linear codes, andcryptography,” STOC’05 / JACM’09.
GPV’08 C. Gentry, C. Peikert, V. Vaikuntanathan, “Trapdoors for hard latticesand new cryptographic constructions,” STOC’08.
ACPS’09 B. Applebaum, D. Cash, C. Peikert, A. Sahai, “Fast CryptographicPrimitives and Circular-Secure Encryption Based on Hard LearningProblems,” CRYPTO’09.
LPS’10 V. Lyubashevsky, A. Palacio, G. Segev, “Public-Key CryptographicPrimitives Provably as Secure as Subset Sum,” TCC’10.
LP’11 R. Lindner, C. Peikert, “Better Key Sizes (and Attacks) for LWE-BasedEncryption,” CT-RSA’11.
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 15/15