EDIC RESEARCH PROPOSAL 1

The Learning With Error Problem

Alexandre Duc, LASEC, I&C, EPFL

Abstract. Every public-key cryptosystem relies on problems that are believed to be computationally hard. Most of the systems used in practice rely on the integer factorization problem or the discrete logarithm problem. However, these two problems can be solved in polynomial time on a quantum computer. It is thus important to develop secure alternatives in case quantum computers become practical. In this proposal, we study the Learning With Error (LWE) problem, a fundamental problem in lattice-based cryptography introduced by Regev. In particular, it possesses an elegant quantum reduction to well-studied problems on lattices such as the Shortest Vector Problem (SVP). In 2010, Lyubashevsky et al. introduced the Ring-Learning With Error problem (Ring-LWE), an algebraic variant of the problem. Applications based on this problem have the advantage of being much more practical. On the other hand, its hardness relies on less general problems, namely on problems on ideal lattices. We propose to analyze further the hardness of the (Ring-)LWE problem as well as the algorithms used to solve it. Another goal is to design a new cryptosystem based on the LWE problem.

Index Terms: Cryptography, Learning With Error, Learning from Parity with Noise, lattices, Shortest Vector Problem, post-quantum cryptography.

Proposal submitted to committee: June 06th, 2012; Candidacy exam date: June 13th, 2012; Candidacy exam committee: Emre Telatar, Serge Vaudenay, Arjen Lenstra. This research plan has been approved: Date; Doctoral candidate (name and signature); Thesis director (name and signature); Thesis co-director, if applicable (name and signature); Doct. prog. director (R. Urbanke) (signature).

I. INTRODUCTION

Before defining the LWE problem and its reductions precisely, we first introduce some necessary notation, definitions and results about lattices and, more generally, cryptography.

A. Preliminaries

Given $x \in \mathbb{R}$, we write $\lfloor x \rceil \in \mathbb{Z}$ for the integer closest to $x$; in case of a tie, we select the smallest one. Next, a function $\epsilon\colon \mathbb{N} \to \mathbb{R}$ is called negligible if for every constant $c \in \mathbb{R}_{>0}$ there exists $k_0 \in \mathbb{N}$ such that $\epsilon(k) < k^{-c}$ for all $k > k_0$. The open unit ball in $\mathbb{R}^n$ is denoted by $\mathcal{B}_n$ and is defined as $\mathcal{B}_n := \{x \in \mathbb{R}^n : \|x\| < 1\}$. The statistical distance between two distributions $D_1$ and $D_2$ over a countable domain $S$ is defined as $\Delta(D_1, D_2) := \max_{A \subseteq S} \sum_{x \in A} (D_1(x) - D_2(x))$. Given a probability distribution $D$ over a countable domain $S$, we define its min-entropy as $H_\infty(D) := \min_{i \in S} \{-\log D(i)\}$. We say that two distributions $D_1$ and $D_2$ over a domain $S$ are statistically $\epsilon$-indistinguishable if for every $A \subseteq S$, $\sum_{x \in A} (D_1(x) - D_2(x)) < \epsilon$. We will use the following lemma.

Lemma 1 (Leftover Hash Lemma [1]). Let $D$ be a distribution, let $\epsilon > 0$ and let $l \le H_\infty(D) - 2\log(1/\epsilon)$. Let $\mathcal{H}$ be a universal family of hash functions with a range of $l$ bits, i.e., for all $x \ne x'$, $\Pr_{h \in \mathcal{H}}[h(x) = h(x')] = 1/2^l$. Then $(h(d), h)$ and $(u, h)$, where $d$ is drawn from $D$ and $u$ is uniform, are statistically $\epsilon$-indistinguishable.

We will use Lemma 1 in the following, taking as universal family of hash functions multiplication by random matrices in $\mathbb{Z}_q^{l \times n}$.

1) Gaussian Distribution: Given $s > 0$, we denote the Gaussian function over $\mathbb{R}^n$ by $\rho_s(x) := \exp(-\pi \|x/s\|^2)$. We denote by $\nu_s$ the Gaussian probability density function with parameter $s > 0$, defined by $\nu_s(x) := \rho_s(x)/s^n$. Given a countable set $A \subseteq \mathbb{R}^n$ and a parameter $s > 0$, we define the discrete Gaussian distribution $D_{A,s}$ as $D_{A,s}(x) := \rho_s(x)/\sum_{y \in A} \rho_s(y)$ for $x \in A$. We will typically take this distribution over a lattice.
Finally, for $\beta \in \mathbb{R}^+$, we denote by $\Psi_\beta$ the probability distribution over $\mathbb{R}/(q\mathbb{Z})$ obtained by sampling a normal variable with zero mean and standard deviation $\beta q/\sqrt{2\pi}$ and reducing the result modulo $q$, i.e.,

$$\Psi_\beta(r) := \sum_{k=-\infty}^{\infty} \frac{1}{\beta q} \exp\left(-\pi \left(\frac{r - kq}{\beta q}\right)^2\right)$$

for $r \in [0, q)$. We also define the discretization $\bar{\Psi}_\beta$ of $\Psi_\beta$, obtained by sampling a normal variable with mean $0$ and standard deviation $\beta q/\sqrt{2\pi}$, rounding the result to the nearest integer and reducing it modulo $q$.

2) Lattices: We denote the standard inner product over $\mathbb{R}^n$ by $\langle \cdot, \cdot \rangle$. A (full rank) lattice $L$ in $\mathbb{R}^n$ is a discrete additive subgroup of $\mathbb{R}^n$ generated by all integer combinations of $n$ linearly independent vectors.¹ We call this set of vectors $B := \{v_1, \dots, v_n\}$ a basis of the lattice. Note that this basis is not unique. Two bases $B$ and $B'$ are called equivalent iff $B' = BU$ with $U$ a unimodular $n \times n$ matrix, i.e., an integer matrix whose determinant is equal to $\pm 1$. Two equivalent bases generate the same lattice. Given a basis $\{v_1, \dots, v_n\}$ of a lattice $L$, the set of points in $\mathbb{R}^n$ belonging to the lattice is

$$L(v_1, \dots, v_n) := \left\{ \sum_{i=1}^{n} k_i v_i : k_1, \dots, k_n \in \mathbb{Z} \right\}.$$

We denote the Gram-Schmidt orthogonalization of a basis $B := \{v_1, \dots, v_n\}$ by $\tilde{B} := \{\tilde{v}_1, \dots, \tilde{v}_n\}$. The vectors $\tilde{v}_i$ are defined iteratively as follows: $\tilde{v}_1 = v_1$ and

$$\tilde{v}_i = v_i - \sum_{j=1}^{i-1} \frac{\langle v_i, \tilde{v}_j \rangle}{\langle \tilde{v}_j, \tilde{v}_j \rangle} \tilde{v}_j \quad \text{for } i \in [2, n].$$

Note that the Gram-Schmidt basis is usually not a basis of the lattice. The dual of a lattice $L$ is denoted by $L^*$. It is defined as $L^* := \{x \in \mathbb{R}^n : \langle x, y \rangle \in \mathbb{Z} \ \forall y \in L\}$, i.e., it is the set of all vectors whose inner product with any lattice vector is an integer. For instance, the dual of $L = \mathbb{Z}$ is $L^* = \mathbb{Z}$ and the dual of $L = 2\mathbb{Z}$ is $L^* = (1/2)\mathbb{Z}$. Between the Gram-Schmidt vectors $\tilde{b}_i$ of a basis of $L$ and the Gram-Schmidt vectors $\tilde{b}^*_i$ of the corresponding dual basis taken in reverse order, the following relation holds: $\tilde{b}^*_i = \tilde{b}_{n-i+1} / \|\tilde{b}_{n-i+1}\|^2$. This implies that the norm of a Gram-Schmidt basis vector is inversely proportional to the norm of a Gram-Schmidt basis vector of the dual lattice if we take the vectors in reverse order. Given a basis $B = \{v_1, \dots, v_n\}$ of a lattice $L$, we define the fundamental parallelepiped $\mathcal{P}(B)$ as the half-open parallelepiped

$$\mathcal{P}(B) := \left\{ \sum_{i=1}^{n} \alpha_i v_i : \alpha_1, \dots, \alpha_n \in [0, 1) \right\}.$$

The volume of any fundamental parallelepiped of a lattice $L$ is invariant under the choice of the basis.
We call it the determinant of the lattice, $\det(L)$. We denote by $\lambda_1(L)$ the $\ell_2$-length of a shortest non-zero vector of a lattice $L$. Similarly, we denote by $\lambda_k(L)$ the smallest radius of a ball containing $k$ linearly independent lattice vectors. We can now state a useful lemma.

Lemma 2. For a lattice $L$ we have $\lambda_1(L) \ge \min_i \|\tilde{b}_i\|$ for any Gram-Schmidt basis $\tilde{B}$ of $L$.

An LLL-reduced basis [2] can be seen as a basis whose Gram-Schmidt vectors do not decrease too quickly. More formally, a basis $B$ is LLL-reduced if

$$|\langle b_i, \tilde{b}_j \rangle| \le \tfrac{1}{2} \|\tilde{b}_j\|^2 \quad \text{for all } 1 \le j < i \le n$$

and

$$\tfrac{3}{4} \|\tilde{b}_i\|^2 \le \left\| \tilde{b}_{i+1} + \frac{\langle b_{i+1}, \tilde{b}_i \rangle}{\|\tilde{b}_i\|^2} \tilde{b}_i \right\|^2 \quad \text{for } 1 \le i < n.$$

Such a basis satisfies $\|\tilde{b}_{i+1}\|^2 \ge \tfrac{1}{2} \|\tilde{b}_i\|^2$. Note that this enforces $\|b_1\| \le 2^{(n-1)/2} \lambda_1(L)$ by Lemma 2. The LLL algorithm introduced by Lenstra, Lenstra and Lovász finds an LLL-reduced basis in polynomial time. It thus permits to find an exponential approximation of the shortest vector in the lattice.

For a lattice $L$ and $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(L)$ is defined as $\operatorname{argmin}_r \{ \rho_{1/r}(L^* \setminus \{0\}) \le \epsilon \}$. Many technical results were proven for the smoothing parameter in [3], [4], and we provide in this proposal an informal description of some of them. The first result from Micciancio and Regev [4] shows that if we choose a random lattice point and add continuous Gaussian noise $\nu_s$ for $s > \eta_\epsilon(L)$, then the resulting distribution is within statistical distance $\epsilon$ of the uniform distribution on $\mathbb{R}^n$. They also show the following lemma.

Lemma 3 ([4, Lemma 3.2 and 3.3]). $\eta_{2^{-n}}(L) \le \sqrt{n}/\lambda_1(L^*)$ and $\eta_\epsilon(L) \le \sqrt{\ln(2n(1 + 1/\epsilon))/\pi} \cdot \lambda_n(L)$.

We will need to sample efficiently from discrete Gaussian distributions over a lattice $L$. The following proposition was shown by Gentry et al.

Proposition 1 ([5, Theorem 4.1]). There exists a probabilistic polynomial time (ppt) algorithm that, given any basis $B$ of a lattice $L$ and $r \ge \max_i \|\tilde{b}_i\| \cdot \omega(\sqrt{\log n})$, outputs a sample that is within negligible statistical distance of $D_{L,r}$.

¹ In this proposal, we will consider only full rank lattices.

B. Hard Problems on Lattices

In this section, we introduce several hard problems on lattices on which lattice-based cryptosystems rely.

1) Shortest Vector Problem: The first problem we introduce is the Shortest Vector Problem (SVP), which consists in finding one of the shortest vectors in a lattice.

Definition 1 (Shortest Vector Problem). The Shortest Vector Problem ($\mathrm{SVP}_L$) for a lattice $L$ consists, given a basis $B$ of $L$, in returning a vector $x \in L$ such that $\|x\| = \lambda_1(L)$.

For a function $\gamma(n) \ge 1$, the corresponding approximation problem is the following.

Definition 2 ($\mathrm{SVP}_{L,\gamma}$). Given a basis $B$ of $L$, find a non-zero vector $x \in L$ such that $\|x\| \le \gamma(n) \lambda_1(L)$.

The decisional version of the problem is the one most used in cryptography.

Definition 3 ($\mathrm{GapSVP}_{L,\gamma}$). Given a basis $B$ of $L$ and a number $d > 0$, the $\mathrm{GapSVP}_{L,\gamma}$ problem consists in answering YES if $\lambda_1(L) \le d$ and NO if $\lambda_1(L) > \gamma(n) d$. The answer in the other possible cases is undefined.

Finally, we define the Shortest Independent Vectors Problem ($\mathrm{SIVP}_{L,\gamma}$).

Definition 4 (Shortest Independent Vectors Problem). Given a basis $B$ of an $n$-dimensional lattice $L$, the Shortest Independent Vectors Problem ($\mathrm{SIVP}_{L,\gamma}$) consists in finding $n$ linearly independent vectors of length at most $\gamma(n) \lambda_n(L)$.

Many results are known about the hardness of these problems. For a lattice of dimension $n$, the NP-hardness of $\mathrm{GapSVP}_{L,\gamma}$ has been shown when $\gamma(n) < n^{c/\log\log n}$ [6], [7], [8]. The best exact algorithms known for SVP have complexity $O(2^n)$ (e.g. [9], [10]). However, for approximation factors $\gamma(n) > 2^{n \log\log n/\log n}$, some polynomial time algorithms are known. For instance, one can use the LLL algorithm and its improvements [2], [11], [9]. Interestingly, no better quantum algorithm is known. This makes lattice-based cryptosystems good candidates for post-quantum cryptosystems.

Peikert defined in [12] the $\zeta$-to-$\gamma$-GapSVP problem, a generalization of the $\mathrm{GapSVP}_{L,\gamma}$ problem. This new problem is denoted by $\mathrm{GapSVP}_{L,\zeta,\gamma}$.

Definition 5 ($\zeta$-to-$\gamma$-GapSVP problem). Let $\zeta(n) \ge \gamma(n) \ge 1$ be functions. The input of the $\mathrm{GapSVP}_{L,\zeta,\gamma}$ problem is a pair $(B, d)$ with $B$ a basis of an $n$-dimensional lattice $L$ for which $\lambda_1(L) \le \zeta(n)$, $\min_i \|\tilde{b}_i\| \ge 1$, where the $\tilde{b}_i$ are the vectors of the Gram-Schmidt basis $\tilde{B}$, and $1 \le d \le \zeta(n)/\gamma(n)$. The output should be YES if $\lambda_1(L) \le d$ and NO if $\lambda_1(L) > \gamma(n) d$. The answer in the other possible cases is undefined.

We discuss briefly these new conditions on $B$. The second condition is only useful for the proof, and one can easily ignore this assumption by scaling the basis. The third condition is there to avoid the problem being trivial to solve. Indeed, if $d > \zeta(n)/\gamma(n)$, then $\gamma(n) d \ge \zeta(n) \ge \lambda_1(L)$ and, hence, the answer is trivially YES. Thus, the important condition is the first. When $\zeta(n) \ge 2^{n/2}$, $\mathrm{GapSVP}_{L,\zeta,\gamma}$ is equivalent to $\mathrm{GapSVP}_{L,\gamma}$.
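As an added example that is not part of the proposal, the following Python code implements the Gram-Schmidt orthogonalization, the determinant as the product of the Gram-Schmidt norms, and a textbook LLL reduction with $\delta = 3/4$ in exact rational arithmetic. On a constructed three-dimensional basis it checks the properties used in this section: the two LLL conditions, the bound $\|b_1\|^2 \le 2^{n-1} \|\tilde{b}_i\|^2$ that follows from the Lovász condition, and Lemma 2's lower bound $\min_i \|\tilde{b}_i\|$ on the length of any non-zero lattice vector. The input basis, the value of $\delta$ and the brute-force search radius are choices of this example.

```python
"""Gram-Schmidt, lattice determinant and LLL reduction in exact arithmetic.

Added example for the lattice preliminaries of this proposal; it is not code
from the proposal itself. A basis is a list of integer row vectors.
"""
from fractions import Fraction
from itertools import product
from math import isqrt

# Constructed input: a skewed basis of a 3-dimensional lattice of determinant 3.
EXAMPLE_BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]


def dot(u, v):
    """Exact inner product <u, v>."""
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def gram_schmidt(basis):
    """Return (gs, mu) with gs[i] = b~_i and mu[i][j] = <b_i, b~_j> / <b~_j, b~_j>."""
    n = len(basis)
    gs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, v in enumerate(basis):
        w = [Fraction(c) for c in v]
        for j in range(i):
            mu[i][j] = dot(v, gs[j]) / dot(gs[j], gs[j])
            w = [wc - mu[i][j] * gc for wc, gc in zip(w, gs[j])]
        gs.append(w)
    return gs, mu


def lattice_det(basis):
    """|det(L)| = prod_i ||b~_i||; it does not depend on the chosen basis."""
    gs, _ = gram_schmidt(basis)
    det_sq = Fraction(1)
    for g in gs:
        det_sq *= dot(g, g)
    assert det_sq.denominator == 1 and isqrt(det_sq.numerator) ** 2 == det_sq.numerator
    return isqrt(det_sq.numerator)


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Size reduction (|mu_ij| <= 1/2) and the Lovasz condition on consecutive vectors."""
    gs, mu = gram_schmidt(basis)
    n = len(basis)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz_ok = all(
        dot(gs[i + 1], gs[i + 1]) >= (delta - mu[i + 1][i] ** 2) * dot(gs[i], gs[i])
        for i in range(n - 1)
    )
    return size_ok and lovasz_ok


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL: size-reduce b_k, then swap b_k and b_{k-1} if Lovasz fails."""
    b = [list(v) for v in basis]
    n = len(b)
    gs, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])  # nearest integer; any tie-break leaves |mu| <= 1/2
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                gs, mu = gram_schmidt(b)
        if dot(gs[k], gs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(gs[k - 1], gs[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            gs, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def first_vector_bound_holds(basis):
    """||b_1||^2 <= 2^(n-1) ||b~_i||^2 for all i, a consequence of the Lovasz condition."""
    gs, _ = gram_schmidt(basis)
    n = len(basis)
    return all(dot(basis[0], basis[0]) <= 2 ** (n - 1) * dot(g, g) for g in gs)


def min_gs_norm_sq(basis):
    """min_i ||b~_i||^2, Lemma 2's lower bound on lambda_1(L)^2."""
    gs, _ = gram_schmidt(basis)
    return min(dot(g, g) for g in gs)


def shortest_small_combination_sq(basis, radius=3):
    """Squared length of the shortest non-zero combination with coefficients in
    [-radius, radius]; by Lemma 2 it is at least min_gs_norm_sq(basis)."""
    best = None
    for coeffs in product(range(-radius, radius + 1), repeat=len(basis)):
        if not any(coeffs):
            continue
        v = [sum(c * row[k] for c, row in zip(coeffs, basis)) for k in range(len(basis[0]))]
        best = dot(v, v) if best is None else min(best, dot(v, v))
    return best


if __name__ == "__main__":
    reduced = lll(EXAMPLE_BASIS)
    print("LLL-reduced basis:", reduced, "det:", lattice_det(reduced))
```

The Gram-Schmidt data is recomputed from scratch after every change, which keeps the code short and exact at the price of efficiency; a production implementation updates the $\mu_{i,j}$ incrementally and works in floating point with error control.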
Indeed, one can easily find in polynomial time, using the LLL algorithm, a basis $B$ such that $\lambda_1(L) \le \|b_1\| \le 2^{n/2} \min_i \|\tilde{b}_i\|$. For smaller $\zeta$, the problem is obviously not harder than $\mathrm{GapSVP}_{L,\gamma}$, but no known algorithm can exploit the bound $\zeta$ efficiently. Hence, the problem still appears exponentially hard in $n$ for $\zeta(n) \in \mathrm{poly}(n)$.

2) Closest Vector Problem: Given a vector $x \in \mathbb{R}^n$, the Closest Vector Problem (CVP) consists in finding the vector in $L$ that is closest to $x$. We define directly the approximation version.

Definition 6 (Closest Vector Problem). Given a lattice $L$, a basis $B$ of $L$, and a vector $x \in \mathbb{R}^n$, the Closest Vector Problem ($\mathrm{CVP}_{L,\gamma}$) consists in finding $y \in L$ such that $\|y - x\| \le \gamma(n) \min_{z \in L} \|z - x\|$.

We will also use the Bounded Distance Decoding Problem (BDD), which is a variant of SVP and consists in finding the closest vector to a point given the promise that this point is within a bounded distance of the lattice.

Definition 7 ($\mathrm{BDD}_{L,d}$). Given a basis $B$ of $L$ and a vector $x \in \mathbb{R}^n$ whose distance to $L$ is at most $d$, the Bounded Distance Decoding Problem ($\mathrm{BDD}_{L,d}$) consists in finding $y \in L$ such that $\|y - x\| = \min_{z \in L} \|z - x\|$.

Note that when $d < \lambda_1(L)/2$, the solution is always unique. Hardness results and algorithms for CVP are similar to those for SVP (e.g. [2], [9], [13]). In the following, we will drop the index $L$ in the problem names (e.g. $\mathrm{SVP}_\gamma$) whenever it is obvious from the context.

II. THE LEARNING WITH ERROR PROBLEM

Now that the basic hard problems on lattices are intro1duced, we can define the hard problem on which most lattice-based cryptosystems rely: the Learning With Error Problem (LWE). We first introduce a subproblem: the Learning from Parity with Noise Problem (LPN).

A. The LPN Problem

The goal of this problem is to find an unknown vector $s \in \{0,1\}^n$, given some noisy versions of its scalar product with known random vectors. More formally:

Definition 8 (LPN Oracle). An LPN oracle $\Pi_{s,p}$ for a hidden vector $s \in \{0,1\}^n$ and $0 < p < \tfrac{1}{2}$ is an oracle returning an LPN vector, i.e., a vector of the form $(a \leftarrow_U \{0,1\}^n,\ \langle a, s \rangle \oplus \nu)$, where $\nu \leftarrow \mathrm{Ber}(p)$.

Definition 9 (Learning from Parity with Noise Problem). The $\mathrm{LPN}_{n,p}$ problem consists, given an LPN oracle $\Pi_{s,p}$, in recovering the hidden vector $s$.

The LPN problem is NP-hard [14] and no good algorithm is known for the average case. The LPN problem also has a decisional form. The problem is the following: let $U_{n+1}$ be an oracle returning random $(n+1)$-bit vectors. Then, an algorithm solves the decisional LPN problem ($\mathrm{DLPN}_{n,p}$) if it can distinguish the output of $\Pi_{s,p}$ from the output of $U_{n+1}$. It is shown that the decisional and the search LPN are equivalent [15], [16]. Thus, the hardness of the LPN problem implies that the output of the LPN vector oracle is indistinguishable from a random source. The first subexponential algorithm to solve the LPN problem was given by Blum, Kalai, and Wasserman in [17]. They estimated its complexity to $2^{O(n/\log n)}$. We denote this algorithm by the BKW algorithm.

The idea behind the BKW algorithm is to first query the LPN oracle to obtain a large number of LPN vectors. It then searches for basis vectors $e_j$ by finding a small number of vectors that XOR to $e_j$. If the number of vectors that XOR to $e_j$ is small, the noise of the resulting vector will be small as well. Using different independent instances that XOR to the same $e_j$, one can recover the $j$-th bit of the secret vector $s$ with good probability. All of this can be done using a large number of queries. The BKW algorithm was analyzed in detail and improved in [18], [19].

B. The LWE Problem

The LWE problem can be seen as a generalisation of LPN over a finite field $\mathbb{Z}_q$. There, instead of Bernoulli noise, another noise distribution is used, typically Gaussian noise. Let $\chi$ be a probability distribution over $\mathbb{Z}_q$ and let $s \in \mathbb{Z}_q^n$. We define the following LWE oracle.

Definition 10 (LWE Oracle). An LWE oracle $A^q_{s,\chi}$ for a hidden vector $s \in \mathbb{Z}_q^n$ and a probability distribution $\chi$ over $\mathbb{Z}_q$ is an oracle returning an LWE vector, i.e., a vector of the form $(a \leftarrow_U \mathbb{Z}_q^n,\ \langle a, s \rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, where $e \leftarrow \chi$.

As for LPN, the $\mathrm{LWE}_{q,\chi}$ problem consists in recovering $s$ using an LWE oracle $A^q_{s,\chi}$. The decisional-LWE problem $\mathrm{DLWE}_{q,\chi}$ consists in distinguishing the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ from an LWE oracle $A^q_{s,\chi}$ with a uniformly random secret $s \in \mathbb{Z}_q^n$. We discuss the distribution of $s$ in more detail in Section VI. If we limit the number of queries to the oracle to $m$, we write $\mathrm{LWE}_{m,q,\alpha}$. A set of $m$ LWE samples can be written in the following matrix format: $(A, As + e)$, with $A$ an $m \times n$ matrix and $e$ a vector of size $m$.

1) Equivalence Between Search-LWE and Decisional-LWE: It is shown in [16], [20] that for $q \in \mathrm{poly}(n)$ and prime, there is a reduction from LWE to DLWE. The reduction consists in guessing every component of $s$ one by one. We show in this proposal how to recover $s_1$.
For this, given an LWE pair $(a, b)$, we submit to the DLWE oracle the vector $(a - (r, 0, \dots, 0), b)$ for $r$ drawn uniformly at random in $\mathbb{Z}_q$. The oracle will recognize an LWE sample only if $s_1 = 0$; otherwise $b$ looks uniform. If $s_1 \ne 0$, one can change the LWE pair to $(a, b + \langle a, t \rangle)$ for $t \in \mathbb{Z}_q^n$. This sample follows exactly the same distribution as a sample from an oracle with secret $s + t$. Thus, we can test again whether $(s+t)_1 = 0$ for the various $t \in \mathbb{Z}_q^n$. Note that $q$ is required to be prime so that the distribution of the sample is uniform when $s_1 \ne 0$. In at most $q$ trials we recover $s_1$ and, hence, we recover $s$ in at most $qn \in \mathrm{poly}(n)$ queries.

This result is extended in [12] to all $q = q_1 \cdots q_t$, $t \in \mathbb{N}$, with each $q_i \in \mathrm{poly}(n)$ prime, $q_i \ge \omega(\sqrt{\log n})$, and under the restriction that the LWE noise is Gaussian. The proof is similar to the one for $q \in \mathrm{poly}(n)$ but is performed modulo each $q_i$ and recovers $s$ using the Chinese remainder theorem. An even more general result is presented in [21], where the condition $q_i \ge \omega(\sqrt{\log n})$ is removed at the expense of an increase of the parameter of the Gaussian distribution used in the decisional LWE oracle. In conclusion, for a large set of moduli $q$, the search and decisional problems are equivalent.

The algorithms solving the LWE problem are the same as the algorithms solving the LPN problem, i.e., BKW and its improvements. In particular, the problem is believed to be hard when the noise is drawn according to a discrete Gaussian distribution $\bar{\Psi}_\alpha$, as we will see in the next sections.²

III. REGEV'S QUANTUM REDUCTION

In this section, we give an overview of Regev's quantum reduction from worst-case GapSVP and SIVP to LWE. It is important to emphasize that this reduction is quantum. This means that LWE can be considered hard as long as there is no quantum algorithm solving GapSVP or SIVP. Hence, this result is weaker than a classical one.
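The search-to-decision reduction of Section II.B.1, as an added example that is not code from the proposal: the Python code below implements an LWE oracle with a toy noise distribution, the secret shift $(a, b) \mapsto (a, b + \langle a, t \rangle)$ that turns samples for $s$ into samples for $s + t$, and the coordinate-by-coordinate recovery of $s$ using at most $q$ decisional-oracle calls per coordinate. The toy parameters ($n = 3$, $q = 11$, noise in $\{-1, 0, 1\}$) are constructed so that a brute-force search over all $q^n$ candidate secrets can stand in for the decisional oracle; in the real reduction that stand-in is replaced by a genuine DLWE distinguisher and nothing else changes.

```python
"""LWE samples, secret shifting and the search-to-decision reduction (Section II.B.1).

Added example; not code from the proposal. Toy parameters (n = 3, q = 11 prime,
noise in {-1, 0, 1}) let a brute-force search stand in for the decisional oracle,
so the code shows the mechanics of the reduction, not a real distinguisher.
"""
import random
from itertools import product

Q, N, M = 11, 3, 30       # constructed toy parameters: prime modulus, dimension, samples per call
NOISE_BOUND = 1           # the toy noise distribution chi is supported on [-1, 1]


def inner(a, s, q=Q):
    """<a, s> mod q."""
    return sum(x * y for x, y in zip(a, s)) % q


def centered(x, q=Q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def lwe_oracle(s, rng, m=M, q=Q):
    """A^q_{s,chi}: m samples (a, <a,s> + e mod q) with a uniform and e from the toy chi."""
    samples = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        e = rng.choice([-1, 0, 0, 1])  # stand-in for the discretised Gaussian
        samples.append((a, (inner(a, s) + e) % q))
    return samples


def uniform_samples(n, rng, m=M, q=Q):
    """U_{n+1}: uniform pairs, used to see the decisional oracle reject."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def shift_secret(samples, t, q=Q):
    """(a, b + <a,t>) is distributed exactly like a sample with secret s + t."""
    return [(a, (b + inner(a, t)) % q) for a, b in samples]


def dlwe_bruteforce(samples, q=Q, bound=NOISE_BOUND):
    """Toy DLWE oracle: accept iff some secret explains every sample with small noise.
    Exponential in n, so only usable for tiny n; a real reduction calls a distinguisher."""
    n = len(samples[0][0])
    for cand in product(range(q), repeat=n):
        if all(abs(centered(b - inner(a, cand))) <= bound for a, b in samples):
            return True
    return False


def recover_secret(sample_fn, n=N, q=Q, dlwe=dlwe_bruteforce, rng=None):
    """Search-LWE from decisional-LWE: learn s one coordinate at a time.

    For coordinate i and guess g, shift the secret by t = -g e_i and replace a by
    a - r e_i with r uniform. If (s - g e_i)_i = 0 the pair is still an LWE sample;
    otherwise b is offset by the uniform value r (s_i - g) (q is prime) and looks random.
    At most q oracle calls per coordinate, q n in total.
    """
    rng = rng or random.Random(0)
    s = [0] * n
    for i in range(n):
        for guess in range(q):
            t = [0] * n
            t[i] = (-guess) % q
            probe = []
            for a, b in shift_secret(sample_fn(), t):
                r = rng.randrange(q)
                a2 = list(a)
                a2[i] = (a2[i] - r) % q
                probe.append((a2, b))
            if dlwe(probe):
                s[i] = guess
                break
    return s


def demo():
    """Constructed run: the reduction recovers a fixed toy secret from a fresh oracle."""
    rng = random.Random(2012)
    s = [4, 0, 9]
    return recover_secret(lambda: lwe_oracle(s, rng), rng=rng) == s


if __name__ == "__main__":
    print("secret recovered through the decisional oracle:", demo())
```

The brute-force oracle is deliberately the only non-polynomial piece: everything the reduction itself does (shifting, masking one coordinate of $a$, looping over the $q$ guesses) is polynomial in $n$ and $q$, which is the point of the equivalence.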
The proof shows how one can, using an $\mathrm{LWE}_{q,\Psi_\alpha}$ oracle, quantumly generate vectors from the distribution $D_{L,r}$ for $r \ge \sqrt{2n}\,\eta_\epsilon(L)/\alpha$, with $\alpha \in (0,1)$ such that $\alpha q > 2\sqrt{n}$. The reduction to GapSVP then follows from Peikert's result (see Section IV) using these samples. For SIVP, one simply gathers slightly more than $n$ samples from the distribution (so that they are linearly independent and have the correct size). Since $\eta_\epsilon(L) \le \omega(\sqrt{\log n})\,\lambda_n(L)$ when $\epsilon$ is negligible, we can solve $\mathrm{SIVP}_{\tilde{O}(n/\alpha)}$ by Lemma 3.

Thus, the main part of Regev's work consists in generating samples of the distribution $D_{L,r}$. This is done using an iterative algorithm which starts with samples of a very broad Gaussian distribution with parameter $r = 2^{2n} \lambda_n(L)$. Samples from this wide Gaussian distribution can easily be gathered using the LLL algorithm (see Lemma 4). These samples, along with the $\mathrm{LWE}_{q,\Psi_\alpha}$ oracle, are used to solve the $\mathrm{BDD}_{L^*,\alpha q/(\sqrt{2} r)}$ problem on the dual lattice. This part of the proof is classical (Lemma 5). Using the newly created BDD oracle, one can generate with a quantum algorithm new samples from a narrower Gaussian distribution $D_{L, r\sqrt{n}/(\alpha q)}$ (Lemma 6). By iterating these two lemmas, we obtain at each step a narrower Gaussian distribution. We stop once we reach $D_{L, \sqrt{2n}\,\eta_\epsilon(L)/\alpha}$. We now describe the three steps of the proof in more detail.

Lemma 4 (Regev's bootstrapping lemma [3, Lemma 3.2]). One can efficiently generate samples from a distribution that is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$ for $r > 2^{2n} \lambda_n(L)$.

Proof (idea): These samples can easily be generated using the LLL algorithm. First, generate an LLL-reduced basis $B$ of $L$. Then take a random sample $y$ from $\nu_r$, the continuous Gaussian distribution over $\mathbb{R}^n$, and output $y - (y \bmod \mathcal{P}(B))$.

Lemma 5 (Regev's reduction: classical part [3, Lemma 3.4]). Let $\epsilon(n)$ be a negligible function, $q(n) \ge 2$ be an integer and $\alpha(n) \in (0,1)$ be a real number. Assume that we have access to an oracle $W$ that solves $\mathrm{LWE}_{q,\Psi_\alpha}$ given a polynomial number of samples. Then there exist a constant $c > 0$ and an efficient algorithm $R$ that, given as input a basis $B$ of a lattice $L$, a number $r \ge \sqrt{2} q\,\eta_\epsilon(L^*)$ and $n^c$ samples from $D_{L,r}$, solves $\mathrm{BDD}_{L^*, \alpha q/(\sqrt{2} r)}$.

Proof (idea): Let $v$ be the solution of the BDD problem and let $x$ be its input. The idea is to generate LWE samples with secret $s = B^t v \bmod q$. Once $s$ is recovered using the LWE oracle, we have the least significant digit of $B^t v$ in base $q$. The second digit is recovered by running the same procedure on $(x - s)/q$ instead. The LWE samples are generated as follows. We first take a sample $y$ from $D_{L,r}$. Let $a := B^{-1} y \bmod q$, the coefficient vector of $y$ in the basis $B$. The vector $a$ looks uniformly distributed since $r \ge q\,\eta_\epsilon(L^*)$ [3]. Let also $b := \langle y, x \rangle + e' \bmod q$, where $e'$ is some additional continuous Gaussian error term. Writing $x = v + e$ with $\|e\| \le \alpha q/(\sqrt{2} r)$, we have

$$\langle y, x \rangle = \langle y, v \rangle + \langle y, e \rangle = \langle B^{-1} y, B^t v \rangle + \langle y, e \rangle = \langle a, s \rangle + \langle y, e \rangle \bmod q.$$

The term $\langle y, e \rangle$ is essentially normally distributed with standard deviation $\alpha q$. The extra noise $e'$ is added so that this noise looks non-discrete. Also, since the amount of noise obtained from $\langle y, e \rangle$ depends on the distance between $x$ and the lattice, it might be too low for our LWE oracle and, hence, we need to add some more noise. We refer the reader to [3] for more details.

Lemma 6 (Regev's reduction: quantum part [3, Lemma 3.14]). Given any $n$-dimensional lattice $L$, a number $d < \lambda_1(L^*)/2$, and an oracle that solves $\mathrm{BDD}_{L^*,d}$, there exists a quantum algorithm that efficiently outputs a sample from $D_{L, \sqrt{n}/(\sqrt{2} d)}$.

Proof (idea): The main quantum tool required here is the quantum Fourier transform. The Fourier transform of $D_{L,r}$ is given by $f_{1/r}(x) := \exp\{-\pi (r \cdot \mathrm{dist}(x, L^*))^2\}$. The idea is to build a quantum state $\sum_{z \in \mathbb{R}^n} f_{1/r}(z) |z\rangle$.³ Then, taking the quantum Fourier transform, one can measure the state and obtain a sample from the required distribution. Up to this point, it seems that the BDD oracle is never used. In fact, the oracle is required to construct the quantum state $\sum_{z \in \mathbb{R}^n} f_{1/r}(z) |z\rangle$.

² In some papers, the LWE problem is defined with $b \in \mathbb{R}/\mathbb{Z}$, i.e., a continuous value. Both results are equivalent, as shown in [3], and we will use the discrete version for simplicity.
This state is obtained by adding the quantum Gaussian state of width $1/r$, $\sum_{z \in \mathbb{R}^n} \exp(-\pi \|rz\|^2) |z\rangle$, to $\sum_{x \in L^*} |x\rangle$, which gives $\sum_{x \in L^*, z \in \mathbb{R}^n} \exp(-\pi \|rz\|^2) |x, x + z\rangle$. We want to measure the quantum Fourier transform of the second register. Hence, we need to erase the first one. However, this operation is usually not reversible. By carefully analyzing $\exp(-\pi \|rz\|^2)$, we notice that most of the mass occurs when $\|z\| \le \sqrt{n}/r$. Hence, we can use the BDD oracle to recover $x$ from $x + z$. Thus, the erasure can be made reversible.

³ We take the sum over $\mathbb{R}^n$ to avoid some technicalities. In the actual proof, the sum is taken over a finite set.

IV. PEIKERT'S CLASSICAL REDUCTION

In [12], Peikert showed how one can classically reduce LWE to $\mathrm{GapSVP}_{\zeta,\gamma}$. Compared to Regev's reduction presented in Section III, this reduction has the advantage of being non-quantum, which is a stronger result. On the other hand, it reduces LWE to $\mathrm{GapSVP}_{\zeta,\gamma}$, which is equivalent to $\mathrm{GapSVP}_\gamma$ only for large values of $\zeta$. We will see in this section that this occurs when $q$ is exponential in $n$. Also, Regev's reduction solves the search problem SIVP as well, and not only the decisional problem GapSVP. The main theorem is the following.

Theorem 1 ([12, Theorem 3.1]). Let $\alpha(n) \in (0,1)$ be a real number and $\gamma(n) \ge n/(\alpha \sqrt{\log n})$. Let $\zeta(n) \ge \gamma(n)$ and $q(n) \ge (\zeta/\sqrt{n}) \cdot \omega(\sqrt{\log n})$. There is a ppt reduction from worst-case $\mathrm{GapSVP}_{\zeta,\gamma}$ to $\mathrm{LWE}_{q,\Psi_\alpha}$ using a polynomial number of samples.

The proof is given in detail in [12]. In this proposal, we provide a high-level description of it.

Proof (idea): The proof makes use of Lemma 5, the classical component of Regev's proof given in Section III. Recall that this lemma solves BDD using an LWE oracle and samples from a discrete Gaussian distribution. However, it is not known how to perform classically the step that allows us to get samples from a Gaussian distribution with a smaller parameter, as done quantumly in Regev's proof. Peikert's reduction is the following. Let $(B, d)$ be a $\mathrm{GapSVP}_{\zeta,\gamma}$ input.
Iterate the following procedure $N \in \mathrm{poly}(n)$ times.

1) Choose a random point $v$ on $L$ and a point $w$ uniformly at random from the ball $d' \mathcal{B}_n$ with $d' := d\sqrt{n}/(4 \log n)$, and let $x := v + w$.

2) Use Regev's algorithm $R$ from Lemma 5 on $x$ with parameter $r := q\sqrt{2n}/(\gamma d)$. Note that this algorithm also needs samples from $D_{L,r}$. This can be done using Proposition 1 since $r \ge \sqrt{2}\,\omega(\sqrt{\log n}) \ge \omega(\sqrt{\log n}) \cdot 1/\min_i \|\tilde{b}_i\| = \max_i \|\tilde{b}^*_i\| \cdot \omega(\sqrt{\log n})$. Let the result of $R$ be $v'$.

3) If $v' \ne v$, return YES.

If the procedure never returned YES, return NO.

We briefly analyze the correctness of this procedure. First, note that $r$ and $\gamma$ are selected such that $d' \le \alpha q/(\sqrt{2} r)$. Hence, the point $v$ is always within the radius of the BDD algorithm. Now, if $(B, d)$ is a NO instance, this means that $\lambda_1(L) \ge \gamma d$, i.e., the minimum distance in the lattice is large compared to $d$. For a NO instance, the condition on $r$ in Regev's algorithm is verified, since $r = \sqrt{2n} q/(\gamma d) > \sqrt{2n} q/\lambda_1(L) \ge \sqrt{2} q\,\eta_{2^{-n}}(L^*)$ using Lemma 3. Note also that in this case $d' < \lambda_1(L)/2$. This means that the closest point is unique. Hence, Regev's algorithm returns the vector $v$ at each iteration. In the case of a YES instance, we have $\lambda_1(L) \le d$. Note that in this case, the condition on $r$ in Regev's algorithm is not verified. Since $\lambda_1(L)$ is small, one can compare the distribution of $x$ when $v$ is chosen as a lattice point and the distribution of $x'$ when $v + z$ is chosen as a lattice point, with $z$ a vector of length $\lambda_1(L)$. Since both spheres in which we pick $x$ and $x'$ are really close, it is shown that $\Pr[R(x) = v] \le 1 - 1/\mathrm{poly}(n)$. Hence, if we perform $N \in \mathrm{poly}(n)$ iterations of the procedure, Regev's algorithm will output a vector different from $v$ with good probability.

V. THE RING-LWE PROBLEM

One drawback of cryptosystems based on LWE is usually the size of their public keys. Indeed, most of these systems require as a public key about $n$ vectors in $\mathbb{Z}_q^n$, i.e., a size of order $O(n^2)$. The Ring-LWE problem reduces this size to roughly linear, which makes the cryptosystems more practical. This can be done by working over the ring $R_q := \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$ instead of $\mathbb{Z}_q^n$ and, hence, using only $O(n)$ memory. In the following, we will fix $q \equiv 1 \bmod 2n$ and $R_q := \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$, but all results are shown in [22] for a much larger class of rings.⁴ We now formalize the Ring-LWE problem.

Definition 11 (Ring-LWE). Let $q$ and $R_q$ be as above. The $\text{Ring-LWE}_{s,\psi}$ search problem, for $s \in R_q$ and $\psi$ a probability distribution over $R_q$, consists in recovering the element $s$ using Ring-LWE samples, i.e., samples of the form $(a \leftarrow_U R_q,\ a \cdot s + e) \in R_q \times R_q$, for $e \leftarrow \psi$.

The decisional version Ring-DLWE is defined in the same way as for standard LWE. Lyubashevsky et al. showed that Ring-LWE can be reduced to SIVP using a reduction similar to Regev's (Section III) but on ideal lattices, i.e., lattices that are an ideal in a group. In the following, we will consider only ideals in $R_q$. On these lattices, it is important to note that $\mathrm{GapSVP}_{\sqrt{n}}$ is easy [23]. It is thus necessary that the result be based on the hardness of a problem which is believed hard even on these particular lattices. This is the case, for instance, for SIVP. The proof differs slightly from Regev's proof in the part corresponding to Lemma 5. Recall that in this proof, the amount of noise in the generated LWE samples depended on $\langle e, y \rangle$, and that the solution was to add some more noise to hit the correct amount of noise. In Ring-LWE, this inner product is replaced by a ring product, which yields a Gaussian distribution whose variance depends on the entire vector $e$ and not only on its norm. It is not possible to solve this issue by adding some more noise. Hence, it is necessary to assume that the Ring-LWE oracle works for a large range of noise distributions and not only a single one. With Ring-LWE, truly effective cryptosystems [22] and homomorphic encryption schemes (e.g. [24]) were designed.

VI. THE CHOICE OF THE SECRET $s$

In the definition of DLWE, we are in the presence of a worst-case problem and not of an average-case problem, as is usually the case in cryptography. This fact will be one of the strengths of cryptosystems based on DLWE, since we do not have to fear weak instances of the problem. Indeed, there is the following worst-case to average-case reduction.

Lemma 7 ([23, Lemma 3.2]). Let $n, q \ge 1$ be integers, and $\chi$ be a distribution on $\mathbb{Z}_q$. Assume that we have access to a distinguisher $W$ that distinguishes $A^q_{s,\chi}$ from the uniform distribution for a non-negligible fraction of the secrets $s \in \mathbb{Z}_q^n$. Then, there exists an efficient algorithm that, for all $s$, accepts (resp. rejects) with probability exponentially close to $1$ on inputs from $A^q_{s,\chi}$ (resp. from the uniform distribution).

The proof is based on the idea that for any $t \in \mathbb{Z}_q^n$, given a DLWE input $(a, b)$, the pair $(a, b + \langle a, t \rangle)$ is either a sample from $A^q_{s+t,\chi}$ or a sample from the uniform distribution. Thus, if we can distinguish for a non-negligible fraction of the secrets $s$, we can solve DLWE for any $s$ by repeating the experiment with various $t$. Note that we need to be able to distinguish for a non-negligible fraction of the secrets for this reduction to work.

We present in this proposal two other results concerning the distribution of the secret $s$. First, it was shown by Applebaum et al. that DLWE is not easier when $s$ is drawn from the same distribution $\chi$ as the noise [25]. We give here a high-level description of this clever reduction. First we collect $n$ samples $(a_i, b_i)$ from the oracle $A^q_{s,\chi}$ whose secret is drawn uniformly. We choose these samples such that the $a_i$ are linearly independent. We can write these samples as $(\bar{A}, \bar{b} := \bar{A}^T s + \bar{e})$, where $\bar{A}$ is the matrix whose columns are the vectors $a_i$, $\bar{b}$ is the vector of the $b_i$, and $\bar{e}$ is a vector of errors drawn according to the distribution $\chi$.

⁴ The result is shown for any cyclotomic ring.
Since the $a_i$ are linearly independent, $\bar{A}$ is invertible. If we replace every sample $(a, b)$ by $(-\bar{A}^{-1} a,\ b - \langle \bar{A}^{-1} a, \bar{b} \rangle)$, we get samples from $A^q_{\bar{e},\chi}$, which is exactly the LWE problem with the secret drawn according to the error distribution.

A. Choosing $s$ from Any Distribution

A more general result is shown in [26]. In their work, the authors generalize the result to a larger class of probability distributions. We present their theorem in this section.

Theorem 2 ([26, Theorem 4]). Let $n, q \ge 1$ be integers and let $D$ be any distribution over $\mathbb{Z}_q^n$ with $H_\infty(D) \ge k$. Let $\gamma, \beta > 0$ be such that $\gamma/\beta$ is negligible in $n$. Then for any $l \le O(k - \omega(\log n))$, there is a ppt reduction from $\mathrm{DLWE}_{l,q,\bar{\Psi}_\gamma}$ with uniform secret distribution to $\mathrm{DLWE}_{n,q,\bar{\Psi}_\beta}$ with secret distribution $D$, using $m \in \mathrm{poly}(n)$ samples.⁵

We now discuss the result. First note that with this reduction we have a loss in the dimension of the secret, i.e., we go from $n$ to $l \le O(k - \omega(\log n))$. This change in the dimension makes sense, since we work with secrets of much lower entropy. Note also that we now have a condition on the parameter of the Gaussian distribution used in LWE: $\gamma$ should be negligible compared to $\beta$. Since we need $q \ge \omega(\sqrt{n}/\gamma)$ for the reduction from LWE to standard lattice problems to hold, this implies that $q$ should be super-polynomial in $n$. The result remains nonetheless interesting since it holds for extremely general distributions. The theorem can also be interpreted (with a slight change in the proof) as a reduction from the standard $\mathrm{DLWE}_{l,q,\bar{\Psi}_\gamma}$ problem with $l \le O(k - \omega(\log n))$ to the standard $\mathrm{DLWE}_{n,q,\bar{\Psi}_\beta}$ with some auxiliary input $h(s)$, using the same (polynomial) number of queries, for a secret $s$, a function $h\colon \mathbb{Z}_q^n \to \{0,1\}^*$ that is $2^{-k}$-hard to invert, and $\gamma/\beta$ negligible. We now give an overview of the proof of Theorem 2.

Proof (idea): The idea is to use the DLWE assumption and Lemma 1.
We will use the leftover hash lemma with, as family of universal hash functions, multiplication by a random matrix in $\mathbb{Z}_q^{l \times n}$. Using such a matrix, we can hide the secret $s$ so that its distribution looks uniform.

⁵ In [26], the result is proven for $D$ a distribution over $\{0,1\}^n$, but the more general result is given as a remark.

For this, we first use the DLWE assumption to show that the matrix $A' := BC + Z$, with $B \in \mathbb{Z}_q^{m \times l}$ and $C \in \mathbb{Z}_q^{l \times n}$ drawn uniformly at random and $Z \leftarrow \Psi_\gamma^{m \times n}$, is computationally indistinguishable from a uniformly drawn matrix. Hence, we can replace $A$ by $A'$ in the following. We now need to show that $(A', A's + e)$, $e \leftarrow \Psi_\beta$, is indistinguishable from uniform. The proof shows that $(B, C, Z, BCs + Zs + e)$ is computationally indistinguishable from $(B, C, Z, u)$, with $u$ uniform. By carefully looking at the Gaussian coefficients, and since $\gamma/\beta$ is negligible, this distribution is statistically close to $(B, C, Z, BCs + e')$, where $e'$ is drawn from $\Psi_\beta^m$. Since $Z$ is efficiently sampleable and by the leftover hash lemma, we get that $(C, Cs)$ is statistically indistinguishable from $(C, u)$.

Using this new result, Goldwasser et al. designed a symmetric encryption scheme secure against chosen plaintext attacks, even if the key is selected according to a weak probability distribution with low min-entropy or in the presence of an auxiliary input which is hard to invert. This scheme is a straightforward application of the LWE problem. The secret key is a vector $s \in \{0,1\}^n$. The ciphertext corresponding to a message $w \in \{0,1\}^m$ is $\mathrm{Enc}_s(w) = (A, As + x + \lfloor q/2 \rfloor w)$. Another application presented in [26] is the design of an obfuscator for the class of point functions with multi-bit output $\{I_{(k,m)} : k, m \in \{0,1\}^*\}$, where $I_{k,m}(x) := m$ if $x = k$ and $\bot$ otherwise. An obfuscator for a class of functions takes as input one of these functions and outputs a circuit that has essentially the same behavior as the input function, but such that it does not give any information about the function that cannot be found out given oracle access to it. We refer the reader to [27], [26] for more details.

VII. APPLICATIONS TO PUBLIC-KEY CRYPTOGRAPHY

The LWE problem has many applications in cryptography. A large number of public-key cryptosystems were designed based on the hardness of LWE.
We describe here Regev's original scheme, which is an interesting application of LWE [16], [23]. The parameters are three integers $n$, $m$ and $q$ and a real number $\alpha > 0$. The scheme is secure and correct if we take $q$ prime between $n^2$ and $2n^2$, $m = 1.1\, n \log q$ and $\alpha = 1/(\sqrt{n} \log^2 n)$, for a security parameter $n$. The private key is a random vector $s \in \mathbb{Z}_q^n$. To generate the public key, take $m$ vectors $a_1, \dots, a_m \in \mathbb{Z}_q^n$ uniformly at random and $m$ elements $e_1, \dots, e_m \in \mathbb{Z}_q$ according to the Gaussian distribution $\Psi_\alpha$. The public key is $(a_i, b_i := \langle a_i, s \rangle + e_i)_{i=1}^m$, i.e., $m$ LWE samples. To encrypt a bit $b \in \{0,1\}$, select a random subset $S \subseteq \{1, \dots, m\}$ and return $(\sum_{i \in S} a_i,\; b \lfloor q/2 \rfloor + \sum_{i \in S} b_i)$. To decrypt a pair $(a, b)$, return 0 if $b - \langle a, s \rangle$ is closer to 0 than to $\lfloor q/2 \rfloor$ modulo $q$; else, return 1. Correctness is easy to show. We sum at most $m$ error terms, each of them having standard deviation $\alpha q$. Hence, the standard deviation of the sum of these terms is smaller than $\sqrt{m}\, \alpha q < q/\log n$. Then, $\Pr[N(0, q^2/\log^2 n) \geq q/4] = \Pr[N(0,1) \geq \log n / 4]$, which is negligible in $n$. The security of the scheme follows from the fact that the sum of pairs is indistinguishable from uniform, by the LWE assumption and the leftover hash lemma. This holds since $2^m \gg q^{n+1}$. A dual version of this scheme (the dual Regev scheme) was introduced later [5]. In this scheme, the key generation and encryption algorithms are essentially swapped. A matrix $A \in \mathbb{Z}_q^{n \times m}$ is common to all users and is chosen uniformly at random. The secret key is an error vector $e \in \mathbb{Z}_q^m$ drawn according to a Gaussian distribution. The public key is $u := Ae \bmod q$. To encrypt a bit $b \in \{0,1\}$, pick $s \in \mathbb{Z}_q^n$ uniformly at random and $x \leftarrow \Psi_\alpha^m$, for an $\alpha > 0$. Then output $(A^T s + x,\; u^T s + x' + b \lfloor q/2 \rfloor)$, with $x' \leftarrow \Psi_\alpha$. To decrypt a ciphertext $(p, c)$, compute $b' := c - e^T p$ and output 0 if $b'$ is closer to 0 than to $\lfloor q/2 \rfloor$, and 1 otherwise. Interestingly, this scheme can easily be converted into an identity-based encryption scheme by replacing the public key $u$ by a hash of the identity.
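The following toy implementation is added here and is not code from the proposal or from the cited papers: it runs the three schemes described above (the Goldwasser et al. symmetric scheme from Section VI, Regev's scheme and the dual Regev scheme) end to end, so the decryption rule "closer to 0 than to $\lfloor q/2 \rfloor$" and the noise terms can be inspected concretely. It assumes toy parameters ($n = 8$, $q = 4093$, $m = 106$, error standard deviation 4) chosen for readability rather than from the formulas in the text, and a rounded continuous Gaussian as a stand-in for $\Psi_\alpha$; these parameters offer no security.

```python
import random


def gauss_int(sigma, rng):
    """Rounded continuous Gaussian N(0, sigma^2).
    Assumption: stands in for Psi_alpha; a real implementation needs a
    proper discrete Gaussian sampler."""
    return int(round(rng.gauss(0.0, sigma)))


def dot(a, b, q):
    """Inner product <a, b> modulo q."""
    return sum(x * y for x, y in zip(a, b)) % q


def matvec(A, v, q):
    """A v mod q, with A given as a list of rows."""
    return [dot(row, v, q) for row in A]


def decode_bit(v, q):
    """0 if v is closer to 0 than to floor(q/2) modulo q, else 1."""
    v %= q
    return 0 if min(v, q - v) < abs(v - q // 2) else 1


# Goldwasser et al. symmetric scheme: Enc_s(w) = (A, A s + x + floor(q/2) w)
# with a binary secret s; A is fresh and uniform for every encryption.
def sym_encrypt(s, w, q, sigma, rng):
    m, n = len(w), len(s)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    c = [(b + gauss_int(sigma, rng) + (q // 2) * wi) % q
         for b, wi in zip(matvec(A, s, q), w)]
    return A, c


def sym_decrypt(s, ct, q):
    A, c = ct
    return [decode_bit(ci - bi, q) for ci, bi in zip(c, matvec(A, s, q))]


# Regev's public-key scheme: the public key is m LWE samples.
def regev_keygen(n, m, q, sigma, rng):
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = [(bi + gauss_int(sigma, rng)) % q for bi in matvec(A, s, q)]
    return s, (A, b)          # rows of A are a_i, b_i = <a_i, s> + e_i


def regev_encrypt(pk, bit, q, rng):
    A, b = pk
    S = [i for i in range(len(A)) if rng.random() < 0.5]   # random subset
    a_sum = [sum(A[i][j] for i in S) % q for j in range(len(A[0]))]
    b_sum = (bit * (q // 2) + sum(b[i] for i in S)) % q
    return a_sum, b_sum


def regev_decrypt(s, ct, q):
    a, b = ct
    # b - <a, s> = bit*floor(q/2) + sum of at most m error terms
    return decode_bit(b - dot(a, s, q), q)


# Dual Regev: a public n x m matrix A is shared by all users.
def dual_keygen(A, q, sigma_key, rng):
    e = [gauss_int(sigma_key, rng) for _ in range(len(A[0]))]  # short secret
    return e, matvec(A, e, q)                                  # u = A e mod q


def dual_encrypt(A, u, bit, q, sigma, rng):
    n, m = len(A), len(A[0])
    s = [rng.randrange(q) for _ in range(n)]
    At = [[A[i][j] for i in range(n)] for j in range(m)]       # A^T
    p = [(v + gauss_int(sigma, rng)) % q for v in matvec(At, s, q)]
    c = (dot(u, s, q) + gauss_int(sigma, rng) + bit * (q // 2)) % q
    return p, c


def dual_decrypt(e, ct, q):
    p, c = ct
    # c - e^T p = x' - e^T x + bit*floor(q/2): the e^T A^T s terms cancel
    return decode_bit(c - dot(e, p, q), q)


def roundtrip(bits, seed=1, n=8, q=4093, m=106, sigma=4.0, sigma_key=2.0):
    """Encrypt and decrypt `bits` under all three schemes with toy parameters
    (assumption: chosen for readability, not from the text's formulas).
    Returns the three recovered bit lists; each should equal `bits`."""
    rng = random.Random(seed)
    s_sym = [rng.randrange(2) for _ in range(n)]
    sym = sym_decrypt(s_sym, sym_encrypt(s_sym, bits, q, sigma, rng), q)
    s, pk = regev_keygen(n, m, q, sigma, rng)
    reg = [regev_decrypt(s, regev_encrypt(pk, b, q, rng), q) for b in bits]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e, u = dual_keygen(A, q, sigma_key, rng)
    dual = [dual_decrypt(e, dual_encrypt(A, u, b, q, sigma, rng), q)
            for b in bits]
    return sym, reg, dual


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample plaintext
    print(roundtrip(msg))
```

With these parameters the accumulated noise stays far below $q/4$, so every bit decrypts correctly; shrinking $q$ or enlarging the error standard deviation lets you watch decryption failures appear, which is exactly the trade-off the correctness argument above quantifies.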
The corresponding secret key is then $A^{-1}u$. Note that in this case, $A$ has to remain secret (it is a master key). More efficient (and more elaborate) schemes are presented in [28], [29]. These schemes can be made truly practical if we use the Ring-LWE problem.

VIII. RESEARCH PROPOSAL

The TCHo trapdoor cipher was first introduced in [30] by Finiasz and Vaudenay and improved in [31] by Aumasson et al. Roughly, a message is encrypted by adding some random biased noise and some contribution from a linear code. In TCHo, this noise is introduced using a linear feedback shift register (LFSR). The security of TCHo is based on the hardness of the Low-Weight Polynomial Multiple problem, which consists in finding a multiple of a polynomial whose Hamming weight is smaller than a fixed bound. TCHo also relies on heuristic assumptions. We replaced the linear code generated by the LFSR with a linear code indistinguishable from a random linear code. This allowed us to reduce the hardness of distinguishing two ciphertexts to the LPN problem and to remove the heuristic assumptions. Our reduction also relies on the hardness of the Low Weight Codeword (LWC) problem. This problem is well-studied in coding theory and consists in finding a codeword of a linear code with Hamming weight smaller than a given bound. Both problems are believed to be hard, and a lower bound on the complexity of the LWC problem is given by Finiasz and Sendrier [32]. Later, this bound was shown to be incorrect for some parameters [33] at ASIACRYPT 2011 and more recently in [34]. We now plan to study the Ring-LPN problem introduced in [35] and see whether it applies to our new encryption scheme, since this new problem seems to allow more efficient designs. Our plan is also to see how this new system can be improved using the LWE and Ring-LWE problems. We believe that this generalization will lead to more practical parameters. We will then compare this new cryptosystem with existing lattice-based systems.
As a second step, we plan to convert our scheme into a homomorphic cryptosystem. A cryptosystem is said to be homomorphic if one can evaluate a function on the ciphertexts without knowing the secret key such that a specific operation is performed on the corresponding plaintexts. One has to distinguish between partially homomorphic schemes, which allow only one type of homomorphic operation (typically addition or multiplication), and fully homomorphic schemes, which allow any type of operation. To design such a system, we first need to find a good way of performing homomorphic operations without increasing the noise in the ciphertext too much.

Another research direction is to study the algorithms used to solve the (Ring-)LPN and (Ring-)LWE problems. Very few algorithms for solving these problems are known. The first was the BKW algorithm, introduced by Blum, Kalai and Wasserman [17] for the LPN problem, which requires a subexponential number of queries. The BKW algorithm was analyzed in detail and improved in [18], [19], but these new algorithms still have the same asymptotic complexity. No better algorithm is currently known. By studying these algorithms more carefully, we can better understand the underlying problems and use them safely to prove the security of our design. In particular, as discussed in Section V, a lot of work remains to be done regarding the hardness of Ring-LWE, which is a brand new problem. We can then use these new algorithms to attack recent lattice-based cryptosystems. There is a large number of such systems, and the security of some of them is not well understood. In particular, systems based on Ring-LWE or the NTRU cryptosystem [36], which are currently among the most efficient lattice-based cryptosystems, might be vulnerable to new attacks.

REFERENCES

[1] R. Impagliazzo, L. A. Levin, and M. Luby, "Pseudo-random Generation from One-way Functions (Extended Abstracts)," in STOC, D. S. Johnson, Ed. ACM, 1989.
[2] A. Lenstra, H. Lenstra, and L. Lovász, "Factoring polynomials with rational coefficients," Mathematische Annalen, vol. 261, no. 4.
[3] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," J. ACM, vol. 56, no. 6.
[4] D. Micciancio and O. Regev, "Worst-Case to Average-Case Reductions Based on Gaussian Measures," SIAM J. Comput., vol. 37, no. 1.
[5] C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in STOC, C. Dwork, Ed. ACM, 2008.
[6] M. Ajtai, "The Shortest Vector Problem in $L_2$ is NP-hard for Randomized Reductions," Electronic Colloquium on Computational Complexity (ECCC), vol. 4, no. 47.
[7] S. Khot, "Hardness of Approximating the Shortest Vector Problem in Lattices," in FOCS. IEEE Computer Society, 2004.
[8] I. Haviv and O. Regev, "Tensor-based hardness of the shortest vector problem to within almost polynomial factors," in STOC, D. S. Johnson and U. Feige, Eds. ACM, 2007.
[9] M. Ajtai, R. Kumar, and D. Sivakumar, "Sampling Short Lattice Vectors and the Closest Lattice Vector Problem," in IEEE Conference on Computational Complexity, 2002.
[10] D. Micciancio and P. Voulgaris, "Faster Exponential Time Algorithms for the Shortest Vector Problem," in SODA, M. Charikar, Ed. SIAM, 2010.
[11] C.-P. Schnorr, "A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms," Theoretical Computer Science, vol. 53.
[12] C. Peikert, "Public-key cryptosystems from the worst-case shortest vector problem: extended abstract," in STOC, M. Mitzenmacher, Ed. ACM, 2009.
[13] I. Dinur, G. Kindler, R. Raz, and S. Safra, "Approximating CVP to Within Almost-Polynomial Factors is NP-Hard," Combinatorica, vol. 23, no. 2.
[14] E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg, "On the inherent intractability of certain coding problems," IEEE Transactions on Information Theory, vol. 24, no. 3.
[15] J. Katz and J. S. Shin, "Parallel and Concurrent Security of the HB and HB+ Protocols," in EUROCRYPT, 2006.
[16] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in STOC, H. N. Gabow and R. Fagin, Eds. ACM, 2005.
[17] A. Blum, A. Kalai, and H. Wasserman, "Noise-Tolerant Learning, the Parity Problem, and the Statistical Query Model," J. ACM, vol. 50, no. 4.
[18] É. Levieil and P.-A. Fouque, "An Improved LPN Algorithm," in SCN, ser. Lecture Notes in Computer Science, R. D. Prisco and M. Yung, Eds. Springer, 2006.
[19] M. P. C. Fossorier, M. J. Mihaljevic, H. Imai, Y. Cui, and K. Matsuura, "An Algorithm for Solving the LPN Problem and Its Application to Security Evaluation of the HB Protocols for RFID Authentication," in INDOCRYPT, 2006.
[20] A. Blum, M. L. Furst, M. J. Kearns, and R. J. Lipton, "Cryptographic Primitives Based on Hard Learning Problems," in CRYPTO, ser. Lecture Notes in Computer Science, D. R. Stinson, Ed. Springer, 1993.
[21] D. Micciancio and C. Peikert, "Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller," in EUROCRYPT, ser. Lecture Notes in Computer Science, D. Pointcheval and T. Johansson, Eds. Springer, 2012.
[22] V. Lyubashevsky, C. Peikert, and O. Regev, "On Ideal Lattices and Learning with Errors over Rings," in EUROCRYPT, ser. Lecture Notes in Computer Science, H. Gilbert, Ed. Springer, 2010.
[23] O. Regev, "The Learning with Errors Problem (Invited Survey)," in IEEE Conference on Computational Complexity. IEEE Computer Society, 2010.
[24] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, "(Leveled) fully homomorphic encryption without bootstrapping," in ITCS, S. Goldwasser, Ed. ACM, 2012.
[25] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems," in CRYPTO, ser. Lecture Notes in Computer Science, S. Halevi, Ed. Springer, 2009.
[26] S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan, "Robustness of the Learning with Errors Assumption," in ICS, A. C.-C. Yao, Ed. Tsinghua University Press, 2010.
[27] R. Canetti, Y. T. Kalai, M. Varia, and D. Wichs, "On Symmetric Encryption and Point Obfuscation," in TCC, ser. Lecture Notes in Computer Science, D. Micciancio, Ed. Springer, 2010.
[28] R. Lindner and C. Peikert, "Better Key Sizes (and Attacks) for LWE-Based Encryption," in CT-RSA, ser. Lecture Notes in Computer Science, A. Kiayias, Ed. Springer, 2011.
[29] D. Micciancio and O. Regev, "Lattice-based Cryptography," in Post-Quantum Cryptography, D. J. Bernstein, J. Buchmann, and E. Dahmen, Eds. Springer, 2009.
[30] M. Finiasz and S. Vaudenay, "When Stream Cipher Analysis Meets Public-Key Cryptography," in Selected Areas in Cryptography, ser. Lecture Notes in Computer Science, E. Biham and A. M. Youssef, Eds. Springer, 2006.
[31] J.-P. Aumasson, M. Finiasz, W. Meier, and S. Vaudenay, "TCHo: A Hardware-Oriented Trapdoor Cipher," in ACISP, ser. Lecture Notes in Computer Science, J. Pieprzyk, H. Ghodosi, and E. Dawson, Eds. Springer, 2007.
[32] M. Finiasz and N. Sendrier, "Security bounds for the design of code-based cryptosystems," in ASIACRYPT, ser. Lecture Notes in Computer Science, M. Matsui, Ed. Springer, 2009.
[33] A. May, A. Meurer, and E. Thomae, "Decoding Random Linear Codes in $\tilde{O}(2^{0.054n})$," in ASIACRYPT, ser. Lecture Notes in Computer Science, D. H. Lee and X. Wang, Eds. Springer, 2011.
[34] A. Becker, A. Joux, A. May, and A. Meurer, "Decoding Random Binary Linear Codes in $2^{n/20}$: How $1+1=0$ Improves Information Set Decoding," in EUROCRYPT, 2012.
[35] S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, and K. Pietrzak, "LAPIN: An Efficient Authentication Protocol Based on Ring-LPN," in FSE, 2012, to appear.
[36] J. Hoffstein, J. Pipher, and J. H. Silverman, "NTRU: A Ring-Based Public Key Cryptosystem," in ANTS, ser. Lecture Notes in Computer Science, J. Buhler, Ed. Springer, 1998.


How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Craig Gentry Stanford University cgentry@cs.stanford.edu Vinod Vaikuntanathan MIT vinodv@mit.edu August 25, 2008

More information

Lecture 2: Complexity Theory Review and Interactive Proofs

Lecture 2: Complexity Theory Review and Interactive Proofs 600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Fully homomorphic encryption equating to cloud security: An approach

Fully homomorphic encryption equating to cloud security: An approach IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 2 (Jan. - Feb. 2013), PP 46-50 Fully homomorphic encryption equating to cloud security: An approach

More information

An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms. The Problem An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

More information

Influences in low-degree polynomials

Influences in low-degree polynomials Influences in low-degree polynomials Artūrs Bačkurs December 12, 2012 1 Introduction In 3] it is conjectured that every bounded real polynomial has a highly influential variable The conjecture is known

More information

Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Notes on Factoring. MA 206 Kurt Bryan

Notes on Factoring. MA 206 Kurt Bryan The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

More information

Practical Cryptanalysis of SFLASH

Practical Cryptanalysis of SFLASH Practical Cryptanalysis of SFLASH Vivien Dubois 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Jacques Stern 1 1 École normale supérieure Département d Informatique 45, rue d Ulm 75230 Paris cedex 05, France

More information

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

More information

Quantum Computers vs. Computers Security. @veorq http://aumasson.jp

Quantum Computers vs. Computers Security. @veorq http://aumasson.jp Quantum Computers vs. Computers Security @veorq http://aumasson.jp Schrodinger equation Entanglement Bell states EPR pairs Wave functions Uncertainty principle Tensor products Unitary matrices Hilbert

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

More information

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Associate Prof. Dr. Victor Onomza Waziri

Associate Prof. Dr. Victor Onomza Waziri BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

More information

Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh

Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh Peter Richtárik Week 3 Randomized Coordinate Descent With Arbitrary Sampling January 27, 2016 1 / 30 The Problem

More information

Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs

Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs Vadim Lyubashevsky 1 and Daniel Masny 2, 1 INRIA / École Normale Supérieure, Paris lyubash@di.ens.fr 2 Ruhr-Universitat Bochum daniel.masny@ruhr-uni-bochum.de

More information

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Yury Lifshits July 10, 2005 Abstract The goal of the paper is to construct mathematical abstractions of different aspects of real

More information

Masao KASAHARA. Public Key Cryptosystem, Error-Correcting Code, Reed-Solomon code, CBPKC, McEliece PKC.

Masao KASAHARA. Public Key Cryptosystem, Error-Correcting Code, Reed-Solomon code, CBPKC, McEliece PKC. A New Class of Public Key Cryptosystems Constructed Based on Reed-Solomon Codes, K(XII)SEPKC. Along with a presentation of K(XII)SEPKC over the extension field F 2 8 extensively used for present day various

More information

One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

More information

Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8. Digital signatures, hash functions Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

More information

Enhancing privacy with quantum networks

Enhancing privacy with quantum networks Enhancing privacy with quantum networks P. Mateus N. Paunković J. Rodrigues A. Souto SQIG- Instituto de Telecomunicações and DM - Instituto Superior Técnico - Universidade de Lisboa Abstract Using quantum

More information

A FULLY HOMOMORPHIC ENCRYPTION SCHEME

A FULLY HOMOMORPHIC ENCRYPTION SCHEME A FULLY HOMOMORPHIC ENCRYPTION SCHEME A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

A Brief Introduction to Property Testing

A Brief Introduction to Property Testing A Brief Introduction to Property Testing Oded Goldreich Abstract. This short article provides a brief description of the main issues that underly the study of property testing. It is meant to serve as

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Primality Testing and Factorization Methods

Primality Testing and Factorization Methods Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

Lecture 13: Factoring Integers

Lecture 13: Factoring Integers CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

More information

A Proposal for Authenticated Key Recovery System 1

A Proposal for Authenticated Key Recovery System 1 A Proposal for Authenticated Key Recovery System 1 Tsuyoshi Nishioka a, Kanta Matsuura a, Yuliang Zheng b,c, and Hideki Imai b a Information & Communication Business Div. ADVANCE Co., Ltd. 5-7 Nihombashi

More information