Ideal Lattices and Ring-LWE: Overview and Open Problems: Chris Peikert

Ideal Lattices and Ring-LWE:
Overview and Open Problems
Chris Peikert
Georgia Institute of Technology
ICERM
23 April 2015
1 / 16
Agenda
1 Ring-LWE and its hardness from ideal lattices
2 Open questions
Selected bibliography:
LPR’10 V. Lyubashevsky, C. Peikert, O. Regev.
“On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10
and JACM’13.
LPR’13 V. Lyubashevsky, C. Peikert, O. Regev.
“A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13.
2 / 16
A Brief, Selective History of Lattice Cryptography
1996 Ajtai’s worst-case/average-case reduction, one-way function
& public-key encryption (very inefficient)
3 / 16
1996 NTRU efficient ring-based encryption (heuristic security)
3 / 16
2002 Micciancio’s ring-based one-way function

with worst-case hardness (no encryption)
3 / 16

2005 Regev’s LWE: encryption with worst-case hardness

(inefficient)
3 / 16


(inefficient)
2008– Countless applications of LWE (still inefficient)
3 / 16


(inefficient)
2008– Countless applications of LWE (still inefficient)
2010 Ring-LWE: efficient encryption, worst-case hardness ()
3 / 16
Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n).
4 / 16

I Search: find secret s ∈ Znq given many ‘noisy inner products’
a1 ← Znq , b1 ≈ ha1 , si mod q

a2 ← Znq , b2 ≈ ha2 , si mod q
..
.
4 / 16

a1 ← Znq , b1 = ha1 , si + e1 ∈ Zq
a2 ← Znq , b2 = ha2 , si + e2 ∈ Zq
..
. √
n ≤ error q
4 / 16

.. ..
   
 .  .
 A  , b = As + e
.. ..
   
. . √
n ≤ error q
4 / 16

.. ..
   
 .  .
 A  , b = As + e
.. ..
   
. . √
n ≤ error q
I Decision: distinguish (A , b) from uniform (A , b)
4 / 16

.. ..
   
 .  .
 A  , b = As + e
.. ..
   
. . √
n ≤ error q
LWE is Hard (. . . maybe even for quantum!)
worst case
≤ search-LWE ≤ decision-LWE ≤ crypto
lattice problems
(quantum [R’05]) [BFKL’93,R’05,. . . ]
4 / 16

.. ..
   
 .  .
 A  , b = As + e
.. ..
   
. . √
n ≤ error q
LWE is Hard (. . . maybe even for quantum!)
worst case
≤ search-LWE ≤ decision-LWE ≤ crypto
lattice problems
(quantum [R’05]) [BFKL’93,R’05,. . . ]
I Also a classical reduction for search-LWE [P’09,BLPRS’13]

4 / 16
LWE is Versatile
What kinds of crypto can we do with LWE?
5 / 16
LWE is Versatile
Public Key Encryption and Oblivious Transfer [R’05,PVW’08]
Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12]
5 / 16
LWE is Versatile
Identity-Based Encryption (in RO model) [GPV’08]

Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
5 / 16
LWE is Versatile
Identity-Based Encryption (in RO model) [GPV’08]

Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10]
Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ]

Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ]
Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ]
Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ]
Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ]
the list goes on. . .

5 / 16
LWE is (Sort Of) Efficient
I Getting one pseudorandom
scalar requires an n-dim inner
..
 
product mod q
.
· · · ai · · · s + e = b ∈ Zq

..
.
6 / 16
..
 
product mod q
.
· · · ai · · · s + e = b ∈ Zq

I Can amortize each ai over many
..
. secrets sj , but still Õ(n) work
per scalar output.
6 / 16
..
 
product mod q
.
· · · ai · · · s + e = b ∈ Zq

..
per scalar output.
I Cryptosystems have rather large keys:
 
.. .. 
 
 .   . 

pk =  A  , b Ω(n)
.. .. 
   
. . 
| {z }
n
6 / 16
..
 
product mod q
.
· · · ai · · · s + e = b ∈ Zq

..
per scalar output.
I Cryptosystems have rather large keys:
 
.. .. 
 
 .   . 

pk =  A  , b Ω(n)
.. .. 
   
. . 
| {z }
n
I Can fix A for all users, but still ≥ n2 work to encrypt & decrypt an
n-bit message
6 / 16
Wishful Thinking. . .
.. .. .. ..
       
I Get n pseudorandom scalars
 .  .  .  . from just one (cheap)
ai ?s+ei  = bi  ∈ Znq
.. ..
     
..
 
.. product operation?
. . . .
7 / 16
.. .. .. ..
       
ai ?s+ei  = bi  ∈ Znq
.. ..
     
..
 
. . . .
Question
I How to define the product ‘?’ so that (ai , bi ) is pseudorandom?
7 / 16
.. .. .. ..
       
ai ?s+ei  = bi  ∈ Znq
.. ..
     
..
 
. . . .
Question
I Careful! With small error, coordinate-wise multiplication is insecure!
7 / 16
.. .. .. ..
       
ai ?s+ei  = bi  ∈ Znq
.. ..
     
..
 
. . . .
Question
Answer
I ‘?’ = multiplication in a polynomial ring: e.g., Zq [X]/(X n + 1).
Fast and practical with FFT: n log n operations mod q.
7 / 16
.. .. .. ..
       
ai ?s+ei  = bi  ∈ Znq
.. ..
     
..
 
. . . .
Question
Answer
I ‘?’ = multiplication in a polynomial ring: e.g., Zq [X]/(X n + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
& in compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
7 / 16
LWE Over Rings, Over Simplified
I Let R = Z[X]/(X n + 1) for n a power of two, and Rq = R/qR
8 / 16
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
8 / 16
I Search: find secret ring element s(X) ∈ Rq , given:
a1 ← Rq , b1 = a1 · s + e1 ∈ Rq
a2 ← Rq , b2 = a2 · s + e2 ∈ Rq
a3 ← Rq , b3 = a3 · s + e3 ∈ Rq (ei ∈ R are ‘small’)
..
.
8 / 16
a1 ← Rq , b1 = a1 · s + e1 ∈ Rq
a2 ← Rq , b2 = a2 · s + e2 ∈ Rq
..
.
Note: (ai , bi ) are uniformly random subject to bi − ai · s ≈ 0
8 / 16
a1 ← Rq , b1 = a1 · s + e1 ∈ Rq
a2 ← Rq , b2 = a2 · s + e2 ∈ Rq
..
.
Note: (ai , bi ) are uniformly random subject to bi − ai · s ≈ 0

I Decision: distinguish (ai , bi ) from uniform (ai , bi ) ∈ Rq × Rq
(with noticeable advantage)
8 / 16
Hardness of Ring-LWE
I Two main theorems (reductions):
worst-case approx-SVP
≤ search R-LWE ≤ decision R-LWE
on ideal lattices in R
(quantum, (classical,
any R = OK ) any cyclotomic R)
9 / 16
1 If you can find s given (ai , bi ), then you can find approximately
shortest vectors in any ideal lattice in R (using a quantum algorithm).
9 / 16
2 If you can distinguish (ai , bi ) from (ai , bi ), then you can find s.
9 / 16
I Then:
decision R-LWE ≤ lots of crypto
9 / 16
I Then:
decision R-LWE ≤ lots of crypto
F If you can break the crypto, then you can distinguish (ai , bi ) from
(ai , bi ). . .
9 / 16
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n. (Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
10 / 16
Ideal Lattices
To get ideal lattices, embed R and its ideals into Rn . How?
10 / 16
Ideal Lattices

1 ‘Obvious’ answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn
10 / 16
Ideal Lattices

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn
+ is coordinate-wise, but analyzing · is cumbersome.
10 / 16
Ideal Lattices
To get ideal lattices, embed R and its ideals into Cn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn
2 [Minkowski]: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots

of X n + 1 are ω 1 , ω 3 , . . . , ω 2n−1 . Embed:
a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
10 / 16
Ideal Lattices
To get ideal lattices, embed R and its ideals into Cn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
Both + and · are coordinate-wise.
10 / 16
Ideal Lattices

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
Both + and · are coordinate-wise.

(NB: LWE error distribution is Gaussian in canonical embedding.)
10 / 16
Ideal Lattices
I Say R = Z[X]/(X 2 + 1). Embeddings map X 7→ ±i.
σ(X) = (i, −i) σ(1) = (1, 1)

Ideal Lattices
I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2)
σ(−3X + 1)
11 / 16
Ideal Lattices
I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2)
σ(−3X + 1)
(Approximate) Shortest Vector Problem

I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R,
find a nearly shortest nonzero a ∈ I.
11 / 16
Hardness of Search Ring-LWE
Theorem 1
For any large enough q, solving search R-LWE
is as hard as quantumly solving poly(n)-approx SVP
in any (worst-case) ideal lattice in R = OK .
12 / 16
Theorem 1
I Proof follows the template of [Regev’05] for LWE & arbitrary lattices.
Quantum component used as ‘black-box;’ only classical part needs
adaptation to the ring setting.
12 / 16
Theorem 1
I Proof follows the template of [Regev’05] for LWE & arbitrary lattices.
Quantum component used as ‘black-box;’ only classical part needs
adaptation to the ring setting.
I Main technique: ‘clearing ideals’ while preserving R-module structure:
I/qI 7→ R/qR,
∨ ∨
I /qI 7→ R∨ /qR∨ .
Uses Chinese remainder theorem and theory of duality for ideals.

12 / 16
Hardness of Decision Ring-LWE
Theorem 2
Solving decision R-LWE in any cyclotomic R = Z[ζm ] ∼
= Z[X]/Φm (X)
(for any poly(n)-bounded prime q = 1 mod m)
is as hard as solving search R-LWE.
13 / 16
Theorem 2
= Z[X]/Φm (X)
Facts Used in the Proof

I Z∗q has order q − 1 = 0 mod m, so has an element ω of order m.
13 / 16
Theorem 2
= Z[X]/Φm (X)

I Modulo q, Φm (X) has n = ϕ(m) roots ω j , for j ∈ Z∗m .
13 / 16
Theorem 2
= Z[X]/Φm (X)

I Modulo q, Φm (X) has n = ϕ(m) roots ω j , for j ∈ Z∗m .
I So there is a ring isomorphism Rq ∼
= Znq given by
a(ω j ) ∈ Znq .

a(X) ∈ Rq 7→ j∈Z∗m
13 / 16
Theorem 2
Solving decision Ring-LWE in Rq = Zq [X]/Φm (X)
is as hard as solving search Ring-LWE.
Proof Sketch
Given: O distinguishes samples (a , b ≈ a · s) from uniform (a , b).
Goal: Find s ∈ Rq , given samples (a , b ≈ a · s).
14 / 16
Theorem 2
Proof Sketch
1 Equivalent to finding s(ω j ) ∈ Zq for all j ∈ Z∗m .
14 / 16
Theorem 2
Proof Sketch
2 Hybrid argument: randomize one b(ω j ) ∈ Zq ; or two; or three; or . . .
∗
Then O must distinguish relative to some ω j .
14 / 16
Theorem 2
Proof Sketch
∗
∗
3 Using O, guess-and-check to find s(ω j ) ∈ Zq .
14 / 16
Theorem 2
Proof Sketch
∗
∗
4 How to find other s(ω j )? Couldn’t O be useless at other roots?
14 / 16
Theorem 2
Proof Sketch
∗
∗
ω 7→ ω k (k ∈ Z∗m ) permutes roots of Φm (X), and preserves error.
14 / 16
Theorem 2
Proof Sketch
∗
∗
ω 7→ ω k (k ∈ Z∗m ) permutes roots of Φm (X), and preserves error.
∗
So send each ω j to ω j , and use O to find s(ω j ).
14 / 16
Open Problems: Reductions
1 Search-R-LWE is quantumly at least as hard as approx-R-SVP.
Is there a classical reduction?
15 / 16
F [P’09] reduces GapSVP (i.e., estimate λ1 (L)) on general lattices to
plain-LWE, classically.
15 / 16
F But estimating λ1 (L) is trivially easy on ideal lattices!
Finding short vectors is what appears hard.
15 / 16
2 Search- and decision-R-LWE are equivalent in cyclotomic R.

Does this hold in other kinds of rings?
15 / 16

F Yes, for any Galois number field (identical proof).
15 / 16

F Probably not, for carefully constructed rings S, moduli q, and errors!
Decision-S-LWE easily broken, but search unaffected. [EHL’14,ELOS’15]
Update 8/2016: both search and decision are broken [CIV’16,P’16]
15 / 16

F Probably not, for carefully constructed rings S, moduli q, and errors!
Decision-S-LWE easily broken, but search unaffected. [EHL’14,ELOS’15]
Update 8/2016: both search and decision are broken [CIV’16,P’16]
“cyclotomic fields, used for Ring-LWE, are uniquely protected against
the attacks presented in this paper”
15 / 16
Open Problems: Attacks
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
16 / 16
F R-LWE samples (ai , bi )i=1,...,` don’t readily translate to ideals in R.
16 / 16
F They do yield a BDD instance on an R-module lattice:
L = (vi ) : vi = ai · z (mod qR) ⊆ R`

16 / 16
L = (vi ) : vi = ai · z (mod qR) ⊆ R`

2 How hard/easy is approx-R-SVP, anyway? (In cyclotomics etc.)
16 / 16
L = (vi ) : vi = ai · z (mod qR) ⊆ R`


F Despite abundant ring structure (e.g., subfields, Galois), no substantial
improvement over attacks on general lattices.
16 / 16
L = (vi ) : vi = ai · z (mod qR) ⊆ R`


F Next up: attacks on a specialized variant: given a principal ideal I
guaranteed to have an “unusually short” generator, find it.
16 / 16
L = (vi ) : vi = ai · z (mod qR) ⊆ R`


F Next up: attacks on a specialized variant: given a principal ideal I
guaranteed to have an “unusually short” generator, find it.
F These conditions are extremely rare for general ideals, so (worst-case)
approx-R-SVP is unaffected.
16 / 16

Ideal Lattices and Ring-LWE: Overview and Open Problems: Chris Peikert

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ideal Lattices and Ring-LWE: Overview and Open Problems: Chris Peikert

Uploaded by

Copyright:

Available Formats

Ideal Lattices and Ring-LWE:

Overview and Open Problems

1996 NTRU efficient ring-based encryption (heuristic security)

1996 NTRU efficient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function

1996 NTRU efficient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function

2005 Regev’s LWE: encryption with worst-case hardness

1996 NTRU efficient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function

2005 Regev’s LWE: encryption with worst-case hardness

2008– Countless applications of LWE (still inefficient)

1996 NTRU efficient ring-based encryption (heuristic security)

2002 Micciancio’s ring-based one-way function

2005 Regev’s LWE: encryption with worst-case hardness

2008– Countless applications of LWE (still inefficient)

2010 Ring-LWE: efficient encryption, worst-case hardness ()

I Parameters: dimension n, modulus q = poly(n).

I Parameters: dimension n, modulus q = poly(n).

a1 ← Znq , b1 ≈ ha1 , si mod q

I Parameters: dimension n, modulus q = poly(n).

I Parameters: dimension n, modulus q = poly(n).

I Parameters: dimension n, modulus q = poly(n).

I Decision: distinguish (A , b) from uniform (A , b)

I Parameters: dimension n, modulus q = poly(n).

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!)

I Parameters: dimension n, modulus q = poly(n).

I Decision: distinguish (A , b) from uniform (A , b)

LWE is Hard (. . . maybe even for quantum!)

I Also a classical reduction for search-LWE [P’09,BLPRS’13]

Identity-Based Encryption (in RO model) [GPV’08]

Identity-Based Encryption (in RO model) [GPV’08]

Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ]

the list goes on. . .

Note: (ai , bi ) are uniformly random subject to bi − ai · s ≈ 0

Note: (ai , bi ) are uniformly random subject to bi − ai · s ≈ 0

decision R-LWE ≤ lots of crypto

decision R-LWE ≤ lots of crypto

To get ideal lattices, embed R and its ideals into Rn . How?

To get ideal lattices, embed R and its ideals into Rn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

To get ideal lattices, embed R and its ideals into Rn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

+ is coordinate-wise, but analyzing · is cumbersome.

To get ideal lattices, embed R and its ideals into Cn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

+ is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots

a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn

To get ideal lattices, embed R and its ideals into Cn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

+ is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots

a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn

Both + and · are coordinate-wise.

To get ideal lattices, embed R and its ideals into Rn . How?

a0 + a1 X + · · · + an−1 X n−1 ∈ R 7→ (a0 , . . . , an−1 ) ∈ Zn

+ is coordinate-wise, but analyzing · is cumbersome.

2 [Minkowski]: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots

a(X) ∈ R 7→ (a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn

Both + and · are coordinate-wise.