An Introduction to

the Learning with Errors Problem

in 3 Hours
賴奕甫
Peter W. Shor

There are polynomial-time

quantum algorithms that can solve
• Factorization Problem
• Discrete Logarithm Problem
(over ℤ𝑝 )
About ECC
There is also a quantum
algorithm that can solve
• Discrete Logarithm Problem
over Elliptic Curves
 ;(
If there was a practical quantum computer, then it was able to
break
• RSA encryption, signature scheme
• Diffie-Hellman Key Exchange, Elgamal, DSA
• Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve DSA (ECDSA)
• …etc

No more forward secrecy.

Post-Quantum Cryptography
• Lattice-based cryptography
• Post-quantum cryptography
is a branch of cryptography • Multivariate cryptography

that considers cryptographic • Hash-based cryptography

algorithms which is still • Code-based cryptography

secure against quantum • Supersingular elliptic curve

isogeny cryptography
attack.
LWE Problem
• The learning with errors problem (LWE) is included in the lattice-
based cryptography.
• The LWE problem is versatile (it can be used to construct a
variety of cryptographic algorithms). For example,
A Simple Introduction to the Lattice
• This is a lattice in ℝ2 .

It can be written as…

• 𝑥, 𝑦 |𝑥, 𝑦 ∈ ℤ

Also written as…

1 0
• ℤ+ ℤ
0 1
1 0
• ℤ+ ℤ
1 1
1 1
• ℤ+ ℤ
0 1
• ...
A Lattice
A Simple Introduction to the Lattice

• Definition 1. For a linear independent set 𝐵 = 𝑢1 , … , 𝑢𝑘 ⊂ ℝ𝑛 , a

lattice 𝐿 generated by 𝐵 in ℝ𝑛 is defined to be
𝐿= ℤ𝑢𝑖 .

(If 𝑘 = 𝑛, then the lattice is said to be a full-rank lattice.)

There is an equivalent definition for the lattice in ℝ𝑛 --

A Simple Introduction to the Lattice

• Definition 2. A set 𝐿 ⊂ ℝ𝑛 is said to be a discrete additive subgroup

if it satisfies the following two conditions:
1. It is closed under addition and substraction. (additive subgroup)

2. There is a constant 𝜖 > 0 such that for any 𝑣 ∈ 𝐿

𝐿 ∩ 𝑤 ∈ ℝ𝑛 : 𝑣 − 𝑤 = 𝑣 . (discrete)

• Theorem. In ℝ𝑛 , a subset of ℝ𝑛 is a lattice if and only if it is a discrete

additive subgroup.

(see p.25 in Algebraic Number Theory by Neukirch )

Mythology in Lattice-Based Cryptography
• Given a linear independent generating set of a lattice 𝐿 in ℝ𝑛 .
• 𝐶𝑙𝑜𝑠𝑒𝑠𝑡 𝑣𝑒𝑐𝑡𝑜𝑟 𝑝𝑟𝑜𝑏𝑙𝑒𝑚 (CVP):
Given: a vector 𝑤 in ℝ𝑛 .
Request: Find 𝑣 ∈ 𝐿 such that
𝑤 − 𝑣 = min 𝑤 − 𝑢
𝑢∈𝐿

• 𝑆ℎ𝑜𝑟𝑒𝑠𝑡 𝑣𝑒𝑐𝑡𝑜𝑟 𝑝𝑟𝑜𝑏𝑙𝑒𝑚 (SVP):

Request: Find a nonzero vector 𝑣 ∈ 𝐿 such that

𝑣 = min 𝑢
𝑢∈𝐿− 0

Hardness:
CVP≥SVP (sketch)
• Given a lattice 𝐿 generated by a independent set 𝑏1 , … , 𝑏𝑛 .
• Write the shortest nonzero lattice point 𝑣 = 𝑎𝑖 𝑏𝑖 .
(Note that 𝑎𝑖 ∈ ℤ can not be all even.)

• For each 𝑖, feed the CVP oracle with 𝐿′𝑖 , 𝑏𝑖 where lattice 𝐿′𝑖 is
generated by {𝑏1 , … , 𝑏𝑖−1 , 2𝑏𝑖 , 𝑏𝑖+1 , 𝑏𝑛 }
• And the output is 𝑣𝑖

• Then 𝑣𝑗 − 𝑏𝑗 is the shortest nonzero vector for some 𝑗.

(Why?)
Linear Equations
• There is a secret vector 𝒔 = 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 𝑇 4
∈ ℤ13

• Given
1𝑠1 + 2𝑠2 + 5𝑠3 + 2𝑠4 = 9 𝑚𝑜𝑑 13
12𝑠1 + 1𝑠2 + 1𝑠3 + 6𝑠4 = 7 𝑚𝑜𝑑 13
6𝑠1 + 10𝑠2 + 3𝑠3 + 6𝑠4 = 1 𝑚𝑜𝑑 13
10𝑠1 + 4𝑠2 + 12𝑠3 + 8𝑠4 = 0 𝑚𝑜𝑑 13 .
• Solve for 𝒔
The Learning with Errors Problem (Search)
• There is a secret vector 𝒔 = 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 𝑇 4
∈ ℤ13
• Given
5𝑠1 + 5𝑠2 + −3 𝑠3 + 7𝑠4 ≈ 6 𝑚𝑜𝑑 13
−1𝑠1 + 1𝑠2 + 2𝑠3 + −5 𝑠4 ≈ −4 𝑚𝑜𝑑 13
−3 𝑠1 + 3𝑠2 + 7𝑠3 + 4𝑠4 ≈ 2 𝑚𝑜𝑑 13
5𝑠1 + 4𝑠2 + −1 𝑠3 + 2𝑠4 ≈ −5 𝑚𝑜𝑑 13
−4 𝑠1 + 6𝑠2 + 3𝑠3 + −2 𝑠4 ≈ 5 𝑚𝑜𝑑 13
−2 𝑠1 + 3𝑠2 + 1𝑠3 + 6𝑠4 ≈ −3 𝑚𝑜𝑑 13 .
• There is an odds of ½ for each equation that is added by 1.
• Solve for 𝒔
LWE distribution

• (Definition)

1. For a secret vector 𝒔 ∈ ℤ𝑛𝑞 and distribution 𝜒, an LWE

distribution 𝒜𝒔,𝑛,𝑞,𝜒 generates a sample 𝒂, 𝑏 ∈ ℤ𝑛𝑞 ×
ℤ𝑞 or (𝐴, 𝒃) ∈ ℤ𝑚×𝑛
𝑞 𝑞 where 𝒂 sampled uniformly from
× ℤ𝑚
ℤ𝑛𝑞 and 𝑏 = 𝒂, 𝒔 + 𝑒 where 𝑒 ← 𝜒.
 𝒂𝟏
𝒂𝟐
LWE Problem (Search) 𝒂𝟑
× 𝒔
+ 𝒆
𝒃 =
⋮

• (Definition)

2. LWE problem (Search):

• Secret 𝒔 ∈ ℤ𝒏𝒒 . Given 𝑝𝑜𝑙𝑦 𝑛 LWE samples 𝐴, 𝒃 from 𝒜𝒔,𝑛,𝑞,𝜒 .
• Find 𝒔.
 LWE Problem (Search)
Dimension 𝑛
Modulus 𝑞
Error distribution 𝜒

Adversary Challenger

𝐴, 𝒃

Output: 𝒔 ∈ ℤ𝒏𝒒 Secret 𝒔 ∈ ℤ𝒏𝒒

Generate :
𝑝𝑜𝑙𝑦 𝑛 LWE samples
𝐴, 𝒃 from 𝒜𝒔,𝑛,𝑞,𝜒
LWE Problem (Decisional)

• (Definition)

3. Decisional LWE problem:

$
• 𝒔 ← ℤ𝒏𝒒 . Given 𝑝𝑜𝑙𝑦(𝑛) samples (𝐴, 𝒃) which are either from 𝒜𝒔,𝑛,𝑞,𝜒

or generated uniformly over ℤ𝑚×𝑛

𝑞 𝑞 (with fair probabilities)
× ℤ𝑚
• Determine which is the case in non-negligible advantage.
 LWE Problem (Decisional)
Dimension 𝑛
Modulus 𝑞
Error distribution 𝜒
Adversary Challenger

𝐴, 𝒃

$
𝒔 ← ℤ𝒏𝒒
Output: {“LWE”, ”uniform at random”}
Generate :
𝑝𝑜𝑙𝑦 𝑛 LWE samples 𝐴, 𝒃
either from 𝒜𝒔,𝑛,𝑞,𝜒 or
uniformly at random over
ℤ𝑚×𝑛
𝑞 × ℤ𝑚
𝑞
For example
• Dimension 𝑛 = 4
• Modulus 𝑞 = 13
• Error distribution 𝜒. (±1 ← 𝜒 with prob ¼, 0 ← 𝜒 with ½ )

Given
0 6 0 −2 5 1
−6 6 0 −2 4 7
−5 6 6 3 −3 , 4
4 3 −2 1 1 9
−5−3−5−4−1 0
Q: LWE distribution or uniform distribution?
Remark.
• The distribution 𝜒 is called the “error distribution”. 𝜒 is
typically chosen to be a discrete Gaussian (normal) distribution
with small standard deviation.
• The hardness varies with the S.D. of 𝜒

• Oded Regev shows that 𝐿𝑊𝐸 ≥ 𝑎𝑝𝑝𝑟𝑜𝑥−𝑆(𝐼)𝑉𝑃 &

𝑎𝑝𝑝𝑟𝑜𝑥−GapSVP with a quantum reduction.
• Specifically, with 𝑑𝑖𝑚𝑒𝑛𝑠𝑖𝑜𝑛 𝑛, modulus 𝑞 = 𝑝𝑜𝑙𝑦 𝑛 , and error
distribution (discrete Gaussian distribution) 𝜒 of standard
deviation 𝛼𝑞,
𝐿𝑊𝐸𝑛,𝑞,𝜒 ≥ ( 𝑛/ 𝛼)−𝑆(𝐼)𝑉𝑃.
Little Knowledge:
How to check candidate 𝒔 ?

• Given 𝑝𝑜𝑙𝑦(𝑛) LWE samples (𝐴, 𝒃 = 𝐴𝒔 + 𝒆) ∈ ℤ𝑚×𝑛

𝑞 𝑞 for some
× ℤ𝑚
fixed secret 𝒔 ∈ ℤ𝑛𝑞 .

• Assume you find an algorithm that can generate a small set of

candidate answers. How can you check which one may be the
correct one?
A Little Question

For any 𝑐 ∈ ℤ𝑞 . 𝜒 is some distribution over ℤ𝑞 .

Pr 𝑎 + 𝑏 = 𝑐 =? (𝑎 and b are generated independently)

$
b←ℤ𝑞
𝑎←𝜒
If the modulus 𝑞 is 𝑝𝑜𝑙𝑦 𝑛 -bounded,
then DLWE=SLWE problem
“≤”
• Given 𝑝𝑜𝑙𝑦(𝑛) samples either from a LWE distribution 𝒜𝒔,𝑛,𝑞,𝜒 for some
unknown 𝒔 ∈ ℤ𝑛𝑞 or generated uniformly over ℤ𝑚×𝑛
𝑞 𝑞 .
× ℤ𝑚
• Take some of them to the oracle of SLWE problem to find 𝒔 ∈ ℤ𝑛𝑞 .
• Then ?

“≥”
• Given 𝑝𝑜𝑙𝑦(𝑛) samples a LWE distribution 𝒜𝒔,𝑛,𝑞,𝜒 for some unknown 𝒔 ∈ ℤ𝑛𝑞 .
Claim we can solve it with a DLWE oracle.
If the modulus 𝑞 is 𝑝𝑜𝑙𝑦 𝑛 -bounded,
then DLWE=SLWE problem
“≥”
• Given 𝑝𝑜𝑙𝑦(𝑛) samples 𝒂𝒊 , 𝑏𝑖 from a LWE distribution 𝒜𝒔,𝑛,𝑞,𝜒 for some
unknown 𝒔 = 𝑠1 , … , 𝑠𝑛 𝑇
∈ ℤ𝑛𝑞 . Claim we can solve for 𝑠1 with a DLWE oracle.

1. Choose guessing 𝑘 ∈ ℤ𝑞 .
2. Define a transformation 𝜙𝑘 : ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞 by
𝒂 + 𝑟 ′ , 𝑏 + 𝑘 ∙ 𝑟 ← 𝜙𝑘 𝒂, 𝑏 ,
where 𝑟 ∈ ℤ𝑞 is generated uniformly at random and 𝑟 ′ = 𝑟, 0, … , 0 𝑇
∈ ℤ𝑛𝑞 .

<Uniformly random>:
⇒?
If the modulus 𝑞 is 𝑝𝑜𝑙𝑦 𝑛 -bounded,
then DLWE=SLWE problem
“≥”
• Define a transformation 𝜙𝑘 : ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞 by
𝒂 + 𝑟 ′ , 𝑏 + 𝑘 ∙ 𝑟 ← 𝜙𝑘 𝒂, 𝑏 ,
where 𝑟 ∈ ℤ𝑞 is generated uniformly at random and 𝑟 ′ = 𝑟, 0, … , 0 𝑇
∈ ℤ𝑛𝑞 .

<LWE samples>: 𝒂𝒊 , 𝑏𝑖 = 𝒂𝒊 , 𝒂𝒊 , 𝒔 + 𝑒𝑖

𝒂𝒊 + 𝑟 ′ , 𝑏𝑖 + 𝑘 ∙ 𝑟 = 𝒂𝒊 + 𝒓′ , 𝒂𝒊 + 𝒓′ , 𝑠 + 𝑒𝑖 + 𝑟 ∙ 𝑘 − 𝑠1
If 𝑘 = 𝑠1 , ⇒?

If 𝑘 ≠ 𝑠1 , ⇒?
 Short Secret DLWE Problem:
Dimension 𝑛
Modulus 𝑞
Error distribution 𝜒

Adversary Challenger

𝐴, 𝒃

Output: {“LWE”, ”uniform at random”} 𝒔 ← 𝝌𝒏

Generate :
𝑝𝑜𝑙𝑦 𝑛 LWE samples 𝐴, 𝒃
either from 𝒜𝒔,𝑛,𝑞,𝜒 or
uniformly at random over
ℤ𝑚×𝑛
𝑞 × ℤ𝑚𝑞
Lemma:
Short Secret DLWE Problem≥DLWE problem
• Given access to the short secret LWE problem.

$
• Given LWE instances (𝐴 ∈ ℤ𝑛×𝑛
𝑞 , 𝒃 = 𝐴𝑇 𝑠 + 𝒆𝒔 ) where 𝐴 ← ℤ𝑛×𝑛
𝑞 ,
$
unknown 𝑠 ← ℤ𝑛𝑞 and 𝑒𝑠 generated from 𝜒. (DLWE problem setting)
• Say 𝐴 is invertible.
• Consider a transformation 𝜙: ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞
𝜙 𝒂′ , 𝑏′ = −𝐴−1 𝒂′ , 𝑏′ + −𝐴−1 𝒂′ , 𝑏
• Given a LWE instance (𝒂′ ∈ ℤ𝑛𝑞 , 𝑏′ = 𝒂′ , 𝑠 + 𝑒 ′ )
• Compute:𝜙 𝒂′ , 𝑏′
= −𝐴−1 𝒂′ , −𝐴−1 𝒂′ , 𝑒𝑠 + 𝑒′
⇒?
 A Taste of
Passive Security Proof with DLWE problem
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 ; 𝒆𝒂 ← 𝜒 𝑛
𝑛

𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞

𝐴, 𝒃 ∈ ℤ𝑛×𝑛
𝑞 × ℤ𝑛𝑞

𝒃′ , 𝑐 ∈ ℤ𝑛𝑞 × ℤ𝑞

𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
Decrypt:
𝑞 𝑒𝐵 ′ ← 𝜒
𝑐 − 𝒃′ 𝒔𝒂 = 𝑒𝑏′ − 𝒆𝑻𝑩 𝑠𝑎 ≈ 𝑚 ∙ 𝑚𝑜𝑑 𝑞
2 𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
 Game0 (original protocol)
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 𝑛 ; 𝒆𝒂 ← 𝜒 𝑛
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞

𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
Decrypt:
𝑒𝐵 ′ ← 𝜒
𝑐 − 𝒃′ 𝒔𝒂 = 𝑒𝐵′ − 𝒆𝑻𝑩 𝑠𝑎
𝑞 𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
≈ 𝑚 ∙ 2 𝑚𝑜𝑑 𝑞 𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
 Game1
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞

𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
𝑒𝐵 ′ ← 𝜒
𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
 Game2
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞

𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 ← 𝜒 𝑛
𝑒𝐵 ′ ← 𝜒
$
𝒃′ ← ℤ𝑛𝑞 𝑞
𝑻 ′
𝑐 = 𝒔𝑩 𝒃 + 𝑒𝐵 + 𝑚 ∙
2
 Game3
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞

𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚

$
𝑚 ← 0,1
$
𝒃′ ← ℤ𝑛𝑞
$
𝑐 ← ℤ𝑞
Public Key Cryptosystems
Based on the LWE Problem
or Related Problems
Contents
• Review
• Diffie-Hellman Like Key Exchange
• Peikert’s Method
• RLWE in Brief
• NewHope
 Review Lattice-based
cryptography

Multivariate
cryptography
Shor
Post-Quantum
Algorithm
Cryptography Code-based
etc. cryptography
Break
(quantum)
Hash-based
Integer cryptography
Factoring
Problem
Supersingular
Diffie-Hellman elliptic curve
Problem isogeny
(over ℤ𝑞 or elliptic curves)
cryptography
 Review Lattice-based CVP
cryptography SVP

Multivariate
cryptography LWE

Post-Quantum
Cryptography Code-based
cryptography

Hash-based
cryptography

Supersingular
elliptic curve
isogeny
cryptography
Lattices in
Cryptography

• Definition 1. For a linear independent set 𝐵 = 𝑢1 , … , 𝑢𝑘 ⊂ ℝ𝑛 , a lattice 𝐿

generated by 𝐵 in ℝ𝑛 is defined to be
𝐿= ℤ𝑢𝑖 .

• Given a generating set of a lattice 𝐿 in ℝ𝑛 .

• 𝑪𝒍𝒐𝒔𝒆𝒔𝒕 𝒗𝒆𝒄𝒕𝒐𝒓 𝒑𝒓𝒐𝒃𝒍𝒆𝒎 (CVP):
Given: and a vector 𝑤 in ℝ𝑛
Request: Find 𝑣 ∈ 𝐿 such that
𝑤 − 𝑣 = min 𝑤 − 𝑢
𝑢∈𝐿

• 𝑺𝒉𝒐𝒓𝒆𝒔𝒕 𝒗𝒆𝒄𝒕𝒐𝒓 𝒑𝒓𝒐𝒃𝒍𝒆𝒎 (SVP):

Request: Find a nonzero vector 𝑣 ∈ 𝐿 such that

𝑣 = min 𝑢
𝑢∈𝐿− 0
Hardness
• Oded Regev shows that 𝐿𝑊𝐸 ≥ 𝑎𝑝𝑝𝑟𝑜𝑥−𝑆(𝐼)𝑉𝑃 &
𝑎𝑝𝑝𝑟𝑜𝑥−GapSVP with a quantum reduction. There is also a
classical one in a bit more wider condition provided by Chris
Peikert.
• Specifically, with 𝑑𝑖𝑚𝑒𝑛𝑠𝑖𝑜𝑛 𝑛, modulus 𝑞 = 𝑝𝑜𝑙𝑦 𝑛 , and error
distribution (discrete normal/Gaussian distribution) 𝜒 of
standard deviation 𝛼𝑞,
𝐿𝑊𝐸𝑛,𝑞,𝜒 ≥ ( 𝑛/ 𝛼)−𝑆(𝐼)𝑉𝑃.
 Diffie-Hellman Like Structure [DXL12]
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 ; 𝒆𝒂 ← 𝜒 𝑛
𝑛 𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞 𝒃′ = 𝐴𝑇 𝒔𝑩 + 𝒆𝑩 ∈ ℤ𝑛𝑞

𝐴, 𝒃 ∈ ℤ𝑛×𝑛
𝑞 × ℤ𝑛𝑞

𝒃′ ∈ ℤ𝑞

𝒔𝑻𝒂 𝒃′ = 𝒔𝑻𝒂 𝐴𝑇 𝒔𝑩 + 𝒔𝑻𝒂 𝒆𝑩 𝑚𝑜𝑑 𝑞 𝒔𝑻𝑩 𝒃 = 𝒔𝑻𝑩 𝐴𝒔𝒂 + 𝒔𝑻𝑩 𝒆𝒂 𝑚𝑜𝑑 𝑞

 Example:
Diffie-Hellman Like Structure
2 42 −31 0 3
𝐴 = 45 −26 21 𝒔𝑩 = 1 ; 𝒆𝑩 = −1
14 −5 −23 0 1
−1 1 −8
𝒔𝒂 = 2 ; 𝒆𝒂 = 0 ′ 𝑇
𝒃 = 𝐴 𝒔𝑩 + 𝒆𝑩 = −7
−2 −3 19
40
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 = −24
𝐴, 𝒃
−37
𝒃′

𝒔𝑻𝒂 𝒃′ = 𝒔𝑻𝒂 𝐴𝑇 𝒔𝑩 + 𝒔𝑻𝒂 𝒆𝑩 = 48 𝑚𝑜𝑑 𝑞 𝒔𝑻𝑩 𝒃 = 𝒔𝑻𝑩 𝐴𝒔𝒂 + 𝒔𝑻𝑩 𝒆𝒂 = −47 𝑚𝑜𝑑 𝑞
 Peikert’s Key Exchange (Sketch)
Chris Peikert

Error Tolerance: 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎 ∞ ≤𝑞 8

43
 2 42 −31
𝐴 = 45 −26 21
Example:
14 −5 −23 Peikert’s Method
−1 1 0 3
𝒔𝒂 = 2 ; 𝒆𝒂 = 0 𝒔𝑩 = 1 ; 𝒆𝑩 = −1
−2 −3 0 1
40 −8
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 = −24 𝒃′ = 𝐴𝑇 𝒔𝑩 + 𝒆𝑩 = −7
−37 19

𝒔𝑻𝒂 𝒃′ = 48 𝑚𝑜𝑑 𝑞 𝒔𝑻𝑩 𝒃 = −47 𝑚𝑜𝑑 𝑞

𝒔𝑻𝑩 𝒃 2
=0
𝑘𝑒𝑦 = 1 𝑘𝑒𝑦 = 𝒔𝑻𝑩 𝒃 2
=1
Remark.
• The previous scheme has been (over) simplified.

• Is the output, conditioned on the transmitting messages,

unbiased?
Drawback:
1. Public key size (bit length)≈ 𝑛2 ⋅ log 2 𝑞
2. Transmission bandwidth ≈ 2 ⋅ (𝑛 ⋅ log 2 𝑞)
3. Computation ≈ 2𝑛2 (modular multiplications)
Intuition of Ring-LWE (on the public key).
• In LWE problem (or LWE-based cryptosystem), we need a matrix
$ $
𝐴 ← ℤ𝑛×𝑛
𝑞 or 𝐴 ← ℤ𝑚×𝑛
𝑞 . 𝒂𝟏
𝒂𝟐
𝒂𝟑
⋮

• What if we only generated the first row uniformly at random and

generating an anti-cyclic matrix ?
(𝒄𝟏 , 𝒄𝟐 , … , 𝒄𝒏 )

• (The multiplication can be sped up in (−𝒄𝒏 , 𝒄𝟏 , … , 𝒄𝒏−𝟏 )

some specific condition.) (−𝒄𝒏−𝟏 , −𝒄𝒏 , … , 𝒄𝒏−𝟐 )

• Hardness Guarantee? ⋮
(−𝒄𝒏−𝟐 , −𝒄𝒏−𝟏 , … , 𝒄𝒏−𝟑 )
Hardness of Ring LWE
• Ring-LWE>approx-SIVP over ideal lattices.

• Suspicion:
1. Gap-SVP is not hard on ideal lattices.
2. SVP/SIVP is an NP-hard problem.
SIVP over ideal lattices???

•
Ring-LWE (RLWE)
• LWE is over ℤ𝑚×𝑛
𝑞 .
• Ring-LWE is over a ring 𝑅.
• Consider an ideal lattice on it.
• Typically, 𝑅 = ℤ 𝑥 𝑥 𝑛 + 1 where 𝑛 is power-of-2.

Omitting the tough version, we

introduce a simple and widely
used one.
 Ring-DLWE Problem

• 𝑅 = ℤ 𝑥 < 𝑥 𝑛 + 1 > , where 𝑛 is power−of−2

• 𝑅𝑞 = 𝑅/𝑞𝑅, where 𝑞 ∈ ℕ
• 𝒳 ∶ an error distribution over 𝑅

$
• For 𝑠 ← 𝜒, the RLWE distribution 𝐴𝑠,𝒳,𝑞,𝑛 over 𝑅𝑞 × 𝑅𝑞
$
which is sampled by choosing 𝑎 ∈ 𝑅𝑞 uniformly at random and 𝑒 ← 𝒳,
and output 𝑎, 𝑏 = 𝑎 ∙ 𝑠 + 𝑒 𝑚𝑜𝑑 𝑞
• Given poly(n) samples from 𝐴𝑠,𝒳,𝑞,𝑛 or uniformly random in 𝑅𝑞 × 𝑅𝑞 ,
determine where the samples from.

50
Diffie-Hellman Like Structure (Ring LWE form)
𝑅 = ℤ 𝑥 < 𝑥𝑛 + 1 >
𝑅𝑞 = 𝑅/𝑞𝑅
𝒳 ∶ an error distribution over 𝑅

(𝐴, 𝑢𝑎 = 𝐴𝑠𝑎 + 𝑒𝑎 )
$ $
𝐴 ← 𝑅𝑞 𝑠𝑏 , 𝑒𝑏 ← 𝜒
$
𝑠𝑎 , 𝑒𝑎 ← 𝜒 𝑢𝑏 = 𝐴𝑠𝑏 + 𝑒𝑏 𝑢𝑏 = 𝐴𝑠𝑏 + 𝑒𝑏

𝑢𝑎 = 𝐴𝑠𝑎 + 𝑒𝑎

𝑣𝑎 = 𝑠𝑎 𝑢𝑏 𝑣𝑏 = 𝑠𝑏 𝑢𝑎
𝑣𝑎 − 𝑣𝑏 = 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎
= 𝑠𝑎 𝐴𝑠𝑏 + 𝑠𝑎 𝑒𝑏 = 𝑠𝑏 𝐴𝑠𝑎 + 𝑠𝑏 𝑒𝑎

If 𝒳 is 𝛽-bounded, then
𝑣𝑎 − 𝑣𝑏 ∞ = 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎 ∞ ≤ 2𝑛𝛽2
with overwhelming probability
51
• The following is a “sketch” of the reconciliation mechanism.
 Reconciliation in New Hope – Intuition1 (2 in 1 out)

• 𝑣0 , 𝑣1 ∈ ℤ𝟐𝒒 , consider 𝑣0 /𝑞, 𝑣1 /𝑞 ∈ ℝ𝟐

1 1
𝐿𝑎𝑡𝑡𝑖𝑐𝑒 𝑔𝑒𝑛𝑒𝑟𝑎𝑡𝑒𝑑 𝑏𝑦 1,0 , ,
2 2

Bob
Alice

Grey : k=1
White: k=0
 Example

K=1 Alice Bob K=1

Alice Bob
Reconciliation in New Hope - Security

“0”?

“1”?
Drawback
• Whole “difference vector” is too heavy
Reconciliation in New Hope – Intuition2 (quantization)
Example

K=1 Alice Bob K=1

Alice
Bob
 Reconciliation in New Hope

1 1 1 1
• 𝐷4 ⊆ ℤ4 𝑏𝑒 𝑎 𝑓𝑢𝑙𝑙 𝑙𝑎𝑡𝑡𝑖𝑐𝑒 𝑤𝑖𝑡ℎ 𝑏𝑎𝑠𝑖𝑠 𝑢1 , 𝑢2 , 𝑢3 , 𝑔 = , , ,
2 2 2 2
,
4
𝑤ℎ𝑒𝑟𝑒 𝑢𝑖 𝑖=1 𝑖𝑠 𝑡ℎ𝑒 𝑠𝑡𝑎𝑛𝑑𝑎𝑟𝑑 𝑏𝑎𝑠𝑖𝑠 𝑓𝑜𝑟 ℤ4
• 𝑪𝑽𝑷𝑫𝟒 ∶ 𝑎𝑛 𝐶𝑉𝑃 𝑎𝑙𝑔𝑜𝑟𝑖𝑡ℎ𝑚 𝑓𝑟𝑜𝑚 ℝ4 𝑡𝑜 𝐷4
$
• 𝑯𝒆𝒍𝒑𝑹𝒆𝒄 𝒙; 𝒃 ← 𝟎, 𝟏 ∶ 𝑎𝑛 𝑎𝑙𝑔. 𝑒𝑛𝑐𝑜𝑑𝑖𝑛𝑔 𝑡ℎ𝑒 𝑙𝑜𝑐𝑎𝑡𝑖𝑜𝑛 𝑖𝑛𝑓𝑜𝑟𝑚𝑎𝑡𝑖𝑜𝑛
• 𝑹𝒆𝒄 𝒙, 𝒓 ∶ 𝑟𝑒𝑐𝑜𝑛𝑐𝑖𝑙𝑖𝑎𝑡𝑖𝑜𝑛 𝑤𝑖𝑡ℎ 𝑡ℎ𝑒 𝑖𝑛𝑓𝑜𝑟𝑚𝑎𝑡𝑖𝑜𝑛 𝑟

Note: Including b, there are some technique in 𝐻𝑒𝑙𝑝𝑅𝑒𝑐 to remove the bias.
New Hope

From the paper

𝝍𝟏𝟔

From the paper

𝝍𝟏𝟔 ∶
Replace Rounded Gaussian with binomial
distribution
• High-precision Gaussian sampling is expensive

• 𝜓16 ∶ the centered binomial distribution of variance 8 is rather

trivial in hardware and software without decreasing too much
security for the protocol

• More precisely,
𝐹𝑟𝑒𝑠ℎ 𝒂

From the paper

𝐹𝑟𝑒𝑠ℎ 𝒂:
Against the all-for-the-price-of-one attacks
Unusually Large n=1024
 Unusually Large n=1024

• In security of level 128, the previous schemes are built with n at most 512

• The security of LWE-based schemes has not been thoroughly studied

• In view of RSA, the standardization and deployment of a scheme awakens

further cryptanalytic effort
q=1 mod 2n and 14-bit Prime

From the paper

 Number-Theoretic Transform (NTT)

• Algorithm speeding up modular polynomial multiplications

• 𝑎, 𝑏 ∈ ℛ. 𝐶𝑜𝑚𝑝𝑢𝑡𝑒 𝑎𝑏 = 𝑁𝑇𝑇 −1 𝑁𝑇𝑇 𝑎 ∙ 𝑁𝑇𝑇 𝑏

• q=1 mod 2n: ensures the 𝑛𝑡ℎ root of unity 𝜔 & its square root 𝛾 exist in ℤ𝑞 ,
auxiliary elements in the algorithm.

e.g: For q=12287, n=1024 here, 𝜔 = 49 and 𝛾 = 7

with 𝜔1024 = 1 𝑚𝑜𝑑 𝑞 and 𝜔 = 𝛾 2
NTT

• With the Montgomery multiplication constant 𝑅 = 218 > 𝑞 < 214

• 218 214 ≤ 232 (within 32-bits) is nice for software implementation
 Parameter Considerations in Conclusion

Speed/cost:
• 𝑞 = 1 𝑚𝑜𝑑 2𝑛 & 𝑞 < 214 (NTT)
• 𝜓16 (cost down)
• Improved Rec/HelpRec (decreasing the modulus q)

Security/failure:
• Fresh 𝒂 (Against the all-for-the-price-of-one attacks)
• Improved Rec/HelpRec
• 𝑛 = 1024 (be wary)
Reference
• Google Security Blog:
https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

• CECPQ1results:
https://www.imperialviolet.org/2016/11/28/cecpq1.html

• V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings.

• E. Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe . Post-quantum key exchange - a new
hope.

• Chris Peikert. Lattice cryptography for the internet. In International Workshop on Post-
Quantum Cryptography, pages 197–219. Springer, 2014.

• Jintai Ding. A simple provably secure key exchange scheme based on the learning with
errors problem. Cryptology ePrint Archive, Report 2012/688, 2012.
https://eprint.iacr.org/2012/688/20121210:115748.

• Jintai Ding, Xiang Xie, and Xiaodong Lin. A simple provably secure key exchange scheme
based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688
(29 Jul 2014 revised), 2012. http://eprint.iacr.org/2012/688.

• Oded Regev. The learning with errors problem. Invited survey in CCC, page 15, 2010.
Reference

• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable
oblivious transfer. In Annual International Cryptology Conference, pages 554–571. Springer, 2008.

• Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. SIAM Journal on
Computing, 40(6):1803–1844, 2011.

• Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In
Proceedings of the forty-first annual ACM symposium on Theory of computing, pages
333–342. ACM, 2009.

• Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic
encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT),
6(3):13, 2014.

• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and
composable oblivious transfer. In Annual International Cryptology Conference, pages 554–
571. Springer, 2008.

• Gerald J.Janusz. Algebraic Number Fields, 2𝑛𝑑 ed.

END