LWE问题求解策略
参考文献:
- Regev O. On lattices, learning with errors, random linear codes, and cryptography[J]. Journal of the ACM (JACM), 2009, 56(6): 1-40.
- Albrecht M R, Player R, Scott S. On the concrete hardness of learning with errors[J]. Journal of Mathematical Cryptology, 2015, 9(3): 169-203.
- Babai L. On Lovász’lattice reduction and the nearest lattice point problem[J]. Combinatorica, 1986, 6(1): 1-13.
- Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients[J]. Mathematische annalen, 1982, 261(ARTICLE): 515-534.
- Blum A, Kalai A, Wasserman H. Noise-tolerant learning, the parity problem, and the statistical query model[J]. Journal of the ACM (JACM), 2003, 50(4): 506-519.
- Lindner R, Peikert C. Better key sizes (and attacks) for LWE-based encryption[C]//Cryptographers’ Track at the RSA Conference. Springer, Berlin, Heidelberg, 2011: 319-339.
- Schnorr C P, Euchner M. Lattice basis reduction: Improved practical algorithms and solving subset sum problems[J]. Mathematical programming, 1994, 66(1): 181-199.
- Chen Y, Nguyen P Q. BKZ 2.0: Better lattice security estimates[C]//International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2011: 1-20.
- Gama N, Nguyen P Q, Regev O. Lattice enumeration using extreme pruning[C]//Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2010: 257-278.
- Arora S, Ge R. New algorithms for learning in presence of errors[C]//International Colloquium on Automata, Languages, and Programming. Springer, Berlin, Heidelberg, 2011: 403-415.
文章目录
-
- LWE问题
- 求解LWE的三种策略
- 算法
LWE问题
LWE分布 L s , χ L_{s,\chi} Ls,χ:选定秘密向量 s ∈ Z q n s \in Z_q^n s∈Zqn,随机均匀地选择 a ∈ Z q n a \in Z_q^n a∈Zqn,从离散高斯分布中选择 e ← χ e \leftarrow \chi e←χ,输出: ( a , b = < a , s > + e m o d q ) ∈ Z q n × Z q (a,b=
对于 m m m个LWE样本,可以写作 ( A , c = A s + e ) (A,c=As+e) (A,c=As+e),其中 A ∈ Z q m × n , s ∈ Z q n , e ← χ m A \in Z^{m \times n}_q,\, s \in Z^n_q,\, e \leftarrow \chi^m A∈Zqm×n,s∈Zqn,e←χm
LWE问题的硬度与样本数量完全独立。
一般地,错误分布 χ \chi χ取做离散高斯分布 D Z , α q D_{Z,\alpha q} DZ,αq:整数集 Z Z Z上,以 0 0 0为分布中心,宽度参数为 α \alpha α;使用连续高斯分布的标准差 σ = α q 2 π \sigma = \dfrac{\alpha q}{\sqrt{2 \pi}} σ=2παq来近似离散情况,要求标准差大于平滑参数 σ ≥ η ϵ ( Z ) \sigma \ge \eta_\epsilon(Z) σ≥ηϵ(Z)
normal form:对于秘密 s ∈ Z q n s \in Z_q^n s∈Zqn,错误分布 D Z m + n , α q D_{Z^{m+n},\alpha q} DZm+n,αq,得到了 m + n m+n m+n个LWE样本,将其中 n n n个样本写作 ( A 0 , c 0 ) = ( A 0 , A 0 ⋅ s + e 0 ) (A_0,c_0) = (A_0,A_0 \cdot s+e_0) (A0,c0)=(A0,A0⋅s+e0),其中 A 0 ∈ Z q n × n A_0 \in Z^{n \times n}_q A0∈Zqn×n满秩的概率为
P r = ∏ i = 1 n q n − q i − 1 q n Pr = \prod_{i=1}^n \dfrac{q^n-q^{i-1}}{q^n} Pr=i=1∏nqnqn−qi−1
另外 m m m个样本写作 ( A 1 , c 1 ) = ( A 1 , A 1 ⋅ s + e 1 ) (A_1,c_1) = (A_1,A_1 \cdot s+e_1) (A1,c1)=(A1,A1⋅s+e1),其中 A 1 ∈ Z q m × n A_1 \in Z^{m \times n}_q A1∈Zqm×n
计算
A 1 A 0 − 1 ⋅ c 0 − c 1 = A 1 A 0 − 1 ( A 0 s + e 0 ) − A 1 s − e 1 = A 1 s + A 1 A 0 − 1 e 0 − A 1 s − e 1 = A 1 A 0 − 1 ⋅ e 0 − e 1 \begin{aligned} A_1 A_0^{-1} \cdot c_0 - c_1 &=& A_1A_0^{-1}(A_0s+e_0) - A_1s - e_1\\ &=& A_1s + A_1A_0^{-1}e_0 - A_1s - e_1\\ &=& A_1A_0^{-1} \cdot e_0 - e_1 \end{aligned} A1A0−1⋅c0−c1===A1A0−1(A0s+e0)−A1s−e1A1s+A1A0−1e0−A1s−e1A1A0−1⋅e0−e1
于是
( A 1 A 0 − 1 , A 1 A 0 − 1 ⋅ c 0 − c 1 ) = ( A 1 A 0 − 1 , A 1 A 0 − 1 ⋅ e 0 − e 1 ) (A_1 A_0^{-1},\,\,A_1 A_0^{-1} \cdot c_0 - c_1) = (A_1 A_0^{-1},\,\, A_1 A_0^{-1} \cdot e_0 - e_1) (A1A0−1,A1A0−1⋅c0−c1)=(A1A0−1,A1A0−1⋅e0−e1)
简记 A ′ : = A 1 A 0 − 1 A':=A_1 A_0^{-1} A′:=A1A0−1, c ′ = A 1 A 0 − 1 ⋅ c 0 − c 1 c'=A_1 A_0^{-1} \cdot c_0 - c_1 c′=A1A0−1⋅c0−c1, s ′ : = e 0 s':=e_0 s′:=e0, e ′ = − e 1 e'=-e_1 e′=−e1
由于错误分布 D Z m + n , α q D_{Z^{m+n},\alpha q} DZm+n,αq是对称的,并且 A 0 − 1 A_0^{-1} A0−1满秩,所以 ( A ′ , c ′ ) = ( A ′ , A ′ s ′ + e ′ ) (A',c')=(A',A's'+e') (A′,c′)=(A′,A′s′+e′)是m个LWE样本,其中 s ′ ← D Z n , α q s' \leftarrow D_{Z^n,\alpha q} s′←DZn,αq
解决 ( A ′ , A ′ s ′ + e ′ ) (A',A's'+e') (A′,A′s′+e′)等价于解决 ( A 0 , A 0 ⋅ s + e 0 ) (A_0,A_0 \cdot s+e_0) (A0,A0⋅s+e0),因为 s = A 0 − 1 ( c 0 − s ′ ) s = A_0^{-1}(c_0-s') s=A0−1(c0−s′)
modulus switching:对于足够小的秘密 s ∈ Z q n s \in Z_q^n s∈Zqn,
∥ < p q ⋅ a − ⌊ p q ⋅ a ⌉ , s > ≈ p q ⋅ ∥ e ∥ \| <\frac{p}{q} \cdot a - \lfloor \frac{p}{q} \cdot a \rceil,\, s> \approx \frac{p}{q} \cdot \|e\| ∥<qp⋅a−⌊qp⋅a⌉,s>≈qp⋅∥e∥
对于 ( a , c ) ← L s , D Z , α q (a,c) \leftarrow L_{s,D_{Z,\alpha q}} (a,c)←Ls,DZ,αq,令 p ≈ 2 π n 12 ⋅ σ s α p \approx \sqrt{\dfrac{2\pi n}{12}} \cdot \dfrac{\sigma_s}{\alpha} p≈122πn⋅ασs,其中 σ s \sigma_s σs是秘密 s s s的每个分量的标准差;如果 p < q pp<q
,那么
( a ˉ , c ˉ ) = ( ⌊ p q ⋅ a ⌉ , ⌊ p q ⋅ c ⌉ ) ∈ Z p n × Z p (\bar a,\bar c) = (\lfloor \frac{p}{q} \cdot a \rceil,\, \lfloor \frac{p}{q} \cdot c \rceil) \in Z_p^n \times Z_p (aˉ,cˉ)=(⌊qp⋅a⌉,⌊qp⋅c⌉)∈Zpn×Zp
是一个LWE样本,其错误分布的标准差是 2 α p 2 π + O ( 1 ) \dfrac{\sqrt 2 \alpha p}{\sqrt{2\pi}}+O(1) 2π2αp+O(1),即是 L s , D Z , 2 α q + 1 L_{s,D_{Z,\sqrt 2 \alpha q + 1}} Ls,DZ,2αq+1
切比雪夫不等式:对于任意分布,都有 P r [ ∥ X − E ( X ) ∥ ≥ ϵ ] ≤ D ( X ) ϵ 2 Pr[\|X-E(X)\| \ge \epsilon] \le \dfrac{D(X)}{\epsilon^2} Pr[∥X−E(X)∥≥ϵ]≤ϵ2D(X)
错误长度分布:令 χ \chi χ是标准差为 σ \sigma σ且均值为 0 0 0的连续高斯分布,对于任意常数 C C C,都有
P r [ e ← χ : ∥ e ∥ > C ⋅ σ ] ≤ 2 C 2 π ⋅ e − C 2 / 2 Pr[e \leftarrow \chi:\, \|e\| > C \cdot \sigma] \le \dfrac{2}{C\sqrt{2\pi}} \cdot e^{-C^2/2} Pr[e←χ:∥e∥>C⋅σ]≤C2π2⋅e−C2/2
即,错误 e e e出现的概率,随 ∥ e ∥ \|e\| ∥e∥的增长,呈指数级衰减。
求解LWE的三种策略
对于搜索版本的LWE问题,给定 m m m个独立的LWE样本 ( A , c ) ← L s , χ (A,c) \leftarrow L_{s,\chi} (A,c)←Ls,χ;对于决策版本的LWE问题,给定 m m m个独立样本,要么 ( A , c = A s + e ) ← L s , χ (A,c=As+e) \leftarrow L_{s,\chi} (A,c=As+e)←Ls,χ,要么 ( A , c ) ← U ( Z q n × Z q ) (A,c) \leftarrow U(Z_q^n \times Z_q) (A,c)←U(Zqn×Zq)
-
SIS策略:
将决策版本,转化为解决由 A A A生成的格的对偶格(scaled (by q q q) dual lattice)上的SIS问题,即在 L = { w ∈ Z q m ∣ w A ≡ 0 m o d q } L=\{w \in Z_q^m|wA \equiv 0 \mod q\} L={w∈Zqm∣wA≡0modq}中找到向量 v ∈ L v \in L v∈L,使得 ∥ v ∥ \|v\| ∥v∥足够小。计算 v ⋅ c ≡ v ⋅ A s + v ⋅ e ≡ v ⋅ e m o d q v \cdot c \equiv v \cdot As + v \cdot e \equiv v \cdot e\mod q v⋅c≡v⋅As+v⋅e≡v⋅emodq
当样本是LWE分布时, v , e v,e v,e都足够短,于是 < v , e >
当样本是均匀分布时, < v , e >
对于参数 n , q , α n,q,\alpha n,q,α的LWE实例,假设找到了短向量 v v v,那么将 < v , e >
-
BDD策略:
将搜索版本,转化为解决由 A A A生成的格上的BDD问题,即在 L = { A z ∈ Z q n ∣ z ∈ Z n } L=\{Az \in Z_q^n|z \in Z^n\} L={Az∈Zqn∣z∈Zn}中找到格点 v ∈ L v \in L v∈L,使得向量 c c c与格点 v v v的欧几里得距离足够近。计算 s = A − 1 ⋅ v s = A^{-1} \cdot v s=A−1⋅v即可。
如果 A A A不满秩,再次采样,直到它可逆。
-
直接求解策略:
望文生义,直接搜索一个合适的 s s s,使得 ∥ A s − c ∥ \|As-c\| ∥As−c∥足够小。这是上述BDD策略的变体。
算法
- 穷举算法(策略三)
- BKW算法(策略一)
- BKZ算法(策略一)
- Babai最近平面算法(策略二)
- Kannan嵌入技术(策略二)
- Arora-Ge算法(策略三)
不写啦,以后想起来再更新(ಥ_ಥ)