Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin

Learning with Errors (LWE)

February 26, 2013 Scribe: Clement Canonne
1 Learning with Errors (LWE) [Reg05]
Parameters and Setting. We have three parameters:
n (security parameter)
=
1
poly(n)
(noise parameter)
q = (poly(n)), sometimes exponential in n (modulus)
For a xed s Z
n
q
, dene the distribution
LWE
s
def
=
_
(a, b) Z
n
q
Z
q

a |
Z
n
q
,
q
, b
def
= s, a + mod q
_
(1)
where
q
is a distribution with good properties (for instance a continuous
1
gaussian A(0, q)).
1.1 Computational problems
Denition 1 (Search problem). In SearchLWE[n, , q], the goal is, given oracle access to LWE
s
for
some xed s |
Z
n
q
, to nd and output s.
Denition 2 (Decision problem). In DecisionLWE[n, , q], given oracle access to some oracle O
along with the promise that it either outputs samples (a) from LWE
s
(for some xed s |
Z
n
q
) or
(b) drawn uniformly at random in Z
n
q
Z
q
, the goal is to decide which one of these two cases hold.
A distinguisher D for LWE
s
is said to have advantage if [P
LWEs
D = 1 P
U
D = 1 [ = .
Theorem 1. Given a distinguisher D for DecisionLWE[n, , q] with advantage , one can obtain a
D

that, for every s distinguishes LWE

s
from uniform with advantage 1 e
n
and runs in time
poly(n, 1/).
Proof. For any xed r Z
n
q
, consider the mapping
r
: (a, b) Z
n
q
Z
q
(a, b +a, r) Z
n
q
Z
q
.
It is easy to check that if (a, b) LWE
s
, then
r
(a, b) LWE
s+r
; while if (a, b) |, then so does

r
(a, b).
Reduction (distinguisher D

)
1. Use sampling to nd a threshold such that P
LWEs
D = 1 +

4
and P
U
D = 1

4
.
2. Repeat N = poly(n, 1/) times:
(a) draw r |
Z
n
q
;
(b) run D, answering each query by drawing (a, b) from the oracle and giving
r
(a, b) to D;
(c) record the nal decision of D as a vote v
i
0, 1.
3. return 1 if
1
N

N
i=1
v
i
> , and 0 otherwise.
1
In which case the second component b belongs to Rq = R/Zq = [0, q) instead of Zq, and the modulo is dened
similarly as in the discrete case. In general, all the results below still hold for b Rq.
1
Analysis We deal here with the case where the oracle answers according to LWE
s
for an arbitrary
s; the uniform distribution case is similar.
Since i [N], P v
i
= 1 +

4
, an (additive) Cherno bound yields that P
_
1
N

N
i=1
v
i

_
e
n
,
as long as N =
_
n

2
_
.
Theorem 2. Given a distinguisher D for DecisionLWE[n, , q] with advantage 1 negl(n)/q, one
can construct a solver S for SearchLWE[n, , q] that succeeds w.p. 1 negl(n) and runs in time
q poly(n).
Proof. For i [n] and , Z
q
, consider the transformation

i,,
: (a, b) Z
n
q
Z
q
(a + e
i
. .
a

, b +
. .
b

) Z
n
q
Z
q
where e
i
def
= (0, . . . , 0, 1, 0, . . . , 0).
if b =

n
j=1
s
j
a
j
+ and s
i
= , then b

n
j=1
s
j
a
j
+ + =

n
j=1
s
j
a

j
+
if b =

n
j=1
s
j
a
j
+ and s
i
=

,= , then b

n
j=1
s
j
a

j
+ + (

)
. .
u.a.r. if U
so, for any xed i and , choosing u.a.r. changes the distribution of (a, b) to
i,,
(a, b) according
to:
LWE
s

s
i
=
LWE
s
LWE
s

s
i
=
|
The idea is then to try for each possible values of i, , repeating for each couple poly(n) times the
following: draw u.a.r. each time, and call D to detect if the current simulated oracle is uniform
or not. If not, then the i
th
component of s has been found it is .
Remark 1. Theorem 2 has been extended to other classes of moduli ([Pei09]): if q =

j=1
q
j
where
each q
j
is poly(n), and all are distinct primes, the resulting solver can run in time poly(n, q
1
+ + q

).
Instead of running in time proportional to q (which may be exponential), the algorithm will run in
time proportional to

q
i
(which is much smaller, maybe even polynomial).
Theorem 3. DecisionLWE[n, , q] remains hard even when s is drawn from the error distribution,
that is if s ,
q
| mod q.
Proof. We show that a distinguisher D for the error distribution can be turned into a distinguisher
D

for uniform.
2
Description of D

1. choose n samples (a
i
, b
i
)
i[n]
according to LWE
s
(recall that s |
Z
n
q
), and consider the matrix
A
def
=
_
a
1
[. . .[a
n
_
(assume that A is invertible)
2. Set b
def
= (b
1
, . . . , b
n
) (so that we have b = A
T
s + x for some x ,
q
|), and dene the
mapping
f
A,b
: (, ) Z
n
q
Z
q

_
(A
1
)
T

. .

,
_
(A
1
)
T
, b
_
. .

_
3. Run D to distinguish LWE
x
from uniform, answering the queries by sampling (, ) from the
oracle and providing D with f
A,b
(, ).
Analysis
if (, ) |
Z
n
q
Zq
, then so is f
A,b
(, ) for every A (full-rank);
if (, ) LWE
s
, it holds that

=
_
(A
1
)
T
, b
_
= (, s + )

, A
T
s + x
_
= , s +
_
(A
1
)
T
, A
T
s
_
+

, x
_
=

, s +

, s +

, x
_
=

, x
_
+
with ,
q
|; and therefore (

) LWE
x
.
2 Application: Secret-Key encryption scheme
Recall that a public-key encryption scheme is a tuple of (possibly randomized) algorithms (Keygen, Enc, Dec)
working as below n being a security parameter given as input to the generation algorithm:
s
k
Keygen
n
, c Enc(m, s
k
), m Dec(c, s
k
)
where s
k
/ (key space), m / (message space), c ( (cyphertext space), and such that
s
k
/, m /, c (, P( Dec(c, s
k
) = m [ Enc(m, s
k
) = c ) = 1 (Correctness guarantee)
Security against Chosen-Plaintext Attacks (CPA) This is a game between and attacker
/ and a challenger B, where, for an arbitrary xed n,
1. A (secret) key s
k
is generated by B, running Keygen
n
;
2. / is given 1
n
as input, and oracle access to Enc(, s
k
), and must output a pair of messages
m
0
, m
1
of same length;
3. B chooses a random bit |
{0,1}
and computes the challenge cyphertext c Enc(m

, s
k
);
3
4. / is then given c, and continues to have oracle access to Enc(, s
k
); it must output a guess

0, 1;
5. the output of the game is 1 is / wins (i.e., if =

), 0 otherwise.
The scheme is CPA-secure if for any feasible attacker /, P / wins
1
2
+ negl(n).
Regev-like cryptosystem We now describe a secret-key encryption scheme based on the
LWE hardness assumption; hereafter, n, , q are xed as in the LWE setting.
Denition 3. Let / = 0, 1 (messages are bits), and for key s / = Z
n
q
, dene the encryption
algorithm
2
Enc
s
as follows: on input 0, 1,
choose a |
Z
n
q
and
q
output (a, b), where b
def
= a, s +
. .
()
+
_
q
2
_

Remark 2. information theoretically, getting encryptions of 0 is sucient to determine s. However,

with the LWE assumption, distinguishing between () and a uniform random bit is hard.
Theorem 4. If an attacker / has advantage in guessing , it can be transformed into a DecisionLWE[n, , q]
distinguisher D with advantage /2.
Proof. D will draw many samples (a
i
, b
i
) from the oracle and use them to provide / with encryp-
tions of 0 and encryptions of 1. Then, it chooses a random bit and another sample (a, b), and
provides / with the cyphertext (a, b

def
= b +
_
q
2
_
). / then guesses

, and D outputs uniform

if ,=

, LWE otherwise.
Analysis we know that P
A
=

1
2
+, so when D has a LWE oracle it will output LWE
w.p. at least
1
2
+ .
When D has a uniform oracle, then the attacker receives a cyphertext (a, b +
_
q
2
_
) which is
distributed u.a.r, regardless of so P
A
=

1
2
.
Remark 3 (Decryption). The scheme is actually slightly modied (without aecting the previous
proof) namely, the key will be (n + 1) bits long:
s
k
def
= (s[[1)
c
def
= (a[[ b) (instead of (a, b))
Given this small modication, the decryption works by computing s
k
, c =
_
q
2
_
+ , and
outputting 1 if this quantity is closer to
q
2
than to 0, and 0 otherwise. This succeeds w.h.p (over
the draw of in the encryption).
Remark 4 (Additive homomorphism). Note that if c
1
encrypts
1
and c
2
encrypts
2
, then c
1
+c
2
mod q decrypts to
1

2
(as long as the errors
1
,
2
were not too large). Thus, albeit c
1
+ c
2
might not be a valid cyphertext (not exactly distributed according to the output of Enc
s
, as the
errors are also summed), we do get what is called additive homomorphism for free.
2
The decryption algorithm will be described shortly after.
4
References
[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In
Proceedings of the thirty-seventh annual ACM symposium on Theory of computing, STOC
05, pages 8493, New York, NY, USA, 2005. ACM.
[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem:
extended abstract. In Proceedings of the 41st annual ACM symposium on Theory of com-
puting, STOC 09, pages 333342, New York, NY, USA, 2009. ACM.
5