May 1 (lattice-based crypto) scribe notes; first draft of merge #38
936a5dc to 9433cf2
In previous sections, we have seen constructions for asymmetric cryptography based on hardness assumptions like the RSA factoring assumption and the discrete logarithm problem. While these problems are assumed to the hard for classical machines, fast quantum algorithms are known. At a high level, quantum computers use phenomenon from quantum mechanism such as superimposition and entanglement to perform computations. | ||
In 1994, Peter Shor gave a quantum algorithm \cite{Shor1994} to factor composite number $N$ that runs in $\mathcal{O}\left( (\log N)^2(\log \log N) (\log \log \log N)\right)$. Variations of this algorithm can also be used to compute discrete logarithms even for elliptic curves. Contrast this with the fastest classical algorithm which runs in $O(e^{1.9 (\log N)^{1/3} (\log \log N)^{2/3}})$. Shor's quantum algorithm achieves an exponential speedup over classical algorithms allowing quantum computers to break all previously discussed asymmetric schemes in polynomial time. | ||
In previous sections, we have seen constructions for asymmetric cryptography based on hardness assumptions like RSA's prime factorization assumption and the discrete logarithm problem. While these problems are assumed to be hard for classical machines, fast quantum algorithms are known. At a high level, quantum computers use phenomenon from quantum mechanisms such as superimposition and entanglement to perform computations. | ||
In 1994, Peter Shor gave a quantum algorithm \cite{Shor1994} to factor an $n$-bit composite number that runs in $\mathcal{O}\left( n^2(\log n) (\log \log n)\right)$. Variations of this algorithm can also be used to compute discrete logarithms even for elliptic curves. Contrast this with the fastest classical algorithm which runs in $O(e^{1.9 n^{1/3} (\log n)^{2/3}})$. Shor's algorithm achieves an exponential speedup over classical algorithms allowing quantum computers to break all previously discussed asymmetric schemes in polynomial time. |
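Review bot: the replacement opening paragraph still carries wording errors that should go with this rewrite: "phenomenon from quantum mechanisms such as superimposition" should read "phenomena from quantum mechanics such as superposition". In the classical bound, the constant 1.9 was stated against $\log N$ in the old line and is kept unchanged after $\log N$ is replaced by the bit length $n$; since $n = \log_2 N$ differs from $\ln N$ by a factor of $\ln 2$, which enters the exponent as $(\ln 2)^{1/3}$, either write the bound in terms of $\ln N$ or mark the constant as approximate, and add a citation for the number field sieve bound next to the Shor citation. Minor: "the fastest classical algorithm which runs in" wants a comma before "which".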
feel like describing the input as an n-bit number instead of a number of magnitude N makes the difference between exponential and polynomial more obvious; e.g. O(N) is exponential time (or technically pseudo-polynomial time) but this is less obvious than O(2^n).
|
||
Although quantum computers are expensive and not readily available today, many consider their advent inevitable spawning new research into so called ``quantum-resistant'' or ``post-quantum'' cryptography. In this section, we introduce a new asymmetric encryption scheme based on lattice problems that are assumed to be hard even for quantum computers. | ||
Although quantum computers are expensive and none available today have enough stable qubits to perform Shor's algorithm on a real-world sized input, many consider their advent inevitable, spawning new research into ``quantum-resistant'' or ``post-quantum'' cryptography. In this section, we introduce a new asymmetric encryption scheme based on lattice problems that are assumed to be hard even for quantum computers. |
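Review bot: the new sentence asserts an uncited, time-dependent fact about how many stable qubits current machines have; qualify it with "as of this writing" or attach a citation so the notes do not silently go stale. Also hyphenate "real-world-sized input".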
clarifying the extent of what's physically available and what isn't
@@ -105,8 +105,7 @@ \subsection{Introduction to Lattices} | |||
\caption{Lattice Problems} | |||
\end{figure} | |||
|
|||
\noindent It is known that $\gapsvpy \Rightarrow \svpy$. To build cryptosystems, the strategy is to find constructions whose security reduces first to the $\gapsvpy$ problem rather than directly to $\svpy$. It is easy to see that $\gapsvpy$ and $\svpy$ both get easier as $\gamma$ increases. | |||
Figure \ref{fig:SVP for Gamma} shows the complexity of the best known algorithms for $\gapsvpy$ for different values of $\gamma$. | |||
\noindent It is known that $\gapsvpy \Rightarrow \svpy$. It is also easy to see that $\gapsvpy$ and $\svpy$ both get easier as $\gamma$ increases. Figure \ref{fig:SVP for Gamma} shows the complexity of the best known algorithms for $\gapsvpy$ for different values of $\gamma$. |
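Review bot: "$\gapsvpy \Rightarrow \svpy$" leaves the direction of the relationship implicit, and the next hunk's argument about reducing security to $\gapsvpy$ depends on the reader getting it right. Spell it out in words on this line, e.g. "an algorithm for $\svpy$ gives an algorithm for $\gapsvpy$, so $\gapsvpy$ is no harder than $\svpy$" (or use a reduction symbol such as $\gapsvpy \le \svpy$ if the notes define one). The reordering itself reads well.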
just reordering some sentences to make the section flow better to a reader
@@ -128,28 +127,29 @@ \subsection{Introduction to Lattices} | |||
\label{fig:SVP for Gamma} | |||
\end{figure} | |||
|
|||
\noindent However, critically, the above hardness classifications are believed to apply to both classical computers and quantum computers. Thus to build a quantum-resistant cryptosystem, the strategy is to find constructions whose security can reduce to the $\gapsvpy$ problem. |
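Review bot: "However, critically, ..." reads awkwardly because nothing preceding it is being contradicted; "Critically, the complexities above are believed to hold for quantum computers as well" says the same thing more directly. Since this belief is the load-bearing claim for calling the construction quantum-resistant, add a citation for it. Also "whose security can reduce to" should be "whose security reduces to", matching the wording removed from the earlier hunk.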
should mention that the best known algorithm complexities for \gapsvpy apply to quantum computers as well
|
||
\begin{problem} | ||
\textnormal{\textbf{(Search-Learning with Errors: $\searchlwe$)}} Suppose that $\varvect{s}$, called the secret vector is sampled uniformly at random from $\Z^n_q$. Let $\varvect{A} \getsr \Z^{m \times n}_q$ be a random $m \times n$ matrix and $\varvect{e} \getsr \chi^m$ be a ``noise vector'' containing $m$ samples from $\chi$. Compute the secret vector $\varvect{s}$ given $\left(\varvect{A}, \varvect{A}\varvect{s} + \varvect{e} \right)$ | ||
\textnormal{\textbf{(Search-Learning with Errors: $\searchlwe$)}} Suppose that $\varvect{s}$, called the secret vector, is sampled uniformly at random from $\Z^n_q$. Let $\varvect{A} \getsr \Z^{m \times n}_q$ be a random $m \times n$ matrix and $\varvect{e} \getsr \chi^m$ be a ``noise vector'' containing $m$ independent samples from $\chi$. Compute the secret vector $\varvect{s}$ given $\left(\varvect{A}, \varvect{A}\varvect{s} + \varvect{e} \right)$. (Note that this is effectively a system of $m$ linear equations in $m+n$ unknowns.) |
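Review bot: the added parenthetical counts the $m$ error coordinates as free unknowns, which makes the system underdetermined in the ordinary sense and hides what makes the problem interesting; as a hint it only works if it also says that those $m$ unknowns are constrained to be small. Suggest "(Note that this is effectively a system of $m$ linear equations in $m+n$ unknowns, of which the $m$ error coordinates are small samples from $\chi$.)", which also ties in with the uniform-error case in the remark below.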
extra sentence at the end is really just there to be a hint for Exercise 3. Remove if you feel it's not necessary.
\end{problem} | ||
|
||
\noindent It is easy to see how the decision version can be solved using the search version assuming $\chi$ is distinguishable from a uniform distribution over $\Z_q$. Intuitively, given a solver $\advA$ for $\searchlwe$, we can construct $\advA'$ that solves $\decisionlwe$ as follows: $\advA'$ feeds its input into $\advA$. Compute $\varvect{e} = \varvect{A}\varvect{s} - \varvect{D}_b$ using the $\varvect{s}$ returned by $\advA$. When $b=0$, $\varvect{e}$ will be a uniformly random vector from $\Z^m_q$ and when $b=1$, $\varvect{e}$ will be from $\chi^m$. Perhaps surprisingly, under some restrictions, the search variant can also be solved using the decision variant. Oded Regev showed in \cite{Regev2005} that the search and decision variants of the LWE problem are equivalent when $q$ is a prime that is polynomial in $n$. This result was extended in \cite{Peikert2009} for any $q$ that is a product of distinct primes that are polynomial in $n$. | ||
|
||
\begin{remark} | ||
If $\varvect{e}$ is uniform over $\Z^m_q$, then finding $\varvect{s}$ is impossible. At the other extreme, if the error is 0, then the problem reduces to $m$ equations in $n$ unknowns which can be solved using Gaussian elimination to obtain a unique solution when $m \geq n$ | ||
If $\varvect{e}$ is uniform over $\Z^m_q$, then finding $\varvect{s}$ is impossible following the same intuition as the one-time pad. At the other extreme, if $\vece = \textbf{0}$, then the problem reduces to $m$ equations in $n$ unknowns which can be solved using Gaussian elimination to obtain a unique solution when $m \geq n$. In between, when the error is drawn from an uneven Discrete Gaussian distribution, the solution becomes computationally intractable to find. If one attempts to use row reduction anyway (despite the presence of a nonzero error), the linear combination operations performed repeatedly on every row causes the errors to accumulate. |
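Review bot: the new remark line mixes macros and modes: it writes `$\vece = \textbf{0}$` where the rest of the section uses `\varvect{e}`, and `\textbf` inside math should be `\mathbf{0}` (or whatever vector macro the notes use). "uneven Discrete Gaussian distribution" is unclear; state what is meant (a discrete Gaussian that is narrow relative to $q$) and keep the capitalisation consistent with the rest of the notes. Grammar: "the linear combination operations ... causes" should be "cause". The intuition would land better with one closing clause saying why accumulation matters: once the combined error in a reduced row is comparable to $q$, that row carries no information about $\varvect{s}$, which is exactly the uniform-error case from the first sentence.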
Mention intuition for why row reduction becomes hard when errors are present
\end{remark} | ||
|
||
\subsection{LWE as a lattice problem and Regev's construction} | ||
The connection between LWE and lattices stems from the fact that | ||
the LWE problem can be viewed as a lattice problem. For certain range of parameters, worst-case hardness of $\gapsvpy$ implies LWE. Regev \cite{Regev2005} built a public key encryption scheme for single bit messages that tightly reduces to the $\decisionlwe$ problem. The details of Regev's construction are given below. | ||
As very briefly touched upon above, for certain ranges of parameters, worst-case hardness of $\gapsvpy$ implies LWE. This reduction applies for both quantum algorithms \cite{Regev2005} and classical algorithms (the latter as long as $q \ge 2^n$) [\textbf{Peikert '09}]. Regev \cite{Regev2005} built a public key encryption scheme for single bit messages that tightly reduces to the $\decisionlwe$ problem. The details of Regev's construction are given below. |
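Review bot: the hand-written citation "[\textbf{Peikert '09}]" should be `\cite{Peikert2009}`, which is already used in this section. "This reduction applies for both quantum algorithms \cite{Regev2005} and classical algorithms" attaches the quantum/classical attribute to the wrong object: what differs between the two papers is the reduction itself (Regev's reduction is a quantum algorithm, Peikert's is classical), so say "the reduction is quantum in \cite{Regev2005} and classical in \cite{Peikert2009}, the latter for $q \ge 2^n$" and keep the modulus condition tied to the Peikert citation. Also "worst-case hardness of $\gapsvpy$ implies LWE" should be "implies hardness of LWE".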
from lecture: covering that the reduction/implication applies to both classical and quantum algorithms, which were shown in separate papers