Indian Institute of Technology Kanpur
CS682A Quantum Computing Course Project Report
Lattice Based Cryptography
Author: Nikhil Vanjani (14429)
Advisor: Prof. Rajat Mittal
IIT Kanpur, November 15, 2017


Contents

1 Abstract
2 Background
  2.1 Cryptography
  2.2 Post Quantum Cryptography
3 Lattices in Computer Science
  3.1 Introduction
  3.2 LLL Algorithm
  3.3 Dual Lattices
  3.4 Fourier Transform
4 On Lattices, Learning With Errors, Random Linear Codes, and Cryptography
  4.1 Preliminaries
  4.2 Some Results that will be useful in proving Main Theorem
  4.3 Main Theorem
  4.4 Public Key Cryptosystem


1 Abstract

There are three main contributions of Regev's paper [1] studied in this project. The first is the reduction from worst-case lattice problems to the Learning With Errors (LWE) problem introduced by Regev. The second is the explanation of why this reduction is quantum, and its implication in showing a relation between two worst-case lattice problems, Bounded Distance Decoding (a variant of CVP) and the Discrete Gaussian Sampling (DGS) problem. The third is the proposal of a first of its kind classical cryptosystem whose hardness is based on quantum hardness assumptions.

2 Background

2.1 Cryptography

Cryptography is the study of techniques used for secure communication in the presence of third-party adversaries. The central problems that cryptography tries to solve are:

• Confidentiality: If Alice wants to communicate something confidential to Bob, any third-party adversary Eve who can tap the communication should not be able to understand what is being communicated.

• Integrity: If Bob is receiving some message from Alice, he needs to be sure that the message hasn't been tampered with while being transmitted to him.

• Authentication: If Alice is communicating something to Bob, Bob needs to be sure that it is indeed Alice who is sending the message and not someone else.

• Non-repudiation: If Alice communicates something to Bob, at a later point she should not be able to deny authorship of what she communicated.

Modern day cryptographic protocols are based on mathematical theory. When we say that some standard protocol is secure, we mean that the protocol is based on computational hardness assumptions, meaning that breaching the security of the protocol would be equivalent to solving the computationally hard problem it is based on. This is considered infeasible since, by definition, the hard problems are the ones which cannot be solved efficiently, in polynomial time.

Today's most popular public key algorithms are based on the following problems: the Integer Factorization Problem [2], the Discrete Logarithm Problem [3], and the Elliptic Curve Discrete Logarithm Problem [4].

Peter Shor, in 1994, formulated Shor's algorithm [5], which can solve all three of these problems in polynomial time on a quantum computer. In 2001, IBM demonstrated an implementation of Shor's algorithm to factor 15. An intuitive question which follows from Shor's algorithm is: could quantum computers solve NP-complete problems? Lance Fortnow [6] explains that this is unlikely to happen, and the majority of researchers believe likewise for now.


Unlike public key cryptography, secret key cryptography is considered to be secure against quantum computers. Though Grover's algorithm [7] reduces the run time quadratically, it can be tackled by doubling the key size [8].

2.2 Post Quantum Cryptography

After Shor's breakthrough algorithm, people started exploring and building algorithms which would be resistant to attacks by quantum computers. Such algorithms come under the purview of Post Quantum Cryptography (PQC).

Note: Often post quantum cryptography and quantum cryptography are confused to be the same, but they are not. Quantum cryptography explores using quantum mechanical properties to achieve confidentiality, integrity, authentication and non-repudiation.

More recently, advances in PQC have been made majorly by the following three approaches:

• Lattice Based Cryptography: This approach is based on lattice-based constructions. Ajtai [9], in 1996, introduced the first lattice based cryptographic protocol, based on the lattice problem Short Integer Solutions. More recent work revolves around Regev's [1] lattice based public key encryption scheme based on the Learning With Errors problem.

• Code Based Cryptography: This approach is based on error correcting codes. The most popular algorithm based on this approach is McEliece's algorithm, which is based on random Goppa codes.

• Hash Based Cryptography: Hash based digital signatures were introduced by Merkle in the 1970s through the Merkle Signature Scheme [10]. Research in this approach revived when people realised that it was resistant to attacks by quantum computers.

Note: Proofs of lemmas/theorems/claims marked with # in subsequent sections are provided in the appendix.

3 Lattices in Computer Science

3.1 Introduction

In this subsection, we define lattices, their span, the fundamental parallelepiped and its properties, and the determinant of a lattice. Then we proceed to define successive minima and find some upper bounds on them, namely Blichfeldt's theorem and Minkowski's theorems. Lastly, the popular computational problems on lattices, the Shortest Vector Problem and the Closest Vector Problem, are defined along with their approximation variants.

Definition 3.1.1 (Lattice) Given $n$ linearly independent vectors $b_1, b_2, \dots, b_n \in \mathbb{R}^m$, the lattice generated by them is defined as

$$\mathcal{L}(B) = \mathcal{L}(b_1, b_2, \dots, b_n) = \left\{ \sum_{i=1}^{n} x_i b_i \;\middle|\; x_i \in \mathbb{Z} \right\} = \{ Bx \mid x \in \mathbb{Z}^n \}$$

We refer to $b_1, b_2, \dots, b_n$ as a basis of the lattice.

Figure 1: A lattice in $\mathbb{R}^2$ [11]

Definition 3.1.2 (Span) The span of a lattice $\mathcal{L}(B)$ is the linear space spanned by its vectors,

$$\mathrm{span}(\mathcal{L}(B)) = \mathrm{span}(B) = \{ By \mid y \in \mathbb{R}^n \}$$

Definition 3.1.3 (Fundamental Parallelepiped) For any lattice basis $B$ we define

$$\mathcal{P}(B) = \{ Bx \mid x \in \mathbb{R}^n, \forall i : 0 \le x_i < 1 \}$$

Figure 2: A lattice in $\mathbb{R}^2$ [11]

Lemma 3.1.4# Let $\Lambda$ be a lattice of rank $n$ and let $b_1, b_2, \dots, b_n \in \Lambda$ be $n$ linearly independent lattice vectors. Then $b_1, b_2, \dots, b_n$ form a basis of $\Lambda$ if and only if $\mathcal{P}(b_1, b_2, \dots, b_n) \cap \Lambda = \{0\}$.

Lemma 3.1.5 Two bases $B_1, B_2 \in \mathbb{R}^{m \times n}$ are equivalent iff $B_2 = B_1 U$ for some unimodular matrix $U$.

Definition 3.1.6 (Determinant) For a rank $n$ lattice $\Lambda$, its determinant, denoted by $\det(\Lambda)$, is defined as the $n$-dimensional volume of $\mathcal{P}(B)$. Mathematically, $\det(\Lambda) := \sqrt{\det(B^T B)}$. When $\Lambda$ is full rank, $\det(\Lambda) := |\det(B)|$.

Definition 3.1.7 (Successive Minima) Let $\Lambda$ be a lattice of rank $n$. For $i \in \{1, 2, \dots, n\}$ we define the $i$th successive minimum as

$$\lambda_i(\Lambda) = \inf \{ r \mid \dim(\mathrm{span}(\Lambda \cap \mathcal{B}(0, r))) \ge i \}$$

where $\mathcal{B}(0, r) = \{ x \in \mathbb{R}^m \mid \|x\| \le r \}$ is the closed ball of radius $r$ around $0$.


Figure 3: Some lattice bases [11]

Figure 4: Successive minima: $\lambda_1(\Lambda) = 1$, $\lambda_2(\Lambda) = 2.3$ [11]

Blichfeldt's Theorem: For any full rank lattice $\Lambda \subseteq \mathbb{R}^n$ and set $S \subseteq \mathbb{R}^n$ with $\mathrm{vol}(S) > \det(\Lambda)$, there exist two distinct points $z_1, z_2 \in S$ such that $z_1 - z_2 \in \Lambda$.

Figure 5: Blichfeldt's Theorem [11]


Minkowski's Convex Body Theorem: Let $\Lambda$ be a full rank lattice of rank $n$. Then for any centrally symmetric convex set $S$, if $\mathrm{vol}(S) > 2^n \det(\Lambda)$ then $S$ contains a non-zero lattice point.

Figure 6: Intuitive proof of Minkowski's Convex Body Theorem: let $S' = \frac{1}{2} S$; $S'$ satisfies Blichfeldt's Theorem; lastly, $z_1 - z_2 \in S$ because $S$ is centrally symmetric [11]

Minkowski's First Theorem: For any full-rank lattice $\Lambda$ of rank $n$,

$$\lambda_1(\Lambda) \le \sqrt{n} \, (\det(\Lambda))^{1/n}$$

Proof

• Claim 1: The volume of an $n$-dimensional ball of radius $r$ satisfies $\mathrm{vol}(\mathcal{B}(0, r)) \ge \left( \frac{2r}{\sqrt{n}} \right)^n$.

• By definition, the open ball $\mathcal{B}(0, \lambda_1(\Lambda))$ contains no nonzero lattice points. By Minkowski's Convex Body Theorem and Claim 1,

$$\left( \frac{2 \lambda_1(\Lambda)}{\sqrt{n}} \right)^n \le \mathrm{vol}(\mathcal{B}(0, \lambda_1(\Lambda))) \le 2^n \det(\Lambda)$$

and we obtain the bound on $\lambda_1(\Lambda)$ by rearranging.

Minkowski's Second Theorem: For any full-rank lattice $\Lambda$ of rank $n$,

$$\left( \prod_{i=1}^{n} \lambda_i(\Lambda) \right)^{1/n} \le \sqrt{n} \, (\det(\Lambda))^{1/n}$$

Computational Problems: Minkowski's first theorem implies that any lattice $\Lambda$ of rank $n$ contains a nonzero vector of length at most $\sqrt{n} \, (\det(\Lambda))^{1/n}$. Its proof, however, is non-constructive: it does not give us an algorithm to find such a lattice vector. In fact there is no known efficient algorithm that finds such short vectors. The computational problems presented below are conjectured to be hard.

Shortest Vector Problem (SVP): We are given a lattice and we are supposed to find the shortest nonzero lattice point.

• Search SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $v \in \mathcal{L}(B)$ such that $\|v\| = \lambda_1(\mathcal{L}(B))$.

• Optimization SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $\lambda_1(\mathcal{L}(B))$.

• Decisional SVP: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a rational $r \in \mathbb{Q}$, determine whether $\lambda_1(\mathcal{L}(B)) \le r$ or not.


Approximation variants of SVP: Here, instead of finding the shortest vector, we are interested in an approximation of it. The factor of approximation is given by some parameter $\gamma \ge 1$.

• Search $\mathrm{SVP}_\gamma$: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $v \in \mathcal{L}(B)$ such that $v \ne 0$ and $\|v\| \le \gamma \lambda_1(\mathcal{L}(B))$.

• Optimization $\mathrm{SVP}_\gamma$: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find $d$ such that $d \le \lambda_1(\mathcal{L}(B)) \le \gamma d$.

• Promise $\mathrm{SVP}_\gamma$: An instance of the problem is given by a pair $(B, r)$ where $B \in \mathbb{Z}^{m \times n}$ is a lattice basis and $r \in \mathbb{Q}$. In YES instances, $\lambda_1(\mathcal{L}(B)) \le r$. In NO instances, $\lambda_1(\mathcal{L}(B)) \ge \gamma r$.

The latter variant is usually denoted by $\mathrm{GapSVP}_\gamma$.

Approximation variants of CVP: Another fundamental lattice problem is the Closest Vector Problem (CVP). Here, the goal is to find the lattice point closest to a given target point in space. As before, for an approximation factor $\gamma \ge 1$, we can define three variants:

• Search $\mathrm{CVP}_\gamma$: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a vector $t \in \mathbb{Z}^m$, find $v \in \mathcal{L}(B)$ such that $\|v - t\| \le \gamma \, \mathrm{dist}(t, \mathcal{L}(B))$.

• Optimization $\mathrm{CVP}_\gamma$: Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a vector $t \in \mathbb{Z}^m$, find $d$ such that $d \le \mathrm{dist}(t, \mathcal{L}(B)) \le \gamma d$.

• Promise $\mathrm{CVP}_\gamma$: An instance of the problem is given by a triple $(B, t, r)$ where $B \in \mathbb{Z}^{m \times n}$ is a lattice basis, $t \in \mathbb{Z}^m$ and $r \in \mathbb{Q}$. In YES instances, $\mathrm{dist}(t, \mathcal{L}(B)) \le r$. In NO instances, $\mathrm{dist}(t, \mathcal{L}(B)) \ge \gamma r$.

3.2 LLL Algorithm

Definition 3.2.1 Given $n$ linearly independent vectors $b_1, \dots, b_n \in \mathbb{R}^n$, the Gram-Schmidt orthogonalization of $b_1, \dots, b_n$ is defined as

$$\tilde{b}_i = b_i - \sum_{j=1}^{i-1} \mu_{i,j} \tilde{b}_j, \quad \text{where } \mu_{i,j} = \frac{\langle b_i, \tilde{b}_j \rangle}{\langle \tilde{b}_j, \tilde{b}_j \rangle}.$$

Definition 3.2.2 A basis $B = \{b_1, \dots, b_n\} \subset \mathbb{R}^n$ is a $\delta$-LLL Reduced Basis if the following holds:

• $\forall 1 \le i \le n$ and $j < i$: $|\mu_{i,j}| \le \frac{1}{2}$

• $\forall 1 \le i < n$: $\delta \|\tilde{b}_i\|^2 \le \|\mu_{i+1,i} \tilde{b}_i + \tilde{b}_{i+1}\|^2$

Claim 3.2.3 Let $b_1, \dots, b_n \in \mathbb{R}^n$ be a $\delta$-LLL reduced basis. Then,

$$\|b_1\| \le \left( \frac{2}{\sqrt{4\delta - 1}} \right)^{n-1} \lambda_1(\mathcal{L})$$

Claim 3.2.3 provides us with an approximation to the SVP problem. For $\delta = 3/4$, we obtain a $2^{(n-1)/2}$ approximation. The best approximation obtained by it can be $\left( \frac{2}{\sqrt{3}} \right)^{n-1}$, by setting $\delta = \frac{1}{4} + \left( \frac{3}{4} \right)^{n/(n-1)}$.

The LLL Algorithm

Running time is polynomial in $M = \max\{ n, \log(\max_i \|b_i\|) \}$.


Algorithm 1 The LLL Algorithm

Input: Lattice basis $b_1, \dots, b_n \in \mathbb{Z}^n$
Output: $\delta$-LLL reduced basis for $\mathcal{L}(B)$
Start: compute $\tilde{b}_1, \dots, \tilde{b}_n$
Reduction Step:
  for $i = 2$ to $n$ do
    for $j = i - 1$ down to $1$ do
      $b_i \leftarrow b_i - c_{i,j} b_j$, where $c_{i,j} = \lfloor \langle b_i, \tilde{b}_j \rangle / \langle \tilde{b}_j, \tilde{b}_j \rangle \rceil$ (rounded to the nearest integer)
Swap Step:
  if $\exists i$ such that $\delta \|\tilde{b}_i\|^2 > \|\mu_{i+1,i} \tilde{b}_i + \tilde{b}_{i+1}\|^2$ then
    $b_i \leftrightarrow b_{i+1}$
    goto Start
Return $b_1, \dots, b_n$
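The following Python implementation of Algorithm 1 is an added example; it is not code from the report or from Regev's notes. All arithmetic is kept in exact rationals so that the size-reduction and Lovász checks of Definition 3.2.2 are decided exactly; the function names (`lll`, `gram_schmidt`, `is_lll_reduced`, `lattice_det2`, `nearest_int`) and the 3-dimensional input basis are the example's own constructions.

```python
from fractions import Fraction
import math


def dot(u, v):
    """Inner product <u, v> of two vectors given as lists of Fractions."""
    return sum(a * b for a, b in zip(u, v))


def nearest_int(x):
    """Nearest integer to x, the rounding used for c_{i,j} in Algorithm 1.
    A tie x = k + 1/2 is rounded toward zero, so |x - nearest_int(x)| <= 1/2
    and any x with |x| <= 1/2 maps to 0, matching Definition 3.2.2."""
    c = math.floor(x)
    r = x - c
    if r > Fraction(1, 2) or (r == Fraction(1, 2) and x < 0):
        c += 1
    return c


def gram_schmidt(b):
    """Gram-Schmidt orthogonalisation of Definition 3.2.1.
    Returns (bstar, mu) with bstar[i] = b_i - sum_{j<i} mu[i][j] * bstar[j].
    The rows of b must be linearly independent (no bstar[j] may vanish)."""
    b = [[Fraction(x) for x in v] for v in b]
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lattice_det2(b):
    """det(L(B))^2 = det(B^T B) = prod_i ||bstar_i||^2 (Definition 3.1.6).
    Exact, so it certifies that a reduction returned a basis of the same lattice."""
    bstar, _ = gram_schmidt(b)
    out = Fraction(1)
    for v in bstar:
        out *= dot(v, v)
    return out


def is_lll_reduced(b, delta=Fraction(3, 4)):
    """Check both conditions of Definition 3.2.2 with exact arithmetic."""
    bstar, mu = gram_schmidt(b)
    n = len(b)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(n) for j in range(i)):
        return False                     # size-reduction condition fails
    for i in range(n - 1):
        w = [mu[i + 1][i] * x + y for x, y in zip(bstar[i], bstar[i + 1])]
        if delta * dot(bstar[i], bstar[i]) > dot(w, w):
            return False                 # Lovasz condition fails at index i
    return True


def lll(basis, delta=Fraction(3, 4)):
    """Algorithm 1 of the report: size-reduce every vector, swap the first
    pair violating the Lovasz condition, and go back to Start; stop when no
    swap is needed.  Terminates for delta in (1/4, 1) and returns an integer
    basis of the same lattice as the input."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)
    while True:
        bstar, _ = gram_schmidt(b)                       # Start
        for i in range(1, n):                            # Reduction Step
            for j in range(i - 1, -1, -1):
                c = nearest_int(dot(b[i], bstar[j]) / dot(bstar[j], bstar[j]))
                b[i] = [x - c * y for x, y in zip(b[i], b[j])]
        _, mu = gram_schmidt(b)   # size reduction leaves bstar unchanged, mu not
        swapped = False                                  # Swap Step
        for i in range(n - 1):
            w = [mu[i + 1][i] * x + y for x, y in zip(bstar[i], bstar[i + 1])]
            if delta * dot(bstar[i], bstar[i]) > dot(w, w):
                b[i], b[i + 1] = b[i + 1], b[i]
                swapped = True
                break                                    # goto Start
        if not swapped:
            return [[x.numerator // x.denominator for x in v] for v in b]


if __name__ == "__main__":
    B = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]   # constructed 3-dimensional basis
    R = lll(B)
    print("reduced basis:", R)               # [[0, 1, 0], [1, 0, 1], [-1, 0, 2]]
    print("same lattice:", lattice_det2(B) == lattice_det2(R))
    print("3/4-LLL reduced:", is_lll_reduced(R))
```

For this input the first reduced vector has norm 1, which is the best possible in an integer lattice, so the output attains the bound of Claim 3.2.3 with room to spare.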

3.3 Dual Lattices

Definition 3.3.1 (Dual Lattices) For a full rank lattice $\Lambda$ we define its dual lattice as

$$\Lambda^* = \{ y \in \mathbb{R}^n \mid \forall x \in \Lambda, \langle x, y \rangle \in \mathbb{Z} \}$$

In general, we define

$$\Lambda^* = \{ y \in \mathrm{span}(\Lambda) \mid \forall x \in \Lambda, \langle x, y \rangle \in \mathbb{Z} \}$$

Figure 7: A lattice and its dual [11]

Definition 3.3.2 (Dual Basis) For a basis $B = (b_1, \dots, b_n) \in \mathbb{R}^{m \times n}$, define the dual basis $D = (d_1, \dots, d_n) \in \mathbb{R}^{m \times n}$ as the unique basis which satisfies:

• $\mathrm{span}(D) = \mathrm{span}(B)$

• $B^T D = I$

Property 3.3.3 If $D$ is the dual basis of $B$ then $(\mathcal{L}(B))^* = \mathcal{L}(D)$.


Property 3.3.4 For any lattice $\Lambda$, $(\Lambda^*)^* = \Lambda$.

Property 3.3.5 For any lattice $\Lambda$, $\det(\Lambda^*) = \frac{1}{\det(\Lambda)}$.

Property 3.3.6 For any rank $n$ lattice $\Lambda$, $\lambda_1(\Lambda) \lambda_1(\Lambda^*) \le n$.

Property 3.3.7 For any rank $n$ lattice $\Lambda$, $\lambda_1(\Lambda) \lambda_n(\Lambda^*) \ge 1$.

Note: Properties 3.3.6 and 3.3.7 give some relations between properties of a lattice and those of its dual. Such properties are known as transference theorems. Transference theorems allow one to infer information about a lattice by studying the properties of its dual. Using transference theorems, one can give simple reductions between corresponding lattice problems.

Definition 3.3.8 ($\pi_i$ Notation) For a basis $b_1, \dots, b_n$, let $\pi_i$ denote the projection on the space $\mathrm{span}(b_1, \dots, b_{i-1})^\perp$. In particular, $\pi_1(b_1), \dots, \pi_n(b_n)$ is the Gram-Schmidt orthogonalization of $b_1, \dots, b_n$.

Property 3.3.9 Let $B, D$ be dual bases. Then, for all $i$, $B' = (\pi_i(b_i), \dots, \pi_n(b_n))$ and $D' = (d_i, \dots, d_n)$ are also dual bases.

Property 3.3.10 Let $b_1, \dots, b_n$ be some basis and let $\tilde{b}_1, \dots, \tilde{b}_n$ be its Gram-Schmidt orthogonalization. Let $d_n, \dots, d_1$ be the dual basis of $b_1, \dots, b_n$ in reverse order and let $\tilde{d}_n, \dots, \tilde{d}_1$ be its Gram-Schmidt orthogonalization. Then, for all $i$,

$$\tilde{d}_i = \frac{\tilde{b}_i}{\|\tilde{b}_i\|^2}$$

Definition 3.3.11 (Korkine-Zolotarev (KZ) Bases) For a rank $n$ lattice $\Lambda$, we define its KZ basis $b_1, \dots, b_n$ recursively as follows. We let $b_1$ be the shortest vector in $\Lambda$. We then let $\Lambda'$ be the lattice given by the projection of $\Lambda$ on the subspace of $\mathrm{span}(\Lambda)$ orthogonal to $b_1$. Let $c_2, \dots, c_n$ be the KZ basis of $\Lambda'$. Define $b_i = c_i + \alpha_i b_1$, where $\alpha_i \in (-\frac{1}{2}, \frac{1}{2}]$ is the unique number such that $b_i \in \Lambda$.

• A KZ basis gives one way to formalize the idea of a shortest possible basis.

• An application of KZ bases is that we can prove that $\mathrm{GapSVP}_n \in \mathrm{coNP}$.

Figure 8: A lattice and its KZ basis [11]


3.4 Fourier Transform

Fourier Series of a $\Lambda$-periodic function: Let $B$ be a basis of some full-rank lattice $\Lambda$ and let $f$ be a $\Lambda$-periodic function, i.e., a function $f : \mathbb{R}^n \to \mathbb{C}$ such that

$$f(x + y) = f(x), \quad \forall x \in \mathbb{R}^n, \forall y \in \Lambda$$

The Fourier series of $f$ is the function $\hat{f} : \Lambda^* \to \mathbb{C}$ given by

$$\hat{f}(y) = \frac{1}{\det(\Lambda)} \int_{\mathcal{P}(B)} f(x) e^{-2\pi i \langle x, y \rangle} \, dx$$

Lemma 3.4.1 For any $f : \mathbb{R}^n \to \mathbb{C}$ and any full-rank lattice $\Lambda$,

$$f(\Lambda) = \det(\Lambda^*) \hat{f}(\Lambda^*)$$

where $\hat{f}$ denotes the Fourier transform of $f$ and $f(A) = \sum_{x \in A} f(x)$ for a countable set $A$.

4 On Lattices, Learning With Errors, Random Linear Codes, and Cryptography

In this section, we present Oded Regev's paper with the above title. We begin with some preliminaries, namely, defining the discrete Gaussian distribution, a variant of CVP, the DGS problem, the Learning Parity with Noise (LPN) problem and its extension to higher moduli, i.e., the Learning With Errors (LWE) problem. In subsection 4.3 we describe the Main Theorem of the paper along with its proof. Lastly, we describe the cryptosystem presented by Regev.

4.1 Preliminaries

Gaussian Distributions:

• $\rho_s(x) := e^{-\pi \|x/s\|^2}$, a Gaussian function scaled by a factor of $s$, for a vector $x \in \mathbb{R}^n$

• $\nu_s := \rho_s / s^n$, an $n$-dimensional probability density function

• $\rho_s(A) = \sum_{x \in A} \rho_s(x)$, the extension of the function to any countable set $A$

• The periodic normal distribution $\Psi_\beta$ is obtained by sampling from a Gaussian variable with mean $0$ and standard deviation $\frac{\beta}{\sqrt{2\pi}}$ and reducing the result modulo $1$ (taking modulo $1$ periodizes the Gaussian distribution):

$$\forall r \in [0, 1), \quad \Psi_\beta(r) := \sum_{k=-\infty}^{\infty} \frac{1}{\beta} \cdot e^{-\pi \left( \frac{r-k}{\beta} \right)^2}$$

• The discrete Gaussian probability distribution $D_{A,s}$: $\forall x \in A$, $D_{A,s}(x) := \frac{\rho_s(x)}{\rho_s(A)}$

• For a lattice $L$ and $x \in L$, $D_{L,r}(x) = \frac{\rho_r(x)}{\rho_r(L)} \propto e^{-\pi \|x/r\|^2}$


Figure 9: $D_{L,2}$ for a two dimensional lattice $L$. The $z$-axis represents probability [1]

Bounded Distance Decoding Problem ($\mathrm{BDD}_r$, or $\mathrm{CVP}_{L,r}$): Given a lattice $L$ and any point $x \in \mathbb{R}^n$ within distance $r$ of $L$, find the closest lattice point.

Figure 10: An example of the BDD problem. The red vector point is given; we need to find the closest lattice point.

Discrete Gaussian Sampling Problem (DGS): Given an $n$-dimensional lattice $L$ and a number $r \ge \sqrt{2n} \cdot \eta_\varepsilon(L)/\alpha$ (with $\alpha \in (0, 1)$), output a sample from $D_{L,r}$.

• Smoothing parameter $\eta_\varepsilon(L)$: it gives the smallest $r$ starting from which $D_{L,r}$ 'behaves like' a continuous Gaussian distribution.

Learning Parity with Noise (LPN): The goal is to find $s \in \mathbb{Z}_2^n$, given a list of equations with error:

$$\langle s, a_1 \rangle \approx_\varepsilon b_1 \pmod 2$$
$$\langle s, a_2 \rangle \approx_\varepsilon b_2 \pmod 2$$
$$\vdots$$

where the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_2^n$ and the $b_i$'s are chosen independently to be equal to $\langle s, a_i \rangle$ with probability $1 - \varepsilon$.

When $\varepsilon = 0$, the problem can be solved efficiently using Gaussian elimination with $O(n)$ equations and polynomial time. But for any $\varepsilon > 0$, the problem becomes significantly more difficult to solve. Using Gaussian elimination, suppose we find a set $S$ of equations such that $\sum_{i \in S} a_i = (1, 0, 0, \dots, 0)$. A simple calculation shows that this yields the first bit of $s$ with probability $\frac{1}{2} + 2^{-\Theta(n)}$. Hence, to confidently tell the first bit of $s$, we need to repeat the process $2^{\Theta(n)}$ times. We can then use this whole process to find each bit of $s$.

• LPN is conjectured to be a hard problem.

• An important open question is to explain the apparent difficulty in finding an efficient solution to it.

• This paper explains the difficulty for the extension of this problem to higher moduli.

Learning With Errors ($\mathrm{LWE}_{p,\chi}$): The goal is to find $s \in \mathbb{Z}_p^n$, given a list of equations with error:

$$\langle s, a_1 \rangle \approx_\chi b_1 \pmod p$$
$$\langle s, a_2 \rangle \approx_\chi b_2 \pmod p$$
$$\vdots$$

where $p = \mathrm{poly}(n)$, $s \in \mathbb{Z}_p^n$, the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_p^n$, $b_i \in \mathbb{Z}_p$, and the errors are sampled from a probability distribution $\chi : \mathbb{Z}_p \to \mathbb{R}^+$. Equivalently, the $i$th equation is given by $b_i = \langle s, a_i \rangle + e_i$, where $e_i \in \mathbb{Z}_p$ is chosen according to $\chi$. We say that an algorithm solves $\mathrm{LWE}_{p,\chi}$ if it outputs $s$ with probability exponentially close to $1$.

Figure 11: $\Psi_\alpha$ for $p = 127$ with $\alpha = 0.05$. The elements are arranged in a circle. [1]

• Easy algorithms need $2^{O(n \log n)}$ equations/time.

• The best known algorithm needs $2^{O(n)}$ equations/time.

4.2 Some Results that will be useful in proving the Main Theorem

Claim 4.2.1: For all $s, t, l > 0$ and $x, y \in \mathbb{R}^n$ with $\|x\| \le t$ and $\|x - y\| \le l$,

$$\rho_s(y) \ge \left( 1 - \pi (2lt + l^2)/s^2 \right) \rho_s(x)$$


Claim 4.2.2: For any $0 < \alpha < \beta \le 2\alpha$,

$$\Delta(\Psi_\alpha, \Psi_\beta) \le 9 \left( \frac{\beta}{\alpha} - 1 \right)$$

Lemma 4.2.3: For any $n$-dimensional lattice $L$,

$$1 \le \lambda_1(L) \cdot \lambda_n(L^*) \le n$$

Lemma 4.2.4: For any lattice $L$ and $a \ge 1$,

$$\rho_a(L) \le a^n \rho(L)$$

Lemma 4.2.5: Let $B_n$ be the Euclidean unit ball. Then, for any lattice $L$ and any $r > 0$,

$$\rho_r(L \setminus \sqrt{n} r B_n) < 2^{-2n} \cdot \rho_r(L)$$

where $L \setminus \sqrt{n} r B_n$ is the set of lattice points of norm greater than $\sqrt{n} r$.

Lemma 4.2.6: For an $n$-dimensional lattice $L$ and $\varepsilon = 2^{-n}$,

$$\eta_\varepsilon(L) \le \sqrt{n} / \lambda_1(L^*)$$

Lemma 4.2.7: For an $n$-dimensional lattice $L$ and $\varepsilon > 0$,

$$\eta_\varepsilon(L) \le \sqrt{\frac{\ln(2n(1 + 1/\varepsilon))}{\pi}} \cdot \lambda_n(L)$$

Claim 4.2.8: For any lattice $L$ and any $\varepsilon > 0$,

$$\eta_\varepsilon(L) \ge \sqrt{\frac{\ln(1/\varepsilon)}{\pi}} \cdot \frac{1}{\lambda_1(L^*)} \ge \sqrt{\frac{\ln(1/\varepsilon)}{\pi}} \cdot \frac{\lambda_n(L)}{n}$$

4.3 Main Theorem

Theorem 4.3.1 (Main Theorem): Let $\varepsilon = \varepsilon(n)$ be some negligible function of $n$. Let $p = p(n)$ be some integer and $\alpha = \alpha(n) \in (0, 1)$ be such that $\alpha p > 2\sqrt{n}$. Assume that we have access to an oracle that solves $\mathrm{LWE}_{p,\chi}$ given a polynomial number of samples. Then there exists an efficient quantum algorithm for $\mathrm{DGS}_{\sqrt{2n} \eta_\varepsilon(L)/\alpha}$.

Algorithmic Proof:

• Inputs: an $n$-dimensional lattice $L$, a number $r > \sqrt{2} p \, \eta_\varepsilon(L)$, and an LWE oracle for $\alpha p > 2\sqrt{n}$

• Output: A sample from $D_{L,r}$

• Step 1: Generate $n^c$ samples from $D_{L,r_{3n}}$, where $r_i = r \cdot (\alpha p / \sqrt{n})^i$

• Step 2 (iterative step): for $i = 3n, 3n - 1, \dots, 1$, using $n^c$ samples from $D_{L,r_i}$ generate $n^c$ samples from $D_{L,r_{i-1}}$

• Step 3: We get $n^c$ samples from $D_{L,r_0} = D_{L,r}$. Output the first sample from it.

We show how to generate samples for Step 1 in Lemma 4.3.2 (Bootstrapping) and we show how to perform Step 2 in Lemma 4.3.3 (The Iterative Step).

Lemma 4.3.2 (Bootstrapping): For an $n$-dimensional lattice $L$ and $r > 2^{2n} \lambda_n(L)$, there exists an efficient algorithm that outputs a sample from a distribution that is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$.

Algorithmic Proof

• Use the LLL algorithm to reduce the basis and get a basis of length at most $2^n \lambda_n(L)$. Let $\mathcal{P}(L)$ be the corresponding fundamental parallelepiped.

• Sample $y$ from $\nu_r$ and output $y - (y \bmod \mathcal{P}(L)) \in L$.

We need to show that, statistically, the resulting distribution is exponentially close to $D_{L,r}$. This is easy to see as follows. By Lemma 4.2.5, we know that almost all the points sampled from $D_{L,r}$ are concentrated within norm $\sqrt{n} r$. So, consider $x \in L$ with $\|x\| \le \sqrt{n} r$. By definition,

$$D_{L,r}(x) = \frac{\rho_r(x)}{\rho_r(L)}.$$

By Lemma 3.4.1, we know that $\rho_r(L) = \det(L^*) \cdot r^n \rho_{1/r}(L^*) \ge \det(L^*) \cdot r^n$. Hence,

$$D_{L,r}(x) \le \rho_r(x) / (\det(L^*) \cdot r^n) = \det(L) \, \nu_r(x)$$

Also, by Claim 4.2.1, the probability given to $x \in L$ by our procedure is

$$\int_{x + \mathcal{P}(L)} \nu_r(y) \, dy \ge (1 - 2^{-\Omega(n)}) \det(L) \, \nu_r(x)$$

Hence, we get that our output distribution is within statistical distance $2^{-\Omega(n)}$ of $D_{L,r}$.

Lemma 4.3.3 (The Iterative Step) Let $\varepsilon = \varepsilon(n)$ be a negligible function, $\alpha = \alpha(n) \in (0, 1)$ be a real number, and $p = p(n) \ge 2$ be an integer. Assume that we have access to an oracle $W$ that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ given a polynomial number of samples. Then, there exists a constant $c > 0$ and an efficient quantum algorithm that, given any $n$-dimensional lattice $L$, a number $r > \sqrt{2} p \, \eta_\varepsilon(L)$ and $n^c$ samples of $D_{L,r}$, produces a sample from $D_{L, r\sqrt{n}/(\alpha p)}$.

Proof: The algorithm consists of two parts. The first part is shown in Lemma 4.3.4 and the second part is shown in Lemma 4.3.8. In the first part, we describe a classical algorithm that, using the LWE oracle and samples from $D_{L,r}$, solves $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$. In the second part, we describe a quantum algorithm that, using an oracle for $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$, outputs samples from $D_{L, r\sqrt{n}/(\alpha p)}$.

Figure 12: Two iterations of the algorithm [1]

Lemma 4.3.4 (First part of the iterative step) Let $\varepsilon = \varepsilon(n)$ be a negligible function, $p = p(n) \ge 2$ be an integer, and $\alpha = \alpha(n) \in (0, 1)$ be a real number. Assume that we have access to an oracle $W$ that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ given a polynomial number of samples. Then, there exist a constant $c > 0$ and an efficient algorithm that, given any $n$-dimensional lattice $L$, a number $r > \sqrt{2} p \, \eta_\varepsilon(L)$, and $n^c$ samples from $D_{L,r}$, solves $\mathrm{CVP}_{L^*, \alpha p/(\sqrt{2} r)}$.

The above lemma can be proved using the following three lemmas. The first two are easy to show; the third is quite involved and hence we skip it in this report.

Lemma 4.3.5 (Finding coefficients modulo $p$ is sufficient): There exists an efficient algorithm that, given a lattice $L$, a number $d < \lambda_1(L)/2$ and an integer $p \ge 2$, solves $\mathrm{CVP}_{L,d}$ given access to an oracle for $\mathrm{CVP}^{(p)}_{L,d}$.

Lemma 4.3.6 (Handling error $\Psi_\beta$ for $\beta \le \alpha$): Let $p = p(n) \ge 2$ be some integer and $\alpha = \alpha(n) \in (0, 1)$. Assume that we have access to an oracle $W$ that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ by using a polynomial number of samples. Then, there exists an efficient algorithm $W'$ that, given samples from $A_{s,\Psi_\beta}$ for some (unknown) $\beta \le \alpha$, outputs $s$ with probability exponentially close to $1$.

Lemma 4.3.7: Let $\varepsilon = \varepsilon(n)$ be a negligible function, $p = p(n) \ge 2$ be an integer, and $\alpha = \alpha(n) \in (0, 1)$ be a real number. Assume that we have access to an oracle $W$ that, for all $\beta \le \alpha$, finds $s$ given a polynomial number of samples from $A_{s,\Psi_\beta}$ (without knowing $\beta$). Then, there exists an efficient algorithm that, given an $n$-dimensional lattice $L$, a number $r > \sqrt{2} p \, \eta_\varepsilon(L)$, and a polynomial number of samples from $D_{L,r}$, solves $\mathrm{CVP}^{(p)}_{L^*, \alpha p/(\sqrt{2} r)}$.

Lemma 4.3.8 (Second part of the iterative step) There exists an efficient quantum algorithm that, given any $n$-dimensional lattice $L$, a number $d < \lambda_1(L^*)/2$, and an oracle that solves $\mathrm{CVP}_{L^*,d}$, outputs a sample from $D_{L, \sqrt{n}/(\sqrt{2} d)}$.

Proof: WLOG, let $d = \sqrt{n}$. Let $R \ge 2^{3n} \lambda_n(L^*)$ be a large enough integer.

• Step 1: Create the quantum state

$$\sum_{x \in L^*/R \,\cap\, \mathcal{P}(L^*)} \; \sum_{y \in L^*} \rho(x - y) \, |x\rangle$$

• Step 2: Apply the Quantum Fourier Transform. The resulting state is

$$\sum_{x \in L \,\cap\, \mathcal{P}(RL)} \; \sum_{y \in RL} \rho(y - x) \, |x\rangle$$

This state can be shown to be exponentially close to the state

$$\sum_{x \in L,\, \|x\| < \sqrt{n}} \rho(x) \, |x \bmod \mathcal{P}(RL)\rangle$$

• Step 3: Measure this state and obtain $x \bmod \mathcal{P}(RL)$ such that $\|x\| < \sqrt{n}$. Since it is within $\sqrt{n}$ distance of the lattice $RL$ and $\lambda_1(RL) \ge 2^{3n}$, we can recover $x$ using Babai's nearest plane algorithm [12]. The output of the algorithm is $x$. It is easy to see that the distribution of $x$ is statistically, exponentially close to $D_{L,1/\sqrt{2}}$:

  – The probability of obtaining $x \in L$ with $\|x\| < \sqrt{n}$ is proportional to $\rho(x)^2 = \rho_{1/\sqrt{2}}(x)$.

  – By Lemma 4.2.5, an exponentially high fraction of $D_{L,1/\sqrt{2}}$ is within norm less than $\sqrt{n}$.

  – By the above two, the statistical distance between the two distributions is exponentially small.

The only thing that remains to prove is how to create the quantum state in Step 1. We do it as follows:

• Create a Gaussian state of width $1/R$. This can be done using known techniques.

$$\sum_{x \in L^*} \rho_{1/R}(x) \, |x\rangle = \sum_{x \in L^*/R} \rho(x) \, |x\rangle$$

• By Lemma 4.2.5, this state is exponentially close to

$$\sum_{x \in L^*/R,\, \|x\| < \sqrt{n}} \rho(x) \, |x\rangle$$

• Similarly, create the state $x \bmod \mathcal{P}(L^*)$ on a separate register and combine both states:

$$\sum_{x \in L^*/R,\, \|x\| < \sqrt{n}} \rho(x) \, |x,\; x \bmod \mathcal{P}(L^*)\rangle$$

• Next, uncompute the first register to $0$. We do this by applying the CVP oracle on the second register to recover $x$ and subtracting it from the first register. This leaves us with

$$\sum_{x \in L^*/R,\, \|x\| < \sqrt{n}} \rho(x) \, |x \bmod \mathcal{P}(L^*)\rangle$$

• It can be shown that the above state is exponentially close to the required state.


Necessity of the Quantum Steps

We performed two tasks above quantumly. One is of course the well known Quantum Fourier Transform. The second task also shows the relation between two worst-case lattice problems, DGS and CVP. The task was that of uncomputing the first register. Usually, uncomputing is an irreversible step. But because we have access to a CVP oracle, this step can be made reversible and hence a quantum gate corresponding to it can be made. Using this gate, when we go from $|x, x + y\rangle$ to $|0, x + y\rangle$, essentially we are removing the entanglement between the two states. This helps us to get the elegant output after the QFT, i.e., samples from $\mathrm{DGS}_{r'}$. We don't know of any way to use the CVP oracle classically.

4.4 Public Key Cryptosystem

• Private Key ($s$): $s \in \mathbb{Z}_p^n$ chosen uniformly at random.

• Public Key $(a_i, b_i)_{i=1}^m$: each $a_i \in \mathbb{Z}_p^n$ chosen uniformly at random and independently. Choose $e_i \in \mathbb{Z}_p$ according to $\chi$. Consequently, $b_i = \langle s, a_i \rangle + e_i \pmod p$.

• Encryption: To encrypt a bit, choose a set $S$ uniformly at random from all $2^m$ subsets of $[m]$. The encryption is $\left( \sum_{i \in S} a_i, \; \sum_{i \in S} b_i \right)$ if the bit is $0$ and $\left( \sum_{i \in S} a_i, \; \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} b_i \right)$ if the bit is $1$.

• Decryption: The decryption of a pair $(a, b)$ is $0$ if $b - \langle s, a \rangle$ is closer to $0$ than to $\lfloor \frac{p}{2} \rfloor$ modulo $p$. Otherwise it is $1$.

Note that the public key size is $O(mn \log p) = O(n^2)$ and encryption increases the size of the message by a factor of $O(n \log p) = O(n)$. The public key size can be reduced using a simple idea by Ajtai [13]: if all users share some fixed, trusted, random choice of $a_1, \dots, a_m$, then the key size reduces. As overhead, each user will only have to store their own choice of $b_1, \dots, b_m$.
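The scheme of this subsection as an added Python example (not code from the report or from Regev's paper): key generation, one-bit encryption and decryption, with the error distribution $\chi$ taken as the discretisation of $\Psi_\alpha$ from Section 4.1. The function names (`keygen`, `encrypt`, `decrypt`, `sample_error`, `roundtrip`, `public_key_bits`), the parameters $n$, $p$, $\alpha$, the PRNG seed and the choice $m = 2(n+1)\lceil\log_2 p\rceil$ are constructed toy values for the demonstration, chosen so that the accumulated error stays far below $p/4$; they show correctness and key size, not security.

```python
import math
import random


def sample_error(rng, p, alpha):
    """One sample from the discretised Psi_alpha of Section 4.1: draw from a
    normal of mean 0 and standard deviation alpha/sqrt(2*pi), scale by p,
    round to the nearest integer and reduce modulo p."""
    x = rng.gauss(0.0, alpha / math.sqrt(2 * math.pi))
    return round(p * x) % p


def keygen(rng, n, m, p, alpha):
    """Private key s in Z_p^n; public key (a_i, b_i)_{i=1..m} with
    b_i = <s, a_i> + e_i (mod p), e_i drawn by sample_error."""
    s = [rng.randrange(p) for _ in range(n)]
    pk = []
    for _ in range(m):
        a = [rng.randrange(p) for _ in range(n)]
        e = sample_error(rng, p, alpha)
        pk.append((a, (sum(si * ai for si, ai in zip(s, a)) + e) % p))
    return s, pk


def encrypt(rng, pk, p, bit):
    """Encrypt one bit: choose S uniformly among all 2^m subsets of [m] by
    including each index independently with probability 1/2, sum the chosen
    rows, and add floor(p/2) to the b part when the bit is 1."""
    n = len(pk[0][0])
    a_sum, b_sum = [0] * n, 0
    for a, b in pk:
        if rng.random() < 0.5:
            a_sum = [(x + y) % p for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % p
    if bit:
        b_sum = (b_sum + p // 2) % p
    return a_sum, b_sum


def decrypt(s, p, ct):
    """Return 0 if b - <s, a> (mod p) is closer to 0 than to floor(p/2), else 1.
    b - <s, a> equals sum_{i in S} e_i (plus floor(p/2) for a 1), so the
    result is correct as long as that accumulated error stays below about p/4."""
    a, b = ct
    v = (b - sum(si * ai for si, ai in zip(s, a))) % p
    dist0 = min(v, p - v)                                   # circular distance to 0
    dist1 = min(abs(v - p // 2), p - abs(v - p // 2))       # circular distance to floor(p/2)
    return 0 if dist0 < dist1 else 1


def public_key_bits(n, m, p):
    """Public key size in bits: m rows of (a_i, b_i), i.e. O(m n log p)."""
    return m * (n + 1) * math.ceil(math.log2(p))


def roundtrip(bits, seed=1, n=16, p=257, alpha=0.005):
    """Key generation, encryption and decryption of the given bits with toy
    parameters constructed for this example (far too small for security).
    m = 2(n+1)log2(p) rows; with alpha = 0.005 the error of a subset sum has
    standard deviation about 6 in Z_257, against a decryption margin of p/4 = 64."""
    rng = random.Random(seed)
    m = 2 * (n + 1) * math.ceil(math.log2(p))
    s, pk = keygen(rng, n, m, p, alpha)
    return [decrypt(s, p, encrypt(rng, pk, p, b)) for b in bits]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]                     # constructed plaintext bits
    print("decrypted:", roundtrip(msg), "expected:", msg)
    print("public key bits for n=16, m=306, p=257:", public_key_bits(16, 306, 257))
```

At $n = 16$ the paper's own choice $\alpha = 1/(\sqrt{n}\log^2 n)$ would push the summed error past $p/4$ in a noticeable fraction of encryptions, which is why the example uses a smaller $\alpha$; the asymptotic parameters keep the decryption error small only for large $n$.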


References

[1] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.

[2] Integer factorization problem.

[3] Discrete logarithm problem.

[4] Elliptic curve discrete logarithm problem.

[5] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.

[6] Lance Fortnow. The status of the P versus NP problem.

[7] Lov Grover.

[8] Daniel J. Bernstein. Grover vs. McEliece.

[9] Miklos Ajtai. Generating hard instances of lattice problems.

[10] Ralph Merkle. A digital signature based on a conventional encryption function.

[11] Oded Regev. Lattices in computer science.

[12] L. Babai. On Lovász' lattice reduction and the nearest lattice point problem.

[13] Miklos Ajtai. Representing hard lattices with O(n log n) bits.
