coded-bkw: solving lwe using lattice codescryptool.hgi.rub.de/slides/johansson_codedbkw.pdf ·...

Coded-BKW: Solving LWE Using Lattice

Codes

Qian Guo1,2 Thomas Johansson1 Paul Stankovski1

1Dept. of Electrical and Information Technology, Lund University2School of Computer Science, Fudan University

CRYPTO 2015 August 17th, 2015

Outline

1 IntroductionThe LWE ProblemMotivationRelated WorksLattice Codes

2 The New AlgorithmCoded-BKWNew FFT Testing Technique

3 ResultsAssumptionsComplexityResults and Applications

4 Conclusions

Qian Guo, Thomas Johansson, Paul Stankovski, 2 / 24

Outline




4 Conclusions


Learning with Errors (LWE)

There is a secret vector s in Znq. We then have access to an oracle

(who knows s):

The LWE oracle with parameters (n, q,X ):

1. Uniformly picks r from Znq.

2. Picks a 'noise' e ← X .3. Outputs the pair (r, v = 〈r, s〉+ e) as a sample.

Binary-LWE: the secret s is in {0, 1}n or a small interval.

The search problem (informal):

Find s after collecting enough samples.

Error distribution Xαq

Discrete Gaussian over Znq with mean 0 and standard deviation αq.


Motivation

I LWE's claim to fame.I A generalization of Learning parity with noise (LPN).

I LPN: q = 2 and the noise distribution is a Bernoulli one.

I Known to be as hard as worst-case hard lattice problems.I E�cient cryptographic primitives.I Extremely versatile, e.g., Fully Homomorphic Encryption

(FHE) schemes.I Post-quantum cryptography

I Complexity of solving LWE?I Especially for practical security. Say, how to choose the

smallest parameters for a security level (e.g., 80-bit security)?


Solving Algorithms

Mainly three types:

1. Reduce to lattice problems.I Short Integer Solution (SIS) problemI Bounded Distance Decoding (BDD) problem

2. Arora-Ge [AroraGe11]I Performs asymptotically well, but not practically.

3. BKW1

1Unbounded number of samples are provided.


The BKW Algorithm

The BKW (Blum, Kalai, and Wasserman) algorithm:

I Originally proposed for solving LPN.I The best asymptotic algorithm with sub-exponential

complexity 2O(n/ log(n)) for LPN (exponential for LWE).

I Main idea:I Divide the length n vector r into a parts, each with size

b = dn/ae.I Merge and Sort (called one BKW step)�A trade-o�:

I Store all the samples.I Sort according to the bottom b entries of the vector r.I Subtract samples in the same partition.

v1 = 〈[r1, r0], s〉+ e1v2 = 〈[r2, r0], s〉+ e2

v1 − v2 = 〈[r1 − r2, 0], s〉+ e1 − e2I Do a− 1 BKW steps iteratively to zero out the bottom a− 1

blocks.


Related Works

[BKW03]

[LF06]

[ACFFP13]

[BL13/Kirchner11] [GJL14]

[DTV15]

[AFFP14]

[BlumKalaiWasserman03]I LPN

[LevieilFouque06]I Add Fast Walsh-Hadamard transform (FWHT).

[BernsteinLange13/Kirchner11]I Secret-error transformation for LPN.

[GuoJohanssonLöndahl14]I Subspace hypothesis testing using covering codes.


Related Works

[BKW03]

[LF06]

[ACFFP13]

[BL13/Kirchner11] [GJL14]

[DTV15]

[AFFP14]

[BlumKalaiWasserman03]I LWE

[AlbrechtCidFaugèreFitzpatrickPerret13]I Apply BKW for solving LWE.

[ApplebaumCashPeikertSahai09]I Secret-error transformation for LWE.

[AlbrechtFaugèreFitzpatrickPerret14]I Introduce the lazy modulus switching technique.I The best known BKW-type binary-LWE solver.

[DucTramèrVaudenay15]I Add Fast Fourier transform (FFT).I The best known BKW-type LWE solver.


Lattice Codes

1. Lattices are the Euclidean space counterpart of binary linearcodes in Hamming space.

2. A narrow class: lattices associated with a code, especially,constructed based on Construction A.

I Let C be a q-ary linear code.I Construct a lattice over this code

Λ(C) = {λ ∈ Rn : λ ≡ c mod q, c ∈ C}.

Why lattice codes?

1. Better shaping2.

2. Theory for estimating the noise variance when using q-arylinear codes (e.g., subspace hypothesis testing technique).

2Compared with the work [AlbrechtFaugèreFitzpatrickPerret14], in whichthey use n-cube quantization.


Lattice Codes

1. Lattices are the Euclidean space counterpart of binary linearcodes in Hamming space.

2. A narrow class: lattices associated with a code, especially,constructed based on Construction A.

I Let C be a q-ary linear code.I Construct a lattice over this code

Λ(C) = {λ ∈ Rn : λ ≡ c mod q, c ∈ C}.

Second moment

The second moment of Λ is de�ned as the second moment perdimension of a uniform distribution over its fundamental region V,i.e.,

σ2 =E[‖e‖2]

N=

1

N·∫V‖x‖2 1

Vol(V)dx. (1)


Outline




4 Conclusions


The New Algorithm2

Main Steps:

1. Gaussian elimination.I Make the secret s follow the

noise distribution.

2. t1 standard BKW reductions.I Zero out the bottom t1b

entries of r.

3. t2 coded-BKW reductions.I Make the next bottom ncod

entries of r small.

4. Partial guessing.I Exhaust the top ntop entries of

s with the absolute value lessthan d .

5. Subspace hypothesis testing using aq-ary [ntest , l ] linear code.

Guessing part ntop

Rows[1, n]

Length ncod

Code length ntest

BKW part, length t1b

2We can modify the algorithm slightly for an e�cient binary-LWE solver.


The New Algorithm

Main Steps:

1. Gaussian elimination.

2. Standard BKW reductions.

3. Coded-BKW reductions.

4. Partial guessing.

5. New subspace hypothesistesting.

Guessing part ntop

Rows[1, n]

Length ncod

Code length ntest



Coded-BKW

I Recall standard BKW: use qb−12 partitions to zero out b

positions.

I New idea: use a q-ary linear code with parameters [Ni , b] foreach reduction step3.

I Rewrite rI = cI + eI . Thus,

〈sI , rI 〉 = 〈sI , cI 〉+ 〈sI , eI 〉 .

I Summing or subtracting two vectors mapped to the samecodeword will cancel out the �rst part.

Advantage: use qb−12 partitions to make Ni entries small4. (Ni > b)

3A generalization: standard BKW can be viewed as coded-BKW using a[b, b] trivial code.

4The remaining noise is controllable.


Coded-BKW

Noise Formula:

e =2t∑

j=1

eij +n∑

i=1

s i (δI1i E

(1)i + δI2

i E(2)i + · · ·+ δ

It2i E

(t2)i ), (2)

where E(h)i =

∑2t2−h+1

j=1 e(h)ij

and e(h)ij

is the coding noise introduced

in the h-th coded BKW reduction.

I A noise tower.

I Preset a variance value σ2set .

1. Make the contribution of each E(h)i the same.

2. σ2set = 2t2−i+1σ2ΛNi ,b.

3. A better trade-o� compared with [AlbrechtFaugèreFitzpatrickPerret14].4. Bound the noise.


Variance Estimation

Theorem

Assume that good5 lattice codes are employed. Let the noise level

introduced by coding be σset . Then, the variance of the total

coding noise is ‖stot‖2 σ2set , where the vector6 stot is a sub-vector

of s that the corresponding entries in r are reduced by using lattice

codes.

5This means that the fundamental regions are spherical.6Its length is ntot = ncod + ntest .


Determine the Code Length

σ2set = 2t2−i+1σ2ΛNi ,b

Compute the second moment of Λ

I σ2 = G (Λ) · Vol(V)2N , where G (Λ) is called the normalized

second moment.

I1

2πe< G (ΛN,k ) ≤ 1

12.

I For a lattice built from an [N, k] linear code by ConstructionA, the volume of V is qN−k .

To determine Ni : σ2set = 2t2−i+1GΛNi ,b

q2(1− b

Ni).

I ncod =∑t2

i=1Ni .


Subspace Hypothesis Testing

I Use a polynomial Hy(X ) in the quotient ring Z[X ]/(X q − 1)to record the occurrences.

I The right guess: the polynomial Hy(X ) will record theoccurrences of the error symbols which are discrete Gaussiandistributed; otherwise: uniformly distributed.

I A [DTV15] style FFT distinguisherI Use one FFT to compute Hy(ω), where ω = 2πi/q and

i =√−1.

I Return argmaxy R(Hy(ω)).

New solution

I Evaluate q values of the polynomial Hy(X ) at the q di�erentpoints (1, ω, ω2, . . . , ωq−1) by using q FFTs.

I Interpolate the polynomial Hy(X ).



Comments

I Less e�cient by a factor of q. But does not a�ect the �nalcomplexity much.

I Maximum likelihood (ML) testing.I Applicable to other error distributions.I Potential improvements from using advanced ML testing

techniques, e.g., list-decoding, using soft-information, e.t.c..


Outline




4 Conclusions


Assumptions

Assumption One: The noise variable is (approximately) discreteGaussian distributed.

1. Follows the previous research line.I Intuition from the central limit theorem (CLT).

2. Our experiments verify this assumption.

5000

10000

15000

20000


Assumptions

Assumption Two: The theory of lattice codes is accurate.

1. In the fundamental region: uniform over integerpoints versus uniform continuously.

2. We numerically verify it: the computed Gbehaves as expected.

q 631 2053 16411

code [2,1] [3,1] [4,1] [2,1] [3,1] [4,1] [2,1] [3,1]

E[‖e‖2] 101.26† 1277.29† 4951.53 329.24† 6185.67 29107.73 2631.99† 99166.251/G 12.46 12.71 12.80 12.47 12.65 12.78 12.47 12.62

The value with a † sign means that it is optimal.


Complexity

The complexity consists of two parts:7

1. Inner complexity Cone−iteration.I The accumulated complexity of

all the steps.

2. The success probability of oneiteration.

I Guessing probability Fg .I The probability that all the

top ntop entries of s have anabsolute value less than d .

I Testing probability Ft .I The probability that the

Euclidean length of vector stotis bounded correctly.

Guessing part ntop

Rows[1, n]

Length ncod

Code length ntest


7For any γ ≥ 1, Pr[‖v‖ > γσ√n; v

$← DZn,σ] < (γe(1−γ2)

2 )n. [Lyu12]


Complexity Formula

Theorem (Informal)

The complexity of the new algorithm is

C =Cone−iteration

Fg · Ft. (3)

The required number of samples M for testing is set to be8

M =4 ln((2d + 1)ntop ql )

∆(Xσfinal ‖U),

where U is the uniform distribution in Zq and σ2final = 2t1+t2σ2 + γ2σ2σ2set ntot . Thus,

the number of calls to the LWE oracle is m = (t1+t2)(qb−1)2

+ M.

8The constant factor in the formula is chosen as 4. The divergence ∆(Xσfinal

‖U) will be computed

numerically.


Results

Table: Time complexity comparison for solving various LWE instances.

n q σ Complexity (log2

#Zq)

This paper [DTV15] NTL-BKZ BKZ 2.0LP Model Simulator Model

[Regev05]128 16,411 11.81 84.5 95.0 61.6 61.9256 65,537 25.53 145.1 178.7 175.5 174.5512 262,147 57.06 287.6 357.5 386.8 518.6[LindnerPeikert11]

128 2,053 2.70 69.7 83.7 54.5 57.1256 4,099 3.34 123.8 154.2 156.2 151.2512 4,099 2.90 209.2 271.8 341.9 424.5

I Works well for both LWE and binary-LWE.I The table shows results for solving various classic LWE

parameters.I The improvement is signi�cant when n is large.I For example, we gain a factor of almost 270 when solving the

Regev instance with n = 512.


Results



#Zq)



128 2,053 2.70 69.7 83.7 54.5 57.1256 4,099 3.34 123.8 154.2 156.2 151.2512 4,099 2.90 209.2 271.8 341.9 424.5

I For recently proposed ring-LWE based cryptosystems, someshould increase their security parameters.

I For example, the ones ([GFSBH12] [RVMCV14] [DRVV15])employing ring-LWE (256, 7681, 4.51) (ring-LWE(512, 12289, 4.86)) for 128(256)-bit security.


Results



#Zq)



128 2,053 2.70 69.7 83.7 54.5 57.1256 4,099 3.34 123.8 154.2 156.2 151.2512 4,099 2.90 209.2 271.8 341.9 424.5

Pessimistic results: upper bound of the worst-case complexity.I We set G = 1

12and it is LF1 type.

I Actual performance will be better.I Many heuristics, e.g., the hybrid, LF2, unnatural selection (pruning),

e.t.c..I Adopting the hybrid and LF2 heuristics, we solve the Regev instance with

n = 512 in 2271 Zq operations.


Simulations

15 30 45 60

5

10

15

20 variance roof

standard BKW

coded-BKW theory

coded-BKW simulation

w/ unnatural selection

Figure: Number of eliminated rows vs. log2 of error variance.

I A toy example to show the improved trade-o� using lattice codes.

I (q, σ,#samples) =(2053, 2.70, 225

)I Four standard 2-row BKW steps were used initially, followed by

three iterations each of [3,2]-, [4,2]-, [5,2]- and [6,2]-coding steps.


Outline




4 Conclusions


Conclusions

Conclusions :

1. We present a new LWE solver which is the state-of-the-artwhen the dimension n is large enough, for some parametersettings.

I Proposing a new reduction variant�coded-BKW�by usinglattice codes.

I Combining most of the recent developed techniques for LPNand applying them to solving LWE.

I Carefully varying the code-rate for a better trade-o�. (See alsothe next talk.)

2. We also give a new subspace hypothesis testing techniqueusing FFT, which is a Maximum Likelihood (ML) testing.


Thank you for your attention!

Questions?


Variance Estimation

Lemma

For one good lattice code with length N , let the vector

(s1, s2, . . . , sN) be the information sub-vector corresponding to the

code and we use e = (e1, e2, . . . , eN) to denote the error vector.

Denote Y =∑N

i=1 siei , then Var[Y ] =∑N

i=1 s2i E[‖e‖2]N .

Sketch of proof.W.l.o.g., assume that the volume of V is 1. The LHS is

E

N∑i=1

si ei

2 =

∫V

(N∑

i=1

s2i e2i +∑

1≤i<j≤N

2si sj ei ej )dV (4)

=

∫V

N∑i=1

s2i e2i dV =N∑

i=1

s2i

∫V

e2i dV (5)

Each∫Ve2i dV is equal to E[‖e‖2]

N .



I Use a polynomial in the quotient ring Z[X ]/(X q − 1) to recordthe occurrences.

I Employ an [ntest , l ] systematic linear code, group the samples(a′i , z

′i ) in sets L(ci ) and de�ne the function f ci

L (X ) as

f ci

L (X ) =∑

(a′i ,z′i )∈L(ci )

X z′i (mod q).

I Rewrite f ci

L (X ) as a function of the information part u of thecodeword ci , denoted by hu(X ) = f ci

L (X ).I De�ne Hy(X ) =

∑u∈Zl

qhu(X ) · X−〈y,u〉.


Complexity Formula

1. Fg = (P(d))ntop , where9 P(d) > erf( d√2σ

).

2. We preset a value γ√ntotσ to bound the Euclidean length of

stot. Then the probability Ft is lower bounded10 by

1− (γe1−γ22 )ntot .

9erf is the error function erf(x) = 2√π

∫ x

0e−t2dt. This formula upper

bounds the complexity.

10For any γ ≥ 1, Pr[‖v‖ > γσ√n; v

$← DZn,σ] < (γe(1−γ2)

2 )n. [Lyu12]


Error Shape

5000

10000

15000

20000

Figure: q = 631, storage size = 222, error distribution after 21 eliminatedrows.


Error Shape

5000

10000

15000

20000

Figure: q = 631, storage size = 222, error distribution after 25 eliminatedrows.


coded-bkw: solving lwe using lattice codescryptool.hgi.rub.de/slides/johansson_codedbkw.pdf ·...

Documents