TheLearningWithErrorsProblem.pptVIP

The Learning With Errors Problem;Overview;A secret vector s in ?174 We are given an arbitrary number of equations, each correct up to ?1 Can you find s?;LWE’s Claim to Fame;LWE’s Origins;LWE – More Precisely;LWE – Parameters: n, q, ?;Algorithms;Algorithm 1: More Luck Than Sense;Algorithm 2: Maximum Likelihood;Algorithm 3: [BlumKalaiWasserman’03];Algorithm 4: [AroraGe’10];Versatility;LWE is Versatile;Decision LWE Problem;;Search LWE Decision LWE;Worst Case to Average Case;Simple Cryptosystem;Public Key Encryption Based on LWE;Proof of Semantic Security;Other Applications;Hardness;Hardness;Hardness;The SIS problem;Hardness of LWE;Lattices;Discrete Gaussian Distribution;‘Algebraic’ lattice problems are easy; ‘geometric’ problems are hard Shortest Vector Problem (GapSVP?): given a lattice ?, approximate length of shortest (nonzero) vector??1(?) to within ? Another lattice problem: SIVP?. Asks to find n short linearly independent lattice vectors.;Conjecture: for any ?=poly(n), GapSVP? is hard Best known algorithms run in time 2n [AjtaiKumarSivakumar01, MicciancioVoulgaris10] Quantum computation doesn’t seem to help On the other hand, not believed to be NP-hard [GoldreichGoldwasser00, AharonovR04] ;BDDd: given a lattice ? and a point x within distance d of ?, find the nearest lattice point;The following was shown in [AharonovR04, LiuLyubashevskyMicciancio06]: Proposition: Assume we have a polynomial number of samples from D?*,r for some lattice ? and a not too small r0. Then we can solve BDD on ? to within distance 1/r ;The core of the LWE hardness result is the following: Proposition [R05]: Assume we have a polynomial number of samples from D?*,r for some lattice ? and a not too small r0. Assume we also have access to an oracle that solves LWE with modulus q and error parameter ?. Then we can solve BDD on ? to within distance ?q/r This is already some kind of hardness result: without the LWE oracle, the best known algorithms for solving the above task require e