LWE study

Lyutoon

cryptographyalgorithm

发布于：2021年3月15日

次浏览

Learning With Errors

1. What is LWE?

Here Oded Regev gives a definition of LWE :

2. Get started

linear system of equations:

$\begin{cases}3x_1 + 4x_2 + x_3 = 0\\4x_1 + 2x_2 + 6x_3 = 1\\x_1 + x_2 + x_3 = 1\end{cases}$

if we want to get the value of $x_1, x_2, x_3$, we can use Gaussian Elimination to solve this problem. Or we can just use matrix to represent this problem:

$Ax = b$ $\begin{bmatrix}3&4&1\\4&2&6\\1&1&1\end{bmatrix}\cdot\begin{bmatrix}x_1\\x_2\\x_3\end{bmatrix} =\begin{bmatrix}0\\1\\1\end{bmatrix}$

LWE settings:

How about add an small error term $e?$

This time, we get:

$\begin{cases}3x_1 + 4x_2 + x_3 \approx 0\\ 4x_1 + 2x_2 + 6x_3 \approx 1\\ x_1 + x_2 + x_3 \approx 1\end{cases}$

Or in other words, we can represent it in matrix style where $e$ is the error term:

$Ax + e = b$ $\begin{bmatrix}3&4&1\\4&2&6\\1&1&1\end{bmatrix}\cdot\begin{bmatrix}x_1\\x_2\\x_3\end{bmatrix} + \begin{bmatrix}e_1\\e_2\\e_3\end{bmatrix} =\begin{bmatrix}0\\1\\1\end{bmatrix}$

Then now we put the equations into finite field:

$\begin{cases}3x_1 + 4x_2 + x_3 \approx 0\, mod\, p\\ 4x_1 + 2x_2 + 6x_3 \approx 1\, mod\, p\\ x_1 + x_2 + x_3 \approx 1\, mod\, p\end{cases}$

Then we need to recover the secret $x$.

General situation:

$s\cdot A+e = a$ $=>s_0A_{i,0} + s_1A_{i,1} + \cdots+s_nA_{i, n} = a_i - e_i\,mod\,p$ $=>s_0A_{i,0} + s_1A_{i,1} + \cdots+s_nA_{i, n} + k_ip + e_i = a_i$

As the same, we need to recover $s.$ Where $e$ is small.

Then from this equation we can construct a lattice $L$ that satisfies:

$s\cdot L+e = [s_0, s_1, \cdots, s_n, k_0, k_1,\cdots,k_m]\begin{bmatrix}A_{0,0}&A_{1,0}&\cdots&A_{m, 0}\\A_{0,1}&A_{1,1}&\cdots&A_{m, 1}\\\vdots&\vdots&\ddots&\vdots\\A_{0,n}&A_{1,24}&\cdots&A_{m, n}\\p&0&\cdots&0\\0&p&\cdots&0\\\vdots&\vdots&\ddots&\vdots\\0&0&\cdots&p\end{bmatrix} + [e_0,e_1,\cdots,e_m] = [a_0,a_1\cdots,a_m] = a$

Our target is to recover secret $s.$

Solve LWE

Step 1: LLL algorithm

First we apply LLL algorithm to lattice $L$ to get a good basis.

Step 2: Solve CVP using Babai’s algorithm

We know that there is a close vector named $b$ that belongs to $L$ and is close to $a$ because $e$ is small which is a CVP. So we can solve for $b$ using Baibai’s algorithm to get rid of the error term $e$ which is:

$A_{lwe}\cdot s = b^{T}$

so we just need to solve this equation over the ring mod p.

Example code

def Babai_closest_vector(L, w):
    '''
    Yet another method to solve apprCVP, using a given good basis.
    INPUT:
    * "L" -- a matrix representing the LLL-reduced basis (v1, ..., vn) of a lattice.
    * "w" -- a target vector to approach to.
    OUTPUT:
    * "v" -- a approximate closest vector.
    Quoted from "An Introduction to Mathematical Cryptography":
    In both theory and practice, Babai's closest plane algorithm
    seems to yield better results than Babai's closest vertex algorithm.
    '''
    G, _ = L.gram_schmidt()
    t = w
    i = L.nrows() - 1
    while i >= 0:
        w -= round( (w*G[i]) / G[i].norm()^2 ) * L[i]
        i -= 1
    return t - w

A_value = [...] # exactly 'A' in General situation
b_value = [...] # exactly 'a' in General situation
m = ... 
n = ...
p = ...
# construct the lattice L after applying LLL
Lattice = matrix(ZZ, m + n, m)
for x in range(m):
    for y in range(n):
        Lattice[m + y, x] = A_value[x, y]
    Lattice[x, x] = p
lattice = IntegerLattice(Lattice, lll_reduce=True)
print('LLL done')
# prepare for Babai's algorithm
target = vector(ZZ, b_value)
closest_v = Babai_closest_vector(lattice.reduced_basis, target)
print('Find closest vector:{} '.format(closest_v))
# solve the equation: A*s = b
A_LWE = matrix(Zmod(p), A_value)
s = A_LWE.solve_right(closest_v)
print(s)

Solve LWE by solving SVP

After participating in 天融信杯 I have searched a lot of papers to find how to solve LWE problem in a faster way. So it comes a method called Embedding method to convert CVP to SVP:

Always, we set $M=1$ to increase the chance that BKZ will return the correct answer.

Also there will be some optimization to help us solve LWE.

Conclusion

Solving LWE problem is NP hard which can be reduced to CVP, SVP . So is we wanna solve LWE we mush solve CVP, SVP first or we must solve NP problem. In other words, we can make lattice reduction algorithm faster to help us solve LWE much more easily. Low dimention only!!

更新于：2021年3月15日

两个容易被我忽视的trick

这是两个容易被我忽视的trickTRICK1: Factor N with knowing N % (p-1) 起因：闲逛github发现一道题，虽然很简单，但这里面的trick很容易被我忽视，...

Pollard Rho Algorithm Study

一、引言在上一篇博客中,我们了解了Pollard p-1 算法,这次,请随我看看另一个名叫Pollard Rho的算法又能对大整数分解问题提供什么帮助吧！不过同样的,大整数分解问题在因子选取得当...