Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem

Public-Key Cryptosystems from the

Worst-Case Shortest Vector Problem

Chris Peikert∗

November 13, 2008

Abstract

We construct public-key cryptosystems that are secure assuming theworst-casehardness of approxi-mating the length of a shortest nonzero vector in ann-dimensional lattice to within a smallpoly(n)factor. Prior cryptosystems with worst-case connections were based either on the shortest vector problem for aspecial classof lattices (Ajtai and Dwork, STOC 1997; Regev, J. ACM 2004), or on the conjectured hardness of lattice problems forquantumalgorithms (Regev, STOC 2005).

Our main technical innovation is a reduction from certain variants of the shortest vector problem to corresponding versions of the “learning with errors” (LWE) problem; previously, only aquantumreduction of this kind was known. In addition, we construct new cryptosystems based on thesearchversion ofLWE, including a very naturalchosen ciphertext-securesystem that has a much simpler description and tighter underlying worst-case approximation factor than prior constructions.

Keywords: Lattice-based cryptography, learning with errors, quantum computation

∗

1

Introduction

The seminal work of Ajtai in 1996 revealed the intriguing possibility of basing cryptography onworst-case complexity assumptions related tolattices[Ajt04]. (Ann-dimensional lattice is a discrete additive subgroup ofRn.) Since then, basic cryptographic primitives such as one-way functions and collision-resistant hash

functions (along with other notions from “Minicrypt” [Imp95]) have been based on the conjectured hardness of important and well-studied lattice problems. Perhaps the most well-known of these, theshortest vector problemGapSVP, is to approximate the length (typically, in the Euclidean norm) of the shortest nonzero vector in a given lattice; another, called theshort independent vectors problemSIVP, is (essentially) to find a full-rank set of lattice vectors that are relatively short.

Forpublic-key encryption(and related strong notions from “Cryptomania”), however, the underlying worst-case lattice assumptions are somewhat more subtle. The ground-breaking cryptosystem of Ajtai and Dwork [AD97] and subsequent improvements [Reg04b, AD07] are based on a special case of the shortest vector problem, called “unique-SVP,” in which the shortest nonzero vector of the input lattice must be significantly shorter than all other lattice vectors that are not parallel to it. Compared to other standard problems, the complexity of unique-SVPis not as well-understood. While it does appear to be asymptotically difficult, there is both theoretical and experimental evidence [Cai98, GN08] that it may not be as hard as problems ongenerallattices, due to the extra geometric structure.

A different class of cryptosystems (and the only others known to enjoy worst-case hardness) stem from a work of Regev [Reg05], who defined a natural intermediate problem calledlearning with errors(LWE). The LWE problem is a generalization of the well-known “learning parity with noise” problem to larger moduli. It is parameterized by a dimensionn, a modulusq, and an error distributionχoverZq; typically, one considers a Gaussian-like distributionχthat is relatively concentrated around0, whereZqis represented by the integer residuesd−q₂e, . . . ,bq−₂1c. In thesearchversion ofLWE, the goal is to solve for an unknown vectors ∈ Znq (chosen uniformly at random, say), given any desiredm = poly(n) independent “noisy random inner products”

(ai, bi =hai,si+xi)∈Znq ×Zq, i= 1, . . . , m,

where eachai ∈Znq is uniformly random and eachxiis drawn from the error distributionχ. In thedecision version, the goal is merely to distinguish between noisy inner products as above anduniformsamples over

Znq ×Zq. It turns out that when the modulusqis prime and polynomial inn, the search and decision variants areequivalentvia an elementary reduction (but no such equivalence is known for largerq).

TheLWEproblem has turned out to be amazingly versatile. In addition to its first application in a public-key cryptosystem [Reg05], it has provided the foundation for chosen ciphertext-secure cryptosystems [PW08], identity-based encryption [GPV08], and universally composable oblivious transfer [PVW08], as well as for strong hardness of learning results relating to halfspaces [KS06]. We emphasize that all of the above cryptographic applications are based on thedecisionversion ofLWE.

Due to the relative novelty of quantum computing, however, it may yet be premature to place a great deal of confidence in such conjectures, and in any case, it is worthwhile to base hardness results and cryptographic schemes on the weakest possible assumptions. A central question left open in [Reg05] is whether there is a classicalreduction from lattice problems toLWE. More generally, basing a public-key cryptosystem on any “conventional” worst-case lattice assumption has remained an elusive open question.

1.1 Results

Our main result is the first public-key cryptosystem whose security is based on the conjectured worst-case hardness of approximating the shortest vector problem on general lattices. The core technical innovation is aclassicalreduction from certain lattice problems to corresponding versions of the learning with errors problem. In more detail:

• We show that thesearchversion ofLWE, for any sufficiently large modulusq ≥2n_{, is at least as hard} as approximatingGapSVPin the worst case, via a classical (probabilistic polynomial-time) reduction. The concrete approximation factor for GapSVPhas essentially the same dependence on the error distribution as in the quantum reduction of [Reg05].

• Our main reduction additionally shows that for moduli as small asq ≥ω(√n), the search version of

LWEis at least as hard as (classically) approximating anovel variantof the shortest vector problem on general lattices in the worst case. The new problem is essentially theGapSVPproblem on “higher quality” representations of the input lattice; hence, it is no harder than standardGapSVP, yet it still appears to be exponentially hard given the state of the art in lattice algorithms [AKS01].

By the above-mentioned equivalence between search- and decision-LWEfor primeq= poly(n), our result provides a classical (but incomparable) foundation for the hardness of decision-LWEand the many cryptographic applications that are based upon it.

• We construct new cryptosystems based on thesearchversion ofLWE(for any modulusq), including a simple and natural cryptosystem that is secure underchosen-ciphertext attack.

In our basic (semantically secure) system, public keys are of sizeO(n2log2q), and the expansion factor of ann-bit plaintext can be as small asO(logq). (The chosen ciphertext-secure cryptosystem just incurs additionalnδfactors.) The underlying worst-case approximation factor forGapSVP(or its new variant) isO˜(n2logq), and has the potential to be reduced toO˜(n1.5√logq)with an improved key-generation algorithm.1

Assuming hardness of the standardGapSVPproblem (and lettingq= 2O(n)), the public key size and ciphertext expansion factor are thereforeO(n4)andO(n), respectively; these quantities match the (amortized) Ajtai-Dwork cryptosystem based on unique-SVP[AD07].

Assuming hardness of the newGapSVPvariant (and lettingq = poly(n)), the public key size and ciphertext expansion can be as small as O(n2) and O(logn), respectively; these match the most efficient known cryptosystems based ondecision-LWE[PVW08, GPV08].

Our chosen ciphertext-secure cryptosystem provides an alternative to a recent construction of Peikert and Waters [PW08] based on the decision-LWEproblem. In addition to the new system’s classical worst-case foundation, other key advantages include its tighter underlying approximation factor and its relatively simple description and analysis (the construction in [PW08] is somewhat cumbersome in both regards).

1

1.2 Overview

1.2.1 Conceptual Summary

We start by giving a high-level description of the common design and analysis paradigm of prior cryptosystems with worst-case connections [AD97, Reg04b, Reg05, AD07]. These works consider two types of probability distributions over some additive domain: one is the uniform distribution, while the other type consists of “lumpy” distributions that areperiodicandconcentrated around multiples of the period. As a simple example, in [Reg04b] the domain is the real interval[0,1)with addition modulo1, and lumpy distributions are concentrated around integer multiples of1/hfor some large integerh.

The cryptosystems are constructed roughly as follows: the secret key is a period chosen at random, and the public key consists of several samples from the corresponding lumpy distribution. A0bit is encrypted by letting the ciphertext be arandom subset-sumof the samples in the public key; a1is encrypted by choosing a uniformly randomvalue in the domain (other slight variations are also possible). Decryption simply tests whether the ciphertext is “relatively close” to a multiple of the secret period (to decrypt as0) or not (to decrypt as1).

Semantic security is proved by a thought experiment in which the public key is instead made up of samples drawn from theuniform distribution. It so happens that encrypting under such a key hides the message bitstatistically(i.e., information-theoretically), because random subset sums are distributed almost uniformly. It follows that an adversary capable of breaking the semantic security of the cryptosystem can likewise distinguish between the uniform and lumpy distributions.

Finally, the core technical component is a reduction demonstrating that the two kinds of distributions are computationally indistinguishable, assuming the worst-case hardness of some lattice problem. Essentially, the reduction takes a lattice as input and produces samples from one of the two kinds of distributions, depending on the geometric properties of the lattice. Crucially, in order to guarantee that the reduction produces samples from the specific kinds ofstructuredlumpy distributions that are used in the cryptosystem, it has so far been necessary to impose additional geometric constraints on the reduction’s input. This is why prior works have relied on specialized assumptions, e.g., relating to unique-SVP.

Our Approach. We retain the use of uniform and (a certain kind of) lumpy distributions, and give a reduction that samples from one of the two types. Our cryptosystems, on the other hand, depart substantially from the previous design and analysis paradigm: public keys in our systems are instead drawn from the uniformdistribution, whereas lumpy distributions are used only in thesecurity proof to show statistical hiding. The principal advantage of this approach is that it significantly relaxes the structural propertiesrequired of the lumpy distributions: first, because they no longer need to support decryption, and more importantly, because they never need to be sampled in the “real world” at all! This makes additional geometric constraints on the reduction’s input unnecessary, and allows for a security proof under worst-case assumptions on general lattices.

1.2.2 New Cryptosystems

Here we describe new cryptosystems based on the search-LWEproblem. At their heart is a certain collection of injective (i.e., one-to-one) trapdoor functions. This collection appeared in a recent work of Gentry, Peikert, and Vaikuntanathan [GPV08], and is closely related to an earlier proposal by Goldreich, Goldwasser, and Halevi [GGH97]. In this work, we prove that the collection is one-way under classical worst-case assumptions, and we establish additional properties that are useful in constructing cryptosystems.

The description of a functiongAfrom the collection is a matrixA ∈Znq×m made up ofmuniformly random and independent columnsai∈Znq, for some large enoughm. A random input togAcomes in two

parts: a uniformly randoms∈Znq, and an error vectorx∈Zmq whose entriesxiare chosen independently from the error distributionχof theLWEproblem. The function is defined simply as

b=gA(s,x) =Ats+x∈Zmq .

Note that in the output vectorb, each entrybi = hai,si+xi, so inverting the function is syntactically identical to solving search-LWE givenm noisy inner products (note thatxis easily computed onces is known, and vice versa). Moreover, ifgA is one-way, then there is a generic hard-core predicateh(s)for

gA(s,x)[GL89].

As shown in [GPV08], the functiongAhas atrapdoorthat enables efficient recovery of the inputsfrom b, so long as the error distributionχis sufficiently concentrated. Concretely, the trapdoorTis a “good” basis for a certain lattice defined by A, which can be generated together with an Ahaving the desired (almost-)uniform distribution [Ajt99, AP08]. The inversion algorithm uses the trapdoor basisTin a simple rounding algorithm to recovers.

Using this collection of trapdoor functions, it is straightforward to construct a basic semantically secure cryptosystem. The secret and public keys areTandA(respectively), as above. An encryption of a message bitµconsists ofb=gA(s,x)for randomsandxas above, as well asµ⊕h(s). The decryption algorithm

uses the trapdoorTto recoversfromb, recomputes the predicateh(s), and recovers the messageµ.

Improved efficiency and chosen-ciphertext security. One of our technical results is that the functiongA

actually admits a very simple hard-core predicate, namely, theparityof any coordinatesi∈Zqofs(when

q is even). Moreover, we show how to extend this hard bit into`simultaneouslyhard bits, by lifting the

LWEproblem from dimensionnton+`−1via an elementary reduction. This results in an “amortized” cryptosystem that can encrypt messages of length, say,`=nbits using public keys and ciphertexts that are only a constant factor larger than in the basic system. (Similar amortization techniques for other lattice-based cryptosystems were also recently proposed in [PVW08, AD07].) As a further optimization, we also show that the output ofgAcan be represented in a “coarser” groupZmq0 for some modulusq0 = poly(n), which

reduces the ciphertext size by an almost-linear factor innwhenqis large (e.g.,q= 2n).

To construct cryptosystems that are secure under chosen-ciphertext attacks, we rely on a recent approach of [PW08] and additional perspectives of Rosen and Segev [RS08]. The key observation is thatk indepen-dently chosen functionsgA1, gA2, . . . , gAk remain one-way even when evaluated on thesameinputs(but

1.2.3 Classical Hardness ofLWE

Here we give a simplified description of our worst-caseGapSVPtoLWEreduction, which conveys all the essential ideas (we refer the reader to Section 3 for full details). The input to the reduction is some arbitrary

n-dimensional latticeΛ(represented by a basis), and the goal is to approximateGapSVPgiven access to an oracle that solves the search-LWEproblem onmsamples. That is, the reduction should determine if the minimum distance ofΛ(i.e., the length of its shortest nonzero vector) is “small” or “large,” where these quantities are separated by somepoly(n)multiplicative gap (and in between, any answer is acceptable).

Abstractly, the reduction first invokes a certain sampling procedure over thedual latticeΛ∗to generate independenta1, . . . ,am∈Znq according to some (unknown) distribution. Concretely, the procedure samples vectorsyi ∈ Λ∗ from a Gaussian-likedistribution (as first used in [Reg04b], and refined in subsequent works [MR07, Reg05, GPV08]), and letsaiidentify the residue class of(Λ∗/qΛ∗)≡Znq containingyi. The reduction then chooses a random secrets∈Znq and error termsxifromχ, and gives the noisy inner products

(ai, bi = hai,si+xi)to theLWEoracle. If the oracle correctly producessas its solution, the reduction outputs “large,” otherwise it outputs “small.”

When the minimum distance ofΛ is large, the ai are distributed essentially uniformlyoverZnq; this follows by a bound on thesmoothing parameterofΛ∗ due to Micciancio and Regev [MR07]. Therefore, the input provided to the oracle is faithful to theLWEdistribution, the oracle solves forsby hypothesis, and the reduction outputs “large” as desired.

The case of small minimum distance is more interesting, and constitutes the chief novelty of our approach and analysis. In this case, the distribution of theaiislumpy, in the following sense: there is some (unknown) nonzeros0∈Znq such that the distribution ofhai,s0imodqis relatively concentrated around0. (Concretely,

s0 is the coefficient vector, reduced moduloq, of a short vector inΛ). For a sufficiently wide error distribution

χover Zq, the noisy inner products then statistically hidethe reduction’s choice ofs, i.e., it is about as likely to bes+s0, conditioned on the view of the oracle. The oracle must therefore guess incorrectly with noticeable probability, and the reduction outputs “small” as desired. (Using a more technical argument, we also show that a particularpredicateonsis essentially uniform, hence hard-core, conditioned on the view.)

Additional details. The modulus q must be large enough so that in the lumpy case, the distribution of

hai,siis well-concentrated relative to the size ofq. The degree of concentration is dictated by the tightness of the reduction’s main sampling algorithm, which in turn is governed by the “quality” of the input basis. Using an LLL-reduced basis [LLL82] (which may be computed in polynomial time), the valueq = 2n_suffices. However, if the reduction is given a basis of better quality, then a smallerqmay be used; this is where the new variant ofGapSVPcomes into play.

The reduction we have outlined above, while technically correct, is still not quite as strong as we would like. This is because in the lumpy case, the amount of noise required to hides grows with the number of samplesmthat the oracle uses, whereas ideally it should be independent ofm. This is important for optimizing the underlying worst-case approximation factors (especially for chosen-ciphertext security, which uses more samples), and is also needed for theLWEsearch/decision equivalence for primeq = poly(n).

1.3 Discussion and Open Problems

Note that the (simplified) reduction above essentially chooses a functiongAunder an unknown distribution

onA, evaluates it on a known input, and checks whether the oracle recovers that same input. The uniform distribution onAinduces an injective (trapdoor) function, whereas a lumpy distribution induces a function that statistically hides its input. This is essentially the notion of alossy trapdoor functionfrom [PW08], but in a slightly relaxed sense: in our case, there is nosingle, fully-specified(and efficiently-sampleable) distribution that induces a lossy function — butanylattice with small minimum distance does so.

It is worth pointing out explicitly how our reduction avoids quantum computation. Recall that the

LWEoracle solves for a secrets(alternately, a vectorvin the input lattice) that the reduction chooses itself. In [Reg05], this allowed the quantum part of the reduction to “uncompute”sand create a useful quantum state, but it was unclear whether such an oracle was of any use classically. Here we avoid quantum computation by introducing, as a complementary case, a lattice with small minimum distance that statistically hides the reduction’s random choices. In this case, the inputs provided to the oracle (in particular, theais) arenot faithful to theLWEdistribution, but this is of absolutely no consequence! We mention that related forms of statistical hiding via small minimum distance have also appeared in the context of interactive proofs for lattice problems [GG00, MV03] and algorithms for the shortest vector problem [AKS01].

Currently, our core reductions are non-adaptive (all queries to the LWE oracle can be prepared in advance), and seem to be limited to solving thedecisionversionGapSVPof the shortest vector problem. It would be very interesting if the reductions could be made “iterative” and/or extended to solvesearch problems such asSIVP, like the quantum reduction of [Reg05] and prior reductions for “Minicrypt” primitives (e.g., [Ajt04, MR07]). Another open problem is to design a reduction that solves thesearchversion of the shortest vector problem; such a result would be quite surprising, because even the prior reductions mentioned above have also been limited to the decision version.

Finally, we believe that it may be very fruitful to study the complexity of our new variant ofGapSVP

(and related lattice problems), in which a gap of intermediate quality is already promised and a tighter approximation is desired.

2

Preliminaries

We denote the set of real numbers by R and the set of integers by Z. For a positive integer n, define

[n] ={1, . . . , n}. We extend any real functionf(·)to any countable setAby definingf(A) =P

x∈Af(x). The main security parameter throughout the paper isn, and all other quantities are implicitly functions ofn. We use standardO(·), o(·),Ω(·), andω(·)notation to describe the growth of functions, and write

f(n) = ˜O(g(n))iff(n) =O(g(n)·logcn)for some fixed constantc. We letpoly(n)denote an unspecified polynomial functionf(n) =O(nc)for some constantc. A functionf(n)isnegligible, writtennegl(n), if

f(n) =o(n−c)for every constantc. We say that a probability isoverwhelmingif it is1−negl(n).

Vector spaces. By convention, all vectors are in column form and are named using bold lower-case letters (e.g.,x), andxi denotes theith component ofx. Matrices are named using bold capital letters (e.g.,X), andxi denotes theith column vector ofX. We identify a matrixXwith the (ordered) set of its column vectors. For a setS ⊆ _Rn_{, pointx ∈}

Rn, and scalar c ∈ R, we defineS +x = {y+x : y∈S}and

cS ={cy : y∈S}.

The Euclidean (or`2) norm onRniskxk=

q P

For any (ordered) setS = {s₁, . . . ,sn} ⊂ Rnof linearly independent vectors, letS˜ = {s˜1, . . . ,s˜n} denote its Gram-Schmidt orthogonalization, defined iteratively as follows: let s˜1 = s1, and for each

i = 2, . . . , n, lets˜i be the projection ofsi ontospan⊥(s1, . . . ,si−1), i.e.,s˜i = si −P_ji−₌₁1 µi,js˜j, where

µi,j =hsi,s˜ji/hs˜j,s˜ji. Observe thatks˜ik ≤ ksikfor alli.

Probability. For a probability distributionXover a domainD, letfX :D→Rdenote its density function.

LetXndenote then-fold product distribution overDn, which has density functionfXn(x) =fn

X(x) :=

fX(x1)· · ·fX(xn). Thestatistical distancebetween two distributionsXandY overD(or two random variables having those distributions) is defined as ∆(X, Y) = maxA⊆D|fX(A)−fY(A)|. Statistical distance is a metric on probability distributions; in particular, it obeys the triangle inequality. Applying a (possibly randomized) functiongcannot increase the statistical distance:∆(g(X), g(Y))≤∆(X, Y). The uniform distribution overDis denotedU(D).

LetXandY be two distributions, and letDbe a probabilistic algorithm. We say that theadvantageofD

in distinguishingXfromY is|Pr[D(X) = 1]−Pr[D(Y) = 1]|. We say that two ensembles{Xn}and{Yn} of distributions indexed bynarecomputationally indistinguishableif every probabilistic polynomial-timeD

has negligible advantagenegl(n)in distinguishingXnfromYn.

For anyr >0, define the one-dimensional Gaussian functionρr:R→Rwith parameterras

ρr(x) = exp(−π(x/r)2).

(We taker = 1when it is omitted.) The total measure associated toρris

R

Rnρr(x)dx=r, so we can define

a continuous Gaussian probability distribution overRby its density functionDr(x) =ρr(x)/r(as before, we may omitr). These extend toRnin the usual way asρnr(x) =ρr(x1)· · ·ρr(xn) = exp(−π(kxk/r)2) andDr(x) =ρr(x)/rn. We also define the Gaussian norm distributionSr(n), which is obtained by sampling a vectorx∈RnfromDnr and outputtingkxk.

The Gaussian distributionD_rnis spherically symmetric, so forxdistributed according toD_rnand any unit vectoru ∈_Rn_{,hu,xiis distributed according toD}

r. Forx∈Rdistributed according toDrand anyt≥1, a standard tail inequality says that|x|< r·texcept with probability at mostexp(−πt2). In addition, for

x∈_Rn_{distributed according toD}n

r, we havekxk< r

√

nexcept with probability at most2−n.

It is possible to sample efficiently from Dr (henceDrn) to within any desired level of precision. It is possible to sample efficiently fromU(Bn)by first choosing anxaccording toDnto select a random direction, then scalingxto have (Euclidean) normr∈[0,1)with probability proportional torn−1. For simplicity, we use real numbers in this work and assume that we can sample fromD_rnexactly; all the arguments can be made rigorous by using a suitable amount of precision.

To prove the hardness of search-LWE, we need the following lemma about the statistical distance between the uniform distributions over twon-dimensional balls whose centers are relatively close.

Lemma 2.1([GG00]). For any constantsc, d >0and anyz∈_Rn_{withkzk ≤dandd}0_=d·p

n/(clogn), we have∆(U(d0· B_n), U(z+d0· B_n))≤1−1/poly(n).

2.1 Learning with Errors

LetT=R/Zbe the additive group on the real interval[0,1)with modulo1addition. For positive integers

nandq ≥2, a vectors ∈ _Zn

q, and a probability distributionφonT, defineAs,φto be the distribution on

We are primarily concerned with error distributionsφoverTthat are derived from Gaussians. Forα >0,

defineΨαto be the distribution onTobtained by taking a sample from the one-dimensional GaussianD(1)α and reducing modulo1. At times we consider an error distributionφthat isitself a random variable, e.g.,Ψβ forβ chosen according to some distribution. We point out such cases explicitly when they arise, but retain the same notation as whenφis a fixed distribution.

Definition 2.2. For an integer functionq =q(n)and an error distributionφonT, the goal of thelearning

with errorsproblemLWEq,φinndimensions is to finds∈Znq (with overwhelming probability) given access to any desiredpoly(n)number of samples fromAs,φfor some arbitrarys.

The above definition ofLWEis for a “worst-case” search problem. As shown in [Reg05], it is equivalent (up to a polynomial factor in the number of samples used) to an “average-case” version in which the goal is to find auniformly randoms∈_Zn

q withnon-negligibleprobability givenAs,φ(where the probability is taken over all the randomness in the experiment). This equivalence follows by a simple reduction from arbitrary

sto uniformly randoms0 ∈_Zn

q [Reg05, Lemma 4.1], and the ability to verify a correct value ofs0 once it is found [Reg05, Lemma 3.6]). Specifically, supposeW is an oracle that solves the average-case version ofLWE. To find an arbitraryswith overwhelming probability givenAs,φ, we transform it intoAs0_,φfor a

uniformly randoms0=s+tby choosing randomt∈_Zn

q and mapping pairs(a, b)to(a, b+ha,ti/q). By invokingW, we obtain a candidate solution˜s, check whether˜s=s0, and outputs= ˜s−tif so. By repeating a polynomial number of times, we findswith overwhelming probability.

For a function π : Znq → {0,1}`, we say thatπ ishard-corefor LWEq,φ (inndimensions) if, given access toAs,φ for uniformly randoms ∈ Znq,π(s)is computationally indistinguishable fromU({0,1}`). When` = 1, this is equivalent (via standard reductions) to saying that no probabilistic polynomial-time algorithm computesπ(s) with probability better than 1/2 + negl(n). We are interested in a particular candidate collection of hard-core functions forLWE. Forevenqand any`≥1, define

h` :Z≥q` → {0,1}` as h`(s) =h(s1)◦ · · · ◦h(s`),

whereh(s)fors= ¯s+qZ∈Zqdenotes theparityof the integer residues¯∈Z, and◦denotes concatenation.

(Note that becauseqis even, any choice of residues¯forshas the same parity.)

2.2 Lattices

Ann-dimensionallatticeis a discrete additive subgroup ofRn. Equivalently, letB={b1, . . . ,bn} ⊂Rn

consist ofnlinearly independent vectors; the latticeΛgenerated by thebasisBis

Λ =L(B) ={Bc=X

i∈[n]ci·bi : c∈Z n_}.

(Technically, this is the definition of afull-ranklattice, which is all we will be concerned with in this work.) Theminimum distanceλ1(Λ)ofΛ(in the`2norm) is the length of its shortest nonzero vector:λ1(Λ) =

min06=x∈Λkxk. It is well-known (and easy to prove) that for any basisB ofΛ, the minimum distance

λ1(Λ)≥minikb˜ik.

Thedual latticeofΛ, denotedΛ∗, is defined asΛ∗={x∈_Rn _{: ∀v∈Λ,hx,vi ∈}

Z}. By symmetry,

it can be seen that(Λ∗)∗ = Λ. IfBis a basis ofΛ, it can be seen that the dual basisB∗ = (B−1)tis in fact a basis ofΛ∗. The following standard fact relates the Gram-Schmidt orthogonalizations of a basis and its dual (a proof can be found in [Reg04a, Lecture 8]).

Computational problems. We are mainly interested in the shortest vector problem on lattices.

Definition 2.4(Shortest Vector Problem). For a functionγ(n)≥1, an input toGapSVP_γ is a pair(B, d), whereBis a basis of ann-dimensional latticeΛ =L(B)andd >0is a real number. It is a YES instance if

λ1(Λ)≤d, and is a NO instance ifλ1(Λ)> γ(n)·d.

Note that given an oracle forGapSVP_γ, the minimum distanceλ1 of any lattice can be computed to

within a factor of (say)2γ by binary search on the valued.

We now define a variant of the shortest vector problem, which is the problem that our main worst-case to average-case reductions will be based upon.

Definition 2.5. For functionsζ(n)≥γ(n)≥1, an input toGapSVP_ζ,γ is a pair(B, d), where:

• Bis a basis of ann-dimensional latticeΛ =L(B)for whichλ1(Λ)≤ζ(n),

• minikb˜ik ≥1, and

• 1≤d≤ζ(n)/γ(n).

It is a YES instance ifλ1(Λ)≤d, and is a NO instance ifλ1(Λ)> γ(n)·d.

A few remarks about this definition are in order. First, note that the second condition minkb˜ik ≥ 1 implies thatλ1(Λ)≥1, and is without loss of generality by scaling the basisB. Similarly, the last condition

1≤d≤ζ(n)/γ(n)is without loss of generality, because the instance is trivially solvable whendlies outside that range.

The first condition is the interesting one. For anyζ(n)≥2(n−1)/2,GapSVP_ζ,γ is actuallyequivalentto the standardGapSVP_γproblem, because an arbitrary basisB0ofΛcan be reduced in polynomial time using the LLL algorithm [LLL82] to another basisBofΛso thatλ1(Λ)≤ kb1k ≤ 2(n−1)/2·minikb˜ik. (In fact, alternate parameters and analysis of the LLL algorithm imply that we can even takeζ(n)≈(2/√3)n.) For smaller functionsζ(n), particularlyζ(n) = poly(n), the condition is nontrivial and more interesting. The nature of the problem is to approximate the minimum distance to within a gapγ(n), given a promise that it lies within a looser range having a gapζ(n). The promise could be made efficiently verifiable by restricting to “high quality” bases that contain (or guarantee the existence of) a vector of length at mostζ(n), though this could potentially make the problem easier. To our knowledge, none of the lattice algorithms in the literature are able to solveGapSVP_ζ,γ forγ(n)< ζ(n) = poly(n)in time better than exponential2Ω(n), even when the promise is verifiable efficiently, and even when, say,ζ(n) = 2γ(n).

Gaussians on lattices. Micciancio and Regev [MR07] introduced a lattice quantity called thesmoothing parameter, and related it to the minimum distance of the dual lattice.

Definition 2.6. For ann-dimensional latticeΛand positive real >0, thesmoothing parameterη(Λ)is defined to be the smallestrsuch thatρ1/r(Λ∗\{0})≤.

Lemma 2.7([MR07, Lemma 3.2]). For anyn-dimensional latticeΛ, we haveη₂−n(Λ)≤

√

n/λ1(Λ∗).

For an n-dimensional latticeΛ, realr > 0, and c ∈ _Rn_{, define the discrete Gaussian probability} distribution overΛ(with parameterr, centered atc) as:

∀x∈Λ, DΛ,r,c(x) =

ρr(x−c)

ρr(Λ−c)

(As above,randcare taken to be1and0, respectively, when omitted.) Note that the denominator in the above expression is merely a normalization factor.

Our reductions use, as a subroutine, an efficient algorithm that generates samples from discrete Gaussian distributions.

Proposition 2.8([GPV08, Theorem 4.1]). There is a probabilistic polynomial-time algorithm that, given any

n-dimensional lattice basisB, anyr ≥maxikb˜ik ·ω(

√

logn), and an arbitraryc∈_Rn_{, outputs a sample} from a distribution that is withinnegl(n)statistical distance ofDL(B),r,c.

To demonstrate a particular hard-core predicate forLWE, we also need the following simple (but new, to our knowledge) fact about discrete Gaussians.

Lemma 2.9. LetBbe a basis of ann-dimensional latticeΛ = L(B), and letv=Bz∈Λbe a nonzero lattice vector whoseith coefficientzi isodd. Letr ≥ kvk ·ω(

√

logn), letc ∈ Rnbe arbitrary, and let

x=Bz0be a random variable having distributionDΛ,r,c. Then theparityof coefficientzi0 (i.e.,z 0

i mod 2) is negligibly close to uniform over{0,1}.

We remark that the lemma easily generalizes to any prime modulusp, where for zi 6= 0 modpand

r≥p· kvk ·ω(√logn), we have thatz_i0 modpis negligibly close to uniform overZp.

Proof. Define a basisB0of a sublatticeΛ0 =L(B0)⊂Λasb0_i = 2biandb0j =bj for allj 6=i. Then we havev=Bz6∈Λ0, andΛ = Λ0∪(Λ0+v). Observe that forx=Bz0 ∈Λ, the parity ofz0_iis zero ifx∈Λ0, and is one ifx∈Λ0+v.

Forxdistributed according toDΛ,r,c, the probability thatzi0is even or odd is therefore proportional to

P0=ρr(Λ0−c)orP1 =ρr(Λ0+v−c), respectively. A routine argument (using techniques from [MR07]) shows that forr ≥ kvk ·ω(√logn), the quantitiesP0andP1 are within a(1±negl(n))factor of each other,

which proves the claim. We defer a complete proof to the full version.

3

Classical Hardness of

LWE

In this section we show that certain versions of the learning with errors problem are at least as hard as classically solving corresponding versions of the shortest vector problem. In Section 3.1 we give a reduction establishing the hardness ofLWEin its search version. This proves that the injective trapdoor functions from [GPV08] are indeed one-way, hence have a generic hard-core predicate that can be used to encrypt a single bit at a time. In Section 3.2 we give a more technical proof showing thatLWEadmits aspecificnatural hard-core predicate, which has the advantage that it can be easily extended into manysimultaneouslyhard bits (as shown in Section 4.1); this leads to more efficient multi-bit cryptosystems.

3.1 Hardness of Search-LWE

Theorem 3.1. Letα=α(n)∈(0,1)be a real number andγ =γ(n)≥n/(α√logn). Letζ =ζ(n)≥γ

andq=q(n)≥(ζ/√n)·ω(√logn).

There is a (classical) probabilistic polynomial-time reduction from solvingGapSVP_ζ,γ in the worst case (with overwhelming probability) to solvingLWEq,Ψα with non-negligible probability (for uniformly random

Note thatGapSVP_ζ,γ is potentially hard in the worst case wheneverζ > γ, so Theorem 3.1 allows for a choice ofqas small as

q >(γ/√n)·ω(plogn) =ω(√n/α).

We also mention that using results from [Pei08], Theorem 3.1 can easily be generalized to work forGapSVP_ζ,γ

in any`pnorm,2≤p≤ ∞, for essentially the same approximation factorγ.

Our proof of Theorem 3.1 relies on the core classical component of Regev’s reduction.

Proposition 3.2([Reg05, Lemma 3.4]). Let=(n)be a negligible function,q =q(n)≥2be an integer,

α = α(n) ∈ (0,1)andφ = Ψα, and Λbe anyn-dimensional lattice. There is a classical probabilistic polynomial-time reductionRthat solvesCVP_αq/(√

2r)onΛin the worst case (with overwhelming probability),

given:

1. an oracleW that solvesLWEq,φwith non-negligible probability (for uniformly randoms∈Znq) using a polynomial number of samples, and

2. an oracle that samples fromDΛ∗_,r for a given numberr≥

√

2q·η(Λ∗).

For completeness, we give a brief description of the reduction claimed in Proposition 3.2 (however, this is not required to understand the proof of Theorem 3.1 and may be safely skipped). It is given a basisBof Λand a pointx∈_Rn_{within distanceαq/(}√_{2r)of some vectorv∈Λ. Supposes=B}−1_{vmodqis the}

coefficient vector ofvreduced moduloq. To generate a sample fromAs,φ, the reduction obtains a sampley fromDΛ∗_,r, letsa= (B∗)−1y=Btymodq, and outputs

(a, b=hy,xi/q+e)∈_Zn_q ×_T,

wheree∈_Ris a small extra error term chosen from a continuous Gaussian. Omitting many details, this faithfully simulates the LWE distribution for two reasons: first, a is essentially uniform over Znq since

r≥q·η(Λ), and second,

hy,xi ≈ hy,vi=hBt_y,B−1_{vi=ha,simodq.}

The oracleW solves fors=B−1vmodqby hypothesis, and the entire vectorvcan be obtained by iterating the procedure as described in [Reg05, Lemma 3.5].

We stress that the precise error distribution in thehy,xiterm requires some care to analyze precisely; the exact distance betweenxandvand the extra error termeboth play an important role. The details are not relevant at this point, though they will be more important later on in Section 3.2 when we analyze specific hard-core predicates.

Proving the theorem. We are now ready to prove Theorem 3.1. Essentially, the reduction works as follows: given a latticeΛ, it perturbs a pointv∈Λ, invokes the reductionRfrom Proposition 3.2 on the perturbed point, and checks whetherR successfully recovers v. When λ1(Λ) is large, R must indeed recover v

by hypothesis. When λ1(Λ)is small, vis statistically hiddenand R must guess incorrectly with some

non-negligible probability. (The same basic principle underlies the interactive proofs of Goldreich and Goldwasser [GG00], where here the reductionRis playing the role of the unbounded prover.)

Proof of Theorem 3.1. The input to our reduction is an instance ofGapSVP_ζ,γ, i.e., a pair(B, d) where minkb˜ik ≥1, the minimum distanceλ1(L(B))≤ζ, and1≤d≤ζ/γ. LetΛ =L(B).

1. Choose a pointwuniformly at random from the balld0· B_n whered0 =d·p

n/(4 logn), and let

x=wmodB.

2. Invoke the reductionRfrom Proposition 3.2 onΛandxwith parameter

r= q·

√

2n γ·d ,

where the required oracle for sampling fromDΛ∗_,r is implemented by the algorithm from

Proposi-tion 2.8 on the reversed dual basisDofB. LetvbeR’s output.

Ifv6=x−win any of theN iterations, thenaccept. Otherwise,reject.

We now analyze the reduction. First recall thatmaxikd˜ik= 1/minikb˜ik ≤1, and the parameter

r= q·

√

2n γ·d ≥

q·√2n ζ ≥ω(

p

logn)

by hypothesis ondandq, so the algorithm from Proposition 2.8 correctly samples from a distribution that is within negligible statistical distance ofDΛ∗_,r.

Now consider the case when(B, d)is a NO instance, i.e.,λ1(Λ)> γ·d. Then by Lemma 2.7, we have

η(Λ∗)≤

√

n γ·d

for (n) = 2−n = negl(n). Thereforer ≥ √2q·η(Λ∗) as required by Proposition 3.2. Now because

x−w∈Λ, the distance fromxtoΛis at most

d0 =d·

r _n

4 logn ≤

α·γ·d

√

4n = αq

√

2r,

by hypothesis onγ and the definition ofr. Moreover,λ1(Λ) > γ·d >2d0, therefore the reduction from

Proposition 3.2 must returnv=x−win each of the iterations (with overwhelming probability), and the reduction rejects as desired.

Finally, consider the case when (B, d) is a YES instance, i.e., λ1(Λ) ≤ d. Letz ∈ Λ have norm

kzk=λ1(Λ). Consider an alternate experiment in which ofwis replaced byw0 =z+wforwchosen

uniformly fromd0· Bn, sox0 =w0 modBandRis invoked onx0. Then by Lemma 2.1 and the fact that statistical distance cannot increase under any randomized function, we have

Pr[R(x) =x−w] ≤ 1−1/poly(n) + Pr[R(x0) =x0−w0]

≤ 2−1/poly(n)−Pr[R(x0) =x0−w].

3.2 Hard-Core Predicate

Here we demonstrate a particular hard-core predicate forLWE(assuming the worst-case hardness ofGapSVP), namely, theparityof the first entrys1of the secrets∈Znq. (By symmetry, it follows that the parity ofany single entrysiis hard-core).

Our strategy is similar to the one used above in the proof of Theorem 3.1, but is more technically involved. Given a latticeΛ, the reduction perturbs a pointv∈Λ(this time using a sufficiently wide Gaussian), uses the perturbed point to simulate anLWEdistribution to an oracleP that predicts the predicate, and checks whether

P’s output matches a corresponding predicate onv. Whenλ1(Λ)is large, the simulation is faithful to an

LWEdistribution andP’s prediction is correct (with non-negligible advantage over1/2) by hypothesis. When

λ1(Λ)is small, the predicate onvis (almost) uniform conditioned onP’s input, henceP has essentially no

advantage over1/2.

For technical reasons, we need to impose two extra conditions on theLWEq,φproblem in order to make the proof work. The first is thatqmust be aneveninteger; otherwise, the notion of parity inZqis ill-defined. The second is that the noise distributionφ= Ψβisitself is a random variable; more precisely, the parameter

βis chosen from a certain distribution and kept secret (and fixed). This condition is an artifact of the main proof technique in the context of hard-core predicates; we elaborate below.

When reducing to the searchproblemLWEq,Ψα, the main step in the reduction from Proposition 3.2

above actually generates samples from a distributionAs,Ψβ for someunknownβ≤α. The reduction then

emulatesAs,Ψβ0 for many different values ofβ

0 _{≥βby adding different amounts of extra noise toA}

s,Ψβ. In

at least one of these instances,β0is sufficiently close toαthat the oracle forLWEq,Ψα is obliged to return the

correct solutions. Because candidate solutions to theLWEproblem can be checked efficiently, the reduction can therefore recognize the correctsand continue on.

When attempting to prove that a predicateπishard-coreforLWEq,Ψα, however, this kind of strategy

breaks down. Here we have an oracle that predictsπ(s)givenAs,Ψα, but it appears that the correct value

ofπ(s)cannotbe recognized efficiently on its own. So even though the reduction may emulate different instances ofAs,Ψβ0, it has no way of checkingwhichof the oracle’s predictions is correct (and the oracle may

intentionally give bad predictions under noise distributions other thanΨα). Our solution to this difficulty is to strengthen the hypothesis by requiring the oracle to predictπ(s)under error distributionΨβ, whereβitself is a random variable that emerges from the main reduction technique. The distribution ofβ is somewhat unnatural, but presents no problems in usage.

Theorem 3.3. Letα=α(n)∈(0,1)be a real number andγ =γ(n)≥ω(n√logn/α). Letζ =ζ(n)≥γ

andq=q(n)≥(ζ/√n)·ω(√logn)be aneveninteger.

There is a classical probabilistic polynomial-time reduction from solvingGapSVP_ζ,γ in the worst case (with overwhelming probability) to distinguishingh1(s)fromU({0,1})(with non-negligible advantage) givenAs,Ψβ, fors∈Z

n

q chosen uniformly at random and (secret)β =

p

α2_{/2 +l}2_{, wherelis distributed}

according toS(n)

α/√2n.

In other words,h1_{is hard-core forLWE}

q,Ψβ assuming thatGapSVPζ,γ is hard in the worst case.

We start with a couple of elementary reductions that make the proof of Theorem 3.3 simpler. First, define a variant problemGapSVP0_ζ,γ whose input, just as forGapSVP_ζ,γ, is a pair(B, d)such thatλ1(L(B))≤ζ(n),

minikb˜ik ≥1, and1≤d≤ζ(n)/γ(n). It is a YES instance if there exists az∈Znsuch thatz1isoddand

kBzk ≤d; it is a NO instance ifλ1(L(B))> γ(n)·d.

Lemma 3.4. For anyζ(n) ≥ γ(n) ≥ 1, there is a deterministic polynomial-time Cook reduction from

Proof. Given an input instance(B, d)ofGapSVP_ζ,γ, the reduction generatesninstances(B(i), d)fori∈[n] as described below, and invokes theGapSVP0_ζ,γ oracle on each of them. If the oracle accepts any of the instances, the reduction accepts, otherwise it rejects.

The instances(B(i), d)are defined as follows: fori= 1, letB(1) =B. Fori= 2, . . . , n, letb(_ii) =

bi +b1, and let b(ji) = bj for all j 6= i. Observe that L(B(i)) = L(B) and that the Gram-Schmidt orthogonalizations ofBandB(i)are identical, for everyi∈[n]. Therefore, the instances(B(i), d)satisfy the requirements of theGapSVP0problem.

If (B, d) is a NO instance ofGapSVP, then by the first observations above, every (B(i), d) is a NO instance ofGapSVP0.

If (B, d) is a YES instance of GapSVP, then there exists some z ∈ _Zn _{such that Bz is a shortest} nonzero vector inL(B)(i.e.,kBzk ≤d) and ani∈[n]such thatziisodd; for if not, thenz∈(2Z)nand

Bz/2∈ L(B)is nonzero and shorter thanBz, a contradiction. We claim that(B(i), d)is a YES instance of

GapSVP0. Ifz1 is odd, then we may takei= 1and the claim holds trivially. Now suppose thatz1is even.

Lettingz0∈Znbe such thatB(i)z0 =Bz, we havez10 =z1−zi, which is odd, and the claim follows.

Next, observe thatAs,φfor anarbitrarys∈Znq can be transformed intoAs0_,φfor auniformly random

s0 = s+t ∈ Znq, simply by choosing t ∈ Znq uniformly at random and mapping each pair (a, b) to

(a, b+ha,ti/q) ∈_Zn

q ×T. Moreover,h1(s0) = h1(s)⊕h1(t)whenqis even. Therefore, if we have an oracleDthat distinguishesh1(s)from uniform with advantageδ givenAs,φ foruniforms ∈Znq, then we have an efficient predictorP that computesh1(s)with probability1/2 +δgivenAs,φforarbitrarys∈Znq.

The final tool we need is a technical lemma relating to the generation of samples from anLWEdistribution.

Lemma 3.5([Reg05, Proof of Lemma 3.8]). Let =(n)be a negligible function,q =q(n) ≥ 2be an integer, andα=α(n)∈(0,1)be a real number. LetBbe a basis for ann-dimensional latticeΛ =L(B), letr ≥√2q·η(Λ), and letx∈Rnbe at distanced0from somev∈Λ.

Consider the following experiment: let ybe drawn fromDΛ∗_,r and lete∈ _Rbe drawn fromD1

α/√2.

Then the distribution of

(a=Btymodq , b=hy,xi/q+e)∈_Zn q ×T

is within negligible statistical distance ofAs,Ψβ, wheres=B

−1_{vmodqandβ =}p

α2_{/2 + (d}0_r/q)2_.

We are now ready to prove the theorem.

Proof of Theorem 3.3. By Lemma 3.4, we can say that the input to our reduction is an instance ofGapSVP0_ζ,γ, i.e., a pair (B, d) whereminkb˜ik ≥ 1, the minimum distance λ1(L(B)) ≤ ζ, and1 ≤ d ≤ ζ/γ. Let

Λ =L(B).

By the discussion above, we may hypothesize a predictorPthat computesh1(s)with probability1/2 +δ

for some non-negligibleδ = δ(n)given As,Ψβ for arbitrarys ∈ Z

n

q, andβ chosen as described in the theorem statement.

The reduction runs the following procedure some large numberN = poly(n)times.

1. Choose a pointw∈Rnfrom distributionD_dn·ωfor

ω= α·γ 2n =ω(

p

logn),

2. Invoke the hypothesized predictorP, simulating each desired sample from theLWEdistribution as follows: using the algorithm from Proposition 2.8 on the reversed dual basis ofB, sample yfrom

DΛ∗_,rfor

r= q·

√

2n γ·d .

Next, samplee∈_RfromD1

α/√2and giveP the pair

(a=Btymodq , b=hy,xi/q+e)∈_Zn_q ×_T.

3. WhenP outputs a prediction, check whether the prediction equalsh1_{(s), wheres=B}−1_vmodq.

IfP’s prediction is correct in at least(1/2 +δ/2)N of the iterations, thenreject, otherwiseaccept.

We now analyze the reduction. Just as in the proof of Theorem 3.1, for the definition ofrabove, the algorithm from Proposition 2.8 correctly samples from a distribution that is within negligible statistical distance ofDΛ∗_,r.

Now consider the case when(B, d)is a NO instance ofGapSVP0, i.e.,λ1(Λ)> γ·d. Just as in the proof

of Theorem 3.1, we haver≥√2q·η(Λ∗)as required by Lemma 3.5. Now becausev=x−w∈Λ, the distance betweenxandvisd0 =kwk, which means thatd0r/qis distributed according toS_t(n), where

t=d·ω·r/q=α/√2n.

By Lemma 3.5, it follows that the reduction simulatesAs,Ψβ (up to negligible statistical distance), where

s=B−1vmodqandβ =pα2_{/2 +l}2_{, andlis distributed according toS}(n)

α/√2n. By hypothesis,Ppredicts

h1(s)with probability negligibly close to1/2 +δ, so by a standard application of the Chernoff bound (for sufficiently largeN = poly(n)),P predicts correctly in at least(1/2 +δ/2)N iterations, and the reduction rejects as desired.

Finally, consider the case when(B, d)is a YES instance ofGapSVP0, i.e., there exists az∈_Zn_{such that}

z1is odd andkBzk ≤d. Observe that Step 2, which provides all the input to the predictorP, depends only

on the fixed value ofxand additional randomness that is independent ofw. Also observe that conditioned on the fixed value ofx, the random variablev=x−w∈Λis distributed according toDΛ,d·ω,x. By Lemma 2.9,

the parity of the first entry ofB−1vis negligibly close to uniform, conditioned on the entire fixed input toP. Becauseqis even, the predicateh1(s)is also negligibly close to uniform, andP’s prediction is correct with probability at most1/2 + negl(n). By the Chernoff bound,P predicts correctly in fewer than(1/2 +δ)N

iterations, and the reduction accepts as desired.

4

Public-Key Cryptosystems

Here we construct public-key cryptosystems (for multi-bit messages) that are based on the search version of

4.1 Simultaneous Hard-Core Bits forLWE

Lemma 4.1. Let` = poly(n),q = q(n) ≥ 2be even, andφbe a distribution (itself possibly a random variable) on<sub>T</sub>. Ifh1 is hard-core forLWEq,φinndimensions, thenh`is hard-core forLWEq,φinn+`−1 dimensions.

More precisely, there is an efficient reduction from distinguishing h1_{(s) from U({0,1}) (with}

non-negligible advantage) givenAs,φ for uniformly randoms ∈ Znq to distinguishingh`(s0)fromU({0,1}`) (with non-negligible advantage) givenAs0_,φfor uniformly randoms0∈_Zn_q+`−1.

Proof. We proceed by a hybrid argument. If someD distinguishes between h`_(s0_{) and U}

` given As0_,φ

(for uniforms0 ∈ Znq+`−1) with non-negligible advantageδ = δ(n), then there is somej ∈ [`]such that

Ddistinguishes betweenhj−1(s0)◦U`−j+1 andhj(s0)◦U`−j givenAs0_,φ with non-negligible advantage

δ0(n) =δ(n)/`.

We describe a reduction that, given As,φfor uniformly randoms ∈Znq and an input bith, usesDto distinguish whetherhish1(s)orU1. The reduction choosessl∈Zjq−1andsr∈Z`q−juniformly at random, and letsh0 =hj−1(sl)◦h◦U`−j ∈ {0,1}`. It invokesDonh0, simulatingAs0_,φin the manner described

below, and copiesD’s output.

Lettings0 =sl◦s◦sr, we see thats0is distributed uniformly overZnq+`−1. It is also apparent that if the reduction’s input bith is uniform, thenh0 is distributed ashj−1(s0)◦U`−j+1, whereas ifh = h1(s),

thenh0is distributed ashj_(s0_)◦U

`−j. Therefore the reduction distinguishes between these two cases with non-negligible advantageδ0.

The reduction simulatesAs0_,φusingA_s,φas follows. Given a pair(a, b=ha,si/q+x)∈_Zn_q ×_Tfrom

As,φ, it choosesal ∈Zqj−1andar∈Z`q−j uniformly at random and outputs the pair

(al◦a◦ar, hal,sli/q+b+har,sri/q) = (a0, b0=ha0,s0i/q+x)∈Znq+`−1×T.

It is apparent thata0 is distributed uniformly overZqn+`−1, thus, the simulation is faithful toAs0_,φ.

4.2 Trapdoor Functions and Basic Cryptosystem

Here we recall the collection ofLWE-based injective trapdoor functions given in [GPV08], which build on ideas due to Goldreich, Goldwasser, and Halevi [GGH97]. For completeness, and due to some modifications and enhancements, we present a full description of the collection along with proofs of correctness and security. We then design a semantically secure cryptosystem around these trapdoor functions.

For consistency and simplicity of notation, we continue usenas the main parameter and hypothesize

`≥1simultaneous parity bits forLWEinndimensions, with the understanding that this is based on a single parity predicate for theLWEproblem inn−`+ 1dimensions by Lemma 4.1.

4.2.1 Generation

The first component is a special algorithm for generating a (nearly) uniform matrixA∈_Zn×m

q that serves as the index of the public functiongA, together with a trapdoorTmade up of vectors whose lengths are

bounded by some relatively smallL.2 Ajtai [Ajt99] gave the first such generation algorithm foroddq, which yielded a boundL =m2.5; recently, Alwen and Peikert [AP08] improved the algorithm to yield a tighter

2

boundL≈mforarbitraryq(recall that we use an evenqin Theorem 3.3 and Lemma 4.1 for our particular choice of hard-core functions).

Proposition 4.2([Ajt99, AP08]). For any positive integersnandq≥3, anyδ >0andm≥(2 +δ)nlgq, there is a probabilistic polynomial-time algorithm that outputs a pair(T∈Zm×m,A∈Znq×m)such that: the distribution ofAis within negligible statistical distance of uniform over_Zn_q×m,Tis nonsingular (over the rationals),kt_ik ≤L=O(mlogm)for everyi∈[m], andAT=0modq.

4.2.2 Evaluation

On indexAand inputss∈_Zn

q,x∈Tm, compute

b=Ats/q+x∈_Tm.

Round each entry ofbto the nearest multiple of1/q0 modulo1, i.e., letb0 =bq0·be/q0 ∈ _Tm_{. Output}

gA(s,x) =b0, which may alternately be represented asq0·b0 ∈Zmq0.

Lemma 4.3. Letπ : Znq → {0,1}`be a function (e.g., π = h`) andφbe a distribution (itself possibly a random variable) overT. Ifπis hard-core forLWEq,φ, thenπis hard-core for the collection{gA}under the

input distribution wheres∈Znq is uniformly random andxis drawn fromφm.

Proof. The proof follows immediately from the fact that A is negligibly close to uniform, and that an adversary given samples(ai, bi) from As,φ can round off eachbi ∈ Tto the nearest multiple of1/q0 to

simulate the outputb0ofgA(s,x).

4.2.3 Inversion

A standard counting argument reveals that a uniformly random matrixA∈Znq×mis full-rank (i.e., its rows are linearly independent moduloq) except with probability at mostqn/2m, which is negligible innwhen

m≥(1 +δ)nlgq. For the remainder of the paper we implicitly assume that such anAis full-rank. Observe thatA+=At(AAt)−1∈Zqm×nis theright inverseofAmoduloq, becauseAA+=In, the

n-dimensional identity matrix moduloq. (Note that the Gram matrixAAtis invertible moduloqbecauseA

is full-rank.) Therefore, giveny ∈_Tm _{wherey= (A}t_{s)/q mod 1for somes∈}

Znq, we can recoversby computing

(A+)t(q·y) = (AA+)ts=smodq.

To invertb0 =gA(s,x)∈Tmgiven the trapdoorT, treatb0as an element ofRm and compute

y=T−t· bTt·b0emod 1,

and recoversfromyas described above. (The exact value ofxcannot always be recovered fromb0due to rounding, but it is not needed in our applications.)

Lemma 4.4. Let q0 = q0(n) ≥ 2L√m andα = α(n) ≤ 1/(L·ω(√logn)). Then for anys ∈ Znq and forxchosen fromΨm_β for anyβ ≤α, the inversion algorithm onb0 = gA(s,x)correctly outputsswith

Proof. We start with a few facts that we later use to analyze the rounding step. First, letw∈_Rm_{be such} that|wi| ≤1/(2q0)for alli∈[m]. Then for alli∈[m], we have

|hti,wi| ≤ ktik · kwk ≤L·

√

m/(2q0)≤1/4

by the Cauchy-Schwarz inequality and by hypothesis onktikandq0. Second, supposex0 ∈Rmis distributed

according toDm_β for someβ ≤α. Then for alli∈[m], the inner productht_i,x0iis distributed according toDr forr = ktik ·β ≤ 1/ω(

√

logn)by hypothesis onktik,α, andβ. By the tail bound on Gaussian distributions,|hti,x0i|<1/4except with probabilityexp(−Ω(1/r2)) = negl(n).

Now consider the inversion algorithm onb0 =gA(s,x)wherexis chosen fromΨmβ. By the definition of

gA, there existw∈Rmwith|wi| ≤1/(2q0)for alli∈[m]and anx0 distributed according toDm_β such that

b0 = (Ats)/q+x0+wmodZm.

Thus,

Tt·b0= (AT/q)t·s+Tt·(x0+w) modL(Tt).

Observe that(AT/q)is an integer matrix by hypothesis onT, andL(Tt) ⊆_Zm_{becauseTis an integer} matrix. Therefore,

bTt·b0e= (AT/q)t·s+bTt·(x0+w)e=Tt(Ats/q) modL(Tt),

where the second inequality is with overwhelming probability over the choice ofx0by the bounds established above. Finally, we see thaty=T−t· bTt_·b0_{e= (A}t_{s/q) mod}

Zm, and the inversion algorithm recoverss

fromy.

We remark that the inversion algorithm presented above works inparallelby rounding each entry of

Tt·b0independently. Aniterativerounding scheme akin to the “nearest-plane” algorithm of Babai [Bab86] can also be used, and succeeds (with overwhelming probability) wheneverα(n)≤1/( ˜L·ω(√logn)), where

˜

L= maxikt˜ikis the norm of the longest vector in theGram-Schmidt orthogonalizationofT. (The proof is virtually identical to the one given above.)

4.2.4 Cryptosystem and Analysis

Using the above collection of trapdoor functions, a public-key cryptosystem based onGapSVP_ζ,γ (forγ

determined below) is conceptually straightforward: to encrypt, evaluategAon a suitably random input, and

mask the message by a hard-core function applied to the input. To decrypt, invertgAto recover the input and

remove the mask.

In detail, set the parameters as follows. Letq= (ζ/√n)·ω(√logn)be even, letm= (2 +δ)nlgqfor someδ >0, letq0= 2L√m= poly(n), and letα= 1/(L·ω(√logn)). Recall thatGapSVPζ_γis equivalent toGapSVP_γ whenζ(n) = 2n/2, which implieslogq = O(n). The other most interesting case is when

ζ(n) = poly(n), which implieslogq=O(logn).

• To generate a key pair, sample a function indexA(the public key) with its trapdoorT(the secret key).

• To encrypt, chooses∈_Zn

q uniformly at random andxaccording toΨmβ forβ =

p

α2_{/2 +l}2_{, wherel}

is distributed according toS(n−`+1)

α/√2(n−`+1). The encryption of messageµ∈ {0,1} `_is

• To decrypt a ciphertext(b0, c)usingT, invertb0to findsand outputh`(s)⊕c.

The size of the public key A is O(mnlogq) = O(n2log2q) bits, and the trapdoor T has size

O(m2logm). The size of the ciphertext is dominated byb0, which requiresO(mlogq0) =O(nlogqlogn) bits. By taking (say)`=n/2, the ciphertext is therefore anO(logqlogn)factor larger than the plaintext.

Proposition 4.5. The cryptosystem described above is complete and semantically secure, assuming that

GapSVP_ζ,γ is hard in the worst case for someγ(n) = ˜O(n2logq).

Proof. Correctness of decryption (with overwhelming probability over the encryption randomness) is imme-diate by the fact thatβ ≤αwith overwhelming probability, and by Lemma 4.4. Semantic security (assuming the worst-case hardness ofGapSVP_ζ,γ) follows directly from the fact that h` is hard-core forgA under

the input distribution used for encryption, which follows by the sequence of Lemma 4.3, Lemma 4.1, and Theorem 3.3. We may therefore take the underlying worst-case approximation factorγto be

γ(n) = ˜O(n/α) = ˜O(L·n) = ˜O(n2logq).

Note that an improved boundL(or its Gram-Schmidt counterpartL˜as described in Section 4.2.3 above) yields a tighter approximation factorγ. For example, ifL(orL˜) were improved to the asymptotically optimal

O(√m), the factorγcould be reduced toO˜(n1.5√logq).

4.3 Chosen-Ciphertext Security

To construct a cryptosystem that enjoys security under chosen-ciphertext attacks, we use a paradigm recently proposed by Peikert and Waters [PW08], and additional perspectives due to Rosen and Segev [RS08]. We discuss all the important technical ideas here, but defer a complete description and proof to the full version. The main observation is that any k = poly(n)independently chosen functionsgA1, . . . , gAk remain

one-way (assumingLWE is hard) even when evaluated on thesame inputs and independentx1, . . . ,xk (respectively) from the appropriate error distributionφ. This is because the indicesA1, . . . ,Akand outputs

b0₁ =gA(s,x1), . . . ,b0_k=gA(s,xk)can be assembled simply by drawingk·msamples fromAs,φ. Similarly, the functionh`(s)remains hard-core given all these values, if it was hard-core forLWEin the first place. (We remark that these facts were also observed independently by Goldwasser and Vaikuntanathan [GV08], who construct similar chosen ciphertext-secure cryptosystems.) Essentially, the properties described above constitute security under “correlated inputs,” as defined in [RS08].3

There is a simple (and black-box) chosen ciphertext-secure cryptosystem based on any collection of injective trapdoor functions that is secure under a suitable form of input correlation (including the one described above). Crucially, the proof of security requires the functions to beinjective. More precisely, the following properties must hold with overwhelming probability over the choice of functiongfrom the collection:

1. Each valueyin the range hasat most onelegal preimagexunderg.

2. Given anyyand any candidate preimagex(and the description ofg), one can efficiently check whether

xis the legal preimage ofy(without knowledge of the trapdoor).

3. Given anyyand the trapdoor forg, the inverteralwaysfinds the legal preimagexofy(if it exists).

3

These properties ensure that for anyy(possibly constructed adversarially), the following two algorithms behaveidentically: (1) on inputx, y, accept ifxis the preimage ofy; (2) on inputyand the trapdoor, run the inverter to get somex, and accept ifxis indeed the preimage ofy. This identical behavior is the crux of the security proof.

Making our functions injective. Note that in the above description of the trapdoor functionsgA, any

values ∈ Znq is a potential preimage ofb0 ∈ Tm, under the (possibly very unlikely) error vectorx =

b0−(Ats)/q ∈_Tm_{. Therefore, we need to restrict the notion of a legal preimage and prove that it satisfies} the three properties listed above. In particular, must carefully deal with the behavior of the inversion algorithm onarbitrary(possibly adversarial) valuesb0 ∈Tm, as opposed to those generated honestly. We stress that in

our context, the error componentxof the input need not be considered as part of the preimage, because it is not needed to check validity, nor is it used in the encryption.

We now define the notion of legal preimages for a function gA, which depends on the parameter

α =α(n) ∈ (0,1)associated with the collection, and some arbitraryt=t(n) =ω(√logn). Define the absolute value|·|onT= [0,1)as|x|= min{x,1−x}, and extend it coordinate-wise toTm.

Definition 4.6. We say thats∈_Zn

q is a legal preimage ofb0 ∈TmundergAif and only if every entry of

b0−(Ats)/q

is strictly less thanα·t.

Let q0 ≥ 1/(α ·t). First, we observe that s is indeed a legal preimage of an honestly-generated

b0 = gA(s,x), with overwhelming probability over the choice ofxfrom anyΨmβ whereβ ≤ α(this is required for completeness of the cryptosystem). Indeed, for everyi ∈ [m], we have|xi| < α·t/2with overwhelming probability by the Gaussian tail bound, and after the rounding step,

b0_i−b_i

≤1/(2q0)≤α·t/2.

Proposition 4.7. The three properties listed above are satisfied under Definition 4.6.

Proof. Property 2 holds trivially by definition. Property 1 follows by a simple fact that holds with all but

qn/2m= negl(n)probability over the choice ofA: for every nonzeros∈Znq,(Ats)/qmod 1has at least one entry with absolute value greater than1/4. (This can be seen by analyzing the probability for any fixed nonzeros, then invoking the union bound.) Then forα <1/(8t), everyb0has at most one legal preimage by the triangle inequality.

For Property 3, we observe that for anyb0that has a legal preimages, there is a vectorw∈_Rm_{such that}

kwk ≤√m·α·tand

b0 = (Ats)/q+wmodZm.

Then by following the proof of Lemma 4.4 (without the randomized componentx0), we see that the inversion algorithmalwayscorrectly recovers sas long asα ≤ 1/(L·√m·t) = 1/(L·√m·ω(√logn)). Note that the parameterαhere is smaller than the one in Lemma 4.4 by a factor of√m, due to the “worst-case” inversion requirement. This allows for an underlying worst-case approximation factor

γ(n) = ˜O(n/α) = ˜O(L·n·√m) = ˜O(n2.5log1.5q).

Acknowledgments

References

[AD97] Mikl´os Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. InSTOC, pages 284–293, 1997.

[AD07] Mikl´os Ajtai and Cynthia Dwork. The first and fourth public-key cryptosystems with worst-case/average-case equivalence. Electronic Colloquium on Computational Complexity (ECCC), 14(97), 2007.

[Ajt99] Mikl´os Ajtai. Generating hard instances of the short basis problem. InICALP, pages 1–9, 1999.

[Ajt04] Mikl´os Ajtai. Generating hard instances of lattice problems. Quaderni di Matematica, 13:1–32, 2004. Preliminary version in STOC 1996.

[AKS01] Mikl´os Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. InSTOC, pages 601–610, 2001.

[AP08] Jo¨el Alwen and Chris Peikert. Generating shorter bases for hard random lattices. Manuscript, 2008.

[Bab86] L´aszl´o Babai. On Lov´asz’ lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986.

[Cai98] Jin-Yi Cai. A relation of primal-dual lattices and the complexity of shortest lattice vector problem. Theor. Comput. Sci., 207(1):105–116, 1998.

[GG00] Oded Goldreich and Shafi Goldwasser. On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci., 60(3):540–563, 2000.

[GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. InCRYPTO, pages 112–131, 1997.

[GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. InSTOC, pages 25–32, 1989.

[GN08] Nicolas Gama and Phong Q. Nguyen. Predicting lattice reduction. InEUROCRYPT, pages 31–51, 2008.

[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. InSTOC, pages 197–206, 2008.

[GV08] Shafi Goldwasser and Vinod Vaikuntanathan. Correlation-secure trapdoor functions from lattices, 2008. Manuscript.

[Imp95] Russell Impagliazzo. A personal view of average-case complexity. InStructure in Complexity Theory Conference, pages 134–147, 1995.

[KS06] Adam R. Klivans and Alexander A. Sherstov. Cryptographic hardness for learning intersections of halfspaces. InFOCS, pages 553–562, 2006.

[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267–302, 2007. Preliminary version in FOCS 2004.

[MV03] Daniele Micciancio and Salil P. Vadhan. Statistical zero-knowledge proofs with efficient provers: Lattice problems and more. InCRYPTO, pages 282–298, 2003.

[Pei08] Chris Peikert. Limits on the hardness of lattice problems in`pnorms. Computational Complexity, 17(2):300–351, May 2008. Preliminary version in CCC 2007.

[PVW08] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. InCRYPTO, pages 554–571, 2008.

[PW08] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. InSTOC, pages 187–196, 2008.

[Reg04a] Oded Regev. Lecture notes on lattices in computer science, 2004. Available athttp://www.cs.

tau.ac.il/˜odedr/teaching/lattices_fall_2004/index.html, last accessed

28 Feb 2008.

[Reg04b] Oded Regev. New lattice-based cryptographic constructions. J. ACM, 51(6):899–942, 2004.

[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. InSTOC, pages 84–93, 2005.