Paper study: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 08:20

On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

LWE on lattices, random linear codes, and cryptography

Oded Regev
Department of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel

Abstract

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical.

Main result: a reduction from worst-case lattice problems (such as SVP/SIVP) to a class of learning problems. This class of learning problems is a natural extension of "learning from parity with error" (hard to translate; just get the gist) to higher moduli. It can also be viewed as the problem of decoding a random linear code.

Our reduction is quantum. This means that an efficient solution to this class of learning problems yields a quantum algorithm for SVP/SIVP.

An open question is whether this reduction can be made classical.

Using the main result, we obtain a public key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n^2) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n^4) and Õ(n^2), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n^2), the size of the public key can be reduced to Õ(n).

We obtain a public-key cryptosystem (whose hardness rests on the worst-case quantum hardness of SVP/SIVP).

Previous lattice-based public-key systems relied only on unique-SVP. The new system is clearly more efficient:


              PK size     increase in message size
    LWE       Õ(n^2)      Õ(n)
    previous  Õ(n^4)      Õ(n^2)

In fact, if all parties share a random bit string of length Õ(n^2), the public key length can be reduced to Õ(n).


Introduction

Main theorem.

(Long passage not shown; summary only)

An important open question is to explain the apparent difficulty in finding efficient algorithms for this learning problem. Our main theorem explains this difficulty for a natural extension of this problem to higher moduli, defined next:

Let p = p(n) ≤ poly(n) be some prime integer and consider a list of 'equations with error'

……

Here s ∈ Z_p^n (the n-dimensional integers mod p), the a_i are chosen independently from the same set, and the b_i lie in Z_p. Let the error in the equations follow a probability distribution χ: Z_p → R+ on Z_p; that is, for each equation i, b_i = <s, a_i> + e_i with e_i ∈ Z_p drawn from χ. We call the problem of recovering s from such equations LWE. Our main theorem says that, for a suitable choice of p and of the distribution χ, LWE is quantum-hard based on worst-case lattice problems.

Theorem 1.1 (informal): omitted

Some observations:


If one finds an efficient algorithm for LWE, then one also obtains a quantum algorithm for approximating worst-case lattice problems.

If an efficient method for solving LWE is found, this means one has a quantum algorithm for approximating worst-case lattice problems.

The LWE problem can be equivalently presented as the problem of decoding random linear codes.

The LWE problem is equivalent to the problem of decoding random linear codes.

It turns out that certain problems, which are seemingly easier than the LWE problem, are in fact equivalent to the LWE problem.

Some problems that appear simpler than LWE are in fact equivalent to LWE.

Cryptosystem.

A public key cryptosystem whose security is based on the worst-case quantum hardness of approximating SIVP and SVP to within Õ(n^1.5).

Improved efficiency.
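As an added example (not code from the paper or from this post), the "equations with error" definition above instantiated in Python with toy parameters, plus the Regev-style one-bit encryption that the cryptosystem is built on (public key = LWE samples, ciphertext = a random subset sum of them). The dimension, modulus, sample count and the {-1, 0, 1} error distribution are assumptions chosen for the demo, not the paper's parameters.

```python
import random

# Toy parameters (assumption, constructed for the demo): far too small to be secure.
N = 8    # dimension n
P = 97   # prime modulus p = p(n)
M = 16   # number of LWE samples (a_i, b_i) in the public key

def chi(rng):
    """Error distribution χ on Z_p: uniform on {-1, 0, 1} here (assumed; the paper uses a discretized Gaussian)."""
    return rng.choice((-1, 0, 1))

def lwe_samples(s, m, rng):
    """m 'equations with error': b_i = <s, a_i> + e_i (mod p), with a_i uniform in Z_p^n."""
    out = []
    for _ in range(m):
        a = [rng.randrange(P) for _ in range(N)]
        out.append((a, (sum(x * y for x, y in zip(s, a)) + chi(rng)) % P))
    return out

def centered_errors(s, samples):
    """Residuals b_i - <s, a_i> mod p mapped to (-p/2, p/2]; for the true s these are exactly the e_i."""
    res = [(b - sum(x * y for x, y in zip(s, a))) % P for a, b in samples]
    return [v - P if v > P // 2 else v for v in res]

def keygen(rng):
    s = [rng.randrange(P) for _ in range(N)]      # secret s in Z_p^n
    return s, lwe_samples(s, M, rng)              # public key = M LWE samples

def encrypt(pk, bit, rng):
    """Regev-style: sum a random subset of the public samples, add bit*floor(p/2) to the b part."""
    a_sum, b_sum = [0] * N, 0
    for a, b in pk:
        if rng.random() < 0.5:
            a_sum = [(x + y) % P for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % P
    return a_sum, (b_sum + bit * (P // 2)) % P

def decrypt(s, ct):
    """b' - <s, a'> mod p is a sum of at most M small errors (plus floor(p/2) if bit=1); M*1 < p/4 keeps the cases apart."""
    a, b = ct
    v = (b - sum(x * y for x, y in zip(s, a))) % P
    return 0 if min(v, P - v) < P // 4 else 1

def demo(seed=0):
    """Returns (decrypted bits for plaintext 0,1,1,0; centered errors of the public key under the true secret)."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    bits = [decrypt(s, encrypt(pk, b, rng)) for b in (0, 1, 1, 0)]
    return bits, centered_errors(s, pk)
```

With these parameters the subset sum of errors is bounded by M = 16 < p/4, so decryption is exact; with the true secret every residual is a small e_i, which is what an LWE solver has to find.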

Why quantum?

Let L be some lattice and let d = λ1(L)/n^10 where λ1(L) is the length of the shortest nonzero vector in L. We are given an oracle that for any point x ∈ R^n within distance d of L finds the closest lattice vector to x. If x is not within distance d of L, the output of the oracle is undefined.

L is a lattice with d = λ1(L)/n^10, where λ1(L) is the length of the shortest nonzero vector. We are given an oracle that, for any point x ∈ R^n within distance d of L, finds the lattice vector closest to x; if x is not within distance d of L, the oracle's output is undefined.

(Heavens, I have no idea what this is either)

Somehow choose a lattice point y ∈ L and let x = y + z for some perturbation vector z of length at most d. Clearly, on input x the oracle outputs y. But this is useless since we already know y! This ability to erase the contents of a memory cell in a reversible way seems useful only in the quantum setting.

Choose y and let x = y + z, where z is a perturbation vector of length at most d. This is useless, since we already know y.

(More precisely, it can change the quantum state.) Only in the quantum setting does this ability to reversibly erase the contents of a memory cell seem useful.


Overview

(Long passage not shown; summary only)

* Iterative step

Step 1. Use these samples to construct an algorithm that solves CVP_{L*, αp/r}, i.e. solves the closest vector problem on L* for points that are within distance αp/r of the lattice. This algorithm is classical and uses the LWE oracle.


Step 2. Use this algorithm to generate samples from D_{L, r'}. This step is quantum (and in fact, the only quantum part of our proof). In the following, we describe each of these steps briefly.